OmniAccess Reference™: AOS-W System Reference

Copyright © 2005 Alcatel Internetworking, Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA.

Trademarks: AOS-W, OmniAccess 4304, OmniAccess 4308, OmniAccess Wireless LAN, OmniAccess 6000, OmniAccess AP60, OmniAccess AP61, and OmniAccess AP 70 are trademarks of Alcatel Internetworking, Inc. in the United States and certain other countries.
Contents (excerpt)

Preface
  An Overview of this Manual
  Related Documents
  Text Conventions
  Contacting Alcatel

Part 1 Overview
  Chapter 1 Overview
    Key Features

Part 2 Design and Planning
  Chapter 4 RF Design
    The Alcatel RF Plan Tool
    Getting Started
      System Requirements for Standalone RF Plan
      Installing RF Plan
      Launching RF Plan
    RF Plan Basics
  Chapter 5
    Authentication Methods
      802.1x Authentication
      VPN Authentication
      Captive Portal Authentication
      MAC Address Role Mapping
      Stateful 802.1x
      SSID Role Mapping
      Encryption Type Role Mapping
      Advanced Authentication
    Configuring VPN Settings
      IPSec
      PPTP
      VPN Dialer Configuration
      VPN Server Emulation
      Advanced Authentication

  Chapter 8, Chapter 9
    Enforcement Policies
      AP Policies
      Wireless Client Station Policies
      Global Policies
    Statistics Events
    General WMS Attributes
    AiroPeek Support for Packet Capture
      Starting Packet Capture
      The AiroPeek Application
      Stopping Packet Capture
    Remediation with Sygate
    Operation
      Rules of Operating a Virtual Switch
      Hot Swapping Support
      Resetting the Other SC
    DHCP Server Configuration
      DHCP Pool Configuration
      DHCP Excluded Address Configuration

  Chapter 10 802.1x Configuration
    Introduction
    Background
    Wireless Network Operation
      Wireless Laptops
      Printers
    OmniAccess 6000 Switch Configuration
      Firewall Policies
      User Role Configuration
      Authentication Parameters
      VLAN and IP Address Configuration
      Wireless Configuration
      AP Configuration

  Chapter 14 Radio Resource Management
    Introduction
    Calibration
    Optimization
    Self-Healing
    Load Balancing
    Client and AP DoS Protection
    Configuration of RF Monitoring
      Coverage Hole Detection
      Interference Detection
      Event Threshold Configuration
    Advanced Parameters

    Configuring Captive Portal Authentication with Web UI
    Configuring MAC Address Role Mapping with Web UI
    Configuring Stateful 802.1x for Third Party Access Points
    Role Mapping
      SSID Role Mapping
      Encryption Type Role Mapping
      Configuring Advanced Conditions
    Defining Roles Using Web UI
      Role Design
      Configuring Roles
    Setting Policies Using the CLI
      Defining Service Aliases
      Defining Source and Destination Aliases
      Firewall Policies
    Defining Roles Using the CLI
      Configuring Roles
    Defining Access Control Lists in the CLI
      Standard ACLs
      Extended ACLs

  Chapter 22, Chapter 23
    AP Provisioning
      Plug and Play
      Simplified AP Provisioning
      AP Programming Mode
      Manual AP Provisioning
      AP Reprovisioning
      Accessing the AP Boot Prompt
      Initial Configuration
      Advanced AP Configuration
      GRE Tunnel Configuration
    Configuring IPSec Using the CLI
    Configuring PPTP Using the CLI
    Configuring the VPN Dialer Using the CLI
    Configuring VPN Server Emulation Using the CLI
    Configuring SecureID Token Caching Using Web UI
    VPN Quick Start Guide
      Requirements From Customer
      Network Topology In Examples
      Setting Up a VPN
      Verification and Troubleshooting

    Wireless LAN Monitoring . . . . . 576
    Debug Information . . . . . . . . 576
    Creating Custom Logs . . . . . . 577
    Reports . . . . . . . . . . . . . 577
      Example Report: Rogue APs . . . 578
      AP Reports . . . . . . . . . . . 579
      Custom Reports . . . . . . . . . 580

  Chapter 26 Firewall Logging
    Network Utilities
      Ping
      Traceroute
    General Information
    Contacting Technical Support
    Access Point Diagnostics
      Received Configuration
      Software Status
      Debug Log
      Detailed Statistics
      Web Diagnostic

  Command Reference
    aaa Commands, aaa xml-api client, adp Commands, ads Commands, ap Commands, arm Commands, arp, banner motd, clock Commands, crypto Commands, database synchronize, destination, dot1x Commands, enable, encrypt, firewall Commands, foreign-agent
    shutdown, site-survey, snmp-server, spanning-tree, stm, syscontact, syslocation, telnet cli, time-range, traceroute, trusted, udp-port, user, user-role, version, vlan, vpdn, vpn-dialer, vrrp, web-server, web-ui, wms
    Local Database Commands
    VPN Commands
      IPSec Commands
      L2TP Commands
      VPN Dialer Commands
      PPTP Commands
    Mobility Commands
    Air Management Commands
      Air Monitor Commands
      WMS Commands
      Site Survey Commands
Preface

This preface includes the following information:
• An overview of the sections in this manual
• A list of related documentation for further reading
• A key to the various text conventions used throughout this manual
• Alcatel support and service information

An Overview of this Manual
This manual is for network administrators and operators responsible for configuring and monitoring the Alcatel Wireless LAN Switch.

Related Documents
The following items are part of the complete documentation for the Alcatel system:
• Alcatel Wireless LAN Switch Installation Guides (OmniAccess 4308, OmniAccess Wireless LAN, and OmniAccess 6000)
• Alcatel AOS-W User Guide
• Alcatel AP Installation Guides (AP60/61 and AP70)

Text Conventions
The following conventions are used throughout this manual to emphasize important concepts:

TABLE P-1 Text Conventions
Type Style      Description
Italics         In the command examples, italicized text within angle brackets represents items that the user should replace with information appropriate to their specific situation. For example:
                    # send
                In this example, the user would type "send" at the system prompt exactly as shown, followed by the text of the message they wish to send. Do not type the angle brackets.
[ Optional ]    In the command examples, items enclosed in brackets are optional.
Part 031652-00, May 2005
Part 1 Overview
CHAPTER 1 Overview

The AOS-W 2.2 Interface Reference is organized by product feature for the Alcatel Wireless LAN switches and access points. This guide also includes best practice recommendations and configuration examples for a number of features.

Key Features

Prevention of Layer-2 Bridging between Wireless Users
In AOS-W, a global firewall feature has been added to deny all L2 bridging between users.

Enhanced Location Services
AOS-W 2.2 adds more precise position tracking of wireless devices by utilizing RF triangulation. In previous AOS-W releases, the "RF Locate" feature would display the nearest APs receiving signals from a wireless user or AP, along with the corresponding signal strength. AOS-W 2.2 adds the ability to triangulate position based on RF signal strength. This algorithm is accurate to within approximately 10 meters.

provides the ability to enable local probe responses for remotely connected APs. This feature may be configured under the Wireless LAN > Advanced section of the Web-based management interface, or under the "ap location" section of the CLI.

Auto-Blacklist Firewall Extended Action
AOS-W 2.2 provides the ability to automatically blacklist (prevent association to any AP) clients who violate a rule in a firewall policy.

If no DNS information is available, the AP will begin using Alcatel Discovery Protocol (ADP) to locate a switch. It will alternately send out ADP broadcast packets and ADP multicast packets until a response is received. The multicast packet is an IP packet directed to multicast address 224.0.82.11. If a switch is attached to the local L2 segment, it will reply to the ADP broadcast.
        option serverip 10.1.1.10;
    }
    range 10.200.10.200 10.200.10.252;
}

To configure Microsoft's DHCP server for this feature:

1. Add an "option 43" entry to the desired DHCP scope that contains the IP address of the Alcatel switch in text. An example of this is shown in the following figure.

2. From a command prompt, enter:

    c:\>netsh
    netsh>dhcp
    netsh dhcp>server \\
    netsh dhcp>add optiondef 60 AlcatelAP String 0 comment=AlcatelSupport
    netsh dhcp>set optionvalue 60 STRING AlcatelAP
    netsh dhcp>exit

Multicast Configuration
A network supporting IP multicast must be in place to make use of the ADP multicast capability.
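The DHCP procedure above relies on two options in the server's reply: option 60 carrying the vendor class string "AlcatelAP" and option 43 carrying the switch address as text. The following is an added example, not code from the AOS-W manual or from Alcatel, that parses those two options out of a raw DHCP message so an administrator can verify what a scope actually hands out. The option layout (magic cookie followed by type-length-value options, RFC 2132) is standard; the sample message, the helper names and the acceptance rule (option 43 must be a well-formed IPv4 address and option 60 must match exactly) are this example's own assumptions.

```python
"""Extract the AP-discovery hints (DHCP options 60 and 43) from a raw DHCP
message. Added example, not Alcatel code. The sample message is constructed
by hand; only the cookie/TLV layout and the option numbers are standard."""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_VENDOR_SPECIFIC = 43   # manual: switch IP address "in text"
OPT_VENDOR_CLASS = 60      # manual: "AlcatelAP"
BOOTP_FIXED_LEN = 236      # fixed BOOTP header (op ... file) before the cookie


def parse_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} for the TLV options after the magic
    cookie. PAD (0) bytes are skipped, END (255) stops parsing, and a length
    byte that runs past the end of the message raises instead of returning a
    silently truncated value."""
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    i = BOOTP_FIXED_LEN + 4
    opts = {}
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("option %d truncated (no length byte)" % code)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def discovery_hint(payload: bytes):
    """Return the switch address carried in option 43 when the message is
    tagged with the AlcatelAP vendor class in option 60, otherwise None.
    An option 43 value that is not a valid dotted IPv4 address is rejected
    rather than passed on as a discovery target (assumption of this example)."""
    opts = parse_options(payload)
    if opts.get(OPT_VENDOR_CLASS) != b"AlcatelAP":
        return None
    raw = opts.get(OPT_VENDOR_SPECIFIC)
    if raw is None:
        return None
    try:
        return str(ipaddress.IPv4Address(raw.decode("ascii")))
    except (UnicodeDecodeError, ipaddress.AddressValueError):
        return None


def build_offer(options) -> bytes:
    """Constructed DHCP message: zeroed BOOTP header, cookie, TLV options, END."""
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return bytes(BOOTP_FIXED_LEN) + MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed sample: what a scope configured as in steps 1 and 2 would send.
SAMPLE_OFFER = build_offer([
    (OPT_MESSAGE_TYPE, b"\x02"),           # DHCPOFFER
    (OPT_VENDOR_CLASS, b"AlcatelAP"),
    (OPT_VENDOR_SPECIFIC, b"10.1.1.10"),   # address from the dhcpd fragment above
])

if __name__ == "__main__":
    print(discovery_hint(SAMPLE_OFFER))
```

Feed `parse_options` the UDP payload of a captured DHCPOFFER on the AP's VLAN to confirm the scope is handing out both options; a reply that carries option 43 without the expected vendor class, or an option 43 value that is not an address, is worth investigating, since the AP will treat whatever it receives as the switch to contact.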
CHAPTER 2 Management Options

AOS-W provides a number of methods for managing your Alcatel Wireless LAN Switch.

Command-Line Interface
The Command-Line Interface (CLI) provides the most direct method for configuring the switch and collecting system information.

• Configure and manage wireless intrusion prevention and performance policies
• Monitor the state and performance of the Wireless LAN
• Perform a site survey to assist deployment of Alcatel Access Points and Air Monitors
• Monitor air interface security and performance events
• AP triangulation

General Screen Elements
When Web UI is started after a successful login, the browser window will show the default page: the Monitor Summary.

• Page Tree–Each tool has its own information or configuration pages and sub-pages. The page tree lists all of the pages available when using the currently selected tool. You can navigate to any of the listed pages by clicking on the page name.

NOTE—Some of the items in the page tree are merely headings for their sub-pages and cannot be selected. Selectable pages become highlighted when the mouse cursor is placed over them. Non-selectable items do not react.

• Check Boxes–Represented as small squares in front of the item text. These fields allow you to turn items on or off by clicking on the check box. A feature or option will be turned on, selected, or enabled (as appropriate) when the box is checked. A feature or option will be turned off, unselected, or disabled when the box is empty.
• Radio Buttons–Represented as small circles in front of the item text.
CHAPTER 3 Command Line Basics

The Command Line Interface (CLI) is the most direct and comprehensive method for managing the Alcatel Wireless LAN Switch. The CLI can be used to gather information about the switch configuration, collect switch performance statistics, and make configuration changes. The CLI uses a simple, text-based interface with a Cisco-like command structure.

Local or Remote Telnet
If properly set up, the CLI can be accessed locally or remotely using Telnet. You can use Telnet (or SSH or the Web GUI) to access any IP interface on an Alcatel Wireless LAN switch.

Enabling Telnet Access
The default CLI management method is SSH. To enable Telnet, from configuration terminal mode, enter:

    > telnet cli

Telnet access requires that the switch management interface and default gateway be defined.

Using Telnet to Connect
Use a Telnet client on your management workstation to connect to the Alcatel Wireless LAN Switch management interface IP address. The connection command may vary depending on the specific software used, but commonly appears as follows:

    > telnet

When the connection is established, the login prompt will be displayed.

Logging In
Once connected, the system displays its host name (Alcatel if not configured), followed by the login prompts.

• Privileged Mode
All configuration and management functions are available in privileged mode. Moving from user mode to privileged mode requires an additional password:

    (Alcatel) > enable
    (Alcatel) #

When successfully promoted to privileged mode, the > prompt is replaced by the # prompt. The numerous privileged mode commands are divided into groups according to their context, as outlined in the next section.

• Show Commands
The show commands list information about the switch configuration and performance and are invaluable for debugging system configuration. The show commands are documented starting on page 833.

Saving Configuration Changes
Configuration changes made using the CLI affect only the current state of the switch. Unless saved, the changes will be lost when the system is rebooted.

Shortcuts

Command Completion
To make command input easier, you can usually abbreviate each keyword in the command. You need type only enough of each keyword to distinguish it from similar commands. For example:

    (Alcatel) # configure terminal

could also be entered as:

    (Alcatel) # con t

Three characters (con) represent the shortest abbreviation allowed for configure.

List Matching Commands
When typed at the end of a possible command or abbreviation, the question mark lists the commands that match (if any). For example:

    (host) # c?
    clear        Clear configuration
    clock        Configure the system clock
    configure    Configuration Commands
    copy         Copy Files

If more than one item is shown, type more of the keyword characters to distinguish your choice.
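The abbreviation and `?` rules above are a unique-prefix match over the keywords available at each level of the command tree. The following is an added example, not the switch's own CLI code, that models those rules for the four keywords the manual lists (`clear`, `clock`, `configure`, `copy`) plus the `terminal` sub-keyword of `configure`; the help text for `terminal`, the tree layout and the function names are this example's assumptions. It shows why `con` is the shortest abbreviation of `configure` (`co` also matches `copy`) and what `c?` would list.

```python
"""Unique-prefix keyword matching and '?' listing as the manual describes
them. Added example, not Alcatel code; the command tree is constructed from
the keywords shown on this page and the 'terminal' help text is assumed."""

# keyword -> (help text, sub-keywords at the next level)
COMMANDS = {
    "clear": ("Clear configuration", {}),
    "clock": ("Configure the system clock", {}),
    "configure": ("Configuration Commands",
                  {"terminal": ("Enter configuration mode (assumed help text)", {})}),
    "copy": ("Copy Files", {}),
}


def matches(prefix, level):
    """All keywords at this level that start with prefix: what '<prefix>?' lists."""
    return sorted(k for k in level if k.startswith(prefix))


def resolve(word, level):
    """Expand one possibly abbreviated keyword. An exact keyword always wins;
    otherwise the prefix must match exactly one keyword, else None."""
    if word in level:
        return word
    cands = matches(word, level)
    return cands[0] if len(cands) == 1 else None


def expand(line, tree=COMMANDS):
    """Expand a whole abbreviated command line, e.g. 'con t' -> 'configure terminal'.
    Raises ValueError naming the word that is ambiguous or unknown."""
    level, out = tree, []
    for word in line.split():
        full = resolve(word, level)
        if full is None:
            raise ValueError("%r is ambiguous or unknown; candidates: %s"
                             % (word, matches(word, level)))
        out.append(full)
        level = level[full][1]
    return " ".join(out)


def shortest_abbreviation(keyword, level=COMMANDS):
    """Shortest prefix that identifies keyword uniquely at this level."""
    for n in range(1, len(keyword) + 1):
        if matches(keyword[:n], level) == [keyword]:
            return keyword[:n]
    return keyword


def help_listing(prefix, level=COMMANDS):
    """The lines printed for '<prefix>?': keyword and its help text."""
    return ["%-12s %s" % (k, level[k][0]) for k in matches(prefix, level)]


if __name__ == "__main__":
    print("\n".join(help_listing("c")))
    print(expand("con t"))
```

Because `clear` and `clock` share the prefix `cl`, the shortest abbreviation for either is three characters; the same function tells you that `t` alone is enough for `terminal` once `configure` has been resolved, which is what makes `con t` valid.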
Command Line Editing
The command line editing feature allows you to make corrections or changes to a command without retyping. Table 3-2 lists the editing controls:

TABLE 3-2 Line Editing Keys
Key     Effect          Description
        Home            Move the cursor to the beginning of the line.
        or Back         Move the cursor one character left.
        Delete Right    Delete the character to the right of the cursor.

• Pipe | — denotes two or more alternatives, separated from one another by the | symbol. For example:

    crypto ipsec transform-set {esp-des|esp-3des} {esp-md5-hmac|esp-sha-hmac}

means you have to specify the set name, then choose either esp-des or esp-3des, then choose either esp-md5-hmac or esp-sha-hmac.

    client configuration dns [|no]

means you have to specify the server1 address, but you do not have to specify anything about server2.
Part 2 Design and Planning
CHAPTER 4 RF Design

The Alcatel RF Plan Tool
RF Plan is a three-dimensional wireless deployment modeling tool that enables Network Administrators to design an efficient Wireless Local Area Network (Wireless LAN) for their corporate environment, optimizing coverage and performance, and eliminating complicated Wireless LAN network setup.

settings for each AP. Real-time calibration can be automatically programmed or manually undertaken at any time in order to quickly adapt to changes in the wireless environment.

Getting Started
The RF Plan application is available on the Alcatel Wireless LAN switch or as a standalone Windows application. This chapter describes the functionality for both versions of RF Plan. Where the two versions differ in how they are used, the differences are noted.

Launching RF Plan
To open RF Plan, select: Start > All Programs > Alcatel Offline RF Plan > Alcatel RF Plan.

RF Plan Basics

Page Summary
The following is a brief summary of the functionality of each of the pages in RF Plan.

• Building List Page–The Building List page provides a list of buildings that you have created and saved. You may use this page to add or delete buildings from your saved database. You may also import or export buildings here.
• Area Editor Page–Use this page to specify areas on each floor where coverage is not desirable or where Access Points/Air Monitors may not be physically deployed.
• Access Editor Page–Use this page to manually create, position, or configure Access Points or Air Monitors.
• AP Plan–The AP Plan page is used to initialize the position of Access Points and launch RF Plan's positioning algorithm.

Navigation
The RF Plan tool is a wizard in that it logically guides you through the process of defining radio coverage for all the buildings on your campus. The left pane of the wizard screens shows the progression you follow each time you click Apply. The button in the top right corner also takes you to the next logical step. You can also click the links in the left pane to go to any screen in the wizard.

Opening Screen
When RF Plan opens, the browser window will show the default page: the RF Plan Building List page.

Building List Page
The Building List page contains all the buildings you have defined using the RF Plan software. The first time you run the application, there should be no buildings in the list.

FIGURE 4-1 Building List Page

• New Building–Use this button to create a new building. See "Adding a New Building to the Plan" on page 32.
• Search–When the database of buildings has been created, use this feature to find a specific building, on a specific campus, or search for a name string. You may add, edit, and delete buildings using this window. You may also import and export buildings using the import and export buttons.

Using RF Plan

Task Overview
Before you begin, take a minute to review this section; it explains the general steps in the order they should be taken to create a building and plan the Wireless LAN for it.
Planning Requirements
You should collect the following information before beginning to plan your network. Having the information below readily available will expedite your planning efforts.

The Overview page shows the default values for your new building, most of which you can change in the following pages. On the Building Overview page you can view the specifications for the following:
• Your building's dimensions.
• Access Point modeling parameters.
• Air Monitor modeling parameters.

To define your building, click Building Dimensions. The Specification page displays.

Building Specification Page
The Building Specification page enables you to specify the identity of your building and its dimensions. Enter the appropriate values in the text boxes in the Dimension window.

• Building ID–This consists of two decimal numbers separated by a dot. The first is the campus ID. The campus ID will always be "1" if there is only one campus. The second is the building number. The valid range for these fields is any integer from 1 to 255.
• Floors–Enter the number of floors in your building here. The valid range for this field is any integer from 1 to 1 × 10^12.
• Units–Specify the units of measurement for the dimensions you specified on the page. The choices are feet and meters.

A Word About Building Dimensions
The dimensions you specify for building width and height should be the major dimensions (maximum height and width) of the overall footprint of the building as illustrated below.

AP Modeling Page
The AP Modeling page allows you to specify all the information necessary for RF Plan to determine the appropriate placement of your APs. Controls on this page allow you to select or control the following functions:

• Radio Type–Use this pull-down menu to specify the radio type in the appropriate combination of a, b, and/or g configuration.
• AP Type–Specify AP 52 or AP 60.

Radio Type
Specify the radio type(s) of your APs using the pull-down Radio Type menu on the Modeling Parameters page. Available Radio Type choices:
• 802.11a–5 GHz, Orthogonal Frequency Division Multiplexing (OFDM) with data rates up to 54 Mbps.
• 802.11b–2.4 GHz, Direct Sequence Spread Spectrum (DSSS) with data rates up to 11 Mbps.
• 802.11g–2.4 GHz, OFDM/CCK (Complementary Code Keying) with data rates up to 54 Mbps.
Click Apply and the AM Modeling page displays.

AM Modeling Page
The AM Modeling page allows you to specify all the information necessary for RF Plan to determine the appropriate placement of your AMs. Controls on this page allow you to select or control the following functions:

• Monitor Rate–Use this pull-down menu to specify the desired monitor rate for your Air Monitors.

NOTE—The monitor rates you select for the AMs should be less than the data rates you selected for the APs. If you set the rate for the AMs at a value equal to that specified for the corresponding PHY type AP, RF Plan will allocate one AM per AP. If you specify a monitor rate larger than the data rate, RF Plan will allocate more than one AM per AP.

Monitor Rates
Use the drop-down menus to select the desired monitor rates for 802.11b/g and 802.11a air monitors.

NOTE—Importing any other file, including XML files from other applications, may produce unpredictable results. Any file you wish to import must be in the C:\Program Files\Alcatel RF Plan\data\ path. You cannot specify any other path in the RF Plan Import Buildings dialog.

Planning Pages

Planning Floors Page
The Planning Floors page enables you to see what the footprint of your floors looks like. You can select or adjust the following features on the Planning Floors page.

• Zoom–Use this pull-down menu or type a zoom factor in the text field to increase or decrease the size of the displayed floor area.
• Approximate Coverage Map (select radio type)–Use this pull-down to select a particular radio type for which to show estimated coverage.

Zoom
The Zoom control sets the viewing size of the floor image. It is adjustable in finite steps from 10% to 1000%. You may select a value from the pull-down zoom menu or specify a value in the text box to the left of the pull-down. When you specify a value, RF Plan adjusts the values in the pull-down to display a set of values both above and below the value you typed in the text box.

Coverage Rate
Adjusting the coverage rate will also affect the size of the coverage circles for AMs. Adjusting the rate values will help you understand how the coverage works in your proposed building.

Reading Coverage Maps
Under some conditions, AP or AM signal strengths shown in coverage maps may not be reported accurately. One condition is a single AP or AM in the corner of a building. The coverage map may show the signal strength extending well outside the building.

Floor Editor Page
Click Edit Floor to display the Floor Editor, which allows you to specify the background image and name the floor.

Naming
You may name the floor anything you choose as long as the name is an alphanumeric string with a maximum length of 64 characters. The name you specify appears just to the right of the Floor Number displayed just above the background image in the Planning view.
Area Editor Page
The Area Editor allows you to specify areas on your building's floors where you either do not care about coverage or where you do not want to place an AP or AM. Open the Area Editor by clicking the New link in the Areas field just below the area where the background image is displayed.

Area Editor "New" Link

You specify these areas by placing them on top of the background image using the Area Editor. You may also use the drag-and-drop feature of the Area Editor to drag your area to where you want it and resize it by dragging one or more of the handles displayed in the corners of the area. Don't Care areas are displayed as orange rectangles. Don't Deploy areas are displayed as yellow rectangles.

Access Editor Page
The Access Editor allows you to manually create or modify a suggested access point. You may name an Access Point anything you wish. The name must be comprised of alphanumeric characters and be 64 characters or less in length.

Location
The physical location of the AP is specified by X-Y coordinates beginning at the lower left corner of the display area. The numbers you specify in the X and Y text boxes are whole units. The X coordinates increase as a point moves up the display and the Y coordinates increase as they move from left to right across the display.

802.11 Types
The 802.11 b/g and 802.11a Type drop-down boxes allow you to choose the mode of operation for the access point. You may choose to set the mode of operation to access point (Alcatel AP) or Air Monitor.

802.11 Channels
The 802.11a and 802.11b/g channel drop-down menus allow you to select from the available channels.

NOTE—The available channels will vary depending on the regulatory domain (country) in which the device is being operated.

AP Plan
The AP Plan feature uses the information entered in the modeling pages to locate access points in the building(s) you described.

Initialize
Initialize the algorithm by clicking the Initialize button. This makes an initial placement of the access points and prepares RF Plan for the task of determining the optimum location for each of the APs. As soon as you click the Initialize button you will see the AP symbols appear on the floor plan. Access points are represented by this symbol.

Colored circles around the AP symbols on the floor plan indicate the approximate coverage of the individual AP, and the color of the circle represents the channel on which the AP is operating. The circles appear when you select an approximate coverage value on one of the Floors pages. You may also click on an AP icon and drag it to reposition it manually.

Start
Click the Start button to launch the optimizing algorithm.

The Suggested AP Table lists the coordinates, power, location, power setting, and channel for each of the APs that are shown in the floor plan.

AM Plan
The AM Plan feature calculates the optimum placement for your air monitors (AMs).

Initialize
Initialize the algorithm by clicking the Initialize button. This makes an initial placement of the air monitors and prepares RF Plan for the task of determining the optimum location for each of the AMs.

Viewing the Results
Viewing the results of the AM Plan feature is similar to that for the AP Plan feature. The results of the optimizing algorithm may be viewed in two ways: graphically and in a table of suggested AMs. You may obtain information about a specific AP by placing the cursor over its symbol. An information box appears containing information about the exact location, PHY type, channel, power, etc.
CHAPTER 5 Security Options

Strong network security is an absolute necessity in today's enterprise network environment. There are prying "eyes" everywhere: some want to gain access to your secrets, and some are just plain malicious. Security hinges on two important concepts: encryption of the information traveling on the network, and authentication of users on the network. Together these ensure that only authorized users are using the network and that the data they transmit is strongly encrypted.

Default Open Ports
By default, Alcatel Wireless LAN Switches and Access Points treat ports as untrusted. However, certain ports are open by default. To maintain security, these default open ports are only open on the trusted side of the network. These open ports are listed in Table 5-1 below.
TABLE 5-1 Default (Trusted) Open Ports (Continued)

Port   Protocol   Where Used                                 Description
68     UDP        AP (and Wireless LAN Switch if DHCP        DHCP client
                  server is configured)
69     UDP        Wireless LAN Switch                        TFTP
80     TCP        AP and Wireless LAN Switch                 HTTP. Used for remote packet capture where the capture is saved on the Access Point. Provides access to the WebUI on the Wireless LAN Switch.
123    UDP        Wireless LAN Switch                        NTP
161    UDP        AP and Wireless LAN Switch                 SNMP. Disabled by default.
514    UDP        Wireless LAN Switch                        Syslog
1701   UDP        Wireless LAN Switch                        L2TP
1723   TCP        Wireless LAN Switch                        PPTP
2300   TCP        Wireless LAN Switch                        Internal terminal server opened by the telnet soe command.
3306   TCP        Wireless LAN Switch                        Remote wired MAC lookup.
4343   TCP        Wireless LAN Switch                        HTTPS.
8081   TCP        Wireless LAN Switch                        Used internally for captive portal authentication (HTTPS). Not exposed to wireless users. A default self-signed certificate is installed after the user explicitly selects this port to be open. Users in a production environment are urged to install a certificate from a well known CA such as Verisign.
• Global Firewall Settings
• Advanced
These options are described in this chapter.

User Roles
Role Design
The role of a wireless user determines a number of access policies, including firewall/traffic policies, bandwidth contracts, IP address pool, VLAN assignment, and VPN dialer.
FIGURE 5-2 Add New Role
User role configuration parameters are described in the following sections.
CLI Configuration for User Roles
Sample CLI configuration follows for two different user roles. One is used for IT staff who have full access to the entire network, normally use VPN access, and have no bandwidth limitations. The other role is used for guest users. Guests must reauthenticate every 30 minutes, have a 1Mbps rate limiting policy applied, and have a restricted traffic policy that allows only Internet access.
what came before – at best, ACLs can look at the “SYN” flag in a TCP packet, treating the session as new if the flag is set and treating the session as “established” if it is not. This works for “normal” traffic but is ineffective against many types of attack traffic. Traffic policies in an Alcatel Wi-Fi switch are dynamic, meaning that address information in the rules can change as the policies are applied to users. For example, a traffic policy containing the alias “user” can be created.
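The difference described above, between an ACL that infers "established" from the SYN flag and a stateful firewall that remembers which sessions the inside actually opened, as an added example that is not part of the manual. The trusted subnet, the Packet type and the sample packets are constructed for illustration.

```python
# Added example (not from the AOS-W manual): a SYN-flag-only "established"
# ACL beside a stateful session table.  INSIDE and all packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.1.0.0/16")  # assumed trusted (wired) side


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def is_new_connection(pkt: Packet) -> bool:
    """A TCP segment with SYN set and ACK clear opens a connection."""
    return pkt.syn and not pkt.ack


def acl_established_allows(pkt: Packet) -> bool:
    """Stateless rule: block inbound segments only when they look like a new
    connection; anything without a bare SYN is assumed to be established."""
    if ip_address(pkt.dst) not in INSIDE:
        return True  # outbound traffic is not restricted by this rule
    return not is_new_connection(pkt)


class StatefulFirewall:
    """Tracks sessions opened from the inside and admits only their replies."""

    def __init__(self) -> None:
        self.sessions: set = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allows(self, pkt: Packet) -> bool:
        src_in = ip_address(pkt.src) in INSIDE
        dst_in = ip_address(pkt.dst) in INSIDE
        if src_in and not dst_in:
            if is_new_connection(pkt):
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if dst_in and not src_in:
            # Reply direction: the 4-tuple must match a session the inside opened.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions
        return True  # traffic that never crosses the inside/outside boundary


def compare(packets):
    """Return (acl_decisions, stateful_decisions) for a packet sequence."""
    fw = StatefulFirewall()
    return ([acl_established_allows(p) for p in packets],
            [fw.allows(p) for p in packets])


# Constructed traffic: an outbound connect, its legitimate reply, and an
# unsolicited inbound segment that carries ACK but no SYN.
SAMPLE = [
    Packet("10.1.2.3", 40000, "203.0.113.7", 80, syn=True, ack=False),
    Packet("203.0.113.7", 80, "10.1.2.3", 40000, syn=True, ack=True),
    Packet("198.51.100.9", 1234, "10.1.2.3", 445, syn=False, ack=True),
]

if __name__ == "__main__":
    print(compare(SAMPLE))
```

The third packet is the case the text warns about: the SYN-flag ACL lets it through because it does not look like a new connection, while the session table rejects it because no inside host ever opened that session.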
To edit or delete existing policies, click the appropriate button. Note that some policies are system policies and cannot be deleted. The Policy Usage column will display which user roles currently have a policy applied – if a policy is in use, it cannot be deleted. To delete a policy that is in use, first edit the user role and delete the policy, then return to the policies screen to delete it. To add a new policy, click the Add button.
Network – An IP subnet, consisting of a network number and subnet mask.
Alias – When Alias is selected, allows selection of a pre-defined source/destination alias, or creation of a new one. See the section of this guide entitled “Source/Destination Aliases” for more information on these aliases.

Service
Traffic flows are identified in part by their service type. A service type may be defined by IP protocol number, TCP port number(s), or UDP port number(s).
Src-nat – Changes the source IP address of the packet. If no source NAT pool is specified, the packet will be given the source IP address of the Alcatel switch. If a NAT pool is specified, the packet will be given an IP address from the NAT pool. Add a new NAT pool by clicking New, or manage NAT pools by navigating to Configuration > Security > Advanced > NAT Pools.
Dst-nat – Changes the destination IP address of the packet to that of the Alcatel switch.
FIGURE 5-5 Rule Ordering

CLI Configuration
All CLI configuration for traffic/firewall policies is done under the ip access-list session command.
FIGURE 5-6 Applying Traffic Policies to Ports
To add traffic policies to ports using the CLI, use the following format:
interface fastethernet 2/13
ip access-group guest session

Firewall Policies
This section provides an ordered list of traffic policies applied to the user role. Traffic policies are executed in order, with an implicit “deny all” after the final policy.
“Location” field on this line. See the chapter entitled “Wireless LAN Configuration – Advanced Location-Based AP Configuration” for more information on location codes.
Create New Policy From Existing Policy – Select this option to create a new traffic policy by copying an existing one. The next screen will allow modification of the newly created policy as well as selection of a location code. See the section entitled “Firewall and Traffic Policies” for information on building traffic policies.
Role VLAN ID – This parameter allows the user to be mapped to a particular VLAN based on the role assigned. This parameter only works when using L2 authentication such as 802.1x, MAC address role mapping, ESSID role mapping, or encryption type role mapping, because these happen before an IP address has been assigned. If a user authenticates using a L3 mechanism such as VPN or captive portal, this parameter has no effect.
physical port basis, MAC address ACLs and Ethertype ACLs are both available. All ACL configuration is done through the CLI – because these options are not often used, no GUI configuration is available. ACLs are applied to interfaces using the ip access-group command. The direction of traffic to which the ACL is applied must also be specified, using either the keywords in or out.
permit icmp 1.1.1.0 0.0.0.255 any echo-reply
The example above permits TCP traffic from any host to 1.1.1.1 on ports 67 through 69. It also permits ICMP echo-replies from the 1.1.1.0/24 subnet to any network.

MAC ACLs
A MAC ACL is used to filter on a specific source MAC address or range of MAC addresses. MAC ACLs can be either named or numbered, with valid numbers in the range of 700 to 799 and 1200 to 1299.
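A small evaluator for the standard-ACL syntax used above (wildcard masks, host/any, port ranges, ICMP type names) with the implicit deny at the end, as an added example that is not part of the manual. The first ACL line is reconstructed from the prose description (any host to 1.1.1.1, TCP ports 67 to 69) and is an assumption; the second line is the one printed on the page. Sample packets are constructed.

```python
# Added example (not from the AOS-W manual): parse and evaluate wildcard-mask
# ACL entries.  The tcp line is assumed from the prose; packets are constructed.
import ipaddress

ACL_TEXT = """
permit tcp any host 1.1.1.1 range 67 69
permit icmp 1.1.1.0 0.0.0.255 any echo-reply
"""


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; return ((network, wildcard), next_i).
    A wildcard bit of 1 means "don't care", as in classic ACL syntax."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_acl(text):
    """Return a list of (permit, proto, src_spec, dst_spec, qualifier_tokens)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        rules.append((action == "permit", proto, src, dst, t[i:]))
    return rules


def _addr_match(spec, ip):
    network, wild = spec
    # Setting every "don't care" bit to 1 on both sides leaves only the
    # significant bits to compare.
    return (_ip(ip) | wild) == (network | wild)


def _qual_match(proto, qual, pkt):
    if not qual:
        return True
    if proto in ("tcp", "udp"):
        if qual[0] == "eq":
            return pkt["dport"] == int(qual[1])
        if qual[0] == "range":
            return int(qual[1]) <= pkt["dport"] <= int(qual[2])
    if proto == "icmp":
        return pkt.get("icmp_type") == qual[0]
    return False


def evaluate(rules, pkt):
    """First matching entry decides; no match means the implicit deny."""
    for permit, proto, src, dst, qual in rules:
        if proto not in (pkt["proto"], "ip"):
            continue
        if (_addr_match(src, pkt["src"]) and _addr_match(dst, pkt["dst"])
                and _qual_match(proto, qual, pkt)):
            return permit
    return False


RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    print(evaluate(RULES, {"proto": "tcp", "src": "5.5.5.5", "dst": "1.1.1.1", "dport": 68}))
```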
To configure general authentication server settings, navigate to Configuration > Security > AAA Servers > General, as shown in the figure below.
FIGURE 5-9 AAA General Parameters
Configuration parameters for this section are:
User Idle Timeout – Determines the maximum amount of time a user may remain idle before being deauthenticated and removed from the system. The default is 5 minutes.
FIGURE 5-10 RADIUS Server Configuration
A list of currently configured RADIUS servers appears in this section. To edit or delete an existing server, click the appropriate button. To add a new RADIUS server, click the “Add” button as shown in the figure below.
FIGURE 5-11 Add RADIUS Server
Available configuration parameters when adding a RADIUS server are:
Server Name – Supply a human-readable name for the RADIUS server.
Shared Secret – Each RADIUS client-server pair must use a shared secret. Treat this shared secret as a password, and ensure that it is not an easily-guessed word. Ensure that the shared secret is configured identically on the RADIUS server.
Authentication Port – Specifies the UDP port number over which RADIUS exchanges will take place. The default is 1812 – this value is typically used by most modern RADIUS implementations.
FIGURE 5-12 Add RADIUS Server Rule
Available configuration parameters are:
Rule Type – Specifies if the server rule is used to determine role assignment or VLAN assignment.
Attribute – Specifies a RADIUS attribute that will contain role or VLAN information.
Condition – Specifies how the system will match the attribute. If the condition is set to “value-of”, the contents of the attribute will be treated literally as the role or VLAN assignment.
LDAP
LDAP (Lightweight Directory Access Protocol) is a lightweight protocol for accessing directory services. A directory is a specialized database optimized for searching, reading and browsing. Directories tend to contain descriptive, attribute-based information. LDAP is specifically geared towards X.500 based directory services and runs over TCP/IP.

LDAP Background
The LDAP information model is based on entries, where an entry is a collection of attributes.
FIGURE 5-13 LDAP Directory Structure (figure: a directory tree rooted at dc=Alcatelnetworks,dc=com containing ou=People and ou=Printers, with the user entries uid=jdoe,cn=John Doe and uid=guest,cn=Guest)
An entry at a given level in the directory’s tree structure is identified by a Relative Distinguished Name (or RDN). For example, the RDN of a user “John Doe” in an NIS based organization is “uid=jdoe” or “cn=John Doe”. The attribute that is used to specify the Login ID in the RDN is called the key attribute.
and server is a TCP connection, there is a possibility for a third party to snoop the password from the connection. LDAP supports a more secure connection mechanism through SSL/TLS. There are a number of LDAP server implementations that are deployed by organizations including the OpenLDAP server, the Netscape Directory Server and the Microsoft Active Directory.
Server Name – Specifies a human-readable name to reference the LDAP server.
Host Name/IP Address – Specifies the IP address of the LDAP server.
Authentication Port – The port on which the LDAP server is configured. The default value is 389.
Base DN – The Distinguished Name of the node which contains the entire user database that should be used for user authentication.
Admin DN – A user who has read/search privileges across all the entries in the LDAP database.
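How the key attribute and Base DN above combine into the search that locates a user entry, and why the login ID must be escaped before it is placed in a filter or DN, as an added example that is not part of the manual. The DN components are taken from Figure 5-13; the login IDs below are constructed, and the escaping follows RFC 4515 (filters) and RFC 4514 (DNs).

```python
# Added example (not from the AOS-W manual): build the LDAP search filter and
# entry DN for a login ID under the configured Base DN, with the escaping
# from RFC 4515 / RFC 4514 so that characters in the ID cannot change the
# meaning of the query.  Login IDs are constructed.

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


# RFC 4514 section 2.4: characters that need a backslash inside a DN value.
DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == last and ch == " "
        if ch in DN_SPECIALS or leading or trailing:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(key_attr: str, login_id: str) -> str:
    """Filter used to find the user's entry below the Base DN, e.g. (uid=jdoe)."""
    return f"({key_attr}={escape_filter_value(login_id)})"


def user_dn(key_attr: str, login_id: str, container_dn: str) -> str:
    """DN of the user entry when its RDN is key_attr=login_id under container_dn."""
    return f"{key_attr}={escape_dn_value(login_id)},{container_dn}"


BASE_DN = "dc=Alcatelnetworks,dc=com"   # from Figure 5-13
PEOPLE_DN = "ou=People," + BASE_DN

if __name__ == "__main__":
    print(user_search_filter("uid", "jdoe"))
    print(user_dn("uid", "jdoe", PEOPLE_DN))
```

A login ID such as `*)(uid=*` would, unescaped, turn `(uid=...)` into a filter matching every entry; escaped it only ever matches a literal value.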
authentication type, or the information may be learned from the authentication server through an attribute. Any attribute may be used – the server rule specifies how that attribute is mapped into a role or VLAN. Server rules are executed in order, and multiple server rules may be configured for each authentication server. To add a new server rule, click Add.
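An ordered server-rule evaluator of the kind described above, as an added example that is not part of the manual. The "value-of" condition comes from the page; the "equals" and "contains" conditions, the first-match-per-rule-type behaviour and the reply attribute contents are assumptions made for this example. The attribute names used (Filter-Id, Tunnel-Private-Group-Id) are standard RADIUS attributes.

```python
# Added example (not from the AOS-W manual): derive role and VLAN from RADIUS
# reply attributes by walking server rules in order.  "value-of" is from the
# manual; "equals"/"contains", first-match-per-type and the sample attributes
# are assumed for this example.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ServerRule:
    rule_type: str                      # "role" or "vlan"
    attribute: str                      # RADIUS attribute carrying the information
    condition: str                      # "value-of", "equals" or "contains"
    match_value: Optional[str] = None   # compared against for equals/contains
    set_value: Optional[str] = None     # role or VLAN assigned when matched


def _rule_result(rule: ServerRule, attrs: dict):
    """Return the role/VLAN this rule yields for attrs, or None if it does not match."""
    if rule.attribute not in attrs:
        return None
    actual = attrs[rule.attribute]
    if rule.condition == "value-of":
        return actual                    # attribute contents used literally
    if rule.match_value is None:
        return None
    if rule.condition == "equals" and actual == rule.match_value:
        return rule.set_value
    if rule.condition == "contains" and rule.match_value in actual:
        return rule.set_value
    return None


def apply_server_rules(rules, attrs, defaults):
    """Evaluate rules in order; the first match of each rule type wins and an
    unmatched type keeps the configured default role / VLAN."""
    result = dict(defaults)
    decided = set()
    for rule in rules:
        if rule.rule_type in decided:
            continue
        value = _rule_result(rule, attrs)
        if value is None:
            continue
        if rule.rule_type == "vlan":
            if not value.isdigit():
                continue                # a non-numeric VLAN value cannot be applied
            value = int(value)
        result[rule.rule_type] = value
        decided.add(rule.rule_type)
    return result


# Constructed rule set: contractors get the guest role, anyone else takes the
# role named in Filter-Id, and the VLAN comes from Tunnel-Private-Group-Id.
RULES = [
    ServerRule("role", "Filter-Id", "equals", "contractor", "guest"),
    ServerRule("role", "Filter-Id", "value-of"),
    ServerRule("vlan", "Tunnel-Private-Group-Id", "value-of"),
]
DEFAULTS = {"role": "employee", "vlan": 1}

if __name__ == "__main__":
    print(apply_server_rules(RULES, {"Filter-Id": "staff", "Tunnel-Private-Group-Id": "20"}, DEFAULTS))
```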
Internal Authentication Database
AOS-W supports an internal authentication database that can be used when an external authentication server is unavailable or undesirable. This database is available when using VPN, captive portal, or MAC-based authentication. 802.1x requires an external RADIUS server, and is not capable of utilizing the internal database.
Accounting
AOS-W supports standard RADIUS accounting for tracking user login/logout times. Accounting will track logins accurately, but logouts may not be tracked accurately since the user may roam out of range without logging out. To configure accounting, navigate to Configuration > Security > AAA Servers > Accounting, as shown in the figure below.
FIGURE 5-17 RADIUS Accounting
Configuration parameters are:
Enable Accounting – Specifies whether or not accounting will be enabled.
Once an authentication method has been enabled on the switch, it is automatically available for all ESSIDs configured on that switch.

802.1x Authentication
802.1x is an IEEE standard designed to provide authentication before any L2 access to the network is permitted. 802.1x provides a framework inside of which multiple authentication protocols may operate.
To configure 802.1x, navigate to Configuration > Security > Authentication Methods > 802.1x as shown in the figure below.
FIGURE 5-18 802.1x Configuration
To enable 802.1x authentication with minimal configuration:
1. Click the “Enable Authentication” checkbox.
2. Select a default role.
3. Add an authentication server.
Available configuration parameters are:
Default Role – If a client authenticates using 802.
Authentication Failure Timeout – After authentication fails, the 802.1x state machine enters a quiet period specified by this value, during which the authenticator will make no attempt to acquire the supplicant. The value can be between 1-65535 seconds. The default is 30 seconds.
Client Retry Count – Sets the maximum number of attempts the switch will make to authenticate a supplicant. The value can be between 0 and 10. The default value is 3.
The equivalent CLI configuration for the example above is:
aaa dot1x default-role "employee"
aaa dot1x mode enable
dot1x server server-timeout 30
dot1x timeout idrequest-period 30
dot1x timeout quiet-period 30
dot1x max-req 3
dot1x server server-retry 2
dot1x re-authentication
dot1x timeout reauthperiod 3600
dot1x multicast-keyrotation
dot1x timeout mcastkey-rotation-period 1200
dot1x unicast-keyrotation
dot1x timeout ucastkey-rotation-period 240
aaa dot1x max-authentication-failures 0
802.
VPN Authentication
When the use of IPSec or PPTP is desired, Alcatel switches provide full VPN termination capabilities using hardware acceleration. All encryption protocols are run in hardware, with encryption hardware being appropriately sized to handle a full load of access points. The majority of VPN settings are configured under a dedicated VPN section below.
aaa vpn-authentication auth-server Internal
aaa vpn-authentication max-authentication-failures 0

Captive Portal Authentication
Captive portal authentication allows a wireless client to authenticate using a web-based portal. Captive portal authentication can be done over SSL, but provides no encryption for user data once authentication has taken place. Therefore, it should be used in environments where encryption is not required, such as when providing Internet access for guest users.
Enable Guest Logon – When this option is selected, the captive portal page will display a field for guest users to enter their email address. The email address is not validated or authenticated, but can be used to keep track of user identity. When a user enters an email address in the guest logon field, the switch will assign the “guest” role to the user.
aaa captive-portal default-role "employee"
aaa captive-portal guest-logon
aaa captive-portal user-logon
aaa captive-portal logout-popup-window
no aaa captive-portal protocol-http
aaa captive-portal redirect-pause 10
aaa captive-portal logon-wait range 5 10
aaa captive-portal logon-wait cpu-utilization 60
aaa captive-portal max-authentication-failures 0
aaa captive-portal auth-server Internal

MAC Address Role Mapping
MAC Address “Role Mapping” provides identification of clients based on MAC addre
Default Role – If a client is identified by MAC address, and the authentication server does not provide role information, the default role will be given to the client.
Authentication Failure Threshold for Station Blacklisting – If a station fails MAC address authentication by this number of times in a row, the station will be “blacklisted” and will not be allowed to associate to the network. Enter 0 to disable blacklisting.
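The counting behind the blacklisting threshold above, as an added example that is not part of the manual: only consecutive failures count, a success resets the streak, and a threshold of 0 disables blacklisting. The class name, its methods and the sample MAC addresses are constructed for this example.

```python
# Added example (not from the AOS-W manual): consecutive-failure counting for
# a station blacklist threshold.  Class and sample addresses are constructed.
from typing import Dict, Set


class MacAuthTracker:
    """Tracks MAC authentication outcomes per station and blacklists a station
    once it fails `threshold` times in a row (0 disables blacklisting)."""

    def __init__(self, threshold: int) -> None:
        if threshold < 0:
            raise ValueError("threshold must be 0 (disabled) or a positive count")
        self.threshold = threshold
        self.failures: Dict[str, int] = {}   # mac -> consecutive failures
        self.blacklist: Set[str] = set()

    def record_failure(self, mac: str) -> bool:
        """Record one failed attempt; return True if it triggers blacklisting."""
        self.failures[mac] = self.failures.get(mac, 0) + 1
        if self.threshold > 0 and self.failures[mac] >= self.threshold:
            self.blacklist.add(mac)
            return True
        return False

    def record_success(self, mac: str) -> None:
        """A success breaks the "in a row" streak; it does not un-blacklist."""
        self.failures.pop(mac, None)

    def may_associate(self, mac: str) -> bool:
        return mac not in self.blacklist


def simulate(threshold: int, outcomes):
    """Replay (mac, succeeded) events; return the set of blacklisted stations."""
    tracker = MacAuthTracker(threshold)
    for mac, ok in outcomes:
        if ok:
            tracker.record_success(mac)
        else:
            tracker.record_failure(mac)
    return tracker.blacklist


# Constructed event stream: station A fails twice, succeeds, then fails three
# times; station B fails twice only.
EVENTS = [("00:11:22:aa:aa:aa", False), ("00:11:22:aa:aa:aa", False),
          ("00:11:22:aa:aa:aa", True),
          ("00:11:22:bb:bb:bb", False), ("00:11:22:bb:bb:bb", False),
          ("00:11:22:aa:aa:aa", False), ("00:11:22:aa:aa:aa", False),
          ("00:11:22:aa:aa:aa", False)]

if __name__ == "__main__":
    print(simulate(3, EVENTS))
```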
FIGURE 5-23 Stateful 802.1x Configuration
Available configuration parameters are:
Authentication Enabled – Enables or disables stateful 802.1x authentication.
Default Role – If a client authenticates using stateful 802.1x, and the authentication server does not provide role information, the default role will be given to the client.
Request/Response Timeout – Specifies the maximum time to wait for a response from the RADIUS server after seeing a RADIUS request from the AP.
FIGURE 5-24 Stateful 802.1x AP/Server Configuration
Available configuration parameters are:
Configuration Name – Choose a human-readable name to identify the third-party AP.
IP Address – Specify the IP address of the third-party AP.
RADIUS Server – Choose the RADIUS server with which the third-party AP will communicate.
Key – Specify the RADIUS secret used between the third-party AP and the RADIUS server.
FIGURE 5-25 SSID Role Mapping
Available configuration options are:
Condition – Specifies how the value should be matched.
Value – Specifies the SSID that should be matched.
Role Name – Specifies the role that will be applied when the SSID is matched.
bypassed, this method should always be combined with a firewall policy. To configure encryption type role mapping, navigate to Configuration > Security > Authentication Methods > L2 Encryption as shown in the figure below.
FIGURE 5-26 Encryption Type Role Mapping
Available configuration options are:
Condition – Specifies how the value should be matched.
Value – Specifies the encryption type that should be matched.
Configuring VPN Settings
When the use of IPSec or PPTP is desired, Alcatel switches provide full VPN termination capabilities using hardware acceleration. All encryption protocols are run in hardware, with encryption hardware being appropriately sized to handle a full load of access points. Additionally, built into each switch is a “VPN dialer” Windows application that pre-configures supported Windows systems to work with Alcatel VPN services.
FIGURE 5-27 IPSec Configuration
Available configuration parameters are:
Enable L2TP – Enables termination of L2TP/IPSec tunnels. This is required when supporting native Windows 2000/XP VPN clients.
Authentication Protocols – Configures which authentication protocols will be allowed. The client, Alcatel switch, and backend RADIUS server must all support at least one of these authentication protocols. Generally, it is safe to leave all protocols enabled.
Address Pools – IPSec tunnel endpoints are assigned IP addresses. The Alcatel switch endpoint will always use the switch IP address, while client addresses are assigned from a pool. To add a new address pool, click the Add button and fill in the pool name and the starting and ending addresses for the pool. Multiple pools may be configured.
Enable Source NAT – If the address range included in the VPN address pool is not routable by the rest of the network, source NAT can be enabled.
crypto isakmp policy 10
authentication pre-share

PPTP
PPTP provides an alternative to IPSec that is supported by MacOS, Linux, PocketPC, Windows 2000, Windows XP, and many other platforms. PPTP is considered to be less secure than IPSec, but also requires less configuration. To configure PPTP, navigate to Configuration > Security > VPN Settings > PPTP as shown in the figure below.
Primary/Secondary DNS Server – Configures the list of DNS servers that will be passed to clients after authentication. These parameters are optional.
Primary/Secondary WINS Server – Configures the list of WINS servers that will be passed to clients after authentication. These parameters are optional.
Address Pools – PPTP tunnel endpoints are assigned IP addresses. The Alcatel switch endpoint will always use the switch IP address, while client addresses are assigned from a pool.
As shown in the figure, two VPN dialers are currently configured. “Default-dialer” is pre-configured by the system, while “test” was added manually. Each dialer can be applied to a particular user role, and multiple user roles may use the same dialer. To add a new VPN dialer, click the Add button. Dialer parameters are shown as in the figure below.
Disable Wireless Devices when Client is Wired – Allows the VPN dialer to detect when a wired network connection is in use. If this option is enabled, the wireless interface will be shut down while a wired connection exists.
Enable SecurID New and Next Pin Mode – TBC
Authentication – Specifies the list of authentication protocols to be supported. This list should match the switch IPSec or PPTP configuration, and should also contain at least one protocol supported by the authentication server.
IPSec Hash Algorithm – Specifies the hash algorithm used by IPSec. The default is to use SHA.
The equivalent CLI configuration for the example above is:
ip access-list session vpn-dst-nat
  any host 1.2.3.4 svc-ike dst-nat
  any host 1.2.3.4 svc-esp dst-nat
  any host 1.2.3.4 svc-l2tp dst-nat
user-role logon
  session-acl vpn-dst-nat position 1

Advanced Authentication
To configure advanced authentication options, select Configuration > Security > Authentication Methods > Advanced Authentication.
Condition – Specifies the logical relationship.
Value – Specifies the rule type value.
Role Name – The role name description.
To add the new condition, click Apply.

SecurID Token Caching
SecurID Token Caching allows the Alcatel switch to cache SecurID tokens when the user logs in for the first time. For a configurable time interval after initial authentication, the switch will use the cached token any time a user loses and then reestablishes a VPN link.
Adding IPSec Transform Sets
To create IPSec transform sets, click Add. The Add Transform Set screen appears, where:
Transform Set Name – The name of the transform set.
Encryption – Specifies the type of encryption to be applied.
Hash Algorithm – Specifies the type of hash to be applied.
To add the new transform set, click Apply.

Firewall Settings
To configure global firewall settings select Configuration > Security > Firewall Settings.
where:
Monitor Ping Attack – Monitors incoming pings.
Monitor TCP SYN Attack – Monitors SYN attacks.
Monitor IP Session Attack – Monitors IP session attacks.
Prevent L2 Bridging between Wireless Users – Prevents wireless users from creating ad hoc networks.
Drop All IP Fragments – Deletes all IP fragment packets.
Enforce TCP Handshake Before Allowing Incoming Packets – Requires completion of TCP session negotiation before allowing incoming packets.
Advanced Security Options
Service Aliases
Service aliases aid in policy configuration by applying a human-readable label to protocol numbers or groups of protocol numbers. To manage service aliases, navigate to Configuration > Security > Advanced > Services, as shown in the figure below.
FIGURE 5-36 Service Aliases
To edit or delete an alias, click the appropriate button. To add a new service alias, click Add. The Add Service window is shown in the figure below.
Service Name – A human-readable name to identify the service alias. Default service aliases begin with “svc-” followed by the protocol name. This convention may be used if desired, or a new one may be used.
Protocol – Services can be defined by TCP port numbers, UDP port numbers, or IP protocol number. If a particular service can operate over both TCP and UDP, create two separate service aliases.
User – When a traffic policy containing the “user” alias is applied to an authenticated user, this alias is replaced by the IP address assigned to that user. With this alias, generic traffic policies can be configured that will automatically be customized at the time of user login.
Mswitch – This policy represents the switch IP address (loopback address or VLAN 1 address) of the Alcatel switch on which the traffic policy is running.
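The alias substitution described above, followed by the ordered first-match evaluation with the implicit "deny all" from the Firewall Policies section, as an added example that is not part of the manual. The guest policy, the service alias table (svc-dhcp, svc-dns, svc-http, svc-https) and the addresses are constructed for this example; only the "svc-" naming convention, the "user" and "mswitch" aliases and the implicit deny come from the page.

```python
# Added example (not from the AOS-W manual): specialise a generic traffic
# policy with the "user" and "mswitch" aliases at login, then evaluate it
# first-match with an implicit deny.  Policy, services and addresses are
# constructed for this example.
from ipaddress import ip_address, ip_network

# Assumed service aliases following the manual's "svc-" convention: (proto, port)
SERVICES = {
    "svc-dhcp": ("udp", 67),
    "svc-dns": ("udp", 53),
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
    "any": None,
}

# A guest policy as written in the role: (source, destination, service, action).
# It keeps guests off the switch itself while allowing Internet access.
GUEST_POLICY = [
    ("user", "any", "svc-dhcp", "permit"),
    ("user", "any", "svc-dns", "permit"),
    ("user", "mswitch", "any", "deny"),
    ("user", "any", "svc-http", "permit"),
    ("user", "any", "svc-https", "permit"),
]


def bind_policy(policy, user_ip: str, switch_ip: str):
    """Replace the dynamic aliases with this user's address and the switch address."""
    subst = {"user": user_ip, "mswitch": switch_ip}
    return [(subst.get(s, s), subst.get(d, d), svc, act) for s, d, svc, act in policy]


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    return ip_address(ip) in ip_network(spec, strict=False)


def _service_match(svc: str, pkt: dict) -> bool:
    entry = SERVICES[svc]
    return entry is None or (pkt["proto"], pkt["dport"]) == entry


def evaluate(bound_policy, pkt: dict) -> bool:
    """First matching rule decides; falling off the end is the implicit deny."""
    for src, dst, svc, act in bound_policy:
        if (_addr_match(src, pkt["src"]) and _addr_match(dst, pkt["dst"])
                and _service_match(svc, pkt)):
            return act == "permit"
    return False


USER_IP, SWITCH_IP = "10.1.1.5", "10.1.1.1"   # constructed
BOUND = bind_policy(GUEST_POLICY, USER_IP, SWITCH_IP)

if __name__ == "__main__":
    print(evaluate(BOUND, {"src": USER_IP, "dst": "203.0.113.7", "proto": "tcp", "dport": 80}))
```

Because the deny rule for the switch address sits before the HTTP permit, the guest can browse the Internet but not the switch's own web interface; a packet from any other address never matches the bound "user" entries and falls to the implicit deny.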
Source/destination aliases contain one or more IP addresses or ranges of IP addresses. To add a new address or address range, click the Add button. Three choices are available:
Host – A single IP address. When entering a single IP address, do not fill in the netmask/range field.
Network – An IP subnet, consisting of a network number and subnet mask.
Range – A range of IP addresses consisting of all sequential addresses between a lower value and an upper value.
Time Range
To define a time range select Configuration > Security > Advanced > Time Range. The Time Range screen appears.
FIGURE 5-40 Time Range
To add a time range, click Add.
FIGURE 5-41 Adding a Time Range
Complete the information requested on the Add Time Range screen and click Apply.

Additional Information
This section contains background information on key concepts discussed in this chapter.
Encryption
Encrypting the transmitted data is only one part of the security process. Although this affords some security, all the common data encryption schemes such as WEP (Wired Equivalent Privacy) have been broken and anyone with the software can read your data in plain text.

IKE (Internet Key Exchange) Encryption
IKE encryption is based on establishing a contract between the two computers (or servers) that are exchanging data.
IPSec
IP was originally developed within a highly restricted, secure network. Therefore, IP did not have security features built in. Once the Internet became a public forum, security became a critical need. This need has been, and continues to be, addressed by the IETF, which has developed a suite of security protocols under the umbrella of IP Security, or IPSec.
The PSK mode uses a pre-shared key (password) which is shared by all clients on the network to establish the initial communication with the access point. After the initial data exchange is complete and the user is authenticated, the key is rotated such that each client uses a different key.
WPA (Wi-Fi Protected Access) Enterprise mode: requires an authentication server and uses RADIUS protocols for authentication and key distribution.
• CHAP
• UNIX Login
• Others
RADIUS authentication is based on the exchange of shared secrets between a client and the authentication server. The client issues an Access Request packet which contains an encrypted shared secret. The server checks to see if it has a shared secret for the client; if not, the packet is silently dropped. If it has a shared secret for the client, the shared secret in the decrypted packet is compared to the shared secret stored on the server.
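How the RADIUS shared secret is actually used on the wire, as an added example that is not part of the manual: RFC 2865 never sends the secret itself; it keys the MD5 chain that hides the User-Password attribute in an Access-Request (section 5.2) and the Response Authenticator with which the server proves it knows the same secret (section 3). The secret, password and Request Authenticator values below are constructed for the example.

```python
# Added example (not from the AOS-W manual): RFC 2865 User-Password hiding and
# Response Authenticator computation, both keyed by the shared secret.
# Secret, password and Request Authenticator below are constructed.
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side (RFC 2865 5.2): split the zero-padded password into 16-byte
    blocks p_i and emit c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = the
    Request Authenticator.  The secret never appears in the output."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        c = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + c, c
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse the chain with its copy of the secret, then drop
    the zero padding (RADIUS passwords do not contain NUL octets)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    return out.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The client recomputes this to check the reply came from a server holding the secret."""
    length = (20 + len(attributes)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, identifier]) + length + request_auth
                       + attributes + secret).digest()


def new_request_authenticator() -> bytes:
    """Fresh 16-octet random value per request, as the RFC requires."""
    return os.urandom(16)


# Constructed values for a deterministic demonstration.
SECRET = b"s3cret-shared-with-nas"
REQUEST_AUTH = bytes(range(16))
PASSWORD = b"correct horse battery"      # 21 octets -> two 16-octet blocks

if __name__ == "__main__":
    hidden = hide_password(PASSWORD, SECRET, REQUEST_AUTH)
    print(hidden.hex())
    print(unhide_password(hidden, SECRET, REQUEST_AUTH))
```

Because the Request Authenticator changes per request and the password blocks are chained, the same password hides to a different value every time; a server with a mismatched secret recovers garbage, which is the failure mode seen when the secret is not configured identically on both sides.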
• Microsoft Windows Mobile 203/CE 4.2 with built-in L2TP/IPSec VPN support (PDA)
• Apple MacOS 10.x with built-in PPTP and L2TP/IPSec VPN support
• PalmOS 5.x with built-in PPTP VPN
• Mergic PPTP VPN for PalmOS 3.5—4.x
• Movian VPN for PalmOS 3.5—5.x
• Movian VPN for Microsoft Windows Mobile/CE
• Linux VPNC

Configuring L2TP and IPSec
This procedure applies to configuring L2TP/IPSec on Windows 2003 PDAs. To configure L2TP/IPSec for generic Windows 2003 PDAs:
1.
If you have a proxy server:
• Navigate to Settings > Connections > Set up my proxy server.
• Follow the on-screen instructions.
At this point, if you have wireless connectivity, you should be able to click on the icon at the top of the screen with the two arrows pointing left and right next to the speaker icon.
13. Select Connect VPN. You should be connected and everything should be working.
NOTE—With AOS-W 2.
PART 3 Switch Configuration
CHAPTER 6 Common Tasks

Basic Network Configuration
VLANs
Virtual Local Area Networks (VLANs) are used to divide LAN traffic into manageable broadcast domains. Using VLANs, the LAN can be divided into smaller, logical networks, such as to segregate wireless traffic from the rest of the LAN. VLANs are created in two parts: first the network interface for the VLAN must be defined on the switch, and then physical switch ports must be added to the VLAN.
3 Provide a routing interface for the VLAN.
(Alcatel) (config) # interface vlan 2
(Alcatel) (config-subif)# ip address 172.16.2.254 255.255.255.0
4 Set the DHCP server for relaying DHCP requests for the interface:
(Alcatel) (config-subif)# ip helper-address 172.16.14.9
If the DHCP server is on the same subnet as the VLAN interface, then you do not need to create an IP helper address.
5 Enable the interface and exit the sub-mode.
2 Set the port for access to the VLAN.
(Alcatel) (config-if)# switchport access vlan 2
3 Define whether the port is trusted (LAN) or untrusted (wireless). If connected to the trusted LAN (to an upstream router for example), enter the following:
(Alcatel) (config-if)# trusted
Otherwise, if a port is connected to wireless access points, skip this step.
4 Enable the port interface and exit the sub-mode.
• max-age – Set the spanning tree maximum age interval.
• priority – Set the spanning tree priority level.

Per Interface Spanning Tree
Per interface spanning tree is configured from the interface sub-mode:
(Alcatel) (config)# interface /
(Alcatel) (config-if)# spanning-tree
Where the following options can be configured:
• cost – Set the interface’s spanning tree path cost.
1 Save any current configuration changes.
(Alcatel) # write memory
Saving Configuration...
Saved Configuration
2 Determine the name of the current configuration file.
(Alcatel) # show boot
Config File: default.cfg
Boot Partition: PARTITION0
In this example, default.cfg is the name of the configuration file.
3 Copy the configuration to a new file. The format for the CLI command is:
copy flash: flash:
For example:
(Alcatel) # copy flash: default.
For example:
(Alcatel) # copy flash: default.cfg tftp: 10.5.10.21 default.cfg
Here, the configuration file is downloaded to a TFTP server with IP address 10.5.10.21.
NOTE—A placeholder file with the destination filename must exist on the FTP or TFTP server prior to executing the copy command.

Restoring the Configuration File
To restore a backup configuration file, copy the backup over the original source.
Upgrading the AOS-W Software
The Alcatel AOS-W software can be upgraded as new releases become available.
1 Obtain a valid Alcatel Wireless LAN Switch software image. Contact Alcatel Customer Support for software availability. In this example, the file OmniAccess 6000_2.0.6.0 holds the new software image.
2 Upload the new software image to an FTP or TFTP server on your network and verify the network connection. Place the software image file in the root directory of your FTP or TFTP server.
Use the following command to check the memory partitions:
(Alcatel) # show image version
----------------------------------
Partition          : 0:0 (/dev/hda1) **Default boot**
Software Version   : 1.0.0.0
Build number       : 1654
Built on           : Tue Apr 15 04:52:19 PDT 2003
----------------------------------
Partition          : 0:1 (/dev/hda2)
/dev/hda2: Image not present
----------------------------------
Partition          : 1:0 (/dev/hdc1)
Not plugged in.
6 Verify that the new image is loaded. Use the following command to check the memory partitions:
(Alcatel) # show image version
----------------------------------
Partition          : 0:0 (/dev/hda1)
Software Version   : 1.0.0.0
Build number       : 1654
Built on           : Tue Apr 15 04:52:19 PDT 2003
----------------------------------
Partition          : 0:1 (/dev/hda2) **Default boot**
Software Version   : 1.5.0.
8 When the boot process is complete, verify the upgrade.
(Alcatel) # show version
Switch version
Alcatel Switch Operating System Software.
AOS Switch Software (MODEL: Alcatel6000), Version 2.4.0.0
Website: http://www.alcatel.com/enterprise
Copyright (c) 2003 by Alcatel, Inc.
Compiled on Wed Apr 23 17:34:31 PDT 2003 (#412) by p4build
ROM: System Bootstrap, Version CPBoot 1.0.
Reset Configuration to Defaults
Under some conditions, like when reassigning a switch to a new environment, it may be helpful to first return the switch configuration to its factory default state. Use the following procedure to reset the switch configuration.
1 Log in as the administrator and enter privileged mode.
2 Erase the switch configuration.
OmniAccess Reference: AOS-W System Reference 134 Part 031652-00 May 2005
CHAPTER 7 Air Management This chapter explains the main elements of wireless intrusion prevention. Alcatel Access Points (AP60, AP61, and AP70) support Air Monitor functionality in a wide range of configurations including:
• Static Access Point (AP) configuration
• Static Air Monitor (AM) configuration
• Access Point Monitor (APM) configuration, in which the device acts as an AM until it is needed to take over for a failed AP.
Wireless LAN Classification The WMS continually monitors wireless traffic to detect any new AP or wireless client station that tries to connect to the network. When an AP or wireless client is detected, it is classified, and its classification determines the security policies that are enforced on the device.
Wireless Client Station Classifications A wireless client station (STA) is classified as one of the following:
• Valid STA (VSTA): A station that is part of the enterprise. When an interfering station is seen receiving 802.11 data frames from a valid AP (VAP) that are either 802.11-encrypted, or 802.11-unencrypted but VPN-encrypted, it is reclassified as a VSTA.
• Interfering STA (ISTA): A station that is not part of the enterprise. Every new STA is initially marked as an ISTA.
Wired-Side MAC Addresses If an AM is segregated from the LAN (by a firewall, for example), it cannot use LAN information to help classify APs. In such a configuration, MAC addresses from the LAN can be entered manually as follows:
(Alcatel) (wms) # wired-mac mode {enable|disable}
Protect Unsecure AP If this policy is enabled, WMS prevents any wireless client station from accessing the Wireless LAN by connecting through an unsecure AP (UAP).
• Valid channel list for 802.11a channels:
(Alcatel) (wms) # valid-11a-channel mode {enable|disable}
• Valid channel list for 802.
Enabling the Policy Once the reserved channels are defined, the protection policy can be configured as follows:
(Alcatel) (wms) # ap-policy protect-mt-channel-split {enable|disable}
Protect Multi-Tenancy SSID Split If the AM detects an IAP with an SSID that is in the valid SSID list and this policy is enabled, the AM will perform denial of service against the IAP.
Use the following commands to configure watermarks.
STA Impersonation Detection If the AM detects two stations with the same MAC address while this policy is enabled, a syslog event is generated.
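The following is an added example, not AOS-W or WMS code, that models two of the rules above together: the VSTA/ISTA classification from the Wireless Client Station Classifications section, and the STA impersonation check. All observation records, Air Monitor names, BSSIDs and client MACs are constructed for the example, and the impersonation heuristic (a MAC that bounces between two BSSIDs inside a short window) is one way to detect "two stations with the same MAC address", not a description of the WMS internals.

```python
"""Added example (not AOS-W/WMS code): a small model of the STA classification
rules and of the STA impersonation check. Observation records, Air Monitor
names, BSSIDs and client MACs are constructed for the example."""
from collections import namedtuple

VAP = "02:0b:86:00:00:01"    # constructed BSSID classified as a valid AP
ROGUE = "02:00:00:00:00:99"  # constructed BSSID that is not an enterprise AP
VALID_APS = {VAP}

# am: Air Monitor that saw the frame; ts: seconds; ftype: "data" or "mgmt";
# encrypted: 802.11 Protected Frame bit set; vpn: cleartext 802.11 carrying VPN traffic
Observation = namedtuple("Observation", "am ts bssid sta ftype encrypted vpn")


def classify_stas(observations):
    """Every new STA starts as ISTA and becomes VSTA once it is seen exchanging
    data frames with a VAP that are 802.11-encrypted or VPN-encrypted."""
    classes = {}
    for o in observations:
        classes.setdefault(o.sta, "ISTA")
        if o.ftype == "data" and o.bssid in VALID_APS and (o.encrypted or o.vpn):
            classes[o.sta] = "VSTA"
    return classes


def detect_impersonation(observations, window=5.0):
    """Return (sta, bssid_a, bssid_b) for a MAC that moves A->B->A within
    `window` seconds. A genuine roam moves once; two radios sharing one MAC
    interleave their frames, so the MAC appears to bounce between BSSIDs."""
    last, previous, events = {}, {}, []
    for o in sorted(observations, key=lambda x: x.ts):
        if o.sta in last:
            last_ts, last_bssid = last[o.sta]
            if last_bssid != o.bssid:
                if previous.get(o.sta) == o.bssid and o.ts - last_ts <= window:
                    events.append((o.sta, last_bssid, o.bssid))
                previous[o.sta] = last_bssid
        last[o.sta] = (o.ts, o.bssid)
    return events


SAMPLE = [  # constructed observations from two Air Monitors
    Observation("am1", 0.0, VAP, "00:11:22:33:44:55", "data", True, False),
    Observation("am1", 0.5, VAP, "aa:bb:cc:dd:ee:01", "mgmt", False, False),
    Observation("am1", 1.0, VAP, "aa:bb:cc:dd:ee:02", "data", False, True),
    Observation("am2", 2.0, ROGUE, "aa:bb:cc:dd:ee:03", "data", True, False),
    Observation("am1", 3.0, VAP, "00:11:22:33:44:55", "data", True, False),
    Observation("am2", 3.5, ROGUE, "00:11:22:33:44:55", "data", False, False),
    Observation("am1", 4.0, VAP, "00:11:22:33:44:55", "data", True, False),
]

if __name__ == "__main__":
    for sta, cls in sorted(classify_stas(SAMPLE).items()):
        print(sta, cls)
    for sta, a, b in detect_impersonation(SAMPLE):
        print("impersonation:", sta, "seen on", a, "and", b)
```

Note the false-positive source: a client that genuinely flaps between two APs within the window looks the same as two radios sharing one MAC, so a production check should also compare what the two "stations" do not share (sequence numbers, capability fields, signal strength as seen by one AM) before generating the syslog event.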
Global Policies Weak WEP If the AM detects a station or AP encrypting 802.11 frames with weak WEP and this policy is enabled, a syslog event is generated. The policy is configured as follows:
(Alcatel) (wms) # global-policy detect-bad-wep {enable|disable}
Interference Detection WMS can be used to detect interference near a wireless client station or AP based on an increase in the Frame Receive Error Rate and Frame Fragmentation Rate.
generated. No new events are generated until the statistic value falls below the low watermark. If a statistic watermark value is set to 0, event generation is disabled for that statistic. Statistics events can be generated for the following:
• Frame Retry Rate (FRR): Generated for APs and valid wireless client stations.
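The high/low watermark behaviour just described, as an added example that is not AOS-W code: one event when a statistic reaches the high watermark, nothing further until it has dropped below the low watermark, and a high watermark of 0 disabling the statistic. The statistic name and the sample Frame Retry Rate values are constructed.

```python
"""Added example (not AOS-W code): WMS statistics-event watermarks with
hysteresis. The statistic name and sample values are constructed."""


class WatermarkMonitor:
    """One event per excursion: fire when the value reaches the high watermark,
    then stay quiet until it has fallen below the low watermark."""

    def __init__(self, name, high, low):
        if high != 0 and low >= high:
            raise ValueError("low watermark must be below the high watermark")
        self.name, self.high, self.low = name, high, low
        self.armed = True

    @property
    def enabled(self):
        return self.high != 0            # a watermark of 0 disables the statistic

    def update(self, value):
        """Return an event string or None for one statistic sample."""
        if not self.enabled:
            return None
        if self.armed and value >= self.high:
            self.armed = False
            return "%s=%s crossed high watermark %s" % (self.name, value, self.high)
        if not self.armed and value < self.low:
            self.armed = True            # re-arm silently; no event for the drop
        return None


def run(monitor, samples):
    """Feed samples in order; return (index, event) for every event raised."""
    events = []
    for i, value in enumerate(samples):
        event = monitor.update(value)
        if event:
            events.append((i, event))
    return events


SAMPLE_FRR = [10, 30, 55, 70, 65, 40, 25, 60, 80]   # constructed retry-rate percentages

if __name__ == "__main__":
    for i, ev in run(WatermarkMonitor("FRR", high=50, low=30), SAMPLE_FRR):
        print("sample", i, ev)
```

With high=50 and low=30 the sample series raises two events (at 55 and again at 60) even though six of the nine samples are above 50; the value 40 at sample 5 does not re-arm the monitor because it is not below the low watermark.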
• Poll interval: This defines the interval in milliseconds for communication between the Alcatel Wireless LAN Switch and the Alcatel Access Points and AMs. The WMS contacts each AP or AM every poll interval to download AP-to-STA associations, push policy configuration changes, and download AP and STA statistics. By default, the interval is set to 60000 milliseconds. This can be set to a lower value if the number of AMs deployed is small.
• Laser beam debug: When an AM generates a laser beam, it impersonates an AP or wireless client station. Normally, it is not possible to determine which AM generated the laser beam by examining the packet. When laser beam debug is enabled, however, the AM places its BSSID in the packet header to assist in debugging.
3 On the Alcatel Wireless LAN switch, configure the AM to send captured packets to the monitoring client station. NOTE—The AiroPeek software cannot issue commands to start the AM sending captured packets. Use the Alcatel Web Interface or CLI instead.
In the capture window, the absolute time stamps that are displayed correspond to the time that the packet was received by the client station. This time is not synchronized in any manner with the time on the Air Monitor. Stopping Packet Capture The AiroPeek application cannot be used to start or stop the flow of packets coming from the Alcatel Air Monitors.
Additional information TBC.
CHAPTER 8 802.1x Client Setup This chapter describes how to configure your wireless client station for 802.1x authentication using the Extensible Authentication Protocol (EAP). The Alcatel Wireless LAN Switch supports the following:
• EAP-PEAP and EAP-TLS under Windows 2000 (see page 152)
• EAP-PEAP and EAP-TLS under Windows XP (see page 160)
• Cisco-PEAP under Windows XP (see page 162)
Additional information can be found at the Microsoft Web site: http://www.microsoft.
PEAP or TLS for Windows 2000 Prepare the Operating System 1 Install Windows 2000 with Service Pack 3. 2 Download and apply Windows 2000 patch Q313664. The required patch can be found at the following Web site: http://www.microsoft.com/windows2000/downloads/recommended/q313664/default.asp Configure the Service 1 Set the wireless service for automatic operation. From the Windows 2000 Control Panel, select Administrative Tools, then Services.
2 If necessary, enable the Wireless Configuration service for automatic startup. If the Wireless Configuration item in the Service window is not already set for automatic startup, right click on the entry and select the properties option from the pop-up menu. The following window appears: Under Startup type, select Automatic from the pull-down menu. If the service has not already been started (as shown under Service status), click on the Start button.
3 Select the Wireless Network Connection properties. From the Windows Start menu, select Control Panel | Network Connections. In the Network Connections window, right-click on the Wireless Network Connection entry and select the properties option from the popup menu.
4 Configure the Association attributes. In the Wireless network properties window, select the Association tab and set the following properties:
• Network Authentication: Select Open from the pull-down menu.
• Data encryption: Select WEP from the pull-down menu.
• The key is provided to me automatically: If using dynamic WEP, check this box. Otherwise uncheck the box and enter the WEP keys manually.
5 Configure the Authentication attributes. NOTE—To configure settings on the Authentication tab, you must be a member of the local Administrators group. In the Wireless network properties window, select the Authentication tab and set the following properties:
• Enable IEEE 802.1x authentication for the network: Check this box to enable 802.1x authentication.
• EAP type: This setting depends on the type of authentication required.
6 Configure the Authentication Properties. Click on the Properties button. Depending on the authentication type selected, one of the following windows appears: If using EAP-PEAP: If using EAP-TLS: Set the following parameters (valid for either authentication type):
• Validate server certificate: Check this box. This verifies that the server certificate presented to your computer is valid and was issued by a trusted certification authority. Leave it checked: without server validation, a rogue access point presenting any certificate can complete the handshake and, with PEAP, capture the client's MS-CHAP v2 credential exchange.
For EAP-PEAP authentication, set the following:
• Enable Fast Reconnect: This enables wireless clients to roam between wireless access points on the same network without being re-authenticated each time they associate with a new access point. To enable fast reconnect (recommended), check this box.
• Select Authentication Method: Set as Secured Password (EAP-MSCHAP V2) and click on the Configure button.
The wireless client station adapter should now use EAP authentication and the following type of message appears: This message indicates the root certification authority for the server's certificate. If this indicates the correct certification authority, click on the OK button to accept the connection. Otherwise, click Cancel. Upon successful logon, the status of your Wireless Network Connection will indicate Authentication succeeded.
PEAP or TLS for Windows XP NOTE—If using Cisco-PEAP with Windows XP, see the instructions on page 162 instead. 1 Install Windows XP with Service Pack 1a. 2 Enable the Wireless Network Connection. From the Windows Start menu, select Control Panel | Network Connections. If not already enabled, right-click on the Wireless Network Connection entry and select the enable option from the popup menu.
3 Select the Access Point for association.
• In the Network Connections window, right-click on the Wireless Network Connection entry and select the properties option from the popup menu.
• From the properties window, select the Wireless Networks tab.
• Select the option to Use Windows to configure my wireless network settings. This will ensure that Windows is in charge of the wireless connection properties.
Cisco-PEAP for Windows XP Presently, only EAP-PEAP is supported with the Cisco ACU for Windows XP. For EAP-TLS, use the Microsoft supplicant as described on page 160. Prepare the Operating System 1 Install Windows XP with Service Pack 1/1a. 2 Install the Cisco ACU (version 5.05.001 and higher) which includes the Cisco-PEAP supplicant.
1 From the Start menu, select Control Panel | Administrative Tools | Services. 2 In the Services window, locate and double-click on the Wireless Zero Configuration item. This will launch the Properties window for the Wireless Zero Configuration service.
3 On the General properties tab, set the Startup type to Automatic. 4 If necessary, start the service by clicking on the Start button. NOTE—If the service is already running, the Start button may not be available. Configure the Cisco ACU The Cisco ACU must be configured to use Host-Based EAP in order to support Cisco-PEAP. Use the following procedure to create a profile with Host-Based EAP.
3 Specify the System Parameters. On the System Parameters tab, specify the following:
• Client Name: Specify the name of the wireless client station (My-Station in this example).
• SSID1: Specify the SSID of the associated AP (My-AP in this example).
• Network type: Select the Infrastructure option.
4 Specify the Network Security parameters. On the Network Security tab, specify the following:
• Network Security Type: Select Host Based EAP from the pull-down menu.
• WEP: Select the Use Dynamic WEP Keys option.
When finished, click the OK button to close the window. 5 In the profile manager, select Use Selected Profile and choose the Office profile.
Configure the Wireless Network Connection 1 Enable the Wireless Network Connection. From the Windows Start menu, select Control Panel | Network Connections. If not already enabled, right-click on the Wireless Network Connection entry and select the enable option from the popup menu.
2 Select the Access Point for association.
• In the Network Connections window, right-click on the Wireless Network Connection entry and select the properties option from the popup menu.
• From the properties window, select the Wireless Networks tab.
• Select the option to Use Windows to configure my wireless network settings. This will ensure that Windows is in charge of the wireless connection properties.
3 Configure the Association attributes. In the Wireless network properties window, select the Association tab and set the following properties:
• Network Authentication: Select Open from the pull-down menu.
• Data encryption: Select WEP from the pull-down menu.
• The key is provided to me automatically: Check this box.
4 Configure the Authentication attributes. NOTE—To configure settings on the Authentication tab, you must be a member of the local Administrators group. In the Wireless network properties window, select the Authentication tab and set the following properties:
• Enable IEEE 802.1x authentication for the network: Check this box to enable 802.1x authentication.
• EAP type: Select Protected EAP (PEAP). NOTE—EAP-TLS is not currently supported using the Cisco ACU.
5 Configure the Authentication Properties. On the Authentication tab, click on the Properties button and set the following:
• Validate server certificate: Check this box. This verifies that the server certificate presented to your computer is valid and was issued by a trusted certification authority. Leave it checked; a client that skips this check will complete the PEAP tunnel with any access point that presents a certificate.
• Connect to these servers: (Optional) Specify whether to connect only if the server resides within a particular domain.
• Trusted Root Certification Authority: Select the appropriate authority.
• Second Phase EAP Type: Select the Generic Token Card option and click on properties. In the Generic Token Card Properties window, select either Static Password or One Time Password (OTP). For OTP (hardware token), the appropriate support must be installed on the Authentication Server (for example: Cisco-ACS + RSA ACE Server Agent).
• Static Password: Select your domain name from the drop-down list (or type it in if applicable).
• OTP: Select either the Hardware Token or Software Token option. If you select Software Token, the Password field on the One Time Password screen becomes the PIN field.
In either case, enter your PEAP authentication user name and password (which are registered with the RADIUS server). When finished, click on the OK button.
In some cases, the following type of message appears: This message indicates the root certification authority for the server's certificate. If this indicates the correct certification authority, click on the OK button to accept the connection. Otherwise, click Cancel.
CHAPTER 9 Basic Switch Configuration This chapter explains how to configure the Alcatel Wireless LAN switch using the AOS-W Command Line Interface (CLI) and the web-based Web UI management tool. The tasks described in this chapter are all found on the Configuration tab of Web UI. General Configuration Configuring the Switch Role The switch role (either master or local) is generally set at the time of initial configuration through the setup dialog.
To set the switch role from the CLI, use the masterip command in configuration mode. If it is configured as 127.0.0.1, the switch is a master. If it is configured as any other value, the switch becomes a local switch.
ip address 10.1.1.1
Mobility Configuration To enable mobility, select the Enable Mobility checkbox. FIGURE 9-3 Mobility Configuration Wi-Fi MUX Configuration An Alcatel switch operating as a Wi-Fi MUX does not perform full Wi-Fi switching functions. Instead, it accepts traffic from ports designated as MUX ports, packages this traffic inside a GRE tunnel, and forwards the traffic back to a central Alcatel switch for processing.
FIGURE 9-4 VLAN Configuration To enable mux ports in the CLI, enter commands in the following format:
interface fastethernet 1/7
muxport
Finally, enable Wi-Fi MUX operation in the GUI by navigating to Configuration > Switch > General. Under the MUX Configuration section, enable MUX operation as shown in the figure below. The MUX Server IP address is the loopback or switch IP address of the MUX Server.
navigate to Configuration > Switch > General and specify them in the MUX VLANs section. In the example below, the MUX Server is configured to terminate VLANs 22 and 23 from remote MUXes. FIGURE 9-5 MUX Server Configuration To configure Wi-Fi MUX operations using the CLI, the corresponding commands are as follows. Please see the CLI Command Reference Guide for more details on these commands.
Setting the 802.11d Regulatory Domain The 802.11d regulatory domain controls which channels and power levels may be used by a radio. The regulatory domain is set at the time of installation using the initial setup dialog. To view the regulatory domain from the GUI, navigate to Configuration > Switch > General.
FIGURE 9-8 NTP Configuration The equivalent CLI configuration for the example above is:
ntp server 172.16.1.25
NOTE—Do not change the time manually after you have started NTP. NTP takes care of any time adjustments automatically. If you manually adjust the time by more than 1024 seconds, NTP will fail because it cannot correct a time discrepancy of this size or larger. Port Configuration To configure physical ports on the Alcatel switch, navigate to Configuration > Switch > Port.
FIGURE 9-9 Port Selection Options Ports may be selected based on their administrative state, operational state, port mode, VLAN association, or trusted state. To select ports based on one of these parameters, click on the appropriate radio button, then select the desired state from the drop-down menu. Ports selected in this way will be shown in the Port Selection section with an X.
To select multiple ports from the CLI, enter commands in the form:
interface range FastEthernet 2/12-23
This will select ports 2/12 through 2/23. Port Configuration Options After one or more ports have been selected, configure the selected port(s) under the Configure Selected Ports section as shown in the figure below. The checkbox on the left side of the window specifies which parameters should be updated (useful when multiple ports have been selected for configuration).
Port Mode – Sets the mode of the port with respect to VLAN tagging. If the port is set to access, untagged frames will be sent and received on the port, and all traffic will be part of a single VLAN. If the port is set to trunk, tagged frames will be sent and received. VLAN
• If the port is set to access mode, a single port-based VLAN will be configured here.
• If the port is set to trunk mode, a native VLAN and a list of allowed VLANs can be configured.
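What the access and trunk port modes above mean for the frames on the wire, as an added example that is not AOS-W code: a minimal 802.1Q tag builder and parser plus a port model that applies the access VLAN, the trunk's native VLAN and its allowed-VLAN list on ingress and egress. Port names, VLAN numbers, MAC addresses and the payload are constructed; the tag layout (TPID 0x8100, 12-bit VLAN ID in the TCI) is the standard one.

```python
"""Added example (not AOS-W code): 802.1Q tagging as seen by access and trunk
ports. Port names, VLANs, MAC addresses and the payload are constructed."""
import struct

TPID_8021Q = 0x8100


def parse(frame):
    """Return (dst, src, vlan or None, ethertype, payload) for an Ethernet frame."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, etype, frame[18:]
    return dst, src, None, etype, frame[14:]


def build(dst, src, etype, payload, vlan=None, pcp=0):
    """Build an untagged frame, or a tagged one when vlan is given."""
    if vlan is None:
        return dst + src + struct.pack("!H", etype) + payload
    tci = (pcp << 13) | (vlan & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, etype) + payload


class Port:
    def __init__(self, name, mode, vlan=1, native=1, allowed=()):
        self.name, self.mode = name, mode
        self.vlan = vlan               # access: the single port-based VLAN
        self.native = native           # trunk: VLAN assigned to untagged frames
        self.allowed = set(allowed)    # trunk: VLANs carried tagged

    def ingress(self, frame):
        """Map a received frame to a VLAN, or return None if the port drops it."""
        vlan = parse(frame)[2]
        if self.mode == "access":
            # an access port expects untagged frames only; real switches differ
            # on what to do with a tagged frame, dropping is the safe choice
            return self.vlan if vlan is None else None
        if vlan is None:
            return self.native
        return vlan if vlan in self.allowed else None

    def egress(self, frame, vlan):
        """Rewrite a frame for transmission on this port in the given VLAN."""
        dst, src, _, etype, payload = parse(frame)
        if self.mode == "access":
            return build(dst, src, etype, payload) if vlan == self.vlan else None
        if vlan == self.native:
            return build(dst, src, etype, payload)        # native VLAN goes untagged
        if vlan in self.allowed:
            return build(dst, src, etype, payload, vlan=vlan)
        return None


# constructed sample frames: broadcast IPv4, placeholder 20-byte payload
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
PAYLOAD = b"\x45" + b"\x00" * 19
UNTAGGED = build(DST, SRC, 0x0800, PAYLOAD)
TAGGED_26 = build(DST, SRC, 0x0800, PAYLOAD, vlan=26)

ACCESS = Port("1/7", "access", vlan=26)                         # constructed ports
TRUNK = Port("1/8", "trunk", native=1, allowed=[1, 22, 23, 26])

if __name__ == "__main__":
    print("access ingress:", ACCESS.ingress(UNTAGGED), ACCESS.ingress(TAGGED_26))
    print("trunk ingress:", TRUNK.ingress(UNTAGGED), TRUNK.ingress(TAGGED_26))
    print("trunk egress vlan 26 tagged:", parse(TRUNK.egress(UNTAGGED, 26))[2])
```

The practical point for a security review is the native VLAN: whatever VLAN is native on a trunk travels untagged, so an access port on that same VLAN and the trunk's untagged traffic are the same broadcast domain, which is why trunks facing untrusted equipment should use a native VLAN that carries nothing else.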
VLAN 1 is the default VLAN. All ports are part of VLAN 1 until configured otherwise. VLAN 1 cannot be deleted. View Current VLAN Configuration To view the current VLAN configuration, navigate to Configuration > Switch > VLAN as shown in the figure below. The current VLANs, along with their IP address parameters and port members, are displayed. To edit an existing VLAN, click Edit. FIGURE 9-12 Current VLAN Configuration The equivalent CLI command is show vlan.
FIGURE 9-13 Adding a New VLAN The equivalent CLI configuration for the example above is:
vlan 26
interface vlan 26
ip address 10.26.1.1 255.255.255.0
ip helper-address 10.4.1.22
Tunnels To configure generic tunnels for the switch, navigate to Configuration > Switch > Tunnels.
FIGURE 9-14 Tunnels To create a tunnel, click Add and define the tunnel. IP Route Configuration Alcatel AOS-W supports configuration of static IP routes. To configure these, navigate to Configuration > Switch > IP Routing. On the OmniAccess 6000, two default routes can be configured – one for the management Ethernet port only, and one for the rest of the switch. On other models, a single default gateway may be configured.
VRRP Configuration AOS-W 2.2 supports redundant switch configurations using Virtual Router Redundancy Protocol (VRRP) as the backup mechanism. Please see the Redundancy Design Guide for more information on creating redundant configurations. NOTE—Alcatel recommends that the redundant master switches be of the same type (for example, OmniAccess 6000 to OmniAccess 6000) and configured with the same version of AOS-W.
Description – An optional description of the VRRP instance that can be used for administrator convenience. IP Address – The virtual IP address that will be created and used by the VRRP instance. This is the IP address that will be redundant – it will be active on the VRRP master, and will become active on the VRRP backup in the event that the VRRP master fails.
The figure below shows a sample VRRP configuration. In this example, the switch has an IP address of 172.16.4.254 configured on VLAN 4. The other switch in the redundant pair also has VLAN 4 configured, with an IP address of 172.16.4.253. The Virtual IP address managed by VRRP is 172.16.4.252. FIGURE 9-17 VRRP Configuration The equivalent CLI configuration is shown below:
vrrp 1
priority 1
authentication Floor2
ip address 172.16.4.
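The following added example, not AOS-W code, shows what the VRRP instance configured above puts on the wire (the RFC 2338 VRRPv2 advertisement sent to 224.0.0.18) and how the master is elected between the two switches. It assumes that "authentication Floor2" configures VRRP simple-text authentication (auth type 1); the second switch's priority and the advertisement interval are constructed for the example.

```python
"""Added example (not AOS-W code): RFC 2338 VRRPv2 advertisement build/parse and
master election for the redundant pair above. Simple-text authentication is
assumed for 'authentication Floor2'; other values are constructed."""
import socket
import struct

VRRP_VERSION, VRRP_ADVERTISEMENT = 2, 1
AUTH_NONE, AUTH_SIMPLE = 0, 1


def inet_checksum(data):
    """Standard 16-bit one's complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid, priority, vips, adver_int=1, auth=None):
    """VRRPv2: ver/type, VRID, priority, count, auth type, interval, checksum,
    virtual IPs, then 8 bytes of authentication data sent in the clear."""
    auth_type = AUTH_SIMPLE if auth else AUTH_NONE
    auth_data = (auth or "").encode()[:8].ljust(8, b"\x00")
    head = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                       vrid, priority, len(vips), auth_type, adver_int, 0)
    body = b"".join(socket.inet_aton(ip) for ip in vips) + auth_data
    return head[:6] + struct.pack("!H", inet_checksum(head + body)) + body


def parse_advertisement(pkt):
    """Decode an advertisement; a valid packet checksums to zero as a whole."""
    vt, vrid, prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != VRRP_ADVERTISEMENT or inet_checksum(pkt) != 0:
        raise ValueError("not a valid VRRPv2 advertisement")
    vips = [socket.inet_ntoa(pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    auth = pkt[8 + 4 * count:16 + 4 * count].rstrip(b"\x00").decode()
    return {"vrid": vrid, "priority": prio, "vips": vips, "adver_int": adver_int,
            "auth_type": auth_type, "auth": auth}


def elect_master(candidates):
    """candidates: {router primary IP: priority}. Highest priority wins; a tie
    goes to the numerically higher primary IP address (RFC 2338 section 6.4.2)."""
    return max(candidates, key=lambda ip: (candidates[ip], socket.inet_aton(ip)))


# values from the configuration above; the peer's priority is constructed
VIP, THIS_SWITCH, PEER = "172.16.4.252", "172.16.4.254", "172.16.4.253"
ADVERT = build_advertisement(vrid=1, priority=1, vips=[VIP], auth="Floor2")

if __name__ == "__main__":
    print(parse_advertisement(ADVERT))
    print("master:", elect_master({THIS_SWITCH: 1, PEER: 1}))
```

The security caveat is visible in the packet itself: the authentication string is carried in clear text in every advertisement, so any host on VLAN 4 can read it and send its own advertisement with a higher priority to take over 172.16.4.252. Treat the VRRP VLAN as a trusted link between the two switches rather than relying on the password.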
2. Follow the rules of operation below. Rules of Operating a Virtual Switch 1. When a single SC is present in the chassis, it will try to use all the line cards present. SC-0 can use any combination of Line Cards (LCs), for example LC-1, LC-2, or LC-3. SC-1 can use any combination of LC-2 and LC-3. 2. When two SCs are present in the chassis, SC-0 is dedicated to LC-2 only and SC-1 is dedicated to LC-3 only. In this case, there are two Gigabits of bandwidth available between each LC and SC pair.
When the reset button is pushed on a SC, it will reset the SC and only the line cards it controls. This also applies to reload and reload-peer-SC commands. On a fully loaded system, each side can be reset/reloaded independently. DHCP Server Configuration IP address assignment for wireless clients is normally done through DHCP, although static addresses can also be used.
FIGURE 9-19 VLAN Pool Configuration A different DHCP pool must be created for each IP subnet for which DHCP services should be provided. DHCP pools are not specifically tied to VLANs – the DHCP server exists on every VLAN. When a DHCP request comes in, the switch examines the origin of the request to determine if it should answer. If the IP address of the VLAN matches a subnet for which the DHCP server is configured, it will answer the request. To add a new DHCP pool, click Add.
ip dhcp pool vlan26-pool
default-router 10.26.1.1
dns-server 192.168.1.10
domain-name net26.test.com
lease 0 8 0
network 10.26.1.0 255.255.255.0
DHCP Excluded Address Configuration If DHCP should specifically exclude some addresses from DHCP assignment, configure them in the excluded address section as shown in the figure below.
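How the pool above is matched to a request and turned into an offer, as an added example that is not AOS-W code: the server answers only on a VLAN whose own address falls inside a configured pool subnet, skips the default router, the VLAN address and any excluded addresses, and converts "lease 0 8 0" (days, hours, minutes) into seconds. vlan26-pool mirrors the configuration above; the second pool, the excluded addresses and the client MACs are constructed.

```python
"""Added example (not AOS-W code): per-subnet DHCP pool selection, excluded
addresses and lease time. vlan26-pool mirrors the page; vlan22-pool, the
excluded addresses and the client MACs are constructed."""
import ipaddress


class Pool:
    def __init__(self, name, network, default_router, dns_server, domain_name,
                 lease=(0, 8, 0)):
        self.name = name
        self.network = ipaddress.IPv4Network(network)
        self.default_router = ipaddress.IPv4Address(default_router)
        self.dns_server, self.domain_name = dns_server, domain_name
        self.lease = lease            # (days, hours, minutes), as in "lease 0 8 0"
        self.leases = {}              # client MAC -> IPv4Address

    def lease_seconds(self):
        days, hours, minutes = self.lease
        return ((days * 24 + hours) * 60 + minutes) * 60


class DhcpServer:
    """The server is present on every VLAN but answers only where the VLAN's
    own address lies inside a configured pool subnet."""

    def __init__(self, pools, excluded=()):
        self.pools = pools
        self.excluded = {ipaddress.IPv4Address(a) for a in excluded}

    def pool_for_vlan(self, vlan_ip):
        ip = ipaddress.IPv4Address(vlan_ip)
        for pool in self.pools:
            if ip in pool.network:
                return pool
        return None

    def offer(self, vlan_ip, mac):
        """Return the offer parameters for a client, or None if not served."""
        pool = self.pool_for_vlan(vlan_ip)
        if pool is None:
            return None               # request arrived on a VLAN without a pool
        if mac not in pool.leases:
            taken = set(pool.leases.values()) | self.excluded
            taken |= {pool.default_router, ipaddress.IPv4Address(vlan_ip)}
            free = next((h for h in pool.network.hosts() if h not in taken), None)
            if free is None:
                return None           # pool exhausted
            pool.leases[mac] = free
        return {"yiaddr": str(pool.leases[mac]),
                "router": str(pool.default_router),
                "dns": pool.dns_server,
                "domain": pool.domain_name,
                "lease": pool.lease_seconds(),
                "pool": pool.name}


SERVER = DhcpServer(
    pools=[Pool("vlan26-pool", "10.26.1.0/24", "10.26.1.1", "192.168.1.10", "net26.test.com"),
           Pool("vlan22-pool", "10.22.1.0/24", "10.22.1.1", "192.168.1.10", "net22.test.com")],
    excluded=["10.26.1.2", "10.26.1.3"],   # constructed excluded addresses
)

if __name__ == "__main__":
    print(SERVER.offer("10.26.1.1", "00:11:22:33:44:55"))   # served from vlan26-pool
    print(SERVER.offer("10.4.1.1", "00:11:22:33:44:66"))    # no pool for this VLAN
```

Excluded addresses are the way to keep statically assigned hosts (printers, the ip helper-address target, monitoring probes) out of the dynamic range; a pool that overlaps such hosts produces duplicate-address faults that look like an attack but are configuration.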
CHAPTER 10 802.1x Configuration Introduction This chapter explains how to configure 802.1x on the switch and how to obtain and install the CA, server, and client certificates used for authentication. Background The IEEE 802.1x standard defines a Layer 2, port-based network access control scheme that provides authenticated network access on Ethernet and wireless networks. A device is denied the ability to transmit and receive data over a switch port if the authentication process is unsuccessful.
Definitions and Common Abbreviations Authentication server An entity that provides an authentication service to an authenticator. This service determines, from the credentials provided by the supplicant, whether the supplicant is authorized to access the services provided by the authenticator. Example: Microsoft IAS is an Authentication Server.
PEAP (Protected EAP) is an authentication protocol that uses TLS to enhance the security of other EAP authentication methods. PEAP for Microsoft 802.1X Authentication Client provides support for EAP-TLS, which uses certificates for both server authentication and client authentication, and Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MS-CHAP v2), which uses certificates for server authentication and password-based credentials for client authentication.
NOTE—To configure an SSID to support 802.1x, set its opmode to dynamicWep or dynamicTkip. Failure to do so will prevent clients from implementing 802.1x. Enter the following commands at an attached terminal or via Telnet to the switch. 1 Login using the appropriate administrator username/password pair 2 Enter the enable mode.
6 Enter Configuration commands, one per line. End with CNTL Z. NOTE—The command reference for this action may be found in “RADIUS Commands” on page 830.
# aaa radius-server ...
The parameters and defaults for this command are:
acctport   Port number used for accounting. Default = 1813
authport   Port number used for authentication. Default = 1812
host       The IP address of the RADIUS server. Default = 0.0.0.0
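What the switch sends to the server configured here, as an added example that is not AOS-W code: a RADIUS Access-Request in the RFC 2865 packet and attribute format, showing how a User-Password is hidden with the shared secret and the request authenticator, and how the Message-Authenticator attribute (RFC 2869) that EAP-Message requests must carry is computed by the NAS and checked by the server. The shared secret, user name, NAS address and EAP payload are constructed; 1812 and 1813 are the port defaults listed above.

```python
"""Added example (not AOS-W code): RADIUS Access-Request construction and
verification (RFC 2865 / RFC 2869). Secret, user, NAS address and EAP
payload are constructed for the example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
AUTH_PORT, ACCT_PORT = 1812, 1813
ATTR = {"User-Name": 1, "User-Password": 2, "NAS-IP-Address": 4,
        "EAP-Message": 79, "Message-Authenticator": 80}


def tlv(attr_type, value):
    """One attribute: Type(1) Length(1, includes the header) Value(<= 253 bytes)."""
    assert len(value) <= 253
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev
    return hidden


def reveal_password(hidden, secret, authenticator):
    """The server side of hide_password (same MD5 chain; XOR is its own inverse)."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        clear += bytes(h ^ b for h, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def build_access_request(ident, secret, username, password=None, eap=None,
                         nas_ip=b"\x0a\x01\x01\x01", authenticator=None):
    """Code(1) Identifier(1) Length(2) Request-Authenticator(16) attributes."""
    ra = authenticator or os.urandom(16)      # fresh random authenticator per request
    attrs = tlv(ATTR["User-Name"], username) + tlv(ATTR["NAS-IP-Address"], nas_ip)
    if password is not None:
        attrs += tlv(ATTR["User-Password"], hide_password(password, secret, ra))
    if eap is not None:                        # 802.1x: EAP carried in 253-byte pieces
        for i in range(0, len(eap), 253):
            attrs += tlv(ATTR["EAP-Message"], eap[i:i + 253])
    attrs += tlv(ATTR["Message-Authenticator"], b"\x00" * 16)   # zero while computing
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def find_attr(pkt, attr_type):
    """Offset of the first attribute of this type (attributes start at byte 20), or -1."""
    i = 20
    while i + 2 <= len(pkt):
        t, length = pkt[i], pkt[i + 1]
        if length < 2:
            break                              # malformed; stop rather than loop
        if t == attr_type:
            return i
        i += length
    return -1


def get_attr(pkt, attr_type):
    i = find_attr(pkt, attr_type)
    return None if i < 0 else pkt[i + 2:i + pkt[i + 1]]


def verify_message_authenticator(pkt, secret):
    """What the server checks first: HMAC-MD5 over the packet with the
    Message-Authenticator value zeroed, compared in constant time."""
    i = find_attr(pkt, ATTR["Message-Authenticator"])
    if i < 0:
        return False
    zeroed = pkt[:i + 2] + b"\x00" * 16 + pkt[i + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[i + 2:i + 18])
```

Two things this makes concrete for the shared secret configured on the switch and on IAS: the User-Password hiding is only as strong as the secret (an attacker who captures the packet can test candidate secrets offline against the MD5 chain), and an Access-Request carrying EAP-Message without a valid Message-Authenticator is to be silently discarded by the server, so a mismatched secret shows up as 802.1x authentications that never complete rather than as an explicit reject.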
Assigning a Server to 802.1x Authentication Each instance of a RADIUS server, as created above, must be explicitly assigned as an authentication server. 1 Verify that the server you created above is enabled as a dot1x authentication server and that it is assigned the correct priority. Type show aaa dot1x .
Assigning Default Roles A role is a broad classification of users and is associated with a specific set of permissions. The role function is a method by which a user may be associated with specific Access Control Lists (ACLs). Create an Access Control List (ACL) Before a role can be created, the ACLs that will be associated with the role must be created. The following procedures will walk you through the process of creating an ACL named TestEmpl-acl and creating a User Role named TestEmployee.
6 Specify any for the source, destination, and port parameters and permit for the action parameter. Type any any any permit Create a User Role In this example we will create a user role and apply the session-acl TestEmpl-acl to that role. 1 Create a user role named TestEmployee.
4 Verify that the authorization server and default roles were correctly assigned. Type show aaa dot1x . The system will display a screen similar to this:
(Alcatel) (config) #show aaa dot1x
Mode = 'Enabled'
Default Role = 'TestEmployee'
Auth Server List
----------------
Pri Name Type   Status  Inservice Applied
--- ---- ----   ------  --------- -------
1   IAS  RADIUS Enabled Yes       1
You may also view the rights that are assigned to the user (TestEmployee). Type show rights TestEmployee .
Configuring the 802.1x State Machine Dot1x CLI Commands This section describes the commands and variables that may be adjusted to tune the 802.1x state machine. In most cases, the default settings should be used. The following is a description of the 802.1x commands used to configure the state machine. Commands in the dot1x group may be reset to their default values or disabled by using the no form of the command as shown below.
Dot1x server The dot1x server commands are used for setting the back-end authentication server configuration. dot1x server server-retry The dot1x server server-retry command sets the number of attempts the switch may make to obtain an authentication from the server. Default: 2 Valid Range: 0 - 3 dot1x server server-timeout The dot1x server server-timeout command sets the delay period between RADIUS requests.
dot1x timeout quiet-period The state machine enters a quiet period when authentication fails. The dot1x timeout quiet-period command sets the time interval during which the authenticator will make no attempt to acquire the supplicant. Default: 60 (seconds) Valid Range: 0 - 65535 dot1x timeout reauthperiod {|server} The dot1x timeout reauthperiod command sets the period between an authorization and the next re-authorization.
802.1x Show Commands This section describes the show commands applicable to 802.1x. show dot1x config The show dot1x config command displays the current values of the 802.1x authenticator's parameters. When the command is executed, the system displays a screen similar to the one below.
show dot1x ap-table The show dot1x ap-table command and its variants display information about access points connected to the switch. When the show dot1x ap-table command is executed, the system displays a screen similar to the one below.
(Alcatel) #show dot1x ap-table list-aps
AP Table
--------
MAC               IP          Essid   Enabled Type
---               --          -----   ------- ----
00:30:f1:71:94:08 10.3.25.253 Alcatel Yes     SAP Static-TKIP
00:30:f1:71:94:08 10.3.25.253 guest   Yes     SAP
00:0b:86:80:24:10 10.
• User Name
• Authentication Status (yes/no)
• AP MAC
• Encryption Key
• Authorization Mode
• EAP type
show dot1x supplicant-info statistics The show dot1x supplicant-info statistics command displays statistical information about each supplicant. When this command is executed, the system returns a screen containing a table that includes the following statistical information about each of the supplicants.
show aaa dot1x The show aaa dot1x command displays which servers are configured for 802.1x authentication, the priority of each server, and the default role assigned to all users authenticated under 802.1x. When the command is executed, the system displays a screen similar to the one below.
Debug Commands The commands in this section are used for debugging the authentication module. Debugging is accomplished through a telnet monitor. A two step process is required to enter the debugging mode. First, enter the configure terminal mode, then enter the debug mode. Exit debugging using the no debug command, see “Debug Commands” on page 831. 1 Enter the configuration command mode. Type configure t The system will display a screen similar to the one shown here.
RF Deauthentication Debugging Using Alcatel Air Management features, Alcatel APs can identify other APs and client stations that violate configured protection policies. The Alcatel APs can also be configured to send deauthentication frames (or laser-beams) to prevent the offending AP or client station behavior (refer to the Alcatel AOS-W User's Guide).
certificate. The client’s certificate is then verified against the CA certificate of the authority which issued it. (Clients do not have to validate the server certificate for 802.1x to function, but a client that skips this check will authenticate to any AP that presents a certificate, so the Validate server certificate option described in Chapter 8 should always be enabled.) Server Certificates and Certificate Verification Similar to client certificates, a server has a certificate which authenticates its identity.
Obtaining A Certification Authority (CA) Certificate CA Certificates are obtained from the corporate CA server. Download the certificate using the following procedure. 1 Open a web browser and point it at the corporate CA server. For example: http:///crtserv The following page should appear in your browser.
2 Select the Retrieve the CA Certificate or certificate revocation list option, then click Next. The following screen should appear in your browser. 3 Click on the Install this CA certification path link.
You may receive one or both of the following warnings. In either case click Yes. The installation should proceed automatically and the following screen should appear.
Obtaining a Server Certificate

The following steps guide you through obtaining and installing an authentication certificate on your server.

1. Open a web browser and point it at the corporate CA server (http:///crtserv). The web page below should appear in your browser window.
2. Select the Request a certificate option, then click Next. The web page below should appear in your browser window.

3. Select Advanced request, then click Next.
The following web page should appear in your browser window.
4. Select the Submit a certificate request to this CA using a form option, then click Next. You may receive one of the security warnings shown below. Click Yes.
The web page form below should appear in your browser window.

5. Enter the following information in the Identity Information section of the form:
• Name (the authentication server’s fully qualified name)
• The administrator’s email address
• The name of the company
• The department within the company to which the server belongs
• The city, state, and country where the company is located
6. Select Server Authentication Server Certificate under the Intended Purpose section.

7. Set the following options under the Key Options section:
• CSP: select the Microsoft Base Cryptographic Provider v1.0 option from the drop-down box.
The web page shown below should appear in your browser window.

8. Click the Install this certificate button. You may see the warning text box pictured below appear on the screen; click Yes. The certificate should now be installed on the authentication server.
Obtaining a Client Certificate

The following steps guide you through obtaining and installing an authentication certificate on your client station/computer.

1. Open a web browser and point it at the corporate CA server (http:///crtserv). The web page below should appear in your browser window.
2. Select the Request a certificate option, then click Next. The web page below should appear in your browser window.

3. Select Advanced request, then click Next.
The following web page should appear in your browser window.
4. Select the Submit a certificate request to this CA using a form option, then click Next. You may receive one of the security warnings shown below. Click Yes.
The web page form below should appear in your browser window.

5. Enter the following information in the Identity Information section of the form:
• Name (the authentication server’s fully qualified name)
• The user’s email address
• The name of the company
• The department within the company to which the server belongs
• The city, state, and country where the company is located
6. Select Server Authentication Server Certificate under the Intended Purpose section.

7. Set the following options under the Key Options section:
• CSP: select the Client Authentication Certificate option from the drop-down box.
• Key Usage: select Both.
• Key Size: set the key size to 1024.
• Create new key set: select this option.
• Use local machine store: check the Use local machine store option.

Click Submit after you have correctly entered all the information.
The web page shown below should appear in your browser window.

8. Click the Install this certificate button. You may see the warning text box pictured below appear on the screen; click Yes. The certificate should now be installed on the client station/computer.

802.1x Configuration under Microsoft Pocket PC

Pocket PC 2003 includes built-in support for wireless networks and 802.1x authentication.
Configuration using Pocket PC Embedded Supplicant

Export Trusted Certification Authority

The first step in enabling 802.1x authentication on Pocket PC devices is to install a trusted certification authority, if required. If the RADIUS server uses a certificate with a certification path already trusted by the Pocket PC devices, then this step is not necessary. Certificates purchased from large certificate authorities such as Verisign, for example, will already be trusted by the clients.
To install the certificate authority, simply tap on the certificate file. The system asks for confirmation before installing the certificate; select “Yes”. The certification path has now been installed. It can be verified by navigating on the Pocket PC device to Settings > System > Certificates > Root.

Configure Wireless Settings

The next step is to configure wireless settings. If required, install the appropriate NIC card and drivers.
Configuration of the Funk Odyssey client can be performed either on the host PC or on the Pocket PC device. All permanent configuration should be done on the host PC, which then pushes the configuration to the mobile device. This document describes configuration on the host PC.

Certificate Configuration

During 802.1x authentication, a digital certificate is passed from the authentication server to the client.
The second and more secure method specifies the domain name of the authentication server. Only servers with this domain name that send a valid trusted certificate will be authorized. To configure a trusted server, click Add on the Trusted Servers screen.

Profile Configuration

To use 802.1x authentication, a profile must be created to configure the appropriate EAP type, as well as other authentication details. Profiles are configured in the Profiles screen.
Captive Portal Certificates with Intermediate CAs

To install certificates for captive portal installations that have intermediate CAs:

1. Concatenate the certificates in the following order, with every certificate followed by whatever signed it:
• server certificate
• intermediate certificates

2. The very last intermediate certificate must be signed by the CA that is present on the client.

All certificates are formatted as unencrypted X.509 PEM.
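The ordering rule above is easy to get wrong by hand, and a chain whose intermediates are out of order or whose last intermediate is not signed by a CA the client trusts produces a certificate warning in the browser. The following added example (not Alcatel code) models the rule: it takes the server certificate and an unordered set of intermediates, follows issuer links until it reaches a trusted root, and writes the concatenated PEM in the required order. Certificates are represented by subject and issuer names plus a PEM block; the names and PEM bodies are constructed placeholders, and no real X.509 parsing or signature checking is performed.

```python
"""Order and concatenate a captive-portal certificate chain.

Added example, not Alcatel code.  Each certificate is represented by its
subject, its issuer and its (unencrypted) PEM block; the sample values are
constructed placeholders, not real certificates.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pem: str  # unencrypted X.509 PEM block


def order_chain(server: Cert, intermediates, trusted_roots) -> list:
    """Return [server, signer-of-server, signer-of-that, ...].

    The walk stops when the current certificate's issuer is a CA present in
    the client's trust store; it raises ValueError when an issuer is missing
    from the supplied intermediates or the issuer links loop.
    """
    by_subject = {c.subject: c for c in intermediates}
    chain = [server]
    seen = {server.subject}
    current = server
    while current.issuer not in trusted_roots:
        signer = by_subject.get(current.issuer)
        if signer is None:
            raise ValueError(f"no certificate supplied for issuer {current.issuer!r}")
        if signer.subject in seen:
            raise ValueError("issuer loop in certificate chain")
        chain.append(signer)
        seen.add(signer.subject)
        current = signer
    return chain


def concatenate_pem(chain) -> str:
    """Produce the single PEM file to install: server first, then its signers."""
    return "".join(c.pem if c.pem.endswith("\n") else c.pem + "\n" for c in chain)


# Constructed sample: a two-level intermediate hierarchy under one trusted root.
ROOT_CA = "Example Root CA"  # assumed to be present in the client trust store
SERVER_CERT = Cert(
    "portal.example.net", "Example Issuing CA 2",
    "-----BEGIN CERTIFICATE-----\nSERVER-PLACEHOLDER\n-----END CERTIFICATE-----\n")
INTERMEDIATES = [  # deliberately supplied out of order
    Cert("Example Policy CA 1", ROOT_CA,
         "-----BEGIN CERTIFICATE-----\nPOLICY1-PLACEHOLDER\n-----END CERTIFICATE-----\n"),
    Cert("Example Issuing CA 2", "Example Policy CA 1",
         "-----BEGIN CERTIFICATE-----\nISSUING2-PLACEHOLDER\n-----END CERTIFICATE-----\n"),
]


def build_portal_chain() -> list:
    """Subjects of the chain in install order for the constructed sample."""
    return [c.subject for c in order_chain(SERVER_CERT, INTERMEDIATES, {ROOT_CA})]


if __name__ == "__main__":
    print(build_portal_chain())
    print(concatenate_pem(order_chain(SERVER_CERT, INTERMEDIATES, {ROOT_CA})))
```

The root itself is not written into the file: the text requires only that the last intermediate be signed by a CA the client already has, which is exactly the stopping condition of the walk.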
Part 031652-00 May 2005
CHAPTER 11

802.1x Solution Cookbook

This chapter describes the theory, configuration, and operation of a wireless network based on Microsoft Windows client and server components and utilizing the 802.1x authentication protocol. This design is based on an actual deployment in a K-12 school district located in the United States.
802.1x authentication based on PEAP is used to provide both computer and user authentication. Domain credentials are used for computer authentication, and the user’s Windows login and password are used for user authentication. A single user sign-on facilitates both authentication to the wireless network and access to the Windows server resources. WEP is used as a link-layer encryption technology, with dynamic per-user WEP keys being provided through the 802.
a. The laptop searches for the wireless ESSID “Wireless LAN-01”, chooses the AP with the best signal strength, and attempts to associate to it.
   i. The laptop sends 802.11 broadcast probe-requests to search for any ESSID.
   ii. All APs in range respond with probe-responses containing the ESSID “Wireless LAN-01”. A load-balancing feature has been enabled on the Alcatel switch that limits the number of users on a single AP to 20.
The IAS server has also been configured to transmit a RADIUS attribute called “Class” to the Alcatel switch. The value of this attribute is set to “computer” to identify the authenticated device as a computer. The Alcatel switch is configured to recognize this RADIUS attribute, and maps the wireless client to a “computer” role.
   vi. Using information from the 802.
a. The laptop transmits an EAPOL-Start message to the Alcatel switch. The Alcatel switch then proceeds with 802.1x authentication by transmitting an EAPOL “Request Identity” message to the laptop.
b. The laptop transmits the user’s username. The Alcatel switch recognizes the username information, records it, and maps it to the MAC address of the client in an internal table. The new username replaces the previously learned computer name.
authentication takes place when a user is not logged in to the laptop, the computer’s authentication credentials are used to perform the authentication process.

7. When a user logs out of Windows, the laptop again performs 802.1x authentication using computer credentials, as described in 2(b) above. This places the wireless device back into the “computer” role in the Alcatel switch.
netdestination district-network
  network 10.0.0.0 255.0.0.0
  network 172.16.0.0 255.255.0.0

Student Policy

The policy below prevents students from using telnet, POP3, FTP, SMTP, SNMP, or SSH to the wired portion of the network. Telnet, FTP, SNMP, and SSH are used by the IT staff to maintain network devices, but are not permitted for other classes of users. POP3 and SMTP are permitted for faculty and staff members to access email. All students use Microsoft Exchange to access email.
Printer Policy

The following policy is used for the printer role. It restricts printers to communicating only with the print server, and only on specific port numbers. Any violation of the printer policy triggers a log message, notifying the system administrator that a possible network security breach has occurred.

ip access-list session printer-acl
  user host 172.16.31.26 svc-windows-printing permit
  user host 172.16.31.
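To make the first-match semantics of the student and printer policies concrete, here is an added example (not AOS-W code) of a small session-ACL evaluator run over constructed flows. It reuses the page's netdestination district-network and the print-server address 172.16.31.26; the service table, the port numbers behind the service names (including svc-windows-printing), the rule fields, and the implicit deny at the end of each list are assumptions made for the example.

```python
"""Evaluator for session ACLs like the student and printer policies above.

Added example, not AOS-W code.  Rules are evaluated in order and the first
match decides; unmatched traffic is denied (an assumption).  The service table
and its port numbers are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed service table: names follow the page's convention, ports assumed.
SERVICES = {
    "svc-telnet": ("tcp", 23),
    "svc-ssh": ("tcp", 22),
    "svc-ftp": ("tcp", 21),
    "svc-smtp": ("tcp", 25),
    "svc-pop3": ("tcp", 110),
    "svc-snmp": ("udp", 161),
    "svc-windows-printing": ("tcp", 445),  # port assumed for the page's service name
}

# netdestination district-network, as configured on the page
NETDESTINATIONS = {
    "district-network": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/16"),
    ],
}


@dataclass(frozen=True)
class Rule:
    dst: str           # "any", "host <ip>", or a netdestination name
    service: str       # key of SERVICES, or "any"
    action: str        # "permit" or "deny"
    log: bool = False  # emit a log message when this rule matches


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    proto: str
    dst_port: int


# Student policy: block management and mail protocols toward the wired network,
# permit everything else (for example HTTP to the Exchange server).
STUDENT_ACL = [
    Rule("district-network", svc, "deny")
    for svc in ("svc-telnet", "svc-pop3", "svc-ftp", "svc-smtp", "svc-snmp", "svc-ssh")
] + [Rule("any", "any", "permit")]

# Printer policy: only the print server, only the printing service; log anything else.
PRINTER_ACL = [
    Rule("host 172.16.31.26", "svc-windows-printing", "permit"),
    Rule("any", "any", "deny", log=True),
]


def _dst_matches(rule_dst: str, ip) -> bool:
    if rule_dst == "any":
        return True
    if rule_dst.startswith("host "):
        return ipaddress.ip_address(rule_dst[5:]) == ip
    return any(ip in net for net in NETDESTINATIONS[rule_dst])


def _service_matches(service: str, flow: Flow) -> bool:
    return service == "any" or SERVICES[service] == (flow.proto, flow.dst_port)


def evaluate(acl, flow: Flow, log: list) -> str:
    """Return the action of the first matching rule, appending to log if it asks for it."""
    ip = ipaddress.ip_address(flow.dst_ip)
    for rule in acl:
        if _dst_matches(rule.dst, ip) and _service_matches(rule.service, flow):
            if rule.log:
                log.append(f"{rule.action} {flow.proto}/{flow.dst_port} to {flow.dst_ip}")
            return rule.action
    return "deny"  # implicit deny at end of list (assumption)


if __name__ == "__main__":
    events = []
    print(evaluate(STUDENT_ACL, Flow("10.1.1.5", "tcp", 23), events))       # deny
    print(evaluate(STUDENT_ACL, Flow("10.1.1.5", "tcp", 80), events))       # permit
    print(evaluate(PRINTER_ACL, Flow("172.16.31.26", "tcp", 445), events))  # permit
    print(evaluate(PRINTER_ACL, Flow("10.1.1.5", "tcp", 80), events))       # deny, logged
    print(events)
```

Note the asymmetry the page's design implies: the student deny rules are scoped to district-network, so the same protocols to addresses outside it fall through to the final permit, whereas the printer list ends in a logged deny so any unexpected printer traffic is both blocked and reported.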
user-role computer
  session-acl allowall
!
user-role guest
  session-acl guest
  bandwidth-contract guest-1M

Authentication Parameters

The following configuration statements relate to user authentication.

RADIUS Configuration

The following statements configure the available RADIUS servers, including the IP address of each RADIUS server and its key.

aaa radius-server IAS1 host 10.1.1.21 key |*a^t%183923!
aaa radius-server IAS2 host 10.1.1.
802.1x Configuration

The following statements enable 802.1x authentication. They also establish which RADIUS server to use for 802.1x authentication, and determine the default role that an 802.1x client receives in the absence of a “Class” attribute from the RADIUS server.
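The walk-through earlier in this chapter describes the switch keeping an internal table keyed by client MAC address: the computer name learned at boot, the username that replaces it when a user logs in, the role taken from the RADIUS “Class” attribute, the fall-back to the configured 802.1x default role when no Class attribute arrives, and the return to the “computer” role at logout. The following added example (not AOS-W code) models that table. The role names are the ones used on this page; the mapping from Class value to role, the sample MAC address and the identities are constructed assumptions.

```python
"""Switch-side user table for the 802.1x walk-through in this chapter.

Added example, not AOS-W code.  Models the per-MAC identity/role table and
the default-role fall-back described on the page; the Class-to-role mapping,
MAC address and identities are constructed.
"""
from dataclasses import dataclass, field

# Assumption: the switch maps each Class value sent by IAS to the role of the same name.
CLASS_TO_ROLE = {
    "computer": "computer",
    "student": "student",
    "faculty": "faculty",
    "sysadmin": "sysadmin",
}


@dataclass
class Entry:
    identity: str
    role: str
    history: list = field(default_factory=list)  # earlier (identity, role) pairs


class UserTable:
    def __init__(self, default_role: str):
        self.default_role = default_role  # role applied when no Class attribute is returned
        self.entries = {}

    def authenticated(self, mac: str, identity: str, radius_attrs: dict) -> str:
        """Record a successful 802.1x authentication for mac; return the role applied."""
        role = CLASS_TO_ROLE.get(radius_attrs.get("Class"), self.default_role)
        entry = self.entries.get(mac)
        if entry is None:
            self.entries[mac] = Entry(identity, role)
        else:
            entry.history.append((entry.identity, entry.role))
            entry.identity = identity  # e.g. the username replaces the computer name
            entry.role = role
        return role

    def role_of(self, mac: str) -> str:
        return self.entries[mac].role

    def identity_of(self, mac: str) -> str:
        return self.entries[mac].identity


def walkthrough() -> list:
    """Boot-time computer auth, user logon, logout, then a client whose RADIUS
    reply carries no Class attribute.  Returns (identity, role) after each step."""
    table = UserTable(default_role="guest")
    laptop = "00:11:22:33:44:55"        # constructed MAC
    other = "00:aa:bb:cc:dd:ee"         # constructed MAC
    steps = [
        (laptop, "host/lab-07.district.local", {"Class": "computer"}),  # machine credentials
        (laptop, "jdoe", {"Class": "student"}),                         # user logs in
        (laptop, "host/lab-07.district.local", {"Class": "computer"}),  # logout: re-auth
        (other, "visitor", {}),                                         # no Class attribute
    ]
    out = []
    for mac, identity, attrs in steps:
        table.authenticated(mac, identity, attrs)
        out.append((table.identity_of(mac), table.role_of(mac)))
    return out


if __name__ == "__main__":
    for identity, role in walkthrough():
        print(f"{identity:32} -> {role}")
```

The default role is the security-relevant setting here: whatever it is set to is what a client receives when IAS authenticates it but the policy that should have attached a Class attribute did not match, so it should be the least privileged role that still lets such cases be noticed.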
!
interface vlan 60
  ip address 10.1.60.1 255.255.255.0
  ip helper-address 10.1.1.25
!
interface vlan 61
  ip address 10.1.61.1 255.255.255.0
  ip helper-address 10.1.1.25
!
interface vlan 62
  ip address 10.1.62.1 255.255.255.0
  ip helper-address 10.1.1.25
!
interface vlan 63
  ip address 10.1.63.1 255.255.255.0
  ip helper-address 10.1.1.25
!
ip default-gateway 10.1.1.254

Wireless Configuration

The following statements set up the default AP parameters for the entire network.
  staticWep deny-bcast enable
  virtual-ap “Guest” vlan-id 63 opmode opensystem deny-bcast disable

AP Configuration

Users associating to each AP are mapped into a VLAN. For scalability, and to prevent broadcast issues caused by too many users on a single network, two different user VLANs have been set up. Membership in the VLAN is determined by the initial AP to which the user associates.
Windows Group Membership Configuration

The authentication policy configured in IAS depends on the group membership of the computer or user in Active Directory. These policies are responsible for passing group information back to the Alcatel switch for use in assigning computers or users to the correct role, and thus determining their network access privileges.
• The encryption type is WEP.
• Open authentication should be used (this refers to 802.11 “basic” authentication, not to 802.1x).
• Each client uses a dynamically generated WEP key that is automatically derived during the 802.1x process.
• The network is not ad-hoc; APs are required to be used.

Sets up 802.1x authentication parameters for the ESSID.
• Enables 802.1x
• Specifies that the client will initiate the 802.
Microsoft Internet Authentication Server Configuration

Microsoft Internet Authentication Server (IAS) provides all authentication functions for the wireless network. IAS implements the RADIUS protocol, which is used between the Alcatel switch and the server. IAS uses Active Directory as the database for looking up computers, users, passwords, and group information.
• The Wireless-Student policy matches the “Student” group.
• The Wireless-Faculty policy matches the “Faculty” group.
• The Wireless-Sysadmin policy matches the “Sysadmin” group.

In addition to matching the group, the policy also specifies that the request must be from an 802.11 wireless device.
Advanced Attributes

One of the principles in this network is that the Alcatel switch restricts network access privileges based on the group membership of the computer or user. In order for this to work, the Alcatel switch must be told to which group the user belongs. This is accomplished using RADIUS attributes. To configure these attributes, select the Advanced tab from the policy profile. An attribute called “Class” has been added here.
• Specifies the EAP type as PEAP
• Clients will not attempt to authenticate as a guest
• Clients will perform computer authentication when a user is not logged in

Sets up client PEAP properties:
• Server certificate will be validated. This option instructs the client to check the validity of the server certificate from an expiration, identity, and trust perspective.
In the management console, select File > Add/Remove Snap-in. Select the Certificates snap-in. Typically, a trusted certificate authority certificate can be found in both the user certificate store and the computer certificate store. When prompted to select the certificate snap-in, choose “My user account”. Next, locate the certificate for the trusted certificate authority, right-click on it, select “All tasks”, then select “Export”. When prompted, export the key as a DER-encoded binary X.
If the appropriate ESSID is not already shown in the list, add it by selecting “Add new”. After filling in the ESSID in the “Network Name” field, tap the “Authentication” tab. The authentication settings screen appears. Configure the screen. In the EAP type field, select PEAP. Do not click Properties; this is used to configure certificate-based authentication. A warning message is generated if Properties is clicked; this warning message may be ignored.
CHAPTER 12

Switch Management Configuration

This chapter discusses how to use the various management features of Alcatel switches using the AOS-W Web UI software and the command line interface (CLI). The management features in the Web UI are available on the Configuration > Management pages. Those features include:
• SNMP
• Access Control
• Logging

SNMP Configuration Using Web UI

Entering SNMP System Information

Standard SNMP system information may be recorded for your Alcatel switch.
1. Navigate to the Configuration > Management > SNMP page. Add system information in the System Group section of the SNMP page.
2. Type a user-friendly name in the System Name field.
3. Type a name or system administrator contact information in the System Contact field.
4. Type the location of the Alcatel switch in the System Location field.

Configuring Trap Receivers

1. Navigate to the Configuration > Management > SNMP page.
2. Click Add in the Trap Receivers section of the SNMP page. The Add Host page appears on the screen.
3. Enter the IP address of the SNMP server host in the IP Address field.
4. Choose the appropriate SNMP version from the Version pull-down menu.
5. Enter a valid SNMP community string in the SNMP Community String field.
6. Enter the UDP port for the trap in the UDP Port field.
NOTE—The console reverts to immediate (non-privileged) mode when you change the system name. You will need to re-execute the enable and configure terminal commands before you can proceed.

2. Create a System Contact entry using the syscontact command.

(UrsaMinor) (config) #syscontact AniceGuy
(UrsaMinor) (config) #

3. Create a System Location entry using the syslocation command.
Configuring Administrative Access Using Web UI

AOS-W allows different levels of access for administrative users based on assigned roles.
Navigate to the Configuration > Management > Access Control page. You can view, add, delete, or edit Management Users and Roles from this page.
Adding and Editing Management Users

Adding and editing users is accomplished in the Management Users section of the page. Add a management user by clicking Add in the Management Users portion of the Access Control page. The Add User page appears.

1. Enter a name in the User Name field. The name you enter must be 1 - 16 alphanumeric characters in length.
2. Enter a password in the Password field. The password you enter must be 1 - 16 alphanumeric characters in length.
Adding and Editing Management Roles

Add or edit a management role by clicking Add in the Management Roles section of the Access Control page. The Add Role page appears.

1. Click Add; the Add Module page appears.
2. Select a Management Module using the pull-down menu.
3. Select an Access Permission using the pull-down menu.
4. Click Add; the Add Role page is again displayed and shows the added module and permission.
Adding and Changing Administrative Access Using the CLI

Viewing Management Users

You may view currently configured management users and their assigned roles by executing the show mgmt-users command from the CLI.
Viewing Management Roles

You may view currently configured management roles by executing the show mgmt-roles command from the CLI.
Adding Auth Servers

Logging

The logging feature in Alcatel AOS-W allows permanent system logs to be stored externally on one or more logging servers.
Configuring Logging Using Web UI

Begin configuring logging servers by navigating to the Configuration > Management > Logging page. Add a logging server by clicking Add. An additional text field appears.
Enter the address of a logging server and click the Add button next to the text field. Select the check box of a module for which you want to enable logging. The logging level menu appears. Select the appropriate logging level and click the Apply button. There are a total of eight logging levels, each having its own distinct characteristics:
• Emergency – Panic conditions that occur when the system becomes unstable.
• Alert – Any condition requiring immediate attention and correction.
Configuring Logging Using the CLI

Adding a Logging Server

Add a logging server using the logging command from the CLI.

(Alcatel) (config) #logging 192.168.25.25
(Alcatel) (config) #

Setting Logging Levels

Set a logging level using the logging level command from the CLI.
Viewing Current Logging Levels

View the current logging levels using the show logging level command from the CLI.
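The eight levels above are the standard syslog severities, ordered from most severe (Emergency) to least (Debugging), and a per-module level means “forward this module's messages at this severity and every more severe one”. The following added example (not AOS-W code) shows that filter applied on the receiving side: it decodes the syslog <PRI> prefix (facility × 8 + severity) of constructed log lines and keeps a line only when its severity is at or above the level configured for its module. The module names, the line format and the sample lines are constructed for the example; the switch's real module names and message format may differ.

```python
"""Per-module syslog severity filter in the spirit of the logging levels above.

Added example, not AOS-W code.  Module names, line format and sample lines
are constructed.
"""
import re

# Severity numbers 0..7 in syslog order; lower number means more severe.
LEVELS = ["emergency", "alert", "critical", "error",
          "warning", "notice", "informational", "debugging"]

# <PRI>Mon dd hh:mm:ss host module: message
PRI_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d+ [\d:]+) (\S+) (\S+): (.*)$")

SAMPLE_LOG = [  # constructed lines; facility 16 (local0) so PRI = 128 + severity
    "<131>May 14 10:15:22 switch1 authmgr: 802.1x authentication failed for 00:11:22:33:44:55",
    "<134>May 14 10:15:23 switch1 authmgr: user jdoe assigned role student",
    "<135>May 14 10:15:24 switch1 stm: probe request from 00:aa:bb:cc:dd:ee",
    "<128>May 14 10:15:25 switch1 wms: out of memory, restarting",
    "<133>May 14 10:15:26 switch1 stm: deauthentication flood detected",
]


def parse_line(line: str):
    """Split one syslog line into fields; return None for lines that do not parse."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "level": LEVELS[pri % 8],
        "timestamp": m.group(2),
        "host": m.group(3),
        "module": m.group(4),
        "message": m.group(5),
    }


def filter_log(lines, module_levels: dict, default_level: str = "warning") -> list:
    """Keep records whose severity is at or above the level set for their module.

    module_levels maps module name -> level name; modules not listed use
    default_level.  Because severities are numbered with 0 most severe, a
    record passes when its severity number is <= the configured level's number.
    """
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        threshold = LEVELS.index(module_levels.get(rec["module"], default_level))
        if rec["severity"] <= threshold:
            kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in filter_log(SAMPLE_LOG, {"authmgr": "informational", "stm": "notice"}):
        print(rec["level"], rec["module"], rec["message"])
```

Raising a module to Debugging on a busy switch can flood the logging server, so the usual practice is to raise the level for one module while troubleshooting and return it afterwards; the show logging level command above is how to confirm the current setting.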
CHAPTER 13

Wireless LAN Configuration

This chapter discusses how to configure all the standard 802.11 features of an Alcatel Wireless LAN switch. The features discussed in this chapter are:
• SSID
• Radio Parameters
• Encryption
• AP Parameters

Wireless LAN Configuration

This Wireless LAN configuration chapter explains setup and configuration of all standard 802.11 settings, including SSID, radio parameters, and encryption.
FIGURE 13-1 SSID Configuration

The first SSID configured is primary and can be edited, but cannot be deleted. Other SSIDs can be edited or deleted.

NOTE—These parameters affect all APs in the network, unless a more specific configuration applies. Configuration in this section corresponds to the CLI configuration for “ap location 0.0.0”.

Adding a New SSID

To add a new SSID, click the Add button. The figure below is displayed.
Radio Type – SSIDs may appear on only 802.11a radios, only 802.11b/g radios, or on both types of radios.

SSID Default VLAN – If desired, a given SSID may be mapped to a particular VLAN. See the “VLAN Mapping” section below for more details.

Ignore Broadcast Probe-Request – Controls whether or not the system responds for this SSID when a client sends a broadcast probe-request frame to search for all available SSIDs.
The 802.1x framework also allows the encryption key to be rotated at specific intervals. By allowing each user to have a different key, and by allowing key rotation, dynamic WEP provides a much better level of security than static WEP. Dynamic WEP (used with 802.1x) provides somewhat better protection, particularly when combined with AOS-W Wireless Intrusion Detection features.
The equivalent CLI configuration to add the SSID shown above is:

ap location 0.0.0 phy-type a virtual-ap "NewSSID" vlan-id 0 opmode staticWep,dynamicWep deny-bcast enable
ap location 0.0.0 phy-type g virtual-ap "NewSSID" vlan-id 0 opmode staticWep,dynamicWep deny-bcast enable

WPA, TKIP, and AES Encryption

TKIP (Temporal Key Integrity Protocol) is a replacement for WEP, and along with 802.1x forms the basis for WPA (Wi-Fi Protected Access).
FIGURE 13-4 TKIP Configuration

If PSK TKIP is selected, fill in the pre-shared key. To enter the key directly in hex, enter 64 hex characters. To enter the key as a passphrase, select “PSK Passphrase” from the drop-down menu and enter a passphrase between 8 and 63 characters in the box on the left. When configuring clients, enter the same key or passphrase. If WPA TKIP is selected, no further configuration is required.
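The two input forms above are the same key: WPA-PSK derives a 256-bit Pairwise Master Key from the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID and iterated 4096 times, and the 64 hex characters are that 256-bit key written out directly. The following added example (not Alcatel code) performs that derivation with Python's standard library and accepts either form with the page's length limits. It is checked against the well-known IEEE 802.11i test vector (passphrase "password", SSID "IEEE"); the SSID and passphrase in the usage call are constructed.

```python
"""WPA/WPA2-Personal PSK derivation: passphrase or 64 hex characters -> 256-bit PMK.

Added example, not Alcatel code.  Uses the standard PBKDF2-HMAC-SHA1
construction (SSID as salt, 4096 iterations, 32-byte output).
"""
import hashlib
import re

HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte PMK from an 8..63 character passphrase and the SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be between 8 and 63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid_bytes, 4096, 32)


def pmk_from_config(value: str, ssid: str) -> bytes:
    """Accept either form the Web UI takes: 64 hex characters or a passphrase.

    Note that a string of exactly 64 hex digits is always treated as a raw key,
    so a passphrase that happens to look like one is not possible; the same
    ambiguity rule is what a supplicant applies.
    """
    if HEX_KEY_RE.match(value):
        return bytes.fromhex(value)
    return psk_from_passphrase(value, ssid)


def same_key(client_value: str, switch_value: str, ssid: str) -> bool:
    """True when a client and the switch would end up with the same PMK,
    whichever of the two input forms each side was given."""
    return pmk_from_config(client_value, ssid) == pmk_from_config(switch_value, ssid)


if __name__ == "__main__":
    ssid = "NewSSID"                              # constructed
    key = psk_from_passphrase("correct horse battery staple", ssid)  # constructed passphrase
    print(key.hex())                              # the 64 hex characters the UI would also accept
    print(same_key("correct horse battery staple", key.hex(), ssid))
```

Two practical consequences follow from the derivation: the salt is the SSID, so the same passphrase yields different keys on different SSIDs (and a renamed SSID requires every client to re-derive), and a passphrase carries only as much entropy as it was chosen with, whereas a 64-hex-character key generated from a good random source has the full 256 bits.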
NOTE—AOS-W versions 2.4.0.0 and later support different staticWep and staticTkip keys per SSID. In earlier releases, the staticWep and staticTkip keys applied to each access point.

FIGURE 13-5 AES-CCM Configuration

FIGURE 13-6 Mixed TKIP and AES-CCM Configuration

Adjusting Radio Parameters

To view and edit default radio parameters for all APs, navigate to Configuration > Wireless LAN > Radio as shown in the figure below. Radio parameters for both 802.11b/g radios and 802.
FIGURE 13-7 802.11b and g Radio Parameters

FIGURE 13-8 802.
NOTE—These parameters affect all APs in the network, unless a more specific configuration applies. Configuration in this section corresponds to the CLI configuration for “ap location 0.0.0”.

Available parameters are:

RTS Threshold – Wireless clients transmitting frames larger than this threshold issue a Request to Send (RTS) and wait for the AP to respond with Clear to Send (CTS).
Default Channel – Sets the default channel on which the AP will operate, unless a better choice is available, either from calibration or from RF Plan.

Initial Transmit Power – Sets the initial transmit power at which the AP will operate, unless a better choice is available, either from calibration or from RF Plan.

LMS IP – Specifies the Local Management Switch that the AP will use in multi-switch networks.
  deny                  Deny wireless access according to timerange argument
  deny-bcast            enable to suppress responses to probe requests with broadcast SSID
  disable               disable this feature or mode
  dns-name              DNS Name for the AP.
  double-encrypt
  dtim-period
  dump-server
  enable
  essid
  hide-ssid
  hostname
  lms-ip
  local-probe-response
  max-clients
  max-retries
  max-tx-fail
  mode
  mtu
  no
  opmode
  phy-type
  power-mgmt
  radio-off-threshold
  restore-default
  rf-band
  rts-threshhold
  snmp-server
  syscontact
  syslocation
  telnet                Enable or disable telnet to the AP
  tx-power              A number from 0 thru 4
  virtual-ap            Configure a virtual AP with its own essid
  vlan-id               The ID of the VLAN assigned to this AP's or virtual AP's associating clients (valid range: 0-4094)
  wepkey1               Specify static WEP key 1 of 4 (length 5 or 13 bytes)
  wepkey2               Specify static WEP key 2 of 4 (length 5 or 13 bytes)
  wepkey3               Specify static WEP key 3 of 4 (length 5 o
  wepkey4
  weptxkey
  wpa-hexkey
  wpa-passphrase
  wpa2-preauth
  wps
configuration section. To view or modify location-based configuration, navigate to Configuration > Wireless LAN > Advanced, as shown in the figure below.

FIGURE 13-9 Advanced Location-Based Configuration

To add a new location configuration, click Add. After specifying the location to configure, select which parameters should be different from the default for that location. Parameters that can be changed for a particular location include supported SSIDs, 802.11b/g radio parameters, and 802.
FIGURE 13-10 Location 2.0.0 Configuration

Assuming that the same change is made for the 802.11a tab, the equivalent CLI configuration for the example above is:

ap location 2.0.0 phy-type g max-clients 128
  phy-type a max-clients 128

The configuration could also be done by entering:

ap location 2.0.0 max-clients 128

The following is new and needs to be added to this discussion.
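The precedence between the “ap location 0.0.0” defaults and a location-specific entry such as 2.0.0 above is what decides the value an individual AP actually runs with. The following added example (not AOS-W code) resolves a parameter for a given AP from a list of ap location statements. It assumes that a location is written building.floor.location with 0 meaning “any” (the convention the page's 0.0.0 default implies), that an entry with more non-zero components overrides a less specific one, and that a value set for a specific phy-type overrides one set for both radios at the same location; the default value of 64 and the 2.3.0 entry are constructed for the example.

```python
"""Resolve effective AP parameters from default and location-specific configuration.

Added example, not AOS-W code.  Assumptions: location = building.floor.location
with 0 as wildcard; more specific location wins; a phy-type-specific value wins
over a value set for both radios at the same location; a repeated identical
statement simply overwrites the earlier one.
"""


def parse_location(text: str) -> tuple:
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) != 3 or any(p < 0 for p in parts):
        raise ValueError(f"bad location {text!r}")
    return parts


def location_matches(pattern: tuple, ap_location: tuple) -> bool:
    """0 in any position of the pattern matches any value at that position."""
    return all(p == 0 or p == a for p, a in zip(pattern, ap_location))


def specificity(pattern: tuple) -> int:
    return sum(1 for p in pattern if p != 0)


class ApConfig:
    def __init__(self):
        self.entries = []  # (pattern, phy_type or None, param, value) in entry order

    def ap_location(self, location: str, param: str, value, phy_type=None):
        """Model of 'ap location <loc> [phy-type <a|g>] <param> <value>'."""
        self.entries.append((parse_location(location), phy_type, param, value))

    def resolve(self, ap_location: str, phy_type: str, param: str):
        """Return the value an AP at ap_location uses for param on the given radio."""
        ap = parse_location(ap_location)
        best_value, best_key = None, None
        for pattern, phy, name, value in self.entries:
            if name != param or not location_matches(pattern, ap):
                continue
            if phy is not None and phy != phy_type:
                continue
            key = (specificity(pattern), 0 if phy is None else 1)
            if best_key is None or key >= best_key:  # ties: later statement wins
                best_value, best_key = value, key
        return best_value


def sample_config() -> ApConfig:
    cfg = ApConfig()
    cfg.ap_location("0.0.0", "max-clients", 64)                 # default, value constructed
    cfg.ap_location("2.0.0", "max-clients", 128)                # building 2, as on the page
    cfg.ap_location("2.3.0", "max-clients", 32, phy_type="a")   # constructed floor override
    return cfg


if __name__ == "__main__":
    cfg = sample_config()
    for loc, phy in (("1.1.1", "g"), ("2.1.4", "a"), ("2.3.7", "g"), ("2.3.7", "a")):
        print(loc, phy, cfg.resolve(loc, phy, "max-clients"))
```

Resolving a parameter this way before pushing a change is a cheap check that a floor-level override is not silently capping or loosening a radio setting that the building-wide or network-wide default was expected to control.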
FIGURE 13-11 Advanced Wireless LAN Configuration

Click Add to display the four categories of advanced Wireless LAN configuration:
• SSID—Equivalent to Configuration > Wireless LAN > Network > SSID.
• 802.11b/g—See Figure 13-7.
• 802.11a—See Figure 13-8.
• General—Equivalent to Configuration > Wireless LAN > Network > General.

General Wireless LAN Settings

To configure other Wireless LAN settings, click Configuration > Wireless LAN > Network > General. The following screen displays.
FIGURE 13-12 General Wireless LAN Settings
CHAPTER 14

Radio Resource Management

This chapter discusses the process of configuring the Radio Resource Management features of AOS-W. This feature has two primary functions: configuring and calibrating the radio settings for the network, and then monitoring and dynamically managing those same radio resources.

Introduction

The goal of RF Management is to initially configure and calibrate radio settings for the network.
process allows the Alcatel switch to build an RF-based map of the network topology, learning about environmental characteristics such as attenuation, interference, and reflection. When calibration has completed, the switch will automatically configure AP/AM mode of the APs, transmit power levels, and channel selection to minimize interference and maximize coverage and throughput.
FIGURE 14-3 Calibration Results

The equivalent CLI command to perform calibration is “site-survey calibrate”.

Optimization

Self-Healing

After calibration has taken place, the Alcatel switch has an RF-based topology map of the entire wireless network. This allows the switch to understand which APs are within range of each other. In the event that an AP fails, surrounding APs will increase their transmit power level to fill in any gaps.
Maximum neighbors to participate in self-healing – The maximum number of neighboring APs that will increase their power level after a failure.

Maximum power level increase – The number of power levels a neighbor AP will increase after a failure.

Self-Healing Wait Time – The time after a failure, in milliseconds, after which the self-healing algorithm will begin.
FIGURE 14-5 Load Balancing Configuration

Available parameters are:

Enable Load Balancing – Enables or disables load balancing.

Wait Time before applying Load Balancing (secs) – Specifies the number of seconds to wait before performing load balancing processing.

Max Association Retries – Specifies the number of association attempts that will be rejected before a client is allowed to associate to an AP that has reached a performance threshold.
The equivalent CLI configuration for the above example is:

ap-policy ap-load-balancing disable
ap-policy ap-lb-max-retries 8
ap-policy ap-lb-util-high-wm 90
ap-policy ap-lb-util-low-wm 80
ap-policy ap-lb-user-high-wm 255
ap-policy ap-lb-user-low-wm 230

Client and AP DoS Protection

Configure station and AP denial of service attack protection by navigating to Configuration > RF Management > Protection as shown in the figure below.
DoS Client Block Time – Specifies the number of seconds a client will be quarantined from the network after a deauth attack against the client has been detected. This is used to prevent man-in-the-middle attacks.

The equivalent CLI configuration for the above example is:

stm dos-prevention enable
stm sta-dos-prevention enable
stm sta-dos-block-time 3600

Configuration of RF Monitoring

Coverage Hole Detection

The way we implemented CHD is slightly different.
FIGURE 14-7 Coverage Hole Detection

Other than enabling or disabling the feature, these parameters should generally not be changed unless directed by Alcatel Technical Support. Available parameters are:

Enable Coverage Hole Detection – Enables or disables coverage hole detection.

High RSSI Threshold for Hole Detection – Stations with signal strength above this value are considered to have good coverage.
stm poor-rssi-threshold 10
stm hole-detection-interval 120
stm good-sta-ageout 30
stm idle-sta-ageout 90

Interference Detection

Interference detection notifies the administrator when localized interference becomes sufficient to cause performance degradation. Enable interference detection in the GUI by navigating to Configuration > RF Management > Monitoring > Interference Detection as shown in the figure below.
wms
  global-policy detect-interference disable
  global-policy interference-inc-threshold 100
  global-policy interference-inc-timeout 30
  global-policy interference-wait-time 30

Event Threshold Configuration

AOS-W provides the ability to configure event thresholds to notify the administrator when certain RF parameters are exceeded. These events can signal excessive load on the network, excessive interference, or faulty equipment.
FIGURE 14-9 Event Threshold Configuration

To disable detection for any parameter, set the value to 0. Available parameters are:

Bandwidth Rate High Watermark – If bandwidth in an AP exceeds this value, a bandwidth exceeded condition exists. The value represents a percentage of the maximum for a given radio. For 802.11b, the theoretical maximum bandwidth is 7 Mbps. For 802.11a and g, the theoretical maximum is 30 Mbps. The recommended value is 85%.
Frame Error Rate High Watermark – If the frame error rate, as a percentage of total frames, in an AP exceeds this value, a frame error rate exceeded condition exists. The recommended value is 16%.

Frame Error Rate Low Watermark – After a frame error rate exceeded condition exists, the condition will persist until the frame error rate drops below this value. The recommended value is 8%.
Frame Retry Rate Low Watermark – After a frame retry rate exceeded condition exists, the condition will persist until the frame retry rate drops below this value. The recommended value is 8%.
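The high/low watermark pairs above are a hysteresis check: the condition is raised when the rate exceeds the high value and cleared only once it drops below the low value, so a rate hovering near one threshold does not raise and clear an alarm on every sample. The following is an added example (not AOS-W code) that runs that logic over constructed frame error rate readings with the recommended 16%/8% values, with a naive single-threshold check alongside for comparison.

```python
from typing import List, Optional


class WatermarkMonitor:
    """Hysteresis check: raise a condition when the rate exceeds `high`,
    clear it only after the rate drops below `low`. A high value of 0
    disables detection, as the manual states for event thresholds."""

    def __init__(self, name: str, high: float, low: float):
        self.name = name
        self.high = high
        self.low = low
        self.active = False
        self.events: List[str] = []

    def observe(self, value: float) -> Optional[str]:
        if self.high == 0:
            return None  # detection disabled
        if not self.active and value > self.high:
            self.active = True
            self.events.append(f"{self.name} exceeded at {value}%")
            return "raised"
        if self.active and value < self.low:
            self.active = False
            self.events.append(f"{self.name} cleared at {value}%")
            return "cleared"
        # No state change: still above low while active, or below high while idle.
        return None


def run_watermarks(samples: List[float], high: float = 16.0,
                   low: float = 8.0) -> List[Optional[str]]:
    """Feed frame error rate readings (percent) through one monitor and
    return the state transition, if any, for each reading."""
    mon = WatermarkMonitor("frame error rate", high, low)
    return [mon.observe(v) for v in samples]


def single_threshold_raises(samples: List[float], high: float = 16.0) -> int:
    """Count how often a naive one-threshold check would raise the condition
    on the same readings; it clears as soon as a value is at or below high."""
    active = False
    raises = 0
    for v in samples:
        if not active and v > high:
            active, raises = True, raises + 1
        elif active and v <= high:
            active = False
    return raises


# Constructed readings: the rate crosses 16% at the second sample, dips to
# 12% and 9% while the radio is still degraded, recovers below 8%, then
# degrades again. The single-threshold check flaps on the 12% and 18% samples.
CONSTRUCTED_FER_PERCENT = [5.0, 17.0, 12.0, 18.0, 9.0, 7.0, 20.0, 3.0]

if __name__ == "__main__":
    transitions = run_watermarks(CONSTRUCTED_FER_PERCENT)
    print(transitions)
    print("hysteresis raises:", transitions.count("raised"))
    print("single-threshold raises:", single_threshold_raises(CONSTRUCTED_FER_PERCENT))
```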
FIGURE 14-10 RF Management Advanced Parameters

The advanced parameters are:

AP Ageout Interval – The number of milliseconds TBC.

AP Scan Inactivity – The number of seconds TBC.

AM Grace Time – The number of milliseconds TBC.

Force Station Deauthentication for Policy Enforcement – TBC.

Enable Force Station Deauthentication – TBC.

AM Poll Interval – TBC.

Number of AM Poll Retries – TBC.

Station Ageout Interval – TBC.
Station Scan Inactivity – TBC.
CHAPTER 15 Intrusion Detection Configuration

This chapter discusses the various kinds of intrusion and Wireless LAN attack methods. It also describes how to configure the switch to detect and guard against the various kinds of intrusion attempts.
Network discovery is a normal part of 802.11, and allows client devices to discover APs and also to learn about available services provided by APs. While network discovery itself does not necessarily lead to security problems, it is the first step that an attacker needs to accomplish before moving on to more serious intrusion attempts.

• Denial of service (DoS) attack

DoS attacks are designed to prevent or inhibit legitimate users from accessing the network.
Rogue AP

Rogue APs represent perhaps the largest threat to enterprise network security because they bypass all other security provisions and open a network up to the outside world. Rogue APs are normally placed by employees who do not understand the risks their actions represent. A rogue AP is defined as one that is a) unauthorized, and b) plugged into the wired side of the network.
Mark All New APs as Valid – When installing an Alcatel switch in an environment with an existing third-party wireless network, it is necessary to manually classify existing enterprise APs as valid, a time-consuming process if a large number of APs are installed. Enable this option to mark all detected APs as valid. Leave this option enabled until all enterprise APs have been detected and classified as valid.
FIGURE 15-2 Rate Analysis Configuration

Configuration is divided into two sections: channel thresholds and node thresholds. A channel threshold applies to an entire channel, while a node threshold applies to a particular client MAC address. All frame types are standard management frames as defined by the 802.11 standard. Configuration parameters are:

Channel/Node Threshold – Specifies the number of a specific type of frame that must be exceeded within a specific interval to trigger an alarm.
To configure detection of FakeAP, navigate to Configuration > Wireless LAN Intrusion Detection > Denial of Service > FakeAP as shown in the figure below.

FIGURE 15-3 FakeAP Detection

Configuration parameters are:

Enable Fake AP Flood Detection – Enables or disables the feature.

Flood Inc Time – The time period in which a configured number of FakeAP beacons must be received.
Such an attack also enables other attacks that can learn a user’s authentication credentials. Man-in-the-middle attacks often rely on a number of different vulnerabilities.

MAC Spoofing

MAC address spoofing is a typical attack on a wireless LAN in which an attacker will spoof the MAC address of a currently active valid client in an attempt to be granted that client’s access privileges. The AirJack driver for Linux allows easy access to such an attack.
FIGURE 15-5 Detect Station Disconnection

Configuration parameters are:

Enable Disconnect Station Analysis – Enables or disables the feature.

Disconnect Station Detection Quiet Time – After a station disconnection is detected, the amount of time that must pass before another identical alarm can be generated.
FIGURE 15-7 EAP Handshake Analysis

Configuration parameters are:

Enable EAP Handshake Analysis – Enables or disables the feature.

EAP Handshake Threshold – The number of EAP handshakes that must be received within the EAP Time Interval in order to trigger an alarm.

EAP Time Interval – The time period in which a configured number of EAP handshakes must be received.
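The channel/node rate thresholds, the FakeAP Flood Inc Time, and the EAP Handshake Threshold with its Time Interval all describe one mechanism: count frames of a given type per key (a channel or a client MAC) over a sliding interval, alarm once the configured number is exceeded, and let a quiet time hold off identical repeats. The following added example (not AOS-W code) implements that counter in Python and replays it over a constructed deauthentication-frame capture; the MAC addresses, channel and threshold values are made up for illustration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class RateDetector:
    """Alarm when more than `threshold` frames of `frame_type` are seen
    within `interval` seconds for one key. `scope` selects the key: a
    channel threshold counts per radio channel, a node threshold counts
    per client MAC. `quiet_time` suppresses repeats of an identical alarm."""

    def __init__(self, frame_type: str, scope: str, threshold: int,
                 interval: float, quiet_time: float = 0.0):
        if scope not in ("channel", "node"):
            raise ValueError("scope must be 'channel' or 'node'")
        self.frame_type = frame_type
        self.scope = scope
        self.threshold = threshold
        self.interval = interval
        self.quiet_time = quiet_time
        self._windows: Dict[str, Deque[float]] = defaultdict(deque)
        self._last_alarm: Dict[str, float] = {}

    def observe(self, frame: dict) -> Optional[str]:
        """Feed one frame record; frames must arrive in time order."""
        if frame["type"] != self.frame_type:
            return None
        key = str(frame[self.scope])
        window = self._windows[key]
        window.append(frame["t"])
        # Drop timestamps that have aged out of the sliding interval.
        while window and frame["t"] - window[0] > self.interval:
            window.popleft()
        if len(window) <= self.threshold:
            return None
        last = self._last_alarm.get(key)
        if last is not None and frame["t"] - last < self.quiet_time:
            return None  # identical alarm inside the quiet time: suppressed
        self._last_alarm[key] = frame["t"]
        return f"{self.frame_type} rate exceeded on {self.scope} {key}"


def run_detectors(frames: List[dict],
                  detectors: List[RateDetector]) -> List[Tuple[float, str]]:
    """Replay frames in time order through every detector; collect alarms."""
    alarms = []
    for frame in sorted(frames, key=lambda f: f["t"]):
        for det in detectors:
            alarm = det.observe(frame)
            if alarm:
                alarms.append((frame["t"], alarm))
    return alarms


def _frame(t: float, ftype: str, node: str, channel: int = 6) -> dict:
    return {"t": t, "type": ftype, "node": node, "channel": channel}


# Constructed capture: node A sends six deauthentication frames in five
# seconds, node B three, plus one unrelated probe request. MACs are made up.
NODE_A = "00:11:22:33:44:aa"
NODE_B = "00:11:22:33:44:bb"
CONSTRUCTED_FRAMES = (
    [_frame(t, "deauth", NODE_A) for t in (0.0, 1.0, 2.0, 3.0, 4.0, 5.0)]
    + [_frame(t, "deauth", NODE_B) for t in (2.5, 3.5, 4.5)]
    + [_frame(2.2, "probe-request", NODE_B)]
)


def build_detectors() -> List[RateDetector]:
    """Constructed thresholds: at most 4 deauth frames per node and 8 per
    channel within 10 s; repeat alarms for the same key are held for 30 s."""
    return [
        RateDetector("deauth", "node", threshold=4, interval=10.0, quiet_time=30.0),
        RateDetector("deauth", "channel", threshold=8, interval=10.0, quiet_time=30.0),
    ]


def deauth_alarms() -> List[Tuple[float, str]]:
    return run_detectors(CONSTRUCTED_FRAMES, build_detectors())


if __name__ == "__main__":
    for t, alarm in deauth_alarms():
        print(f"t={t:4.1f}s  {alarm}")
```

Node A trips its node threshold on its fifth frame and the sixth is silenced by the quiet time; the channel threshold trips only once both nodes together exceed eight frames.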
FIGURE 15-8 Sequence Number Analysis

Configuration parameters are:

Enable Sequence Number Discrepancy Checking – Enables or disables the feature.

Sequence Number Difference Threshold – The maximum allowable tolerance between sequence numbers within a specific time interval.

Sequence Number Checking Time Tolerance – The time interval in which sequence numbers must exceed the sequence number difference threshold in order for an alarm to be triggered.
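A single radio increments its 802.11 sequence counter by one per frame, so two senders sharing an address (the MAC spoofing case described earlier in this chapter) show up as large jumps between frames that are close in time. The following added example (not AOS-W code) applies the difference threshold and time tolerance above to constructed frame records, handling the 12-bit counter wrap so that a legitimate roll-over from 4095 to 0 is not flagged.

```python
from typing import Dict, List, Optional, Tuple

SEQ_MODULUS = 4096  # 802.11 sequence numbers are 12-bit and wrap


def seq_distance(prev: int, cur: int) -> int:
    """Shortest distance between two sequence numbers on the 12-bit ring,
    so a legitimate wrap from 4095 to 2 measures 3, not 4093."""
    forward = (cur - prev) % SEQ_MODULUS
    return min(forward, SEQ_MODULUS - forward)


class SequenceChecker:
    """Flag a MAC whose consecutive frames, seen within `time_tolerance`
    seconds of each other, carry sequence numbers further apart than
    `diff_threshold`."""

    def __init__(self, diff_threshold: int, time_tolerance: float):
        self.diff_threshold = diff_threshold
        self.time_tolerance = time_tolerance
        self._last: Dict[str, Tuple[float, int]] = {}

    def observe(self, mac: str, t: float, seq: int) -> Optional[str]:
        prev = self._last.get(mac)
        self._last[mac] = (t, seq)
        if prev is None:
            return None
        prev_t, prev_seq = prev
        if t - prev_t > self.time_tolerance:
            return None  # too far apart in time to compare
        gap = seq_distance(prev_seq, seq)
        if gap > self.diff_threshold:
            return f"sequence discrepancy for {mac}: {prev_seq} -> {seq} (gap {gap})"
        return None


def run_sequence_check(frames: List[Tuple[str, float, int]],
                       diff_threshold: int = 300,
                       time_tolerance: float = 5.0) -> List[str]:
    """Replay (mac, time, seq) records in time order and collect alarms."""
    checker = SequenceChecker(diff_threshold, time_tolerance)
    alarms = []
    for mac, t, seq in sorted(frames, key=lambda f: f[1]):
        alarm = checker.observe(mac, t, seq)
        if alarm:
            alarms.append(alarm)
    return alarms


# Constructed records (MACs made up). VICTIM's counter runs near 1000 while
# frames carrying its address with a counter near 50 are interleaved; LEGIT
# only wraps past 4095; SLOW sends two frames 20 s apart, outside tolerance.
VICTIM, LEGIT, SLOW = "00:11:22:33:44:aa", "00:11:22:33:44:bb", "00:11:22:33:44:cc"
CONSTRUCTED_FRAMES = [
    (VICTIM, 0.0, 1000), (VICTIM, 0.1, 1001), (VICTIM, 0.2, 50),
    (VICTIM, 0.3, 1002), (VICTIM, 0.4, 51),
    (LEGIT, 0.0, 4094), (LEGIT, 0.1, 4095), (LEGIT, 0.2, 0), (LEGIT, 0.3, 1),
    (SLOW, 0.0, 100), (SLOW, 20.0, 3000),
]

if __name__ == "__main__":
    for alarm in run_sequence_check(CONSTRUCTED_FRAMES):
        print(alarm)
```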
FIGURE 15-9 AP Impersonation Protection

Configuration parameters are:

Enable AP Impersonation Detection – Enables detection of AP impersonation.

Enable AP Impersonation Protection – When AP impersonation is detected, both the legitimate and the impersonating AP will be disabled using a denial of service attack.

Beacon Rate Increment Threshold – The percentage increase in beacon rate that will trigger an AP impersonation event.
FIGURE 15-10 Signature Analysis

Configuration parameters are:

Enable Signature Analysis – Enables or disables the feature.

Signature Analysis Quiet Time – After an alarm has been triggered, the amount of time that must pass before another identical alarm may be triggered.

The equivalent CLI configuration for the above example is:

    wms
    ids-policy signature-check enable
    ids-policy signature-quiet-time 900

Pre-Defined Signatures

Pre-defined signatures as of AOS-W 2.0 are listed below.
Null-Probe-Response – An attack with the potential to crash or lock up the firmware of many 802.11 NICs. In this attack, a client probe-request frame will be answered by a probe response containing a null SSID. A number of popular NICs will lock up upon receiving such a probe response.

AirJack – AirJack is a popular NIC driver for Linux that allows manipulation of many 802.11 parameters.
Adding New Signatures

To add new signatures, click the Add button. The Add IDS Signature screen is shown in the figure below.

FIGURE 15-11 Add IDS Signature

Configuration parameters are:

Signature Name – A user-defined name for the new signature.

Signature Mode – A checkbox in this field indicates that the signature is enabled.

To add signature rules, click Add.
Wireless LAN Policies

Ad-hoc Network Protection

As far as network administrators are concerned, ad-hoc wireless networks are uncontrolled. If they do not use encryption, they may expose sensitive data to outside eavesdroppers. If a device is connected to a wired network and has bridging enabled, an ad-hoc network may also function like a rogue AP. Additionally, ad-hoc networks can expose client devices to viruses and other security vulnerabilities.
Wireless Bridge Detection

Wireless bridges are normally used to connect multiple buildings together. However, an attacker could place (or have an authorized person place) a wireless bridge inside the network that would extend the corporate network somewhere outside the building. Wireless bridges are somewhat different from rogue APs in that they do not use beacons and have no concept of association.
policy is useful in blocking access to that AP until the configuration can be fixed. To configure protection of misconfigured APs, navigate to Configuration > Wireless LAN Intrusion Detection > Policies > Misconfigured AP, as shown in Figure 15-14.
Enforce WEP Encryption for all Traffic – Any valid AP not using WEP will be flagged as misconfigured.

Enforce WPA Encryption for all Traffic – Any valid AP not using WPA will be flagged as misconfigured.

Valid Access Point Manufacturers OUI List – A list of MAC address OUIs that define valid AP manufacturers. Any valid AP with a differing OUI will be flagged as misconfigured.
configure detection of weak WEP implementations, navigate to Configuration > Wireless LAN Intrusion Detection > Policies > Weak WEP, as shown in the figure below.
FIGURE 15-16 Multi-Tenancy Configuration

Available parameters are:

Disable APs Violating Enterprise SSID List – When an unknown AP is detected advertising a reserved SSID, the AP will be disabled using a denial of service attack.

Valid Enterprise SSID List – A list of reserved SSIDs.

Disable APs Violating Channel Allocation Agreements – When an unknown AP is detected using a reserved channel, the AP will be disabled using a denial of service attack.
FIGURE 15-17 MAC OUI Checking

Available parameters are:

Enable MAC OUI Check – Enables or disables the feature.

MAC OUI Quiet Time – After an alarm has been triggered, the amount of time that must pass before another identical alarm may be triggered.
CHAPTER 16 Authentication Server Configuration

Introduction

Strong authentication methods use authentication servers as the basis of their methodology. Alcatel switches allow you to use either an internal authentication database or an external RADIUS or LDAP server. Authentication provides a way to identify a user and provide appropriate network access to that user. By default, all wireless users on an Alcatel network begin in the logon role.
You may configure 2 general parameters here:

• User Idle Timeout – Sets the maximum time, in seconds, that a user may be idle before the user is deauthenticated and dropped from the system. The default is 5 minutes.

• Authentication Server – Sets the maximum amount of time, in minutes, that an authentication server may remain unresponsive before it is considered down.
Add a new server by clicking the Add button. The Add RADIUS Server page appears. Enter information about a RADIUS server on this page, then click Apply and Save Configuration when you are finished. The following parameters and options may be configured through Web UI.

Server Name – A plain language, meaningful name for the RADIUS server.

IP Address – The IP address of the RADIUS server.

Shared Secret – The secret word (password) shared between the client and the server.
Authentication Port – Specifies the UDP port used for RADIUS exchanges.

Accounting Port – Specifies the UDP port used for RADIUS accounting, when it is enabled.

Num Retries – The maximum number of times the Alcatel switch will issue authentication requests without receiving a reply.

Timeout – The maximum time, in seconds, that the switch will wait for a response from the RADIUS server after each authentication request is transmitted.
Add a rule by clicking the Add button. The following parameters may be configured for server rules using Web UI:

Rule Type – Sets the rule type to either a role assignment or a VLAN assignment rule.

Attribute – Specifies which RADIUS attribute to examine for the value.

Condition – Specifies how the rule will match the attribute information to the specified value.

Value – Specifies the value for which the rule will test the specified attribute.
where:

Attribute Name – TBC

Attribute ID – TBC

Attribute Type – TBC

Vendor Name – TBC

Vendor ID – TBC
Configuring LDAP Servers with Web UI

Alcatel switches allow for authentication using LDAP servers. Configure LDAP servers from the Configuration > Security > AAA Servers > LDAP page in Web UI. You may add, edit, or delete an LDAP server from the LDAP page. When the Add or Edit button is clicked, the following page is displayed.

Server Name – A plain language name to identify the server.
Is Server Active Directory – TBC

IP Address – The IP address of the LDAP server.

Authentication Port – The port on which the server is configured. Default=389.

Base DN – The Distinguished Name of the node containing the entire user database to be used for user authentication.

Admin DN – The name of the user who has read/search privileges across all entries in the LDAP database.

Admin Password – The password for the Admin defined in Admin DN.
where: Rule type is Role Assignment or Vlan Assignment.
Configuring the Internal Authentication Database with Web UI

Alcatel AOS-W supports an internal authentication database. The internal database may be used with VPN, Captive Portal, or MAC-based authentication; it is not usable for 802.1x authentication. You may configure the internal database by navigating to the Configuration > Security > AAA Servers > Internal DB page.
Configuring RADIUS Accounting with Web UI

Alcatel AOS-W supports RADIUS accounting, tracking login and logout times. Configuration of RADIUS accounting is done by navigating to the Configuration > Security > AAA Servers > Accounting page. Add configured servers by clicking Add, then selecting a server from the pull-down menu.
Configuring 802.1x Authentication with Web UI

802.1x authentication is designed to provide authentication before the user is granted any Layer 2 access to the network, and provides a framework in which multiple authentication protocols may be employed. Several protocols are well suited for wireless networks and include:

• EAP-TLS

• PEAP

• TTLS

Begin configuring 802.1x Authentication by navigating to the Configuration > Security > Authentication Methods > 802.
1 Click the Enable Authentication checkbox.

2 Select a default role from the pull-down menu.

3 Add an authentication server using the ADD button at the bottom of the page.

The following options/features may be configured for 802.1x authentication using Web UI:

Default Role – The default role assigned to an 802.1x authenticated client if the role is not provided by the server.

Enable authentication – Enables/disables 802.1x authentication.
Configuring VPN Authentication with Web UI

Alcatel switches provide full VPN termination capabilities, using hardware acceleration. All encryption protocols are executed in hardware, with the hardware sized appropriately to handle a full complement of access points. Configure VPN authentication by navigating to the Configuration > Security > Authentication Method > VPN page. You may configure the following VPN options and parameters using Web UI.
Configuring Captive Portal Authentication with Web UI

Alcatel switches provide the ability to allow wireless users to authenticate through a web-based portal. Captive portal authentication may be completed over an SSL connection; however, it provides no security for user data after authentication has occurred. Captive Portal authentication should only be used in environments where encryption is not required.
Default Role – Use this pull-down menu to select the default role for the client when authenticated. This role is assigned if the authentication server does not provide role information.

Enable Guest Logon – When selected, this option enables the display of a guest user field where the user may enter their email address as a user ID. The email address is not authenticated or validated, but it is tracked.
Authentication Failure Threshold for Station Blacklisting – Specifies the number of times a station may fail authentication before it is placed on a blacklist and not allowed to authenticate. Enter 0 to disable blacklisting.

Authentication Servers – Use the Add button to create an ordered list of authentication servers.
Configuring MAC Address Role Mapping with Web UI

MAC Address role mapping provides identification and role mapping based on the client MAC address. This feature should not be considered an authentication method because no secure password is employed. This feature should ALWAYS be combined with L2 encryption and appropriate firewall policies.
Configuring Stateful 802.1x for Third Party Access Points

This feature allows the switch to intercept communications between third-party APs and the authentication server so that it can learn the username and apply appropriate role and traffic policies. This assumes that the Alcatel switch is located in the datapath between the AP and the authentication server. Configure Stateful 802.1x by navigating to Configuration > Security > Authentication Methods > Stateful 802.1x.
Role Mapping

From the Web UI, you can perform role mapping based on SSID and encryption. These two methods are discussed in the following sections. From the CLI, you can perform role mapping on BSSID, location, and MAC address in addition to SSID and encryption.
Adding a Role Map

1 Click Add.

2 Select a match condition from the Condition pull-down menu box.

3 Enter a value for the ESSID you wish to match to a role.

4 Select a role from the Role Name pull-down menu box.

Encryption Type Role Mapping

This feature enables roles to be assigned based solely on the Layer 2 encryption type used by the client. This method of role assignment bypasses authentication and should therefore be combined with a strong firewall policy.
Adding a Condition

TBC

where:

Rule Type – specifies what rule will apply, such as on MAC addresses, BSSIDs, or location.

Condition – specifies how the rule type is treated, for example a MAC address equal to a value.

Value – specifies the value of the condition, for example when location is not equal to Headquarters.

Role Name – the name of the role affected by the condition.

When you finish defining the condition, click Apply.
Configuring General AAA Settings Using the CLI

Configure the general AAA settings using the aaa timers command.

    (Alcatel) (config) #aaa timers idle-timeout 5
    (Alcatel) (config) #aaa timers dead-time 10

View the general authentication server settings using the show aaa timers command.

    (Alcatel) (config) #show aaa timers
    User idle timeout = 5 minutes
    Auth Server dead time = 10 minutes

Configuring RADIUS Servers Using the CLI

Configure RADIUS servers using the aaa radius-server command.
The configured RADIUS server settings may be viewed using the show aaa radius-server server-name command.

Server Rules

Define server rules for deriving roles or VLANs using the aaa derivation-rules command from the CLI. Enter the server-rule sub-mode using the aaa derivation-rules command.
Configuring LDAP Servers Using the CLI

Configure LDAP servers using the aaa ldap-server command from the CLI.
1 Enter the config-ldapserver submode by executing the aaa ldap-server command with the name of the server you wish to configure as the argument.

    (Alcatel) (config) #aaa ldap-server horseradish_2_ldap
    (Alcatel) (config-ldapserver-horseradish_2_ldap)#

2 Enter the LDAP server’s IP address.

    (Alcatel) (config-ldapserver-horseradish_2_ldap)#host 192.168.200.251

3 Specify the authentication port number.
10 Set the mode, enable or disable LDAP.

    (Alcatel) (config-ldapserver-horseradish-2-ldap)#mode enable

View the LDAP server settings using the show aaa ldap-server command from the CLI.

    (Alcatel) (config) # show aaa ldap-server horseradish_2_ldap
    LDAP Server Table
    -----------------
    LDAP Server Attribute   Value
    ---------------------   -----
    Priority                5
    Name                    horseradish_2_ldap
    Hostname                192.168.200.
Configuring the Internal Authentication Database Using the CLI

An internal authentication database may be configured using the local-userdb command from the CLI. Users are added to the local database from the command prompt rather than the configuration prompt.

    (Alcatel) #local-userdb add username NewGuy password NewFoo role foo-user

Users may be deleted using the local-userdb delete option from the CLI.
2 Assign an accounting server.

    (Alcatel) (config) #aaa radius-accounting auth-server rad2-radius-server

Configuring 802.1x Authentication Using the CLI

802.1x configuration is accomplished using 2 families of commands from the CLI: the aaa general accounting commands and the dot1x commands.

1 Select a default role for users authenticating through 802.1x. This is the role that will be assigned unless the authentication server provides another role for the user.
8 Enable or disable re-authentication. Use the “no” form of the command to disable the feature.

    (Alcatel) (config) #dot1x re-authentication
    (Alcatel) (config) #no dot1x re-authentication

9 Set the reauthentication time interval, in seconds (60-2147483647). You may also specify that the interval provided by the server be used.

    (Alcatel) (config) #dot1x timeout reauthperiod 3600

10 Enable multicast key rotation.
You may view the 802.1x configuration settings using the show aaa dot1x command from the CLI.

    (Alcatel) (config) #show aaa dot1x
    Mode = 'Enabled'
    Default Role = 'foo-user'
    Max authentication failures = 0
    Auth Server Table
    -----------------
    Pri  Name  Type  IP addr  AuthPort  Status  Inservice  Applied  Users
    ---  ----  ----  -------  --------  ------  ---------  -------  -----
    (Alcatel) (config) #show dot1x ?
    ap-table    Show 802.1X AP Table
    config      Show 802.
Adding 802.1x Authentication Servers

Add an existing configured 802.1x authentication server.

    (Alcatel) (config) #aaa dot1x auth-server foo-dot1auth-server

Configuring VPN Authentication Using the CLI

VPN authentication may be configured when IPSec or PPTP is in use on the switch. VPN authentication is configured using the aaa vpn-authentication commands from the CLI.

1 Enable VPN authentication.
Configure Captive Portal using the aaa captive-portal commands from the CLI.

1 Set the default role. This is the role which will be assigned to the client if the authentication server provides no role information about the client when they authenticate.

    (Alcatel) (config) #aaa captive-portal default-role foo-user

2 Enable guest logon (optional).

    (Alcatel) (config) #aaa captive-portal guest-logon

3 Enable user logon (optional).
Configuring MAC Address Role Mapping Using the CLI

MAC Address Role Mapping is a method of identifying clients based on their MAC address and assigning an appropriate role based on the MAC address. This method should not be considered a true authentication method, since no password is associated with the method. This method should always be coupled with Layer 2 encryption and strict firewall policies.
3 Specify the authentication server.

    (Alcatel) (config) #aaa stateful-authentication dot1x auth-server

AP/Server Configuration for Stateful 802.1x

When stateful 802.1x authentication is used with third-party APs, a list of those APs must be maintained. The list is automatically generated when configuring 802.1x stateful authentication through Web UI (Web Interface). However, for legacy support it may be done manually through the CLI. Define the configuration.
Notes on Advanced AAA Features

The Advanced AAA feature pack for AOS-W unlocks a number of extended authentication and authorization features for enterprise and service provider networks.
The AOS-W Solution

All the problems outlined above are solved using the Advanced AAA feature pack for Alcatel AOS-W. The feature pack is a collection of authentication- and authorization-related enhancements conveniently packaged together. The feature pack includes the following solutions:

Per-SSID Selection of Authentication Server

In wireless networks, the SSID (Service Set Identifier) is used to differentiate between different types of services.
In an enterprise network, this capability can be used to authenticate users from different organizational units. As an example, Acme Corporation may use Windows Active Directory to store user information, and may authenticate users in this network against Microsoft’s Internet Authentication Server. Acme Corporation merges with Consolidated Widgets, Inc., which uses Novell Directory Services (NDS) to manage the userbase.
number of different services to be provided. All users can connect to the network using the same method, and the domain name supplied when the user authenticates will be used to determine which ISP has authentication data for that user. This method has the additional benefit of applying to wired networks as well as wireless networks.
CHAPTER 17 IAS Server Configuration

This chapter describes how to configure your IAS server for Extensible Authentication Protocol (EAP). It will cover the following 4 topics.
Starting the IAS Server

1 Click Start on the task bar, click Settings, click Administrative Tools, click Services, then select and double-click Internet Authentication (see figure). The Internet Authentication Service Properties dialog box appears.

2 Click the General tab at the top of the IAS Properties dialog box.
3 Change the Startup type to Automatic.
1 Click Start on the task bar, click Programs, then Administrative Tools, and then Internet Authentication Service. The Internet Authentication Service (IAS) window appears.

Create a new NAS Client.

2 Right-click on the Clients folder icon.
3 Select New Client. The Add Client dialog window appears. Enter a meaningful name in the Friendly name box.

4 Use the Protocol pull-down menu to select RADIUS for the protocol.

5 Click Next. The Add RADIUS Client dialog appears.

6 Enter the IP address of the RADIUS client. Select the appropriate vendor from the Client-Vendor pull-down box.
7 Enter a word in the Shared secret text box, then re-enter the same word in the Confirm shared secret text box. A shared secret is a text string that serves as a password between client and server, client and proxy, or a proxy and a server. Observe the following conventions when creating a shared secret:

• The shared secret must be the same case-sensitive text string on both devices.

• Use any standard alphanumeric and special characters.
Remote access policies are created using the IAS Administration Tool. If the IAS Administration Tool is not already open, open it by clicking Start on the task bar, then Programs, then Administrative Tools, and then Internet Authentication Service.

1 Right-click on the Remote Access Policies icon in the IAS window.

2 Click on New Remote Access Policy. The Add Remote Access Policy dialog appears. Type a name for the policy in the Policy friendly name text box.
3 Click Next. The Select Attribute dialog window appears.

4 Click the Add button. The Select Attribute list window appears.

5 Select the attribute(s) to add to the policy, then click the Add button. The NAS-IP-Address dialog box appears. Type the NAS-IP-Address in the text box and click OK.

NOTE—Add additional conditions by clicking the Add button, just below the conditions list, at the bottom of the Add Remote Access Policy window.
When finished adding conditions, click the Next button on the Add Remote Access Policy dialog.

6 Select the Grant remote access permission radio button.

7 Click Next. The Add Remote Access Policy User Profile dialog appears.
8 Click the Edit Profile button. The Edit Dial-In Profile window appears.

9 Click on the Authentication tab. Check the Extensible Authentication Protocol check box. If the authentication server needs to be configured for EAP-TLS, then select either Smart Card or Other Certificate from the EAP drop-down menu.
1 Click Start, then Run, then type mmc and press Enter. The Console window appears.

2 Click Console and select Add/Remove Snap-in. The Add/Remove Snap-In dialog appears. Click the Standalone tab.
3 Select the Active Directory Users and Computers item in the Add Standalone Snap-in list window. Click Add, then Close at the bottom of the list window. Right-click the Users folder in the tree pane of the Console window.

NOTE—You may find the Users folder along the path Console Root/Active Directory Users and Computers/network name/Users.

4 Click New, then User.
Type the user’s name information in the appropriate text fields, then click Next. Enter the password in the Password text field and re-enter it in the Confirm Password text field.

5 Click Next. The New Object - User dialog appears; click Finish.
Configuring SBR

TBC

Configuring Funk

TBC
CHAPTER 18 Firewall Configuration

Setting Policies Using Web UI

Aliases

Aliases are a convenient way to associate a human-understandable name with a specific object. AOS-W enables administrators to assign easily understandable names to network ports (services) and specific IP addresses or groups of IP addresses.

Defining Service Aliases

Service aliases apply to protocol/port numbers. Service aliases may be configured in Web UI.
Navigate to the Configuration > Security > Advanced > Services page. To add a new service alias, click Add. The Add Service page appears. The options and parameters available for configuration on the Add Service page are:

Service Name – A plain language name that identifies the alias.

NOTE—Default service aliases begin with svc- followed by the name of the protocol.
Protocol – Specify the protocol, either by using the radio buttons or by entering the protocol number (0 - 255).

Starting Port – Sets the lower port number of a protocol port range.

End Port – Sets the upper port number of a protocol port range.

NOTE—If the service uses a single port, enter the starting port number here also.

1 Enter a name in the Service Name text field.

2 Check the appropriate Protocol radio button.

3 Enter the Starting Port.
You may add, delete, or modify source and destination aliases on this page. Alcatel provides 3 pre-defined aliases which should not be altered or deleted.

User – When applied to an authenticated user, the alias is replaced by the IP address assigned to that user.

Mswitch – Represents the IP address, loopback address, or VLAN 1 address of the switch upon which the policy is running.
1 Click Add to expand the page and expose the Add Rule section, near the bottom.

2 Enter a name for the new destination in the Destination Name text box.

3 Select a rule type using the Rule Type pull-down menu. The choices for rule types are:

Host – Use this selection to specify a single address. Do not enter anything in the Network Mask/Range field.

Network – Use this selection when specifying an IP subnet.
OmniAccess Reference: AOS-W System Reference Rules are organized in top-down lists where the first rule applied to the traffic is at the top of the list. Traffic is tested against each rule in order until a match is found. When a match occurs the rule is applied and no other testing occurs. Policies can be applied to physical ports or to user roles. Navigate to the Configuration > Security > Policies page. From the Firewall Policies page you may Edit, Delete, or Add policies.
Chapter 18 The Source and Destination elements of a rule have the same 5 options. Those options are: 1. any This option will test true for traffic from any source or to any destination. 2. user This option will test true only for traffic to or from a known user. 3. host This option will test true only for traffic to or from a specific IP Address. 4. network This option will test true only for traffic to or from a network specified by a network address and subnet mask 5.
OmniAccess Reference: AOS-W System Reference 5. redirect Add a policy by clicking Add, the Add New Policy page appears. The Add New Policy page is where you name your new policy and define rules for that policy. 1 Enter a meaningful name in the Policy Name field at the right hand side of the page. 2 Select a traffic source from the Source pull-down menu. 3 Select a traffic destination from the Destination pull-down menu. 4 Select an action from the Action pull-down menu.
Chapter 18 Navigate to the Configuration > Switch > Port page. Select the port to which you wish to apply a policy, then use the pull-down menu to select a policy to apply. Click Apply and Save Configuration.
OmniAccess Reference: AOS-W System Reference Defining Roles Using Web UI Role Design A role is assigned to a user when they connect to the network, and possibly again after they are authenticated. Roles determine what network resources the user may access. Roles may be very broad-based, allowing access to many resources or they may be very narrow in scope, allowing access to very limited resources.
Chapter 18 Click Add to begin adding a new role to the list. The Add Role page appears.
OmniAccess Reference: AOS-W System Reference Adding Firewall Policies Add firewall policies, begin by clicking the Add button under the Firewall Policies header on the page. The Configure Firewall Policy page then appears. You may choose one of three options on this page: z Specify an existing policy. z Create a new policy using an existing policy as a model. z Create a new policy from scratch.
Chapter 18 Specify an Existing Policy 1 Select the Choose from Configured Policies radio box. 2 Specify a particular AP (if you wish to apply this policy only when using the specified AP) by entering the its location in the Location text box. 3 Click Done. Create a New Policy From an Existing Policy 1 Select Create New Policy From Existing Policy. 2 Click Create. The Add New Policy page appears. 3 Create a new policy in exactly the same way you would in “Firewall Policies” on page 385.
OmniAccess Reference: AOS-W System Reference additional options. z Re-authentication Inter- By default a user will remain authenticated val z Role VLAN ID until the login session is terminated. Use this option to force periodic re-authentication. When a VLAN is specified for this option, the user will be mapped to that VLAN. NOTE—This option only applies if authentication is done at Layer 2. z Bandwidth Contract This option applies a bandwidth contract to the role.
Chapter 18 You may define a service alias by giving it a name, then choosing to specify one of three options:. UDP Use this option to specify UDP as the service. Specify a port for the service by including a single value after the UDP specifier or a range of ports by including two values representing startAddr and endAddr. The valid range for ports is 0-65535. TCP Use this option to specify TCP as the service.
OmniAccess Reference: AOS-W System Reference Defining Source and Destination Aliases Define a source/destination alias and enter the config-dest mode using the netdestination command from the CLI. After entering the config-dest mode you may specify one of 3 types of destinations for your alias: 1 host Use this command to specify a specific host IP address for the alias. network Use this command to specify a network or sub-net as a source or destination.
Chapter 18 2 Enter rules in the order you wish them to be applied.
OmniAccess Reference: AOS-W System Reference 2 Assign a policy to a the port used when entering the config-if mode. (Alcatel) (config-if)#ip access-group guest session Defining Roles Using the CLI Configuring Roles Roles are configured in the CLI using the config-role mode commands. Define a user role and enter the config-role mode. (Alcatel) (config) #user-role foo-user (Alcatel) (config-role) # Begin to enter the role parameters.
Chapter 18 Extended ACLs Create extended ACLs using the extended option of the access-list command. (Alcatel) (config) #ip access-list extended foo-ext-1 (Alcatel) (config-ext-foo-ext-1)# permit tcp any host 1.1.1.1 range 67 69 (Alcatel) (config-ext-foo-ext-1)#permit icmp 1.1.1.0 0.0.0.255 any echo-reply MAC ACLs Create MAC ACLs using the mac option of the access-list command.
OmniAccess Reference: AOS-W System Reference 400 Part 031652-00 May 2005
CHAPTER 19 Captive Portal Setup

Overview
The following outline lists the steps used to configure captive portal authentication. Each of the outlined steps is covered in detail in the sections that follow.
1 Add users to the authentication database.
2 Configure the server information on the Wireless LAN switch.
3 Apply an authentication server for captive portal authentication.
4 Customize the logon role. Identify what traffic is to be permitted to authenticate the user.

Add Users to the Database
Authentication can be provided using one of the following:
• An internal database on the Wireless LAN switch
• An external RADIUS server attached to your network
If using an external RADIUS server, refer to your server documentation for adding users and skip to the next section. Otherwise, users must be added to the Wireless LAN switch internal database. The internal database includes a default guest account.

Configure RADIUS Server Information
If using the Wireless LAN switch internal server, skip to the next section.

Use the no prefix to remove the server information from the database.

Customize the Logon Role
The logon role is intended only to allow clients to access the captive portal logon page. Typically, the logon role should be configured with two session Access Control Lists (ACLs): one to allow general control traffic (such as DNS and DHCP) and another to allow captive portal authentication.
Modify the Control ACL
A default control ACL is already configured to allow generic traffic, but may be modified as necessary.

Modify the Captive Portal ACL
A default captiveportal ACL is already configured to allow captive portal authentication traffic.

Modify the Logon Role
The logon role should have only the control and captive portal ACLs assigned. ACLs that allow other forms of authentication (such as VPN) should be removed from the logon role.

Allow Guest Access
By default, guest access is disabled. To allow guest access, first the guest logon must be enabled, and then the guest role must be configured with appropriate ACLs.
Enable the Guest Logon
By default, the guest login option is disabled. This means that the guest option is not shown on the login page. Only users with valid user names and passwords are allowed.

In the example above, a destination alias is created that represents all IP addresses except the internal network (by selecting the internal network and using the invert option). The guest user is then permitted access to the resources in the alias.
Configure Other User Roles
You can configure other user roles as needed. For each role, first create the session ACLs. Then, apply the session ACLs to the appropriate user role.

Configuring Role Derivation
The simplest option for role derivation is to configure a default role for the captive portal user. This role will be assigned to the user after successful authentication.

For more information on how role derivation works, refer to “Setting Access Rights” on page 419.
Import a Server Certificate
Unless an appropriate server certificate is in place, wireless client stations using captive portal may get a security warning message after logging in. For example:
FIGURE 19-1 Windows XP Security Alert
To prevent the warning message, use the Alcatel Web Interface to import a valid x509 PEM server certificate.

2 Log in using the admin account. When successful, the following page appears:
FIGURE 19-2 Import Certificate Page
3 Select the valid server certificate. Type the filename or use the Browse button to locate a properly formatted x509 PEM server certificate file that includes both public and private key information.
4 Upload the server certificate file. Click on the Upload button to load and install the certificate.

Customize the Login Screen
If desired, the background image shown on the captive portal login screen can be replaced with a custom GIF, JPG, or PNG graphic file.
1 Access the Alcatel Web interface. Enter the following URL in your Web browser:
http:///screens/auth/captiveportal_customize.html
If your PC has access to the appropriate interface, you will be prompted to log in.

Sample Configuration
Listed below are the commands relevant to the captive portal configuration on an actual Alcatel Wireless LAN Switch placed on an N+I network:
ip access-list session noilabs
any network 45.128.0.0 255.128.0.0 any deny
exit
ip access-list session nonoc
user host 45.0.12.20 dns permit
any network 45.0.0.0 255.255.0.0 any deny
any network 45.2.0.0 255.255.0.0 any deny
any network 45.125.0.0 255.255.0.0 any deny
any network 45.120.0.0 255.255.0.
user-role ap
session-acl nonoc
session-acl noilabs
exit
aaa captive-portal default-role noc
aaa captive-portal auth-server infoblox priority 1
aaa captive-portal auth-server infoblox
aaa radius-server infoblox host 45.0.12.60 key infoblox
aaa server-rule server infoblox
set role condition User-Name starts-with ilab set-value ilabs
exit
interface vlan 1
ip address 45.1.14.1 255.255.0.0
exit
ip default-gateway 45.1.0.
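To make the first-match, top-down rule evaluation described in Chapter 18 concrete, the following constructed model parses the nonoc rules from the sample configuration above and evaluates packets against them, including an inverted destination alias of the kind used for guest access. This is added example code, not AOS-W's implementation; the svc-style service table, the alias endpoint keyword and the trailing implicit deny are assumptions of the model.

```python
# Constructed model of AOS-W session ACL evaluation (added example, not the
# switch's code): rules are tested top-down and the first match wins, with
# any/user/host/network endpoints, a service alias (protocol plus port range,
# as created with 'netservice') and a destination alias with 'invert'.
import ipaddress
from dataclasses import dataclass

# Service aliases: protocol and inclusive port range. Constructed stand-ins
# for the switch's svc-* defaults; 'any' matches every protocol and port.
SERVICES = {
    "any": (None, 0, 65535),
    "dns": ("udp", 53, 53),
    "http": ("tcp", 80, 80),
}

# Destination aliases modelled on 'netdestination'. With invert=True the alias
# matches every address *except* the listed networks (the guest-access pattern).
NETDESTS = {
    "internal": ([ipaddress.ip_network("45.0.0.0/16")], False),
    "not-internal": ([ipaddress.ip_network("45.0.0.0/16")], True),
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    src_is_user: bool          # True when src is an authenticated user's address
    dst_is_user: bool = False


def endpoint_matches(spec, addr, is_user):
    """spec is 'any', 'user', ('host', ip), ('network', ip, mask) or ('alias', name)."""
    if spec == "any":
        return True
    if spec == "user":
        return is_user
    ip = ipaddress.ip_address(addr)
    kind = spec[0]
    if kind == "host":
        return ip == ipaddress.ip_address(spec[1])
    if kind == "network":
        return ip in ipaddress.ip_network(f"{spec[1]}/{spec[2]}", strict=False)
    if kind == "alias":
        nets, invert = NETDESTS[spec[1]]
        return any(ip in n for n in nets) != invert
    raise ValueError(f"unknown endpoint type {kind!r}")


def service_matches(name, proto, dport):
    sproto, lo, hi = SERVICES[name]
    return (sproto is None or sproto == proto) and lo <= dport <= hi


def parse_rule(line):
    """Parse one rule in the form used by the sample configuration, e.g.
    'user host 45.0.12.20 dns permit' -> (src, dst, service, action).
    The 'alias <name>' endpoint keyword is an assumption of this model."""
    toks = line.split()

    def endpoint():
        t = toks.pop(0)
        if t in ("any", "user"):
            return t
        if t == "host":
            return ("host", toks.pop(0))
        if t == "network":
            return ("network", toks.pop(0), toks.pop(0))
        if t == "alias":
            return ("alias", toks.pop(0))
        raise ValueError(f"bad endpoint {t!r} in {line!r}")

    src, dst = endpoint(), endpoint()
    svc, action = toks.pop(0), toks.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported action {action!r}")
    return src, dst, svc, action


def evaluate(rules, pkt):
    """Return (action, index of the matching rule). When nothing matches the
    traffic is dropped; that final implicit deny is assumed here."""
    for i, (src, dst, svc, action) in enumerate(rules):
        if (endpoint_matches(src, pkt.src, pkt.src_is_user)
                and endpoint_matches(dst, pkt.dst, pkt.dst_is_user)
                and service_matches(svc, pkt.proto, pkt.dport)):
            return action, i
    return "deny", None


# The first three rules of the 'nonoc' ACL from the sample configuration.
NONOC = [parse_rule(r) for r in (
    "user host 45.0.12.20 dns permit",
    "any network 45.0.0.0 255.255.0.0 any deny",
    "any network 45.2.0.0 255.255.0.0 any deny",
)]

# Constructed guest ACL: the inverted alias permits everything but the internal net.
GUEST = [parse_rule(r) for r in (
    "user alias internal any deny",
    "user alias not-internal any permit",
)]

if __name__ == "__main__":
    dns = Packet("45.1.14.50", "45.0.12.20", "udp", 53, src_is_user=True)
    print(evaluate(NONOC, dns))                   # ('permit', 0)
    print(evaluate([NONOC[1], NONOC[0]], dns))    # ('deny', 0): order matters
```

Swapping the first two rules shows why the permit for DNS must sit above the subnet deny: once the deny matches, no further rule is tested.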
show rights
This command details the access rights associated with a role.

show user-table
This command shows all the users currently known to the system:
(OmniAccess 6000) # show user-table
Users
-----
IP          MAC                Name     Role      Age(d:h:m)  Auth  VPN link     location  Roaming  Essid/Bssid/Phy
----------  -----------------  -------  --------  ----------  ----  -----------  --------  -------  ---------------
10.2.15.4   00:01:24:60:03:99  pdedhia  employee  00:09:52    VPN   10.3.25.169  52.1.              6:80:60:78/a
CHAPTER 20 Setting Access Rights
This chapter describes how to set access rights on the OmniAccess 6000 switch using the AOS-W software.

Introduction
User rights are controlled by the ACL assigned to the user’s role. User roles are derived from information about the user obtained through the authentication process. A session ACL is comprised of one or more traffic filtering rules.

Defining Aliases

Defining Service Aliases
Aliases are useful when creating filters, giving service definitions a friendly name. Creating an alias is accomplished using the netservice command. See “Authentication Commands” on page 817.
(Alcatel) (config) #netservice HTTP tcp 80
(Alcatel) (config) #
Defining Destination Aliases
Define a destination alias using the destination command. See “Authentication Commands” on page 817.

Creating Session ACLs and Roles
Creating a Session ACL for Logon
A session ACL must first be created for the Logon role. That ACL will contain filters that control the user’s access during the logon process, before the user is authenticated. Session ACLs are created or modified using the ip access-list session command. See “Access Control List Commands” on page 835.

Role Derivation
The simplest way to assign a role is to create a default role for the authentication method being used, then assign that role to all or most of the users when they are authenticated. Create a role using the aaa captive-portal command. See “AAA Commands” on page 823.
How Role Derivation Works
Roles are derived in the following order:
1. The default role for a new user is always logon.
2.

The following flow illustrates how roles are derived.

Show Commands
The Show Commands associated with user rights are:
• show rights
• show rights rolename
• show rights derive-role authentication_method
• show access-list aclname
• show aaa captive-portal
• show user-table
A full description of the Show Commands may be found in the Show Commands chapter.
CHAPTER 21 Access Point Setup
This chapter covers the following topics for the Alcatel Wireless Access Point (AP):
• Overview of the system components and supported network topology
• Description of AP setup, including requirements, boot access, initial configuration, and advanced configuration.
• Description of switch setup for new APs, including profiles and setting attributes.
Because Access Points are broadcast radio devices, their operation is subject to governmental regulation.

System Overview
Components
The Alcatel Wireless LAN solution consists of three major components:
• The Alcatel Wireless LAN Switch. This is an enterprise-class switch into which multiple wireless Access Points (APs) are connected and controlled.
• The Alcatel Wireless Access Point. This is a next-generation wireless transceiver which functions as an AP or Air Monitor (AM).

APs with a direct connection to the Wireless LAN switch can also utilize optional Serial and Power Over Ethernet (SPOE) and support the Wireless LAN switch Access Point Status LEDs. (When multiple APs are connected to a port indirectly, the LEDs provide information about the aggregate connection, not about a specific AP.)
NOTE—To use SPOE, the AP must be connected to the Alcatel Wireless LAN Switch without any intervening hubs, routers, or other networking equipment.

AP Provisioning
There are several methods for setting up and configuring Alcatel APs for use with the Wireless LAN switch. Depending on your network configuration, the following methods are available, each of which is explained in greater detail below:
• Plug and Play–A limited situation where APs can be connected to the Wireless LAN switch and brought into operation with only default configuration settings.

Simplified AP Provisioning
This is a streamlined example of the AP Programming Mode. This procedure represents the most typical customization: setting the master Wireless LAN switch IP address on the AP. In this example, DNS is not required.
NOTE—If you would like more control over AP configuration settings, or for more details on any of the commands in the procedure, see “AP Programming Mode” on page 430.

7 Once the settings are correct, push the configuration to the APs.
(Alcatel) (program-ap) # config all  (Upload configuration to the APs)
8 Disable the AP Programming Mode:
(Alcatel) (program-ap) # disable  (Return ports to normal operation)
AP Programming Mode
The AP Programming Mode offers extended provisioning for adding Alcatel APs to a highly customized network.

3 Connect the Alcatel APs that require configuration to one of the specified AP programming ports on the switch.
NOTE—Although a direct Ethernet connection between the AP and Wireless LAN switch is preferred, a Layer 2 hub can be used to connect more than one Alcatel AP to any specific AP programming port.
4 Power up the connected APs.
5 Verify that the APs connected to the AP programming ports are detected by the switch.

• Disconnect and reconnect the AP from the switch port. If the AP list had previously been cleared using the clear-provisioning-ap-list command, the AP should now reappear.
• If the AP was previously configured on a different network with settings incompatible with the current network (wrong hostname or static IP address), return the AP to its old network and reset the AP to its factory defaults before moving it again (see “AP Reprovisioning” on page 436).

C My network uses direct IP addresses instead of DNS. If using direct IP addresses in your network, use the following commands:
(Alcatel) (program-ap) # hostip
(Alcatel) (program-ap) # masterip
NOTE—If the hostname setting is configured in this scenario, it will be ignored.
7 Specify an IP address for a specific AP, if necessary. If using DHCP, the AP will obtain its IP address automatically and you can skip this step.

If you prefer to manually generate the location data, record the location you set for each access point and air monitor along with the following:
Note the intended function of the device (access point or dedicated air monitor) and a brief description of its service location.
X, Y Coordinates For each access point and air monitor, measure its X and Y position (in feet) relative to the bottom-left corner of the building plan as seen from overhead.

11 Push the configuration to the APs. Depending on how specific your AP configuration must be, use one of the following commands to upload configuration settings to the APs.
• Using default IP address and location settings. If you are using the default DHCP setting (Step 3) and default location settings (Step 8), you can configure all APs simultaneously using the following command:
(Alcatel) (program-ap) # config all
• Using specific IP address or location information.

15 If no other APs are to be configured, disable the AP programming mode:
(Alcatel) (program-ap) # disable
This will return all AP programming ports to their previously defined network settings.
NOTE—If the AP programming mode is not disabled after provisioning is complete, the affected switch ports will not work properly for normal network operations.

3 If desired, you can reset a deployed AP to its factory default settings:
(Alcatel) (program-ap) # reset-bootinfo
where AP index is the AP’s entry in the list generated using the show provisioning-ap-list command.
NOTE—The reset-bootinfo command takes effect immediately and does not require use of the AP programming mode config or reprovision commands.
4 Otherwise, use the provisioning commands to set new parameters.

Proceed to Step 3 on page 439.
2 If using Telnet to connect to the AP remotely, access the AP through the Wireless LAN switch Serial and Power Over Ethernet (SPOE) interface.
NOTE—If using a terminal directly connected to the AP, see Step 1 on page 437 instead.
By default, the Wireless LAN switch does not permit Telnet access to the serial portion of the SPOE interface.

3 Interrupt the AP boot process. Depending on how far the AP boot has progressed, use one of the following lettered steps:
A If the AP is initializing after power up. When power is first connected, the AP will begin its initialization process. At any time before the autoboot timer expires, you can press any key to interrupt this process. For example:
APBoot 1.0.1 (Mar 7 2003 - 16:20:28)
CPU: MPC8245 Revision 16.

B If the AP has completed booting. If no key is pressed before the autoboot timer expires (default of 3 seconds), the AP will resume normal software loading and initialization functions:
ARP broadcast 1 for 10.3.3.1
TFTP from server 10.3.3.1; our IP address is 10.3.3.3
Filename 'sap.bin'.

Initial Configuration
The Alcatel AP requires some initial configuration before it will operate. All direct configuration of the AP is done using the AP boot prompt (see page 437). Once connected to the AP boot prompt, configure the AP as follows:
From the AP boot prompt, set the intended location for the AP:
apboot> setenv location ..

2 Specify host information, if necessary. In order to provide centralized management of the APs, each OmniAccess Reference AP downloads its software image and configuration files from the master Alcatel Wireless LAN Switch.

NOTE—If the servername environment variable is configured in this scenario, it will be ignored.
3 Specify an IP address, if necessary. If using DHCP, the OmniAccess Reference will obtain its IP address automatically and this step can be skipped.
Advanced AP Configuration
The following sections cover:
• How to access the Alcatel AP configuration prompt
• Commands and settings that can be configured
• Example configurations for common scenarios
APBoot Commands
The following commands are available from the apboot prompt:
• help List the available commands and a brief explanation of each.
• printenv List the environment variables and their current settings.

APBoot Environment Variables
The following environment variables can be configured using the setenv command and listed using the printenv command (see page 444):
NOTE—Spelling is critical when defining environment variables. The AP may not function properly if environment variables are misspelled or misconfigured.
TABLE 21-2 Configurable Environment Variables
Variable    Description
bootdelay   The length of time (in seconds) of the autoboot timer.

TABLE 21-2 Configurable Environment Variables (continued)
Variable    Description
servername  This is the hostname of the Alcatel Wireless LAN Switch (or TFTP server) that holds the AP software image and/or configuration files. When using this variable, your DNS server must be configured to resolve the specified hostname to the appropriate location. The default value is Alcatel-master. If not using DNS, use the master and serverip variables instead.

TABLE 21-3 Preset Environment Variables
Variable   Description
bootfile   This is the file name of the AP image. Default = sap.bin
ethaddr    This is the MAC address of the Ethernet interface in the AP. This is unique for each AP.

• The AP location is set to -1.-1.-1 (unconfigured) and uses the default location profile.
Set AP Software & Configuration Source
By default, the AP downloads its software image and configuration files from a TFTP service on the Wireless LAN switch. The AP locates the switch by issuing a DNS request for the IP address of Alcatel-master.

When booted normally (without entering APBoot mode), the AP will use the new settings and the AP console will display the following kind of information:
apboot> boot
ARP broadcast 1 for 10.3.3.1
TFTP from server 10.3.3.1; our IP address is 10.3.3.3
Filename 'sap.bin'.

If DNS is not used or if you need to assign different TFTP servers for the software and configuration files, the following environment variables can be configured:
TABLE 21-4 AP Download Preferences
Variable  Software Image Source  Configuration File Source
master    Not applicable.        IP address or DNS name of the Alcatel Wireless LAN Switch that holds the AP configuration file. Highest priority. Overrides servername and serverip.

Set AP with Specific Location
The location variable can be used to specify where the AP will be permanently installed. The location specifies which configuration profile will be downloaded to the AP from the Wireless LAN switch. The location of the AP can be set manually, using the following APBoot command:
setenv location ..
For example:
apboot> setenv location 1.2.

GRE Tunnels
Regardless of the network topology between the AP and the Wireless LAN switch, the AP will open one GRE tunnel per radio interface to the Wireless LAN switch. One end of the GRE tunnel will be the IP address of the AP. The other end of the GRE tunnel is specified (in descending order of priority) by the master, servername, and then serverip variables.

The value of lms_address is the Wireless LAN switch tunnel end point in use by the AP.
Wireless Client IP Address
The wireless clients associating with the AP will get an IP address in the VLAN that contains the Wireless LAN switch GRE tunnel end-point IP address.
GRE Tunnel Configuration
This release supports GRE tunneling between the Alcatel Wireless LAN Switch and other GRE-capable devices. Up to four tunnels can be configured.

3 Direct traffic into the tunnel. Traffic can be directed into the tunnel using static routes and/or ACLs:
• Using the tunnel as the next hop for a static route.
(Alcatel) (config) # ip route
where the following parameters apply:
destination address The base IP address of the destination on the other side of the tunnel.

Location-Based Profiles
AP configuration profiles can be based on the unique location index (building.floor.device) assigned to each AP during its initial setup (see page 451). These location-based configuration profiles are stored on the Wireless LAN switch and are downloaded to the appropriate APs during their startup process.

Using AP Location Wildcards
The location profiles allow zero (0) to be used as a wildcard in the location index. This allows you to configure AP attributes for the entire system, a particular building, or a single floor. The profile system is also hierarchical: the attributes in more generic profiles (those with more wildcards) are overridden by the attributes in the more specific profiles (those with fewer wildcards).

Attributes in the various profiles are treated individually. Only the attributes which are specifically configured in one profile will override the more generic profiles. For example:
System Default | Base 0.0.0 Profile | AP 1.2.1 Profile | Result AP 1.2.

The Unconfigured AP Profile
APs are typically assigned a unique location code when first installed. If this is not done, the AP will use the default location index -1.-1.-1 to indicate that it is not configured. You can define a configuration profile for location -1.-1.-1 to be used for any unconfigured AP. For example, if you wanted to be sure that unconfigured APs were disabled, you could specify the ap-enable disable attribute in the profile.

AP Attribute Commands
AP Configuration Mode
The following commands are available from the AP location or BSSID configuration sub-modes:
• ageout Specify the amount of time a client is allowed to remain idle before being aged out. The default is 1000 seconds.
• ap-enable {enable|disable} Enable or disable the AP. The default is enabled.
• beacon-period Specify the beacon period for the AP.

• no Clear the specified command attributes in the current profile.
NOTE—If using location-based profiles, any specific AP will use the first defined (non-cleared) attribute in the profile hierarchy: favoring the AP, floor, building, base, or system default profile (in order of descending priority).
• opmode Specify a comma-separated list from the following:
opensystem No encryption. Traffic is sent in the clear. This is the default.

• wep-key{1|2|3|4} Used when opmode is set for staticWep. This command specifies one of four static WEP keys. The specific key to be used is selected using the wep-transmitkey command.
• wep-transmitkey Used when opmode is set for staticWep. Specify which static WEP key to use. The default is 1.

Physical Layer Sub-mode
In addition to the regular AP attribute commands, the following commands are also available from the AP 802.11a or 802.11g physical layer configuration sub-modes:
• channel Set the channel number for the AP physical layer.
  • For 802.11a: 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, or 161. The default is 36.
  • For 802.11g: 1 through 11. The default is 1.

Order of Precedence for Profile Attributes
Channel and Transmit Power
Settings for the AP channel and transmit power attributes are obtained using the following priorities (highest to lowest):
1 Matching BSSID specific profile
2 Matching location specific profile (exact match, without any wildcards)
3 Results of a site survey stored in the WMS database.
4 Result from initial AP placement configuration in the WMS database.

1 Matching BSSID specific profile
2 Matching location specific profile (exact match, without any wildcards)
3 Results of a site survey stored in the WMS database. If an AP is initially configured to be off (due to overbuilding the network coverage, for example), the device will operate in apm mode instead.
4 Result from initial AP placement configuration in the WMS database.
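The wildcard profile hierarchy (base, building, floor, AP, attribute by attribute) and the separate channel/tx-power precedence listed above, as an added example that is not AOS-W's own code. The profile contents are constructed sample data, and treating an unconfigured AP as taking the base profile before its own -1.-1.-1 profile is an assumption of the model.

```python
# Constructed model of AOS-W location-based profile resolution and of the
# channel / tx-power precedence (added example, not the switch's code).

UNCONFIGURED = (-1, -1, -1)


def parse_location(text):
    """'1.2.1' -> (1, 2, 1). A location is building.floor.device; 0 acts as a
    wildcard in profiles and -1.-1.-1 marks an AP whose location was never set."""
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) != 3:
        raise ValueError(f"location needs building.floor.device: {text!r}")
    return parts


def profile_chain(location):
    """Profiles that apply to an AP, most generic first: base 0.0.0, building
    b.0.0, floor b.f.0, then the AP's own b.f.d. An unconfigured AP is assumed
    here to take the base profile and then its own -1.-1.-1 profile."""
    if location == UNCONFIGURED:
        return [(0, 0, 0), UNCONFIGURED]
    b, f, d = location
    chain = []
    for loc in ((0, 0, 0), (b, 0, 0), (b, f, 0), (b, f, d)):
        if loc not in chain:            # skip duplicates when b or f is itself 0
            chain.append(loc)
    return chain


def effective_config(profiles, location, system_default):
    """Merge attribute by attribute: only attributes explicitly set in a more
    specific profile override the more generic ones, as the chapter describes."""
    result = dict(system_default)
    for loc in profile_chain(location):
        result.update(profiles.get(loc, {}))
    return result


def radio_setting(attr, location, bssid, bssid_profiles, profiles, site_survey, placement):
    """Resolve 'channel' or 'tx-power' with the listed precedence, highest first:
    BSSID profile, exact-location profile (no wildcards), site survey, placement.
    Returns (value, source); (None, None) when none of the four sources has it."""
    for source, table, key in (
        ("bssid profile", bssid_profiles, bssid),
        ("location profile", profiles, location),
        ("site survey", site_survey, location),
        ("initial placement", placement, location),
    ):
        entry = table.get(key, {})
        if attr in entry:
            return entry[attr], source
    return None, None


# Constructed sample data; attribute names follow the AP configuration mode.
SYSTEM_DEFAULT = {"ageout": 1000, "ap-enable": "enable", "opmode": "opensystem"}
PROFILES = {
    (0, 0, 0): {"essid": "corp", "opmode": "staticWep"},      # base profile
    (1, 0, 0): {"max-clients": 42},                           # building 1
    (1, 2, 0): {"beacon-period": 100},                        # building 1, floor 2
    (1, 2, 1): {"essid": "lab", "channel": 11},               # one specific AP
    UNCONFIGURED: {"ap-enable": "disable"},                   # unconfigured APs
}
BSSID_PROFILES = {"01:02:03:04:05:06": {"channel": 6}}
SITE_SURVEY = {(1, 2, 1): {"tx-power": 3}, (1, 3, 2): {"channel": 36}}
PLACEMENT = {(1, 3, 2): {"channel": 40, "tx-power": 5}}


if __name__ == "__main__":
    ap = parse_location("1.2.1")
    print(effective_config(PROFILES, ap, SYSTEM_DEFAULT))
    print(radio_setting("channel", ap, "01:02:03:04:05:06",
                        BSSID_PROFILES, PROFILES, SITE_SURVEY, PLACEMENT))
```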
Chapter 21 CLI Configuration Examples This section has typical commands for configuring AP attributes on the Wireless LAN switch. The following sections assume you are logged-on to the Wireless LAN switch as the administrator in privileged mode. Disable WEP for Base Location Profile NOTE—In this example, the built-in help function is used to show available options before the actual configuration commands are issued. The help commands (those ending with a question mark “?”) are not strictly necessary.
OmniAccess Reference: AOS-W System Reference 3 Set the opmode to opensystem. (Alcatel) (sap-config ageout ap-enable authalgo beacon-period dtim-period essid max-clients max-retries mode no opmode phy-type power-mgmt rts-threshhold short-preamble tkip-key1 tkip-key2 tkip-key3 tkip-key4 tkip-transmitkey tx-power wep-key1 wep-key2 wep-key3 wep-key4 wep-transmitkey location 0.0.0) # ? Seconds of inactivity after which client is aged out One of enable or disable Only opensystem is supported.
Chapter 21 Enable Static WEP for a Specific Building To select all APs in a specific building for configuration changes, the building number is specified, but wildcards (0s) are used for the floor and device fields. For example, to select building 1: (Alcatel) (config) # ap location 1.0.0 To enable static WEP for all APs in the specified building, the following commands are issued: (Alcatel) (sap-config location 1.0.0) # opmode staticwep (Alcatel) (sap-config location 1.0.
OmniAccess Reference: AOS-W System Reference Viewing AP Attribute Settings Show a Location Profile (Alcatel) # show ap config location 1.0.0 CONFIG_AP_RESULT ---------------PARAMETER 802.11b/g 802.11a ----------------------Location (Bldg.Flr.Loc) 1.0.0 1.0.
Chapter 21 Show a BSSID Profile (Alcatel) # show ap config bssid 01:02:03:04:05:06 CONFIG_AP_RESULT ---------------PARAMETER --------Location (Bldg.Flr.Loc) BSSID Channel ESSID Encryption ... Value ----1.0.0 01:02:03:04:05:06 6 alpha-guest staticWep Show Encryption Keys for a Location (Alcatel) # show ap keys location 0.0.0 CONFIG_AP_RESULT ---------------LOC PHYTYPE WEPKEY1 --------- ------0.0.0 802.11a ********************** 0.0.0 802.
OmniAccess Reference: AOS-W System Reference Show Effective Config for a Specific AP This example shows the actual configuration that will be applied to a BSSID of a specific physical layer type at a specific location. The command traverses the configuration tree and site survey database to compile the configuration: (Alcatel) # show ap effective-config bssid 01:02:03:04:05:06 location 1.0.0 phy-type g CONFIG_AP_RESULT ---------------PARAMETER --------Location (Bldg.Flr.
Viewing AP Information and Statistics

List Bootstrapped APs

(Alcatel) # show ap registered location 0.0.0
AP_REGISTRATIONS_RESULT
-----------------------
LOC     SAP_IP        LMS_IP        .b_MAC              .a_MAC
---     ------        ------        ------              ------
1.1.1   10.2.13.194   10.2.13.254   00:30:f1:70:49:93   00:30:f1:71:93:8f   7
1.1.2   10.2.12.253   10.2.12.254   00:30:f1:70:49:4c   00:30:f1:71:93:7d   7
1.1.3   10.1.1.56     10.3.25.1     00:30:f1:70:49:6f   00:30:f1:71:93:d5   7
1.1.4   10.2.12.212   10.2.12.254   00:30:f1:70:49:65   00:30:f1:71:93:54   7
1.2.1   10.3.25.252   10.3.25.
List Management Registered APs

(Alcatel) # show stm connectivity
Alcatel AP Table
----------------
bss                 ess                s/p    ip            phy   type   max-cl   loc    +
---                 ---                ---    --            ---   ----   ------   ---    +
00:30:f1:70:49:6f   Alcatel-alpha-ap   2/23   10.1.1.56     g     ap     42       1.1.
00:30:f1:70:49:71   Alcatel-alpha-ap   2/2    10.3.25.237   g     am
00:30:f1:71:93:5c   Alcatel-alpha-ap   2/2    10.3.25.237   a     am
00:30:f1:71:93:8f   Alcatel-alpha-ap   2/15   10.2.13.194   a     ap
00:30:f1:70:49:4c   Alcatel-alpha-ap   2/12   10.2.12.253   g     apm
...
Num APs:14
Use the following command to view the state of the Access Point Status LED for a specific line card (here, the line card in slot 2):

(Alcatel) # show ap-leds 2
LED State
---------
s/p    led   reason
---    ---   ------
2/0    1     unsecure ap found
2/1    1     unsecure ap found
2/2    1     unsecure ap found
2/3    6     no ap connected
2/4    6     no ap connected
2/5    6     no ap connected
2/6    6     no ap connected
2/7    6     no ap connected
2/8    6     no ap
2/9    6
2/10   6
2/11   6
2/12   1
2/13   6
2/14   5
2/15   5
2/16   6
2/17   6
2/18   6
2/19   6
2/20   6
2/21   6
2/22   6
2/23   5
List Configuration Applied on an AP

(Alcatel) # show am config 10.1.1.56
Wireless LAN Configuration
--------------------------
bssid               essid              tx-pwr   chan   lms         encr     mode     rat+
-----               -----              ------   ----   ---         ----     ----     ---+
00:30:f1:70:49:6f   Alcatel-alpha-ap   4        6      10.3.25.1   s-wep/   master   f  +
00:30:f1:71:93:d5   Alcatel-alpha-ap   4        52     10.3.25.1   s-wep/   master   ff0+

List Statistics for an AP or STA

(Alcatel) # show ap stats 10.2.12.
List Status for an AP

(OmniAccess 6000) #show ap status 10.1.1.
List Information for Technical Support

(Alcatel) # show tech-support
AP Reprovisioning

If the AP is already configured and you want to change its parameters, use the Reprovisioning option. (You must have a network connection between the AP and the configured Alcatel Wireless LAN Switch.)

1. Go to the Maintenance > Program AP page. The Provisioning and Reprovisioning tabs display.
2. Click Reprovisioning. This page displays all the APs currently in the configured DHCP pool of the Alcatel Wireless LAN Switch.
3.
5. Configure the location, Host IP/Name, and Master IP. If the AP is going to be assigned a static IP, enter the IP address, Net mask, and Gateway IP. If the AP will use DHCP for its IP address information, select DHCP.
6. After configuring the required parameters, select the entry from the list (the AP to which the configuration is to be applied) and click Apply.

FIGURE 21-4 Entering Updated Provisioning Information

The State shows In Progress.

FIGURE 21-5 Processing Updates

7.
FIGURE 21-6 Updated Configuration

Click Back to return to the previous page and confirm that the entry for the AP is still selected.
8. Click Disable to disable AP Reprovisioning. The entry is deselected. The AP is now configured with the parameters given.
9. Reboot the AP so that it comes up with the newly configured parameters.
CHAPTER 22 VPN Setup

An Alcatel Virtual Private Network (VPN) connection consists of the wireless user, the Access Point, and the Alcatel Wireless LAN switch. The wireless user reaches the Wireless LAN switch through a captive portal, from which the user downloads the Alcatel dialer that makes the VPN connection. The relationship between the wireless user and the Wireless LAN switch is illustrated in the figure below.
• Obtain a valid RADIUS server IP address (if you are not using the internal database)
• RADIUS password (shared secret) and access port number, typically UDP port 1645 (the legacy RADIUS authentication port; 1812 is the IANA-assigned port, so check which one your server listens on)
• A routable IP pool for VPN. The pool must not conflict with any other VLAN subnet. This item is not required if you are using source NAT. Contact Alcatel support to set up source NAT.
• VLAN topology and switch loopback IP.
• Windows 2000 or Windows XP is required to run the VPN Dialer.
2 Configure the VLAN port using the following CLI commands.

(Alcatel) (config) # interface fastethernet 2/0        [Makes port 2/0 a Fast Ethernet (10/100 Mbps) port]
(Alcatel) (config-if) # trusted                         [Makes port 2/0 a trusted port]
(Alcatel) (config-if) # switchport access vlan 1        [Puts port 2/0 on VLAN 1]
(Alcatel) (config-if) # exit

Traffic on a trusted port bypasses the user-role firewall policies, so reserve the trusted setting for the wired uplink and leave ports that carry user or guest traffic untrusted.

3 Set the default gateway using the following CLI command.

(Alcatel) (config) # ip default-gateway 3.3.3.
4 Exit the RADIUS server setup.

(Alcatel) (config) # exit
5 Test the setup using the following CLI command.

(Alcatel) # aaa test-server servername username password

Use a dedicated test account here: the password is typed on the command line and therefore appears in the CLI history and in any session logging.

L2TP IPSec VPN Server Setup

This section describes the steps necessary to configure the Alcatel switch as a VPN server.

1 Enter the policy sub-mode and define a policy with a specified priority.

(Alcatel) (config) # crypto isakmp policy num

2 Specify the authentication method (pre-shared key) using the following CLI command.
8 Turn off the default MS-CHAPv2 authentication using the following CLI command.

(Alcatel) (config-vpdn-l2tp) # no ppp authentication mschapv2

9 Specify the DNS IP address that will be pushed to the VPN Dialer using the following CLI command.

(Alcatel) (config-vpdn-l2tp) # client configuration dns n.n.n.n

10 Specify the WINS IP address that will be pushed to the VPN Dialer using the following CLI command.
4 Exit the vpn-dialer sub-mode.

(Alcatel) (config-vpn-dialer) # exit

5 Enter the role sub-mode and create a role using the following CLI command.

(Alcatel) (config) # user-role RoleName

6 Assign a dialer to the role using the following CLI command.

(Alcatel) (config-role) # dialer DialerName

7 Assign a session ACL to the role using the following CLI command.

(Alcatel) (config-role) # session-acl ACLname

8 Exit the role sub-mode.
VPN Dialer

Before You Begin

• Make sure you have wireless connectivity. You can check connectivity by pinging the switch.
• Make sure you are not currently running a VPN dialer. If you are, quit the application.

Downloading the Client

1 Open a browser. Your browser should be redirected to the switch's captive portal, shown below.
2 Enter your username and password, then click the Log In button.

NOTE—You might see a Security Alert dialog. If so, the server certificate is probably expired or not signed by a CA your browser trusts. The switch ships with a self-signed certificate; until it is replaced with a certificate for your server signed by a well-known CA, users cannot tell the real captive portal from a rogue one presenting its own self-signed certificate, and they are being trained to click through the warning.
3 Click the Click to download VPN Dialer link.

NOTE—If you close the Alcatel Logout window, you can reach it again to log out of the switch by opening a browser and going to https://<switch IP address>/logout.html.

The File Download dialog box appears.

4 Click the Open button.
The download begins and installation starts automatically.
Installation

When the setup file has finished downloading, the Dialer Setup Wizard opens.

1 Click the Next button. The License Agreement dialog appears.
2 Select I accept and click the Next button. The Choose Setup Type dialog appears.
3 Click the Complete button. The Ready to Install dialog appears.
4 Click the Install button.
The Installation Progress dialog appears; when the installation is finished, the "Completing the Alcatel VPN Setup Wizard" dialog appears.

5 Click the Finish button. The Alcatel VPN Dialer launches.
Connecting With VPN

You are now ready to connect to the network using VPN. The Alcatel VPN icon appears in the system tray at the right-hand side of the Windows Task Bar. You can launch the VPN Dialer by double-clicking the icon or from the Windows Start Menu. The VPN Dialer window appears as soon as the application is launched.

1 Type your username and password in the text boxes on the VPN Dialer dialog and click the Connect button.
Alcatel VPN Dialer Features

The Dialer has five features that may be selected:

• Launch at Boot-Up
• Connect at Launch
• Wait For Wireless
• Hide After Connect
• Network Info

Launch at Boot-Up

When selected, this feature causes the VPN Dialer to launch automatically each time you start or restart your computer.

Connect at Launch

When selected, this feature makes the Dialer connect automatically every time the application is launched.
Network Info

This feature displays a window showing important network information.
Troubleshooting

Common Dialer Error Messages

Interface is down or no route. This message indicates a wireless connectivity problem.

Route to destination is not wireless. This message indicates that the computer (laptop) is connected through a wired connection. If you want to connect through the wired side of the network, uncheck the Wait For Wireless box on the Dialer window. Otherwise, unplug the network cable from the computer.
Common Problems

Dialer does not connect to server

If the dialer seems to stall while attempting to connect (as indicated by a persistent Connecting status), there are several possible causes. The following steps will help you identify and correct the problem.

1 Make sure you have the latest dialer. You can download the latest dialer from your switch by going to the captive portal login (http://switchIP/login.html).
2 Use the show crypto ipsec sa command on the switch to make sure the user is doing IPSec encryption correctly.

(Alcatel)(config) #show crypto ipsec sa
Responder IP        10.1.1.158
Initiator IP        10.1.1.122
Initiator cookie    ce91845e68f75026
Responder cookie    9635499cf2dad66e
Life secs           7200
transform:          esp-3des esp-sha-hmac

If the initiator IP matches the client IP, then IPSec encryption is good.
"L2TP"=DWORD:1
"DNETCLEAR"=DWORD:0
"MSCHAPV2"=DWORD:0
"CACHE-SECURID"=DWORD:1
"IKESECS"=DWORD:28800
"IKEENC"="3DES"
"IKEGROUP"="TWO"
"IKEHASH"="SHA"
"IPSECSECS"=DWORD:7200
"IPSECGROUP"="GROUP2"
"IPSECENC"="ESP-3DES"
"IPSECAUTH"="ESP-SHA-HMAC"
"PAP"=DWORD:1
"CHAP"=DWORD:0
"MSCHAP"=DWORD:0
"IKEPASSWD"="changeme"
"IKEAUTH"="PRE-SHARE"
"WIREDNOWIFI"=DWORD:1
"SETUPIP"="1.1.1.1"
"NovellLogin"=DWORD:0

3. Modify IKEPASSWD to the pre-shared key you use and SETUPIP to the IP address of the switch. The pre-shared key sits in the registry in plain text, so anyone who can read the dialer's registry keys on the laptop, or a registry file exported from it, learns the key shared by every user.
CHAPTER 23 VPN Configuration

Alcatel switches provide full support for Virtual Private Network (VPN) termination using IPSec and PPTP. The encryption protocols run in hardware sized to process the traffic of a full complement of access points.
Configuring IPSec Using Web UI

The following parameters and options may be configured through the Web UI.

• Enable L2TP: Enable or disable L2TP functionality.
• Authentication Protocols: Use these check boxes to select the PPP authentication protocols.
• Primary DNS Server: Specify the IP address of the primary DNS server in the text box.
• Secondary DNS Server: Specify the IP address of the secondary DNS server in the text box.
• Secondary WINS Server: Specify the IP address of the secondary WINS server in the text box.
• Address Pools: IPSec tunnel endpoints are assigned discrete IP addresses. The client is assigned an address from one of the pools specified in this option. The IP address at the switch endpoint is always either one of the IP addresses on the switch or the Emulate Server IP address.
• Enable Source NAT: Enable or disable NAT (Network Address Translation).
Adding Address Pools

Add address pools by clicking Add under the address pool section. The Configuration > VPN Settings > IPSec > Add Address Pool page appears.

1 Enter a unique name for the address pool you are defining.
2 Enter the start and end addresses for the pool.
3 Click Done.
4 Click Save Configuration on the Configuration > VPN Settings > IPSec page.
The Configuration > Security > VPN Settings > IPSec > Add IKE Secret page appears.

1 Type the secret in the IKE Shared Secret field.
2 Re-type the secret in the Verify Shared Secret field.
3 Enter a subnet and subnet mask if you are using multiple keys.

Adding IKE Policies

Add IKE policies by clicking the Add button at the bottom of the IKE Policies portion of the page. The Configuration > Security > VPN Settings > IPSec > Add Policy page appears.
1 Specify a priority.
2 Select an encryption type from the Encryption pull-down box.
3 Select a hash algorithm from the Hash Algorithm pull-down box.
4 Select an authentication type from the Authentication pull-down box.
5 Select a Diffie-Hellman group from the Diffie Hellman pull-down box.
6 Specify a lifetime (in seconds).

Configuring PPTP Using Web UI

To configure PPTP, go to the Configuration > Security > VPN Settings > PPTP page.
• PPTP Echo Timeout: The period of time, in seconds, that the system waits for a PPTP echo response from a client before dropping the client.
• Authentication Protocol: Determines the PPTP authentication protocol. At this time only MS-CHAPv2 is supported. MS-CHAPv2, and the MPPE keys derived from it, are weak: an attacker who captures the handshake can recover the password offline, so treat PPTP as a fallback for clients that cannot run L2TP/IPSec.
• Primary DNS Server: Specify the primary DNS server IP address.
• Secondary DNS Server: Specify the secondary DNS server IP address.
You may configure the VPN dialer by navigating to the Configuration > VPN Settings > Dialers page. Add a new dialer by clicking Add. The Configuration > VPN Settings > Dialers > Add Dialers page appears. The following parameters and options may be configured through the Web UI.

• Dialer Name: Specify a name for the dialer.
• Enable PPTP: Enable PPTP tunneling to the Alcatel switch.
• Enable L2TP: Enable L2TP tunneling to the Alcatel switch.

NOTE—You may check both PPTP and L2TP; however, they will not run simultaneously. When both are checked, the client attempts the more secure method, L2TP, first. This is a silent fallback: if L2TP is blocked or interfered with on the path, the client ends up on PPTP, so enable PPTP only where it is genuinely needed.
• IKE Hash Algorithm: Specifies which hash algorithm IKE uses. The choice in the dialer must match the algorithm specified in the IPSec IKE policy on the switch. The default is SHA.
• IKE Authentication: Specifies whether RSA signatures or a pre-shared key are used for IKE authentication, and must match the IPSec IKE policy on the switch. The shared secret must match the IKE shared secret configured on the switch.
Maximum Number of IP Addresses = Number of ACLs / 3

(Each emulated server address consumes three ACL rules, one each for IKE, ESP and L2TP.)

VPN Server Emulation may be configured by navigating to the Configuration > VPN Settings > Emulate VPN Servers page.

Add a server IP address

Click the Add box.

1 Type the IP address in the text box.
2 Click the Add button again.
3 Click the Save Configuration tab near the top of the page.
SecurID token caching may be configured by navigating to the Configuration > Security > VPN Settings > Advanced page.

1 Check the SECUREID Token Persistence Enabled check box.
2 Set the SECUREID Token Persistence Timeout in minutes by typing a value in the text box.

Caching a token code lets the dialer reconnect without a fresh code, which suspends the one-time property of the token for as long as the timeout runs; keep the timeout as short as reconnection behaviour allows.

Configuring IPSec Using the CLI

IPSec is configured from the config-vpdn-l2tp prompt in the CLI.

1 Enter the config-vpdn-l2tp sub-mode using the vpdn group l2tp command from the CLI.
3 Specify the primary and secondary WINS servers.

(Alcatel)(config-vpdn-l2tp)# client configuration wins 192.168.30.1 192.168.30.2

4 Select authentication protocols.

(Alcatel) (config-vpdn-l2tp)# ppp authentication PAP
(Alcatel) (config-vpdn-l2tp)# ppp authentication CHAP
(Alcatel) (config-vpdn-l2tp)# ppp authentication MSCHAP
(Alcatel) (config-vpdn-l2tp)# ppp authentication MSCHAPv2

5 Define an address pool for VPN users. This is done from the config prompt.
1 Enter the config-vpdn-pptp sub-mode using the vpdn group pptp command from the CLI.

(Alcatel) (config) #vpdn group pptp
(Alcatel) (config-vpdn-pptp)#

2 Specify the IP addresses of the primary and secondary DNS servers.

(Alcatel) (config-vpdn-pptp)# client configuration dns 192.168.29.1 192.168.29.2

3 Specify the IP addresses of the primary and secondary WINS servers.

(Alcatel) (config-vpdn-pptp)# client configuration wins 192.168.30.1 192.168.30.
4 Set the IKE lifetime.

(Alcatel) (config-vpn-dialer)#ike lifetime 28800

5 Select an encryption type.

(Alcatel) (config-vpn-dialer)#ike encryption 3des

6 Specify a Diffie-Hellman group.

(Alcatel) (config-vpn-dialer)#ike group 2

7 Specify an IKE hash algorithm.

(Alcatel) (config-vpn-dialer)#ike hash sha

8 Specify a pre-shared key for IKE.

(Alcatel) (config-vpn-dialer)#ike authentication pre-share foo123

foo123 is a placeholder. The key is shared by every dialer user, so follow the Quick Start Guide's advice and use something long with capital letters and numbers.

9 Specify an IPSec lifetime in seconds.
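The IKE and IPSec values set on the dialer (the registry dump under VPN Setup) must match the vpn-dialer profile above, and a mismatch shows up only as a dialer that never leaves the Connecting state. The following Python is an added example, not Alcatel or AOS-W code, that compares the two and flags the weak values the page's own samples carry (the placeholder key changeme, PAP, 3DES with DH group 2). Both inputs are constructed: DIALER_REG reuses the registry value names and the decimal DWORD notation as printed on this page, and SWITCH_CLI lists the vpn-dialer commands from the CLI procedure. The word-to-number mapping for IKEGROUP and the password-strength rule are assumptions that follow the page's guidance rather than documented dialer behaviour.

```python
"""Compare VPN Dialer registry settings with the switch vpn-dialer profile.

Added example (not Alcatel code). Inputs below are constructed from the
values shown on the page; GROUP_WORDS and psk_is_strong() are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed dialer registry export, same value names as the page's dump.
DIALER_REG = r'''
"L2TP"=DWORD:1
"MSCHAPV2"=DWORD:0
"IKESECS"=DWORD:28800
"IKEENC"="3DES"
"IKEGROUP"="TWO"
"IKEHASH"="SHA"
"IPSECSECS"=DWORD:7200
"IPSECENC"="ESP-3DES"
"IPSECAUTH"="ESP-SHA-HMAC"
"PAP"=DWORD:1
"IKEPASSWD"="changeme"
"IKEAUTH"="PRE-SHARE"
"SETUPIP"="1.1.1.1"
'''

# Constructed switch profile, the vpn-dialer sub-mode commands from the page.
SWITCH_CLI = '''
vpn-dialer default-dialer
  ike lifetime 28800
  ike encryption 3des
  ike group 2
  ike hash sha
  ike authentication pre-share foo123
  ipsec lifetime 7200
'''

REG_LINE = re.compile(r'^"(?P<key>[^"]+)"=(?:DWORD:(?P<num>\d+)|"(?P<str>[^"]*)")\s*$', re.M)
GROUP_WORDS = {"ONE": "1", "TWO": "2", "FIVE": "5"}   # assumed dialer spelling of DH groups


def parse_dialer_reg(text: str) -> Dict[str, object]:
    """Read '"NAME"=DWORD:n' and '"NAME"="value"' lines into a dict."""
    values: Dict[str, object] = {}
    for m in REG_LINE.finditer(text):
        values[m["key"]] = int(m["num"]) if m["num"] is not None else m["str"]
    return values


def parse_switch_dialer(text: str) -> Dict[str, str]:
    """Reduce 'ike <param> <value>' / 'ipsec <param> <value>' lines to a dict."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("ike", "ipsec"):
            cfg["%s %s" % (parts[0], parts[1])] = parts[2].lower()
            if parts[1] == "authentication" and len(parts) > 3:
                cfg["ike psk"] = parts[3]          # key is case-sensitive, keep as typed
    return cfg


def dialer_as_switch_params(reg: Dict[str, object]) -> Dict[str, str]:
    """Express the registry values in the switch's vocabulary for comparison."""
    group = str(reg.get("IKEGROUP", "")).upper()
    return {
        "ike lifetime": str(reg.get("IKESECS", "")),
        "ike encryption": str(reg.get("IKEENC", "")).lower(),
        "ike group": GROUP_WORDS.get(group, group.lower()),
        "ike hash": str(reg.get("IKEHASH", "")).lower(),
        "ike authentication": str(reg.get("IKEAUTH", "")).lower(),
        "ike psk": str(reg.get("IKEPASSWD", "")),
        "ipsec lifetime": str(reg.get("IPSECSECS", "")),
    }


def psk_is_strong(psk: str) -> bool:
    """Assumed minimum: 16+ characters with at least one capital and one digit."""
    return len(psk) >= 16 and any(c.isupper() for c in psk) and any(c.isdigit() for c in psk)


def audit(reg_text: str, cli_text: str) -> Dict[str, list]:
    reg = parse_dialer_reg(reg_text)
    dialer = dialer_as_switch_params(reg)
    switch = parse_switch_dialer(cli_text)
    mismatches: List[Tuple[str, str, str]] = [
        (k, dialer[k], switch[k]) for k in dialer if k in switch and dialer[k] != switch[k]
    ]
    warnings: List[str] = []
    if dialer["ike psk"] == "changeme":
        warnings.append("dialer IKEPASSWD is still the placeholder 'changeme'")
    for side, key in (("dialer", dialer["ike psk"]), ("switch", switch.get("ike psk", ""))):
        if not psk_is_strong(key):
            warnings.append("%s pre-shared key is weak (need 16+ chars, capitals and digits)" % side)
    if reg.get("PAP") == 1:
        warnings.append("PAP enabled: the password crosses PPP in clear and relies on the IPsec tunnel")
    if dialer["ike encryption"] == "3des" or dialer["ike group"] == "2":
        warnings.append("3DES / DH group 2 are legacy choices; pick the strongest the switch offers")
    return {"mismatches": mismatches, "warnings": warnings}


if __name__ == "__main__":
    for kind, items in audit(DIALER_REG, SWITCH_CLI).items():
        for item in items:
            print(kind, item)
```

With the constructed inputs the only mismatch is the pre-shared key (changeme on the dialer against foo123 on the switch), which is exactly the failure the troubleshooting section attributes to a dialer stuck at Connecting; the warnings then list what to change once the two sides agree.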
2 Define rules.

(Alcatel)(config-sess-vpn-dst-nat)#any host 192.68.8.1 svc-ike dst-nat
(Alcatel)(config-sess-vpn-dst-nat)#any host 192.68.8.1 svc-esp dst-nat
(Alcatel)(config-sess-vpn-dst-nat)#any host 192.68.8.1 svc-l2tp dst-nat

3 Return to the config prompt.

(Alcatel) (config-sess-vpn-dst-nat)#!

4 Apply a role for VPN users.

(Alcatel) (config) #user-role logon

5 Set the position of the ACL defined above.
VPN Quick Start Guide

Requirements From Customer

The user must provide the following:

• RADIUS server IP (if not using the internal database)
• RADIUS password and access port number (typically UDP port 1645)
• Routable IP pool for VPN. The pool MUST NOT conflict with any other VLAN subnet (may be skipped if using source NAT; contact support to set up source NAT)
• Desired IPSec pre-shared key (global, not per user); use something long with capital letters and numbers. Because one key is shared by every dialer installation, decide in advance how you will rotate it when a laptop is lost.
5 Set up client

The following sections explain each step in detail.

1. Set up Network

The steps necessary to set up a network are:

(Alcatel6000) (config) # vlan 1
(Alcatel6000) (config) # interface vlan 1
(Alcatel6000) (config-subif) # ip address 3.3.3.1 255.255.255.
• Username and/or password is wrong
• Alcatel switch is not allowed to access the RADIUS server (NAS IP on RADIUS)

2(b). Set up and Test Internal Database

Skip this step if you are using RADIUS. Proceed to Step 3. To configure the local database:

(Alcatel6000) (config) # aaa vpn-authentication auth-server Internal
(Alcatel6000) (config) # aaa captive-portal auth-server Internal
(Alcatel6000) (config) # exit

Add a user to the internal database.
(Alcatel6000) (config-vpdn-l2tp) # ppp authentication PAP
(Alcatel6000) (config-vpdn-l2tp) # no ppp authentication mschapv2
(Alcatel6000) (config-vpdn-l2tp) # client configuration dns 10.1.1.2
(Alcatel6000) (config-vpdn-l2tp) # client configuration wins 10.1.1.2
(Alcatel6000) (config-vpdn-l2tp) # exit

PAP carries the user password over PPP in clear. That is acceptable here only because the L2TP session runs inside the IPSec tunnel, so never enable PAP on an L2TP group that is not IPSec-protected.

4. Set up VPN Dialer and Roles for Users

Set up the dialer.
Type in username foo, password bar. You should see a page with the link to download the VPN dialer. Select that link and open setup.exe. Follow the on-screen instructions. For more information refer to "VPN Setup" on page 483. If the laptop receives a notice to reboot, comply. Once the laptop is back and the dialer is running, type in username foo and password bar. The user should connect.
On the switch, enter:

(Alcatel6000) #show crypto ipsec sa
Responder IP        10.1.1.158
Initiator IP        10.1.1.
transform:          esp-3des esp-sha-hmac

If there is an initiator IP that matches the client's IP, the client successfully started IPSec authentication. Otherwise, check the IKE pre-shared key on the crypto isakmp key command and the vpn-dialer default-dialer command. The two must match.
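The rule just stated, and step 2 of "Dialer does not connect to server" in the VPN Setup chapter, reduce to one check on the output of show crypto ipsec sa. The following Python is an added example, not AOS-W or Alcatel code: it parses the command output laid out as on this page (key/value lines, one SA after another; the exact spacing is an assumption), looks for an SA whose Initiator IP is the client's, and returns the next troubleshooting action. The sample output is constructed.

```python
"""Turn `show crypto ipsec sa` output into a troubleshooting verdict.

Added example (not AOS-W code). SAMPLE_SA_OUTPUT is constructed to follow
the field order printed on the page; the layout is an assumption.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: two SAs on the same switch, different initiators.
SAMPLE_SA_OUTPUT = """\
Responder IP        10.1.1.158
Initiator IP        10.1.1.122
Initiator cookie    ce91845e68f75026
Responder cookie    9635499cf2dad66e
Life secs           7200
transform:          esp-3des esp-sha-hmac

Responder IP        10.1.1.158
Initiator IP        10.1.1.140
Initiator cookie    0a1b2c3d4e5f6071
Responder cookie    7160f5e4d3c2b1a0
Life secs           7200
transform:          esp-3des esp-sha-hmac
"""

# \s+ between fields lets the same pattern match one-line and key/value layouts.
SA_RE = re.compile(
    r"Responder IP\s+(?P<responder>\S+)\s+"
    r"Initiator IP\s+(?P<initiator>\S+)\s+"
    r"Initiator cookie\s+(?P<icookie>[0-9a-fA-F]+)\s+"
    r"Responder cookie\s+(?P<rcookie>[0-9a-fA-F]+)\s+"
    r"Life secs\s+(?P<life>\d+)\s+"
    r"transform:\s+(?P<transform>[^\n]+)"
)


def parse_ipsec_sa(output: str) -> List[Dict[str, str]]:
    """Return one dict per SA found in the command output."""
    return [{k: v.strip() for k, v in m.groupdict().items()} for m in SA_RE.finditer(output)]


def find_client_sa(output: str, client_ip: str) -> Optional[Dict[str, str]]:
    """The SA initiated by client_ip, or None if IKE never completed for it."""
    for sa in parse_ipsec_sa(output):
        if sa["initiator"] == client_ip:
            return sa
    return None


def diagnose(output: str, client_ip: str, switch_ip: str) -> str:
    """Map the SA table to the next action for one client, per the page's rule."""
    sa = find_client_sa(output, client_ip)
    if sa is None:
        return ("no IPsec SA for %s: IKE did not complete; compare the pre-shared key on "
                "'crypto isakmp key' with the vpn-dialer profile, they must match" % client_ip)
    if sa["responder"] != switch_ip:
        return ("SA for %s terminates on %s, not on this switch (%s): check which switch "
                "address the dialer was set up with" % (client_ip, sa["responder"], switch_ip))
    return "IPsec OK for %s (transform %s, lifetime %ss)" % (client_ip, sa["transform"], sa["life"])


if __name__ == "__main__":
    for ip in ("10.1.1.122", "10.1.1.99"):
        print(diagnose(SAMPLE_SA_OUTPUT, ip, "10.1.1.158"))
```

Paste the real command output in place of the constructed sample; an SA for the client's address means IKE authenticated and the remaining problem is above the tunnel (PPP authentication, address pool, role ACLs), while no SA sends you back to the pre-shared key.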
Common Dialer Messages:

Interface is down or no route: there is a basic wireless connectivity problem.

Route to destination is not wireless: the laptop is connected through a wired link. Uncheck Wait for Wireless if that is how you want to connect, or disconnect the wire.

No Al
CPU utilization threshold ....
Hello timeout: 60 seconds
DNS primary server: 10.1.1.2
DNS secondary server: 30.0.0.0
WINS primary server: 10.1.1.
WINS secondary server: 0.0.0.0
PPP client authentication methods: PAP      <-- IMPORTANT
IP LOCAL POOLS:
vpnaddr: 2.2.2.1 – 2.2.2.
Example VPN Configurations

This section includes sample VPN clients terminating on Alcatel Wireless LAN switches.

Using Cisco VPN Client on Alcatel Switches

If you are terminating a Cisco VPN client on an Alcatel switch, refer to the information below for help in managing this connection.

Requirements

The following requirements apply to Cisco VPN clients terminating on Alcatel Wireless LAN switches.

• Release 2.4.0.
FIGURE 23-1 Emulating VPN Servers

Go to Configuration > Security > Roles > Edit Role (logon) to verify that the vpn-dst-nat ACL is associated with the logon role.
FIGURE 23-2 Verifying the Logon Role ACL

Make sure the IKE shared secrets match by going to Configuration > Security > VPN Settings > IPSec.
FIGURE 23-3 Matching the IKE Shared Secret

The IKE Aggressive Group Name is the same as the Group Authentication Name on the Authentication tab of the Cisco dialog box. The IKE Shared Secret is the same as the Group Authentication Password on that tab. Note that IKE aggressive mode sends the group name in the clear and lets a passive listener capture a hash of the pre-shared key for offline guessing, so the group password must be long and random.
FIGURE 23-4 Matching IKE Parameters

Default Values

The following figures show the default values for the Transport, Backup Servers and Dial Up tabs of the Cisco dialog box.
Default Transport Values

FIGURE 23-5 Default Transport Tab Values
Default Backup Servers Values

FIGURE 23-6 Default Backup Servers Tab Values
Default Dial Up Values

FIGURE 23-7 Default Dial-Up Tab Values

Typical Third-Party VPN Clients

The steps required to terminate typical VPN clients on an Alcatel Wireless LAN switch are:

• Configure the Alcatel GUI for a basic VPN connection
• Configure the VPN client wizard (if applicable)
• Log on using the VPN client dialog box

Basic Alcatel Configuration

Configure the group name by selecting Configuration > Security > VPN Settings > IPSec.
FIGURE 23-8 Configuring a Group Name

Verify the IKE policy settings by selecting Configuration > Security > VPN Settings > IPSec > Edit. Make sure the IKE key matches, that the IKE policy is pre-shared key, and that the Group ID is defined.
FIGURE 23-9 IKE Policy Settings

Verify the basic logon role by selecting Configuration > Security > Roles > Edit Role (logon).
FIGURE 23-10 Basic Logon Role

Modify the basic logon role by adding an ACL to allow TCP on port 17: select Configuration > Security > Roles > Edit Role (logon) > Edit Policy (Control).
FIGURE 23-11 Allowing TCP on Port 17

Configuring a Third-Party VPN Client

Complete the VPN client wizard with source and destination information to configure the VPN client.
Troubleshooting the Connection

If you have trouble connecting to the Alcatel Wireless LAN switch using a typical third-party VPN client, check the following:

• Verify the ACL groups in the "logon" role.
• Verify that TCP port 17 is allowed (this solves a banner problem).
• Verify that the IKE key matches.
• Verify that the Group ID is defined.
• Verify that the IKE policy is pre-shared key.
CHAPTER 24 Switch Maintenance

Alcatel switches provide full support for maintenance at the switch level, the file level, the wireless LAN level, and the captive portal level. All maintenance functions are available from the Maintenance tab on the toolbar.

Switch Level Maintenance

To access the switch level maintenance functions, click Maintenance > Switch.
Image management options are:

Upgrade using: Specify how the image is copied from the server to the switch. Both TFTP and FTP are supported. Neither protocol authenticates the server or protects the image in transit, so run upgrades only from a management network you trust.
Server IP Address: Specify the IP address of the TFTP or FTP server that contains the image to download onto the switch.
Image File Name: Enter the name of the image file.
Partition to Upgrade: You can copy the image into Partition 0 or 1. Specify the location here.
To save any changes to the current switch configuration, click Yes. To leave the configuration file unchanged, click No. To proceed with the switch reboot, click Continue and follow any prompts.

Reboot Peer Supervisor Card

The Maintenance > Switch > Reboot Peer Supervisor Card option requires an Alcatel Wireless LAN switch with a supervisor card installed.

Clear Config

To reset the switch configuration to factory default settings, use the Maintenance > Switch > Clear Config option.
When ready to revert to the original factory configuration, click Continue and follow any prompts. From the CLI, enter:

write erase all
reload

Do this from the serial console, because it removes all IP and port configurations. The switch reboots and displays the Setup Dialog; complete it from the console before reconnecting the switch to a production network.

Synchronize

This feature is only valid in redundant Master-Master configurations.
The following parameters and options may be configured through the Web UI.

Boot Partition: Specify which partition the switch will use when it reboots.
Configuration File: Select the name of the saved configuration file from the drop-down menu.

When finished, click Apply.
The options are:

Source Selection: Select Flash File System and select the name of a file from the drop-down menu. To use a TFTP server, click TFTP and enter the IP address of the TFTP server. To copy the running configuration, click Running Configuration. To copy the startup configuration, click Startup Configuration.
Destination Selection: If you are copying to the flash file system, select Flash File System and specify the name of a file. To use a TFTP server, click TFTP and enter the IP address of the TFTP server. To use an FTP server, click FTP and enter the IP address of the FTP server.

Copy Logs

To copy logs from the switch to another system, go to Maintenance > File > Copy Logs. You can copy the logs using an FTP server or a TFTP server.
You can copy the crash files using an FTP server or a TFTP server. Once you have specified the transfer protocol, specify the IP address and file name to be used for the crash file.

Backup Flash

To copy the files in flash, go to Maintenance > File > Backup Flash. Click Create Backup to start the backup process. The system reports when the backup has been created. Clicking Copy Backup is the same as selecting "Copy Files". The backup contains the switch configuration, including its keys and secrets, so protect the copy as carefully as the switch itself.
The system must reboot before it can use the restored flash files.

Delete Files

To keep from running out of flash file space, delete files you no longer need. You can also delete files that you have copied off the switch. To remove unwanted files, go to Maintenance > File > Delete Files. Click the file(s) to be deleted, and click Delete. To select multiple files, Shift-click file names that form a continuous block of file names.
• Calibrate the Radio Network—See "Calibration" on page 289.
• Program Access Points—See "AP Reprovisioning" on page 478.
• Reboot Access Points—See below.
• WMS Database—See below.

Rebooting Access Points

To reboot an Access Point, go to Maintenance > Wireless LAN > Reboot AP. Click the Access Point(s) you want to reboot, and click Reboot. To find an AP, click Search and enter any information you have (such as location, IP or MAC address).
Importing a WMS Database

TBC

Removing Old Entries

TBC
Re-initializing a WMS Database

TBC
Captive Portal Maintenance

The captive portal is the screen users see when their wireless device connects to the network through the switch. This screen allows network administrators to control what users and guests see, and what they can do once they log in and are authenticated.
Upload Certificate

To manually upload an authentication certificate for the captive portal, go to Maintenance > Captive Portal > Upload Certificate. Specify the name of the certificate file to be imported in the File to be imported field; you can click Browse to search for the file. When ready, click Upload. As the on-screen notice advises, the switch expects the certificate file to be an X.509 PEM file. Upload a certificate issued by a CA the clients already trust, with a subject name matching the portal address users are redirected to; otherwise the browser Security Alert described under VPN Setup persists and users learn to click through it.
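Before uploading, it is worth confirming that the file is what the switch expects and that it actually fixes the Security Alert: a PEM-encoded X.509 certificate that is not self-signed (issuer equal to subject, as the shipped certificate is) and is inside its validity period. The following Python is an added example, not AOS-W code. It walks the DER structure with the standard library only, far enough to reach issuer, validity and subject. The two sample certificates are constructed in-line with a stub public key and signature, so they exercise the parser but are not usable certificates; on a real file, openssl x509 -noout -issuer -subject -dates -in cert.pem gives the same answers.

```python
"""Pre-upload sanity check for a captive-portal certificate (PEM, X.509).

Added example (not AOS-W code). Samples are constructed with a stub key
and signature purely to drive the parser.
"""
import base64
import datetime as dt
import re
from typing import Dict, List, Tuple

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"                                   # id-at-commonName
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def pem_to_der(pem: bytes) -> bytes:
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM-encoded X.509 certificate")
    return base64.b64decode(b"".join(m.group(1).split()))


def name_cn(name_body: bytes) -> str:
    """commonName from an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn in children(name_body):
        for _, attr in children(rdn):
            (_, oid), (_, value) = children(attr)[:2]
            if oid == OID_CN:
                return value.decode()
    return ""


def parse_time(tag: int, val: bytes) -> dt.datetime:
    s = val.decode()
    if tag == 0x17:                                        # UTCTime YYMMDDHHMMSSZ, pivot at 50
        yy = int(s[:2])
        s = "%d%s" % (2000 + yy if yy < 50 else 1900 + yy, s[2:])
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def inspect_cert(der_bytes: bytes) -> Dict[str, object]:
    tag, cert_body, _ = read_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, tbs, _ = read_tlv(cert_body, 0)                     # tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                               # skip explicit [0] version
        fields = fields[1:]
    (_, _serial), (_, _alg), (_, issuer), (_, validity), (_, subject) = fields[:5]
    not_before, not_after = children(validity)
    return {
        "issuer": name_cn(issuer),
        "subject": name_cn(subject),
        "self_signed": issuer == subject,                  # identical encoded Names
        "not_before": parse_time(*not_before),
        "not_after": parse_time(*not_after),
    }


def captive_portal_cert_problems(pem: bytes, now: dt.datetime) -> List[str]:
    info = inspect_cert(pem_to_der(pem))
    problems = []
    if info["self_signed"]:
        problems.append("self-signed: browsers will show a security alert, use a CA-signed certificate")
    if now < info["not_before"]:
        problems.append("not yet valid: starts %s" % info["not_before"].date())
    if now > info["not_after"]:
        problems.append("expired: ended %s" % info["not_after"].date())
    return problems


# --- constructed samples (stub key and signature; for the parser only) ---
def _name(cn: str) -> bytes:
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x13, cn.encode()))))


def sample_cert(issuer_cn: str, subject_cn: str, not_before: str, not_after: str) -> bytes:
    alg = der(0x30, der(0x06, OID_SHA256_RSA))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + _name(issuer_cn)
              + der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))
              + _name(subject_cn) + der(0x30, b""))       # empty SPKI placeholder
    cert = der(0x30, tbs + alg + der(0x03, b"\x00"))      # empty signature placeholder
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


SELF_SIGNED_PEM = sample_cert("switch.example", "switch.example", "050501000000Z", "060501000000Z")
CA_SIGNED_PEM = sample_cert("Example Corp CA", "switch.example", "050501000000Z", "080501000000Z")
CHECK_TIME = dt.datetime(2006, 9, 1, tzinfo=dt.timezone.utc)   # fixed "now" for the samples

if __name__ == "__main__":
    print(captive_portal_cert_problems(SELF_SIGNED_PEM, CHECK_TIME))
    print(captive_portal_cert_problems(CA_SIGNED_PEM, CHECK_TIME))
```

Run it against the file you are about to select in the File to be imported field (read it in binary and pass datetime.now(timezone.utc) as now); an empty list means the certificate at least will not trip the two complaints the browser raises on the shipped one. The check does not verify the chain or hostname, which the client browser does on connection.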
Part 4 Monitoring and Troubleshooting
CHAPTER 25 Monitoring the Wireless Environment The Web UI Monitoring tab contains information on the wireless network, the Alcatel Wireless LAN switch, and the Wireless LAN. If you have created custom logs, you can view them here.
Network Monitoring

To see a summary of the status of the wireless network, click Monitoring. Network Summary is displayed by default. Wireless LAN Network Status shows the number of operational Wireless LAN switches, Access Points, Air Monitors, unprovisioned APs, enterprise clients, RADIUS servers, and LDAP servers.
Switch Monitoring

The Monitoring > Switch screens provide details about the Wireless LAN switches in the wireless network. Select Monitoring > Switch Summary to see details about the Wireless LAN switch, including its Model, AOS-W Version, IP Address, and MAC Address. Select Monitoring > Switch > Access Points to see details about the APs connected to this Wireless LAN switch. Details include Name, Location, IP address, Type, 802.11b and g Clients, 802.
and Port ACL Hits (including ACL, ACE, New Hits, Total Hits, and Index. An ACE is the individual permit or deny rule that makes up an ACL. The index number is the priority of each ACE, starting with 1.)

Select Monitoring > Switch > Ports to see details about port activity. Details include Admin State, Operational State, Port Mode, VLAN Association, and Trusted or Untrusted. Click Status, Profile, Activity, or Diagnostics for additional information.
Sample Air Monitor Screens

To display a typical screen for Air Monitors, select Monitoring > Switch > Air Monitors.

FIGURE 25-2 Monitoring Air Monitors

From the screen shown in Figure 25-2, you can select to view information on:

• Overview—see Figure 25-3.
• Channel—see Figure 25-4 and Figure 25-5.
• APs—see Figure 25-6.
• Clients—see Figure 25-7.
• Packet Capture—see Figure 25-8.
OmniAccess Reference: AOS-W System Reference Overview Information Click Overview to see the following information.
Chapter 25 Channel Information Click Channel to see the following information.
OmniAccess Reference: AOS-W System Reference The details on the selected change are shown in the figure below.
Chapter 25 AP Information Click APs to see the following information. FIGURE 25-6 AP Information Client Information Click Clients to see the following information.
OmniAccess Reference: AOS-W System Reference Packet Capture Information Click Packet Capture to see the following information. FIGURE 25-8 Packet Capture Information Example Port Information To see monitoring information on ports, select Monitoring > Switch > Ports. FIGURE 25-9 Monitoring Ports The following types of information are available: Status—see Figure 25-10. Profile—see Figure 25-11. Activity—see Figure 25-12.
Chapter 25 Diagnostics—see Figure 25-13. Port Status Information Click Status to see the following types of information. FIGURE 25-10 Port Status Information Port Profile Information Click Profile to see the following types of information.
OmniAccess Reference: AOS-W System Reference Port Activity Information Click Activity to see the following types of information. FIGURE 25-12 Port Activity Information Port Diagnostic Information Click Diagnostics to see the following types of information.
Chapter 25 Status Information Click Status to see the following types of information. FIGURE 25-14 Port Status Information Events As mentioned above, selecting Monitoring > Switch is equivalent to selecting the Events tab. FIGURE 25-15 Events Events consists of Event ID A system generated identifier for this event. Type The type of event. Info An optional field with additional event details.
OmniAccess Reference: AOS-W System Reference Device The type of device involved in the event. MAC Address The MAC address of the device. Count The number of packets involved in the event. Occurred Time The timestamp when the event occurred. You can sort the events on any of these categories by using the Group By drop-down menu. Click Search to find a specific event, or use the page navigation links to display additional pages of events.
Chapter 25 Creating Custom Reports Additionally, the Events tab allows you to create custom reports by going to Events > Create Custom Reports. FIGURE 25-16 Custom Reports The Custom Reports option allows you to tailor event reports to suit your needs. For example, you can create a report that just shows Rogue APs, or track times when bandwidth rates were exceeded. To create a custom report, click Search and enter the criteria and click Save As to name the report.
Wireless LAN Monitoring
Displays network information for each Wireless LAN, based on the SSID of each Wireless LAN.

Debug Information
You can set debugging levels on an Alcatel Wireless LAN switch to capture information on local clients. To enable this feature, select Monitoring > Debug > Local Clients. Wireless users will have their MAC Address, IP Address, and User Name recorded. To view the resulting debug activity, select Monitoring > Debug > Process Logs.

Creating Custom Logs
Using the information collected by the logging process, you can tailor custom logs that suit your needs.

Reports
The reporting capability of AOS-W is located in the Reports tab.
FIGURE 25-18 Sample Report
You can change the status of a rogue or interfering device by clicking Set as Valid, Set as Interfering, Set as Known Interfering, and so on. If necessary, you can also turn off any device by clicking Disable. Because Disable actively suppresses the device, reserve it for APs you have confirmed are rogue on your own network; neighbouring APs that merely share your airspace belong in the Interfering or Known Interfering categories.

Example Report: Rogue APs
To analyze active rogue AP activity, go to Reports > Active Rogue APs to display the screen shown above. You can examine the list and determine whether to mark any APs as interfering rather than rogue.

AP Reports
To see a typical AP report, select Reports > AP > Active Valid APs. The following type of report displays.
FIGURE 25-19 Report on all Active Valid APs

Status
To get details on a specific device in a report, click the checkbox to the left of the device and click Status. Detailed information for this device displays as shown in Figure 25-20.
FIGURE 25-20 Selected AP Status

Using the Command Line Interface
You can also use the CLI to detect and disable rogue APs, although it is more involved than using the Web-based Management Interface. Enable or disable rogue detection with the ap-policy protect-unsecure-ap [enable | disable] command. See "Air Management Commands" on page 804.

Custom Reports
You can customize reports to suit your needs.
CHAPTER 26 Firewall Logging

This chapter discusses firewall logging and explains the events found in those logs. Firewall logging in the AOS-W software (version 2.4 or higher) is International Computer Security Association (ICSA) compliant.
...
Authentication failed for User <user> : src ip <src-ip> src port <src-port> dst ip <dst-ip> dst port <dst-port> connection type TELNET
This entry is issued when a user connected through TELNET fails to authenticate. Information about the source and destination IP addresses and ports is provided.

Authentication succeeded for User <user> : connection type SERIAL
This entry is issued when a user connected through the serial port successfully authenticates.
...
src-nat: The packet was forwarded with the source IP address modified.
dst-nat: The packet was forwarded with the destination IP address modified.
redirect: The packet was forwarded without modifying the address fields, but through an interface other than the one indicated in the IP routing table.
policy indicates which firewall policy was matched in order to generate the log message.

{TCP | UDP} srcip=<srcip>, srcport=<srcport>, dstip=<dstip>, dstport=<dstport>, action=<action>, policy=<policy>
where:
srcip indicates the source IP address of the packet.
srcport indicates the source TCP or UDP port number of the packet.
dstip indicates the destination IP address of the packet.
dstport indicates the destination TCP or UDP port number of the packet.
action indicates what the firewall did with the packet (the dispositions listed above, such as src-nat, dst-nat, and redirect).
policy indicates which firewall policy was matched.
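The entry formats above are what a SIEM or script has to parse. The following is an added example, not Alcatel code: it parses both the flow entries and the authentication entries into records, tallies dispositions and matched policies, and flags a source that repeatedly fails management (TELNET) logins. The sample log is constructed here to match the shapes documented above; the exact spacing of the fields, the permit and deny action names, and the user, policy and address values are assumptions.

```python
"""Parser and small detector for the firewall-log entry formats this chapter
documents. Added example, not Alcatel code. The flow line follows the
"{TCP | UDP} srcip=, srcport=, ..." shape and the authentication lines follow
the "Authentication failed/succeeded for User ..." shape; exact spacing, the
permit/deny action names and every value in SAMPLE_LOG are assumptions."""
import re
from collections import Counter, defaultdict

FLOW_RE = re.compile(
    r"^(?P<proto>TCP|UDP) srcip=(?P<srcip>[\d.]+), srcport=(?P<srcport>\d+), "
    r"dstip=(?P<dstip>[\d.]+), dstport=(?P<dstport>\d+), "
    r"action=(?P<action>[\w-]+), policy=(?P<policy>\S+)$")

AUTH_RE = re.compile(
    r"^Authentication (?P<result>failed|succeeded) for User (?P<user>\S+) :"
    r"(?: src ip (?P<srcip>[\d.]+) src port (?P<srcport>\d+)"
    r" dst ip (?P<dstip>[\d.]+) dst port (?P<dstport>\d+))?"
    r" connection type (?P<conn>\w+)$")

# Dispositions the chapter describes; permit and deny are assumed names.
KNOWN_ACTIONS = {"permit", "deny", "src-nat", "dst-nat", "redirect"}


def parse_line(line):
    """Return a dict for a flow or authentication entry, or None if unknown."""
    m = FLOW_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "flow"
        rec["srcport"], rec["dstport"] = int(rec["srcport"]), int(rec["dstport"])
        return rec
    m = AUTH_RE.match(line)
    if m:
        rec = m.groupdict()          # srcip etc. are None for SERIAL entries
        rec["kind"] = "auth"
        return rec
    return None


def summarize(text, fail_threshold=3):
    """Count dispositions and policies, and flag sources whose management
    login failures reach fail_threshold (a brute-force indicator)."""
    actions, policies = Counter(), Counter()
    failures = defaultdict(int)
    unknown_actions, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif rec["kind"] == "flow":
            actions[rec["action"]] += 1
            policies[rec["policy"]] += 1
            if rec["action"] not in KNOWN_ACTIONS:
                unknown_actions.append(rec["action"])
        elif rec["result"] == "failed" and rec["srcip"]:
            failures[rec["srcip"]] += 1
    alerts = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return {"actions": dict(actions), "policies": dict(policies),
            "auth_failures": dict(failures), "alerts": alerts,
            "unknown_actions": unknown_actions, "unparsed": unparsed}


# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
TCP srcip=10.1.20.15, srcport=3412, dstip=192.168.1.10, dstport=80, action=permit, policy=allowall
UDP srcip=10.1.20.15, srcport=5100, dstip=10.1.1.1, dstport=53, action=redirect, policy=captiveportal
TCP srcip=10.1.20.15, srcport=3413, dstip=203.0.113.9, dstport=443, action=src-nat, policy=guest-nat
TCP srcip=10.1.20.77, srcport=6000, dstip=10.1.1.1, dstport=23, action=deny, policy=logon-control
Authentication failed for User admin : src ip 10.1.20.77 src port 6001 dst ip 10.1.1.1 dst port 23 connection type TELNET
Authentication failed for User admin : src ip 10.1.20.77 src port 6002 dst ip 10.1.1.1 dst port 23 connection type TELNET
Authentication failed for User root : src ip 10.1.20.77 src port 6003 dst ip 10.1.1.1 dst port 23 connection type TELNET
Authentication succeeded for User admin : connection type SERIAL
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Lines that match neither pattern are returned in the unparsed list rather than silently dropped, so a format change in a new AOS-W release shows up as a parser gap instead of as missing alerts.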
CHAPTER 27 Troubleshooting AOS-W Environments

Basic Connectivity
The troubleshooting information in this chapter covers problems with basic wireless connectivity, such as inability to associate or inability to communicate after association. Figure 27-1 describes the steps you should take to install and configure your Alcatel wireless network. If you follow these steps in the order they appear, troubleshooting becomes a more straightforward process of finding where the process flow is broken.

FIGURE 27-1 Installation and configuration flow (steps recovered from the figure):
- Design your network: do a wireless site survey; plan VLANs, IP addressing and routing; plan switch redundancy.
- Install the hardware (switch and APs).
- Install the software.
- Configure L2/L3.
- Configure the APs: ADP; SSIDs defined/encryption; enable ARM.
- Wireless Access.
- Wireless Monitoring: configure APs as AMs; enable IDS policies; enable detection/containment.
- Configure Access Policies: define user roles; define access permissions for roles; configure access policies.
General
The Wi-Fi Alliance has made great strides in testing interoperability between 802.11 devices from many different manufacturers. Despite these efforts, client incompatibility remains the primary complaint from network managers deploying wireless LANs. A wide range of wireless hardware and software is in use, with a correspondingly wide range of quality: a given client adapter card may work fine with one revision of driver software but experience numerous problems with another.
...
Specific Probe Request: In this type of probe request, the client is interested in only one particular ESSID. It includes this ESSID in the request, and only APs supporting this ESSID respond. An Alcatel deployment can be configured to disable responses to broadcast probe requests and require a specific probe request with the correct ESSID before an AP answers. Treat this as an operational convenience, not an access control: the ESSID still travels in the clear in the client's probe request and in the association exchange.
...
- Ensure that the wireless network is operational and that no APs or switches have failed. If part of the network has failed, multiple users will probably report problems. Note that in a standard dense-mode Alcatel deployment, multiple APs will normally be able to provide service to one user, so the failure of one AP is unlikely to cause this symptom.
- Enable client debugging for the client device in question.

Client finds AP, but cannot associate
After a client has located one or more APs supporting the desired ESSID, it must associate to that AP. Joining is a two-stage, four-frame exchange: an 802.11 authentication request and response (not to be confused with 802.1x or VPN authentication), followed by an association request and response. The four frames exchanged on the wireless network are shown in the figure below.

802.11 Authentication Fails
The 802.11 authenticate exchange is a primitive form of authentication specified by the original 802.11 standard, and is not related to secure authentication such as 802.1x or VPN. This exchange must still take place before an association exchange, but no useful information is exchanged.
- Enable client debugging for the client device in question. From the Alcatel CLI, use the command "aaa user debug mac <mac-address>".
...
- Enable client debugging for the client device in question. From the Alcatel CLI, use the command "aaa user debug mac <mac-address>". Log output from the debug process can be viewed with the command "show log intuser 30" (to display the last 30 lines of the log file). The log should indicate the reason for a failed authentication or association. Often the cause is a capability mismatch between the client and AP.

Client associates to AP, but higher-layer authentication fails
Problems with higher-layer authentication such as 802.1x are normally not related to basic connectivity, but can disguise themselves as such. If association to an AP is successful, basic connectivity problems are likely ruled out.
- Reset the client NIC. If association succeeds a second or third time but authentication continues to fail, a basic connectivity problem is unlikely to be the cause.
...
- Once association and higher-layer authentication have succeeded, the situation is analogous to the link light turning on in a wired Ethernet network. Troubleshoot the problem using traditional tools such as ping and traceroute. Problems at this stage often indicate faults in the wired network or in client network settings.
...
- WPA/802.11i Key Exchange Failure: In a WPA or 802.11i network, the dynamic key exchange process may fail. This is an error condition and indicates either a man-in-the-middle attack or a faulty NIC driver; on a WPA-PSK network a mismatched pre-shared key produces the same failure. Examine the "Authentication" log file on the Alcatel switch for details: because the WPA/802.11i key exchange is a standard four-way verified handshake, error messages are generated when part of the process fails.
...
- Reset the client NIC. If an internal error has caused the dropped association, a reset of the NIC may restore connectivity.

Client experiences poor performance
This scenario covers many different situations. In general, the complaint is slow performance: download speeds may be low, application timeouts may occur, or general sluggishness may be reported.
- If the performance problems began while the user was moving, roaming may have failed.
...
- If the above parameters are within acceptable ranges but throughput is still low, the AP may be congested. Monitor activity on the entire AP rather than on the individual client to see how much bandwidth is being consumed on the AP. If too many clients are connected to a given AP, performance may improve if you reduce the maximum number of clients allowed on the AP. (The theoretical maximum number of clients allowed per AP is 255.)
TABLE 27-1 Access Point Duplex/Speed Matrix (rows as recovered from the page)

NIC Speed/Duplex Configuration | Switch Speed/Duplex Configuration | Resultant NIC Speed/Duplex | Resultant Switch Speed/Duplex | Observations
Auto | Auto | 1000Mbps/Full-duplex | 1000Mbps/Full-duplex | Proper configuration. If this configuration causes problems, verify that the NIC is operating as configured.
100Mbps/Full-duplex | 1000Mbps/Full-duplex | No link | No link | Because the speeds do not match, no link is established.
100Mbps/Full-duplex | 100Mbps/Full-duplex | 100Mbps/Full-duplex | 100Mbps/Full-duplex | Proper configuration. If this configuration causes problems, verify that the NIC is operating as configured.
10Mbps/Half-duplex | 100Mbps/Half-duplex | No link | No link | Because the speeds do not match, no link is established.
Auto | 100Mbps/Half-duplex | 100Mbps/Half-duplex | 100Mbps/Half-duplex | The side configured for Auto (here the NIC) detects the forced 100Mbps speed but cannot negotiate duplex, so it defaults to half duplex.
Incorrect Username/password (TTLS or PEAP)
A typical cause of authentication failure is an incorrect username, password, or one-time token. In most cases this is a simple problem to troubleshoot, because the client generates an error message indicating the cause of the failure. However, depending on the 802.1x supplicant in use, this error may not be obvious.
- Check the RADIUS server.
...
- Perform a wireless packet capture. If 802.1x authentication is observed to begin and then abruptly stop, a certificate error may be the cause. The 802.1x supplicant should not proceed with authentication if it detects an invalid server certificate.

Client Certificate is not accepted (EAP-TLS only)
When using EAP-TLS as an 802.1x authentication method, the RADIUS server must validate a client certificate for authentication to succeed.
...
RADIUS Server reports "Authentication Method Not Supported"
This error message is caused by the client and server using different 802.1x authentication methods.
- Verify that the RADIUS server and client are configured for the same 802.1x authentication method. For example, if the RADIUS server is configured to use PEAP, the client must also be configured for PEAP. Microsoft clients default to EAP-TLS (Smart card or other certificate).
...
VPN Dialer displays "No Alcatel switches detected"
This message indicates that the VPN dialer could not verify that the client was associated to an Alcatel switch. The mechanism used to determine whether an Alcatel switch is present is a DNS lookup: if the client is associated to an Alcatel switch, the switch intercepts the DNS request and sends a response back to the client.
...
- Examine the output of "show crypto ipsec sa". Once IKE negotiation has succeeded (an IKE SA appears for the client), this command lists all IPSec security associations (SAs) currently active in the switch. If no SA appears for the client in question, the client and switch likely have mismatched lifetimes, encryption types, or hash configuration.
...
FIGURE 27-5 Windows IPSec Service

IPSec is up, but dialer does not display "Logging on" message
This indicates that IPSec was successful, but L2TP was not.
- Verify the diagnosis by examining the output of show crypto ipsec sa. If a security association exists for the client, IPSec was successful. Then examine the output of show vpdn tunnel l2tp. If L2TP has failed, no tunnel will exist for the client in question.
- This is an error condition. ...
Sample Packet Captures

The decodes below show the frames exchanged while a client discovers and joins an AP: probe request, beacon, probe response, two authentication frames, association request and association response. Each decode is reproduced as far as it survives on the page; "..." marks where the page cuts off. Note the Privacy bit in the Capability Information of the probe response and association frames: it is set, which tells the client that the BSS "air1" requires encryption of data frames.

Broadcast Probe Request Frame
  Packet Information: Flags 0x00; Status 0x01; Packet Length 54; Timestamp 17:04:36.126816600 04/09/2004; Data Rate 2 (1.0 Mbps); Channel 1 (2412 MHz); Signal Level 68%; Signal dBm -42; Noise Level 0%
  802.11 MAC Header: Version 0; Type %00 Management; Subtype %0100 Probe Request; Frame Control Flags %00000000 (Non-strict order, WEP Not Enabled, No More Data, ...)
  Supported Rates: Element ID 1; Length 8; rates 1.0, 2.0, 5.5, 11.0, 6.0, 12.0, 24.0, 36.0 (all Not BSS Basic Rate)
  Extended Supported Rates: Element ID 50; Length 4; rates 9.0, ...

Probe Request Frame (continuation; the start of this decode is not on the page)
  Frame Control Flags: WEP Not Enabled; No More Data; Power Management - active mode; This is not a Re-Transmission; Last or Unfragmented Frame; Not an Exit from the Distribution System; Not to the Distribution System
  Duration 0 Microseconds; Destination FF:FF:FF:FF:FF:FF (Ethernet Broadcast); Source 00:04:E2:64:C1:C0 (SMC Net:64:C1:C0); BSSID FF:FF:FF:FF:FF:FF (Ethernet Broadcast); Seq. Number 349; Frag. Number 0
  ...
  FCS (Calculated): 0xCF771F24

Beacon Frame
  Packet Information: Flags 0x00; Status 0x00; Packet Length 97; Timestamp 17:04:36.139436600 04/09/2004; Data Rate 2 (1.0 Mbps); Channel 1 (2412 MHz); Signal Level 38%; Signal dBm -73; Noise Level 0%
  802.11 MAC Header: Version 0; Type %00 Management; Subtype %1000 Beacon; Frame Control Flags %00000000 (Non-strict order, WEP Not Enabled, No More Data, Power Management - active mode, ...)
  ...
  Capability Info: DSSS-OFDM is Not Allowed; Robust Security Network Disabled; G Mode Short Slot Time [20 microseconds] (not set); low byte bits 0 0 1 1 0 0 0 ... (labels cut off; the same bit pattern is decoded in the Probe Response below)
  Supported Rates (continued): 18.0, 24.0, 36.0, 48.0, 54.0 (all Not BSS Basic Rate)
  ERP Information: Element ID 42; Length 1; ERP Flags %00000010 (Not Barker Preamble Mode, Use Protection, ...)

Probe Response Frame
  Packet Information: Timestamp 14:33:18.161865000 02/10/2004; Data Rate 2 (1.0 Mbps); Channel 1 (2412 MHz); Signal Level 45%; Signal dBm 0; Noise Level 0%; Noise dBm 0
  802.11 MAC Header: Version 0; Type %00 Management; Subtype %0101 Probe Response; Frame Control Flags %00000000 (Non-strict order, WEP Not Enabled, No More Data, Power Management - active mode, This is not a Re-Transmission, Last or Unfragmented Frame, Not an Exit from the Distribution System, ...)
  ...
  Capability Info (low byte): Channel Agility Not Used; PBCC Not Allowed; Short Preamble; Privacy Enabled; CF Poll Not Requested; CF Not Pollable; Not an IBSS Type Network; ESS Type Network
  SSID: Element ID 0; Length 4; "air1"
  Supported Rates: Element ID 1; Length 4; rates 1.0, ...

Authentication Frame (first of two)
  Packet Information: ...; Noise Level 0%; Noise dBm 0
  802.11 MAC Header: Version 0; Type %00 Management; Subtype %1011 Authentication; Frame Control Flags %00000000 (Non-strict order, WEP Not Enabled, No More Data, Power Management - active mode, This is not a Re-Transmission, Last or Unfragmented Frame, Not an Exit from the Distribution System, ...)

Authentication Frame (second of two)
  Packet Information: ...; Signal Level 37%; Signal dBm 0; Noise Level 0%; Noise dBm 0
  802.11 MAC Header: Version 0; Type %00 Management; Subtype %1011 Authentication; Frame Control Flags %00000000 (as above, ...)

Association Request Frame
  Packet Information: ...; Data Rate 2 (1.0 Mbps); Channel 1 (2412 MHz); Signal Level 37%; Signal dBm 0; Noise Level 0%; Noise dBm 0
  802.11 MAC Header: Version 0; Type %00 Management; Subtype %0000 Association Request; Frame Control Flags %00000000 (Non-strict order, WEP Not Enabled, No More Data, Power Management - active mode, This is not a Re-Transmission, Last or Unfragmented Frame, ...)
  ...
  Capability Info (low byte): Short Preamble; Privacy Enabled; CF Poll Not Requested; CF Not Pollable; Not an IBSS Type Network; ESS Type Network
  Listen Interval: 1
  SSID: Element ID 0; Length 4; "air1"
  Supported Rates: Element ID 1; Length 8; rates 1.0, ...
  ...
  SSN (WPA) element, end: Auth OUI 0x00-0x50-0xF2-01; Extra bytes (Padding) 00 00
  FCS (Calculated): 0x0499A2D5

Association Response Frame
  Packet Information: Flags 0x00; Status 0x00; Packet Length 40; Timestamp 14:33:23.627186000 02/10/2004; Data Rate 2 (1.0 Mbps); Channel 1 (2412 MHz); Signal Level 47%; Signal dBm 0; Noise Level 0%; Noise dBm 0
  802.11 MAC Header: Version 0; Type %00 Management; Subtype %0001 Association Response; Frame Control Flags %00000000 ...
  802.11 Management—Association Response
  Capability Info: %0000010000110001; DSSS-OFDM is Not Allowed; Robust Security Network Disabled; G Mode Short Slot Time [9 microseconds] (set); low byte %00110001 decodes as in the Probe Response above (Short Preamble, Privacy Enabled, ESS Type Network)
  Status Code: ...; Association ID: ... (values cut off)
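The four-frame join sequence described under "Client finds AP, but cannot associate" and the decodes above are straightforward to check in code. The following is an added example, not part of the AOS-W manual or Alcatel software: it decodes the management-frame fields the captures show (frame control, addresses, Capability Information bits, SSID and rate elements, the WPA/SSN vendor element) and then applies a simple valid/rogue/interfering triage of the kind the rogue-AP reports in Chapter 25 present. The two frames it parses are constructed inline; the AP address and the triage rule are assumptions, and the client address is the one from the captures.

```python
"""Decoder for 802.11 management frames (probe, beacon, authentication,
association) plus a simple rogue-AP triage. Added example, not Alcatel code.
Sample frames are constructed below; AP_MAC and the triage rule are assumed."""
import struct

MGMT_SUBTYPES = {0x0: "Association Request", 0x1: "Association Response",
                 0x4: "Probe Request", 0x5: "Probe Response",
                 0x8: "Beacon", 0xB: "Authentication"}
# Capability Information bits (IEEE 802.11). Privacy set = encryption required.
CAP_BITS = {"ESS": 0, "IBSS": 1, "Privacy": 4, "Short Preamble": 5,
            "Short Slot Time": 10}
# Bytes of fixed fields before the first information element, per subtype.
FIXED_LEN = {0x0: 4, 0x1: 6, 0x4: 0, 0x5: 12, 0x8: 12, 0xB: 6}
# Offset of the Capability field inside those fixed fields.
CAP_OFFSET = {0x0: 0, 0x1: 0, 0x5: 10, 0x8: 10}


def mac_str(raw):
    return ":".join("%02X" % b for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def parse_ies(body):
    """Walk the tagged elements; returns {element_id: [value, ...]}."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            raise ValueError("truncated element %d" % eid)
        ies.setdefault(eid, []).append(value)
        i += 2 + length
    return ies


def parse_mgmt_frame(frame):
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, fc0 >> 4
    if version != 0 or ftype != 0:
        raise ValueError("not a management frame")
    out = {
        "subtype": MGMT_SUBTYPES.get(subtype, "subtype %d" % subtype),
        "protected": bool(fc1 & 0x40),     # the "WEP Enabled" flag
        "retry": bool(fc1 & 0x08),         # "Re-Transmission"
        "da": mac_str(frame[4:10]),
        "sa": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": struct.unpack("<H", frame[22:24])[0] >> 4,
    }
    body = frame[24:]
    if subtype in CAP_OFFSET:
        off = CAP_OFFSET[subtype]
        cap = struct.unpack("<H", body[off:off + 2])[0]
        out["capability"] = {n: bool(cap >> b & 1) for n, b in CAP_BITS.items()}
    ies = parse_ies(body[FIXED_LEN.get(subtype, 0):])
    if 0 in ies:
        out["ssid"] = ies[0][0].decode("ascii", "replace")
    rate_blobs = ies.get(1, []) + ies.get(50, [])        # Supported + Extended
    out["rates_mbps"] = [(b & 0x7F) / 2 for blob in rate_blobs for b in blob]
    # Vendor element 221 with OUI 00:50:F2 type 1 is the WPA ("SSN") element
    # whose tail appears in the association request decode above.
    out["wpa_ie"] = any(v[:4] == b"\x00\x50\xf2\x01" for v in ies.get(221, []))
    return out


def classify_ap(decoded, valid_bssids, corporate_ssids):
    """Assumed triage using the report categories: valid, rogue, interfering."""
    if decoded["bssid"] in valid_bssids:
        return "valid"
    if decoded.get("ssid") in corporate_ssids:
        return "rogue"          # unknown radio advertising an enterprise SSID
    return "interfering"


def build_mgmt(subtype, da, sa, bssid, fixed, ies, seq=349):
    """Assemble a management frame (constructed sample, not a capture)."""
    header = (bytes([subtype << 4, 0x00]) + b"\x00\x00" + mac_bytes(da)
              + mac_bytes(sa) + mac_bytes(bssid) + struct.pack("<H", seq << 4))
    return header + fixed + b"".join(bytes([eid, len(v)]) + v for eid, v in ies)


AP_MAC = "00:0B:86:C1:00:01"       # assumed AP address
STA_MAC = "00:04:E2:64:C1:C0"      # client address from the captures above
RATES_11B = bytes([0x02, 0x04, 0x0B, 0x16])   # 1, 2, 5.5, 11 Mbps


def sample_beacon():
    cap = 0x0431     # ESS, Privacy, Short Preamble, Short Slot Time (as above)
    fixed = struct.pack("<QHH", 0, 100, cap)   # timestamp, interval, capability
    return build_mgmt(0x8, "FF:FF:FF:FF:FF:FF", AP_MAC, AP_MAC, fixed,
                      [(0, b"air1"), (1, RATES_11B)])


def sample_assoc_request():
    fixed = struct.pack("<HH", 0x0031, 1)      # capability, listen interval
    wpa = b"\x00\x50\xf2\x01\x01\x00"
    return build_mgmt(0x0, AP_MAC, STA_MAC, AP_MAC, fixed,
                      [(0, b"air1"), (1, RATES_11B), (221, wpa)])


if __name__ == "__main__":
    beacon = parse_mgmt_frame(sample_beacon())
    print(beacon, classify_ap(beacon, {AP_MAC}, {"air1"}))
```

The triage rule is deliberately narrow: a BSSID on the administrator's valid list is valid, an unknown BSSID advertising an enterprise SSID is treated as rogue, and everything else is interfering until someone classifies it.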
- Session mirror sniffing, and
- Packet capture for control path packets.

Packet Capture
This CLI utility allows sniffing of all control path packets. It is useful for capturing RADIUS, 802.1x, VPN control path traffic (IKE is encrypted, L2TP is not), station up/down opcodes, mobility, DHCP, and virtually any other packets that traverse the control path CPU.
...
- Alcatel message BPDUs
- TCP CLI ports (the default ones)

Examples
Debugging a wireless WEP station doing VPN would typically require:
- station up/down: Alcatel msg opcode 30
- WEP key plumbing: Alcatel msg opcode 29
- DHCP: Alcatel msg opcode 90 (not udp 67, as that will not catch mobility packets)
- IKE: udp ports 500 and 4500
- L2TP: udp port 1701
Enter:
packet-capture Alcatelmsg 30,29,90 udp 500,4500,1701,1812,1645
Debugging 802. ...
...
Use ethereal on the target machine; in the above example, that is 1.2.3.4. An Alcatel-specific ethereal is not required, because the packet format is GRE with Ethernet bridging. The target does not need to be trusted: the packets are sent to the target regardless of whether it sits on a trusted or untrusted port. Because the mirrored control-path traffic includes RADIUS and unencrypted L2TP, treat the capture target as holding credential material: point it only at a host you control, and stop the capture when you are done.
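Because the mirrored stream is plain GRE carrying bridged Ethernet frames, it can be consumed without vendor tooling. The following is an added example, not Alcatel code: it strips the GRE header (RFC 2784/2890 layout, protocol type 0x6558, which is what "GRE with Ethernet bridging" denotes), handles the optional checksum, key and sequence fields, and names the control-path protocol inside by UDP port using the ports listed in the example above. The sample packet, its addresses and the port table are constructed assumptions.

```python
"""Decapsulate the GRE stream that the packet-capture utility mirrors and
name the control-path protocol inside. Added example, not Alcatel code; the
sample packet, addresses and port table are constructed assumptions."""
import struct

GRE_PROTO_TEB = 0x6558      # transparent Ethernet bridging
ETH_P_IP = 0x0800
IPPROTO_UDP = 17
# Ports from the packet-capture example above. L2TP and RADIUS are not
# encrypted, so they reach the mirror target in the clear.
CONTROL_PORTS = {500: "IKE", 4500: "IKE NAT-T", 1701: "L2TP",
                 1812: "RADIUS", 1645: "RADIUS", 67: "DHCP"}


def gre_decap(pkt):
    """Return (inner Ethernet frame, header info) for one GRE packet."""
    if len(pkt) < 4:
        raise ValueError("short GRE header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags & 7))
    off, info = 4, {"proto": proto}
    if flags & 0x8000:                      # C bit: checksum + reserved1
        info["checksum"] = struct.unpack("!H", pkt[off:off + 2])[0]
        off += 4
    if flags & 0x2000:                      # K bit: key
        info["key"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & 0x1000:                      # S bit: sequence number
        info["seq"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if proto != GRE_PROTO_TEB:
        raise ValueError("payload is not a bridged Ethernet frame (0x%04x)" % proto)
    if len(pkt) < off + 14:
        raise ValueError("inner Ethernet header truncated")
    return pkt[off:], info


def classify_inner(frame):
    """Name the control-path protocol of a bridged Ethernet/IPv4/UDP frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_IP:
        return "ethertype 0x%04x" % ethertype
    ip = frame[14:]
    if len(ip) < 20:
        return "truncated"
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP:
        return "ip proto %d" % ip[9]
    if ihl < 20 or len(ip) < ihl + 4:
        return "truncated"
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    for port in (dport, sport):
        if port in CONTROL_PORTS:
            return CONTROL_PORTS[port]
    return "udp/%d" % dport


def build_sample(dport=1812, key=0x1234):
    """Constructed GRE(K) > Ethernet > IPv4 > UDP packet (not a capture)."""
    payload = b"\x01\x02\x00\x14" + b"\x00" * 16          # dummy UDP payload
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64,
                     IPPROTO_UDP, 0, bytes([10, 1, 1, 1]), bytes([10, 1, 1, 2])) + udp
    eth = (bytes.fromhex("000b86c10001") + bytes.fromhex("0004e264c1c0")
           + struct.pack("!H", ETH_P_IP) + ip)
    return struct.pack("!HHI", 0x2000, GRE_PROTO_TEB, key) + eth


if __name__ == "__main__":
    frame, info = gre_decap(build_sample())
    print(info, classify_inner(frame))          # -> RADIUS
```

Reading the mirror with a raw socket bound to IP protocol 47 on the target host and feeding each packet to gre_decap gives the same view ethereal shows, with the classification available for filtering before anything sensitive is written to disk.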
CHAPTER 28 Diagnostic Tools

The Web UI Diagnostics tab contains tools to help you coordinate your troubleshooting of your Alcatel Wireless LAN environment with Alcatel Technical Support.

Network Utilities

Ping
To launch a ping from the WebUI, navigate to Diagnostics > Ping. Enter the target IP address and click Ping.

Traceroute
To see the path traffic is taking, navigate to Diagnostics > Traceroute. Enter the destination IP address and click Trace.
FIGURE 28-2 Traceroute Test

General Information

Contacting Technical Support
To create a report on your configuration, navigate to the Diagnostics > Technical Support page.

Received Configuration
To capture AP configurations, navigate to Diagnostics > Received Configuration. Enter the AP IP address and ESSID and click Show Configuration.
FIGURE 28-4 AP Received Configuration

Software Status
To display software status information for specified APs, navigate to Diagnostics > Software Status, enter the IP address of the target AP, and click Show Status.

Debug Log
To display the debug log when you have run debug tests, navigate to Diagnostics > Debug Log, enter the IP address of the logging device, and click Show Debug Log.
FIGURE 28-6 Debug Log

Detailed Statistics
To examine statistics for APs, navigate to Diagnostics > Detailed Statistics, enter the IP address of the target AP, then click Show Statistics.

Web Diagnostic
To see diagnostic information from an AP's Web server, navigate to Diagnostics > Web Diagnostics, enter the IP address of the target AP, and click Link to AP Web Server.
NOTE—The AP's Web server can only be accessed while the AP is booting.
Part 5 Command Reference
CHAPTER 29 AOS-W Commands

Understanding the Command Line Interface
The AOS-W command line interface is designed to conform with networking industry standard CLIs. Commands are grouped into modes so that commands performing similar functions are accessed at the same level. The system prompt identifies the current mode level. When you enter a command and press Enter, the command executes. Use caution when testing a command, as executing it will affect the switch.

Online help is available for all commands by pressing ?. There are two levels of help. To see what other command strings match what you have entered, type ? at the end of the string (no space) for which you want information. For example:

(switch) #reload?
reload            Coldstart the switch
reload-peer-SC    Coldstart the peer Supervisor Card (OmniAccess 6000)

shows you which commands start with the string reload.

Execute Mode Commands
Exec mode commands allow very basic administrative access to the switch. Users who know the username and password for this level, but not the Privileged mode password, can only confirm basic Layer-3 connectivity.

TABLE 29-1 Exec Mode Commands
Prompt: (switch) >
enable    Turn on Privileged commands; the prompt becomes (switch)#.
exit      End this session. Any unsaved changes are lost. Same as the logout command.
logout    End this session. Any unsaved changes are lost. See exit.

logout
Terminates the session.
Example: (switch)> logout
See exit.

ping
Equivalent to the Unix ping command (with default options). This command issues a query to the specified device such that, if the device is active and online, it responds to the device issuing the ping. Useful for determining network connectivity between devices.

traceroute
Example:
(switch)#traceroute 10.1.2.3
Press 'q' to abort.
Tracing the route to 10.1.2.3
  1  10.4.21.254  0.788 msec  0.564 msec  0.56 msec
  2  * * *
  3  * * *
  4  * * *
  ...
 20  * * *
 21  *
(switch) #

Privileged Mode Commands
Users who know the Privileged mode password have access to the commands that control the switch's file operating system, and to such modes as the AAA and Air Monitor modes.
TABLE 29-2 Privileged Mode Commands (Continued)
Prompt: (switch) #
boot         Restarts the switch.
clear        Accesses clear commands.
clock        Sets the system clock.
configure    Accesses the configuration commands; the prompt becomes (Alcatel) (config) #.
copy         Copies the specified files.
database     Manages the database.
debug        Accesses the debug commands.
delete       Removes files.
dir          Displays directories in flash.
...
restore      Restores the directories on flash.
secret       Commands reserved for Alcatel engineering. Do not use these commands without Alcatel technical support assistance.
show         Accesses the show commands.
site-survey  Accesses the site survey commands.
stm          Accesses the Station Management commands.
swkey        Accesses licensing controls.
tar          Creates a tar file of the specified directory.
...
user         User commands.
See also the aaa commands in Configure mode.

aaa inservice
Enables the specified authentication server.
Syntax: aaa inservice <server-name>
where <server-name> is the name of the authentication server to be enabled.
Example: (switch)# aaa inservice Alcatel.com
See also: aaa test-server

aaa inservice stateful-authentication
Enables stateful authentication on authentication servers.
...
Example: The following example verifies that the authentication server Alcatel is enabled and working.
(switch)# aaa test-server Alcatel

aaa user
Manages users for authentication purposes. You can add, delete, log off, and debug users. You can also clear sessions for an individual user.
Syntax:
add <ip-address>          Adds the IP address of a user.
clear-sessions <user>     Clears the specified user session.
debug <ip | mac | name>   Debugs a user by IP address, MAC address, or name.
...
Example: (switch) #ads netad learn

am
Configures scanning on the specified channel for the specified Air Monitor.
Syntax: am scan <ip-address> <channel> <mac-address>
where <ip-address> is the IP address of the Air Monitor, <channel> is the channel to tune to (set this to 0 to start scanning), and <mac-address> is the MAC address of the Air Monitor.
Example:
(switch) #am scan 10.4.4.4 11
Module AM is busy.

backup
Backs up and compresses critical files to flashbackup.tar.gz.
Example: (switch) #backup flash
See also restore.

boot
Specifies the configuration file and the partition the switch uses to boot.
Syntax: boot config-file <filename>, or boot ... <0|1> to select the boot partition (the partition keyword is cut off on this page).
Example: The following example directs the switch to boot from config file 9147.
(switch) #boot config-file 9147
The following example directs the switch to boot from partition 0.
...
OmniAccess Reference: AOS-W System Reference Parameter Description wms Wireless LAN Management system commands clear ads netad anomaly Sets the network anomaly detection counters to zero. Parameter Description all Resets all NETAD anomaly counters to zero. id Resets the specified NETAD anomaly counter to zero. Example (switch) #clear ads netad anomaly all clear arp Clears the Address Resolution Protocol statistics.
Chapter 29 clear counters vrrp Clears the Virtual Router Redundancy Protocol statistics. Syntax clear counters vrrp where is the Virtual Router ID. Valid ID range is 1-255. Example (switch) #clear counters vrrp 1 (switch) #clear arp clear crypto Turns off cryptographic state.
(switch) #clear loginsession 2
(switch) #clear mobile
  packet-counters          Clears mobility packet counters
  registration-statisti..  Clears mobile ip message counts for a mobile node
(switch) #clear mobile packet-counters ?
(switch) #clear mobile registration-statistics ?
  IP address of mobile node
(switch) #clear mobile registration-statistics ip ?
(switch) #clear mobile registration-statistics 192.10.10.
(switch) #clear site-survey
  calibration   Clear Site Survey Calibration In Progress
  channel-plan
(switch) #clear site-survey calibration ?
  Building ID to start site survey on
(switch) #clear site-survey calibration 1.2.3 ?
(switch) #clear site-survey calibration 1.1.1 ?
(switch) #clear site-survey channel-plan ?
  Building ID to start site survey on
(switch) #clear site-survey channel-plan 1.1.
  bssid   BSSID for the flagged AP to clear hole
(switch) #clear stm hole all ?
(switch) #clear stm hole testap ?
(switch) #clear stm hole 00:00:00:01:01:01 ?
(switch) #clear vpdn tunnel
  Clear vpdn tunnel
(switch) #clear vpdn tunnel ?
  l2tp   Clear vpdn all L2TP tunnel
  pptp   Clear vpdn all PPTP tunnel, not supported
(switch) #clear vpdn tunnel l2tp ?
  id   Tunnel ID to clear
(switch) #clear vpdn tunnel pptp ?
  id   Tunnel ID to clear, not supported
(switch) #clear wms
  ap     Clear AP information
  probe
  sta    Clear STA information
(switch) #clear wms probe ?
(switch) #clear wms ap ?
  BSSID of AP
(switch) #clear wms sta ?
  MAC Address of STA
(switch) #clear wms 00:00:01:01:0a ?
(switch) #

clock
See also the clock commands in Configuration mode.
where is the four-digit year, is the name of the month, is the number of the day (1-31), hour is the time in hours (0-24), is the number of minutes in the hour (0-60), and is the number of seconds in the minute (0-60).
Example
To set the time to be 5 January 2005 at 11:23:00 PM, enter:
(switch) #clock set 2005 January 5 11 23 00
(switch) #
NOTE—In AOS-W 2.
Examples
(switch) #copy flash: 9147 tftp:10.1.1.55
(switch) #copy flash: 9147 flash: copy9147

copy system
Copies the system from one partition to the other.
Syntax
copy system:
Example
(switch) #copy system: partition 1 0

copy log
Copies the specified log file to the specified location.
  sapm     Logging for AP Manager (Master switch only)
  snmp     Logging for SNMP agent
  ssi      Logging for Secure Service Interface
  stm      Logging for Station Management
  suser    Logging for User Information
  traffic  Logging for traffic
  wms      Logging for Wireless Management (Master switch only)

copy running-config
Copies the running-config file to the specified location.
Syntax
copy ftp:
where:
  Is the name of the file to be copied.
  flash   Specifies that the file be copied to the flash file system.
  system  Specifies the System Partition number, 0 or 1.
Example
The following example specifies that the file main be copied to system partition 1 using FTP.
(switch) #copy ftp:

crypto
Configures IKE.
Syntax
crypto isakmp
Example
(switch) #crypto isakmp

database
Syncs the database.
  crypto        Debugging for VPN (IKE/IPSEC)
  dhcpd         Debugging for DHCP packets
  fpapps        Debugging for Layer 2,3 control
  intuser       Debugging for User Information (Internal)
  l2tp          Debugging for L2TP
  localdb       Debugging for local database
  master        Debugging for Mobility Master Database (Master switch only)
  mmgr          Debugging for Mobility Manager
  mobagent      Debugging for Mobility Agent
  packetfilter  Debugging for packet filtering of Alcatel messaging and control frames
  p
(switch) #debug aaa all
(switch) #

delete
Removes the specified file name from flash. The file must exist in flash and be correctly specified before the delete command can remove it.
Syntax
delete
where is the name of the file in flash that is to be erased.
Example
The following example removes the file named test from flash.
(switch) #delete test

dir
Displays a listing of all the files in flash.
Example
(switch) #halt
(switch) #

local-userdb
Manages the user database.
Syntax
local-userdb {add | del | del-all | export | fix-database | import | modify}
where
  add           Add a user
  del           Delete a user
  del-all       Delete all users
  export        Export the Local User Database to a file
  fix-database  Use this command with CAUTION, it will wipe out the whole database. To save existing data use the export command.
(switch) #no crypto isakmp
To disable debugging of the L2TP module, enter:
(switch) #no debug l2tp

packet-capture
Configures monitoring of the specified types of traffic. This is useful for diagnostic purposes.
Syntax
packet-capture {Alcatelmsg | other | tcp | udp}
where:
  Alcatelmsg  Enables or disables Alcatel internal messaging packet capturing. For debugging only.
  opcodes     Specifies opcodes to capture. You can specify up to ten opcodes, separated by commas.
Example
TBD
(switch) #paging
(switch) #

panic
Manages files created during a system crash.
Syntax
panic {clear | info | save filename} | nvram symbolfile> | list
  bssid    BSSID of AM interface to start PCAP on
  channel  Channel to tune into to capture packets
Example
The following example starts a raw packet capture session for the AM at 10.100.100.1 and sends the frames to the target IP address 192.168.22.44 on port 604 in pcap format.
(switch) #pcap raw-start 10.100.100.1 192.168.22.44 604 0
Explanation

ping
Syntax
ping
where ipaddr is the IP address of the device to which ping (ICMP echo) packets are sent.
Example
(switch)> ping 10.1.1.
(switch) #reload-peer-SC

rename
Changes the specified file name to a new file name.
Syntax
(switch) #rename
Example
The following example changes the file named bud to pub.
(switch) #rename bud pub

restore
Reinstates the backed up flash directories in flashbackup.tar.gz. The tar backup file is untarred and uncompressed.
Syntax
restore flash
Example
(switch) #restore flash
See also backup.
banner boot clock configuration country cpuload crypto database datapath debugging destination dot1x firewall hostname image interface inventory ip keys local-switches local-userdb location log logging loginsessions mac-address-table master-redundancy memory mgmt-modules mgmt-role mgmt-user mobile mux netdestination netservice netstat ntp packet-capture packet-capture-defaul..
provisioning-ap-list rap-wml rfsm rights roleinfo routerid running-config sapm session-access-list site-survey slots snmp spanning-tree spantree ssi startup-config station-table stm storage switch switches included switchinfo syscontact syslocation tech-support time-range trunk un-provisioned user user-table users version virt-ap vlan vpdn vpn-dialer vrrp Wireless LAN wms Rogue AP Wired MAC Lookup Commands Show RF Spectrum Management Information Show access rig
site-survey
See also the site-survey commands in Configuration mode.
Syntax
Example
(switch) #site-survey ?
  calibrate            Start site survey calibration and channel assignment
  channel-plan         Start channel assignment
  update-channel-plan  Update channel plan for specific AP
(switch) #site-survey channel-plan ?
  Building ID to start site survey on
(switch) #site-survey channel-plan 1.1.9 ?
(switch) #site-survey channel-plan 1.1.2 ?
(switch) #site-survey channel-plan 1.1.
(switch) #site-survey calibrate 1.1.1 ?
(switch) #site-survey update-channel-plan ?
  AP bssid
(switch) #site-survey update-channel-plan bud ?
(switch) #site-survey update-channel-plan bud

stm
Manages the station manager commands. See also the stm commands in Configuration mode.
(switch) #stm add-dos-sta ?
  STA to add to DoS list
(switch) #stm add-dos-sta 00:00:00:01:01:ab ?
(switch) #stm add-dos-sta 00:00:00:01:01:ab
(switch) #stm kick-off-sta ?
  STA to kick off
(switch) #stm kick-off-sta 00:00:00:01:01:ab ?
  AP to to kick off STA from
(switch) #stm kick-off-sta 00:00:00:01:01:ab bud ?
(switch) #stm kick-off-sta ?
  STA to kick off
(switch) #stm kick-off-sta paul ?
(switch) #stm remove-dos-sta ?
  STA to remove from DoS list
(switch) #stm remove-dos-sta 00:00:00:01:01:ab ?
(switch) #stm remove-dos-sta 00:00:00:01:01:ab
(switch) #stm start-trace ?
(switch) #stm start-trace 00:00:00:01:01;ab ?
(switch) #stm stop-trace ?
  STA/BSSID to stop tracing
(switch) #stm stop-trace 00:00:00:01:01:ab
(switch) #

swkey
The software license key. Enables the specified feature.
Example
TBD

tar
Creates a file in Unix tar file format.
Syntax
tar {clean | crash | flash | logs}
where:
  clean  Removes a tar file
  crash  tar the crash directory to crash.tar
  flash  tar and compress the /flash directory to flash.tar.gz
  logs   tar the logs directory to logs.tar
Example
To create a tar file for the directories in flash, enter:
(switch) #tar flash

traceroute
Equivalent to the Unix traceroute command (with default options).
(switch) #
See also the traceroute command in Configuration mode and Exec mode.

whoami
This command returns the name of the user who is logged in to this session. It is the same as the Unix command of the same name.
Example
(switch) #whoami
user admin - role root

wms
See also the wms commands in Configuration mode.
(switch) #wms ap pub ?
(switch) #wms ap pub
                   ^
% Invalid input detected at '^' marker.
(switch) #wms station ?
  MAC Address of station
(switch) #wms station test ?
(switch) #

write
Saves the running configuration to memory or to the terminal computer. Can also be used to erase the running configuration and return the switch to factory defaults.
The following commands allow you to configure your Wireless LAN Switch and APs.
TABLE 29-3 Terminal Configuration Mode Commands
Part 031652-00
Prompt  Commands           Description
        loginsession       Login Session
        mac-address-table  Configure the MAC address table
        master-redundancy  Accesses Master Switch Redundancy Configuration commands
        masterip           Configure the master ip address for the switch
        mgmt-role          Management Role Definition
        mgmt-user          Configure a management user.
TABLE 29-3 Terminal Configuration Mode Commands
Prompt  Commands       Description
        service        Configure services
        shutdown       Shut down interface
        site-survey    Site Survey configuration commands
        snmp-server    Enable SNMP; Modify SNMP parameters
        spanning-tree  Spanning Tree Subsystem
        ssi            Configure Security Service Interface
        stm            802.
Syntax
aaa {bandwidth-contract | captive-portal | derivation-rules | dot1x | kerberos | ldap-server | mac-authentication | mgmt-authentication | pubcookie-authentication | radius-accounting | radius-attributes | radius-server | stateful-authentication | timers | trusted-ap | vpn-authentication | web}

aaa bandwidth-contract
Configures the bandwidth contract.
Syntax
aaa captive-portal {auth-server | default-role | guest-logon | login-page | logon-wait <%> | | logout-popup-window | max-authentication-failures | protocol-http | redirect-pause
aaa derivation-rules server
Configures rules to derive user role or VLAN after successful authentication.
Syntax
aaa derivation-rules server
where STRING is the name of the authentication server. (The server must have already been configured.)
Example
(Alcatel6000) (config) #aaa derivation-rules server Alcatel

aaa derivation-rules user
Configures rules to derive user role or VLAN based on user attributes.
Syntax
none
Example
(Alcatel6000) (config) #aaa dot1x enforce-machine-authentication

aaa dot1x max-authentication-failure
Configures the maximum number of authentication failures before the user is blacklisted.
Syntax
aaa dot1x max-authentication-failures NUMBER
where NUMBER is the number of times a user can attempt to authenticate before being blacklisted. Valid range is .
Example
(Alcatel6000) (config) #aaa dot1x max-authentication-failures 4

aaa dot1x mode
Enables or disables 802.
aaa ldap-server
Configures an LDAP server.
Syntax
aaa ldap-server STRING
where STRING is the name of the LDAP server
Example
(Alcatel6000) (config) #aaa ldap-server paul
(Alcatel6000) (config-ldapserver-paul)#

aaa ldap-server admin-dn
Configures the administrator's Distinguished Name.
Syntax
admin-dn STRING
where STRING is the Distinguished Name.
Example
(Alcatel6000) (config-ldapserver-paul)#allow-noencrypt
(Alcatel6000) (config-ldapserver-paul)#

aaa ldap-server authport
Specifies the port number used for LDAP authentication. The default for LDAP over SSL is port 636. The default for SSL over LDAP is port 389.
Syntax
[no] authport INTEGER
where INTEGER is the port number to be used for authentication.
Example
(Alcatel6000) (config-ldapserver-paul)#filter filter
(Alcatel6000) (config-ldapserver-paul)#

aaa ldap-server host
Specifies the IP address of the LDAP server.
Syntax
host STRING
where STRING is the IP address of the LDAP server.
Example
(Alcatel6000) (config-ldapserver-paul)#host 192.11.2.0
(Alcatel6000) (config-ldapserver-paul)#

aaa ldap-server inservice
Enables the LDAP server as being in service.
aaa ldap-server mode
Enables or disables the LDAP server.
Syntax
inservice
Example
(Alcatel6000) (config-ldapserver-paul)#inservice
(Alcatel6000) (config-ldapserver-paul)#

aaa ldap-server no
Disables the following commands: allow-noencrypt, authport, filter, inservice, timeout. See individual commands for more information.

aaa ldap-server timeout
Configures the LDAP request timeout. The default is 20 seconds.
Syntax
[no] timeout
where seconds is the timeout value in seconds.
Syntax
aaa mac-authentication auth-server STRING position
where STRING is the name of the authentication server and position is the server priority. Valid range is . Specify 1 for the highest position. The default is the lowest position.
Example
(Alcatel6000) (config) #aaa mac-authentication auth-server internal-db 5

aaa mac-authentication default-role
Configures the MAC-based authentication server default role.
aaa mgmt-authentication auth-server
Configures administrator user authentication.
Syntax
aaa mgmt-authentication auth-server STRING position
where STRING is the name of the authentication server and position is the server priority. Valid range is . Specify 1 for the highest position. The default is the lowest position.
Example
(Alcatel6000) (config) #aaa mgmt-authentication auth-server internal-db 5

aaa mgmt-authentication default-role
Configures the default management role.
aaa radius-accounting
Configures RADIUS accounting.
where the options to this command are:
  STRING  specifies the name of the RADIUS server.
Syntax
aaa stateful-authentication dot1x ap-config ap-ipaddr radius-server-name [key ]
where
  is the configuration name
  ap-ipaddr is the authentication IP Address of the AP (NAS) configured for 802.1X stateful
  radius-server-name is the name of the RADIUS Server used for stateful 802.
Example
(Alcatel6000) (config) #aaa stateful-authentication dot1x default-role pauldefrole
(Alcatel6000) (config) #

aaa stateful-authentication mode
Enables or disables 802.1x stateful authentication.
Example
(Alcatel6000) (config) #aaa stateful-authentication kerberos enable
(Alcatel6000) (config) #
Part 031652-00 May 2005
aaa timers dead-time
Configure authentication timers
(Alcatel6000) (config) #aaa timers ?
  dead-time       Help not defined
  idle-timeout    Set user idle timeout (in minutes)
  logon-lifetime  Set maximum lifetime of unauthenticated users
(Alcatel6000) (config) #aaa timers dead-time ?
  <1-60>  Dead time in Minutes
(Alcatel6000) (config) #aaa timers dead-time 30 ?
(Alcatel6000) (config) #aaa timers idle-timeout ?
  <0-255>  Minutes. Value of 0 disables idle timeout.
aaa timers idle-timeout
aaa timers logon-lifetime
aaa trusted-ap
Configure trusted third party APs.
Syntax
aaa trusted-ap
where is the MAC address of the AP in A:B:C:D:E:F notation.
Example
(Alcatel6000) (config) #aaa trusted-ap 43:a:4:1:a:0
(Alcatel6000) (config) #

aaa user fast-age
Configures fast aging with multiple instances of the same user (same MAC address).
aaa vpn-authentication auth-server
Assigns an authentication server.
Syntax
(Alcatel6000) (config) #aaa vpn-authentication auth-server ?
  STRING  Name of authentication server
(Alcatel6000) (config) #aaa vpn-authentication auth-server paul ?
  position  Server Position. Default is lowest. 1 is highest.
Syntax
(Alcatel6000) (config) #aaa web admin-port https port number
where:
  admin-port   configures a port for Web administration
  https        specifies HTTPS protocol for the port
  Port Number  is the number of the HTTPS port. Valid range is 0-65535.
Example
(Alcatel6000) (config) #aaa web admin-port https 6500
(Alcatel6000) (config) #

aaa xml-api client
Configures the external XML API.
Syntax
aaa xml-api client IPaddress
where:
  client A.B.C.
adp discovery
Enables or disables ADP.
Syntax
(Alcatel6000) (config) # adp [discovery | igmp-join | igmp-vlan]
where:
  discovery  enables or disables ADP
  igmp-join  enables or disables IGMP Join for ADP IP Multicast addresses
  igmp-vlan  specifies which VLAN to send IGMP Reports to. Default 0. Uses default route VLAN.
(Alcatel6000) (config) #ads netad mode learn ?
(Alcatel6000) (config) #ads netad mode detect ?
(Alcatel6000) (config) #ads netad mode detect
(Alcatel6000) (config) #ads netad mode disable ?
(Alcatel6000) (config) #ads netad mode disable

ap Commands
Configures Access Points either by BSSID or by location.

ap bssid
Configures APs by their MAC address (BSSID).
ap location
Accesses the AP location mode.

arm Commands
Configures the Adaptive Radio Management commands.
where:
Option                     Description
acceptable-coverage-index  Specifies to the AP how good the coverage on this channel should be. The range is . The default is 2. In general, the more APs there are in a given area, the lower this number should be.
backoff-time               Specifies how long (in seconds) the AP should wait after asking for a new channel or power setting. The default is 230 seconds. Range .
arp
Adds a static Address Resolution Protocol entry to the routing table.
Syntax
arp
where:
  is the IP address of the device to be added to the ARP table.
  is the 48-bit hardware address of the device, entered in the following format: xx:xx:xx:xx:xx:xx
Example
(Alcatel6000) (config) #arp 64.121.71.218 00:00:01:01:02:ae
NOTE— If the IP address does not belong to a valid IP subnet, the ARP entry will not be added.
(Alcatel6000) (config) #

clock Commands
Configures the Wireless LAN Switch's clock to show the Switch's timezone and to toggle to Daylight Saving Time as appropriate for the timezone setting.

clock summer-time
Configures the start of summer (daylight saving) time.
Syntax
clock summer-time recurring [<1-4>|first|last] [day] [month] [hh:mm] [<1-4>|first|last] [day] [month] [hh:mm] [<-23-23>] [<0-59>]
where:
  is the label of the timezone.
Configures the time zone in which the Switch is located.
Syntax
clock summer-time [<-23-23>] [<0-59>]
where:
  is the label of the timezone. This label should be no less than three and no more than five characters long and should not start with a colon (:).
  <-23 - 23> is the number of hours offset from UTC.
  <0-59> is the number of minutes of offset from UTC.
Syntax
dynamic-map |security-association |transform-set >>
where:
  is the name of the dynamic-map to create or modify
  is the priority of the map.
Syntax
crypto ipsec | <transform-set>
where:
  mtu            configures the IPSec MTU
  transform-set  configures a transform set to support:
    ESP with 168-bit Triple DES encryption, or
    ESP with 128-bit AES encryption, or
    ESP with 192-bit AES encryption, or
    ESP with 256-bit AES encryption, or
    ESP with 56-bit DES encryption
    and
    ESP with the MD5 (HMAC variant) authentication algorithm, or
    ESP with the SHA (HMAC variant) authentication algorithm
(Alcatel6000)
Example
(Alcatel6000) (config) #crypto isakmp ?
  address    Configure the IP for the group key
  disable    Disable the IKE processing
  enable     Enable the IKE processing
  groupname  Configure IKE Aggressive group name
  key        Configure the IKE PRE-SHARED key
  policy     Configure an IKE policy
(Alcatel6000) (config) #crypto isakmp address ?
  Configure the IP for the group key
(Alcatel6000) (config) #crypto isakmp address 10.25.5.
(Alcatel6000) (config) #
(Alcatel6000) (config) #crypto isakmp ?
  address    Configure the IP for the group key
  disable    Disable the IKE processing
  enable     Enable the IKE processing
  groupname  Configure IKE Aggressive group name
  key        Configure the IKE PRE-SHARED key
  policy     Configure an IKE policy
(Alcatel6000) (config) #crypto isakmp disable ?
(Alcatel6000) (config) #crypto isakmp disable
(Alcatel6000) (config) #crypto isakmp ?
  address    Configure the IP for the group key
  disable    Dis
(Alcatel6000) (config) #crypto isakmp groupname ?
  Configure IKE Aggressive group name
(Alcatel6000) (config) #crypto isakmp groupname paul ?
(Alcatel6000) (config) #crypto isakmp groupname paul
(Alcatel6000) (config) #crypto isakmp key ?
  Configure the value of the IKE PRE-SHARED key, must be between 6-64 characters
(Alcatel6000) (config) #crypto isakmp key 1111111111
% Incomplete command.
  Configure the IP for the group key
(Alcatel6000) (config) #crypto isakmp key 1111111111 address 100.100.100.1
% Incomplete command.
(Alcatel6000) (config) #crypto isakmp key 1111111111 address 100.100.100.1 ?
  netmask  Configure the IP netmask for the group key
(Alcatel6000) (config) #crypto isakmp key 1111111111 address 100.100.100.1 netmask ?
  Configure the IP netmask for the group key
(Alcatel6000) (config) #crypto isakmp key 1111111111 address 100.100.100.
  pre-share  Use Pre Shared Keys for IKE authentication
  rsa-sig    Use RSA Signatures for IKE authentication
(Alcatel6000) (config-isakmp)# authentication pre-share ?
(Alcatel6000) (config-isakmp)# authentication rsa-sig ?
(Alcatel6000) (config-isakmp)# encryption ?
  3DES    Use 168-bit 3DES-CBC encryption algorithm
  AES128  Use 128-bit AES-CBC encryption algorithm
  AES192  Use 192-bit AES-CBC encryption algorithm
  AES256  Use 256-bit AES-CBC encryption alg
(Alcatel6000) (config-isakmp)# hash md5 ?
(Alcatel6000) (config-isakmp)# lifetime ?
  [300 - 86400]  seconds
(Alcatel6000) (config-isakmp)# lifetime 301 ?
(Alcatel6000) (config-isakmp)# lifetime 301
(Alcatel6000) (config-isakmp)# ?
  authentication  Configure the IKE authentication method
  encryption      Configure the IKE encryption algorithm
  group           Configure the IKE Diffie Hellman group
  hash            Configure the IKE hash algorithm
  lifetime        Configure the IKE lifetime in seconds
(Al
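The isakmp help text above gives the parameter set an IKE policy is built from: an authentication method (pre-share or rsa-sig), an encryption algorithm (3DES, AES128, AES192, AES256), a hash, a lifetime of 300 to 86400 seconds, and a pre-shared key of 6 to 64 characters. The following Python audit is an added example, not code from this manual or from AOS-W: it parses a policy written in that CLI form, rejects values outside the documented sets and ranges, and flags md5 and 3DES as choices a reviewer would want replaced. The sample policy text, the finding strings, the netmask value and the `sha` keyword in the clean sample are constructed for the example.

```python
import re

# Value sets taken from the crypto isakmp help text on this page.
ALLOWED = {
    "authentication": {"pre-share", "rsa-sig"},
    "encryption": {"3DES", "AES128", "AES192", "AES256"},
}
LIFETIME_RANGE = (300, 86400)   # seconds, from "lifetime ?"
PSK_LENGTH = (6, 64)            # characters, from "crypto isakmp key ?"

# Constructed sample in the style of the transcript above.  The netmask
# value is assumed; the page's transcript stops before it.
SAMPLE_POLICY = """\
crypto isakmp key 1111111111 address 100.100.100.1 netmask 255.255.255.0
crypto isakmp policy 10
 authentication pre-share
 encryption 3DES
 hash md5
 lifetime 301
"""

# Constructed clean counterpart; "sha" is an assumed hash keyword.
CLEAN_POLICY = """\
crypto isakmp key Tq7#vL9pR2mX@e5 address 100.100.100.1 netmask 255.255.255.0
crypto isakmp policy 10
 authentication rsa-sig
 encryption AES256
 hash sha
 lifetime 28800
"""


def parse_policy(text):
    """Return (pre_shared_key_or_None, {setting: value}) from CLI-style text."""
    psk, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp key (\S+)", line)
        if m:
            psk = m.group(1)
            continue
        m = re.match(r"(authentication|encryption|hash|lifetime)\s+(\S+)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return psk, settings


def audit(text):
    """Return sorted finding strings; an empty list means nothing was flagged."""
    psk, s = parse_policy(text)
    findings = []
    # Values the CLI help does not list are reported as unknown.
    for key, allowed in ALLOWED.items():
        if key in s and s[key] not in allowed:
            findings.append(f"{key}: {s[key]} is not a documented value")
    if "lifetime" in s:
        lo, hi = LIFETIME_RANGE
        if not s["lifetime"].isdigit() or not lo <= int(s["lifetime"]) <= hi:
            findings.append(f"lifetime: {s['lifetime']} outside {lo}-{hi} seconds")
    # Documented but weak choices a reviewer should question.
    if s.get("hash") == "md5":
        findings.append("hash: md5 is a weak choice; prefer a SHA hash")
    if s.get("encryption") == "3DES":
        findings.append("encryption: 3DES is legacy; prefer an AES option")
    if psk is not None:
        lo, hi = PSK_LENGTH
        if not lo <= len(psk) <= hi:
            findings.append(f"psk: length {len(psk)} outside {lo}-{hi} characters")
        elif len(set(psk)) == 1:
            findings.append("psk: a single repeated character is trivially guessable")
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_POLICY), ("clean", CLEAN_POLICY)):
        print(name, audit(text) or ["no findings"])
```

Run against the transcript-style sample the audit reports three findings (legacy 3DES, md5, a repeated-character key); the clean policy produces none. The key-length and lifetime checks are the ones the switch itself enforces at the prompt; the weak-choice checks are the reviewer's additions.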
where:
  configures the default global map
  defines the priority of the map
  ipsec-isakmp  specifies the IPSec map
  dynamic       specifies the use of a dynamic map
  specifies the name of the dynamic map
Example
(Alcatel6000) (config) # crypto map global-map 5 ipsec-isakmp dynamic Paulmap
(Alcatel6000) (config) #

database synchronize
Synchronizes the internal database or RF Plan data on redundant master switches.
(Alcatel6000) (config) #

destination
Syntax
destination STRING [invert | ]
where:
  STRING      is the name of destination host or subnet
  IP address  is the IP Address of destination host or subnet
              is the subnet mask of the destination host
  invert      Specifies to use all destinations EXCEPT this destination
Example
(Alcatel6000) (config) #destination farleytech 67.121.71.218
(Alcatel6000) (config) #destination farleytech 67.121.71.
  timeout              Set 802.1X timeout values
  unicast-keyrotation  Enable Unicast Key Rotation
  use-session-key      Use Radius Session Key as the Unicast WEP key
  use-static-key       Use static key
  wired-clients        Enable 802.1x for wired supplicants
  wpa-key-retries      Set the number of retries for the wpa key handshake
  xSec-MTU             xSec MTU

dot1x default
Sets global 802.1X parameters to their default values.
dot1x key-size
Set the Dynamic WEP Key Size.
Syntax
dot1x key-size <128> | <40>
where
  128 specifies the 128-bit key (the default)
  40 specifies the 40-bit key
Example
(Alcatel6000) (config) # dot1x key-size 40
(Alcatel6000) (config) # dot1x key-size 128
(Alcatel6000) (config) #

dot1x max-req
Sets the maximum number of identity requests.
Syntax
dot1x max-req
where is the number of retries. Valid range is 1-10.
Syntax
dot1x opp-key-caching ?
Example
(Alcatel6000) (config) # dot1x opp-key-caching
(Alcatel6000) (config) #

dot1x re-authentication
Enables periodic 802.1X authentication.
Syntax
dot1x opp-key-caching
Example
(Alcatel6000) (config) # dot1x opp-key-caching
(Alcatel6000) (config) #

dot1x reauth-max
Maximum number of reauthentication attempts
Syntax
dot1x reauth-max
where specifies the value of the maximum authentication count.
Example
(Alcatel6000) (config) # dot1x server server-retry 3
(Alcatel6000) (config) #
(Alcatel6000) (config) # dot1x server server-timeout 244
(Alcatel6000) (config) #

dot1x timeout idrequest-period
Sets the 802.1X timeout period between identification requests.
Syntax
dot1x timeout idrequest-period <1-65535>
where <1-65535> is the number of seconds between requests.
Example
(Alcatel6000) (config) # dot1x timeout quiet-period 22
(Alcatel6000) (config) #

dot1x timeout reauth-period
Sets the 802.1X time period between reauthentication attempts.
Syntax
dot1x timeout reauthperiod
where:
  is the length of the reauthentication period in seconds. Valid range is 60-2147483647 seconds.
Syntax
dot1x timeout wpa-key-timeout
where:
  is the timeout in seconds for each WPA key exchange. Valid range is 1-5 seconds.
Example
(Alcatel6000) (config) # dot1x timeout wpa-key-timeout 4
(Alcatel6000) (config) #

dot1x unicast-keyrotation
Enables Unicast Key Rotation.
Syntax
dot1x unicast-keyrotation
Example
(Alcatel6000) (config) # dot1x unicast-keyrotation
(Alcatel6000) (config) #

dot1x use-session-key
Use Radius Session Key as the Unicast WEP key.
Syntax
dot1x wired-clients
Example
(Alcatel6000) (config) # dot1x wired-clients
(Alcatel6000) (config) #

dot1x wpa-key-retries
Set the number of retries for the WPA key handshake.
Syntax
dot1x wpa-key-retries
where:
  is the WPA Key Retry Count. Valid range is 1-5.
Example
(Alcatel6000) (config) # dot1x wired-clients 5
(Alcatel6000) (config) #

xSec-MTU
Specifies the xSec MTU.
Example
(Alcatel6000) (config) # enable
Password:******
Re-Type password:******
(Alcatel6000) (config) #

encrypt
Enables encryption on the switch.
Syntax
encrypt
Example
To turn on encryption, enter:
(Alcatel6000) (config) # encrypt enable
(Alcatel6000) (config) #

firewall Commands
Use these commands to configure the firewall.

firewall allow-tri-session
Allow three way session when performing destination NAT.
  is the number of pings per second allowed. A higher number of pings per second is deemed to be an attack. Valid range is 1-255 pings per second.
Example

firewall attack-rate session
Configures the firewall to monitor the number of IP sessions.
Syntax
firewall attack-rate session
where is the limit on the number of IP sessions that can occur. A number of IP sessions higher than this limit is considered an attack.
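The two attack-rate settings above express one rule: count events per source per second and treat any second above the configured limit as an attack. The following Python is an added example, not AOS-W code, that applies that rule to a constructed packet trace. The record layout, the function names and the sample addresses are assumptions made for the example; only the ping limit's 1-255 range and the "higher than the limit" rule come from the page.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since an arbitrary epoch (constructed)
    src: str    # source IP address
    kind: str   # "ping" for an ICMP echo request, "session" for a new IP session


def events_per_second(packets, kind):
    """Bucket packets of one kind by (source, whole second) and count them."""
    buckets = defaultdict(int)
    for p in packets:
        if p.kind == kind:
            buckets[(p.src, int(p.ts))] += 1
    return buckets


def flag_sources(packets, kind, limit):
    """Sources that exceed `limit` events of `kind` in any one-second window.

    Mirrors the documented rule: a rate higher than the limit is deemed an
    attack; a rate equal to the limit is allowed.  Returns {src: peak_rate}.
    """
    offenders = {}
    for (src, _sec), n in events_per_second(packets, kind).items():
        if n > limit:
            offenders[src] = max(n, offenders.get(src, 0))
    return offenders


def flag_ping_flood(packets, pings_per_second):
    """attack-rate ping: the limit must be in the documented 1-255 range."""
    if not 1 <= pings_per_second <= 255:
        raise ValueError("ping limit must be 1-255 pings per second")
    return flag_sources(packets, "ping", pings_per_second)


def flag_session_flood(packets, sessions_per_second):
    """attack-rate session: no range is documented, only a positive limit."""
    if sessions_per_second < 1:
        raise ValueError("session limit must be positive")
    return flag_sources(packets, "session", sessions_per_second)


# Constructed trace: 10.0.0.7 sends 10 echo requests inside second 0 and opens
# 30 sessions inside second 1; 10.0.0.9 sends two echo requests in second 0.
SAMPLE_TRACE = (
    [Packet(0.10 + i * 0.05, "10.0.0.7", "ping") for i in range(10)]
    + [Packet(0.20, "10.0.0.9", "ping"), Packet(0.40, "10.0.0.9", "ping")]
    + [Packet(1.00 + i * 0.01, "10.0.0.7", "session") for i in range(30)]
)

if __name__ == "__main__":
    print("ping offenders   :", flag_ping_flood(SAMPLE_TRACE, 5))
    print("session offenders:", flag_session_flood(SAMPLE_TRACE, 20))
```

With a ping limit of 5 the trace flags 10.0.0.7 at a peak of 10 per second and leaves 10.0.0.9 alone; with the limit raised to 10 nothing is flagged, because the switch's rule is "higher than", not "at least". The same bucketing serves the session counter with a different kind and limit.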
Example
(Alcatel2400) (config) #firewall deny-inter-user-bridging
(Alcatel2400) (config) #

firewall disable-ftp-server
Disables the FTP server.
Syntax
firewall disable-ftp-server
Example
(Alcatel2400) (config) # firewall disable-ftp-server
(Alcatel2400) (config) #

firewall disable-stateful-sip-processing
Disables stateful SIP processing. Default is enabled.
firewall enable-per-packet-logging
Enable per-packet logging. Default is per-session logging.
Example
(Alcatel2400) (config) #firewall prohibit-ip-spoofing
(Alcatel2400) (config) #

firewall prohibit-rst-replay
Prohibits the TCP RST replay attack.
Syntax
firewall prohibit-rst-replay
Example
(Alcatel2400) (config) #firewall prohibit-rst-replay
(Alcatel2400) (config) #

firewall session-mirror-destination
Configures a destination for a mirrored session.
Syntax
secure delete
where is the Security Parameter Index, greater than 256.
secure-foreign delete
Deletes the home-agent-foreign-agent security association.
Syntax
home-agent delete
where:
  is the number of the Security Parameter Index. This is an integer greater than 256.
Example
(OAW-Wireless LAN) (config-ha) #secure-foreign delete 400

secure-foreign spi
Configures the security association parameters between the home agent and the foreign agent.
Syntax
hostname
where:
  Specifies the hostname
Example
(Alcatel6000) (config-ha) #hostname labtest
(labtest) >
NOTE— When you change the hostname you are returned to Exec mode and must log back in.

Interface Commands
Allows access to the interface type commands. This release supports the following interfaces:
  FastEthernet IEEE 802.
description
Syntax
description
where is a text label. Labels can be up to
Example
(Alcatel6000) (config-if)# description this_is_a test
(Alcatel6000) (config-if)#

duplex
Configures the interface to support full duplex and half duplex traffic.
Syntax
duplex
where
  auto  configures the interface to automatically adjust to full or half duplex transmissions based on the traffic requirements.
  full  configures the interface to support full duplex traffic.
muxport
Configures Mux functionality on the port.
Example
(Alcatel6000) (config-if)#
rnet poe
Power Over Ethernet

interface fastethernet port
Perform switch port configuration
Syntax
where
Example
(Alcatel6000) (config-if)#

interface fastethernet shutdown
Shut down the selected interface
Syntax
where
Example
(Alcatel6000) (config-if)#
interface fastethernet snmp
Modify SNMP interface parameters
Syntax
where
Example
(Alcatel6000) (config-if)#

interface fastethernet spanning-tree
Spanning Tree subsystem
Syntax
where
Example
(Alcatel6000) (config-if)#

interface fastethernet speed
Configure Speed Operation
interface fastethernet switchport
Sets the switching mode characteristics.

interface fastethernet trusted
Makes this a trusted port. Traffic arriving on a trusted port is not subject to user authentication or the role-based firewall policies, so trust a port only when everything connected behind it is itself trusted.
interface fastethernet xsec
Enables Xtreme Security (xSec) on the port.

interface gigabitethernet
GigabitEthernet interface.

interface loopback
Loopback interface.

interface mgmt
Management Ethernet interface.
interface port-channel
Ethernet channel of interfaces.

interface range
Interface range.

interface tunnel
Tunnel interface.

interface vlan
Switch VLAN virtual interface.

Examples:
(Alcatel6000) (config) #interface gigabitethernet ?
  GigabitEthernet Interface is in slot/port format
(Alcatel6000) (config) #interface gigabitethernet 1/0
(Alcatel6000) (config-if)#
(Alcatel6000) (config) #interface loopback ?
(Alcatel6000) (config) #interface loopback
(Alcatel6000) (config-loop)#?
  ip  Interface Internet Protocol config commands
(Alcatel6000) (config-loop)#ip ?
  address  Set the IP address of loopback interface, to be used as switch ip.
(Alcatel6000) (config-loop)#ip address ?
  A.B.C.D  IP address
(Alcatel6000) (config-loop)#ip address 127.4.4.
(switch) (config-loop)# ip address ?
  A.B.C.D  IP address
(switch) (config-loop)# ip address 10.4.21.29 ?
  A.B.C.D  IP subnet mask
(switch) (config-loop)# ip address 10.4.21.29 255.255.255.0 ?
(switch) (config-loop)# ip address 10.4.21.29 255.255.255.0
Switch IP Address is Modified.
NAT, which configures Network Address Translation.
RADIUS, which configures RADIUS authentication.
Route, which specifies static routes.
Router, which enables a routing process.
Each command is described below.

ip access-list eth
Configures an Ethernet-type access list.
Syntax: ip access-list eth followed by the access list name or number. If you specify a number it must be between 200 and 299.
Example:
(hostswitch) (config) #ip access-list mac 709
(hostswitch) (config) #

ip access-list session
Configures a session access list.
Syntax: ip access-list session followed by the access list name.
Example:
(hostswitch) (config) #ip access-list session corporate
(hostswitch) (config) #

ip access-list standard
Configures a standard access list.
Syntax: ip access-list standard STRING
Where: STRING is the access list name or number.
Example:
(hostswitch) (config) #ip default-gateway 1.1.1.1 mgmt
(hostswitch) (config) #

ip dhcp excluded-address
Configures the DHCP server's excluded address range.
Syntax: ip dhcp excluded-address followed by the low address of the range and, optionally, the high address.
Where: the first address is the low end of the excluded range and the optional second address is the high end.
Example:
(hostswitch) (config) #ip dhcp excluded-address 1.1.1.1 20.2.2.
no
Deletes a command.

option
Configures client-specific options.

ip igmp
Configures Internet Group Management Protocol.

ip local
Configures the local address pool for L2TP.
ip radius dynamic-authorization
Configures an RFC 3576 (RADIUS Dynamic Authorization) client: the dynamic-authorization client at the given address (normally the RADIUS server) is permitted to send Disconnect-Request messages to the switch. The switch listens for these on the UDP port set with udp-port (default 3999); requests still have to carry a valid Request Authenticator computed with the shared secret.
Syntax: ip radius dynamic-authorization client A.B.C.D
Where: A.B.C.D is the IP address of the RADIUS client.
Example:
(hostswitch) (config) #ip radius dynamic-authorization client 3.3.3.3
(hostswitch) (config) #

ip radius nas-ip
Configures the NAS IP address sent in RADIUS packets.
Syntax: ip radius nas-ip A.B.C.D
Where: A.B.C.D is the NAS IP address.
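The dynamic-authorization client above is the one peer allowed to tear down sessions on the switch, and the exchange it uses is RFC 3576's Disconnect-Request / Disconnect-ACK / Disconnect-NAK over UDP. The following Python script is an added illustration, not code from the AOS-W manual or the switch software: it builds a Disconnect-Request with the RFC 3576 Request Authenticator, verifies the Response Authenticator on the reply, and shows the NAS-side check that rejects a request from anyone who does not hold the shared secret. The secret, user name, addresses and the use of port 3999 are assumptions made for the example; the message codes and attribute numbers are from RFC 2865 and RFC 3576.

```python
"""RFC 3576 Disconnect-Request builder and authenticator checks.

Added example (not from the AOS-W manual): layout, codes 40/41/42 and the
authenticator construction follow RFC 3576 section 2; the shared secret,
user name and addresses below are made up for the example.
"""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42
DEFAULT_DAS_PORT = 3999  # assumed: the switch's default udp-port for Disconnect-Requests

ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31


def encode_attr(attr_type, value):
    """RADIUS TLV: one byte type, one byte total length, then the value."""
    if isinstance(value, str):
        value = value.encode()
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(identifier, secret, attrs):
    """Header + Request Authenticator + attributes.

    Request Authenticator = MD5(Code | Identifier | Length | 16 zero octets |
    Attributes | Secret). Without the secret a forged packet cannot carry a
    valid authenticator, which is why the switch can accept these at all.
    """
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier & 0xFF, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def check_request(packet, secret):
    """NAS-side check: is this an authentic Disconnect-Request for our secret?"""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def verify_response(packet, request, secret):
    """Return the reply code (41 ACK, 42 NAK) if authentic, else None.

    Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    The Identifier must echo the request's, which ties the reply to our packet.
    """
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != request[1]:
        return None
    expected = hashlib.md5(packet[:4] + request[4:20] + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code


def make_reply(code, request, secret, attrs=()):
    """What a conforming NAS sends back; used here to exercise verify_response offline."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def send_disconnect(host, secret, attrs, port=DEFAULT_DAS_PORT, identifier=1, timeout=3.0):
    """Send one Disconnect-Request over UDP and return the verified reply code (or None)."""
    request = build_disconnect_request(identifier, secret, attrs)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_response(reply, request, secret)


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address standing in for the switch; the
    # user name and Framed-IP-Address are taken from the page's show user output.
    print(send_disconnect("192.0.2.1", b"change-me",
                          [(ATTR_USER_NAME, "rama"),
                           (ATTR_FRAMED_IP_ADDRESS, socket.inet_aton("10.4.21.229"))]))
```

RFC 3576 authenticates only the sender, not the channel: the packet's attributes travel in cleartext, and a host that can spoof the configured client address and knows the secret can disconnect any user, which is why the secret matters as much as the client address list.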
(hostswitch) (config) #ip radius source-interface vlan 3030
(hostswitch) (config) #

ip route
Establishes static routes.
Syntax: ip route followed by the destination address, the subnet mask, the next-hop address and an optional cost.
Where:
the first address is the IP address of the destination host or network
the mask is the subnet mask of the destination
the next-hop address is the IP address of the forwarding router
cost is the distance metric for this route
Example:
The following example establishes a static route to the host at 1.1.1.
(switch) (config) # key paul
Syntax Error processing command
(switch) (config) #

location
Specifies the switch location.
Syntax: location followed by the location of the switch.
Example:
(switch) (config) # location 10.4.21.1 ?
(switch) (config) #

logging
Commands:
(switch) (config) # logging ?
  logging
Example

logging level
Sets the facility logging level.

logging monitor
Sets the terminal line (monitor) logging level.
(switch) (config) #logging monitor alerts

loginsession timeout
Specifies how long a session stays active without activity.
Syntax: loginsession timeout followed by the timeout value in minutes, from 5 to 60. The default is 15 minutes.
gigabitethernet specifies Gigabit Ethernet per the IEEE 802.3 specification; the value that follows specifies the module slot and the port number on that module.
vlan specifies the VLAN name.
Example:
(hostswitch) (config) # mac-address-table static 00:00:00:1:2:3 fastethernet 3/4 vlan
(hostswitch) (config) #

master-redundancy
Accesses the commands that configure redundancy (VRRP) on the master switch.

master-vrrp
Configures the VRRP router ID.
Example:
(hostswitch) (config-master-redundancy)# no master-vrrp
(hostswitch) (config-master-redundancy)# no peer-ip-address
(hostswitch) (config-master-redundancy)#

peer-ip-address
Configures the redundant host.
Syntax: peer-ip-address A.B.C.D
Where: A.B.C.D is the IP address of the redundant host.
Example:
(hostswitch) (config-master-redundancy)#peer-ip-address 10.1.1.
mgmt-role
Accesses the commands that define a management role.
Syntax: mgmt-role followed by the name of the management role. Valid name length is 1-32 characters.
Example:
(hostswitch) (config) #mgmt-role bigboss
(Alcatel6000) (mgmt-role)#

description
Describes the management role.
Syntax: description followed by the description text.

no
Disables the management role definition.

permit
Defines which modules the management role can control.
mgmt-user
(Alcatel6000) (config) #mgmt-user ?
  Name of the user.
(Alcatel6000) (config) #mgmt-user pauluser ?
  Role of the user.
(Alcatel6000) (config) #mgmt-user pauluser paulrole ?
  PASSWD  User password.
(Alcatel6000) (config) #mgmt-user pauluser paulrole
ERROR: Configuring the Password.
(Alcatel6000) (config) #mgmt-user pauluser paulrole paul
(Alcatel6000) (config) #no mgmt-user ?
  Name of the user.
(Alcatel6000) (config) #no mgmt-user pauluser ?
(Alcatel6000) (config) #no mgmt-user pauluser
Error Deleting the User Entry
(Alcatel6000) (config) #

mobagent
Accesses mobility agent mode commands.
event-threshold

ignore-l2-broadcast
Ignores layer 2 broadcasts when making mobility decisions. Default: disabled.
max-dhcp-requests
Maximum number of DHCP DISCOVER/REQUEST messages after which proxy DHCP gives up.

no
Deletes a command.

on-association
Enables or disables triggering mobility on station association.

parameters
Sets the global parameters for the mobility manager.

proxy-dhcp
Enables or disables proxy DHCP support for the switch.
secure
Configures the global security association parameters for the mobility manager.

station-masquerade
Enables or disables station masquerading. Enable this if the uplink routers do not accept gratuitous ARPs.

trusted-roaming
Mobility handles roaming from untrusted to trusted. Default: disabled.
(Alcatel6000) (config-mob) #

mobility-local
Accesses the mobility manager mode commands for the local switch.
ha-priority
Sets the Home Agent priority for this VLAN.

local-ha
If enabled, makes this switch the Home Agent for all subnets it owns; otherwise it accepts the Home Agent designated by the master.

no
Deletes a command.
(Alcatel6000) (config-mob-local) #

mobmaster

primary-subnet
mux-address
(Alcatel6000) (config) #mux-address ?
  A.B.C.D  IP address
(Alcatel6000) (config) #mux-address 10.100.101.30 ?
(Alcatel6000) (config) #mux-address 10.100.101.
newbury
(Alcatel6000) (config) # newbury ?
  A.B.C.D  Specify IP Address of Locate Server
(Alcatel6000) (config) #

no
Disables the following actions:
(Alcatel6000) (config) #no ?

no aaa
Configure authentication.

no ap
Specify configuration of an AP by location or by BSSID.

no arp
Configure ARP parameters.
no clock
Configure the time-of-day clock.

no crypto
Configure IPSec, IKE, and CA.

no database
Database management.

no destination
Configure a network destination (deprecated; use netdestination).

no dot1x
Configure IEEE 802.1x.
no firewall
Configure global firewall policies.

no interface
Select an interface to configure.

no ip
Interface Internet Protocol config commands.

no logging
Modify message logging facilities.
no loginsession
Login session.

no mac-address-table
Configure the MAC address table.

no masterip
Configure the master IP address for the switch.

no mgmt-role
Management role definition.

no mgmt-user
Configure a management user.
no netdestination
Configure a network destination.

no netservice
Configure a network service.

no newbury
Specify Newbury Locate Server information.

no ntp
Configure NTP.

no pptp
Configure IP information for PPTP.

no rap-wml
Wired MAC Lookup for AP classification commands.
no router
Router Mobile.

no service
Configure services.

no shutdown
Shut down interface.

no snmp-server
Enable SNMP; modify SNMP parameters.
no spanning-tree
Spanning Tree subsystem.

no telnet
Telnet port (no telnet disables it). Telnet carries the management credentials and session in cleartext, so leave it disabled unless there is no alternative.

no time-range
Configure a time range.

no trusted
Make this a trusted port.

no udp-port
Configure the UDP port on which the switch receives RFC 3576 Disconnect-Requests. Default is 3999.
no vlan
Create switch VLAN virtual interface.

no vpn-dialer
Configure the VPN dialer.

no vrrp
Virtual Router Redundancy Protocol configuration.

(Alcatel6000) (config) #no ntp server
(Alcatel6000) (config) #ntp ?
  server  Configure NTP Server
(Alcatel6000) (config) #ntp 10.100.101.30 ?
(Alcatel6000) (config) #ntp 10.100.101.30
  ^
% Invalid input detected at '^' marker.
packet-capture-defaults
(Alcatel6000) (config) #packet-capture-defaults
(Alcatel6000) (config) #
(Alcatel6000) (config) #packet-capture-defaults ?

packet-capture-defaults Alcatelmsg
Enables or disables capture of Alcatel internal messaging packets. For debugging only.

packet-capture-defaults other
Enables or disables capture of all other types of packets.
(Alcatel6000) (config) #packet-capture-defaults tcp ?
  ports  Up to 10 comma separated ports to capture. Use [all] to sniff all tcp ports or [disable] to bypass all. All CLI ports are always skipped.
(Alcatel6000) (config) #packet-capture-defaults udp ?
  ports  Up to 10 comma separated ports to capture. Use [all] to sniff all udp ports or [disable] to bypass all.
(Alcatel6000) (config) #packet-capture-defaults udp
% Incomplete command.
(Alcatel6000) (config) #

ping
(Alcatel6000) (config) #ping ?
  Send ICMP echo packets to a specified IP address.
(Alcatel6000) (config) #ping 10.100.101.30
Press 'q' to abort.
Sending 5, 100-byte ICMP Echos to 10.100.101.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1.032/1.1152/1.
(Alcatel6000) (config) #no pptp ip ?
  local  Configure local IP information for PPTP
(Alcatel6000) (config) #no pptp ip local ?
  pool  Configure a local IP pool for PPTP
(Alcatel6000) (config) #no pptp ip local pool ?
  Configure local IP pool's name
(Alcatel6000) (config) #no pptp ip local pool paulpool ?
(Alcatel6000) (config) #no pptp ip local pool paulpool
(Alcatel6000) (config) #

pptp provision mode

program-ap
(Alcatel5050) >
(Alcatel5050) >enable
Password:******
(Alcatel5050) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(Alcatel5050) (config) #show prompt ?
(Alcatel5050) (config) #show prompt
  ^
% Invalid input detected at '^' marker.
(Alcatel5050) (config) #no prompt ?
(Alcatel5050) (config) #no prompt
  ^
% Invalid input detected at '^' marker.
% Incomplete command.
(Alcatel6000) (config) # show rap-wml ?
  cache      Show Cache of all lookups for a DB Server
  servers    Show DB Server State
  wired-mac  Show Wired MAC Discovered on traffic through AP
(Alcatel6000) (config) # show rap-wml servers ?
(Alcatel6000) (config) # show rap-wml servers
WML DB Servers
--------------
name     ip       type  user  password  db-name  cache
----     --       ----  ----  --------  -------  -----
paulsql  0.0.0.
         Specify Name of MSSQL Server
  table  Specify Table Name for Lookup
(Alcatel6000) (config) #no rap-wml paulsql
(Alcatel6000) (config) #show rap-wml
% Incomplete command.
(Alcatel6000) (config) #router mobile ?
  IP Address to be used for Mobile IP Service
(Alcatel6000) (config) #router mobile
Module Mobile IP is busy.
SAPM_COUNTERS_RESULT
--------------------
LOC  SAP_IP  Updates Sent  ACKs Rcvd  APBoots Sent  APBoots Rcvd  Bootstraps  Reboots  Calibration .g  Calibration .a
---  ------  ------------  ---------  ------------  ------------  ----------  -------  --------------  --------------
Num APs:0
(Alcatel6000) (config) #no sapm ?
(Alcatel6000) (config) #

service
Enables or disables DHCP.
shutdown
(switch) (config) # shutdown ?
  all  All the physical interfaces in the switch
(switch) (config) # shutdown all ?
(switch) (config) # shutdown all

site-survey
(switch) (config) #site-survey

site-survey calibration-max-packets
(switch) (config) #site-survey calibration-max-packets ?
  neighbor-tx-power-bump   amount of increase in tx power for a neighbor (for HA recovery)
  rra-max-compute-time     max time in seconds for RRA computation

site-survey ha-compute-time
(switch) (config) #site-survey ha-compute-time ?
  time in milliseconds when HA reconvergence algorithms are kicked off
(switch) (config) #site-survey ha-compute-time 15 ?
  calibration-max-packe..  max packets to send per tx power and rate
  calibration-transmit-..
snmp-server
(switch) (config) #snmp-server ?
  community  set read-only community string
  enable
  host       Specify host address to receive SNMP notifications.
  new        Traps defined in the new MIB's supported.
snmp-server host
(switch) (config) #snmp-server host ?
  A.B.C.D  IP address of SNMP notification host.
(switch) (config) #snmp-server new ?
  traps  The system will generate new versions of the trap.
spanning-tree forward-time
(switch) (config) #spanning-tree forward-time ?
  <4-30>  Set a Spanning Tree FORWARD Interval
(switch) (config) #spanning-tree forward-time 15 ?
(switch) (config) #spanning-tree forward-time 15

spanning-tree hello-time
(switch) (config) #spanning-tree hello-time ?
  <1-10>  Set a Spanning Tree HELLO Interval
(switch) (config) #spanning-tree hello-time 2

spanning-tree max-age
(switch) (config) #spanning-tree max-age ?
  <6-40>  Set a Spanning Tree MAX AGE Interval
(switch) (config) #show spanning-tree
Spanning Tree is not currently active
The following parameters have been configured
Stp Status          : Disabled
Protocol            : IEEE
Max Age (sec)       : 20
Hello Time (sec)    : 2
Forward Delay (sec) : 15
Bridge Priority     : 32768
(switch) (config) #spanning-tree enable
  ^
% Invalid input detected at '^' marker.
(switch) (config) #spanning-tree
Connection to host lost.
Note that "spanning-tree enable" is rejected; the bare spanning-tree command is what enables the protocol, and in this transcript it dropped the management session while the ports re-converged, so run it from the console or expect to reconnect.
  sta-dos-block-time   Amount of time to block a STA once DoS is detected. In seconds. 0 blocks indefinitely
  sta-dos-prevention   Enable/Disable STA DoS prevention.
  strict-compliance    Enable/Disable strict WECA compliance

stm ap-inactivity-timeout
(switch) (config) #stm ap-inactivity-timeout ?
  good-sta-ageout          Amount of time after which a STA with good RSSI to one of the APs is aged out. In seconds
  hole-detection-interv..  Amount of time after which a hole detection event is generated. In seconds
  idle-sta-ageout          Amount of time after which a STA with potential hole info and bad RSSI to one of the APs is aged out.
Example

stm coverage-hole-detection

stm dos-prevention
(switch) (config) #stm dos-prevention ?
  disable  Disable
  enable   Enable
(switch) (config) #stm dos-prevention enable ?
  ap-inactivity-timeout    Amount of time after which AP is aged out. In seconds
  auth-failure-block-ti..  Amount of time to block a STA if it fails repeated authentications. In seconds. 0 blocks indefinitely
  coverage-hole-detecti..
  enable  Enable
(switch) (config) #stm dos-prevention enable fast-roaming enable ?
  ap-inactivity-timeout    Amount of time after which AP is aged out. In seconds
  auth-failure-block-ti..  Amount of time to block a STA if it fails repeated authentications. In seconds. 0 blocks indefinitely
  coverage-hole-detecti..
  sta-dos-block-time   Amount of time to block a STA once DoS is detected. In seconds. 0 blocks indefinitely
  sta-dos-prevention   Enable/Disable STA DoS prevention.
  strict-compliance    Enable/Disable strict WECA compliance

stm idle-sta-ageout
(switch) (config) #stm idle-sta-ageout ?
  Amount of time after which a STA with potential hole info and bad RSSI to one of the APs is aged out.
  coverage-hole-detecti..  Enable/Disable STM coverage hole capabilities
  dos-prevention           Enable/Disable STM DoS prevention capabilities
  fast-roaming             Enable/Disable Fast Roaming
  good-rssi-threshold      Stop hole detection if RSSI from STA is more than this value
  good-sta-ageout          Amount of time after which a STA with good RSSI to one of the APs is aged out. In seconds
  hole-detection-interv..  Amount of time after which a hole detection event is generated.
  auth-failure-block-ti..  Amount of time to block a STA if it fails repeated authentications. In seconds. 0 blocks indefinitely
  coverage-hole-detecti..  Enable/Disable STM coverage hole capabilities
  dos-prevention           Enable/Disable STM DoS prevention capabilities
  fast-roaming             Enable/Disable Fast Roaming
  good-rssi-threshold      Stop hole detection if RSSI from STA is more than this value
  good-sta-ageout          Amount of time after which a STA with good RSSI to one of the APs is aged out.
stm sta-dos-prevention

stm strict-compliance

syscontact
(switch) (config) # syscontact ?
  Change the system contact
(switch) (config) # syscontact rama ?
(switch) (config) # show syscontact ?
(switch) (config) # show syscontact
Contact is not configured
(switch) (config) #syscontact Rama
(switch) (config) #show syscontact
Rama

syslocation
(switch) (config) #syslocation ?
  Change the system location
(switch) (config) #syslocation Crossman main lab
  ^
% Invalid input detected at '^' marker.
A location string containing spaces is rejected here.
time-range
Informs the switch when a time-restricted feature, such as an access list, is to be used.
(switch) (config) #show time-range
(switch) (config) #

traceroute
(switch) (config) #traceroute ?
  Trace route to specified IP address.
(switch) (config) #traceroute 64.121.71.217
Press 'q' to abort.
Tracing the route to 64.121.71.217
  1  10.4.21.254  0.783 msec  0.559 msec  0.565 msec
  2  * * *
  3  * * *
(switch) (config) #traceroute 64.121.71.217 ?
(switch) (config) #traceroute 64.121.71.217
Press 'q' to abort.
Tracing the route to 64.121.71.
 20  * * *
 21  * * *
 22  * * *
 23  * * *
 24  * * *
 25  * * *
 26  * * *
 27  * * *
 28  * * *
 29  * * *
 30  * * *
(switch) (config) #show traceroute ?
(switch) (config) #show traceroute
  ^
% Invalid input detected at '^' marker.
(switch) (config) #

trusted
(switch) (config) #trusted all ?
(switch) (config) #show trusted ?
(switch) (config) #show trusted
  ^
% Invalid input detected at '^' marker.
(switch) (config) #show user ?
  authentication-method  Match authentication method
  bssid                  Match BSSID
  debug                  Show users that are currently being debugged
  essid                  Match ESSID
  global-user-map        Displays summary of all users currently in the system
  internal               Show internal user entries
  ip                     Match IP address
  location               Match location
  mac                    Match MAC address
  mobile                 Show mobile users
  name                   Match name
  phy-type               Match PHY type
  role                   Match role
  rows                   Show certain rows
(switch) (config) #show user name ?
  STRING
IP           MAC                Name  Role     Age(d:h:m)  Auth  VPN link     location  Roaming  Essid/Bssid/Phy
--           ---                ----  ----     ----------  ----  --------     --------  -------  ---------------
10.4.21.102  00:00:00:00:00:00  rama  ap-role  00:00:25    VPN   10.4.21.229  1/0       Wired
10.4.21.104  00:00:00:00:00:00  rama  ap-role  00:23:28    VPN   10.4.21.193  1/0       Wired
User Entries: 2/2
(switch) (config) #

user-role
(switch) (config) #user-role
% Incomplete command.
(switch) (config) #user-role ?
  STRING  Name of user role
(switch) (config) #user-role rama ?
(switch) (config) #show user role
% Incomplete command.
(switch) (config) #show user role guest ?
  rows  Show certain rows
(switch) (config) #show user role guest
Users
-----
IP  MAC  Name  Role  Age(d:h:m)  Auth  VPN link  location  Roaming  Essid/Bssid/Phy
--  ---  ----  ----  ----------  ----  --------  --------  -------  ---------------
User Entries: 0/0
(switch) (config) #user-role ?
  STRING  Name of user role
(switch) (config) #user-role visitor ?
(switch) (config) #user-role visitor
(switch) (config-role) #show user ?
  authenti
(switch) (config-role) #show user role visitor
Users
-----
IP  MAC  Name  Role  Age(d:h:m)  Auth  VPN link  location  Roaming  Essid/Bssid/Phy
--  ---  ----  ----  ----------  ----  --------  --------  -------  ---------------
User Entries: 0/0
(switch) (config-role) #
(switch) (config-role) #no user-role visitor
  ^
% Invalid input detected at '^' marker.
(no user-role is not accepted from inside the role sub-mode.)
(switch) (config-role) #version 2.4
(switch) (config) #show version ?
(switch) (config) #show version
Alcatel Wireless Operating System Software.
AOS-W (MODEL: switch), Version 2.4.0.0
Website: http://www.alcatel.com
Copyright (c) 2003-2005 by Alcatel, Inc.
Compiled on 2004-12-22 at 19:08:49 PST (build 9270) by p4build
ROM: System Bootstrap, Version CPBoot 1.1.5 (Aug 30 2004 - 01:52:13)
Switch uptime is 23 hours 40 minutes 48 seconds
Reboot Cause: User reboot.
vlan
(switch) (config) #show vlan
VLAN CONFIGURATION
------------------
VLAN  Name      Ports
----  ----      -----
1     Default   Fa1/0-23 Gig1/24-25 Pc0-7
(switch) (config) #vlan 2
(switch) (config) #show vlan 2
VLAN CONFIGURATION
------------------
VLAN  Name      Ports
----  ----      -----
2     VLAN0002
(switch) (config) #show vlan
VLAN CONFIGURATION
------------------
VLAN  Name      Ports
----  ----      -----
1     Default   Fa1/0-23 Gig1/24-25 Pc0-7
2     VLAN0002
(switch)
As the first listing shows, every FastEthernet, Gigabit and port-channel interface belongs to VLAN 1 until it is moved, so a newly created VLAN has no ports until they are assigned.
  pptp  Configure the PPTP group
(switch) (config) #vpdn group l2tp ?
(switch) (config) #vpdn group pptp ?
(switch) (config) #show vpdn ?
  l2tp    Show vpdn L2TP state
  pptp    Show pptp state
  tunnel  Show vpdn tunnel state
(switch) (config) #show vpdn l2tp
% Incomplete command.
(switch) (config) #show vpdn pptp ?
  configuration  Show PPTP configuration
  local          Show PPTP local IP pool
(switch) (config) #show vpdn pptp configuration
Enabled
Hello timeout: 60 seconds
DNS primary server: 0.0.0.0
DNS secondary server: 0.0.0.0
WINS primary server: 0.0.0.0
WINS secondary server: 0.0.0.
(switch) (config) #show vpdn tunnel pptp
Command obsolete. Please use show user-table to get a list of users.
  STRING  Configuration Name of the VPN dialer
(switch) (config) #vpn-dialer test ?
(switch) (config) #vpn-dialer test
(switch) (config-vpn-dialer)#show vpn-dialer
default-dialer
--------------
Attribute
---------
PPTP
L2TP
DNETCLEAR
WIREDNOWIFI
PAP
CHAP
MSCHAP
MSCHAPV2
CACHE-SECURID
IKESECS
IKEENC
IKEGROUP
IKEHASH
IKEAUTH
IKEPASSWD
IPSECSECS
IPSECGROUP
IPSECENC
IPSECAUTH
SECURID_NEWPINMODE

test
----
Attribute           Value
---------           -----
PPTP
L2TP
DNETCLEAR
WIREDNOWIFI
PAP
CHAP
MSCHAP
MSCHAPV2
CACHE-SECURID       disabled
IKESECS             28800
IKEENC              3DES
IKEGROUP            TWO
IKEHASH             SHA
IKEAUTH             PRE-SHARE
IKEPASSWD           ********
IPSECSECS           7200
IPSECGROUP          GROUP2
IPSECENC            ESP-3DES
IPSECAUTH           ESP-SHA-HMAC
SECURID_NEWPINMODE  disabled
(switch) (config-vpn-dialer)#no vpn-dialer test
  ^
% Invalid input detected at '^' marker.
(switch) (config-vpn-dialer)#no vpn-dialer ?
(switch) (config-vpn-dialer)#no vpn-dialer test
  ^
% Invalid input detected at '^' marker.
The dialer defaults shown (3DES, SHA-1, Diffie-Hellman group 2, a pre-shared IKE key) were typical for this release but are weak by current standards; the IKE pre-shared key is masked in this output but is shared by every user of the dialer.
  intra-switch  Intra-switch Virtual Router Redundancy Protocol configuration
(switch) (config) #vrrp 25 ?
(switch) (config) #show vrrp
(switch) (config) #show vrrp ?
  <1-255>     Virtual Router ID
  statistics
(switch) (config) #show vrrp statistics ?
  <1-255>  Virtual Router ID
(switch) (config) #show vrrp statistics
% Incomplete command.
  shutdown  Disable VRRP intra-switch
(switch) (config-vrrp)#no shutdown ?
(switch) (config-vrrp)#no shutdown
Can't start router: VR ID is not configured
(switch) (config-vrrp)#?
  no        Delete Command
  shutdown  Disable VRRP intra-switch
(switch) (config-vrrp)#

web-server
(switch) (config) #web-server ?
(switch) (config) #web-server
(switch) (config-webserver)#show web-server
% Incomplete command.
  SSLv3 and TLSv1

admin-port
(switch) (config-webserver)#admin-port ?
  https  Specify https port
(switch) (config-webserver)#admin-port https ?
  <0-65535>  Port Number
(switch) (config-webserver)#admin-port https 22 ?

ciphers
(switch) (config-webserver)#ciphers ?
  high    Cipher suite with encryption keys larger than 128 bits
  low     Cipher suite with 56 or 64 bit encryption keys
  medium  Cipher suite with 128 bit encryption keys
(switch) (config-webserver)#ciphers medi

ssl-protocol
(switch) (config-webserver)#ssl-protocol tlsv1 sslv2 ?
  sslv3  Use SSLv3
(switch) (config-webserver)#ssl-protocol tlsv1 sslv2 sslv3 ?
(switch) (config-webserver)#
The administrative web interface carries the management password, so configure it with ssl-protocol tlsv1 alone and ciphers high: SSLv2 is broken, SSLv3 is obsolete, and the low suite's 56- and 64-bit keys are within brute-force reach.

webui
(switch) (config) # webui ?
  user  Configure the web ui administrator password
(switch) (config) # webui user ?
  administrator  Configure the web ui administrator password
(switch) (config) # webui user administrator ?
  Enter web ui administrator password
(switch) (config) # webui user administrator admin ?
  reserved-11a-channel  enable/disable 80211a channel as multi tenancy protected channel
  reserved-11b-channel  enable/disable 80211b channel as multi tenancy protected channel
  station-policy        Configure Station Policy
  valid-11a-channel     enable/disable 80211a channel as valid
  valid-11b-channel     enable/disable 80211b channel as valid
  valid-oui             configure valid OUI for AP
  valid-ssid            configure valid SSID for AP
  wired-mac             configure Wired MAC of router or server

ap-config
  ap-lb-max-retries
  ap-lb-user-high-wm
  ap-lb-user-low-wm
  ap-lb-util-high-wm
  ap-lb-util-low-wm
  ap-lb-util-wait-time
  ap-load-balancing
  beacon-diff-threshold
  beacon-inc-wait-time
  classification
  detect-ap-impersonati..
  detect-misconfigured-..
  learn-ap
  min-pot-ap-beacon-rate
  min-pot-ap-monitor-ti..
  protect-ap-impersonat..
  protect-ibss
  protect-misconfigured..
  protect-mt-channel-sp..
  ap-lb-util-low-wm      Low WM on utilization that triggers disabling ap load balancing
  ap-lb-util-wait-time   Time in seconds to wait before enabling or disabling load balancing once threshold is hit
  ap-load-balancing      enable/disable AP load balancing
  beacon-diff-threshold  percent increase in beacon rate that should trigger an ap impersonation event
  beacon-inc-wait-time   time to wait before generating an ap impersonation event
  ids-signature         configure a signature for the IDS check
  no                    Delete Command
  reserved-11a-channel  enable/disable 80211a channel as multi tenancy protected channel
  reserved-11b-channel  enable/disable 80211b channel as multi tenancy protected channel
  station-policy        Configure Station Policy
  valid-11a-channel     enable/disable 80211a channel as valid
  valid-11b-channel     enable/disable 80211b channel as valid
  valid-oui             configure valid OUI for AP
  valid-ssid            configure valid SSID for AP
  wired-mac             configure Wired MAC of router or server
  poll-retries            # of retries before it is declared down
  sta-ageout-interval     STA ageout interval in minutes. 0 to disable
  sta-inactivity-timeout  STA inactivity timeout in scan seconds.
  stat-update
  wired-laser-beam
  ap-flood-check          IDS Fake AP Flood Detection
  ap-flood-inc-time       Number of consecutive seconds over which the AP count is more than the threshold
  ap-flood-quiet-time     Time to wait after detecting an AP flood before the check can be resumed
  ap-flood-threshold
  dsta-check
  dsta-quiet-time         Time to wait after detecting a disconnect-station attack before the check can be resumed
  eap-check
  eap-rate-quiet-time     Time to wait after detecting an EAP handshake anomaly after which the check can be resumed
  eap-rate-threshold      Number of EAP handshake packets over the time interval that constitutes an anomaly
  eap-rate-time-interval  Time interval in seconds over which the packet count should be checked. Maximum is 120 seconds.
  mac-oui-check
  mac-oui-quiet-time      Time to wait after detecting an invalid MAC OUI before the check can be resumed
  rate-check
  rate-frame-type-param
  sequence-check
  sequence-diff           Allowed difference between consecutive sequence numbers
  sequence-quiet-time     Time to wait after detecting a sequence number anomaly before the check can be resumed
  wbridge-quiet-time      Time to wait in seconds after detecting a wireless bridge after which the check can be resumed
(switch) (wms) #ids-?
  ids-policy     configure IDS Policy for AP and AM
  ids-signature  configure a signature for the IDS check

ids-signature
(switch) (wms) #ids-signature ?
  name of signature
(switch) (wms) #ids-signature paul ?
(switch) (wms) #
(switch) (wms) #?
  ap-config
  ap-policy
  event-threshold
  general
  global-policy
  ids-policy
  ids-signature
  no
  reserved-11a-channel
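To make the ids-policy parameters above concrete, here is a Python sketch of two of the checks; it is an added example, not the switch's own detection code and not from the manual. It implements an EAP handshake rate check driven by eap-rate-threshold, eap-rate-time-interval and eap-rate-quiet-time, and an 802.11 sequence-number check driven by sequence-diff and sequence-quiet-time, then runs both over a constructed stream of frame events. The thresholds, MAC addresses and events are made up for the example, and details such as window edges and what counts as a jump are one reasonable reading of the parameter descriptions rather than the switch's behaviour.

```python
"""Sliding-window IDS checks modelled on the ids-policy parameters.

Added example (not from the AOS-W manual or the switch): the thresholds,
addresses and frame events are constructed; the semantics are one reading of
eap-rate-threshold / eap-rate-time-interval / eap-rate-quiet-time and
sequence-check / sequence-diff / sequence-quiet-time, not the switch's.
"""
from collections import defaultdict, deque

SEQ_MODULUS = 4096  # 802.11 sequence numbers are 12 bits wide


class EapRateCheck:
    """Flag a station that sends >= threshold EAP frames within `interval` seconds;
    after an alert the station is left alone for `quiet_time` seconds."""

    def __init__(self, threshold, interval, quiet_time):
        if not 1 <= interval <= 120:  # the CLI caps eap-rate-time-interval at 120 s
            raise ValueError("eap-rate-time-interval must be 1..120 seconds")
        self.threshold, self.interval, self.quiet_time = threshold, interval, quiet_time
        self.windows = defaultdict(deque)  # station MAC -> timestamps inside the window
        self.quiet_until = {}              # station MAC -> time at which checking resumes

    def observe(self, ts, station):
        if ts < self.quiet_until.get(station, 0.0):
            return None                    # still inside the quiet time after an alert
        window = self.windows[station]
        window.append(ts)
        while window and window[0] <= ts - self.interval:
            window.popleft()               # drop frames older than the interval
        if len(window) >= self.threshold:
            window.clear()
            self.quiet_until[station] = ts + self.quiet_time
            return ("eap-rate-anomaly", station, ts)
        return None


class SequenceCheck:
    """Flag a BSSID whose frames' sequence numbers jump by more than `max_diff`.

    One radio numbers its frames consecutively (mod 4096); a second radio
    spoofing the same BSSID shows up as a large jump or a step backwards."""

    def __init__(self, max_diff, quiet_time):
        self.max_diff, self.quiet_time = max_diff, quiet_time
        self.last_seq = {}
        self.quiet_until = {}

    def observe(self, ts, bssid, seq):
        if ts < self.quiet_until.get(bssid, 0.0):
            return None
        previous = self.last_seq.get(bssid)
        self.last_seq[bssid] = seq
        if previous is None:
            return None                    # first frame seen for this BSSID
        delta = (seq - previous) % SEQ_MODULUS  # a backwards step wraps to a large delta
        if delta > self.max_diff:
            self.quiet_until[bssid] = ts + self.quiet_time
            return ("sequence-anomaly", bssid, ts)
        return None


def run_checks(events, eap_check, seq_check):
    """events: (ts, kind, addr, seq); kind 'eap' (addr = station) or 'beacon' (addr = BSSID)."""
    alerts = []
    for ts, kind, addr, seq in events:
        alert = eap_check.observe(ts, addr) if kind == "eap" else seq_check.observe(ts, addr, seq)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: one station hammering EAP, one BSSID whose sequence numbers jump.
STA = "00:11:22:33:44:55"
BSSID = "00:0b:86:aa:bb:cc"
SAMPLE_EVENTS = (
    [(float(t), "eap", STA, None) for t in range(0, 10)]          # 10 EAP frames in 10 s
    + [(40.0, "eap", STA, None)]                                   # one more, after the quiet time
    + [(0.5, "beacon", BSSID, 100), (1.5, "beacon", BSSID, 101),
       (2.5, "beacon", BSSID, 102), (3.5, "beacon", BSSID, 1500),  # jump of 1398
       (4.5, "beacon", BSSID, 1501), (20.0, "beacon", BSSID, 95)]  # backwards step after quiet time
)


def sample_alerts():
    """Run both checks over SAMPLE_EVENTS in time order and return the alerts raised."""
    return run_checks(sorted(SAMPLE_EVENTS, key=lambda e: e[0]),
                      EapRateCheck(threshold=5, interval=10, quiet_time=30),
                      SequenceCheck(max_diff=300, quiet_time=10))


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

The quiet time is what keeps a noisy station or a persistent impersonator from generating one event per frame; the trade-off, visible in the sample, is that frames arriving during the quiet window are not examined at all.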
(switch) (wms) #reserved-11a-channel ?
  enable/disable 80211a channel as multi tenancy protected channel
(switch) (wms) #reserved-11a-channel 4 ?
  mode  enable/disable
(switch) (wms) #reserved-11a-channel 4 mode ?
  disable
  enable
(switch) (wms) #reserved-11a-channel 4 mode enable ?

reserved-11b-channel
(switch) (wms) #reserved-11b-channel ?
  enable/disable 80211b channel as multi tenancy protected channel
(switch)
NOTE: The handoff-assist option lets the switch force a sticky client off an AP when the RSSI drops below the defined minimum threshold. This is useful when a client will not let go of an AP as long as it is still receiving any ACKs (even at 1 Mbps) and only looks for a new AP after about 10 seconds without ACK responses from the old AP.
(switch) (wms) #valid-11b-channel 14 ?
  mode  enable/disable
(switch) (wms) #valid-11b-channel 14 mode enable ?

valid-oui
(switch) (wms) #valid-oui ?
  configure valid OUI for AP
(switch) (wms) #valid-oui 4 ?

valid-ssid
(switch) (wms) #valid-ssid ?
  configure valid SSID for AP
(switch) (wms) #valid-ssid 3434 ?
  mode  enable or disable a SSID
(switch) (wms) #valid-ssid 3434 mode enable ?

wired-mac
(switch) (wms) #wired-mac ?
CHAPTER 30 Action Commands Action Commands are available from the main Command-Line Interface (CLI) prompts in user mode and privileged mode. These commands take effect as soon as they are entered and, if appropriate, any resulting configuration changes are automatically saved. Different Action commands are available in each mode. This chapter provides a summary of the action commands available on the Alcatel Wireless LAN Switch in your network. The command summary is organized by command function.
Switch Management Commands

enable
Type this command to enter the privileged mode. You will be prompted for the password.
(Alcatel) > enable
Password:***********
(Alcatel) #

logout
Close this CLI session. Any configuration changes which have not yet been saved are lost.

swkey
Use this privileged command to enable extra features in the Alcatel switch software.

Privileged Mode Commands
Privileged mode is entered from the user mode through the enable command (see page 820). This mode provides access to configuration and information collection commands. Privileged mode is indicated by the host# prompt, where host is the host name of the switch, if defined. From any privileged mode or sub-mode, you can exit to the user mode using the global exit command.

Switch Management Commands
boot...

configure terminal
Enter the configuration mode. This mode provides access to system configuration commands. The commands available depend on the switch mode. Local configuration commands (see page 445) are available on any switch. Master configuration commands (page 797) are only available on the master switch.

copy...
Copy file or image items from one location to another. Variations:
• copy flash flash  Copy a system file.

Values for type: authmgr, cfgm, crypto, errorlog, fpapps, ha, intuser, l2tp, localdb, master, mmgr, mobagent, ppp, pptp, sapm, stm, user, wms.
destination IP address   The IP address of the FTP destination for the type.log file.
user name                If required, the name of a valid user account at the destination.
password                 If required, the password for the user account at the destination.

delete
Delete the specified file from the system. To view a list of files, use the dir command.

reload
Reboot the system after prompting the user to verify the command. If there are any unsaved configuration changes, you will be prompted whether you wish to save them first.

halt
Shuts down the switch (the switch will not reboot automatically).

rename
Change the name of a system file. To view a list of files, use the dir command.

show
Enter the Show mode (see page 833).

traceroute
This command traces the route, displaying each hop, to a host specified by the IP Address argument.

Air Management Commands
Air Monitor Commands
am scan [bssid ]
pcap...

WMS Commands
wms ap [mode ]
This command defines the access point specified by the MAC address argument as either an interfering, valid, or denial of service type access point.
wms station [mode ]
This command defines the station specified by the MAC address argument as either an interfering, valid, or denial of service type station.

Site Survey Commands
site-survey...

Authentication Commands
AAA Commands
The following immediate commands are used for Accounting, Authentication, & Authorization (AAA). Other AAA commands can be found starting on page 823.
aaa debug {save-config}
aaa inservice
Place the named AAA server into service.
aaa test-server
Test the response of a configured AAA server.

Local Database Commands
The local user database is an internal Wireless LAN switch database for authenticating users. If using an external RADIUS server for authentication, the internal database is not required.
local-userdb...
Variations:
• local-userdb add username password [disable] [email ] [role ]  Add a user to the local user database. The user is initially enabled unless the disable option is used.

Clear Commands
clear arp
This command clears the ARP table.
clear counters [fastethernet / | gigabitethernet |]
This command clears the counters on the specified port.
clear crypto dp
This command displays the last few commands in the debug buffer that were sent from the control path to the data path, adding or deleting IPSec SAs and routes. The buffer is cleared after the stored commands have been displayed.
clear stm hole
This command clears the coverage hole information for the specified BSSID.

Debug Commands
debug...
Variations:
• debug [...]  Turn debugging on for the specified feature type and sub-type.
• undebug {all| [...]}  Turn debugging off for the specified feature type and sub-type.

Panic Commands
panic clear
This command clears all panic information from NVRAM.
panic info [file |nvram ]
This command prints the contents of the specified panic file(s).
panic list [file |nvram]
This command lists all the panics in the specified panicfilename or in nvram.
panic save
This command saves all the panic information stored in nvram to the specified panicfilename.
CHAPTER 31 Show Commands This chapter provides a summary of the show commands available on the Alcatel Wireless LAN Switch in your network. The command summary is organized by command function. Each command entry depicts the syntax. Many provide output examples. Show commands may only be executed from the Privileged mode. For more information on the commands, use the CLI help feature described on page 18.
show image version
This command displays version information about the software image.
show keys
This command displays the status of features on the Alcatel switch.

show loginsessions
This command displays information about current sessions.
(Alcatel) # show loginsessions
ID  User Name        Connection From
--  ---------------  ---------------
00  admin            10.1.1.

show station-table
This command displays information about the stations connected to the switch. Executing this command with no options will display all the stations on the switch. Options:
• mac  Show the station with the specified MAC address.
show trunk
This command displays the Trunk Port table.
show version
This command shows the current versions of the boot code, processor, and assembly.

show inventory
This command shows the physical contents of the switch. It also shows the status of each power supply and fan.
(Alcatel) # show inventory
Supervisor Card slot : 0
Supervisor FPGA Rev  : 0x6 ID 0x0
Assembly#            : 00004A00 (Rev:02.08)
Serial#              : P00000016 (Date:03/14/03)
Crypto Assembly      : 00005A00 (Rev:02.

show processes
This command shows which processes are currently running and their command paths.

show syslocation
This command displays the physical location of the switch, if it has been specified in the configuration file.

Configuration Manager Commands
show roleinfo
This command displays the role of the switch.
show local-switches
This command displays the IP Address and location of each local switch.
show location
This command displays the physical location of the switch.

Layer 2/Layer 3 Commands
Layer 2 Commands
show mac-address-table
Displays the MAC addresses that have either been learned or that have been manually configured for each device.

show spantree
This command displays information about the status of spanning-tree ports. Execute this command with no options to view the spanning tree configuration for all the ports on the switch. Options:
• blocking  Displays the ports in a blocking state.
• forwarding  Displays the ports in a forwarding state.
show spanning-tree
This command displays information about the spanning tree topology.

show vlan []
This command displays the name and ports for the specified vlan. If the parameter is not specified, then the command displays information for all the vlans on the switch.

Layer 3 Commands
show ip route [static]
(Alcatel) # show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static
       U - route usable, * - candidate default
Gateway of last resort is 10.3.25.254 to network 0.0.0.0
S*  0.0.0.0/0 [0/0] via 10.3.25.254*
C   10.3.25.0 is directly connected, VLAN1
C   10.2.12.0 is directly connected, VLAN212
C   10.2.13.0 is directly connected, VLAN213
C   10.1.5.0 is directly connected, VLAN7
show routerid
This command displays the IP Address of the switch.

show arp
(Alcatel) # show arp
Protocol  Address
Internet  10.3.25.170
Internet  10.1.5.254
Internet  10.1.5.1
Internet  10.3.25.237
Internet  10.1.5.11
Internet  10.2.12.253
Internet  10.2.13.174
Internet  10.3.25.242
Internet  10.3.25.253
Internet  10.3.25.219
Internet  10.3.25.182
Internet  10.3.25.254
Internet  10.3.25.
DHCP Commands
show ip dhcp database
This command displays information about DHCP pools created using the ip dhcp pool command.
(Alcatel) # show ip dhcp database
# 212
subnet 10.2.12.0 netmask 255.255.255.0 {
  option domain-name "Alcatelnetworks.com";
  option domain-name-servers 10.1.1.2;
  option netbios-name-servers 10.1.1.2;
  option routers 10.2.12.254;
  range 10.2.12.21 10.2.12.253;
}
# 213
subnet 10.2.13.0 netmask 255.255.255.0 {
  option domain-name "Alcatelnetworks.

Interface Commands
show port link-event
This command displays a count of up/down links on each of the switch's ports.
show port monitor
This command displays the current configuration of the port monitor.
show port stats
This command displays statistics about the amount of packet and byte traffic on each port.
show port status
This command displays the status of each port on the switch.
• POE
• Trusted
• SpanningTree
• PortMode
show port trusted
This command displays a list of trusted ports.

show interface counters
This command displays the various inbound and outbound packet counters on each port.

show interface {fastethernet|gigabitethernet} / [switchport] [allowed-vlan|native-vlan]
This command displays information about the interface. The parameters must be specified in the order shown above. The show interface command may be invoked as is, with no arguments. If so, it will display verbose information about all the interface ports. Specifying parameters will provide increasing levels of granularity.

show interface fastethernet /
(Alcatel) # show interface fastethernet 2/1
Fa 2/1 is up, line protocol is down
Hardware is FastEthernet, address is 00:0B:86:00:15:82 (bia 00:0B:86:00:15:82)
Description: 10/100 Copper-Level
Encapsulation ARPA, loopback not set
Duplex ( AUTO ), speed ( AUTO )
MTU 1500 bytes, BW is 200 Mbit
Last clear of "show interface" counters 1 day 12 hr 16 min 48 sec
link status last changed 1 day 12 hr 16 min 48 sec
0 packets input

show interface fastethernet / switchport native-vlan
(Alcatel) # show interface fastethernet 2/1 switchport native-vlan
1 (Default)

show interface gigabitethernet
(Alcatel) # show interface gigabitethernet 2/24
Gig 2/24 is up, line protocol is down
Hardware is Gigabit Ethernet, address is 00:0B:86:00:17:99 (bia 00:0B:86:00:17:99)
Description: Gigabit-Level
Encapsulation ARPA, loopback not set
Duplex ( AUTO ), speed ( AUTO )
MTU 1500 bytes, BW is 2000 Mbit
Last clear of

show interface port-channel <0-7>
(Alcatel) # show interface port-channel 0
Port-Channel id 0 is administratively up
Hardware is Port-Channel, address is 00:0B:86:00:15:81 (bia 00:0B:86:00:15:81)
Description: Unit: 0, Slot: 4, Port: 0, Link Aggregate, cardID: 0xff010001
Spanning Tree is disabled
VLAN membership: 1
Member port:
Last clear of "show interface" counters 1 day 12 hr 29 min 14 sec
link status last changed 1 day 12 hr 29 min 14 sec
0 packets input, 0 b

Local Database Commands
show local-userdb []
This command displays information about local users.
VPN Commands
IPSec Commands
show crypto dp
This command displays the last few add and delete commands sent from the control path to the data path.
show crypto isakmp {policy|sa|key}
This command displays information about the Internet Key Exchange (IKE) policies, keys, and security associations. It displays the data encryption and authentication method(s), and how often the encryption keys are changed.

show crypto ipsec transform-set [tag ]
This command displays the encryption and data authentication type associations used in the transform-set-name specified in the tag parameter of the command. If no tag parameter is invoked, then the command returns the default transform-set.

L2TP Commands
show vpdn tunnel {l2tp|pptp|tunnel} [id ]
This command displays information about the tunnel specified by tunnelID in the id parameter. The following information is returned when the tunnel id is not specified.
(Alcatel) # show vpdn tunnel l2tp
L2TP Tunnel Information (Total tunnels = 1)
Tunnel ID = 17767 is up, remote id is 67
Tunnel state is SCCCN: Connection Connected
Remote Internet Address 10.3.14.

show vpdn {l2tp|pptp} configuration
This command displays information about the VPN tunnel settings.
L2TP option
(Alcatel) # show vpdn l2tp configuration
Enabled
Hello timeout: 60 seconds
DNS primary server: 10.1.1.2
DNS secondary server: 0.0.0.0
WINS primary server: 10.1.1.2
WINS secondary server: 0.0.0.0
PPP client authentication methods:
CACHE-SECURID: timeout 1440 minutes
IP LOCAL POOLS:
pool1: 10.2.15.1 - 10.2.15.

show vpdn {l2tp|pptp} local pool []
This command displays information about local pools.
(Alcatel) # show vpdn l2tp local pool
IP addresses used in pool p1
10.7.1.

VPN Dialer Commands
show vpn-dialer []
This command displays all the attributes of the specified dialername. If no dialername parameter is specified, the command displays information about all the dialers.

PPTP Commands
show vpdn pptp configuration
This command displays the VPN configuration for PPTP. This command is exactly analogous to the show vpdn {l2tp|pptp} configuration command.
(Alcatel) # show vpdn pptp configuration
Enabled
Hello timeout: 60 seconds
DNS primary server: 0.0.0.0
DNS secondary server: 0.0.0.0
WINS primary server: 0.0.0.0
WINS secondary server: 0.0.0.
Mobility Commands
show mobile active-user-table
This command displays information about all currently active users.
show foreign-agent [configuration|pending| security|status]
This command displays information about foreign agents associated with the switch. This information includes configuration, pending registration requests, security associations between the foreign agent and the home agent, and the current status of the foreign agent.

show home-agent [configuration|{security [foreign|mobile]}|status]
This command displays information about the home agent.
(Alcatel) # show home-agent security mobile
Authentication Algorithm: HMac MD5
Replay Method: Nonce
SPI: 1000
Binding Life: 400
Shared Secret: Alcatel
show home-agent options:
configuration   This option returns information related to the configuration of the home agent.

show mobile client [verbose ]
This command displays information about mobile clients currently registered with the home agent. If the command is issued without the IP argument it simply shows which clients are registered. If the command is issued with the verbose parameter and the client IP address it returns detailed information about the client.

show mobile configuration
This command displays information about the mobility manager configuration.
(Alcatel) # show mobile configuration
Switch IP: 10.3.25.1
Master: 10.3.25.1
Mobility: Enabled
Proxy Dhcp: Enabled
Local Mobility Agent: 127.0.0.

show mobile home-agents {global|local}
This command displays the home agent tables.
(Alcatel) # show mobile home-agents global
Home Agent Table
----------------
Id  Subnet     Netmask        HomeAgent
--  ---------  -------------  ---------
1   10.3.25.0  255.255.255.0  10.3.25.1
2   10.1.5.0   255.255.255.0  10.3.25.1
3   10.2.12.0  255.255.255.0  10.3.25.1
4   10.2.13.0  255.255.255.0  10.3.25.

show mobile messages
(Alcatel) # show mobile messages
Datapath Messages
-----------------
Opcode  Type     Sent   Recvd
------  -------  -----  -----
0x4     Session  0      N/A
0x5     Forward  84     N/A
0x2     Bridge   515    N/A
0x15    Mac      12239  10972
0x17    Tunnel   0      0
0x8     Arp      262    8
The messages shown by the mobile messages command are listed below; each message table contains the opcode, type of message, number sent, and number received.

show mobile received-packets
(Alcatel) # show mobile received-packets 5
Packet History
--------------
No.  Time                      DestIp                   Type  Action
---  ------------------------  -----------------------  ----  ------
1    Fri Aug 8 07:26:47 2003   10.3.25.237  10.3.25.1   GRE
2    Fri Aug 8 07:26:47 2003   10.3.25.237  10.3.25.1   GRE
3    Fri Aug 8 07:26:47 2003   10.3.25.237  10.3.25.1   GRE
4    Fri Aug 8 07:26:47 2003   10.3.25.237  10.3.25.1   GRE
5    Fri Aug 8 07:26:47 2003   10.3.25.237  10.3.25.

show mobile registration-statistics
This command displays mobile IP packet registration statistics for a user with the IP address specified in the IP variable.
(Alcatel) # show mobile registration-statistics 10.3.25.

show mobile tunnels [ mobile-ip | sap ]
This command displays all the IPIP tunnels existing between M-switches.
(alpha) (config) # show mobile tunnels sap
Sap Tunnels
-----------
No.  TunnelId  Bssid              Essid             IP           Vlan
---  --------  -----------------  ----------------  -----------  ----
1    0x1069    00:0b:86:9d:5e:28  Alcatel-alpha-ap  10.3.25.249  1
2    0x106a    00:0b:86:9d:5e:28  alpha-guest       10.3.25.249  7
3    0x106b    00:0b:86:9d:5e:20  Alcatel-alpha-ap  10.3.25.249  1
4    0x106c    00:0b:86:9d:5e:20  alpha-guest       10.3.25.249  7
5    0x106d    00:0b:86:9d:5b:f0  alpha-guest       10.

show mobile user-status [address ] [mac-address ]
(Alcatel) # show mobile user-status address 10.3.25.237
RoamingState: User is currently associated with this Mswitch which is the Home Mswitch for the user. The user is on the Home Vlan
Mobility State
--------------
Home Agent  Home Network  Home Vlan  DHCP State
----------  ------------  ---------  ----------
10.3.25.1   10.3.25.

show mobile vlan-configuration
This command displays all the current VLANs on the switch.
(Alcatel) (config) #show mobile vlan-configuration
Vlan Configuration
------------------
Vid  Subnet         Netmask
---  -------------  -------------
1    10.3.25.0      255.255.255.0
7    10.1.5.0       255.255.255.0
212  10.2.12.0      255.255.255.0
213  10.2.13.0      255.255.255.0
999  64.60.249.192  255.255.255.
Air Management Commands
Air Monitor Commands
show pcap free-space
(Alcatel) # show pcap free-space 10.1.1.162
free-memory:1027072 bytes
This command displays the amount of memory available for pcap batch files.
show pcap status
This command displays the state of all active PCAP sessions.
show am air-mac
This command displays information about all the MACs on the wireless side of the specified air monitor.

show am bssid-scan
This command lists the ....
(Alcatel) (config) #show am bssid-scan 10.3.25.

show am pot-ap-list
This command displays the BSSIDs seen on the specified air monitor which it cannot classify as access points.
(Alcatel) (config) #show am pot-ap-list 10.3.25.

show am stats [verbose]
TIP: You can find an AP or AM IP address and MAC by using the show stm connectivity command.
show ap stats [verbose]
(Alcatel) # show ap stats 10.2.12.
show am association
This command displays information about a specific station associated with an air monitor.
(Alcatel) # show am association 10.1.1.162 00:0b:86:80:24:10
Association Table
-----------------
mac                rsta-type  auth  phy-type
---                ---------  ----  --------
00:0b:fd:52:dc:f6  valid      yes   80211b

show am ap-list
This command displays basic information about access points.
(Alcatel) # show am ap-list 10.1.1.

show am sta-list
(Alcatel) # show am sta-list 10.1.1.

show am version
(Alcatel) # show am version 10.1.1.162
$Id: //depot/margot/FCS1.1/soft-ap/asap_module/release.h#51 $
$Revision: #51 $
$Author: p4build $
$DateTime: 2003/08/05 23:30:29 $
$DateTime: 2005/08/05 23:30:29 $

show am scan-times
This command displays the scan times for the specified Air Monitor.
(alpha) (config) #show am scan-times 10.3.25.

show am counters
(Alcatel) # show am counters 10.1.1.
WMS Commands
WMS commands are privileged commands entered from the WMS sub-mode.
1 Enter the privileged mode. Type configure terminal
2 Enter the WMS mode. Type wms

show wms
This command displays information about the wireless management system and its components. Options:
• ap  Displays information about a specified access point.
• ap-config  Displays information about valid access point configurations.
• ap-policy  Displays the ap-policy attributes.

show wms ap
This command displays the monitors that are listening to the access point specified in the BSSID argument. The soft-ap entry in the displayed data is the station itself.
(Alcatel) (config) #show wms ap 00:0b:86:20:28:13
AP Info
-------
BSSID              SSID         Channel
-----              ----         -------
00:0b:86:20:28:13  alpha-guest  1
Probe Info
----------
MAC                IP
---                --
00:0b:86:20:27:a0  10.
00:0b:86:20:28:13
00:0b:86:20:27:ac
00:0b:86:20:27:a1
00:0b:86:20:27:a6

show wms sta
This command displays the monitors that are listening to the station specified in the MAC Address argument. The soft-ap entry in the displayed data is the station itself.
(Alcatel) (config) #show wms sta 00:30:f1:71:93:d5
AP Info
-------
BSSID              SSID         Channel
-----              ----         -------
00:30:f1:71:93:d5  alpha-guest  48
Probe Info
----------
MAC                IP           Loc
---                --           ---
00:30:f1:71:94:08  10.3.25.249  1.2.3
00:0b:86:a0:00:5a  10.2.12.252  1.1.
00:30:f1:71:93:54  10.3.25.248
00:30:f1:71:93:d5  10.1.1.150

show wms counters
(Alcatel) # show wms counters
Counters
--------
Name                    Value
----                    -----
DB Reads                2266
DB Writes               382945
Remove Event            206
Probe Register          105
AP Message              10196
Set RAP Type            5221
STA Message             14332
Set RSTA Type           2480
Configuration Update    110
Poll Request            19091
Poll Response           19080
Probe AP Type           76
Probe Unsecure AP       1
SAP Down                13
Probe Wired MAC Update  107
Add Event               371

Site Survey Commands
show site survey calibration [dst | max-per | src

show site survey in-progress
This command displays information about any site survey currently in progress.

Station Management Commands
This family of commands displays information about station management functions.
show stm ap-list []
This command displays ID and location information about access points associated with the switch. You may filter on an essid to narrow the amount of information returned by the command.

show stm dos-sta
This command displays information about stations that are currently subject to DoS (Denial of Service).
show stm essid
This command displays all the active ESSIDs on the switch.
show stm holes
This command displays all the detected coverage holes.
show stm packets
This command displays the last specified number of packets received by the switch.

Access Point Management Commands
Alcatel Soft AP Commands
show ap config location
This command displays the configuration of a specified access point. Location and BSSID information about access points may be obtained using the show stm connectivity command.
(Alcatel) (config) #show ap config location 1.1.2
CONFIG_AP_RESULT
----------------
PARAMETER
---------
Location (Bldg.Flr.

show ap configs
This command displays the configuration information for all APs.
show ap effective-config bssid
This command displays the actual configuration that will be applied to a BSSID. The command traverses the configuration tree and site survey database to compile the configuration. The BSSID of the access point may be obtained using the show stm connectivity command.

show ap keys
This command displays the keys for the AP in the specified location. If the encrypt feature has been enabled the keys will display as a string of asterisks (****). Use the (Alcatel)(config)# encrypt disable command to see the keys.
show ap-leds
This command displays the AP LED state for all access points on a specified slot. The condition numbers are explained below.

show ap registered location
(Alcatel) # show ap registered location 0.0.0
AP_REGISTRATIONS_RESULT
-----------------------
LOC    SAP_IP       LMS_IP
-----  -----------  -----------
1.1.1  10.2.13.194  10.2.13.254
1.1.2  10.2.12.253  10.2.12.254
1.1.3  10.1.1.56    10.3.25.1
1.1.4  10.2.12.212  10.2.12.254
1.2.1  10.3.25.252  10.3.25.1
1.2.2  10.3.25.237  10.3.25.1
1.2.3  10.3.25.253  10.3.25.1
Num APs:7

Authentication Commands
General Authentication Commands
show netservice []
(Alcatel) # show netservice Alcatel1645
Services
--------
Name         Protocol  Ports
----         --------  -----
Alcatel1645  udp       1645

show destination []
(Alcatel) # show destination
Services
--------
Name: Alcatel, user, RSA, mswitch, Alcatel2, any
Destination: 10.1.1.2 255.255.255.255 0.0.0.0 10.1.1.58 10.3.25.1 10.1.1.3 0.0.0.0 0.0.0.
• mac  Show information about a specific user by MAC address.
• mobile  Show information about mobile users.
• name  Show information about a specific user by user name.
• role  Show information about users with a specific role.
• verbose  Show all the information in the user table.

show user
This command displays information about users, including: roles, IP addresses, MAC addresses, user names, location, associations, and authentication methods.
• mobile  This option displays IP address, name, role, authentication, and location information for users that have moved away or are visiting the switch.
• name  This option displays VLAN, switch, and access point for a user identified by user name.
• role  This option displays IP address, MAC address, name, and authentication information for all users with the specified role.

IEEE 802.1x Commands
show dot1x config
The show dot1x config command displays the current values of the 802.1x authenticator's parameters. When the command is executed the system will display a screen similar to the one below.
• MAC Address of the supplicant
• User Name
• Authentication Status (yes/no)
• AP MAC
• Encryption Key
• Authorization Mode
• EAP type

show dot1x supplicant-info statistics
The show dot1x supplicant-info statistics command displays statistical information about each supplicant. When this command is executed the system returns a screen containing a table that includes the following statistical information about each of the supplicants.

Accounting, Authentication, Authorization
show aaa derivation-rules
This command displays derivation rules configured for an authentication server or for deriving roles based on user information. Options:
• server []  Display all the derivation rules configured for the specified server. Use this option without specifying a name to show rules for all servers.
• user  Display the rules for deriving user roles based on user information.

show aaa server-rules
This command displays the User Rule Table for the named authentication server. You may discover the names of the current authentication servers by using the show aaa radius-server command.

show aaa timers
(Alcatel) # show aaa timers
User idle timeout = 1 minutes
Auth Server dead time = 10 minutes
show aaa bandwidth-contracts
This command displays the name of each configured bandwidth contract and its associated rate.

show aaa state messages
(Alcatel) # show aaa state messages
PAPI Messages
-------------
Msg ID  Name           Since last Read
------  ----           ---------------
13      mm inter move  13
5004    set master ip  1
7005    Set switch ip  1
16      mm move user   11
RAW socket Messages
-------------------
Msg ID  Name         Since last Read
------  ----         ---------------
1       raw PAP req  1
Sibyte Messages
---------------
Opcode  Name        Since last Read
------  ----        -
3       route
15      acl
16      ace
17      user
29      wkey
30      station
42      nat
43      user tmout
53      ace log
56      forw unenc
64      auth

show aaa state user
(Alcatel) #show aaa state user 10.3.25.237
Name: Alcatel-alpha-ap, IP: 10.3.25.237, MAC: 00:30:f1:71:93:5c, Role:ap-role, Age: 03:17:48
Authentication: No, status: not started, method: , protocol: , server:
Role Derivation:
ACL Hits:

show aaa state configuration
(Alcatel) #show aaa state configuration
SAPI state: cfgm1, fpapps1, mob1, cert0
switch IP is 10.3.25.1
Master IP is 10.3.25.

show aaa localdb-server [server-name ]
(Alcatel) # show aaa localdb-server
Local Database Server Table
---------------------------
Pri  Host      IP addr    Retries  Timeout  Status   Inservice
---  --------  ---------  -------  -------  -------  ---------
1    Internal  10.3.25.1  3        5        Enabled  Yes

show aaa dot1x
The show aaa dot1x command displays which servers are configured for 802.1x authentication, the priority of each server, and the default role assigned to all users authenticated under 802.1x.

show aaa auth-server [server-name ] [server-type {radius|ldap|local}] [auth-method {cp|mac|vpn|dot1x}]
This command displays configuration information about authentication servers. The available options allow you to see all servers (no arguments), or you may view the servers by server type or authentication method.
show aaa web admin-port
This command displays the configured admin port numbers.

Access Lists Commands
show access-list [|]
Display a list of the configured ACLs, or a specific ACL by name or number. See show ip access-list.

show ip access-list [|]
Preferred form of the show access-list command. Display a list of the configured ACLs, or a specific ACL by name or number.

show time-range
This command displays currently configured time ranges.

Enhanced Show Commands
Depending on the target of the show command, the output is more clearly formatted in summary or detail tables:
• Summary Tables: The show commands that display information for a general feature or a large set of items output columns of information in a summary table. For example:
(Alcatel) # show datapath user table
User Table Entries
------------------
IP               MAC
---------------  -----------------
10.5.10.2        00:00:00:00:00:00
10.5.168.
• Detail Lists: The show commands that display information for a specific device, protocol, or event present detailed information in a list format. For example:
(Alcatel) # show ap config location 0.0.0
CONFIG_AP_RESULT
----------------
PARAMETER
---------
Location (Bldg.Flr.
OmniAccess Reference: AOS-W System Reference 908 Part 031652-00 May 2005
Part 6 Appendices
Glossary 10BaseT* An IEEE standard (802.3) for operating 10 Mbps Ethernet networks (LANs) with twisted pair cabling and a wiring hub. 802.11 standard* 802.11, or IEEE 802.11, is a type of radio technology used for wireless local area networks (Wireless LANs). It is a standard that has been developed by the IEEE (Institute of Electrical and Electronic Engineers), http://standards.ieee.org.
802.11b*
International standard for wireless networking that operates in the 2.4 GHz frequency range (2.4 GHz to 2.4835 GHz) and provides a throughput of up to 11 Mbps. This is a very commonly used frequency. Microwave ovens, cordless phones, medical and scientific equipment, as well as Bluetooth devices, all work within the 2.4 GHz frequency band.

802.11g*
Similar to 802.11b, but this standard provides a throughput of up to 54 Mbps. It also operates in the 2.
Authentication server
An entity that provides an authentication service to an authenticator. This service determines, from the credentials provided by the supplicant, whether the supplicant is authorized to access the services provided by the authenticator. Example: Microsoft IAS is an Authentication Server.

Authenticator
An entity at one end of a point-to-point LAN segment that facilitates authentication of the entity attached to the other end of that link. Example: OmniAccess-6000 is an 802.
Bus adapter*
A special adapter card that installs in a PC's PCI or ISA slot and enables the use of PC Card radios in desktop computers. Some companies offer one-piece PCI or ISA Card radios that install directly into an open PCI or ISA slot.

Captive Portal
A secure, dedicated, web connection between a client station and a server.
Crossover cable*
A special cable used for networking two computers without the use of a hub. Crossover cables may also be required for connecting a cable or DSL modem to a wireless gateway or access point. Instead of the signals transferring in parallel paths from one set of plugs to another, the signals "cross over." If an eight-wire cable was being used, for instance, the signal would start on pin one at one end of the cable and end up on pin eight at the other end.
DHCP*
A utility that enables a server to dynamically assign IP addresses from a predefined list and limit their time of use so that they can be reassigned. Without DHCP, an IT Manager would have to manually enter all the IP addresses of all the computers on the network. When DHCP is used, whenever a computer logs onto the network, it automatically gets an IP address assigned to it.
Encryption key*
An alphanumeric (letters and/or numbers) series that enables data to be encrypted and then decrypted so it can be safely shared among members of a network. WEP uses an encryption key that automatically encrypts outgoing wireless data. On the receiving side, the same encryption key enables the computer to automatically decrypt the information so it can be read.

Enterprise*
A term that is often applied to large corporations and businesses.
transmits packets it receives to all the connected ports. A small wired hub may only connect 4 computers; a large hub can connect 48 or more. Wireless hubs can connect hundreds.

Hz*
The international unit for measuring frequency, equivalent to the older unit of cycles per second. One megahertz (MHz) is one million hertz. One gigahertz (GHz) is one billion hertz.
IP address*
A 32-bit number that identifies each sender or receiver of information that is sent across the Internet. An IP address has two parts: an identifier of a particular network on the Internet and an identifier of the particular device (which can be a server or a workstation) within that network.

ISA*
A type of internal computer bus that allows the addition of card-based components like modems and network adapters. ISA has been replaced by PCI and is not very common anymore.
L2TP
Layer 2 Tunnelling Protocol. L2TP is an extension of Point-to-Point Protocol (PPP).

LAN*
A system of connecting PCs and other devices within the same physical proximity for sharing resources such as an Internet connection, printers, files and drives. When Wi-Fi is used to connect the devices, the system is known as a wireless LAN or Wireless LAN.
Network name*
Identifies the wireless network for all the shared components. During the installation process for most wireless networks, you need to enter the network name or SSID. Different network names are used when setting up your individual computer, wired network or workgroup.

NIC*
A type of PC adapter card that either works without wires (Wi-Fi) or attaches to a network cable to provide two-way communication between the computer and network devices such as a hub or switch.
Plug and Play*
A computer system feature that provides for automatic configuration of add-ons and peripheral devices such as wireless PC Cards, printers, scanners and multimedia devices.

PPTP
Point-to-Point Tunnelling Protocol. A secure method of transmitting data on a virtual private network (VPN).
Router*
A device that forwards data packets from one local area network (LAN) or wide area network (WAN) to another. Based on routing tables and routing protocols, routers can read the network address in each transmitted frame and make a decision on how to send it via the most efficient route based on traffic load, line costs, speed, bad connections, etc.

Server*
A computer that provides its resources to other computers and devices on a network.
SSL*
Commonly used encryption scheme used by many online retail and banking sites to protect the financial integrity of transactions. When an SSL session begins, the server sends its public key to the browser.
on a network. Every computer in a TCP/IP network has its own IP address that is either dynamically assigned at startup or permanently assigned. All TCP/IP messages contain the address of the destination network as well as the address of the destination station. This enables TCP/IP messages to be transmitted to multiple networks (subnets) within an organization or worldwide.

TLS
TLS (Transport Layer Security) provides privacy and data integrity between two communicating applications.
Wi-Fi*
An interoperability certification for wireless local area network (LAN) products based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard.

Wireless LAN*
Also referred to as LAN. A type of local-area network that uses high-frequency radio waves rather than wires to communicate between nodes.

WMS
Wireless LAN Management System

WPA, WPA/2
Wireless Protected Access and the update to this standard.