RoamAbout ® Mobility System Software Configuration Guide Version 5.
Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice.
Enterasys Networks, Inc. Firmware License Agreement BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT. This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc.
4. EXPORT RESTRICTIONS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products to certain countries, unless a license to export the Program is obtained from the U.S. Government or an exception from obtaining such license may be relied upon by the exporting party.
9. OWNERSHIP. This is a license agreement and not an agreement for sale. You acknowledge and agree that the Program constitutes trade secrets and/or copyrighted material of Enterasys and/or its suppliers. You agree to implement reasonable security measures to protect such trade secrets and copyrighted material. All right, title and interest in and to the Program shall remain with Enterasys and/or its suppliers. All rights not specifically granted to You shall be reserved to Enterasys. 10. ENFORCEMENT.
Enterasys Networks, Inc. Software License Agreement This document is an agreement (“Agreement”) between You, the end user, and Enterasys Networks, Inc. (“Enterasys”) that sets forth your rights and obligations with respect to the software contained in CD‐ROM or other media. BY UTILIZING THE ENCLOSED PRODUCT, YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT, WHICH INCLUDES THE LICENSE AND THE LIMITATION OF WARRANTY AND DISCLAIMER OF LIABILITY.
5. PROTECTION AND SECURITY. You agree not to deliver or otherwise make available the Licensed Materials or any part thereof, including without limitation the object or source code (if provided) of the Licensed Software, to any party other than Enterasys or its employees, except for purposes specifically related to your use of the Licensed Software on a single computer as expressly provided in this Agreement, without the prior written consent of Enterasys.
NEITHER ENTERASYS NOR ITS AFFILIATES MAKE ANY OTHER WARRANTY OR REPRESENTATION, EXPRESS OR IMPLIED, WITH RESPECT TO THE LICENSED MATERIALS, WHICH ARE LICENSED “AS IS”. THE LIMITED WARRANTY AND REMEDY PROVIDED ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WHICH ARE EXPRESSLY DISCLAIMED, AND STATEMENTS OR REPRESENTATIONS MADE BY ANY OTHER PERSON OR FIRM ARE VOID.
Contents

About This Guide
  Introducing the Enterasys Networks Mobility System  xxxiii
  Documentation  xxxiv
    Planning, Configuration, and Deployment  xxxiv
    Installation

Chapter 3: Configuring AAA for Administrative and Local Access
  Overview of AAA for Administrative and Local Access  3-1
  Before You Start  3-3
  About Administrative Access

  Disabling or Reenabling a Port  4-8
  Resetting a Port  4-8
  Displaying Port Information  4-9
    Displaying Port Configuration and Status

  Displaying the Aging Timeout Period  4-23
    Example  4-23
  Changing the Aging Timeout Period  4-23
    Example

  Managing Telnet Server Sessions  5-14
    Examples  5-14
  Managing HTTPS  5-15
    Enabling HTTPS

    Example  5-27
  Logging In to a Remote Device  5-28
    Examples  5-28
  Tracing a Route

    Example  7-6
  Displaying Roaming VLANs and Their Affinities  7-6
    Example  7-6
  Displaying Tunnel Information

  Public and Private SSIDs  9-17
  Encryption  9-18
  Radio Profiles  9-18
  RF Auto-Tuning

    Example  9-42
  Disabling Idle-Client Probing  9-42
    Example  9-42
  Changing the User Idle Timeout

    Example  9-58
  Displaying AP Status Information  9-59
    Example

  Enabling Dynamic WEP in a WPA Network  10-20
  Configuring Encryption for MAC Clients  10-22

Chapter 11: Configuring RF Auto-Tuning
  RF Auto-Tuning Overview  11-1
    Initial Channel and Power Assignment

  Configuring Call Admission Control  12-15
    Enabling CAC  12-16
      Example  12-16
    Changing the Maximum Number of Active Sessions

  Changing the STP Maximum Age  13-7
    Example  13-7
  Configuring and Managing STP Fast Convergence Features  13-7
    Port Fast Convergence

  Displaying Multicast Receivers  14-7
    Example  14-7

Chapter 15: Configuring and Managing Security ACLs
  About Security Access Control Lists

  Clearing Security ACLs from the Edit Buffer  15-19
    Example  15-19
  Using ACLs to Change CoS  15-20
    Example

  Installing CA-Signed Certificates from PKCS #12 Object Files  16-13
  Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File  16-14

Chapter 17: Configuring AAA for Network Users
  About AAA for Network Users  17-1
    Authentication

  WebAAA Requirements and Recommendations  17-24
    RoamAbout Switch Requirements  17-24
    Portal ACL and User ACLs  17-26
    Network Requirements

  Viewing Local Accounting Records  17-57
  Viewing Roaming Accounting Records  17-57
    Example  17-57
  Displaying the AAA Configuration

    Example  19-3
  Configuring 802.1X Key Transmission Time Intervals  19-3
    Examples  19-3
  Managing WEP Keys

  Specifying an Alternate SODA Agent Directory for a Service Profile  20-10
    Example  20-10
  Uninstalling the SODA Agent Files from the RoamAbout Switch  20-11
    Example

  Configuring an Ignore List  22-10
    Examples  22-10
  Enabling Countermeasures  22-11
    Examples

  Saving Configuration Changes  23-11
    Examples  23-11
  Specifying the Configuration File to Use After the Next Reboot  23-11
    Example

  Configuring and Managing the System Log  A-4
    Log Message Components  A-4
    Logging Destinations and Levels  A-4
    Using Log Commands

Appendix B: Enabling and Logging Into WebView
  Browser Requirements  B-1
  RBT Switch Requirements  B-1
  Logging Into WebView
About This Guide

For information about...                              Refer to page...
Introducing the Enterasys Networks Mobility System    xxxiii
Documentation                                         xxxiv
Getting Help                                          xxxv

This guide explains how to configure and manage a wireless LAN (WLAN) using the Mobility System Software™ command line interface (CLI) commands that you enter on a RoamAbout Switch. Read this guide if you are a network administrator or other person configuring and managing switches and Access Points (APs) in a network.
Documentation

Consult the following documents to plan, install, configure, and manage a Mobility System.

Planning, Configuration, and Deployment
• RoamAbout Switch Manager User’s Guide. Instructions for planning, configuring, deploying, and managing the entire WLAN with the RoamAbout Switch Manager (RASM) tool suite.

Text and Syntax Conventions

RoamAbout Switch manuals use the following text and syntax conventions:

Convention        Use
Monospace text    Sets off command syntax or sample commands and system responses.
Blue text         Indicates a hyperlink.
Bold text         Highlights commands that you enter or items you select.
Italic text       Designates command variables that you replace with appropriate values, or highlights publication titles or words requiring special emphasis.

Getting Help

• A description of your network environment (such as layout, cable type, other relevant environmental information)
• Network load and frame size at the time of trouble (if known)
• The device history (for example, if you have returned the device before, or if this is a recurring problem)
• Any previous Return Material Authorization (RMA) numbers
1 Using the Command-Line Interface

For information about...               Refer to page...
CLI Conventions                        1-1
Command Prompts                        1-2
Command-Line Editing                   1-7
Using CLI Help                         1-8
Understanding Command Descriptions     1-9

Mobility System Software (MSS) operates an Enterasys Networks Mobility System wireless LAN (WLAN) consisting of RoamAbout Switch Manager software, RoamAbout Switches, and Access Points (APs).
Command Prompts

By default, the MSS CLI provides the following prompt for restricted users. The mm portion shows the RoamAbout Switch model number (for example, 20) and the nnnnnn portion shows the last 6 digits of the switch’s media access control (MAC) address.
The CLI does not support the following special characters in any named element, such as an SSID or VLAN name: ampersand (&), angle brackets (< >), number sign (#), question mark (?), or quotation marks (“ ”). The CLI also does not support international characters such as the accented É in DÉCOR.

MAC Address Notation

MSS displays MAC addresses as hexadecimal bytes separated by colons (:), for example 00:01:02:1a:00:01.

User Globs, MAC Address Globs, and VLAN Globs

Name “globbing” is a way of using a wildcard pattern to expand a single element into a list of elements that match the pattern. MSS accepts user globs, MAC address globs, and VLAN globs. The order in which globs appear in the configuration matters: once a glob is matched, processing stops, so a later glob can never match a name that an earlier glob already covers. Put specific globs before general ones.

MAC Address Globs

A media access control (MAC) address glob is a similar method for matching some authentication, authorization, and accounting (AAA) and forwarding database (FDB) commands to one or more 6-byte MAC addresses.

Port Lists

The physical Ethernet ports on a RoamAbout Switch can be set for connection to APs, authenticated wired users, or the network backbone. You can include a single port or multiple ports in one MSS CLI command by using the appropriate list format for the port-list parameter. The ports on a RoamAbout Switch are numbered 1 through 4. No port 0 exists on the switch.
Command-Line Editing

MSS editing functions are similar to those of many other network operating systems.

Keyboard Shortcuts

The following table lists the keyboard shortcuts for entering and editing CLI commands:

Keyboard Shortcut(s)        Function
Ctrl+A                      Jumps to the first character of the command line.
Ctrl+B or Left Arrow key    Moves the cursor back one character.
Ctrl+C                      Escapes and terminates prompts and tasks.
Ctrl+D                      Deletes the character at the cursor.
Single-Asterisk (*) Wildcard Character

You can use the single-asterisk (*) wildcard character in globbing. For details, see “User Globs, MAC Address Globs, and VLAN Globs” on page 1-4.

Double-Asterisk (**) Wildcard Characters

The double-asterisk (**) wildcard character matches all usernames. For details, see “User Globs” on page 1-4.

Using CLI Help

The CLI provides online help. To see the full range of commands available at your access level, type the help command.
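The following Python program is an added example, not code from this guide or from MSS. It models an ordered table of globs of the kind described in the preceding sections, with first-match-wins processing, to show concretely why a catch-all glob placed before a specific one turns the specific rule into dead configuration. The wildcard semantics (a single * matches any run of characters, so ** matches every name), the rule tables, the rule values and the MAC addresses are all assumptions constructed for the example; normalize_mac only reproduces the colon-delimited notation shown under MAC Address Notation.

```python
import re


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC address to the colon-delimited lowercase form MSS
    displays (for example 00:01:02:1a:00:01). Accepts colon, hyphen or dot
    separators and rejects anything that is not exactly 6 bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 6-byte MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate a glob into an anchored regular expression.
    Assumption for this example: '*' matches any run of characters (so '**'
    matches every name); every other character is literal, case-insensitive."""
    return re.compile(".*".join(re.escape(part) for part in glob.split("*")),
                      re.IGNORECASE)


def first_match(rules, name):
    """Return the (glob, value) pair of the first rule whose glob matches name.
    Processing stops at the first match, which is why rule order matters."""
    for glob, value in rules:
        if glob_to_regex(glob).fullmatch(name):
            return glob, value
    return None


def first_mac_match(rules, mac):
    """first_match for MAC address globs, after canonicalizing the address."""
    return first_match(rules, normalize_mac(mac))


def dead_rules(rules):
    """Lint: rules that can never be reached because an earlier glob already
    covers them. Two cases are detected exactly: an earlier '**' (covers
    everything) and an exact-name rule whose name an earlier wildcard matches.
    Overlap between two wildcard globs is not analysed."""
    dead = []
    for i, (glob, value) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if earlier == "**" or ("*" not in glob
                                   and glob_to_regex(earlier).fullmatch(glob)):
                dead.append((glob, value))
                break
    return dead


# Constructed rule tables (not from the guide); the value is what the
# matching rule selects, for example an authentication method list.
GOOD_ORDER = [("natasha", "local"), ("*.guest", "sg1"), ("**", "sg1 none")]
BAD_ORDER = [("**", "sg1 none"), ("natasha", "local")]  # natasha never gets 'local'
MAC_RULES = [("00:01:02:*", "vlan-eng"), ("*", "vlan-guest")]

if __name__ == "__main__":
    print(first_match(GOOD_ORDER, "natasha"))
    print(first_match(BAD_ORDER, "natasha"))
    print("unreachable rules:", dead_rules(BAD_ORDER))
    print(first_mac_match(MAC_RULES, "00-01-02-1A-00-01"))
```

Running dead_rules over a rule table before committing it is the check worth automating: in BAD_ORDER the exact rule for natasha is unreachable and she is authenticated by the catch-all instead.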
Understanding Command Descriptions To see all the variations, type one of the commands followed by a question mark (?).
2 RoamAbout Switch Set Up Methods

For information about...                         Refer to page...
Overview                                         2-1
How a RoamAbout Switch Gets its Configuration    2-3
CLI quickstart Command                           2-4
Remote Configuration                             2-7
Opening the QuickStart Network Plan in RASM      2-8

This chapter describes the methods you can use to configure a RoamAbout Switch, and refers you to information for each method. Depending on your configuration needs, you can use one or a combination of these methods.
RoamAbout Switch Manager

You can use RoamAbout Switch Manager to remotely configure a “Staged Switch”. On any switch model, you can stage the switch to request its configuration from RoamAbout Switch Manager, by preconfiguring IP parameters and enabling the auto-config option. You also can use RoamAbout Switch Manager to plan your network, create RoamAbout Switches in the plan, then deploy the switch configurations to the real switches.

How a RoamAbout Switch Gets its Configuration

Figure 2-1 shows how a RoamAbout Switch gets a configuration when you power it on.

Figure 2-1 RoamAbout Switch Startup Algorithm (flowchart; the recoverable decision points are listed here)
• Switch is powered on.
• Does the switch have a configuration? Yes: the switch boots using its configuration file.
• Is auto-config enabled? No: the switch displays the CLI prompt. Yes: the switch contacts RASM to request a configuration.
• Was the factory reset button pressed during power-on?
• Test unit?

CLI quickstart Command

The quickstart command runs a script that interactively helps you configure the following items:
• System name
• Country code (regulatory domain)
• System IP address
• Default route
• 802.
To run the quickstart command:
1. Attach a PC to the RoamAbout Switch’s serial console port. (Use these serial settings: 9600 bps, 8 data bits, 1 stop bit, no parity, hardware flow control disabled.)
2. Press Enter three times to display a username prompt (Username:), a password prompt (Password:), and then a command prompt such as the following:
RBT-aabbcc>
3.
4.

• Username alice and password alicepass for 802.1X authentication; username bob and password bobpass for 802.1X authentication

The IP addresses, usernames, and passwords in this document are examples. Use values that are appropriate for your organization. If you configure time and date parameters, you are prompted for a name for the timezone and then, separately, for the timezone’s offset from UTC.

Enter the time (hh:mm:ss) []: 18:58:00
Enter the timezone []: EST
Enter the offset from GMT for 'EST' in hh:mm [0:0]: -5:0
Do you wish to configure wireless? [y]: y
Enter a clear SSID to use: public
Do you want Web Portal authentication? [y]: y
Enter a username with which to do Web Portal, to exit: user1
Enter a password for user1: pass1
Enter a username with which to do Web Portal, to exit: user2
Enter a password for user2: pass2
Enter a username with

Opening the QuickStart Network Plan in RASM

RoamAbout Switch Manager comes with two sample network plans:
• QuickStart. Contains a two-floor building with two RoamAbout Switches and two RoamAbout Access Points on each switch. Each switch and its APs provide coverage for a floor. The RoamAbout equipment is configured to provide both clear (unencrypted) and secure (802.1X) wireless access.
3 Configuring AAA for Administrative and Local Access For information about... Refer to page...
• Enabled mode. To enter the enabled mode of operation, you type the enable command at the command prompt. In enabled mode, you can use all CLI commands. Although MSS does not require an enable password, Enterasys Networks highly recommends that you set one.
• Customized authentication. You can require authentication for all users or for only a subset of users.

Figure 3-1 Typical Enterasys Mobility System (diagram; recoverable labels: Building 1 with Floor 1, Floor 2 and Floor 3; on each floor, APs attached through Layer 2 switches to RoamAbout Switches; a core router; a data center with Layer 2 or Layer 3 switches and RADIUS or AAA servers)

Before You Start

Before reading more of this chapter, use the RoamAbout Mobility System Software Quick Start to set up a RoamAbout Switch and the attached

About Administrative Access

The authentication, authorization, and accounting (AAA) framework helps secure network connections by identifying who the user is, what the user can access, and the amount of network resources the user can consume.

Access Modes

MSS provides AAA either locally or via remote servers to authenticate valid users.
First-Time Configuration Using the Console

Administrators must initially configure the RoamAbout Switch with a computer or terminal connected to the RoamAbout Switch console port through a serial cable. Telnet access is not initially enabled. To configure a previously unconfigured RoamAbout Switch via the console, you must complete the following tasks:
• Enable an administrator. (See “Enabling an Administrator” on page 3-5.)
• Configure authentication.

Setting the RoamAbout Switch Enable Password

There is one enable password for the entire RoamAbout Switch. You can optionally change the enable password from the default.

Note: By default no enable password is set. Enterasys recommends that you set one, so that a user who reaches a restricted prompt cannot enter enabled mode and run configuration commands without a further credential.

Setting the RoamAbout Switch Enable Password for the First Time

To set the enable password for the first time:
1.

Authenticating at the Console

You can configure the console so that authentication is required, or so that no authentication is required. Enterasys Networks recommends that you enforce authentication on the console port; without it, anyone with physical access to the serial port gets a CLI session with no credentials. To enforce console authentication, take the following steps:
1. Add a user to the local database by typing the following command with a username and password:
RBT-8100# set user username password password
2.

(For information about configuring users and user groups, see “Adding and Clearing Local Users for Administrative Access” on page 3-8.)

Setting User Passwords

Like usernames, passwords are case-sensitive. To make passwords harder to guess, use a mix of uppercase and lowercase letters and numbers. Enterasys Networks recommends that all users choose passwords that are memorable to themselves, difficult for others to guess, and not found in any word list, so that they do not fall to a dictionary attack.

Configuring Accounting for Administrative Users

Accounting allows you to track network resources. Accounting records can be updated for three events: when the user first connects, when the user roams from one AP to another, and when the user terminates his or her session. Accounting is off by default.

Displaying the AAA Configuration

To display your AAA configuration, type the following command:

RBT-8100# show aaa
Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5
retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server      Addr           Ports   T/o   Tries   Dead   State
-------------------------------------------------------------------
r1          192.168.253.
Administrative AAA Configuration Scenarios

The following scenarios illustrate typical configurations for administrative and local authentication. For all scenarios, the administrator is Natasha with the password m@Jor. (For RADIUS server configuration details, see Chapter 18, Configuring Communication with RADIUS.)

Natasha also adds the RADIUS server (r1) to the RADIUS server group sg1, and configures Telnet administrative users for authentication through the group. She types the following commands in this order:

RBT-8100# set server group sg1 members r1
success: change accepted.
RBT-8100# set authentication admin * sg1
success: change accepted.
RBT-8100# save config
success: configuration saved.

Authentication When RADIUS Servers Do Not Respond

This scenario illustrates how to enable RADIUS authentication for both console and administrative users, but to unconditionally allow access for administrative and console users if the RADIUS server (in this case, server r1 in server group sg1) does not respond. To do this, Natasha adds the authentication method none after sg1 in the method list; MSS falls through to none only when no server in the group answers, not when a server rejects the login. Weigh the trade-off before using it: for as long as the RADIUS server is unreachable, anyone who can open a console or Telnet session is admitted without credentials, so this fallback belongs only on switches whose management access is otherwise tightly controlled, and a fallback to local authentication is the safer alternative where it fits.
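The following Python model is an added example, not code from this guide or from MSS. It walks an administrative authentication method list such as the scenario’s sg1 followed by none, and contrasts a RADIUS server that rejects a login with a RADIUS server that does not answer, so that the effect of none as the final method during an outage is visible side by side with a fallback to local authentication. The RadiusServer class is a scripted stand-in with no network I/O; the server name r1, group sg1 and the natasha/m@Jor credential come from the scenario, while the intruder login, the credential stores and the rule that a reject is final and never falls through are assumptions made for the example.

```python
from dataclasses import dataclass

ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"


@dataclass
class RadiusServer:
    """Scripted stand-in for a RADIUS server; nothing is sent on the network."""
    name: str
    users: dict            # constructed credential store, e.g. {"natasha": "m@Jor"}
    reachable: bool = True

    def request(self, user, password):
        if not self.reachable:
            return NO_RESPONSE  # every retransmission would time out
        return ACCEPT if self.users.get(user) == password else REJECT


def query_group(servers, user, password):
    """Try the group's servers in order. The first server that answers is
    authoritative, whether it accepts or rejects; NO_RESPONSE is returned only
    when no server in the group answered."""
    for server in servers:
        result = server.request(user, password)
        if result != NO_RESPONSE:
            return result
    return NO_RESPONSE


def authenticate(method_list, user, password, groups, local_users):
    """Walk a method list such as ['sg1', 'none']. A server group name is
    consulted through query_group, 'local' checks the switch's local user
    database, and 'none' accepts without any check. Fall through to the next
    method only when the current one produced no answer at all (assumption
    modelled here: a REJECT is final and never falls through)."""
    for method in method_list:
        if method == "none":
            return ACCEPT, method
        if method == "local":
            result = ACCEPT if local_users.get(user) == password else REJECT
        else:
            result = query_group(groups[method], user, password)
        if result != NO_RESPONSE:
            return result, method
    return REJECT, None  # nothing answered and there is no fallback method


def outage_comparison(user, password, radius_up):
    """Outcome of one login attempt under three method lists, with r1 up or down.
    Returns {method_list_text: (decision, method_that_decided)}."""
    r1 = RadiusServer("r1", users={"natasha": "m@Jor"}, reachable=radius_up)
    groups = {"sg1": [r1]}
    local = {"natasha": "m@Jor"}
    return {
        "sg1": authenticate(["sg1"], user, password, groups, local),
        "sg1 none": authenticate(["sg1", "none"], user, password, groups, local),
        "sg1 local": authenticate(["sg1", "local"], user, password, groups, local),
    }


if __name__ == "__main__":
    for up in (True, False):
        print("RADIUS up" if up else "RADIUS down")
        for who, pw in (("natasha", "m@Jor"), ("intruder", "guess")):
            print("  ", who, outage_comparison(who, pw, up))
```

With r1 down, the sg1 none list admits the intruder login with no credentials at all, while the sg1 local list still requires a valid local account; with r1 up, a wrong password is rejected by sg1 and none is never consulted.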
4 Configuring and Managing Ports and VLANs For information about... Refer to page...
Configuring and Managing Ports

Note: To configure for a DAP, refer to “Configuring for a Distributed DAP” on page 4-3 and Chapter 9, “Configuring Access Points”.

Table 4-1 Port Defaults Set By Port Type Change

Parameter          Wired Authentication                                          Network
VLAN membership    Removed from all VLANs. You cannot assign a wired              None.
                   authentication port to a VLAN. MSS automatically assigns
                   wired authentication ports to VLANs based on user traffic.

Configuring for a Distributed DAP

To configure a connection for a Distributed DAP (referred to as a DAP in the CLI), use the following command:

set dap dap-num serial-id serial-ID model {AP3000 | AP4102 | AP1602 | AP1102 | AP1002} radiotype {11a | 11b | 11g}

The dap-num parameter identifies the Distributed AP connection for the DAP. The range of valid connection ID numbers depends on the RoamAbout Switch model.
Example

To set port 1 as a wired authentication port, type the following command:

RBT-8100# set port type wired-auth 1
success: change accepted

This command configures port 1 as a wired authentication port supporting one interface and one simultaneous user session. For 802.

Example

To clear the port-related settings from port 1 and reset the port as a network port, type the following command:

RBT-8100# clear port type 1
This may disrupt currently authenticated users. Are you sure? (y/n) [n]y
success: change accepted.

Clearing a Distributed DAP

Note: When you clear a Distributed DAP, MSS ends user sessions that are using the DAP.

Configuring Media Type on a Dual-Interface Gigabit Ethernet Port (RBT-8400 only)

The gigabit Ethernet ports on an RBT-8400 have two physical interfaces: a 1000BASE-TX copper interface and a 1000BASE-SX or 1000BASE-LX fiber interface. The copper interface is provided by a built-in RJ-45 connector. The fiber interface is optional and requires insertion of a Gigabit interface converter (GBIC). Only one interface can be active on a port. By default, the GBIC (fiber) interface.
Configuring Port Operating Parameters

Autonegotiation is enabled by default on a RoamAbout Switch’s 10/100 Ethernet ports and gigabit Ethernet ports.

Note: All ports on the RBT-8100 and RBT-8400 switches support full-duplex operating mode only. They do not support half-duplex operation.

Note: Enterasys Networks recommends that you do not configure a switch port so that one side of the link uses autonegotiation while the other side is fixed at full-duplex. An autonegotiating port that receives no negotiation from its peer falls back to half-duplex, and the resulting duplex mismatch shows up as late collisions, CRC errors and severely reduced throughput rather than as a link failure. Configure both ends the same way.

Gigabit Ports, Autonegotiation and Flow Control

RoamAbout Switch gigabit ports use autonegotiation by default to determine capabilities for 802.3z flow control parameters. The gigabit ports can respond to IEEE 802.3z flow control packets. Some devices use this capability to prevent packet loss by temporarily pausing data transmission.
Configuring and Managing Ports Displaying Port Information You can use CLI commands to display the following port information: • Port configuration and status • Port statistics You also can configure MSS to display and regularly update port statistics in a separate window.
Configuring and Managing Ports Displaying Port Statistics To display port statistics, use the following command: show port counters [octets | packets | receive-errors | transmit-errors | collisions | receive-etherstats | transmit-etherstats] [port port-list] Example You can specify one statistic type with the command.
Configuring and Managing Ports If you use an option to specify a statistic type, the display begins with that statistic type. You can use one statistic option with the command. Use the keys listed in Table 4‐4 to control the monitor display. Table 4-4 Key Controls for Monitor Port Counters Display Key Effect on monitor display Spacebar Advances to the next statistics type. Esc Exits the monitor. MSS stops displaying the statistics and displays a new command prompt.
Configuring and Managing Ports Link Redundancy A port group ensures link stability by providing redundant connections for the same link. If an individual port in a group fails, the RoamAbout Switch reassigns traffic to the remaining ports. When the failed port starts operating again, the RoamAbout Switch begins using it for new traffic flows. Traffic that belonged to the port before it failed continues to be assigned to other ports.
Configuring and Managing Ports Removing a Port Group To remove a port group, use the following command: clear port-group name name Displaying Port Group Information To display port group information, use the following command: show port-group [name group-name] Example To display the configuration and status of port group server2, type the following command: RBT-8100# show port-group name server2 Port group: server2 is up Ports: 3, 4 Interoperating with Cisco Systems EtherChannel Load‐sharing port groups
Configuring and Managing VLANs Configuring and Managing VLANs Note: The CLI commands in this chapter configure VLANs on RoamAbout Switch network ports. The commands do not configure VLAN membership for wireless or wired authentication users. To assign a user to a VLAN, configure the RADIUS Tunnel-Private-Group-ID attribute or the VLAN-Name vendor specific attribute (VSA) for that user. (For more information, see Chapter 17, ”Configuring AAA for Network Users”.
Configuring and Managing VLANs Users and VLANs When a user successfully authenticates to the network, the user is assigned to a specific VLAN. A user remains associated with the same VLAN throughout the user’s session on the network, even when roaming from one RoamAbout Switch to another within the Mobility Domain.
Configuring and Managing VLANs Traffic Forwarding A RoamAbout Switch switches traffic at Layer 2 among ports in the same VLAN. For example, suppose you configure ports 1 and 2 to belong to VLAN 2 and ports 3 and 4 to belong to VLAN 3. As a result, traffic between port 1 and port 2 is switched, but traffic between port 1 and port 3 is not switched and needs to be routed by an external router. 802.1Q Tagging The tagging capabilities of the RoamAbout Switch are very flexible. You can assign 802.
Configuring and Managing VLANs Creating a VLAN To create a VLAN, use the following command: set vlan vlan-num name name Specify a VLAN number from 2 to 4093, and specify a name up to 16 alphabetic characters long. You cannot use a number as the first character in a VLAN name. Enterasys Networks recommends that you do not use the same name with different capitalizations for VLANs or ACLs. For example, do not configure two separate VLANs with the names red and RED.
Configuring and Managing VLANs Removing an Entire VLAN or a VLAN Port To remove an entire VLAN or a specific port and tag value from a VLAN, use the following command: clear vlan vlan-id [port port-list [tag tag-value]] Note: When you remove a VLAN, MSS completely removes the VLAN from the configuration and also removes all configuration information that uses the VLAN. If you want to remove only a specific port from the VLAN, make sure you specify the port number in the command.
Configuring and Managing VLANs Restricting Layer 2 Forwarding Among Clients By default, clients within a VLAN are able to communicate with one another directly at Layer 2. You can enhance network security by restricting Layer 2 forwarding among clients in the same VLAN. When you restrict Layer 2 forwarding in a VLAN, MSS allows Layer 2 forwarding only between a client and a set of MAC addresses, generally the VLAN’s default routers.
Managing the Layer 2 Forwarding Database 11:22:33:44:55:66 9 The En field indicates whether restriction is enabled. The Drops field indicates how many packets were addressed directly from one client to another and dropped by MSS. The Hits field indicates how many packets the permitted default router has received from clients.
Managing the Layer 2 Forwarding Database • Static—A static entry does not age out, regardless of how often the entry is used. However, like dynamic entries, static entries are removed if the RoamAbout Switch is powered down or rebooted. • Permanent—A permanent entry does not age out, regardless of how often the entry is used. In addition, a permanent entry remains in the forwarding database even following a reboot or power cycle.
Managing the Layer 2 Forwarding Database Example To display all entries in the forwarding database, type the following command: RBT-8100# show fdb all * = Static Entry. + = Permanent Entry. # = System Entry.
Managing the Layer 2 Forwarding Database Removing Entries from the Forwarding Database To remove an entry from the forwarding database, use the following command: clear fdb {perm | static | dynamic | port port-list} [vlan vlan-id] [tag tag-value] Examples To clear all dynamic forwarding database entries that match all VLANs, type the following command: RBT-8100# clear fdb dynamic success: change accepted.
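The following Python program is an added example, not MSS code and not part of this guide. It models the behaviour described in the Traffic Forwarding, Restricting Layer 2 Forwarding Among Clients and forwarding database sections above: frames are switched only among ports of the same VLAN, dynamic entries age out while static entries survive until a reboot and permanent entries survive a reboot, and a restricted VLAN keeps the Drops and Hits counters. The 300-second aging value, the MAC addresses and the treatment of a client broadcast in a restricted VLAN (delivered only to the permitted routers) are assumptions made for the example.

```python
"""Constructed simulation of VLAN-scoped Layer 2 switching, FDB entry types
and the Drops/Hits counters of a VLAN with restricted Layer 2 forwarding.
Illustrative code, not MSS code."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class FdbEntry:
    port: int
    kind: str          # "dynamic", "static" or "permanent"
    last_seen: float   # only used to age dynamic entries


class Switch:
    def __init__(self, port_vlan, aging_secs=300):      # aging default is an assumption
        self.port_vlan = dict(port_vlan)   # port number -> VLAN number
        self.aging_secs = aging_secs
        self.fdb = {}                      # (vlan, mac) -> FdbEntry
        self.restricted = {}               # vlan -> set of permitted MACs (default routers)
        self.drops = {}                    # vlan -> client-to-client frames dropped
        self.hits = {}                     # (vlan, permitted mac) -> frames from clients

    def add_entry(self, vlan, mac, port, kind="static"):
        self.fdb[(vlan, mac)] = FdbEntry(port, kind, 0.0)

    def restrict_l2(self, vlan, permitted_macs):
        self.restricted[vlan] = set(permitted_macs)
        self.drops[vlan] = 0
        for mac in permitted_macs:
            self.hits[(vlan, mac)] = 0

    def age_out(self, now):
        stale = [k for k, e in self.fdb.items()
                 if e.kind == "dynamic" and now - e.last_seen > self.aging_secs]
        for k in stale:
            del self.fdb[k]

    def reboot(self):
        # dynamic and static entries are lost; only permanent entries survive
        self.fdb = {k: e for k, e in self.fdb.items() if e.kind == "permanent"}

    def forward(self, in_port, src_mac, dst_mac, now):
        """Return the egress port list for one frame; [] means it was dropped."""
        vlan = self.port_vlan[in_port]
        key = (vlan, src_mac)
        # source learning refreshes dynamic entries but never overwrites static/permanent ones
        if key not in self.fdb or self.fdb[key].kind == "dynamic":
            self.fdb[key] = FdbEntry(in_port, "dynamic", now)
        self.age_out(now)
        permitted = self.restricted.get(vlan)
        if permitted is not None:
            if dst_mac in permitted:
                self.hits[(vlan, dst_mac)] += 1       # client -> default router
            elif src_mac not in permitted:
                if dst_mac == BROADCAST:
                    # assumption: a client's broadcast reaches only the permitted routers
                    return sorted({self.fdb[(vlan, m)].port for m in permitted
                                   if (vlan, m) in self.fdb})
                self.drops[vlan] += 1                  # client -> client is refused
                return []
        entry = self.fdb.get((vlan, dst_mac))
        if dst_mac == BROADCAST or entry is None:
            # unknown or broadcast destination: flood, but only within this VLAN
            return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)
        return [] if entry.port == in_port else [entry.port]


def demo():
    """Ports 1-2 in VLAN 2 and 3-4 in VLAN 3, as in the Traffic Forwarding text."""
    router, a, c, b, b2 = ("00:11:22:33:44:55", "aa:aa:aa:aa:aa:01",
                           "aa:aa:aa:aa:aa:02", "bb:bb:bb:bb:bb:01", "bb:bb:bb:bb:bb:02")
    sw = Switch({1: 2, 2: 2, 3: 3, 4: 3}, aging_secs=300)
    out = {}
    out["unknown_dst_flooded"] = sw.forward(2, a, router, now=0.0)   # router not yet learned
    out["learned_reply"] = sw.forward(1, router, a, now=1.0)         # a is now known on port 2
    out["cross_vlan"] = sw.forward(3, b, a, now=2.0)                 # VLAN 3 never reaches port 2
    sw.restrict_l2(2, {router})
    out["client_to_client"] = sw.forward(2, a, c, now=3.0)
    out["client_to_router"] = sw.forward(2, a, router, now=4.0)
    out["router_to_client"] = sw.forward(1, router, c, now=5.0)
    out["drops"], out["hits"] = sw.drops[2], sw.hits[(2, router)]
    out["after_aging"] = sw.forward(4, b2, b, now=400.0)             # b's entry has aged out
    out["b_aged_out"] = (3, b) not in sw.fdb
    sw.add_entry(3, "cc:cc:cc:cc:cc:01", 4, kind="static")
    sw.add_entry(2, router, 1, kind="permanent")
    sw.reboot()
    out["after_reboot"] = sorted(sw.fdb)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

Running the program shows the three points a practitioner cares about: a frame from port 3 is flooded only to port 4, never to the VLAN 2 ports; once VLAN 2 is restricted, a frame from one client to another is counted in Drops and never leaves the switch, while a frame to the router is counted in Hits; and after a reboot only the permanent entry remains in the forwarding database.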
Port and VLAN Configuration Scenario Port and VLAN Configuration Scenario This scenario assigns names to ports, and configures wired authentication ports, a load‐sharing port group, and VLANs. 1. Assign names to ports to identify their functions, and verify the configuration change.
5 Configuring and Managing IP Interfaces and Services
Configuring and Managing IP Interfaces Configuring and Managing IP Interfaces Many features, including the following, require an IP interface on the RoamAbout Switch: • Management access through Telnet • Access by RoamAbout Switch Manager • Exchanging information and user data with other RoamAbout switches in a Mobility Domain IP interfaces are associated with VLANs. At least one VLAN on a RoamAbout Switch must have an IP interface to provide management access.
Configuring and Managing IP Interfaces How MSS Resolves Conflicts with Statically Configured IP Parameters MSS compares the IP parameter values already configured on the switch with the values received from the DHCP server, and resolves any conflicts as follows: • IP address—If the VLAN also has a statically configured IP address, MSS uses an address from the DHCP server instead of the statically configured address.
Configuring and Managing IP Interfaces Example The IP interface table flags the address assigned by a DHCP server with an asterisk ( * ). In the following example, VLAN corpvlan received IP address 10.3.1.110 from a DHCP server. RBT-8100# show interface * = From DHCP VLAN Name Address Mask Enabled State RIB ---- --------------- --------------- --------------- ------- ----- -------4 corpvlan *10.3.1.110 255.255.255.
Configuring the System IP Address Configuring the System IP Address You can designate one of the IP addresses configured on a RoamAbout Switch to be the system IP address of the switch.
Configuring and Managing IP Routes Configuring and Managing IP Routes The IP route table contains routes that MSS uses for determining the interfaces for a RoamAbout Switch’s external communications. When you add an IP interface to a VLAN that is up, MSS automatically adds corresponding entries to the IP route table. For destination routes that are not directly attached, you can add static routes. A static route specifies the destination and the default router through which to forward traffic.
Configuring and Managing IP Routes Displaying IP Routes To display IP routes, use the following command: show ip route [destination] The destination parameter specifies a destination IP address. Examples To display the IP route table, type the following command: RBT-8100# show ip route Router table for IPv4 Destination/Mask Proto Metric NH-Type Gateway VLAN:Interface __________________ _______ ______ _______ _______________ _______________ 0.0.0.0/ 0 0.0.0.0/ 0 10.0.1.1/24 10.0.1.1/32 10.0.1.255/32 10.0.
Configuring and Managing IP Routes 0.0.0.0/ 0 0.0.0.0/ 0 10.0.2.1/24 10.0.2.1/32 10.0.2.255/32 224.0.0.0/ 4 Static Static IP IP IP IP 1 2 0 0 0 0 Router Router Direct Direct Direct Local 10.0.1.17 10.0.2.17 Down vlan:2:ip vlan:2:ip vlan:2:ip:10.0.1.1/24 vlan:2:ip:10.0.1.1/24 MULTICAST For more information about the fields in the output, see the RoamAbout Mobility System Software Command Line Interface Reference.
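The following Python program is an added example, not MSS code and not part of this guide. It models how a route table like the show ip route output above is consulted. Interface routes (Direct for the connected subnet, Local for the interface address and the subnet broadcast) are added when a VLAN interface is up; a static route names a gateway. The lookup rules used here, longest prefix first, then lowest metric, with a static route unusable while no up Direct route covers its gateway, are assumptions drawn from the Metric and Down columns of the output, as is the placement of 10.0.1.1/24 on VLAN 1 and 10.0.2.1/24 on VLAN 2.

```python
"""Constructed model of an IP route table with interface and static routes.
Illustrative code, not MSS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    proto: str              # "Static" or "IP" (added automatically for an interface)
    metric: int
    nh_type: str            # "Router", "Direct" or "Local"
    gateway: Optional[str]  # only for "Router" routes
    vlan: Optional[int]     # only for interface routes


def interface_routes(vlan: int, addr_with_len: str):
    """Routes added when an IP interface such as 10.0.1.1/24 comes up on a VLAN."""
    iface = ipaddress.ip_interface(addr_with_len)
    net = iface.network
    return [
        Route(net, "IP", 0, "Direct", None, vlan),
        Route(ipaddress.ip_network(f"{iface.ip}/32"), "IP", 0, "Local", None, vlan),
        Route(ipaddress.ip_network(f"{net.broadcast_address}/32"), "IP", 0, "Local", None, vlan),
    ]


def static_route(dest: str, gateway: str, metric: int = 1) -> Route:
    """Equivalent of 'set ip route default 10.0.1.17 1', or a prefix such as 192.0.2.0/24."""
    net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
    return Route(net, "Static", metric, "Router", gateway, None)


def resolve_gateway(table, gateway: str, vlan_up) -> Optional[Route]:
    """Find the up Direct route that reaches the gateway (the route's VLAN:Interface)."""
    gw = ipaddress.ip_address(gateway)
    direct = [r for r in table
              if r.nh_type == "Direct" and gw in r.prefix and vlan_up.get(r.vlan, False)]
    return max(direct, key=lambda r: r.prefix.prefixlen, default=None)


def next_hop(table, dest: str, vlan_up):
    """Return (nh_type, gateway, vlan) for dest, or None if no usable route exists."""
    dst = ipaddress.ip_address(dest)
    candidates = []
    for r in table:
        if dst not in r.prefix:
            continue
        if r.nh_type == "Router":
            via = resolve_gateway(table, r.gateway, vlan_up)
            if via is None:
                continue                     # shown as Down in the table: gateway unreachable
            candidates.append((r, via.vlan))
        elif vlan_up.get(r.vlan, False):
            candidates.append((r, r.vlan))
    if not candidates:
        return None
    # longest prefix wins; among equal prefixes the lowest metric wins
    best, vlan = min(candidates, key=lambda rv: (-rv[0].prefix.prefixlen, rv[0].metric))
    return best.nh_type, best.gateway or "", vlan


def build_table():
    """Two VLAN interfaces plus two default routes with metrics 1 and 2 (assumed layout)."""
    return (interface_routes(1, "10.0.1.1/24") + interface_routes(2, "10.0.2.1/24")
            + [static_route("default", "10.0.1.17", 1), static_route("default", "10.0.2.17", 2)])


if __name__ == "__main__":
    table = build_table()
    for dest in ("10.0.1.50", "10.0.1.255", "10.0.2.50", "192.0.2.9"):
        print(dest, next_hop(table, dest, {1: True, 2: False}))
```

With VLAN 2 down, the model shows why the second default route is listed with a Down gateway and is never chosen: its next hop 10.0.2.17 can only be reached through the VLAN 2 Direct route. Traffic for 10.0.2.50 then leaves through the metric 1 default route on VLAN 1 instead of the connected subnet, which is the situation to check for before removing a static route that a management session depends on.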
Managing the Management Services Removing a Static Route To remove a static route, use the following command: clear ip route {default | ip-addr mask | ip-addr/mask-length} default-router Note: After you remove a route, traffic that uses the route can no longer reach its destination. For example, if you are managing the RoamAbout Switch with a Telnet session and the session needs the static route, removing the route also removes the Telnet connection to the switch.
Managing the Management Services Session Timeouts Each SSH session is governed by two timeouts: • Idle timeout—controls how long an open SSH session can remain idle before MSS closes the session. The default idle timeout is 30 minutes. You can set the idle timeout to a value from 0 (disabled) to 2,147,483,647 minutes. • Absolute timeout—controls how long an SSH session can remain open, regardless of how active the session is. The absolute timeout is disabled by default.
Managing the Management Services Adding an SSH User To log in with SSH, a user must supply a valid username and password. To add a username and password to the local database, use the following command: set user username password password Optionally, you also can configure MSS either to locally authenticate the user or to use a RADIUS server to authenticate the user.
Managing the Management Services Managing SSH Server Sessions Use the following commands to manage SSH server sessions: show sessions admin clear sessions admin ssh [session-id] These commands display and clear SSH server sessions. Note: If you type the clear sessions admin ssh command from within an SSH session, the session ends as soon as you press Enter.
Managing the Management Services Adding a Telnet User To log in with Telnet, a user must supply a valid username and password. Telnet carries the username, the password and the whole session in clear text on the network, so use SSH for management access wherever possible. To add a username and password to the local database, use the following command: set user username password password Optionally, you also can configure MSS either to locally authenticate the user or to use a RADIUS server to authenticate the user.
Managing the Management Services Managing Telnet Server Sessions Use the following commands to manage Telnet server sessions: show sessions admin clear sessions admin telnet [session-id] These commands display and clear management sessions from a remote client to the RoamAbout Switch’s Telnet server. Note: If you type the clear sessions admin telnet command from within a Telnet session, the session ends as soon as you press Enter.
Managing the Management Services Managing HTTPS Enabling HTTPS HTTPS is disabled by default. To enable HTTPS, use the following command: set ip https server {enable | disable} Caution: If you disable the HTTPS server, WebView access to the switch is also disabled.
Configuring and Managing DNS Changing the Idle Timeout for CLI Management Sessions By default, MSS automatically terminates a console or Telnet session that is idle for more than one hour. To change the idle timeout for CLI management sessions, use the following command: set system idle-timeout seconds You can specify from 0 to 86400 seconds (one day). The default is 3600 (one hour). If you specify 0, the idle timeout is disabled. The timeout interval is in 30-second increments.
Configuring and Managing DNS Configuring DNS Servers You can configure a RoamAbout Switch to use one primary DNS server and up to five secondary DNS servers to resolve DNS queries. The RoamAbout Switch always sends a request to the primary DNS server first. The RoamAbout Switch sends a request to a secondary DNS server only if the primary DNS server does not respond.
Configuring and Managing Aliases Displaying DNS Server Information To display DNS server information, use the following command: show ip dns Example The following example shows DNS server information on a RoamAbout Switch configured to use three DNS servers.
RBT-8100# show ip dns
Domain Name: example.com
DNS Status: enabled
IP Address      Type
----------------------------------
10.1.1.1        PRIMARY
10.1.1.2        SECONDARY
10.1.2.
Configuring and Managing Aliases Displaying Aliases To display aliases, use the following command: show ip alias [name] Example
RBT-8100# show ip alias
Name                 IP Address
-------------------- --------------------
HR1                  192.168.1.2
payroll              192.168.1.3
radius1              192.168.7.
Configuring and Managing Time Parameters Configuring and Managing Time Parameters You can configure the system time and date statically or by using Network Time Protocol (NTP) servers. In each case, you can specify the offset from Coordinated Universal Time (UTC) by setting the time zone. You also can configure MSS to offset the time by an additional hour for daylight savings time or similar summertime period.
Configuring and Managing Time Parameters Displaying the Time Zone To display the time zone, use the following command: show timezone Example To display the time zone, type the following command: RBT-8100# show timezone Timezone set to 'PST', offset from UTC is -8 hours Clearing the Time Zone To clear the time zone, use the following command: clear timezone Configuring the Summertime Period The summertime period offsets the system time +1 hour and returns it to standard time for daylight savings time or
Configuring and Managing Time Parameters Displaying the Summertime Period To display the summertime period, use the following command: show summertime Example To display the summertime period, type the following command: RBT-8100# show summertime Summertime is enabled, and set to 'PDT'. Start : Sun Apr 04 2004, 02:00:00 End : Sun Oct 31 2004, 02:00:00 Offset : 60 minutes Recurring : yes, starting at 2:00 am of first Sunday of April and ending at 2:00 am on last Sunday of October.
Configuring and Managing Time Parameters Configuring and Managing NTP The Network Time Protocol (NTP) allows a networking device to synchronize its system time and date with the time and date on an NTP server. When used on multiple devices, NTP ensures that the time and date are consistent among those devices. The NTP implementation in MSS is based on RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis.
Configuring and Managing Time Parameters Changing the NTP Update Interval The default update interval is 64 seconds. To change the update interval, use the following command: set ntp update-interval seconds You can specify an interval from 16 through 1024 seconds. Example To change the NTP update interval to 128 seconds, type the following command: RBT-8100# set ntp update-interval 128 success: change accepted.
Managing the ARP Table Managing the ARP Table The Address Resolution Protocol (ARP) table maps IP addresses to MAC addresses. An ARP entry enters the table in one of the following ways: • Added automatically by the RoamAbout Switch. A switch adds an entry for its own MAC address and adds entries for addresses learned from traffic received by the RoamAbout Switch. When the RoamAbout Switch receives an IP packet, the switch adds the packet’s source MAC address and source IP address to the ARP table.
Managing the ARP Table Example To add a static ARP entry that maps IP address 10.10.10.1 to MAC address 00:bb:cc:dd:ee:ff, type the following command: RBT-8100# set arp static 10.10.10.1 00:bb:cc:dd:ee:ff success: added arp 10.10.10.1 at 00:bb:cc:dd:ee:ff on VLAN 1 Changing the Aging Timeout The aging timeout specifies how long a dynamic entry can remain unused before the software removes the entry from the ARP table. The default aging timeout is 1200 seconds (20 minutes).
Pinging Another Device Pinging Another Device To verify that another device in the network can receive IP packets sent by the RoamAbout Switch, use the following command: ping host [count num-packets] [dnf] [flood] [interval time] [size size] [sourceip ip-addr | vlan-name] Example To ping a device that has IP address 10.1.1.1, type the following command: RBT-8100# ping 10.1.1.1 PING 10.1.1.1 (10.1.1.1) from 10.9.4.34 : 56(84) bytes of data. 64 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=0.
Logging In to a Remote Device Logging In to a Remote Device From within an MSS console session or Telnet session, you can use the Telnet client to establish a Telnet client session from a RoamAbout switch’s CLI to another device. To establish a Telnet client session with another device, use the following command: telnet {ip-addr | hostname} [port port-num] Examples To establish a Telnet session from an RBT‐8100 to 10.10.10.90, type the following command: RBT-8100# telnet 10.10.10.90 Session 0 pty tty2.
Tracing a Route Tracing a Route You can trace the router hops necessary to reach an IP host. The traceroute facility uses the TTL (Time to Live) field in the IP header to cause routers and servers to generate specific return messages. Traceroute starts by sending a UDP datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, it drops the datagram and sends back an ICMP Time Exceeded message to the sender.
IP Interfaces and Services Configuration Scenario IP Interfaces and Services Configuration Scenario This scenario configures IP interfaces, assigns one of the interfaces to be the system IP address, and configures a default route, DNS parameters, and time and date parameters. 1. Configure IP interfaces on the rbt_mgmt and roaming VLANs, and verify the configuration changes. Type the following commands: RBT-8100# set interface rbt_mgmt ip 10.10.10.10/24 success: change accepted.
IP Interfaces and Services Configuration Scenario 3. Configure a default route through a default router attached to the RoamAbout Switch and verify the configuration change. Type the following commands: RBT-8100# set ip route default 10.20.10.1 1 success: change accepted. RBT-8100# show ip route Router table for IPv4 Destination/Mask Proto Metric NH-Type Gateway VLAN:Interface __________________ _______ ______ _______ _______________ _______________ 0.0.0.0/ 0 10.10.10.10/24 10.10.10.10/32 10.20.10.
IP Interfaces and Services Configuration Scenario
RBT-8100# set ntp enable
success: NTP Client enabled
RBT-8100# show ntp
NTP client: enabled
Current update-interval: 20(secs)
Current time: Sun Feb 29 2004, 23:58:12
Timezone is set to 'PST', offset from UTC is -8:0 hours.
Summertime is enabled.
Last NTP update: Sun Feb 29 2004, 23:58:00
NTP Server      Peer state      Local State
--------------------------------------------------
192.168.1.5     SYSPEER         SYNCED
RBT-8100# show timedate
Sun Feb 29 2004, 23:59:02 PST
6.
6 Configuring SNMP For information about... Refer to page... Overview 6-1 Configuring SNMP 6-1 Displaying SNMP Information 6-10 MSS supports Simple Network Management Protocol (SNMP) versions 1, 2c, and 3. Overview The MSS SNMP engine (also called the SNMP server or agent) can run any combination of the following SNMP versions: • SNMPv1—SNMPv1 is the simplest and least secure SNMP version. Community strings are used for authentication. Communications are in the clear (not encrypted).
Configuring SNMP Setting the System Location and Contact Strings To set the location and contact strings for a switch, use the following commands: set system location string set system contact string Each string can be up to 256 characters long, with no blank spaces. Examples The following commands set a RoamAbout Switch’s location to 3rd_floor_closet and set the contact to sysadmin1: set system location 3rd_floor_closet success: change accepted. set system contact sysadmin1 success: change accepted.
Configuring SNMP • notify-read-write—An SNMP management application using the string can get and set object values on the switch. The switch can use the string to send notifications. Examples To clear an SNMP community string, use the following command: clear snmp community name comm-string The following command configures community string switchmgr1 with access level notify-read-write: set snmp community name switchmgr1 notify-read-write success: change accepted.
Configuring SNMP • To specify a key, use the auth-key hex-string option. Type a 16-byte hexadecimal string for MD5 or a 20-byte hexadecimal string for SHA. The encrypt-type option specifies the encryption type used for SNMP traffic. You can specify one of the following: • none—No encryption is used. This is the default. • des—Data Encryption Standard (DES) encryption is used. • 3des—Triple DES encryption is used. • aes—Advanced Encryption Standard (AES) encryption is used. Where the management station supports them, choose aes together with SHA authentication: single DES and MD5 are legacy algorithms, and none leaves SNMP traffic readable to anyone on the path.
Configuring SNMP • authenticated—SNMP message exchanges are authenticated but are not encrypted. (This security level is the same as the authNoPriv level described in SNMPv3 RFCs.) • encrypted—SNMP message exchanges are authenticated and encrypted. (This security level is the same as the authPriv level described in SNMPv3 RFCs.) • auth-req-unsec-notify—SNMP message exchanges are authenticated but are not encrypted, and notifications are neither authenticated nor encrypted.
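The following Python program is an added example, not MSS code and not part of this guide. It implements the SNMPv3 user-based security model key derivation from RFC 3414 (appendix A.2), which is what produces the 16-byte MD5 or 20-byte SHA key referred to above from a user's passphrase and the agent's engine ID, and it includes the length check a CLI must apply to a key typed directly with auth-key. Whether the MSS auth-key option expects this localized key or the un-localized intermediate key is not stated on the page and is left as an assumption; the "maplesyrup" passphrase and engine ID are the RFC's own test vector.

```python
"""RFC 3414 password-to-key and key localization for SNMPv3 USM.
Illustrative code, not MSS code."""
import hashlib

EXPANDED_LEN = 1024 * 1024                 # RFC 3414 A.2: passphrase is cycled out to 1 MiB
HASH_NAME = {"md5": "md5", "sha": "sha1"}
AUTH_KEY_LEN = {"md5": 16, "sha": 20}      # the hex-string lengths the CLI requires


def password_to_ku(password: bytes, algo: str) -> bytes:
    """Step 1: hash the passphrase repeated out to exactly 1 MiB, giving Ku."""
    if not password:
        raise ValueError("empty passphrase")
    h = hashlib.new(HASH_NAME[algo])
    reps, rest = divmod(EXPANDED_LEN, len(password))
    h.update(password * reps)
    h.update(password[:rest])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Step 2: bind Ku to one agent's engine ID, giving Kul. A Kul captured from
    one agent does not authenticate against an agent with a different engine ID."""
    return hashlib.new(HASH_NAME[algo], ku + engine_id + ku).digest()


def usm_auth_key(password: str, engine_id_hex: str, algo: str) -> str:
    """Localized authentication key as the hex string a CLI would accept.
    Assumption: this localized form is what auth-key hex-string expects."""
    ku = password_to_ku(password.encode("utf-8"), algo)
    kul = localize_key(ku, bytes.fromhex(engine_id_hex), algo)
    assert len(kul) == AUTH_KEY_LEN[algo]
    return kul.hex()


def valid_auth_key(hex_string: str, algo: str) -> bool:
    """Length check for a key typed directly: 16 bytes for MD5, 20 bytes for SHA."""
    try:
        raw = bytes.fromhex(hex_string)
    except ValueError:
        return False
    return len(raw) == AUTH_KEY_LEN[algo]


if __name__ == "__main__":
    # RFC 3414 appendix A.3 test vector: passphrase "maplesyrup", engine ID 00..02
    for algo in ("md5", "sha"):
        print(algo, usm_auth_key("maplesyrup", "000000000000000000000002", algo))
```

The localization step is the reason the same passphrase yields a different key on every switch: the key a manager stores for one engine ID is of no use against another. It also explains the fixed key lengths, since Kul is simply a digest of the chosen hash function.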
Configuring SNMP • ClientAuthorizationFailureTraps—Generated when authorization fails for a client. • ClientClearedTraps—Generated when a client's session is cleared. • ClientDeAssociationTraps—Generated when a client is disassociated from a radio. • ClientDot1xFailureTraps—Generated when a client experiences an 802.1X failure. • ClientRoamingTraps—Generated when a client roams. • CounterMeasureStartTraps—Generated when MSS begins countermeasures against a rogue access point.
Configuring SNMP • RFDetectUnAuthorizedAPTraps—Generated when MSS detects the MAC address of an AP that is on the attack list. • RFDetectUnAuthorizedOuiTraps—Generated when a wireless device that is not on the list of permitted vendors is detected. • RFDetectUnAuthorizedSsidTraps—Generated when an SSID that is not on the permitted SSID list is detected. To apply the configuration change to all notification types, specify all.
Configuring SNMP Configuring a Notification Target A notification target is a remote device to which MSS sends SNMP notifications. You can configure the MSS SNMP engine to send confirmed notifications (informs) or unconfirmed notifications (traps). Some of the command options differ depending on the SNMP version and the type of notification you specify. You can configure up to 10 notification targets.
Configuring SNMP Specify ip if the target's SNMP engine ID is based on its IP address. If the target's SNMP engine ID is a hexadecimal value, use hex hex-string to specify the value. The community-string is applicable only when the SNMP version is v1 or v2c. The profile-name is the notification profile. The default is default. The security option specifies the security level, and is applicable only when the SNMP version is usm: • unsecured—Message exchanges are not authenticated, nor are they encrypted.
Displaying SNMP Information Displaying SNMP Information You can display the following SNMP information: • Version and status information • Configured community strings • User‐based security model (USM) settings • Notification targets • SNMP statistics counters Displaying SNMP Version and Status Information To display SNMP version and status information, use the following command: show snmp status Displaying the Configured SNMP Community Strings To display the configured SNMP community strings, u
7 Configuring and Managing Mobility Domain Roaming For information about... Refer to page... About the Mobility Domain Feature 7-1 Configuring a Mobility Domain 7-2 Monitoring the VLANs and Tunnels in a Mobility Domain 7-5 Understanding the Sessions of Roaming Users 7-8 Mobility Domain Scenario 7-10 A Mobility Domain is a system of RoamAbout Switches and Access Points (APs) working together to support roaming wireless users (clients).
Configuring a Mobility Domain Configuring a Mobility Domain The RoamAbout switches in a Mobility Domain use their system IP address for Mobility Domain communication. To support the services of the Mobility Domain, the system IP address of every RoamAbout Switch requires basic IP connectivity to the system IP address of every other RoamAbout Switch. (For information about setting the system IP address for the RoamAbout Switch, see "Configuring the System IP Address" on page 5-5.
Configuring a Mobility Domain Configuring Member RoamAbout Switches on the Seed To configure the list of members on the Mobility Domain seed for distribution to other member RoamAbout switches, use the following command on the seed RoamAbout Switch: set mobility-domain member ip-addr Examples The following commands add two members with IP addresses 192.168.12.7 and 192.168.15.5 to a Mobility Domain whose seed is the current RoamAbout Switch: RBT-8100# set mobility-domain member 192.168.12.
Configuring a Mobility Domain Displaying Mobility Domain Status To view the status of the Mobility Domain for the RoamAbout Switch, use the show mobility-domain command. Example
RBT-8100# show mobility-domain
Mobility Domain name: Pleasanton
Member          State
---------------------------
192.168.12.7    STATE_UP
192.168.14.6    STATE_UP
192.168.15.
Configuring RBT-Switch to RBT-Switch Security Clearing a Mobility Domain Member from a Seed You can remove individual members from the Mobility Domain on the seed RoamAbout Switch. To remove a specific member of the Mobility Domain, type the following command: clear mobility-domain member ip-addr This command has no effect if the RoamAbout Switch member is not configured as part of a Mobility Domain or the current RoamAbout Switch is not the seed.
Monitoring the VLANs and Tunnels in a Mobility Domain MSS automatically adds virtual ports to VLANs as needed to preserve the associations of users to the correct subnet or broadcast domain as they roam across the Mobility Domain. Although tunnels are formed by IP between RoamAbout switches, the tunnels can carry user traffic of any protocol type.
Monitoring the VLANs and Tunnels in a Mobility Domain
vlan-pm     192.168.15.5    5
vlan-wep    192.168.12.7    5
vlan-wep    192.168.15.5    5
(For more information about this command and the fields in the output, see the RoamAbout Mobility System Software Command Line Interface Reference Guide.) Displaying Tunnel Information The command show tunnel displays the tunnels that the RoamAbout Switch is hosting to distribute to a locally attached VLAN.
Understanding the Sessions of Roaming Users Understanding the Sessions of Roaming Users When a wireless client successfully roams from one AP to another, its sessions are affected in the following ways: • The RoamAbout Switch treats this client session as a roaming session and not a new session. • RADIUS accounting is handled as a continuation of an existing session, rather than a new one.
Understanding the Sessions of Roaming Users Effects of Timers on Roaming An unsuccessful roaming attempt might be caused by the following timers. You cannot configure either timer. • Grace period. A disassociated session has a grace period of 5 seconds during which MSS can retrieve and forward the session history. After 5 seconds, MSS clears the session, and its accounting is stopped. • MAC address search.
Mobility Domain Scenario Mobility Domain Scenario The following scenario describes how to create a Mobility Domain named sunflower consisting of three members from a seed RoamAbout Switch at 192.168.253.21: 1. Make the current RoamAbout Switch the Mobility Domain seed. Type the following command: RBT-8100# set mobility-domain mode seed domain-name sunflower success: change accepted. 2. On the seed, add the members of the Mobility Domain.
8 Configuring Network Domains For information about... Refer to page... About the Network Domain Feature 8-1 Configuring a Network Domain 8-5 Network Domain Scenario 8-9 A Network Domain is a group of geographically dispersed Mobility Domains that share information over a WAN link. This shared information allows a user configured in one Mobility Domain to establish connectivity on a RoamAbout Switch in a remote Mobility Domain.
About the Network Domain Feature Figure 8-1 Network Domain (The figure shows a Corporate Office, Branch Office 1, Branch Office 2 and Sales Offices A, B and C, each with Layer 2-3 switching and RoamAbout Switches, one RoamAbout Switch per site acting as ND Seed Peer; the sites are joined by WAN links.) In a Network Domain, one or more RoamAbout Switches act as seed devices.
About the Network Domain Feature Figure 8-2 How a user connects to a remote VLAN in a Network Domain (The figure shows the same offices as Figure 8-1 and numbers the steps: 1 User Bob connects to the RBT Switch at the Corporate Office; 2 the RBT Switch queries the ND Seed about VLAN Red; 3 the ND Seed replies pointing to the RBT Switch at the Sales Office; 5 User Bob is connected on VLAN Red.)
About the Network Domain Feature 4. A VLAN tunnel is created between the RoamAbout Switch at the Corporate Office and the RoamAbout Switch at Sales Office C. 5. Bob establishes connectivity on the network at the corporate office and is placed in VLAN Red. Network Domain Seed Affinity When there are multiple Network Domain seeds in an installation, a Network Domain member connects to the seed with which it has the highest configured affinity.
Configuring a Network Domain In Figure 8‐3, a RoamAbout Switch in the Mobility Domain at the corporate office is configured as a member of a Network Domain that has a local seed, as well as seeds at the two branch offices and the three sales offices. The RoamAbout Switch has an affinity value of 10 (highest) for the local seed, and an affinity value of 7 for the seed at Branch Office 1. The RoamAbout Switch has an affinity of 5 (the default) for the other seeds in the Network Domain.
Configuring a Network Domain RBT-8200# set network-domain mode member seed-ip 192.168.9.254 success: change accepted. You can configure multiple seeds in a Network Domain. When multiple Network Domain seeds are configured, a member consults the seed with which it has the highest configured affinity. If you are configuring multiple seeds in the same Network Domain (for example, a seed on each physical site in the Network Domain), you must establish a peer relationship among the seeds.
Configuring a Network Domain You can enter this command multiple times on a RoamAbout Switch, specifying different Network Domain seeds with different affinity values. The affinity value can range from 1 through 10, with 10 being the highest affinity. The default affinity value is 5. Note: If the Network Domain seed is also intended to be a member of the Network Domain, you must also enter this command on the Network Domain seed itself.
10.1.0.0        DOWN      SEED
For more information about this command and the fields in the output, see the RoamAbout Mobility System Software Command Reference.

Clearing Network Domain Configuration from a RoamAbout Switch
You can clear all Network Domain configuration from a RoamAbout Switch, regardless of whether the RoamAbout Switch is a seed or a member of a Network Domain.
Network Domain Scenario
The following scenario illustrates how to create a Network Domain named globaldom consisting of three Mobility Domains at two geographically separated sites. Figure 8-4 below illustrates this scenario.
Figure 8-4 Network Domain Scenario
[Figure: Site 1 holds Mobility Domain A: RBT-Switch 10.10.10.1 (Network Domain Seed 1 and Mobility Domain A seed) with Mobility Domain A members 10.10.10.2 and 10.10.10.3, connected at Layer 2-3; a WAN link leads to Mobility Domain B (20.20.x.x addresses) at Site 2.]
The Network Domain seed at Site 1 is also the seed for Mobility Domain A. The Network Domain seed at Site 2 is used by both Mobility Domains B and C. At least one Network Domain seed is aware of each RoamAbout Switch in the installation and maintains an active TCP connection with it. The following is the Network Domain configuration for this scenario:
1. Make the RoamAbout Switch with IP address 10.10.10.
Member Network Domain name: globaldom
Member          State
--------------------------
10.10.10.1      UP
10.10.10.2      UP
10.10.10.3      UP
20.20.20.1      UP
20.20.20.2      UP
20.20.20.3      UP
30.30.30.1      UP
30.30.30.
9 Configuring Access Points
For information about...                 Refer to page...
AP Overview                              9-1
Configuring Access Points                9-21
Disabling or Reenabling Radios           9-52
Restarting an AP                         9-53
Displaying AP Information                9-54
Access Points (APs) contain radios that provide networking between your wired network and IEEE 802.11 wireless users. An AP connects to the wired network through a 10/100 Ethernet link and connects to wireless users through radio signals.
AP Overview
Figure 9-1 Example Enterasys Network
[Figure: RoamAbout Switches RAS2 (System IP address 10.10.40.4), RAS3 (System IP address 10.10.50.4) and RASM, joined by Layer 2 segments and routers with interfaces in the 10.10.x.0/24 subnets; an AP with serial-id 0322199999 and external antenna model ANT-1060, an AP with serial-id 0322199998, and RADIUS servers.]
To configure access points, perform the following tasks, in this order:
• Specify the country of operation.
Country of Operation
Before you can configure APs and radio parameters, you must specify the country in which you plan to operate the radios. Because each country has a different regulatory environment, the country code determines the transmit power levels and channels you can configure on the radios. MSS ensures that the values you can configure are valid for the country you specify.
The DNS entry allows the AP to communicate with a RoamAbout Switch that is not on the AP's subnet. If the AP is unable to locate a RoamAbout Switch on the subnet it is connected to, the AP sends DNS requests for the name wlan-switch in the DNS suffix learned through DHCP (mynetwork.com in this example).
The ip and host keywords can be in lowercase, uppercase (IP or HOST), or mixed case (for example, Ip or Host). You can use spaces after the colon or after commas, but spaces are not supported within IP addresses or hostnames. Leading zeroes are supported in IP addresses; for example, 100.130.001.1 is valid. Valid characters in hostnames are uppercase and lowercase letters, numbers, periods (.), and hyphens (-). Other characters are not supported.
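As an added example (not code from the guide or from MSS), the following Python parser applies the keyword, spacing, leading-zero and hostname rules above. The overall layout ip:<address>,host:<name>, the function names, and the sample strings are assumptions made for this example.

```python
import re
from typing import Dict

# Hostname rule from the guide: letters, digits, periods and hyphens only.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")
# Four dotted-decimal octets; leading zeroes are permitted (100.130.001.1).
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _valid_ipv4(value: str) -> bool:
    """Accept dotted-decimal IPv4 text, with leading zeroes allowed."""
    if not _IPV4_RE.match(value):
        return False
    # int() discards leading zeroes, so 001 is read as 1, as the guide intends.
    return all(0 <= int(octet) <= 255 for octet in value.split("."))


def parse_boot_string(text: str) -> Dict[str, str]:
    """Parse an assumed 'ip:<address>,host:<name>' string into a dict.

    Rules applied (from the guide):
      - the ip and host keywords are case-insensitive
      - a space is allowed after ':' and after ',', but not inside a value
      - leading zeroes are allowed in IP addresses
      - hostnames may contain only letters, digits, '.' and '-'
    Raises ValueError on the first rule violation.
    """
    result: Dict[str, str] = {}
    for raw_field in text.split(","):
        field = raw_field.lstrip(" ")            # space after a comma is allowed
        if ":" not in field:
            raise ValueError(f"missing ':' in field {field!r}")
        key, value = field.split(":", 1)
        if not key.isalpha():                    # no spaces or digits inside the keyword
            raise ValueError(f"bad keyword {key!r}")
        key = key.lower()                        # ip / IP / Ip are the same keyword
        value = value.lstrip(" ")                # space after the colon is allowed
        if not value or " " in value:
            raise ValueError(f"empty value or space inside value for {key!r}")
        if key == "ip":
            if not _valid_ipv4(value):
                raise ValueError(f"invalid IP address {value!r}")
        elif key == "host":
            if not _HOST_RE.match(value):
                raise ValueError(f"unsupported character in hostname {value!r}")
        else:
            raise ValueError(f"unknown keyword {key!r}")
        if key in result:
            raise ValueError(f"keyword {key!r} given twice")
        result[key] = value
    return result


def is_valid_boot_string(text: str) -> bool:
    """True when parse_boot_string accepts the text."""
    try:
        parse_boot_string(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples, not taken from the guide.
    for sample in ("ip:100.130.001.1, host:wlan-switch", "ip:10.10 .10.1", "host:ras_1"):
        print(f"{sample!r:45} -> {is_valid_boot_string(sample)}")
```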
Boot Process for APs
When an AP boots on the network, it uses the process described in this section. The boot process for a directly connected AP occurs strictly between the AP and the RoamAbout Switch, and makes no use of the network's DHCP or DNS services. The boot process for an AP consists of the following steps:
1. Establishing connectivity on the network
2. Contacting a RoamAbout Switch
3. Loading and activating an operational image
4.
• The fully qualified domain name of a RoamAbout Switch to use as a boot device, and the IP address of a DNS server used to resolve the RoamAbout Switch's name.
These items are referred to by letter in the description of how the AP contacts a RoamAbout Switch in "How a Distributed AP Contacts an RBT Switch (Statically Configured Address)" on page 9-8.
The process skips to Step 6 on page 9-8.
3. If no RoamAbout Switches reply, the AP repeatedly resends the Find RAS broadcast. If still no RoamAbout Switches reply, the process continues with Step 3 on page 9-8.
If the AP is unable to locate a RoamAbout Switch on the subnet it is connected to, and is unable to find a RoamAbout Switch based on information in the DHCP option 43 field, the AP sends DNS requests for the name wlan-switch in the DNS suffix learned through DHCP (mynetwork.com in this example).
This information is used in the following way when the AP attempts to contact a RoamAbout Switch:
1. If Items A and B (but not Item C) are specified, and the RoamAbout Switch's IP address is part of the local subnet, the AP sends an ARP request for its configured static IP address, to ensure that the address is not already in use on the network. The AP then sends a Find RAS message to UDP port 5000 at the RoamAbout Switch's IP address.
Loading and Activating an Operational Image
An AP's operational image is the software that allows it to function on the network as a wireless access point. As part of the AP boot process, an operational image is loaded into the AP's RAM and activated. The AP stores copies of its operational image locally, in its internal flash memory. The AP can either load the locally stored image, or it can download an operational image from the RoamAbout Switch to which it has connected.
Example AP Boot over a Layer 2 Network
Figure 9-1 shows an example of the boot process for an access point connected through a Layer 2 network. The RoamAbout Switches (RAS1, RAS2, and RAS3) each have a Distributed AP configuration for the AP.
Figure 9-2 AP Booting over Layer 2 Network
[Figure: RAS2, System IP address 10.10.40.4, active APs = 34, with DAP 1 configured as serial_id 0322199999, model AP3000, bias = low; RAS1, System IP address 10.10.10.]
Example AP Boot over a Layer 3 Network
Figure 9-3 shows an example of the boot process for an AP connected through a Layer 3 network.
Figure 9-3 AP Booting over Layer 3 Network
[Figure: RAS2, System IP address 10.10.40.4, active APs = 34, with DAP 1 configured as serial_id 0322199998, model AP3000, bias = low; RAS1, System IP address 10.10.10.]
7. RAS1 receives the Find RAS message and compares the bias settings for the AP on each RoamAbout Switch. More than one RoamAbout Switch has a high bias for the AP, so RAS1 selects the RoamAbout Switch that has the greatest capacity to add new active AP connections. In this example, RAS1 has more capacity. RAS1 sends its own IP address in the Find RAS Reply message to the AP.
8.
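The switch-selection rule in step 7 (highest bias first, then the greatest capacity to add AP connections) as an added Python model; this is not part of the guide or of MSS. It assumes each switch has a fixed maximum AP count (spare capacity = maximum minus active), that a full switch is skipped, and the switch names, RAS1's address and the maximum counts in the sample are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RoamAboutSwitch:
    name: str
    system_ip: str
    active_aps: int
    max_aps: int                      # assumed hard limit; the guide only says "capacity"
    # Distributed AP configurations on this switch: serial_id -> bias ("high" or "low")
    dap_bias: Dict[str, str] = field(default_factory=dict)

    def spare_capacity(self) -> int:
        """How many more active AP connections this switch can accept."""
        return self.max_aps - self.active_aps


_BIAS_RANK = {"high": 1, "low": 0}


def find_ras_reply(serial_id: str, switches: List[RoamAboutSwitch]) -> Optional[str]:
    """Return the System IP address placed in the Find RAS Reply for this AP.

    Only switches holding a Distributed AP configuration for serial_id are
    candidates. The highest bias wins; among equal bias, the switch with the
    greatest spare capacity is chosen (the tie-break in the guide's example).
    A switch with no spare capacity is skipped, and None is returned when no
    switch can take the AP; both of those behaviours are assumptions.
    """
    candidates = [
        s for s in switches
        if serial_id in s.dap_bias and s.spare_capacity() > 0
    ]
    if not candidates:
        return None
    best = max(
        candidates,
        key=lambda s: (_BIAS_RANK[s.dap_bias[serial_id]], s.spare_capacity()),
    )
    return best.system_ip


# Constructed sample. RAS2's address and active-AP count follow Figure 9-2 and
# RAS3's address follows Figure 9-1; RAS1's address and all max_aps values are
# made up for this example.
SAMPLE_SWITCHES = [
    RoamAboutSwitch("RAS1", "10.10.10.4", active_aps=12, max_aps=80,
                    dap_bias={"0322199999": "high"}),
    RoamAboutSwitch("RAS2", "10.10.40.4", active_aps=34, max_aps=80,
                    dap_bias={"0322199999": "low", "0322199998": "low"}),
    RoamAboutSwitch("RAS3", "10.10.50.4", active_aps=40, max_aps=40,
                    dap_bias={"0322199999": "high", "0322199998": "high"}),
]

if __name__ == "__main__":
    for serial in ("0322199999", "0322199998", "0000000000"):
        print(serial, "->", find_ras_reply(serial, SAMPLE_SWITCHES))
```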
Session Load Balancing
You can assign access points to a load-balancing group. A load-balancing group helps reduce congestion by distributing client sessions among the access points in the group. For example, if an 802.11b/g radio operating on channel 1 is supporting more sessions than a neighboring 802.11b/g radio operating on channel 6, the load-balancing feature can reject association requests to the radio on channel 1.
Table 9-2 Defaults for Service Profile Parameters (continued)
Parameter            Default Value   Radio Behavior When Parameter Set To Default Value
cac-mode             none            Does not limit the number of active user sessions based on Call Admission Control (CAC).
cac-session          14              If session-based CAC is enabled (cac-mode is set to session), limits the number of active user sessions on a radio to 14.
short-retry-count    5               Sends a short unicast frame up to five times without acknowledgment.
soda                 disable         Sygate On Demand Agent (SODA) files are not downloaded to connecting clients.
ssid-name            RoamAbout       Uses the SSID name RoamAbout.
ssid-type            crypto          Encrypts wireless traffic for the SSID.
web-portal-acl       portalacl       If set to portalacl and the service profile fallthru is set to web-portal, radios use the portalacl ACL to filter traffic for Web Portal users during authentication.
Note: portalacl is the default only if the fallthru type on the service profile has been set to web-portal. Otherwise, the value is unconfigured.
Encryption
Encrypted SSIDs can use the following encryption methods:
• Wi-Fi Protected Access (WPA)
• Non-WPA dynamic Wired Equivalent Privacy (WEP)
• Non-WPA static WEP
Dynamic WEP is enabled by default. (For more information, including configuration instructions, refer to Chapter 10, "Configuring User Encryption".)

Radio Profiles
You can easily assign radio configuration parameters to many radios by configuring a radio profile and assigning the profile to the radios.
Table 9-3 Defaults for Radio Profile Parameters
Parameter         Default Value   Radio Behavior When Parameter Set To Default Value
preamble-length   short           Advertises support for short 802.11b preambles, accepts either short or long 802.11b preambles, and generates unicast frames with the preamble length specified by the client. Note: This parameter applies only to 802.11b/g radios.
qos-mode          wmm             Classifies and marks traffic based on 802.
Radio-Specific Parameters
The channel number, transmit power, and external antenna parameters are unique to each radio and are not controlled by radio profiles. Table 9-4 lists the defaults for these parameters.
Table 9-4 Radio-Specific Parameters
Parameter         Default Value   Description
antennalocation   indoors         Location of the radio's antenna.
antennatype       internal        Enterasys external antenna model. Note: This parameter applies only to APs that support external antennas.
Configuring Access Points
To configure access points, perform the following tasks, in this order:
• Specify the country of operation. (Refer to "Specifying the Country of Operation" on page 9-22.)
• Configure an Auto-AP Profile for automatic configuration of APs. (Refer to "Configuring an Auto-DAP Profile for Automatic AP Configuration" on page 9-26.)
• Configure security. (Refer to "Configuring AP-RoamAbout Switch Security" on page 9-35.)
Specifying the Country of Operation
You must specify the country in which you plan to operate the RoamAbout Switch and its access points. MSS does not allow you to configure or enable the access point radios until you specify the country of operation (refer to Table 9-5 on page 9-22).
Note: In countries where Dynamic Frequency Selection (DFS) is required, MSS performs the appropriate check for radar.
Table 9-5 Country Codes (continued)
Country                  Code
El Salvador              SV
Egypt                    EG
Estonia                  EE
Finland                  FI
France                   FR
Germany                  DE
Greece                   GR
Guatemala                GT
Honduras                 HN
Hong Kong                HK
Hungary                  HU
Iceland                  IS
India                    IN
Indonesia                ID
Ireland                  IE
Israel                   IL
Italy                    IT
Jamaica                  JM
Japan                    JP
Jordan                   JO
Kazakhstan               KZ
Kenya                    KE
Kuwait                   KW
Latvia                   LV
Lebanon                  LB
Liechtenstein            LI
Lithuania                LT
Luxembourg               LU
Malaysia                 MY
Malta                    MT
Mauritius                MU
Mexico                   MX
Morocco                  MA
Namibia                  NA
Netherlands              NL
New Zealand              NZ
Nigeria                  NG
Norway                   NO
Oman                     OM
Pakistan                 PK
Panama                   PA
Paraguay                 PY
Peru                     PE
Philippines              PH
Poland                   PL
Portugal                 PT
Puerto Rico              PR
Romania                  RO
Russia                   RU
Saudi Arabia             SA
Serbia                   CS
Singapore                SG
Slovakia                 SK
Slovenia                 SI
South Africa             ZA
South Korea              KR
Spain                    ES
Sri Lanka                LK
Sweden                   SE
Switzerland
Trinidad and Tobago      TT
Tunisia                  TN
Turkey                   TR
Ukraine                  UA
United Arab Emirates     AE
United Kingdom           GB
United States            US
Uruguay                  UY
Venezuela                VE
Vietnam                  VN
To verify the configuration change, use the following command:
show system
Examples
The following commands set the country code to US (United States) and verify the setting:
RBT-8100# set system countrycode US
success: change accepted.
Configuring an Auto-DAP Profile for Automatic AP Configuration
You can use an Auto-AP Profile to deploy unconfigured APs. An AP that does not have a configuration on a RoamAbout Switch can receive its configuration from the Auto-AP Profile instead. The Auto-AP Profile assigns an AP number and name to the AP, from among the unused valid AP numbers available on the switch.
Configuring an Auto-AP Profile
The Auto-AP Profile for AP configuration is like an individual AP configuration, except that the configuration has the name auto instead of an AP number.
Examples
To create an Auto-AP Profile for automatic AP configuration, type the following command:
RBT-8100# set dap auto
success: change accepted.
Table 9-6 Configurable Auto-AP Profile Parameters for APs (continued)
Parameter    Default Value
radiotype    11g (or 11b for country codes where 802.11g is not allowed)
APs that receive their configurations from the Auto-AP Profile also receive the radio settings from the radio profile used by the Auto-AP Profile. Likewise, the SSIDs and encryption settings come from the service profiles mapped to the radio profile.
Specifying the Radio Profile Used by the Auto-AP Profile
The Auto-AP Profile uses the radio profile named default by default. To use another radio profile instead, use the following command:
set dap auto radio {1 | 2} radio-profile name mode {enable | disable}
Example
The following command changes the Auto-AP Profile to use radio profile autodap1 for radio 1:
RBT-8100# set dap auto radio 1 radio-profile autodap1
success: change accepted.
Converting an AP Configured by the Auto-AP Profile into a Permanent AP
You can convert a temporary AP configuration created by the Auto-AP Profile into a persistent AP configuration on the RoamAbout Switch. To do so, use the following command:
set dap auto persistent {dap-num | all}
This command creates a persistent AP configuration based on the settings in the Auto-AP Profile. The AP name and number assigned by the Auto-AP Profile are used for the persistent entry.
Configuring an Indirectly Connected AP
If an access point that you want to manage using the RoamAbout Switch is indirectly connected to the switch through a Layer 2 or Layer 3 network, configure the AP using the following command:
set dap dap-num serial-id serial-ID model {AP3000} [radiotype {11a | 11b | 11g}]
The dap-num parameter identifies the AP connection for the AP.
The next time the Distributed AP is booted, it will use the specified IP information. If the manually assigned IP information is incorrect, the AP uses DHCP to obtain its IP address, as described in "How a Distributed AP Contacts an RBT Switch (Statically Configured Address)" on page 9-8, instead of the default boot procedure.
Clearing an AP from the Configuration
Caution: When you clear an AP, MSS ends user sessions that are using the AP.
To clear the port settings from a port, use the following command:
clear port type port-list
This command resets the port as a network port and removes all AP-related parameters from the port.
Note: The clear port type command does not place the cleared port in any VLAN, not even in the default VLAN (VLAN 1).
Configuring a Load-Balancing Group
A load-balancing group is a named set of access points. MSS balances user sessions among the access points in the group.
Enabling LED Blink Mode
Blink mode makes an AP easy to identify. When blink mode is enabled on AP-xxx models, the health and radio LEDs alternately blink green and amber. Blink mode is disabled by default; once enabled, it continues until you disable it. Changing the LED blink mode does not alter operation of the access point; only the behavior of the LEDs is affected.
Encryption Options
By default, MSS does not encrypt management communication between the RoamAbout Switch and APs, even if the AP model supports encryption. The default setting is none. You can configure the RoamAbout Switch to use encryption by setting security to optional or require:
• optional—APs can be managed by the switch even if they do not have encryption keys or their keys have not been verified by an administrator.
• require—All APs must have encryption keys.
Verifying an AP's Fingerprint on a RoamAbout Switch
To confirm an AP's fingerprint, find the fingerprint and use the set dap fingerprint command to enter the fingerprint in MSS.
Finding the Fingerprint
An AP's fingerprint is listed on a label on the back of the AP. (Refer to "Encryption Key Fingerprint" on page 9-35.) If the AP is already installed and operating, use the show dap status command to display the fingerprint.
Verifying a Fingerprint on the Switch
To verify an AP's fingerprint on a RoamAbout Switch, use the following command:
set dap num fingerprint hex
where hex is the 16-digit hexadecimal number of the fingerprint. Use a colon between each digit. Make sure the fingerprint you enter matches the fingerprint used by the AP.
Configuring a Service Profile
A service profile is a set of parameters that control advertisement (beaconing) and encryption for an SSID. This section describes how to create a service profile and set some basic SSID parameters.
Disabling or Reenabling Encryption for an SSID
To specify whether the SSID is encrypted or unencrypted, use the following command:
set service-profile name ssid-type [clear | crypto]
The default is crypto.
Disabling or Reenabling Beaconing of an SSID
To specify whether the SSID is beaconed, use the following command:
set service-profile name beacon {enable | disable}
SSIDs are beaconed by default. An AP radio responds to an 802.11 probe request for the wildcard (any) SSID only with a beaconed SSID.
Changing Transmit Rates
Each type of radio (802.11a, 802.11b, and 802.11g) that provides service to an SSID has a set of rates the radio is allowed to use for sending beacons, multicast frames, and unicast data. The rate set also specifies the rates clients must support in order to associate with a radio. Table 9-9 lists the rate settings and their defaults.
Table 9-9 Transmit Rates
Parameter    Default Value              Description
mandatory    • 802.11a— 6.0,12.0,24.
To change transmit rates for a service profile, use the following command:
set service-profile name transmit-rates {11a | 11b | 11g} mandatory rate-list [disabled rate-list] [beacon-rate rate] [multicast-rate {rate | auto}]
Example
The following command sets 802.11a mandatory rates for service profile sp1 to 6 Mbps and 9 Mbps, disables rates 48 Mbps and 54 Mbps, and changes the beacon rate to 9 Mbps:
RBT-8100# set service-profile sp1 transmit-rates 11a mandatory 6.0,9.
Changing the Short Retry Threshold
The short retry threshold specifies the number of times a radio can send a short unicast frame for an SSID without receiving an acknowledgment for the frame. A short unicast frame is a frame that is shorter than the RTS threshold. To change the short retry threshold, use the following command:
set service-profile name short-retry threshold
The threshold can be a value from 1 through 15. The default is 5.
Creating a New Profile
To create a radio profile, use the following command:
set radio-profile name [mode {enable | disable}]
Specify a name of up to 16 alphanumeric characters. Do not include the mode enable or mode disable option. After you create the radio profile, you can use the enable and disable options to enable or disable all radios that use the profile.
Changing the DTIM Interval
The DTIM interval specifies the number of times after every beacon that a radio sends a delivery traffic indication map (DTIM). An access point sends the multicast and broadcast frames stored in its buffers to clients who request them in response to the DTIM. The DTIM interval applies to both the beaconed SSID and the unbeaconed SSID. The DTIM interval does not apply to unicast frames.
Changing the Fragmentation Threshold
The fragmentation threshold specifies the longest frame a radio transmits without first fragmenting it into multiple frames. To change the fragmentation threshold, use the following command:
set radio-profile name frag-threshold threshold
The threshold can be a value from 256 through 2346. The default is 2346.
Changing the Preamble Length
By default, 802.11b/g radios advertise support for frames with short preambles and can support frames with short or long preambles. An 802.11b/g radio generates unicast frames to send to a client with the preamble length specified by the client. An 802.11b/g radio always uses a long preamble in beacons, probe responses, and other broadcast or multicast traffic.
Resetting a Radio Profile Parameter to its Default Value
To reset a radio profile parameter to its default value, use the following command:
clear radio-profile name parameter
The parameter can be one of the radio profile parameters listed in Table 9-3 on page 9-18.
Caution: Make sure you specify the radio profile parameter you want to reset. If you do not specify a parameter, MSS deletes the entire profile from the configuration.
Configuring Radio-Specific Parameters
This section shows how to configure the channel and transmit power on individual radios, and how to configure for external antennas. (For information about the parameters you can set on individual radios, refer to Table 9-4.)
Configuring the Channel and Transmit Power
Note: If RF Auto-Tuning is enabled for channels or power, you cannot set the channels or power manually using the commands in this section.
Configuring the External Antenna Model and Location
Menu choices for the RBT-1602 are listed in Table 9-10. Menu choices for the TRPZ-MP-620 are listed in Table 9-11. Use the antenna part numbers to identify the correct menu choice.
Table 9-10 RBT-1602 External Antenna Models
Part Number        RASM Antenna Selection   Radio Type   Beamwidth (Horizontal)   Beamwidth (Vertical)
RBTES-BG-S1060     ANT1060                  802.11b/g    60°                      65°
RBTES-BG-S07120    ANT1120                  802.
Mapping the Radio Profile to Service Profiles
To assign SSIDs to radios, you must map the service profiles for the SSIDs to the radio profile that is assigned to the radios. To map a radio profile to a service profile, use the following command:
set radio-profile name service-profile name
Example
The following command maps service profile wpa_clients to radio profile rp2:
RBT-8100# set radio-profile rp2 service-profile wpa_clients
success: change accepted.
Disabling or Reenabling Radios
You can disable or reenable radios on a radio profile basis or an individual basis. You also can reset a radio to its factory default settings. (To disable or reenable radios when assigning or removing a radio profile, refer to "Assigning a Radio Profile and Enabling Radios" on page 9-51.)
Restarting an AP
Resetting a Radio to its Factory Default Settings
To disable an AP radio and reset it to its factory default settings, use the following command:
clear {ap port-list | dap dap-num} radio {1 | 2 | all}
This command performs the following actions:
• Sets the transmit power, channel, and external antenna type to their default values.
• Removes the radio from its radio profile and places the radio in the default radio profile.
This command does not affect the PoE setting.
Displaying AP Information
You can display the following AP information:
• AP and radio-specific configuration settings
• Connection information for Distributed APs configured on a RoamAbout Switch
• List of Distributed APs that are not configured on a RoamAbout Switch
• Connection information for Distributed APs
• Service profile information
• Radio profile information
• Status information
• Information about static IP addresses on Distributed APs
• Statistics cou
load balancing group: none
location: The conference room
contact: Bob the IT guy
Radio 1: type: 802.11g, mode: disabled, channel: dynamic
tx pwr: 1, profile: default
auto-tune max-power: default
Radio 2: type: 802.11a, mode: disabled, channel: dymanic
tx pwr: 1, profile: default
auto-tune max-power: default
(For information about the fields in the output, refer to the RoamAbout Mobility System Software Command Line Interface Reference Guide.)
The DAP field indicates the connection number of each AP on the RoamAbout Switch on which the command is typed. A hyphen (-) in the DAP field indicates that the AP is configured on another RoamAbout Switch in the same Mobility Domain.
Displaying Service Profile Information
To display service profile information, use the following command:
show service-profile {name | ?}
Entering show service-profile ? displays a list of the service profiles configured on the RoamAbout Switch.
Displaying Radio Profile Information
To display radio profile information, use the following command:
show radio-profile {name | ?}
Entering show radio-profile ? displays a list of radio profiles.
Displaying AP Status Information
To display status information including link state and RoamAbout Switch status, use the following commands:
show ap status [terse] | [port-list | all [radio {1 | 2}]]
show dap status [terse] | [dap-num | all [radio {1 | 2}]]
The terse option displays a brief line of essential status information for each Distributed AP. The all option displays information for all Distributed APs configured on the switch.
Displaying Static IP Address Information for Distributed APs
To display information about Distributed APs that have been configured with static IP address information, use the following command:
show dap boot-configuration dap-num
Example
To display static IP address information for Distributed AP 1, type the following command:
RBT-8100# show dap boot-configuration 1
Static Boot Configuration
DAP: 1
IP Address: Disabled
VLAN Tag: Disabled
Switch: Disabled
IP Address:
Netmask:
Gat
[Per-rate counter output for rates 1.0 through 54 Mbps, including TxMultiPkt and TxMultiByte columns; the remaining column headers did not survive extraction.]
10 Configuring User Encryption
For information about...                 Refer to page...
Configuring WPA                          10-3
Configuring RSN (802.11i)                10-12
Configuring WEP                          10-15
Encryption Configuration Scenarios       10-18
Mobility System Software (MSS) encrypts wireless user traffic for all users who are successfully authenticated to join an encrypted SSID and who are then authorized to join a VLAN. MSS supports the following types of encryption for wireless user traffic:
• 802.
Table 10-1 on page 10-2 lists the encryption types supported by MSS and their default states.
Table 10-1 Wireless Encryption Defaults
Encryption Type   Client Support                          Default State   Configuration Required in MSS
RSN               RSN clients; non-RSN (WPA) clients      Disabled        • Enable the RSN information element (IE).
                                                                          • Specify the supported cipher suites (CCMP, TKIP, 40-bit WEP, 104-bit WEP). TKIP is enabled by default when the RSN IE is enabled.
Figure 10-1 Default Encryption
[Figure: a RoamAbout Switch and an AP on a Layer 2 network with encryption settings WPA disabled, Dynamic WEP enabled, Static WEP disabled. User A (non-WPA) uses dynamic WEP, User B (WPA) uses dynamic 40-bit WEP, User C (non-WPA) uses static WEP, User D (WPA) uses TKIP.]
The rest of this chapter describes the encryption types and how to configure them, and provides configuration scenarios.

Configuring WPA
Wi-Fi Protected Access (WPA) is a security enhancement to the IEEE 802.11 wireless standard.
• WEP with 40-bit keys—40-bit WEP uses the RC4 encryption algorithm with a 40-bit key.
You can configure APs to support one or more of these cipher suites. For all of these cipher suites, MSS dynamically generates unique session keys for each session. MSS periodically changes the keys to reduce the likelihood that a network intruder can intercept enough frames to decode a key. Figure 10-2 on page 10-4 shows the client support when WPA encryption for TKIP only is enabled.
Figure 10-3 WPA Encryption with TKIP and WEP
[Figure: a RoamAbout Switch and an AP on a Layer 2 network with encryption settings WPA enabled (TKIP, WEP40), Dynamic WEP enabled, Static WEP disabled. User A (non-WPA) uses dynamic WEP, User B (WPA) uses dynamic 40-bit WEP, User C (non-WPA) uses static WEP, User D (WPA) uses TKIP.]
TKIP Countermeasures
WPA access points and clients verify the integrity of a wireless frame received on the network by generating a keyed message integrity check (MIC).
• A client that receives another frame with an invalid MIC disassociates from its access point and does not send or accept any frames encrypted with TKIP or WEP.
The AP or client refuses to send or receive traffic encrypted with TKIP or WEP for the duration of the countermeasures timer, which is 60,000 milliseconds (60 seconds) by default. When the countermeasures timer expires, the access point allows associations and reassociations and generates new session keys for them.
Client Support
To use the TKIP or CCMP cipher suite for encryption, a client must support WPA. However, an AP radio configured for WPA can support non-WPA clients who use dynamic WEP or static WEP.
Creating a Service Profile for WPA
Encryption parameters apply to all users who use the SSID configured by a service profile. To create a service profile, use the following command:
set service-profile name
To create a new service profile named wpa, type the following command:
RBT-8100# set service-profile wpa
success: change accepted.
Enabling WPA
To enable WPA, you must enable the WPA information element (IE) in the service profile.
Changing the TKIP Countermeasures Timer Value
By default, MSS enforces TKIP countermeasures for 60,000 ms (60 seconds) after a second MIC failure within a one-minute interval. To change the countermeasures timer value, use the following command:
set service-profile name tkip-mc-time wait-time
Example
To change the countermeasures wait time in service profile wpa to 30 seconds, type the following command:
RBT-8100# set service-profile wpa tkip-mc-time 30000
success: change accepted.
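The trigger described under TKIP Countermeasures (a second MIC failure within one minute) and the tkip-mc-time hold configured above, as an added Python tracker; this is not MSS code or part of the guide. The tracker models only the decision of when the hold starts and ends, the log line format and client addresses in the sample are constructed, and key regeneration after the hold is left out.

```python
from collections import deque
from typing import Deque, List, Optional


class TkipCountermeasures:
    """Decide when an AP radio enters TKIP countermeasures.

    Modelled on the behaviour the guide describes: a second MIC failure
    within a 60-second interval starts countermeasures, and TKIP/WEP traffic
    is refused for tkip-mc-time milliseconds (default 60,000).
    """

    WINDOW_MS = 60_000  # interval within which two MIC failures count as an attack

    def __init__(self, mc_time_ms: int = 60_000):
        if mc_time_ms <= 0:
            raise ValueError("tkip-mc-time must be a positive number of milliseconds")
        self.mc_time_ms = mc_time_ms
        self._failures: Deque[int] = deque()       # timestamps of recent MIC failures
        self._blocked_until: Optional[int] = None  # end of the current hold, if any

    def in_countermeasures(self, now_ms: int) -> bool:
        """True while the radio refuses TKIP/WEP traffic."""
        return self._blocked_until is not None and now_ms < self._blocked_until

    def record_mic_failure(self, now_ms: int) -> bool:
        """Register a MIC failure; return True if it starts countermeasures."""
        if self.in_countermeasures(now_ms):
            return False                            # already holding; nothing new
        # Forget failures that fell out of the 60-second window.
        while self._failures and now_ms - self._failures[0] >= self.WINDOW_MS:
            self._failures.popleft()
        self._failures.append(now_ms)
        if len(self._failures) >= 2:                # second failure inside the window
            self._blocked_until = now_ms + self.mc_time_ms
            self._failures.clear()                  # a fresh window starts after the hold
            return True
        return False


def countermeasure_starts(log_lines: List[str], mc_time_ms: int = 60_000) -> List[int]:
    """Replay 'key=value' event lines (in time order) and return the
    timestamps in ms at which countermeasures would start."""
    tracker = TkipCountermeasures(mc_time_ms)
    starts: List[int] = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        if fields.get("event") != "mic-failure":
            continue
        when = int(fields["time_ms"])
        if tracker.record_mic_failure(when):
            starts.append(when)
    return starts


# Constructed sample in a made-up format (not MSS log output).
SAMPLE_LOG = [
    "time_ms=0 event=assoc client=aa:bb:cc:dd:ee:01",
    "time_ms=5000 event=mic-failure client=aa:bb:cc:dd:ee:01",
    "time_ms=20000 event=mic-failure client=aa:bb:cc:dd:ee:02",   # second within 60 s
    "time_ms=40000 event=mic-failure client=aa:bb:cc:dd:ee:01",   # ignored during the hold
    "time_ms=100000 event=mic-failure client=aa:bb:cc:dd:ee:03",  # first of a new window
    "time_ms=170000 event=mic-failure client=aa:bb:cc:dd:ee:03",  # 70 s later: window expired
]

if __name__ == "__main__":
    print("countermeasures start at (ms):", countermeasure_starts(SAMPLE_LOG))
```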
RBT-8100# set service-profile wpa psk-raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d
success: change accepted.
Disabling 802.1X Authentication for WPA
To disable 802.1X authentication for WPA clients, use the following command:
set service-profile name auth-dot1x {enable | disable}
Note: This command does not disable 802.1X authentication for non-WPA clients.
11a beacon rate: 6.0      multicast rate: AUTO
11a mandatory rate: 6.0,12.0,24.0      standard rates: 9.0,18.0,36.0,48.0,54.0
11b beacon rate: 2.0      multicast rate: AUTO
11b mandatory rate: 1.0,2.0      standard rates: 5.5,11.0
11g beacon rate: 2.0      multicast rate: AUTO
11g mandatory rate: 1.0,2.0,5.5,11.0      standard rates: 6.0,9.0,12.0,18.0,24.0,36.0.48.0,54.0
The WPA settings appear at the bottom of the output.
Note: The WPA fields appear in the show service-profile output only when WPA is enabled.
Configuring RSN (802.11i)

Robust Security Network (RSN) provides 802.11i support. RSN uses AES encryption. You can configure a service profile to support RSN clients exclusively, to support RSN and WPA clients, or to support RSN, WPA, and WEP clients. The configuration tasks for a service profile to use RSN are similar to the tasks for WPA:
1. Create a service profile for each SSID that will support RSN clients.
2. Enable the RSN IE in the service profile.
3.
Specifying the RSN Cipher Suites

To use RSN, at least one cipher suite must be enabled. You can enable one or more of the following cipher suites:
• CCMP
• TKIP
• 40‐bit WEP
• 104‐bit WEP
By default, TKIP is enabled and the other cipher suites are disabled.
Assigning the Service Profile to Radios and Enabling the Radios

After you configure RSN settings in a service profile, you can map the service profile to a radio profile, assign the radio profile to radios, and enable the radios to activate the settings.
Configuring WEP

Wired‐Equivalent Privacy (WEP) is a security protocol defined in the 802.11 standard. WEP uses the RC4 encryption algorithm to encrypt data. For integrity checking, WEP access points and clients compute a cyclic redundancy check (CRC) over the frame to generate an integrity check value (ICV), and append the value to the frame before sending it. The radio or client that receives the frame recalculates the ICV and compares the result to the ICV in the frame. (The ICV is a CRC rather than a cryptographic message integrity code; TKIP and CCMP replace it with a MIC.)
Figure 10-4 Encryption for Dynamic and Static WEP (diagram: a RoamAbout Switch at Layer 2 with WPA disabled, dynamic WEP enabled, and static WEP enabled, unicast key a1b1c1d1e1 and multicast key a2b2c2d2e2; the AP serves User A, dynamic WEP, non‐WPA; User B, dynamic 40‐bit WEP, WPA; User C, static WEP with unicast key a1b1c1d1e1 and multicast key a2b2c2d2e2, non‐WPA; and User D, TKIP, WPA)

Setting Static WEP Key Values

MSS supports dynamic WEP automatically.
Example

To configure WEP key index 1 for service profile rp1 to aabbccddee, type the following command:

RBT-8100# set service-profile rp1 wep key-index 1 key aabbccddee
success: change accepted.

Assigning Static WEP Keys

When static WEP is enabled, static WEP key 1 is assigned to unicast and multicast traffic by default.
Encryption Configuration Scenarios

The following scenarios provide examples of ways in which you can configure encryption for network clients:
• Enabling WPA with TKIP on page 10‐18
• Enabling Dynamic WEP in a WPA Network on page 10‐20
• Configuring Encryption for MAC Clients on page 10‐22

Enabling WPA with TKIP

The following example shows how to configure MSS to provide authentication and TKIP encryption for 802.1X WPA clients.
6. Map service profile wpa to radio profile rp1. Type the following command:

RBT-8100# set radio-profile rp1 service-profile wpa

7. Apply radio profile rp1 to radio 1 on port 5 and to radios 1 and 2 on port 11, enable the radios, and verify the configuration changes.
Enabling Dynamic WEP in a WPA Network

The following example shows how to configure MSS to provide authentication and encryption for 802.1X dynamic WEP clients, and for 802.1X WPA clients using TKIP. This example assumes that pass‐through authentication is used for all users. The commands are the same as those in “Enabling WPA with TKIP” on page 10‐18, with the addition of a command to enable a WEP cipher suite.
8. Apply radio profile rp2 to radio 1 on port 5 and to radios 1 and 2 on port 11, enable the radios, and verify the configuration changes. Type the following commands:

RBT-8100# set ap 5,11 radio 1 radio-profile rp2 mode enable
success: change accepted.
RBT-8100# set ap 11 radio 2 radio-profile rp2 mode enable
success: change accepted.
Configuring Encryption for MAC Clients

The following example shows how to configure MSS to provide PSK authentication and TKIP or 40‐bit WEP encryption for MAC clients:

1. Create an authentication rule that sends all MAC users of SSID voice to the local database for authentication and authorization. Type the following command:

RBT-8100# set authentication mac ssid voice * local

2.
10. Configure a passphrase for the preshared key. Type the following command:

RBT-8100# set service-profile wpa-wep-for-mac psk-phrase "passphrase to convert into a preshared key"

11. Display the WPA configuration changes.
Radio 1: type: 802.11g, mode: enabled, channel: 6
         tx pwr: 1, profile: rp3
         auto-tune max-power: default
Radio 2: type: 802.11a, mode: enabled, channel: 36
         tx pwr: 1, profile: rp3
         auto-tune max-power: default

14. Save the configuration. Type the following command:

RBT-8100# save config
success: configuration saved.
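The relationship between the psk-phrase used in step 10 and the 64‐hex‐digit psk-raw form shown earlier in this chapter, as an added example (not MSS code). It implements the passphrase‐to‐PSK conversion that 802.11i defines for WPA‐PSK, which any interoperable implementation, MSS included, has to apply when a passphrase rather than a raw key is configured: PBKDF2 with HMAC‐SHA1, the SSID as salt, 4096 iterations, 256 bits of output. The function names are assumptions; the SSID in the usage line is the published 802.11i test vector, not a value from this guide.

```python
"""Passphrase-to-PSK conversion for WPA/RSN preshared keys.

Added example, not MSS code. Implements the 802.11i conversion used for
WPA-PSK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output.
Function names are assumptions for the example.
"""
import hashlib
import re

PSK_BYTES = 32  # 256-bit PSK, i.e. the 64 hexadecimal digits that psk-raw takes


def passphrase_to_psk(passphrase: str, ssid: str) -> str:
    """Return the 64-hex-digit PSK derived from passphrase and SSID."""
    # 802.11i restricts passphrases to 8 to 63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, dklen=PSK_BYTES)
    return psk.hex()


def is_valid_psk_raw(value: str) -> bool:
    """True when value is acceptable as a raw PSK: exactly 64 hex digits."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def psk_matches(passphrase: str, ssid: str, configured_psk_hex: str) -> bool:
    """Check that a configured raw key is the derivation of a known passphrase,
    e.g. to confirm that two switches serving the same SSID hold the same PSK."""
    return (is_valid_psk_raw(configured_psk_hex)
            and passphrase_to_psk(passphrase, ssid).lower() == configured_psk_hex.lower())


if __name__ == "__main__":
    # 802.11i test vector: passphrase "password", SSID "IEEE".
    print(passphrase_to_psk("password", "IEEE"))
```

Because the SSID is the only salt and it is broadcast, the derived key is exactly as strong as the passphrase; a long random passphrase (or a random psk-raw value) is what makes a PSK deployment resistant to offline guessing.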
11 Configuring RF Auto-Tuning

For information about...                 Refer to page...
RF Auto-Tuning Overview                  11-1
Changing RF Auto-Tuning Settings         11-6
Displaying RF Auto-Tuning Information    11-9

RF Auto-Tuning Overview

The RF Auto‐Tuning feature dynamically assigns channel and power settings to AP radios, and adjusts those settings when needed. RF Auto‐Tuning can perform the following tasks:
• Assign initial channel and power settings when an AP radio is started.
During radio operation, MSS periodically reevaluates the channel and changes it if needed. (See “Channel Tuning” on page 11‐3.)
• Initial power assignment—The AP sets a radio’s initial power level to the maximum value allowed for the country code (regulatory domain). In a deployment with few APs, the radio remains at maximum power. Otherwise, the radio reduces power until the power is just enough to reach the AP’s nearest neighbor that is on the same channel.
Power Tuning

By default, the switch evaluates the scan results for possible power changes every 300 seconds (5 minutes), and raises or lowers the power level if needed. If RF Auto‐Tuning determines that a power change is needed on a radio, MSS ramps the power up or down until the new power level is reached. Ramp‐up or ramp‐down of the power occurs in 1 dBm increments, at regular time intervals. The default interval is 60 seconds and is configurable.
Tuning the Transmit Data Rate

A radio sends beacons, probe requests, and probe responses at the minimum transmit data rate allowed for clients. The lowest rate gives these frames the maximum range. All other packets are transmitted at a rate determined by their destination. All packets are transmitted at the same power level. By default, the following minimum data rates are allowed:
• 5.5 Mbps for 802.11b/g clients
• 24 Mbps for 802.
RF Auto-Tuning Parameters

Table 11‐1 lists the RF Auto‐Tuning parameters and their default settings.

Table 11-1 Defaults for RF Auto-Tuning Parameters

Parameter         Default Value    Radio Behavior When Parameter Set To Default Value
Radio profile parameters
channel-config    enable           When the radio is first enabled, RF Auto-Tuning sets the channel based on the channels in use on neighboring access points.
Changing RF Auto-Tuning Settings

Changing Channel Tuning Settings

Disabling or Reenabling Channel Tuning

RF Auto‐Tuning for channels is enabled by default. To disable or reenable the feature for all radios in a radio profile, use the following command:

set radio-profile name auto-tune channel-config {enable | disable} [no-client]

The no‐client option allows MSS to change the channel on a radio even if the radio has active client sessions.
Changing the Channel Holddown Interval

The default channel holddown interval is 900 seconds. You can change the interval to a value from 0 to 65535 seconds.
Changing the Maximum Default Power Allowed On a Radio

By default, the maximum power level that RF Auto‐Tuning can set on a radio is the same as the maximum power level allowed for the country of operation. To change the maximum power level that RF Auto‐Tuning can assign, use the following command:

set {ap port-list | dap dap-num} radio {1 | 2} auto-tune max-power power-level

The power‐level can be a value from 1 to 20.
Displaying RF Auto-Tuning Information

You can display the RF Auto‐Tuning configuration, a list of RF neighbors, and the values of RF attributes. (For information about the fields in the output, see the RoamAbout Mobility System Software Command Line Interface Reference.)
Displaying RF Neighbors

To display the other radios that a specific Enterasys radio can hear, use the following command:

show auto-tune neighbors [dap dap-num [radio {1 | 2 | all}]]

The list of radios includes beaconed third‐party SSIDs, and both beaconed and unbeaconed Enterasys SSIDs.
12 Configuring Quality of Service

For information about...       Refer to page...
About QoS                      12-3
Changing QoS Settings          12-18
Displaying QoS Information     12-22

This chapter describes the Quality of Service (QoS) features supported in MSS, and how to configure and manage them.

About QoS

MSS supports Layer 2 and Layer 3 classification and marking of traffic, and optimized forwarding of wireless traffic for time‐sensitive applications such as voice and video.
Table 12-1 QoS Parameters (continued)

QoS Feature             Description                                                                 Configuration Command
CAC mode                Call Admission Control, which regulates addition of new VoIP sessions on    set service-profile cac-mode
                        AP radios. One of the following modes can be enabled:
                        • None (the default)
                        • Session-based
                        See the following:
                        • “Call Admission Control” on page 12-13
                        • “Configuring Call Admission Control” on page 12-15
WMM powersave support   Unscheduled Automatic Powersave Delivery (U-APSD).
Static CoS
Table 12-1 QoS Parameters (continued)

QoS Feature         Description                                                                Configuration Command
Broadcast control   Mechanisms to reduce overhead caused by wireless broadcast traffic or      set service-profile proxy-arp
                    traffic from unauthenticated clients. One or more of the following can     set service-profile no-broadcast
                    be enabled:                                                                set service-profile dhcp-restrict
                    • Proxy ARP
                    • No-Broadcast
                    • DHCP Restrict
                    All three options are disabled by default.
WMM QoS Mode

RoamAbout Switches and RoamAbout access points each provide classification and marking for WMM QoS:
• RoamAbout Switches classify and mark traffic based on the 802.1p tag value (for tagged traffic) or the Differentiated Services Code Point (DSCP) value.
• RoamAbout access points classify ingress traffic from wireless clients based on the service type value in the 802.11 header, and mark the DSCP value in the IP tunnel on which the AP forwards the user traffic to the switch.
Figure 12-1 QoS on RoamAbout Switches—Classification of Ingress Packets (flowchart: the RoamAbout Switch receives a packet; if the 802.1p value is not 0, the packet CoS is set from the 802.1p value one‐to‐one, 1 -> 1, 2 -> 2, 3 -> 3, 4 -> 4, 5 -> 5, 6 -> 6, 7 -> 7; the No branch, 802.1p value 0, continues with the DSCP value)
Figure 12-2 QoS on RoamAbout Switches—Marking of Egress Packets (flowchart: the RoamAbout Switch has classified the ingress packet; if the egress interface has an 802.1Q VLAN tag, the 802.1p value is marked with the CoS value one‐to‐one, 1 -> 1 through 7 -> 7; if the egress interface is an IP tunnel, the CoS value is looked up and the packet’s DSCP value is marked 1 -> 8, 2 -> 16, 3 -> 24, 4 -> 32, 5 -> 40, 6 -> 48, 7 -> 56; otherwise the DSCP is not marked; the packet is then transmitted)
Figure 12-3 QoS on RoamAbout Access Points—Classification and Marking of Packets from Clients to RoamAbout Switch (flowchart: the AP receives a packet from a client; if static CoS is enabled, the packet CoS is set to the static CoS value and the tunnel IP ToS is set from the static CoS value; otherwise the packet CoS is set from the 802.11 Service Type one‐to‐one, 1 -> 1 through 7 -> 7, the tunnel’s IP ToS is set to the 802.1p value, and the CoS value is looked up to mark the packet’s DSCP value 1 -> 8, 2 -> 16, 3 -> 24, 4 -> 32, 5 -> 40, 6 -> 48, 7 -> 56)
Figure 12-4 QoS on RoamAbout Access Points—Classification and Marking of Packets from RoamAbout Switch to Clients (flowchart: the AP receives a packet from the switch; if static CoS is enabled, the packet CoS is set to the static CoS value; otherwise the CoS is looked up from the DSCP value: 0‐7 -> 0, 8‐15 -> 1, 16‐23 -> 2, 24‐31 -> 3, 32‐39 -> 4, 40‐47 -> 5, 48‐55 -> 6, 56‐63 -> 7; the CoS value is then mapped to an AP forwarding queue: 0 or 3 -> Background, 1 or 2 -> Best Effort, 4 or 5 -> Video, 6 or 7 -> Voice; Mark 802.
WMM QoS on the RoamAbout Switch

MSS performs classification on ingress to determine a packet’s CoS value. This CoS value is used to mark the packet at the egress interface. The classification and marking performed by the switch depend on whether the ingress interface has an 802.1p or DSCP value other than 0, and whether the egress interface is tagged or is an IP tunnel. The mappings between DSCP and CoS values are configurable. (See the CoS mapping sections later in this chapter, page 12‐22.) 802.
WMM QoS on a RoamAbout Access Point

RoamAbout APs use forwarding queues to prioritize traffic for wireless clients. For a packet received by the RoamAbout AP from a client, the AP classifies the packet based on the service type in the 802.11 header and maps the service type value to an internal CoS value. The AP then marks the DSCP value in the IP tunnel header to the RoamAbout Switch based on the internal CoS value.
Figure 12-5 WMM QoS in a RoamAbout Network (diagram: a WMM phone’s voice frame with Srvc Type = 7 arrives at AP A (1); AP A sends it to RAS A in a tunnel whose header carries IP ToS = 0xe0 (2); RAS A forwards it across Layer 3 to RAS B with 802.1p = 7 and tunnel header IP ToS = 0xe0 (3); RAS B sends it to AP B in a tunnel with IP ToS = 0xe0 (4, 5); AP B queues it for transmission, its forwarding queues being Voice, Video, Best Effort, and Bgrnd (6))

Figure 12‐5 on page 12‐11 shows the following process:
1. A user sends voice traffic from a WMM VoIP phone.
RoamAbout Switch A marks the packet based on the packet’s internal CoS value. In this example, the egress interface is in a VLAN and has an 802.1Q VLAN tag. Therefore, the RoamAbout Switch marks both the 802.1p value (with 7) and the tunnel header’s DSCP value (with 56). RoamAbout Switch A sends the packet to RoamAbout Switch B on the IP tunnel that connects the two switches.

Note: An ACL can override a packet’s marking.
U-APSD Support

WMM clients that use powersave mode can more efficiently request buffered unicast packets from AP radios by using U‐APSD. When U‐APSD support is enabled in MSS, a client can retrieve buffered unicast packets for a traffic priority enabled for U‐APSD by sending a QoS data or QoS‐Null frame for that priority. U‐APSD can be enabled for individual traffic priorities and for individual clients, based on the client’s request.
Static CoS

You can configure MSS to mark all wireless traffic on an SSID with a specific CoS value. When static CoS is enabled, the AP marks all traffic between clients and the switch for a given SSID with the static CoS value. The static CoS value must be configured on the SSID’s service profile. Static CoS is the simplest method of CoS marking to configure. However, the static CoS value applies to all traffic regardless of traffic type.
Changing QoS Settings

You can change the settings of the following QoS options:
• QoS mode
• U‐APSD support
• CAC state and maximum number of sessions
• Broadcast control
• Static CoS state and CoS value
• DSCP‐CoS mappings

The QoS mode is configurable on a radio‐profile basis. CAC and static CoS are configurable on a service‐profile basis. DSCP‐CoS mapping is configurable on a global switch basis.

Changing the QoS Mode

The default QoS mode is WMM.
Enabling CAC

To enable or disable CAC on a service profile, use the following command:

set service-profile name cac-mode {none | session}

Example

To enable session‐based CAC on service profile sp1, use the following command:

RBT-8100# set service-profile sp1 cac-mode session
success: change accepted.

Changing the Maximum Number of Active Sessions

When CAC is enabled, the maximum number of active sessions a radio can have is 14 by default.
Changing CoS Mappings

To change CoS mappings, use the following commands:

set qos dscp-to-cos-map dscp-range cos level
set qos cos-to-dscp-map level dscp dscp-value

The first command changes the mapping of ingress DSCP values to the internal QoS table when marking packets. The second command changes the mapping of the internal QoS values to DSCP values when tagging outbound packets.

Examples

The following command changes the mapping of DSCP value 45 from CoS value 5 to CoS value 7.
Displaying QoS Information

You can display the following types of information for QoS:
• Radio profile QoS settings: QoS mode, U‐APSD support
• Service profile QoS settings: CAC, static CoS, and broadcast control settings
• Broadcast control settings
• Default CoS mappings
• Individual DSCP‐to‐CoS or CoS‐to‐DSCP mappings
• The DSCP table (a reference of standard mappings from DSCP to IP ToS and IP precedence)
• QoS statistics for the AP forwarding queues

Displaying
Displaying a Service Profile’s QoS Settings

To display QoS settings and all other settings for a service profile, use the following command:

show service-profile {name | ?}

Example

The following example shows the configuration of the sp1 service profile.
Displaying CoS Mappings

MSS provides commands for displaying the default CoS mappings and configured mappings.
Displaying a CoS-to-DSCP Mapping

To display the DSCP value to which a specific CoS value is mapped during marking, use the following command:

show qos cos-to-dscp-map cos-value

Example

The following command displays the DSCP value to which CoS value 6 is mapped:

show qos cos-to-dscp-map 6
cos 6 is marked with dscp 48 (tos 0xC0)

Displaying the DSCP Table

To display the standard mappings of DSCP, ToS, and precedence values, use the following command:

show qos dscp-table

Example
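The default mappings from the QoS figures, the set qos dscp-to-cos-map and set qos cos-to-dscp-map overrides described under “Changing CoS Mappings”, and the show qos cos-to-dscp-map wording above, brought together in one runnable model. This is an added example, not MSS code: QosMap and its method names are assumptions, and the ToS arithmetic (DSCP occupies the top six bits of the ToS byte, so DSCP 56 is ToS 0xE0 and DSCP 48 is ToS 0xC0) is standard DiffServ layout, not something the guide spells out.

```python
"""Default WMM QoS value mappings and the set qos overrides, as an added model.

Example code, not MSS source. Reproduces the mappings shown in the figures
and the show qos output: DSCP -> CoS (eight DSCP values per CoS),
CoS -> DSCP (CoS x 8), the IP ToS byte (DSCP shifted left two bits),
CoS -> AP forwarding queue, plus the per-value overrides of
set qos dscp-to-cos-map and set qos cos-to-dscp-map. Names are assumptions.
"""
from typing import Dict, Optional

# Figure 12-4: CoS value -> AP forwarding queue
QUEUE_FOR_COS = {0: "Background", 3: "Background",
                 1: "Best Effort", 2: "Best Effort",
                 4: "Video", 5: "Video",
                 6: "Voice", 7: "Voice"}


def _parse_dscp_range(spec: str) -> range:
    """Accept '45' or '40-47' and return the DSCP values it covers."""
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 63:
        raise ValueError(f"DSCP range out of bounds: {spec}")
    return range(lo_i, hi_i + 1)


class QosMap:
    def __init__(self) -> None:
        # Defaults: DSCP 0-7 -> 0 ... 56-63 -> 7 (Figure 12-4); CoS n -> DSCP 8n (Figure 12-2).
        self.dscp_to_cos: Dict[int, int] = {d: d >> 3 for d in range(64)}
        self.cos_to_dscp: Dict[int, int] = {c: c << 3 for c in range(8)}

    def set_dscp_to_cos(self, dscp_range: str, cos: int) -> None:
        """Equivalent of: set qos dscp-to-cos-map <dscp-range> cos <level>"""
        if not 0 <= cos <= 7:
            raise ValueError("CoS must be 0-7")
        for d in _parse_dscp_range(dscp_range):
            self.dscp_to_cos[d] = cos

    def set_cos_to_dscp(self, cos: int, dscp: int) -> None:
        """Equivalent of: set qos cos-to-dscp-map <level> dscp <dscp-value>"""
        if not 0 <= cos <= 7 or not 0 <= dscp <= 63:
            raise ValueError("CoS must be 0-7 and DSCP 0-63")
        self.cos_to_dscp[cos] = dscp

    def classify_ingress(self, dot1p: Optional[int], dscp: int) -> int:
        """Switch ingress (Figure 12-1): a non-zero 802.1p value wins, else DSCP lookup."""
        if dot1p:
            return dot1p
        return self.dscp_to_cos[dscp]

    def mark_egress(self, cos: int, tagged: bool, ip_tunnel: bool) -> dict:
        """Switch egress (Figure 12-2): 802.1p on tagged VLANs, DSCP on IP tunnels."""
        marks = {}
        if tagged:
            marks["dot1p"] = cos
        if ip_tunnel:
            marks["dscp"] = self.cos_to_dscp[cos]
            marks["tos"] = marks["dscp"] << 2  # DSCP sits in the top 6 bits of the ToS byte
        return marks

    def describe_cos(self, cos: int) -> str:
        """Same wording as the show qos cos-to-dscp-map output."""
        dscp = self.cos_to_dscp[cos]
        return f"cos {cos} is marked with dscp {dscp} (tos 0x{dscp << 2:02X})"

    @staticmethod
    def queue_for(cos: int) -> str:
        """AP forwarding queue for a CoS value (Figure 12-4)."""
        return QUEUE_FOR_COS[cos]


if __name__ == "__main__":
    qos = QosMap()
    print(qos.describe_cos(6))          # matches the show output above
    qos.set_dscp_to_cos("45", 7)        # the example under Changing CoS Mappings
    print(qos.classify_ingress(None, 45), QosMap.queue_for(qos.classify_ingress(None, 45)))
```

A model like this is useful when auditing a QoS policy: because an untrusted client's 802.11 service type or a non‐zero 802.1p tag is honoured by default, it shows exactly which values would land in the Voice queue unless an ACL re‐marks them.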
Displaying AP Forwarding Queue Statistics

You can display statistics for RoamAbout AP forwarding queues, using the following commands:

show dap qos-stats [dap-num] [clear]
show dap qos-stats [port-list] [clear]

The clear option clears the counters after displaying their values.
13 Configuring and Managing Spanning Tree Protocol

For information about...                                   Refer to page...
Spanning Overview                                          13-1
Enabling the Spanning Tree Protocol                        13-2
Changing Standard Spanning Tree Parameters                 13-2
Configuring and Managing STP Fast Convergence Features     13-7
Displaying Spanning Tree Information                       13-11
Spanning Tree Configuration Scenario                       13-15

Spanning Overview

The purpose of the Spanning Tree Protocol (STP) is to maintain a loop‐free network.
Enabling the Spanning Tree Protocol

STP is disabled by default. You can enable STP globally or on individual VLANs. To enable STP, use the following command:

set spantree {enable | disable} [{all | vlan vlan-id | port port-list vlan-id}]

Example

To enable STP on all VLANs configured on a RoamAbout Switch, type the following command:

RBT-8100# set spantree enable
success: change accepted.
Table 13-1 STP Port Path Cost Defaults

Port Speed   Link Type                                   Default Port Path Cost
1000 Mbps    Full Duplex Aggregate Link (Port Group)     19
1000 Mbps    Full Duplex                                 4
100 Mbps     Full Duplex Aggregate Link (Port Group)     19
100 Mbps     Full Duplex                                 18
100 Mbps     Half Duplex                                 19
10 Mbps      Full Duplex Aggregate Link (Port Group)     19
10 Mbps      Full Duplex                                 95
10 Mbps      Half Duplex                                 100

Port Priority

Port priority is the eligibility of the port to be the designated
Changing STP Port Parameters

You can change the STP cost and priority of an individual port, on a global basis or an individual VLAN basis.

Changing the STP Port Cost

To change the cost of a port, use one of the following commands:

set spantree portcost port-list cost cost
set spantree portvlancost port-list cost cost {all | vlan vlan-id}

The set spantree portcost command changes the cost for ports in the default VLAN (VLAN 1) only.
Changing the STP Port Priority

To change the priority of a port, use one of the following commands:

set spantree portpri port-list priority value
set spantree portvlanpri port-list priority value {all | vlan vlan-id}

The set spantree portpri command changes the priority for ports in the default VLAN (VLAN 1) only. The set spantree portvlanpri command changes the priority for ports in a specific other VLAN or in all VLANs.
Resetting the STP Port Priority to the Default Value

To reset the STP port priority to the default value, use one of the following commands:

clear spantree portpri port-list
clear spantree portvlanpri port-list {all | vlan vlan-id}

The command applies only to the ports you specify. The port priority on other ports remains unchanged.
Changing the STP Maximum Age

To change the maximum age, use the following command:

set spantree maxage aging-time {all | vlan vlan-id}

Specify an age from 6 through 40 seconds. The default is 20 seconds. The all option applies the change to all VLANs. Alternatively, specify an individual VLAN.
Backbone Fast Convergence

Backbone fast convergence accelerates a port’s recovery following the failure of an indirect link. Normally, when a forwarding link fails, a bridge that is not directly connected to the link does not detect the link change until the maximum age timer expires.
Displaying Port Fast Convergence Information

To display port fast convergence information, use the following command:

show spantree portfast [port-list]

Example

To display port fast convergence information for all ports, type the following command:

RBT-8100# show spantree portfast
Port    Vlan    Portfast
----    ----    --------
1       1       disable
2       1       disable

In this example, port fast convergence is enabled on ports 11 and 14 in VLAN 2 and port 4
Configuring Uplink Fast Convergence

To enable or disable uplink fast convergence, use the following command:

set spantree uplinkfast {enable | disable}

Displaying Uplink Fast Convergence Information

To display uplink fast convergence information, use the following command:

show spantree uplinkfast [vlan vlan-id]

Example

The following command displays uplink fast convergence information for all VLANs:

RBT-8100# show spantree uplinkfast
VLAN port list
Displaying Spanning Tree Information

You can use CLI commands to display the following STP information:
• Bridge STP settings and individual port information
• Blocked ports
• Statistics
• Port fast, backbone fast, and uplink fast convergence information

Note: For information about the show commands for the fast convergence features, see “Configuring and Managing STP Fast Convergence Features” on page 13-7.
In this example, VLAN mauve contains ports 1 through 3, 10, 15, and 16. Ports 1 and 10 are forwarding traffic. The other ports are blocking traffic. For more information about the fields in the output, see the RoamAbout Mobility System Software Command Line Interface Reference.
Displaying Spanning Tree Statistics

To display STP statistics, use the following command:

show spantree statistics [port-list [vlan vlan-id]]

Example

To display STP statistics for port 1, type the following command:

RBT-8100# show spantree statistics 1
BPDU related parameters
Port 1 VLAN 1
spanning tree enabled for VLAN = 1
port spanning tree
state
port_id
port_number
path cost
message age (port/VLAN)
designated_root
designated cost
designated_bridge
designated_port
to
delay root port timer                  INACTIVE
delay root port timer value            0
delay root port timer restarted is     FALSE

VLAN based information & statistics
spanning tree type
spanning tree multicast address
bridge priority
bridge MAC address
bridge hello time
bridge forward delay
topology change initiator:
last topology change occurred:
topology change
topology change time
topology change detected
topology change count
topology change last recvd.
Spanning Tree Configuration Scenario

This scenario configures a VLAN named backbone for a RoamAbout Switch’s connections to the network backbone, adds ports 1 and 2 to the VLAN, and enables STP on the VLAN to prevent loops.

1. Remove the network cables from ports 1 and 2, or use MSS to disable the ports. This prevents a loop until you complete the STP configuration.
Port   Vlan   STP-State   Cost   Prio   Portfast
--------------------------------------------------
1      10     Disabled    4      128    Disabled
2      10     Disabled    4      128    Disabled

4. Reconnect or reenable ports 1 and 2 and verify the change.
14 Configuring and Managing IGMP Snooping

For information about...    Refer to page...
Disabling or Reenabling Proxy Reporting

Proxy reporting reduces multicast overhead by sending only one report for each active group to the multicast routers, instead of sending a separate report from each multicast receiver. For example, if the RoamAbout Switch receives reports from three receivers for multicast group 237.255.255.255, the switch sends only one report for the group to the routers.
Changing the Query Interval

To change the IGMP query interval timer, use the following command:

set igmp qi seconds [vlan vlan-id]

For seconds, you can specify a value from 1 through 65,535. The default is 125 seconds.

Changing the Other-Querier-Present Interval

To change the other‐querier‐present interval, use the following command:

set igmp oqi seconds [vlan vlan-id]

For seconds, you can specify a value from 1 through 65,535. The default is 255 seconds.
Changing the Router Solicitation Interval

The default multicast router solicitation interval is 30 seconds. To change the interval, use the following command:

set igmp mrsol mrsi seconds [vlan vlan-id]

You can specify 1 through 65,535 seconds. The default is 30 seconds.

Configuring Static Multicast Ports

A RoamAbout Switch learns about multicast routers and receivers from multicast traffic it receives from those devices.
Displaying Multicast Configuration Information and Statistics

To display multicast configuration information and statistics, use the following command:

show igmp [vlan vlan-id]

The show igmp command displays the IGMP snooping state, the settings of all multicast parameters you can configure, and multicast statistics.
DVMRP                              4
PIM V1                             0
PIM V2                             0
Topology notifications:            0
Packets with unknown IGMP type:    0
Packets with bad length:           0
Packets with bad checksum:         0
Packets dropped:                   4
4 0 0 0 0 0 0

(For information about the fields in the output, see the RoamAbout Mobility System Software Command Line Interface Reference.)
Displaying Multicast Routers

To display information about the multicast routers only, without also displaying all the other multicast information, use the following command:

show igmp mrouter [vlan vlan-id]

Example

To display the multicast routers in VLAN orange, type the following command:

RBT-8100# show igmp mrouter vlan orange
Multicast routers for vlan orange
Port   Mrouter-IPaddr    Mrouter-MAC         Type   TTL
----   ---------------   -----------------   -----  ----
10     192.28.7.
15 Configuring and Managing Security ACLs

For information about...    Refer to page...
Figure 15-1 Setting Security ACLs (diagram: ACLs in edit buffer (null) -> Committed ACLs (null) -> ACLs mapped to users, and ACLs mapped to ports, VLANs, and virtual ports)

Security ACL Filters

A security ACL filters packets to restrict or permit network traffic. These filters can then be mapped by name to authenticated users, VLANs, virtual ports, or Distributed APs. You can also assign a class‐of‐service (CoS) level that marks the packets matching the filter for priority handling.
You cannot perform ACL functions that include permitting, denying, or marking with a Class of Service (CoS) level on packets with a multicast or broadcast destination address.

Order in Which ACLs are Applied to Traffic

MSS provides different scopes (levels of granularity) for ACLs.
Creating and Committing a Security ACL

The security ACLs you create can filter packets by source address, IP protocol, port type, and other characteristics. When you configure an ACE for a security ACL, MSS stores the ACE in the edit buffer until you commit the ACL to be saved to the permanent configuration. You must commit a security ACL before you can apply it to an authenticated user’s session or map it to a VLAN, virtual port, or Distributed AP.
Table 15-1 Common IP Protocol Numbers

Number   IP Protocol
1        Internet Control Message Protocol (ICMP)
2        Internet Group Management Protocol (IGMP)
6        Transmission Control Protocol (TCP)
9        Any private interior gateway (used by Cisco for Internet Gateway Routing Protocol)
17       User Datagram Protocol (UDP)
46       Resource Reservation Protocol (RSVP)
47       Generic Routing Encapsulation (GRE) protocol
50       Encapsulation Security Payload for IPSec (IPSec-ESP)
51       Authent
AP forwarding prioritization occurs automatically for Wi‐Fi Multimedia (WMM) traffic. You do not need to configure ACLs to provide WMM prioritization. For non‐WMM devices, you can provide AP forwarding prioritization by configuring ACLs. If you disable WMM, AP forwarding prioritization is optimized for SpectraLink Voice Priority (SVP) instead of WMM, and the AP does not tag packets it sends to the RAS.
Table 15-3 Common ICMP Message Types and Codes

ICMP Message Type (Number)     ICMP Message Code (Number)
Echo Reply (0)                 None
Destination Unreachable (3)    • Network Unreachable (0)
                               • Host Unreachable (1)
                               • Protocol Unreachable (2)
                               • Port Unreachable (3)
                               • Fragmentation Needed (4)
                               • Source Route Failed (5)
Source Quench (4)              None
Redirect (5)                   • Network Redirect (0)
                               • Host Redirect (1)
                               • Type of Service (TOS) and Network Redirect (2)
                               • TOS and Host Redirect (3)
Ech
Setting a TCP ACL

The following command filters TCP packets:

set security acl ip acl-name {permit [cos cos] | deny} tcp {source-ip-addr mask [operator port [port2]] destination-ip-addr mask [operator port [port2]]} [precedence precedence] [tos tos] [established] [before editbuffer-index | modify editbuffer-index] [hits]

Example

The following command permits packets sent from IP address 192.168.1.5 to 192.168.1.
Determining the ACE Order

The set security acl command creates a new entry in the edit buffer and appends the new entry as a rule at the end of an ACL, unless you specify otherwise. The order of ACEs is significant, because the earliest ACE takes precedence over later ACEs. To place the ACEs in the correct order, use the parameters before editbuffer‐index and modify editbuffer‐index. The first ACE is number 1.
Use the show security acl info command to display ACLs that are already committed. ACLs are not available for mapping until you commit them. (To commit an ACL, use the commit security acl command. See Committing a Security ACL.) ACLs do not take effect until you map them to something (a user, Distributed AP, VLAN, port, or virtual port). To map an ACL, see “Mapping Security ACLs” on page 15‐13.
Creating and Committing a Security ACL Viewing Security ACL Details You can display the contents of one or all security ACLs that are committed. Examples To display the contents of all committed security ACLs, type the following command: RBT-8100# show security acl info ACL information for all set security acl ip acl-999 (hits #2 0) ---------------------------------------------------1. deny IP source IP 192.168.0.1 0.0.0.0 destination IP any 2. permit IP source IP 192.168.0.2 0.0.0.
Creating and Committing a Security ACL Clearing Security ACLs The clear security acl command removes the ACL from the edit buffer only. To clear a security ACL, enter a specific ACL name, or enter all to delete all security ACLs. To remove the security ACL from the running configuration and nonvolatile storage, you must also use the commit security acl command.
Mapping Security ACLs

An ACL does not take effect until you commit it and map it to a user or an interface. User-based security ACLs are mapped to an IEEE 802.1X authenticated session during the AAA process. You can specify that one of the authorization attributes returned during authentication is a named security ACL. The RAS maps the named ACL automatically to the user’s authenticated session. Security ACLs can also be mapped statically to VLANs, virtual ports, or Distributed APs.

Mapping Target                          Commands
User authenticated by a MAC address     set mac-user username attr filter-id acl-name.in
                                        set mac-user username attr filter-id acl-name.out

When assigned the Filter-Id attribute, an authenticated user with a current session receives packets based on the security ACL. For example, to restrict incoming packets for Natasha to those specified in acl-222, type the following command:

RBT-8100# set user Natasha attr filter-id acl-222.in
success: change accepted.

Displaying ACL Maps to VLANs and Virtual Ports

Two commands display the VLAN, virtual port, and Distributed AP mapping of a specific security ACL.
To delete a security ACL from a user’s configuration on a RADIUS server, see the documentation for your RADIUS server. If you no longer need the security ACL, delete it from the configuration with the clear security acl and commit security acl commands. (See “Clearing Security ACLs” on page 15-12.)

Modifying a Security ACL

You can modify a security ACL in the following ways:
• Add another ACE to a security ACL, at the end of the ACE list.

ACL information for all
set security acl ip acl-violet (hits #2 0)
---------------------------------------------------
1. permit IP source IP 192.168.253.1 0.0.0.255 destination IP any enablehits
2. permit IP source IP 192.168.123.11 0.0.0.255 destination IP any enablehits

Placing One ACE before Another

You can use the before editbuffer-index portion of the set security acl command to place a new ACE before an existing ACE.

Modifying an Existing Security ACL

You can use the modify editbuffer-index portion of the set security acl command to modify an active security ACL.

Example

For example, suppose the ACL acl-111 currently blocks some packets from IP address 192.168.254.12 with the mask 0.0.0.255 and you want to change the ACL to permit all packets from this address. Follow these steps:
1.

Clearing Security ACLs from the Edit Buffer

Use the rollback command to clear changes made to the security ACL edit buffer since it was last committed. The ACL is rolled back to its state at the last commit command.

Example

For example, suppose you want to remove an ACE that you just created in the edit buffer for acl-111:
1.
6. Alternatively, to clear the entire edit buffer of all changes made since a security ACL was last committed and display the results, type the following commands:

RBT-8100# rollback security acl all
RBT-8100# show security acl info editbuffer
ACL edit-buffer information for all

Using ACLs to Change CoS

For WMM or non-WMM traffic, you can change a packet’s priority by using an ACL to change the packet’s CoS value.

Filtering Based on DSCP Values

You can configure an ACE to filter based on a packet’s Differentiated Services Code Point (DSCP) value, and change the packet’s CoS based on the DSCP value. A CoS setting marked by an ACE overrides the CoS setting applied from the switch’s QoS map. Table 15-4 lists the CoS values to use when reassigning traffic to a different priority. The CoS determines the AP forwarding queue to use for the traffic when sending it to a wireless client.

Using the precedence and ToS Options

You also can indirectly filter on DSCP by filtering on both the IP precedence and IP ToS values of a packet. However, this method requires two ACEs. To use this method, specify the combination of precedence and ToS values that is equivalent to the DSCP value. For example, to filter based on DSCP value 46, configure an ACL that filters based on precedence 5 and ToS 12.
Enabling Prioritization for Legacy Voice over IP

MSS supports Wi-Fi Multimedia (WMM). WMM support is enabled by default and is automatically used for priority traffic between WMM-capable devices. MSS also can provide prioritization for non-WMM VoIP devices. However, to provide priority service to non-WMM VoIP traffic, you must configure static CoS or configure an ACL to set the CoS for the traffic.

Table 15-5 WMM Priority Mappings (continued)

Service Type   IP Precedence   IP ToS   DSCP   802.1p   CoS   AP Forwarding Queue
6 6 0xc0 48 6 6
Voice 7 7 0xe0 56 7 7

Note: If you are upgrading a switch running MSS Version 3.x to MSS Version 4.x, and the switch uses ACLs to map VoIP traffic to CoS 4 or 5, and you plan to leave WMM enabled, Enterasys Networks recommends that you change the ACLs to map the traffic to CoS 6 or 7.
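The two-ACE precedence and ToS method and the IP ToS and DSCP columns of Table 15-5 both follow from the layout of the IP ToS byte: DSCP is its top six bits, IP precedence is the top three of those, and the 4-bit ToS field sits just below the precedence bits. The following Python is an added example (not MSS code and not from this guide) that derives precedence, 4-bit ToS and the ToS byte from a DSCP value and back again, and models the rule that a CoS set by an ACE overrides the CoS from the QoS map. Taking CoS = DSCP >> 3 as the default mapping is an assumption generalized from the DSCP 48 to CoS 6 and DSCP 56 to CoS 7 rows.

```python
# Added example: DSCP, IP precedence and ToS arithmetic behind the "precedence"
# and "tos" ACE options (RFC 791 / RFC 1349 / RFC 2474 field layout). Not MSS code.
#
# IP ToS byte, most significant bit first:
#   P2 P1 P0 T3 T2 T1 T0 MBZ     RFC 791/1349 view: 3-bit precedence, 4-bit ToS
#   D5 D4 D3 D2 D1 D0 E1 E0      RFC 2474 view: 6-bit DSCP, 2-bit ECN
# so precedence = DSCP >> 3 and the 4-bit ToS is DSCP bits 2..0 followed by a 0 bit.

def dscp_to_fields(dscp: int) -> tuple:
    """Return (ip_precedence, tos_4bit, tos_byte) for a 6-bit DSCP value."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    tos_byte = dscp << 2              # what Table 15-5 lists in its "IP ToS" column
    precedence = dscp >> 3            # the value for the "precedence" ACE option
    tos_4bit = (tos_byte >> 1) & 0xF  # the value for the "tos" ACE option
    return precedence, tos_4bit, tos_byte

def fields_to_dscp(precedence: int, tos_4bit: int) -> int:
    """Inverse: the single DSCP that a precedence ACE plus a tos ACE select together."""
    if not 0 <= precedence <= 7 or not 0 <= tos_4bit <= 15:
        raise ValueError("precedence is 3 bits, tos is 4 bits")
    if tos_4bit & 1:
        # T0 lies in the ECN field, outside DSCP: no DSCP value has it set.
        raise ValueError("tos value %d has bit 0 set; not expressible as a DSCP" % tos_4bit)
    return (precedence << 3) | (tos_4bit >> 1)

def effective_cos(dscp: int, ace_cos: int = None) -> int:
    """CoS applied to a packet: an ACE's 'cos' overrides the QoS-map default.
    The default CoS = DSCP >> 3 is an assumption taken from the 48 -> 6 and 56 -> 7 rows."""
    if ace_cos is not None:
        if not 0 <= ace_cos <= 7:
            raise ValueError("CoS is 0-7")
        return ace_cos
    return dscp >> 3

if __name__ == "__main__":
    for dscp in (46, 48, 56):
        prec, tos4, byte = dscp_to_fields(dscp)
        print("DSCP %2d -> precedence %d, tos %2d, ToS byte 0x%02x, default CoS %d"
              % (dscp, prec, tos4, byte, effective_cos(dscp)))
```

dscp_to_fields(46) yields precedence 5 and tos 12, the pair the text gives for DSCP 46, and the ToS byte for DSCP 48 and 56 comes out as 0xc0 and 0xe0, matching the table; a tos value with bit 0 set can never correspond to a DSCP, so the inverse rejects it instead of silently rounding.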
• Configure a radio profile to manage the radios that will provide service for the voice SSID.
• Configure a VLAN for the voice clients.
• Configure a last-resort user in the local database.
• Configure an authentication and accounting rule that allows clients of the voice SSID onto the network and places them in the voice VLAN.

Known Limitations

• You cannot have WPA and WPA2 configured on handsets simultaneously within the same ESSID.

Configuring a Service Profile for WPA

To configure a service profile for SVP phones that use WPA:
• Create the service profile and add the voice SSID to it.
• Enable the WPA information element (IE). This also enables TKIP. Leave TKIP enabled.
• Disable 802.1X authentication and enable preshared key (PSK) authentication instead.
• Enter the PSK key.

Configuring a VLAN and AAA for Voice Clients

MSS requires all clients to be authenticated by RADIUS or the local database, and to be authorized for a specific VLAN. MSS places the user in the authorized VLAN.
– Configure a VLAN for voice clients.
Notes: You can use the same VLAN for other clients. However, it is a best practice to use the VLAN primarily, if not exclusively, for voice traffic.
– Disable IGMP snooping in the VLAN.
Restricting Client-To-Client Forwarding Among IP-Only Clients

Example

The following commands configure an ACE to prioritize SVP traffic and map the ACE to the outbound direction of the voice VLAN:

RBT-8100# set security acl ip SVP permit cos 7 udp 10.2.4.69 255.255.255.255 gt 0 any gt 0
RBT-8100# set security acl ip SVP permit cos 7 119 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
RBT-8100# set security acl ip SVP permit 0.0.0.0 255.255.255.

Security ACL Configuration Scenario

3. Configure an ACE that denies all IP traffic from any IP address in the 10.10.11.0/24 subnet to any address in the same subnet:
set security acl ip c2c deny ip 10.10.11.0 0.0.0.255 10.10.11.0 0.0.0.255
4. Configure an ACE that permits all traffic that does not match the ACEs configured above:
set security acl ip c2c permit 0.0.0.0 255.255.255.255
5. Commit the ACL to the configuration:
commit security acl c2c
6.

RBT-8100# set authentication dot1x Natasha pass-through shorebirds
success: change accepted.

You must then map the security ACL to Natasha’s session in RADIUS. For instructions, see the documentation for your RADIUS server.
7. To save your configuration, type the following command:
RBT-8100# save config
success: configuration saved.
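The c2c scenario above, together with the earlier sections on ACE order, before editbuffer-index, modify editbuffer-index, rollback and commit, describes one data structure: an ordered list of ACEs with first-match semantics, held in an edit buffer until committed. The following Python is an added model of that behaviour (it is not MSS code and not from this guide) with wildcard-mask matching as the set security acl syntax expresses it, 0 bits must match and 1 bits are ignored. Two details are assumptions rather than statements on the page: a packet that matches no ACE is denied, and an ACE protocol of ip matches every IP protocol. The acl-111 contents are constructed to fit the modify example's description.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added illustration of how an ordered security ACL behaves; not MSS code.
# Assumptions (not stated on the page): a packet that matches no ACE is
# denied, and "ip" as the ACE protocol matches every IP protocol.

@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    protocol: str                      # "ip", "tcp", "udp", ...
    src: str                           # source address
    src_wild: str                      # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str = "0.0.0.0"               # destination address ("any" by default)
    dst_wild: str = "255.255.255.255"

def _wild_match(addr: str, base: str, wild: str) -> bool:
    """True when addr equals base on every bit the wildcard mask leaves as 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (a & care) == (b & care)

def ace_matches(ace: Ace, proto: str, src: str, dst: str) -> bool:
    return (ace.protocol in ("ip", proto)
            and _wild_match(src, ace.src, ace.src_wild)
            and _wild_match(dst, ace.dst, ace.dst_wild))

class SecurityAcl:
    """Committed ACEs versus the edit buffer, as the two show commands distinguish them."""
    def __init__(self, name: str):
        self.name = name
        self.committed: List[Ace] = []   # show security acl info
        self.editbuffer: List[Ace] = []  # show security acl info editbuffer

    def set_ace(self, ace: Ace, before: Optional[int] = None, modify: Optional[int] = None) -> None:
        """set security acl ...: append unless 'before' or 'modify' (1-based) is given."""
        if before is not None:
            self.editbuffer.insert(before - 1, ace)
        elif modify is not None:
            self.editbuffer[modify - 1] = ace
        else:
            self.editbuffer.append(ace)

    def commit(self) -> None:            # commit security acl name
        self.committed = list(self.editbuffer)

    def rollback(self) -> None:          # rollback security acl name
        self.editbuffer = list(self.committed)

    def clear(self) -> None:             # clear security acl name (edit buffer only)
        self.editbuffer = []

    def evaluate(self, proto: str, src: str, dst: str) -> str:
        """First matching committed ACE decides; no match means deny (assumption)."""
        for ace in self.committed:
            if ace_matches(ace, proto, src, dst):
                return ace.action
        return "deny"

def build_c2c(permit_first: bool = False) -> SecurityAcl:
    """Steps 3 and 4 of the scenario: deny intra-subnet 10.10.11.0/24, then permit the rest."""
    acl = SecurityAcl("c2c")
    acl.set_ace(Ace("deny", "ip", "10.10.11.0", "0.0.0.255", "10.10.11.0", "0.0.0.255"))
    acl.set_ace(Ace("permit", "ip", "0.0.0.0", "255.255.255.255"))
    if permit_first:
        # Wrong order: the catch-all permit placed before the deny shadows it.
        acl.set_ace(acl.editbuffer.pop(), before=1)
    acl.commit()
    return acl

def modify_acl_111() -> SecurityAcl:
    """acl-111 first blocks TCP from 192.168.254.12 mask 0.0.0.255 (constructed), then
    'modify 1' changes ACE 1 to permit all IP from that address, as the text describes."""
    acl = SecurityAcl("acl-111")
    acl.set_ace(Ace("deny", "tcp", "192.168.254.12", "0.0.0.255"))
    acl.commit()
    acl.set_ace(Ace("permit", "ip", "192.168.254.12", "0.0.0.255"), modify=1)
    acl.commit()
    # An ACE added afterwards lives only in the edit buffer until committed...
    acl.set_ace(Ace("deny", "ip", "0.0.0.0", "255.255.255.255"))
    acl.rollback()   # ...and rollback discards it again.
    return acl

if __name__ == "__main__":
    print("c2c, intra-subnet:", build_c2c().evaluate("ip", "10.10.11.5", "10.10.11.9"))
    print("c2c, permit first:", build_c2c(True).evaluate("ip", "10.10.11.5", "10.10.11.9"))
```

build_c2c(permit_first=True) is the mistake the ACE-order section warns about: with the catch-all permit at index 1 the deny is never reached, which is why before editbuffer-index exists.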
16 Managing Keys and Certificates

For information about...                        Refer to page...
Why Use Keys and Certificates?                  16-1
About Keys and Certificates                     16-2
Creating Keys and Certificates                  16-5
Displaying Certificate and Key Information      16-11
Key and Certificate Configuration Scenarios     16-11

A digital certificate is a form of electronic identification for computers.
About Keys and Certificates

Wireless Security through TLS

In the case of wireless or wired authentication 802.1X users whose authentication is performed by the RoamAbout switch, the first stage of any EAP transaction is Transport Layer Security (TLS) authentication and encryption. RoamAbout Switch Manager and Web View also require a session to the RoamAbout switch that is authenticated and encrypted by TLS. Once a TLS session is authenticated, it is encrypted.

• If the RoamAbout switch has a self-signed certificate in its certificate and key store, the switch responds to the request from MSS. If the certificate is not self-signed, the switch looks for a CA’s certificate with which to validate the server certificate.
• If the RoamAbout switch has no corresponding CA certificate, the switch does not respond to the request from MSS.

information about this option, refer to “Configuring RBT-Switch to RBT-Switch Security” on page 7-5.)
• EAP certificate—Used by the RoamAbout switch to authenticate itself to EAP clients.
• WebAAA certificate—Used by the RoamAbout switch to authenticate itself to WebAAA clients, who use a web page served by a RoamAbout switch to log onto the network.

Certificates Automatically Generated by MSS

The first time you boot a switch with MSS Version 4.2 or later, MSS automatically generates keys and self-signed certificates, in cases where certificates are not already configured or installed. MSS can automatically generate all the following types of certificates and their keys:
• Admin (required for administrative access to the switch by Web View or RoamAbout Switch Manager)
• EAP (required for 802.

Creating Keys and Certificates

Choosing the Appropriate Certificate Installation Method for Your Network

Depending on your network environment, you can use any of the following methods to install certificates and their public-private key pairs. The methods differ in terms of simplicity and security. The simplest method is also the least secure, while the most secure method is slightly more complex to use.
• Self-signed certificate—The easiest method to use because a CA server is not required.

Creating Public-Private Key Pairs

To use a self-signed certificate or Certificate Signing Request (CSR) certificate for RoamAbout switch authentication, you must generate a public-private key pair. To create a public-private key pair, use the following command:

crypto generate key {admin | domain | eap | ssh | web} {128 | 512 | 1024 | 2048}

Choose the key length based on your need for security or to conform with your organization’s practices.

Installing a Key Pair and Certificate from a PKCS #12 Object File

PKCS object files provide a file format for storing and transferring data and cryptographic information. (For more information, see “PKCS #7, PKCS #10, and PKCS #12 Object Files” on page 16-4.) A PKCS #12 object file, which you obtain from a CA, includes the private key, a certificate, and optionally the CA’s own certificate.

Creating a CSR and Installing a Certificate from a PKCS #7 Object File

After creating a public-private key pair, you can obtain a signed certificate of authenticity from a CA by generating a Certificate Signing Request (CSR) from the RoamAbout switch. A CSR is a text block with an encoded request for a signed certificate from the CA.

Note: Many certificate authorities have their own unique requirements.

Installing a CA’s Own Certificate

If you installed a CA-signed certificate from a PKCS #7 file, you must also install the PKCS #7 certificate of that CA. (If you used the PKCS #12 method, the CA’s certificate is usually included with the key pair and server certificate.) To install a CA’s certificate, use the following command:

crypto ca-certificate {admin | eap | web} PEM-formatted-certificate

When prompted, paste the certificate under the prompt.
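Pasting a PEM block under a CLI prompt is where certificate installs most often go wrong: a line lost from the clipboard, a wrapped line, or the wrong kind of block (a CSR where a certificate is expected). The following Python is an added pre-flight check for such a block before it is pasted (it is not MSS code and not from this guide): it confirms the BEGIN/END armour for the expected label, that the body is valid base64, and that the DER payload is one complete SEQUENCE whose encoded length matches the bytes present. The same check applies to the CSR block shown in the configuration scenarios by passing the label CERTIFICATE REQUEST. The sample payload is constructed (a SEQUENCE holding INTEGER 5) and is not a real certificate.

```python
import base64
import binascii

# Added helper to sanity-check a PEM block before pasting it at the
# "crypto ca-certificate" (or CSR) prompt; not MSS code.

def check_pem_block(text: str, label: str = "CERTIFICATE") -> tuple:
    """Return (ok, reason). Checks armour lines, base64 body, and that the DER
    payload is a single SEQUENCE whose length field matches the payload size."""
    begin = "-----BEGIN %s-----" % label
    end = "-----END %s-----" % label
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != begin:
        return False, "missing %s" % begin
    if lines[-1] != end:
        return False, "missing %s (paste may be truncated)" % end
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, "body is not valid base64: %s" % exc
    if len(der) < 2 or der[0] != 0x30:
        return False, "payload does not start with a DER SEQUENCE"
    # DER length: short form (< 0x80) or long form (0x80 | n, then n length bytes)
    first = der[1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        return False, "DER length %d does not match payload (%d bytes)" % (length, len(der) - header)
    return True, "ok"

def pem_wrap(label: str, der: bytes) -> str:
    """Armour DER bytes the way a CA's PEM export does (64-character lines)."""
    body = base64.b64encode(der).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, wrapped, label)

# Constructed payload: SEQUENCE { INTEGER 5 }; stands in for a real certificate.
GOOD = pem_wrap("CERTIFICATE", bytes.fromhex("3003020105"))
# The same block with its END line lost in the paste.
TRUNCATED = GOOD.rsplit("\n", 2)[0] + "\n"
# A payload whose SEQUENCE claims 5 bytes but carries only 3.
BAD_LENGTH = pem_wrap("CERTIFICATE", bytes.fromhex("3005020105"))

if __name__ == "__main__":
    for name, block in (("good", GOOD), ("truncated", TRUNCATED), ("bad length", BAD_LENGTH)):
        print(name, check_pem_block(block))
    print("CSR label on a certificate block:", check_pem_block(GOOD, "CERTIFICATE REQUEST"))
```

The length check is what catches a block that lost a line from the middle: base64 still decodes, the armour is intact, but the DER header announces more bytes than arrived.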
Displaying Certificate and Key Information

To display information about certificates installed on a RoamAbout switch, use the following commands:

show crypto ca-certificate {admin | eap | web}
show crypto certificate {admin | eap | web}

Example

To display information about an administrative certificate, type the following command:

RBT-8100# show crypto certificate admin
Certificate:
Version: 3
Serial Number: 999 (0x3e7)
Subject: C=US, ST=CA, L=PLEAS, O=ETS, OU=SQ

Key and Certificate Configuration Scenarios

3. Generate self-signed certificates:
RBT-8100# crypto generate self-signed admin
Country Name: US
State Name: CA
Locality Name: San Francisco
Organizational Name: example
Organizational Unit: IT
Common Name: RAS 6
Email Address: admin@example.

Issuer: C=US, ST=CA, L=PLEAS, O=Enterasys, OU=SQA, CN=BOBADMIN/emailAddress=BOBADMIN, unstructuredName=BOB
Validity:
Not Before: Oct 19 01:59:42 2004 GMT
Not After : Oct 19 01:59:42 2005 GMT
RBT-8100# show crypto certificate web
Certificate:
Version: 3
Serial Number: 999 (0x3e7)
Subject: C=US, ST=CA, L=PLEAS, O=Enterasys, OU=SQA, CN=BOBADMIN/emailAddress=BOBADMIN, unstructuredName=BOB
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=CA, L=PLEAS, O=Ent

5. Unpack the PKCS #12 object files into the certificate and key storage area on the RoamAbout switch. Use the following command:
crypto pkcs12 {admin | eap | web} filename
The filename is the location of the file on the RoamAbout switch. For example:
RBT-8100# crypto pkcs12 admin 2048admn.p12
Unwrapped from PKCS12 file:
keypair
device certificate
CA certificate
RBT-8100# crypto pkcs12 eap 20481x.

Email Address: admin@example.com
Unstructured Name: wiring closet 12
CSR for admin is
-----BEGIN CERTIFICATE REQUEST-----
MIIBdTCB3wIBADA2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExGjAYBgNVBAMU
EXRlY2hwdWJzQHRycHouY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4
...
2L8Q9tk+G2As84QYMwe9RJAjfbYM5bdWRUFiLzvK7BJgqBsCZz4DP00=
-----END CERTIFICATE REQUEST-----
4. Copy the CSR into the CA’s application.
17 Configuring AAA for Network Users

For information about...            Refer to page...
About AAA for Network Users         17-1
AAA Tools for Network Users         17-8
Configuring 802.
About AAA for Network Users

Authentication

When a user attempts to access the network, MSS checks for an authentication rule that matches the following parameters:
• For wireless access, the authentication rule must match the SSID the user is requesting, and the user’s username or MAC address.
• For access on a wired authentication port, the authentication rule must match the user’s username or MAC address.

Authentication Algorithm

MSS can try more than one of the authentication types described in Authentication Types to authenticate a user. MSS tries 802.1X first. If the user’s NIC supports 802.1X but fails authentication, MSS denies access. Otherwise, MSS tries MAC authentication next. If MAC authentication is successful, MSS grants access to the user. Otherwise, MSS tries the fallthru authentication type specified for the SSID or wired authentication port.

Figure 17-1 Authentication Flowchart for Network Users
[Flowchart: the client associates with the Enterasys radio or requests access from a wired authentication port; the decision nodes “Client requests encrypted SSID?”, “802.1X rule that matches SSID?”, “Client responds to 802.1X?” and “Authentication succeeds?” lead to the outcomes “Allow Client” or “Refuse Client”.]

SSID Name “Any”

In authentication rules for wireless access, you can specify the name any for the SSID. This value is a wildcard that matches on any SSID string requested by the user. For 802.1X and WebAAA rules that match on SSID any, MSS checks the RADIUS servers or local database for the username (and password, if applicable) entered by the user. If the user information matches, MSS grants access to the SSID requested by the user, regardless of which SSID name it is.

The default well-known password is Enterasys but is configurable. (The same password applies to MAC users.) If the last-resort authentication rule matches on SSID any, which is a wildcard that matches on any SSID string, the RADIUS servers or local database must have user last-resort-any, exactly as spelled here.

Regardless of whether you configure the user and attributes on RADIUS servers or the switch’s local database, the VLAN attribute is required. The other attributes are optional.

Accounting

MSS also supports accounting. Accounting collects and sends information used for billing, auditing, and reporting—for example, user identities, connection start and stop times, the number of packets received and sent, and the number of bytes transferred.

AAA Tools for Network Users

Authentication verifies network user identity and is required before a network user is granted access to the network. A RoamAbout Switch authenticates user identity by username-password matching, digital signatures and certificates, or other methods (for example, by MAC address). You must decide whether to authenticate network users locally on the RoamAbout Switch, remotely via one or more external RADIUS server groups, or both locally and remotely.

AAA Rollover Process

A RoamAbout Switch attempts AAA methods in the order in which they are entered in the configuration:
1. The first AAA method in the list is used unless that method results in an error. If the method results in a pass or fail, the result is final and the RoamAbout Switch tries no other methods.
2. If the RoamAbout Switch receives no response from the first AAA method, it tries the second method in the list.
3.

3. To enable PEAP offload plus local authentication for all users of SSID mycorp at @example.com, the administrator enters the following command:
RBT-8100# set authentication dot1x ssid mycorp *@example.com peap-mschapv2 server-group1 local
Figure 17-2 shows the results of this combination of methods.

Notes:
• If one of the RADIUS servers in the group responds, and indicates that the user does not exist on the RADIUS server, or that the user is not permitted on the network, then authentication for the user fails, regardless of any additional methods. If none of the RADIUS servers in the server group responds, then the RoamAbout Switch attempts to authenticate using the next method in the list.
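The authentication algorithm (802.1X, then MAC, then the fallthru type) and the AAA rollover process (pass or fail is final; only no response moves to the next method) are two decision procedures that interact on every logon. The following Python is an added simulation of both (it is not MSS code and not from this guide). RADIUS servers and the local database are stood in for by small functions returning constructed results, and two points are assumptions: a method list in which no method responds ends in a fail, and the local database answers fail for an unknown user. The MAC user's password Enterasys is the default well-known password named earlier in this chapter.

```python
from typing import Callable, Dict, List

# Added simulation of the authentication algorithm and the AAA rollover process.
# Not MSS code: RADIUS server groups and the local database are modelled by
# small functions that return constructed results.

PASS, FAIL, NO_RESPONSE = "pass", "fail", "no-response"
Method = Callable[[], str]

def run_method_list(methods: List[Method]) -> str:
    """AAA rollover: a pass or fail from a method is final; only an error
    (no response) rolls over to the next method. Assumption: if no method
    responds at all, the result is a fail."""
    for method in methods:
        result = method()
        if result in (PASS, FAIL):
            return result
    return FAIL

def radius_server_group(server_results: List[str]) -> Method:
    """A server group answers with the first responding server's verdict. A reject
    from any responding server ends authentication regardless of later methods."""
    def method() -> str:
        for result in server_results:
            if result in (PASS, FAIL):
                return result
        return NO_RESPONSE        # no server in the group responded
    return method

def local_database(users: Dict[str, str], username: str, password: str) -> Method:
    """The local database always responds; an unknown user is a fail (assumption)."""
    return lambda: PASS if users.get(username) == password else FAIL

FALLTHRU_OUTCOME = {
    "none": "deny",
    "last-resort": "allow with the last-resort user's authorization",
    "web-portal": "serve Web Portal login page",
}

def authenticate_client(responds_to_8021x: bool, dot1x_methods: List[Method],
                        mac_methods: List[Method], fallthru: str = "none") -> str:
    """802.1X first; a client that responds to 802.1X but fails is denied. Otherwise
    MAC authentication; otherwise the SSID's or port's fallthru type decides.
    An empty method list stands for 'no matching authentication rule'."""
    if responds_to_8021x and dot1x_methods:
        return "allow" if run_method_list(dot1x_methods) == PASS else "deny"
    if mac_methods and run_method_list(mac_methods) == PASS:
        return "allow"
    return FALLTHRU_OUTCOME[fallthru]

# Constructed users for the "peap-mschapv2 server-group1 local" rule shown above.
LOCAL_USERS = {"bob@example.com": "s3cret"}
MAC_USERS = {"00:11:22:33:44:55": "Enterasys"}

def scenario_group_down() -> str:
    """server-group1 is unreachable, so authentication rolls over to local."""
    methods = [radius_server_group([NO_RESPONSE, NO_RESPONSE]),
               local_database(LOCAL_USERS, "bob@example.com", "s3cret")]
    return authenticate_client(True, methods, [], "none")

def scenario_radius_rejects() -> str:
    """One server responds with a reject: final, even though local would pass,
    and a failed 802.1X attempt never falls through to Web Portal."""
    methods = [radius_server_group([NO_RESPONSE, FAIL]),
               local_database(LOCAL_USERS, "bob@example.com", "s3cret")]
    return authenticate_client(True, methods, [], "web-portal")

if __name__ == "__main__":
    print("group down, local passes:", scenario_group_down())
    print("one RADIUS server rejects:", scenario_radius_rejects())
```

scenario_radius_rejects shows the two rules compounding: the reject is final within the method list, and because the client did respond to 802.1X the failure is a deny rather than a fall-through to the SSID's web-portal type.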
Ways a RoamAbout Switch Can Use EAP

Network users with 802.1X support cannot access the network unless they are authenticated. You can configure a RoamAbout switch to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the RoamAbout switch, or to offload some authentication tasks from the server group. Table 17-2 details these three basic RoamAbout switch authentication approaches.
Wired users are not eligible for the encryption performed on the traffic of wireless users, but they can be authenticated by an EAP method, a MAC address, a Web login page served by the RoamAbout switch, or a last-resort username.

Configuring 802.1X Authentication

The IEEE 802.1X standard is a framework for passing EAP protocols over a wired or wireless LAN. Within this framework, you can use TLS, PEAP-TTLS, or EAP-MD5.

Configuring EAP Offload

You can configure the RoamAbout Switch to offload all EAP processing from server groups. In this case, the RADIUS server is not required to communicate using the EAP protocols. For PEAP-MS-CHAP-V2 offload, you define a complete user profile in the local RoamAbout Switch database and only a username and password on a RADIUS server.

Example

The following command authenticates all wireless users who request SSID marshes at example.

Binding User Authentication to Machine Authentication

Bonded Auth™ (bonded authentication) is a security feature that binds an 802.1X user’s authentication to authentication of the machine from which the user is attempting to log on. When this feature is enabled, MSS authenticates a user only if the machine from which the user logs on has already been authenticated separately. By default, MSS does not bind user authentication to machine authentication.

• host/*.mycorp.com (userglob for the machine authentication rule)
• *.mycorp.com (userglob for the user authentication rule)
If the domain name has more nodes (for example, nl.mycorp.com), use an asterisk in each node that you want to match globally. For example, to match on all machines and users in mycorp.com, use the following userglobs:
• host/*.*.mycorp.com (userglob for the machine authentication rule)
• *.*.mycorp.

Bonded Auth Configuration Example

To configure Bonded Auth:
• Configure separate authentication rules for the machine and for the user(s).
• Set the Bonded Auth period.
• Verify the configuration changes.
The following commands configure two 802.1X authentication rules for access to SSID mycorp. The first rule is for authentication of all trusted laptop PCs at mycorp.com (host/*-laptop.mycorp.com). The second rule is for bonded authentication of all users at mycorp.

reauthentication enabled
authentication control enabled
WEP rekey period 1800
WEP rekey enabled
Bonded period 60

Information for the 802.1X authentication rule for the machine (host/bob-laptop.mycorp.com) is also displayed. However, the bonded option is configured only for the user’s authentication rule. The bonded option applies only to the authentication rules for users, not the authentication rules for machines.
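The userglob examples above (host/*.mycorp.com, *.mycorp.com, host/*.*.mycorp.com) and the Bonded Auth example with its Bonded period of 60 describe a matcher and a time-bounded check. The following Python is an added model of both (it is not MSS code and not from this guide). Three points are assumptions, not statements on the page: an asterisk matches within a single node only (it never crosses a dot, as the advice to put an asterisk in each node implies, and in this model also not @ or /); a user session is tied to its machine by the device MAC address; and the Bonded period is the number of seconds after a machine authentication during which that user's logon is accepted. Machine names, usernames and MAC addresses in the functions are constructed.

```python
import re
from typing import Dict

# Added model of userglob matching and of the Bonded Auth check; not MSS code.
# Assumptions: "*" matches within one node only (never crosses ".", "@" or "/"),
# the user session is tied to its machine by MAC address, and the Bonded period
# is the number of seconds after machine authentication during which the user
# logon is accepted.

def userglob_to_regex(glob: str) -> "re.Pattern":
    """Each "*" becomes a run of characters that stops at a node delimiter."""
    parts = [re.escape(part) for part in glob.split("*")]
    return re.compile("^" + "[^.@/]*".join(parts) + "$")

def userglob_matches(glob: str, name: str) -> bool:
    return userglob_to_regex(glob).match(name) is not None

class BondedAuth:
    """Two 802.1X rules for one SSID: a machine rule (host/...) and a user rule with
    the bonded option. A user is allowed only if the machine the user logs on from
    authenticated within the Bonded period."""
    def __init__(self, machine_glob: str, user_glob: str, bonded_period: int = 60):
        self.machine_glob = machine_glob
        self.user_glob = user_glob
        self.bonded_period = bonded_period
        self._machine_auth_at: Dict[str, float] = {}   # device MAC -> time of machine auth

    def machine_authenticated(self, machine_name: str, mac: str, now: float) -> bool:
        """Record a successful machine authentication (the credential check itself
        is assumed to have passed) if the name matches the machine rule."""
        if not userglob_matches(self.machine_glob, machine_name):
            return False
        self._machine_auth_at[mac] = now
        return True

    def user_allowed(self, username: str, mac: str, now: float) -> bool:
        """The bonded user rule: the username must match, and this device must have
        completed machine authentication no more than bonded_period seconds ago."""
        if not userglob_matches(self.user_glob, username):
            return False
        auth_at = self._machine_auth_at.get(mac)
        return auth_at is not None and 0 <= now - auth_at <= self.bonded_period

def mycorp_example() -> BondedAuth:
    """The rules of the example above: trusted laptops host/*-laptop.mycorp.com,
    bonded users *.mycorp.com, Bonded period 60."""
    return BondedAuth("host/*-laptop.mycorp.com", "*.mycorp.com", bonded_period=60)

if __name__ == "__main__":
    rules = mycorp_example()
    rules.machine_authenticated("host/bob-laptop.mycorp.com", "00:11:22:33:44:55", now=100)
    print("user within period:", rules.user_allowed("bob.mycorp.com", "00:11:22:33:44:55", now=130))
    print("user after period: ", rules.user_allowed("bob.mycorp.com", "00:11:22:33:44:55", now=200))
```

The node-bounded asterisk is what makes *.mycorp.com reject bob.nl.mycorp.com while *.*.mycorp.com accepts it, exactly the distinction the text draws for domains with more nodes.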
Configuring Authentication and Authorization by MAC Address

You must sometimes authenticate users based on the MAC addresses of their devices rather than a username-password or certificate. For example, some Voice-over-IP (VoIP) phones and personal digital assistants (PDAs) do not support 802.1X authentication. If a client does not support 802.1X, MSS attempts to perform MAC authentication for the client instead.

Clearing MAC Users and Groups

To clear a MAC user from a user group, use the following command:
clear mac-user mac-addr group

Examples

The following command removes MAC user 01:0f:03:04:05:06 from group macfans:
RBT-8100# clear mac-user 01:0f:03:04:05:06 group
success: change accepted.
The clear mac-usergroup command removes the group.

To add the MAC user 00:01:02:03:04:05 to VLAN red:
RBT-8100# set mac-user 00:01:02:03:04:05 attr vlan-name red
success: change accepted
To change the value of an authorization attribute, reenter the command with the new value.
Configuring Web Portal WebAAA

WebAAA simplifies secure access to unencrypted SSIDs. When a user requests access to an SSID or attempts to access a web page before logging onto the network, MSS serves a login page to the user’s browser. After the user enters a username and password, MSS checks the local database or RADIUS servers for the user information, and grants or denies access based on whether the user information is found.

Note: MSS ignores the VLAN-Name or Tunnel-Private-Group-ID attribute associated with the user, and leaves the user in the VLAN associated with the web-portal-ssid or web-portal-wired user. These users are automatically created by MSS, and MSS associates the default VLAN with these users by default. To associate a web-portal-ssid or web-portal-wired user with a VLAN other than default, you must modify the user.
7.

WebAAA Requirements and Recommendations

Note: MSS Version 5.0 does not require or support special user web-portal-ssid, where ssid is the SSID the Web-Portal user associates with. Previous MSS Versions required this special user for Web-Portal configurations. Any web-portal-ssid users are removed from the configuration during upgrade to MSS Version 5.0. However, the web-portal-wired user is still required for Web Portal on wired authentication ports.

Note: In MSS Version 4.1 and earlier, the VLAN was required to be statically configured on the RoamAbout Switch where W
ebAAA was configured and through which the user accessed the network. MSS Version 4.2 removes this restriction. The VLAN you want to place an authenticated WebAAA user on does not need to be statically configured on the switch where Web Portal is configured.

The web rule also must match on the SSID the user will use to access the network. If the user will access the network on a wired authentication port, the rule must match on wired. To configure authentication rules, use the set authentication web command.
– Web Portal WebAAA must be enabled, using the set web-portal command. The feature is enabled by default.
– Authentication rules—A web authentication rule must be configured for the WebAAA users.

Network Requirements

The VLAN where users will be placed must have an IP interface, and the subnet the interface is in must have access to DHCP and DNS servers.

RoamAbout Switch Recommendations

• Consider installing a WebAAA certificate signed by a trusted CA, instead of one signed by the RoamAbout switch itself.

Configuring Web Portal WebAAA

To configure Web Portal WebAAA:
1. Configure an SSID or wired authentication port and set the fallthru authentication type to web-portal. The default for SSIDs and for wired authentication ports is none.
Note: When you create the service profile for an SSID, make sure to set the SSID name before you change the fallthru authentication type.

5. Display the configuration:
RBT-8100# show config
# Configuration nvgen'd at 2005-5-09 19:14:10
# Image 4.0.1
# Model RBT-8100
# Last change occurred at 2005-5-09 19:13:45
...
set service-profile mycorpsrvcprof ssid-name mycorp
set service-profile mycorpsrvcprof ssid-type clear
set service-profile mycorpsrvcprof auth-fallthru web-portal
...

After authentication and authorization are complete, the web-portal-mycorp username is replaced with the username entered by the WebAAA user during login.

Copying and Modifying the Enterasys Login Page

To copy and modify the Enterasys Web login page:
1. Configure an unencrypted SSID on a RoamAbout switch. The SSID is temporary and does not need to be one you intend to use in your network.

c. Map a radio to the temporary radio profile and enable it:
set ap 2 radio 1 radio-profile temprad mode enable
success: change accepted.
2. From your PC, attempt to directly access the temporary SSID. The RoamAbout Switch serves the login page.
3. In the browser, select File > Save As to save the login page.
4. Delete the temporary SSID, along with the temporary service profile and radio profile you created for it.

Filename                  Size         Created
file:mycorp-login.html    637 bytes    Aug 12 2004, 15:42:26
file:mylogo.gif           1202 bytes   Aug 12 2004, 15:57:11
Total: 1839 bytes used, 206577 Kbytes free
9. Use the following command to configure the SSID to use the custom page:
set service-profile name web-portal-form url
For the url, specify the full path; for example, mycorp-webaaa/mycorp-login.html.

When user piltdown is successfully authenticated and authorized, MSS redirects the user to the following URL:
http://myserver.com/piltdown.html
The following example configures a redirect URL that contains a script argument using the literal character ?:
RBT-8100# set usergroup ancestors attr url https://saqqara.org/login.php$quser=$u
success: change accepted.
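The url attribute is a template: per the example above, $u is replaced by the authenticated username and $q stands for a literal question mark. The following Python is an added illustration of that expansion (it is not MSS code and not from this guide). The template http://myserver.com/$u.html is assumed from the piltdown result shown, and percent-encoding the username is this example's own safeguard rather than anything the page states about MSS; it keeps a username from adding path segments or query parameters to the redirect target. The usernames are constructed.

```python
from urllib.parse import quote

# Added example of expanding the url attribute's variables; not MSS code.
# $u -> authenticated username, $q -> literal "?" (from the page's example).
# Percent-encoding $u is this example's own safeguard (an assumption about
# nothing the page states), so user-controlled data cannot reshape the URL.

def expand_redirect_url(template: str, username: str) -> str:
    """Expand $q and $u in a WebAAA redirect URL template."""
    url = template.replace("$q", "?")                    # $q first: it is a literal, not data
    return url.replace("$u", quote(username, safe=""))   # $u carries user-controlled data

def redirect_examples() -> dict:
    """Constructed usernames run through the two templates discussed above."""
    return {
        # template assumed from the piltdown -> /piltdown.html result shown above
        "piltdown": expand_redirect_url("http://myserver.com/$u.html", "piltdown"),
        "ancestors": expand_redirect_url("https://saqqara.org/login.php$quser=$u", "piltdown"),
        # a username carrying query syntax stays a single encoded parameter value
        "untrusted": expand_redirect_url("https://saqqara.org/login.php$quser=$u", "x&admin=1"),
    }

if __name__ == "__main__":
    for name, url in redirect_examples().items():
        print("%-10s %s" % (name, url))
```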
Configuring the Web Portal WebAAA Session Timeout Period

When a client that has connected through Web Portal WebAAA enters standby or hibernation mode, MSS may place the client’s Web Portal WebAAA session in the Deassociated state.

Configuring Last-Resort Access

Users who are not authenticated and authorized by 802.1X methods or a MAC address can gain limited access to the network as guest users. You can optionally configure a special username called last-resort-wired (for wired authentication access) or last-resort-ssid, where ssid is the SSID requested by the user. To match on the wildcard SSID name any, configure user last-resort-any, exactly as spelled here.
Configuring AAA for Users of Third-Party APs

A RoamAbout Switch can provide network access for users associated with a third-party AP that has authenticated the users with RADIUS. You can connect a third-party AP to a RoamAbout Switch and configure the RoamAbout Switch to provide authorization for clients who authenticate and access the network through the AP. Figure 17-3 shows an example.

Requirements

Third-Party AP Requirements
• The third-party AP must be connected to the RoamAbout Switch through a wired Layer 2 link. MSS cannot provide data services if the AP and RoamAbout Switch are in different Layer 3 subnets.
• The AP must be configured as the RoamAbout Switch’s RADIUS client.
• The AP must be configured so that all traffic for a given SSID is mapped to the same 802.1Q tagged VLAN.

RADIUS Server Requirements
• For 802.1X users, the usernames and passwords must be configured on the RADIUS server.
• For non-802.1X users of a tagged SSID, the special username web-portal-ssid or last-resort-ssid must be configured, where ssid is the SSID name. The fallthru authentication type (web-portal or last-resort) specified for the wired authentication port connected to the AP determines which username you need to configure.

Examples

The following command configures RoamAbout Switch ports 3 and 4 as wired authentication ports, and assigns tag value 104 to the ports:
set port type wired-auth 3-4 tag 104
success: change accepted.
You can specify multiple tag values. Specify the tag value for each SSID you plan to support. The following command configures a MAC authentication rule that matches on the third-party AP’s MAC address.

Configuring Authentication for Non-802.1X Users of a Third-Party AP with Tagged SSIDs

To configure MSS to authenticate non-802.1X users of a third-party AP, use the same commands as those required for 802.1X users. Additionally, when configuring the wired authentication port, use the auth-fall-thru option to change the fallthru authentication type to last-resort or web-portal.
Assigning Authorization Attributes

Authorization attributes can be assigned to users in the local database or on remote servers. The attributes, which include access control list (ACL) filters, VLAN membership, encryption type, session time-out period, and other session characteristics, let you control how and when users access the network.
Table 17-5 Authentication Attributes for Local Users (continued)

filter-id
  Description: Security access control list (ACL), to permit or deny traffic received (input) or sent (output) by the RoamAbout Switch. (For more information about security ACLs, see Chapter 15, Configuring and Managing Security ACLs.)
  Valid value(s): Name of an existing security ACL, up to 253 alphanumeric characters, with no tabs or spaces.
  • Use acl-name.

start-date
  Description: Date and time at which the user becomes eligible to access the network. MSS does not authenticate the user unless the attempt to access the network occurs at or after the specified date and time, but before the end-date (if specified).
  Valid value(s): Date and time, in the following format:

url (network access mode only)
  Description: URL to which the user is redirected after successful WebAAA.
  Valid value(s): Web URL, in standard format. For example: http://www.example.com
  Note: You must include the http:// portion.
To change the value of an authorization attribute, reenter the command with the new value. To assign an authorization attribute to a user’s configuration on a RADIUS server, refer to the documentation for your RADIUS server.

Assigning SSID Default Attributes to a Service Profile
You can configure a service profile with a set of default AAA authorization attributes that are used when the normal AAA process or a location policy does not provide them. These authorization attributes are applied by default to users accessing the SSID managed by the service profile.

Assigning a Security ACL to a User or a Group
Once a security access control list (ACL) is defined and committed, it can be applied dynamically and automatically to users and user groups through the 802.1X authentication and authorization process. When you assign a Filter-Id attribute to a user or group, the security ACL name value is entered as an authorization attribute into the user or group record in the local RoamAbout Switch database or RADIUS server.

Assigning a Security ACL on a RADIUS Server
To assign a security ACL name as the Filter-Id authorization attribute of a user or group record on a RADIUS server, see the documentation for your RADIUS server.
Encryption-Type Value   Encryption Algorithm Assigned
4                       Temporal Key Integrity Protocol (TKIP).
8                       Wired-Equivalent Privacy protocol using 104 bits of key strength (WEP_104). This is the default.
16                      Wired-Equivalent Privacy protocol using 40 bits of key strength (WEP_40).
32                      No encryption.

Yes in the table means the VLAN is set on the roamed-to RoamAbout Switch, by the mechanism indicated by the column header. No means the VLAN is not set. Yes or No means the mechanism does not affect the outcome, due to another mechanism that is set. The VLAN Assigned By column indicates the mechanism that is used by the roamed-to switch to assign the VLAN, based on the various ways the VLAN is set on that switch.
Overriding or Adding Attributes Locally with a Location Policy

During the login process, the AAA authorization process is started immediately after clients are authenticated to use the RoamAbout Switch. During authorization, MSS assigns the user to a VLAN and applies optional user attributes, such as a session timeout value and one or more security ACL filters.

Setting the Location Policy
To enable the location policy function on a RoamAbout Switch, you must create at least one location policy rule with one of the following commands:
set location policy deny if {ssid operator ssid-name | vlan operator vlan-glob | user operator user-glob | port port-list | dap dap-num} [before rule-number | modify rule-number]
set location policy permit {vlan vlan-name | inacl inacl-name | outacl outacl-name} if {ssid

Applying Security ACLs in a Location Policy Rule
When reassigning security ACL filters, specify whether the filter is an input filter or an output filter, as follows:
• Input filter—Use inacl inacl-name to filter traffic that enters the switch from users via a wired authentication port or from the network via a network port.

Id  Clauses
---------------------------------------------------------------
1)  permit vlan guest_1 if vlan neq *.ourfirm.com
2)  permit vlan bld4.tac inacl tac_24.in if user eq *.ny.ourfirm.com
3)  permit inacl svcs_2.in outacl svcs_3.out if vlan eq bldg4.*
4)  deny if user eq *.theirfirm.
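As an added example (not code from the guide or from MSS), the following Python evaluates location policy clauses in the form listed above against a session's AAA-assigned attributes, to show how rule order and the eq/neq globs decide which VLAN and ACLs a user ends up with. It assumes first-match evaluation in listed order and a simplified glob where * matches any run of characters; rule 4's glob is a constructed placeholder because the page's listing is cut off, and port/dap conditions are not handled.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass
class LocationRule:
    action: str                        # "permit" or "deny"
    attr: str                          # condition attribute: "ssid", "vlan" or "user"
    operator: str                      # "eq" or "neq"
    glob: str                          # glob the attribute is compared against
    overrides: dict = field(default_factory=dict)   # vlan / inacl / outacl applied on permit


def parse_rule(text):
    """Parse one clause as the switch lists it, e.g.
    'permit vlan bld4.tac inacl tac_24.in if user eq *.ny.ourfirm.com'.
    Only ssid/vlan/user conditions are supported here (not port or dap)."""
    tokens = text.split()
    if "if" not in tokens:
        raise ValueError(f"rule has no 'if' clause: {text!r}")
    cut = tokens.index("if")
    action = tokens[0]
    # attribute/value pairs between the action and 'if' are the overrides
    overrides = dict(zip(tokens[1:cut:2], tokens[2:cut:2]))
    condition = tokens[cut + 1:cut + 4]
    if len(condition) != 3:
        raise ValueError(f"incomplete condition: {text!r}")
    attr, operator, glob = condition
    if action not in ("permit", "deny") or operator not in ("eq", "neq"):
        raise ValueError(f"unsupported rule: {text!r}")
    return LocationRule(action, attr, operator, glob, overrides)


def glob_match(glob, value):
    # '*' matches any run of characters; '**' is treated like '*' (assumption)
    return fnmatch.fnmatchcase(value.lower(), glob.replace("**", "*").lower())


def rule_applies(rule, session):
    matched = glob_match(rule.glob, session.get(rule.attr, ""))
    return matched if rule.operator == "eq" else not matched


def apply_location_policy(rules, session):
    """session: dict with user, ssid and the AAA-assigned vlan/inacl/outacl.
    Returns ("deny", {}) or ("permit", effective attributes)."""
    effective = {k: session.get(k) for k in ("vlan", "inacl", "outacl")}
    for rule in rules:                     # first matching rule decides (assumption)
        if not rule_applies(rule, session):
            continue
        if rule.action == "deny":
            return "deny", {}
        effective.update(rule.overrides)   # location policy overrides the AAA values
        return "permit", effective
    return "permit", effective             # no rule matched: AAA attributes stand


# Rules 1-3 as listed on the page; rule 4's glob is constructed (the page text is cut off)
RULES = [parse_rule(r) for r in (
    "permit vlan guest_1 if vlan neq *.ourfirm.com",
    "permit vlan bld4.tac inacl tac_24.in if user eq *.ny.ourfirm.com",
    "permit inacl svcs_2.in outacl svcs_3.out if vlan eq bldg4.*",
    "deny if user eq *.theirfirm.example",
)]

if __name__ == "__main__":
    # constructed sessions: AAA already assigned the vlan, the policy then adjusts it
    for s in ({"user": "sam.ny.ourfirm.com", "ssid": "mycorp", "vlan": "eng.ourfirm.com"},
              {"user": "jo.bos.ourfirm.com", "ssid": "mycorp", "vlan": "bldg4.ourfirm.com"},
              {"user": "guest", "ssid": "mycorp", "vlan": "visitors"},
              {"user": "x.theirfirm.example", "ssid": "mycorp", "vlan": "a.ourfirm.com"}):
        print(s["user"], "->", apply_location_policy(RULES, s))
```

Note that rule 1 fires for every session whose AAA VLAN does not match *.ourfirm.com, so rules 2 and 3 are only reached by users already placed in an ourfirm.com VLAN.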
Start Records                       Update and Stop Records
Session duration                    Session duration
Timestamp                           Timestamp
VLAN name                           VLAN name
Client’s MAC address                Client’s MAC address
AP port number and radio number     AP port number and radio number
AP’s MAC address                    AP’s MAC address
                                    Number of octets received by the RoamAbout Switch
                                    Number of octets sent by the switch
                                    Number of packets received by the switch
                                    Number of packets sent by the switch
(For details about show account

RBT-8100# set accounting system shorebirds
success: change accepted.
Note that local is not a valid method for this command. When you enter this command, an Accounting-On message is generated and sent to the specified server or server group. Subsequent Accounting-On messages are generated each time the RoamAbout Switch starts. When the RoamAbout Switch is administratively shut down, an Accounting-Off message is generated.

Acct-Authentic=2
User-Name=Administrator@example.com
Acct-Multi-Session-Id=SESSION-4-1106424789
Event-Timestamp=1053536492
Vlan-Name=default
Calling-Station-Id=00-06-25-09-39-5D
Nas-Port-Id=1/1
Called-Station-Id=00-0B-0E-76-56-A8
The user roamed to RBT-8100-0017.
RBT-8100-0017# show accounting statistics
May 21 17:05:00
Acct-Status-Type=UPDATE
Acct-Authentic=2
Acct-Multi-Session-Id=SESSION-4-1106424789
User-Name=Administrator@example.

If you configured accounting records to be sent to a RADIUS server, you can view the records of user roaming at the RADIUS server. (For more information on these attributes, see Appendix C, Supported RADIUS Attributes.) For information about requesting accounting records from the RADIUS server, see the documentation for your RADIUS server.
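Added example, not code from the guide or from MSS: a Python parser for records in the show accounting statistics format shown above that groups them by Acct-Multi-Session-Id and reports where the user roamed between APs (the Called-Station-Id or switch changes between consecutive records). The two outputs are constructed to mirror the page's records; the first record's clock time, the second record's Event-Timestamp, Nas-Port-Id and Called-Station-Id are placeholders.

```python
import re
from collections import defaultdict

# Each record starts with a timestamp followed by Attribute=Value pairs, which may be
# on one line or spread over several (the switch output above shows both shapes).
RECORD_START = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\b", re.M)
PAIR = re.compile(r"([\w-]+)=(\S+)")


def parse_accounting(text):
    """Split 'show accounting statistics' output into a list of record dicts."""
    starts = list(RECORD_START.finditer(text))
    records = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        rec = {"time": m.group(1)}
        rec.update(PAIR.findall(text[m.end():end]))
        records.append(rec)
    return records


def roaming_timeline(outputs):
    """outputs: {switch_name: show accounting statistics text}.
    Returns {Acct-Multi-Session-Id: [(time, switch, status, ap_mac), ...]}
    ordered by Event-Timestamp, so records from several switches interleave correctly."""
    sessions = defaultdict(list)
    for switch, text in outputs.items():
        for rec in parse_accounting(text):
            sid = rec.get("Acct-Multi-Session-Id")
            if sid is None:
                continue                     # not a per-user record
            sessions[sid].append((int(rec.get("Event-Timestamp", 0)), rec["time"], switch,
                                  rec.get("Acct-Status-Type"), rec.get("Called-Station-Id")))
    return {sid: [e[1:] for e in sorted(evts)] for sid, evts in sessions.items()}


def roams(timeline):
    """Consecutive event pairs where the user moved to a different AP or switch."""
    return [(prev, cur) for prev, cur in zip(timeline, timeline[1:])
            if (prev[1], prev[3]) != (cur[1], cur[3])]


# Constructed samples modelled on the page's records (see the lead-in for which
# values are placeholders).
RBT_8100 = """\
May 21 17:01:32 Acct-Status-Type=START Acct-Authentic=2 User-Name=Administrator@example.com
Acct-Multi-Session-Id=SESSION-4-1106424789 Event-Timestamp=1053536492 Vlan-Name=default
Calling-Station-Id=00-06-25-09-39-5D Nas-Port-Id=1/1 Called-Station-Id=00-0B-0E-76-56-A8
"""
RBT_8100_0017 = """\
May 21 17:05:00 Acct-Status-Type=UPDATE
Acct-Authentic=2
Acct-Multi-Session-Id=SESSION-4-1106424789
User-Name=Administrator@example.com
Event-Timestamp=1053536700
Vlan-Name=default
Calling-Station-Id=00-06-25-09-39-5D
Nas-Port-Id=2/1
Called-Station-Id=00-0B-0E-AA-BB-CC
"""


def sample_timeline():
    return roaming_timeline({"RBT-8100": RBT_8100, "RBT-8100-0017": RBT_8100_0017})


if __name__ == "__main__":
    for sid, events in sample_timeline().items():
        print(sid)
        for time, switch, status, ap in events:
            print(f"  {time}  {switch:<14} {status:<7} AP {ap}")
        for prev, cur in roams(events):
            print(f"  roamed from {prev[3]} ({prev[1]}) to {cur[3]} ({cur[1]})")
```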
Displaying the AAA Configuration

To view the results of the AAA commands you have set and verify their order, type the show aaa command. The order in which the commands appear in the output determines the order in which MSS matches them to users. (Sometimes the order might not be what you intended. See “Avoiding AAA Problems in Configuration Order” on page 17-61.)

Avoiding AAA Problems in Configuration Order

Using the Wildcard “Any” as the SSID Name in Authentication Rules
You can configure an authentication rule to match on all SSID strings by using the SSID string any in the rule. For example, the following rule matches on all SSID strings requested by all users:
set authentication web ssid any ** sg1
MSS checks authentication rules in the order they appear in the configuration file.

Using Authentication and Accounting Rules Together
When you use accounting commands with authentication commands and identify users with user globs, MSS might not process the commands in the order you entered them. As a result, user authentication or accounting might not proceed as you intend, or valid users might fail authentication and be shut out of the network.

success: change accepted.
RBT-8100# set authentication dot1x ssid mycorp * peap-mschapv2 local
success: change accepted.
The configuration order now shows that all 802.1X users are processed as you intended:
RBT-8100# show aaa
...
During 802.1X authorization for clients at EXAMPLE\, MSS must search for the Mobility Profile named roses-profile. If it is not found, the authorization fails and clients with usernames like EXAMPLE\jose and EXAMPLE\tamara are rejected. If roses-profile is configured for EXAMPLE\ users on your RoamAbout Switch, MSS checks its port list.

Network User Configuration Scenarios

General Use of Network User Commands
The following example illustrates how to configure IEEE 802.1X network users for authentication, accounting, ACL filtering, and Mobility Profile assignment:
1. Configure all 802.1X users of SSID mycorp at EXAMPLE to be authenticated by server group shorebirds. Type the following command:
RBT-8100# set authentication dot1x ssid mycorp EXAMPLE\* pass-through shorebirds
2.

7. Use the show aaa command to verify your configuration.

Enabling PEAP-MS-CHAP-V2 Authentication
The following example illustrates how to enable local PEAP-MS-CHAP-V2 authentication for all 802.1X network users. This example includes local usernames, passwords, and membership in a VLAN. This example includes one username and an optional attribute for session-timeout in seconds.
1. To set authentication for all 802.

Combining EAP Offload with Pass-Through Authentication
The following example illustrates how to enable PEAP-MS-CHAP-V2 offload for the marketing (mktg) group and RADIUS pass-through authentication for members of engineering. This example assumes that engineering members are using DNS-style naming, such as is used with EAP-TLS. A RoamAbout switch server certificate is also required.
1. Configure the RADIUS server r1 at IP address 10.1.1.
18 Configuring Communication with RADIUS

For information about...                          Refer to page...
RADIUS Overview                                   18-1
Before You Begin                                  18-2
Configuring RADIUS Servers                        18-3
Configuring RADIUS Server Groups                  18-6
RADIUS and Server Group Configuration Scenario    18-9

For a list of the standard and extended RADIUS attributes and Enterasys vendor-specific attributes (VSAs) supported by MSS, see Appendix C, Supported RADIUS Attributes.
Before You Begin

Figure 18-1 Wireless Client, AP, RoamAbout switch, and RADIUS Servers (figure: two clients with laptops, AP 1 and AP 2, a RAS with local database, RADIUS Server 1 and RADIUS Server 2, with the wired and wireless connections between them numbered 1 through 4)

In the example shown in Figure 18-1, the following events occur:
1. The wireless user (client) requests an IEEE 802.11 association from the AP.
2.
Configuring RADIUS Servers

An authentication server authenticates each client with access to a switch port before making available any services offered by the switch or the wireless network. The authentication server can reside either in the local database on the RoamAbout switch or on a remote RADIUS server. When a RADIUS server is used for authentication, you must configure RADIUS server parameters.

Configuring Global RADIUS Defaults
You can change RADIUS values globally and set a global password (key) with the following command. The key string is the shared secret that the RoamAbout switch uses to authenticate itself to the RADIUS server.
set radius {deadtime minutes | encrypted-key string | key string | retransmit number | timeout seconds}
(To override global settings for individual RADIUS servers, use the set radius server command.)

Configuring Individual RADIUS Servers
You must set up a name and IP address for each RADIUS server. To configure a RADIUS server, use the following command:
set radius server server-name [address ip-address] [key string]
The server name must be unique for this RADIUS server on this RoamAbout Switch. Do not use the same name for a RADIUS server and a RADIUS server group.

Configuring RADIUS Server Groups

A server group is a named group of up to four RADIUS servers. Before you can use a RADIUS server for authentication, you must first create a RADIUS server group and add the RADIUS server to that group. You can also arrange load balancing, so that authentications are spread out among servers in the group. You must declare all members of a server group, in contact order, when you create the group.

However, if the local database is the first method in the list, followed by a RADIUS server group, the RoamAbout switch responds to a failed search of the database by sending a request to the following RADIUS server group. This exception is called local override. For more information, see “AAA Methods for IEEE 802.1X and Web Network Access” on page 17-8.
Example
To add RADIUS server coot to server group shorebirds:
1. Determine the server group by typing the following command:
RBT-8100# show aaa
Radius Servers
Server      Addr             Ports       T/o  Tries  Dead  State
------------------------------------------------------------------
sandpiper   192.168.253.3    1812 1813   5    3      0     UP
heron       192.168.253.1    1812 1813   5    3      0     UP
coot        192.168.253.4    1812 1813   5    3      0     UP
egret       192.168.253.
Deleting a Server Group
To remove a server group, type the following command:
clear server group group-name
Example
To delete the server group shorebirds, type the following command:
RBT-8100# clear server group shorebirds
success: change accepted.

RADIUS and Server Group Configuration Scenario

6. Display the configuration. Type the following command:
RBT-8100# show aaa
Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server      Addr             Ports       T/o  Tries  Dead  State
------------------------------------------------------------------
sandpiper   192.168.253.17   1812 1813   5    3      0     UP
seagull     192.168.243.12   1812 1813   5    3      0     UP
egret       192.168.243.15   1812 1813   5    3      0     UP
pelican     192.168.253.
19 Managing 802.1X on the RoamAbout Switch

For information about...                         Refer to page...
Managing 802.1X on Wired Authentication Ports    19-1
Managing 802.1X Encryption Keys                  19-3
Setting EAP Retransmission Attempts              19-5
Managing 802.1X Client Reauthentication          19-5
Managing Other Timers                            19-7
Displaying 802.1X Information                    19-8

Certain settings for IEEE 802.1X sessions on the RAS are enabled by default.

Managing 802.1X on Wired Authentication Ports

Enabling and Disabling 802.1X Globally
The following command globally enables or disables 802.1X authentication on all wired authentication ports on a RAS:
set dot1x authcontrol {enable | disable}
The default setting is enable, which permits 802.1X authentication to occur as determined by the set dot1x port-control command for each wired authentication port. The disable setting forces all wired authentication ports to unconditionally authorize all 802.
Managing 802.1X Encryption Keys

By default, the RoamAbout Switch sends encryption key information to a wireless supplicant (client) in an Extensible Authentication Protocol over LAN (EAPoL) packet after authentication is successful. You can disable this feature or change the time interval for key transmission.

Managing WEP Keys
Wired-Equivalent Privacy (WEP) is part of the system security of 802.1X. MSS uses WEP to provide confidentiality to packets as they are sent over the air. WEP operates on the access point. WEP uses a secret key shared between the communicators. WEP rekeying increases the security of the network. New unicast keys are generated every time a client performs 802.1X authentication. The rekeying process can be performed automatically on a periodic basis.

Setting EAP Retransmission Attempts

The following command sets the maximum number of times the RAS retransmits an 802.1X-encapsulated EAP request to the supplicant (client) before it times out the authentication session:
set dot1x max-req number-of-retransmissions
The default number of retransmissions is 2. You can specify from 0 to 10 retransmit attempts.

Managing 802.1X Client Reauthentication

Setting the Maximum Number of 802.1X Reauthentication Attempts
The following command sets the number of reauthentication attempts that the RAS makes before the supplicant (client) becomes unauthorized:
set dot1x reauth-max number-of-attempts
The default number of reauthentication attempts is 2. You can specify from 1 to 10 attempts.

Type the following command to reset the default timeout period:
RBT-8100# clear dot1x reauth-period
success: change accepted.

Setting the Bonded Authentication Period
The following command sets the Bonded Auth™ (bonded authentication) period, which is the number of seconds MSS retains session information for an authenticated machine while waiting for the 802.1X client on the machine to start (re)authentication for the user.

Setting the 802.1X Timeout for an Authorization Server
Use this command to configure the number of seconds before the RAS times out a request to a RADIUS authorization server.
set dot1x timeout auth-server seconds
The default is 30 seconds. The range is from 1 to 65,535 seconds.
Examples
Type the following command to set the authorization server timeout to 60 seconds:
RBT-8100# set dot1x timeout auth-server 60
success: dot1x auth-server timeout set to 60.
Displaying 802.1X Information

Viewing 802.1X Clients
Type the following command to display active 802.
20 Configuring SODA Endpoint Security for a RoamAbout Switch

For information about...             Refer to page...
About SODA Endpoint Security         20-1
Configuring SODA Functionality       20-4

Sygate On-Demand (SODA) is an endpoint security solution that allows enterprises to enforce security policies on client devices without having to install any special software on the client machines. MSS can be configured to run SODA security checks on users’ machines as a requirement for gaining access to the network.

About SODA Endpoint Security
• Cache Cleaner – Ensures that Web browser information, such as cookies, history, auto-completion data, stored passwords, and temporary files are erased or removed upon termination of the user’s session, inactivity timeout, or closing of the browser.
• Connection Control – Controls network connections based on Domain, IP address, Port, and Service.

5. SODA functionality is enabled for an SSID that also has Web Portal WebAAA configured.
Once configured, SODA functionality works as follows:
1. A user connects to an AP managed by a service profile where SODA functionality is enabled.
2. Since the Web Portal WebAAA feature is enabled for the SSID, a portal session is started for the user, and the user is placed in the VLAN associated with the web-portal-ssid or web-portal-wired user.
3.

Configuring SODA Functionality

Configuring SODA functionality on a RoamAbout Switch consists of the following tasks:
1. Configure Web Portal WebAAA for the service profile. See “Configuring Web Portal WebAAA for the Service Profile” on page 20-4.
2. Using SODA Manager, create the SODA agent. See “Creating the SODA Agent with SODA Manager” on page 20-5.
3. Copy the SODA agent to the RoamAbout Switch. See “Copying the SODA Agent to the RoamAbout Switch” on page 20-6.
4.

Creating the SODA Agent with SODA Manager
Sygate On-Demand Manager (SODA Manager) is a Windows application used for configuring security policies based on locations, and for creating agents that enforce those security policies. For information on how to use SODA Manager to create security policies, see the documentation that came with the product.

Copying the SODA Agent to the RoamAbout Switch
After creating the SODA agent with SODA Manager, you copy the .zip file to the RoamAbout Switch using TFTP.
Example
The following command copies the soda.ZIP file from a TFTP server to the RoamAbout Switch:
RBT-8100# copy tftp://172.21.12.247/soda.ZIP soda.ZIP
....................................
success: received 2912917 bytes in 11.230 seconds [ 259387 bytes/sec]
success: copy complete.
Enabling SODA Functionality for the Service Profile
To enable SODA functionality for a service profile, use the following command:
set service-profile name soda mode {enable | disable}
When SODA functionality is enabled for a service profile, a SODA agent is downloaded to clients attempting to connect to an AP managed by the service profile. The SODA agent performs a series of security-related checks on the client.

Specifying a SODA Agent Success Page
When a client successfully runs the checks performed by the SODA agent, by default a dynamically generated page is displayed on the client indicating that the checks succeeded. You can optionally create a custom success page that is displayed on the client instead of the dynamically generated one.

The following command specifies failure.html, in the soda-files directory on the RoamAbout Switch, as the page to load when a client fails the SODA agent checks:
RBT-8100# set service-profile sp1 soda failure-page soda-files/failure.html
success: change accepted.

Specifying a Remediation ACL
If the SODA agent checks fail on a client, by default the client is disconnected from the network.

The client can request this page at any time, to ensure that the client’s session has been terminated. You can add the IP address of the RoamAbout Switch to the DNS server as a well-known name, and you can advertise the URL of the page to users as a logout page.
Examples
The following command specifies logout.
Uninstalling the SODA Agent Files from the RoamAbout Switch
To remove the directory on the RoamAbout Switch that contains SODA agent files, use the following command:
uninstall soda agent agent-directory directory
This command removes the specified directory and all of its contents. It does so regardless of whether the directory actually contains SODA agent files, so verify the directory name before running it.
Displaying SODA Configuration Information
To view information about the SODA configuration for a service profile, use the show service-profile command.
Example
The following is an example of the output of the show service-profile command for service profile sp1. In the example, the fields related to SODA functionality are highlighted in bold.
21 Managing Sessions

For information about...                            Refer to page...
About the Session Manager                           21-1
Displaying and Clearing Administrative Sessions     21-1
Displaying and Clearing Network Sessions            21-3
Displaying and Changing Network Session Timers      21-8

About the Session Manager
A session is a related set of communication transactions between an authenticated user (client) and the specific station to which the client is bound. Packets are exchanged during a session.

Displaying and Clearing Administrative Sessions

Displaying and Clearing All Administrative Sessions
To view information about the sessions of all administrative users, type the following command:
RBT-8100> show sessions admin
Tty      Username     Time (s)   Type
-------------------------------------
tty0                  3644       Console
tty2     tech         6          Telnet
tty3     sshadmin     381        SSH
3 admin sessions
To clear the sessions of all administrative users, type the following command:
RBT-8100# clear sessions admin
This will terminate manager sessi

Displaying and Clearing Network Sessions

Displaying and Clearing Client Telnet Sessions
To view administrative sessions of Telnet clients, type the following command:
RBT-8100# show sessions telnet client
Session   Server Address   Server Port
--------------------------------------
0         192.168.1.81     23
1         10.10.1.

• By the name of the VLAN to which the user belongs. (See “Displaying and Clearing Network Sessions by VLAN Name” on page 21-6.)
• By the local session ID. (See “Displaying and Clearing Network Sessions by Session ID” on page 21-7.)
Note: Authorization attribute values can be changed during authorization. If the values are changed, show sessions output shows the values that are actually in effect following any changes.

Displaying and Clearing Network Sessions by Username
You can view sessions by a username or user glob. (For a definition of user globs and their format, see “User Globs, MAC Address Globs, and VLAN Globs” on page 1-4.)

Displaying and Clearing Network Sessions by MAC Address
You can view sessions by MAC address or MAC address glob. (For a definition of MAC address globs and their format, see “User Globs, MAC Address Globs, and VLAN Globs” on page 1-4.)

Displaying and Clearing Network Sessions by Session ID
You can display information about a session by session ID. To find local session IDs, enter the show sessions command. You can view more detailed information for an individual session, including authorization parameters and, for wireless sessions, packet and radio statistics.

The following command deletes network session 9:
RBT-8100# clear sessions network session-id 9
SM Apr 11 19:53:38 DEBUG SM-STATE: localid 9, mac 00:06:25:09:39:5d, flags 0000012fh, to change state to KILLING
Localid 9, globalid SESSION-9-893249336 moved from ACTIVE to KILLING (client=00:06:25:09:39:5d)

Displaying and Changing Network Session Timers
MSS periodically sends keepalive probes to wireless clients to verify that the clients are still present.
22 Rogue Detection and Countermeasures

About Rogues and RF Detection

RF detection detects all the IEEE 802.11 devices in a Mobility Domain and can single out the unauthorized rogue access points.

Rogue Access Points and Clients
A rogue access point is an access point that is not authorized to operate in a network. Rogue access points and their clients undermine the security of an enterprise network by potentially allowing unchallenged access to the network by any wireless user or client in the physical vicinity.

An empty permitted SSID list or permitted vendor list implicitly allows all SSIDs or vendors. However, when you add an entry to the SSID or vendor list, all SSIDs or vendors that are not in the list are implicitly disallowed. An empty client black list implicitly allows all clients, and an empty ignore list implicitly considers all third-party wireless devices to be potential rogues. All the lists except the black list require manual configuration.

RF Detection Scans
All radios continually scan for other RF transmitters. Radios perform passive scans and active scans:
• Passive scans—The radio listens for beacons and probe responses.
• Active scans—The radio sends probe any requests (probe requests with a null SSID name) to solicit probe responses from other access points.
Passive scans are always enabled and cannot be disabled. Active scans are enabled by default but can be disabled on a radio-profile basis.

Countermeasures
You can enable MSS to use countermeasures against rogues. Countermeasures consist of packets that interfere with a client’s ability to use the rogue. Countermeasures are disabled by default. You can enable them on an individual radio-profile basis. When you enable them, all devices of interest that are not in the known devices list become viable targets for countermeasures.

Table 22-1 Rogue Detection Features (continued)

Ignore list
  Description: List of MAC addresses to ignore during RF detection. MSS does not classify devices on this list as rogues or interfering devices, and does not issue countermeasures against them.
  Applies to third-party APs: Yes
  Applies to clients: Yes

Countermeasures
  Description: Packets sent by Enterasys APs to interfere with the operation of a rogue.

Configuring Rogue Detection Lists

To display the permitted vendor list, use the following command:
show rfdetect vendor-list
The following example shows the permitted vendor list on a switch:
RBT-8100# show rfdetect vendor-list
Total number of entries: 1
OUI                 Type
-----------------   -----
aa:bb:cc:00:00:00   client
11:22:33:00:00:00   ap
To remove an entry from the permitted vendor list, use the following command:
clear rfdetect vendor-list {client | ap} {mac-addr | all}
The following command removes client OU
Configuring Rogue Detection Lists To remove an SSID from the permitted SSID list, use the following command: clear rfdetect ssid-list ssid-name The following command clears SSID mycorp from the permitted SSID list: RBT-8100# clear rfdetect ssid-list mycorp success: mycorp is no longer in ssid-list. Configuring a Client Black List The client black list specifies clients that are not allowed on the network. MSS drops all packets from the clients on the black list.
Configuring Rogue Detection Lists To remove a MAC address from the client black list, use the following command: clear rfdetect black-list mac-addr The following command removes MAC address 11:22:33:44:55:66 from the black list: RBT-8100# clear rfdetect black-list 11:22:33:44:55:66 success: 11:22:33:44:55:66 is no longer blacklisted.
Configuring Rogue Detection Lists Configuring an Ignore List By default, when countermeasures are enabled, MSS considers any non‐Enterasys transmitter to be a rogue device and can send countermeasures to prevent clients from using that device. To prevent MSS from sending countermeasures against a friendly device, add the device to the known devices list.
Enabling Countermeasures Enabling Countermeasures Caution: Countermeasures affect wireless service on a radio. When an AP radio is sending countermeasures, the radio is disabled for use by network traffic, until the radio finishes sending the countermeasures. Countermeasures are disabled by default. You can enable them on an individual radio profile basis.
Enabling AP Signatures Enabling AP Signatures An AP signature is a set of bits in a management frame sent by an AP that identifies that AP to MSS. If someone attempts to spoof management packets from an Enterasys AP, MSS can detect the spoof attempt. AP signatures are disabled by default. To enable or disable them, use the following command: set rfdetect signature {enable | disable} The command applies only to APs managed by the RAS on which you enter the command.
IDS and DoS Alerts Flood Attacks A flood attack is a type of Denial of Service attack. During a flood attack, a rogue wireless device attempts to overwhelm the resources of other wireless devices by continuously injecting management frames into the air. For example, a rogue client can repeatedly send association requests to try to overwhelm APs that receive the requests. The threshold for triggering a flood message is 100 frames of the same type from the same MAC address, within a one‐second period.
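The flood rule above (100 frames of one type from one MAC within one second) is easy to get subtly wrong, so here is a sliding-window implementation of it as an added example. This is not MSS code: the frame records are constructed, the alert text imitates the Table 22-2 log messages, and the re-arm behaviour (one alert per flood until the rate drops below the threshold) is an assumption about what a sensible detector should do, not documented MSS behaviour.

```python
"""Flood-alert logic modelled on the MSS rule: 100 frames of the same type
from the same MAC within one second. Added example, not MSS code; the
frame records are constructed and the alert text imitates Table 22-2."""
from collections import defaultdict, deque

FLOOD_THRESHOLD = 100   # frames of one type from one MAC ...
FLOOD_WINDOW = 1.0      # ... within this many seconds


class FloodDetector:
    def __init__(self, threshold=FLOOD_THRESHOLD, window=FLOOD_WINDOW):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)  # (mac, frame_type) -> arrival times
        self.active = set()                # keys currently over the threshold

    def observe(self, ts, mac, frame_type):
        """Record one management frame. Return an alert string when a
        (mac, frame_type) pair first crosses the threshold, None otherwise."""
        key = (mac.lower(), frame_type)
        arrivals = self.history[key]
        arrivals.append(ts)
        # Drop frames that have fallen out of the sliding window.
        while arrivals and ts - arrivals[0] >= self.window:
            arrivals.popleft()
        if len(arrivals) >= self.threshold:
            if key in self.active:
                return None            # flood already reported and still ongoing
            self.active.add(key)
            return "Client %s is sending %s flood" % (mac, frame_type)
        self.active.discard(key)       # rate fell back under threshold: re-arm
        return None

    def run(self, frames):
        """Feed (ts, mac, frame_type) records in arrival order; return alerts."""
        alerts = []
        for ts, mac, frame_type in frames:
            alert = self.observe(ts, mac, frame_type)
            if alert:
                alerts.append(alert)
        return alerts


def constructed_frames(mac, frame_type, count, interval, start=0.0):
    """Constructed input: `count` frames spaced `interval` seconds apart."""
    return [(start + i * interval, mac, frame_type) for i in range(count)]


if __name__ == "__main__":
    det = FloodDetector()
    burst = constructed_frames("aa:bb:cc:dd:ee:ff", "association request", 100, 0.005)
    slow = constructed_frames("11:22:33:44:55:66", "disassociate request", 150, 0.02)
    for line in det.run(sorted(burst + slow)):
        print(line)
```

The burst of 100 association requests in half a second trips the rule; 150 disassociate requests spread over three seconds never have 100 inside any one-second window and stay silent, which is the distinction the threshold is meant to draw.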
• Spoofed AP: A rogue device pretends to be an Enterasys AP by sending packets with the source MAC address of the Enterasys AP. Data from clients that associate with the rogue device can be accessed by the attacker controlling the rogue device.

Note: MSS detects a spoofed AP attack based on the AP signature of the spoofed AP. Packets from the real AP carry the correct signature, while spoofed packets lack it, so detection of this attack depends on AP signatures being enabled. (See "Enabling AP Signatures" on page 22-12.)
Disallowed Devices or SSIDs
You can configure the following types of lists to explicitly allow or disallow specific devices or SSIDs:
• Permitted SSID list: MSS generates a message if an SSID that is not on the list is detected.
• Permitted vendor list: MSS generates a message if an AP or wireless client with an OUI that is not on the list is detected.
• Client black list: MSS prevents clients on the list from accessing the network through a RAS.
Table 22-2 IDS and DoS Log Messages (continued)

Message Type: Disassociate request flood
Example Log Message: Client aa:bb:cc:dd:ee:ff is sending disassociate request flood on AP

Message Type: Weak WEP initialization vector (IV)
Example Log Message: Client aa:bb:cc:dd:ee:ff is using weak wep initialization vector. Seen by AP on radio 1 on channel 11 with RSSI -53.

Message Type: Decrypt errors
Example Log Message: Client aa:bb:cc:dd:ee:ff is sending packets with decrypt errors. Seen by AP on radio 1 on channel 11 with RSSI -53.
Table 22-2 IDS and DoS Log Messages (continued)

Message Type: Interfering client seen on wired network
Example Log Message: Client Mac aa:bb:cc:dd:ee:ff is seen on the wired network by RAS 10.1.1.1 on port 3 vlan 2 tag 1. Detected by listener aa:bb:cc:dd:ee:fd(radio 1), channel 11 with RSSI -53.

Displaying RF Detection Information
You can use the CLI commands listed in Table 22-3 to display rogue detection information.
Table 22-3 Rogue Detection Show Commands (continued)

show rfdetect attack-list
  Displays the list of wireless devices that you want APs to attack with countermeasures. (See "Configuring an Attack List" on page 22-9.)

show rfdetect ignore
  Displays the BSSIDs of third-party devices that MSS ignores during RF detection scans. (See "Configuring an Ignore List" on page 22-10.)
Displaying Rogue Detection Counters
To display rogue detection statistics counters, use the following command:

show rfdetect counters

Example
The command shows counters for rogue activity detected by the RAS on which you enter the command.

RBT-8100# show rfdetect counters
Type                                               Current      Total
-------------------------------------------------- ------------ ------------
Rogue access points
Interfering access points
Rogue 802.11 clients
Interfering 802.11 clients
802.
Clients not present in vendor-list                 0            0
Clients added to automatic black-list              0            0

Note: MSS generates log messages for most of these statistics. See "IDS and DoS Alerts" on page 22-12.
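Most of the counters above correspond to the Table 22-2 log messages, and in practice those messages arrive at a syslog server where someone has to triage them. The following is an added example (not MSS code, and not a tool shipped with the product) that parses the message formats shown in Table 22-2 into fields and rolls them up per client MAC. The sample lines are constructed to follow the table's examples; the field names and the "strongest RSSI" heuristic are this example's own choices.

```python
"""Triage for the IDS/DoS messages MSS writes to syslog (Table 22-2): parse
each message into fields and roll the results up per client MAC. Added
example, not MSS code. The sample lines are constructed to follow the
table's example messages; only the field names are assumed."""
import re
from collections import Counter, defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
SEEN_BY = re.compile(r"Seen by AP on radio (?P<radio>\d+) on channel "
                     r"(?P<channel>\d+) with RSSI (?P<rssi>-?\d+)", re.I)
PATTERNS = {
    "flood": re.compile(
        r"Client (?P<client>" + MAC + r") is sending (?P<kind>.+?) flood", re.I),
    "weak-wep-iv": re.compile(
        r"Client (?P<client>" + MAC + r") is using weak wep initialization vector", re.I),
    "decrypt-errors": re.compile(
        r"Client (?P<client>" + MAC + r") is sending packets with decrypt errors", re.I),
    "client-on-wired": re.compile(
        r"Client Mac (?P<client>" + MAC + r") is seen on the wired network by RAS "
        r"(?P<ras>\S+) on port (?P<port>\d+) vlan (?P<vlan>\d+) tag (?P<tag>\d+)\. "
        r"Detected by listener (?P<listener>" + MAC + r")\(radio (?P<radio>\d+)\), "
        r"channel (?P<channel>\d+) with RSSI (?P<rssi>-?\d+)", re.I),
}
INT_FIELDS = ("radio", "channel", "rssi", "port", "vlan", "tag")


def parse_alert(line):
    """Return a dict describing the alert, or None for an unrelated line."""
    for name, pattern in PATTERNS.items():
        match = pattern.search(line)
        if not match:
            continue
        event = {"type": name}
        event.update(match.groupdict())
        seen = SEEN_BY.search(line)        # trailing location clause, if present
        if seen:
            event.update(seen.groupdict())
        for field in INT_FIELDS:
            if field in event:
                event[field] = int(event[field])
        event["client"] = event["client"].lower()
        return event
    return None


def summarize(lines):
    """Per-client alert counts and strongest RSSI; unparsed lines kept aside."""
    clients = defaultdict(lambda: {"events": Counter(), "strongest_rssi": None})
    unparsed = []
    for line in lines:
        event = parse_alert(line)
        if event is None:
            unparsed.append(line)
            continue
        entry = clients[event["client"]]
        entry["events"][event["type"]] += 1
        rssi = event.get("rssi")
        if rssi is not None and (entry["strongest_rssi"] is None
                                 or rssi > entry["strongest_rssi"]):
            entry["strongest_rssi"] = rssi    # closer to 0 dBm means stronger
    return dict(clients), unparsed


# Constructed sample, modelled on the Table 22-2 examples (not real switch logs).
SAMPLE_LOG = [
    "Client aa:bb:cc:dd:ee:ff is sending disassociate request flood on AP. "
    "Seen by AP on radio 1 on channel 11 with RSSI -53.",
    "Client aa:bb:cc:dd:ee:ff is using weak wep initialization vector. "
    "Seen by AP on radio 1 on channel 11 with RSSI -53.",
    "Client 11:22:33:44:55:66 is sending packets with decrypt errors. "
    "Seen by AP on radio 2 on channel 36 with RSSI -70.",
    "Client Mac aa:bb:cc:dd:ee:ff is seen on the wired network by RAS 10.1.1.1 "
    "on port 3 vlan 2 tag 1. Detected by listener aa:bb:cc:dd:ee:fd(radio 1), "
    "channel 11 with RSSI -53.",
    "AP Mar 25 13:15:21.681369 ERROR DAP 3 ap_network: Observer 10.10.101.2 "
    "is not accepting TZSP packets",
]

if __name__ == "__main__":
    summary, leftovers = summarize(SAMPLE_LOG)
    for mac, entry in sorted(summary.items()):
        print(mac, dict(entry["events"]), "strongest RSSI", entry["strongest_rssi"])
    print("unparsed:", len(leftovers))
```

A client that shows up both as a wireless alert source and in an "is seen on the wired network" message is the case worth looking at first, since it means the same MAC has a foothold on both sides; the per-client roll-up makes that pairing visible without reading every line.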
  RBT-IPaddress: 10.8.121.102   Port/Radio/Ch: 3/1/1       Mac: 00:0b:0e:00:0a:6a
    Device-type: interfering   Adhoc: no   Crypto-types: clear   RSSI: -75   SSID: ets-webaaa
  RBT-IPaddress: 10.3.8.103    Port/Radio/Ch: dap 1/1/1   Mac: 00:0b:0e:76:56:82
    Device-type: interfering   Adhoc: no   Crypto-types: clear   RSSI: -76   SSID: ets-webaaa

Two types of information are shown. The lines that are not indented show the BSSID, vendor, and information about the SSID.
23 Managing System Files

For information about...                 Refer to page...
About System Files                       23-1
Working with Files                       23-4
Managing Configuration Files             23-9
Backing Up and Restoring the System      23-14
Upgrading the System Image               23-16

A RoamAbout Switch contains nonvolatile storage. MSS allows you to manage the files in nonvolatile storage. In addition, you can copy files between the RAS and a TFTP server on the network.
Displaying Software Version Information
To display the software, firmware, and hardware versions, use the following command:

show version [details]

The details option displays hardware and software information about the APs configured on the RoamAbout Switch.

Example
To display version information for a RoamAbout Switch, type the following command:

RBT-8100# show version
Mobility System Software, Version: 3.0.
F/W2 : N/A
S/W  : 3.0.0

(For additional information about the output, see the RoamAbout Mobility System Software Command Line Interface Reference.)

Displaying Boot Information
Boot information consists of the MSS version and the names of the system image file and configuration file currently running on the RoamAbout Switch. The show boot command also lists the system image and configuration file that will be loaded after the next reboot.
Working with Files
The following sections describe how to manage files stored on the RoamAbout Switch.

Displaying a List of Files
Files are stored on a RoamAbout Switch in the following areas:
• File: Contains configuration files
• Boot: Contains system image files
• Temporary: Contains log files and other files created by MSS

The file and boot areas are in nonvolatile storage. Files in nonvolatile storage remain in storage following a software reload or power cycle; files in the temporary area do not.
The following command displays the files in the old subdirectory:

RBT-8100# dir old
===============================================================================
file:
Filename                    Size         Created
file:configuration.txt      3541 bytes   Sep 22 2003, 22:55:44
file:configuration.xml      24 KB        Sep 22 2003, 22:55:44
Total: 27 Kbytes used, 207824 Kbytes free

(For information about the fields in the output, see the RoamAbout Mobility System Software Command Line Interface Reference.)
Note: You can copy a file from a RAS to a TFTP server or from a TFTP server to a RoamAbout Switch, but you cannot use MSS to copy a file directly from one TFTP server to another. TFTP itself provides no authentication or encryption, so anything copied this way (including configuration files) travels in cleartext; keep the TFTP server on a management network that untrusted hosts cannot reach.

Examples
To copy the file floor2ras from nonvolatile storage to a TFTP server, type the following command:

RBT-8100# copy floor2ras tftp://10.1.1.1/floor2
success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec]

The above command copies the file to the TFTP server under the name floor2.
Using an Image File's MD5 Checksum To Verify Its Integrity
If you download an image file from the Enterasys Networks support site and install it in a RoamAbout Switch's boot partition, you can verify that the file has not been corrupted while being copied:

md5 [boot0: | boot1:]filename

Compare the digest the switch prints with the one published for that image. A matching MD5 digest detects accidental corruption only: MD5 is not collision resistant, so a match does not by itself prove the image is authentic. Obtain images and their checksums only from the Enterasys support site.

To verify an image file's integrity:
1.
Working with Files Deleting a File Caution: MSS does not prompt you to verify whether you want to delete a file. When you press Enter after typing a delete command, MSS immediately deletes the specified file. Enterasys Networks recommends that you copy a file to a TFTP server before deleting the file. Note: MSS does not allow you to delete the currently running software image file or the running configuration.
Filename                    Size       Created
*boot0:bload                746 KB     May 09 2004, 19:02:16
*boot0:ras030000.020        8182 KB    May 09 2004, 18:58:16
boot1:ras030000.
Examples
To display the running configuration, type the following command:

RBT-8100# show config
# Configuration nvgen'd at 2004-5-10 19:08:38
# Image 2.1.0
# Model RBT-8100
# Last change occurred at 2004-5-10 16:31:14
set trace authentication level 10
set ip dns server 10.10.10.69 PRIMARY
set ip dns server 10.20.10.69 SECONDARY
set ip route default 10.8.1.
Saving Configuration Changes
To save the running configuration to a configuration file, use the following command:

save config [filename]

If you do not specify a filename (up to 128 alphanumeric characters), the command replaces the startup configuration file that was loaded the last time the software was rebooted. (To display the filename of that configuration file, see "Displaying Boot Information" on page 23-3.)
Managing Configuration Files Reloading configuration may result in lost of connectivity, do you wish to continue? (y/n) [n]y success: Configuration reloaded After you type y, MSS replaces the running configuration with the configuration in the newconfig file. If you type n, MSS does not load the newconfig file and the running configuration remains unchanged.
Managing Configuration Files Resetting to the Factory Default Configuration To reset the RoamAbout Switch to its factory default configuration, use the following command: clear boot config This command removes the configuration file that the RoamAbout Switch searches for after the software is rebooted.
Backing Up and Restoring the System
MSS has commands that enable you to back up and restore RBT-8100 system and user files:

backup system [tftp:/ip-addr/]filename [all | critical]
restore system [tftp:/ip-addr/]filename [all | critical] [force]

The backup command creates an archive in Unix tape archive (tar) format. The restore command extracts an archive created by the backup command and copies the files from the archive onto the RoamAbout Switch.
Backing Up and Restoring the System Managing Configuration Changes The backup command places the boot configuration file into the archive. (The boot configuration file is the Configured boot configuration in the show boot command’s output.) If the running configuration contains changes that have not been saved, these changes are not in the boot configuration file and are not archived.
Upgrading the System Image Upgrading the System Image To upgrade the switch from one MSS version to another, use the procedure in this section. For a given release, there may be notes and cautions that apply only to that release. Consequently, before upgrading to a new software image, you should also consult the release notes for that release. Preparing the RoamAbout Switch for the Upgrade Caution: Save the configuration, then create a backup of your switch files before you upgrade the switch.
6. Reboot the software. To restart a RAS and reboot the software, type the following command:

reset system [force]

When you restart the switch, the switch boots using the new MSS image. The switch also sends the AP version of the new boot image to the APs and restarts them. After an AP restarts, it checks the version of the new AP boot image to make sure the boot image is newer than the boot image currently installed on the AP.
Upgrading the System Image Command Changes During Upgrade When you upgrade a switch, some commands from the previously installed release may have been deprecated or changed in the new release, which may affect your configuration. For information about commands that were deprecated or changed from a previous release, see the release notes for the release you are installing.
24 AirDefense Integration with the Enterasys Mobility System

For information about...                                Refer to page...
About AirDefense Integration                            24-1
Converting an Access Point into an AirDefense Sensor    24-3
Configuring an AirDefense Sensor                        24-4
Zero-Configuration option                               24-6
AP Authorization from a RoamAbout Switch                24-8

This chapter describes how the AirDefense security system integrates with the Enterasys Mobility System, and how an Enterasys Mobility Point can be converted into an AirDefense sensor.
• Excessive traffic is observed between wireless clients
• An excessive number of decryption errors are observed
• A NetStumbler scan is detected on the network

The Enterasys Mobility System integrates with the AirDefense security solution in the following ways:
• Enterasys Mobility Points can be configured to operate as AirDefense sensors, reporting information about possible threats or intrusions to an AirDefense server
• RASM can be configured to receive SNMP traps
Converting an Access Point into an AirDefense Sensor Converting an Access Point into an AirDefense Sensor This section describes the procedures for converting an AP into an AirDefense sensor, specifying the AirDefense server the converted AP sends information to, and how to convert an AirDefense sensor back to an AP. Note: Converting an AP to an AirDefense sensor is supported only for models RBT-1602 and MP-372.
Configuring an AirDefense Sensor How a Converted AP Obtains an IP Address If you had previously configured the AP to use a static IP address, then when the AP boots as an AirDefense sensor, it uses that same IP address. Otherwise, the converted AP uses DHCP to obtain its IP address. Optionally, the converted AP can obtain an IP address directly from an AirDefense server.
Figure 24-2 Sensor User Interface

4. You must provide a valid IP address, netmask, and gateway IP address for the Sensor to communicate with the AirDefense Server. You can manually set each Sensor's static IP address, Sensor Netmask, and Gateway IP address, or you can automatically receive these address settings from a DHCP (Dynamic Host Configuration Protocol) server. Refer to Table 24-1 for an overview of the AirDefense Sensor UI settings.
Zero-Configuration option 6. Confirm connectivity to the Sensor by viewing the Connection State on the Status page of the Sensor UI. a. Log into the AirDefense Server. b. View the Sensor tree in the dashboard tree view. It should display the list of sensors currently in your network. The new sensor will be listed under Default Location > Default Group.
Zero-Configuration option If you are configuring a specific DHCP Vendor Class: 1. Create a new Vendor Class with a name unique to that system. 2. Add the vendor ID “adsensor” (without quotes) to the ASCII portion of the “vendor ID” field. 3. From the server options, select “Predefined Options” for this vendor class. 4. From the list of predefined options presented, choose 043 to be added to this vendor class. 5.
AP Authorization from a RoamAbout Switch Clearing the AirDefense Sensor Software from the AP’s Configuration To clear the AirDefense sensor software file from the AP’s configuration, use the following command: clear dap dap-num image For example, the following command causes the AirDefense sensor software file to be cleared from the configuration of Distributed AP 1: RBT-8100# clear dap 1 image success: change accepted.
Figure 24-3 Switch Information Panel Tab

4. Click on Edit to edit the fields. Table 24-2 describes the features and their descriptions.

Table 24-2 Switch Configuration Settings

Name: Enter the name of the switch.
IP Address: Enter the IP Address of the switch.
SNMP Port: Enter the Simple Network Management Protocol port number for this switch. This is normally 161, but it can be different.
Table 24-2 Switch Configuration Settings (continued)

Enabled Yes/No: Select Yes or No for the Switch to be enabled for MAC Address lookup in AirDefense Enterprise.
Description: Add any miscellaneous information about the switch in this text box.
Online (read-only): The online status is determined by the server's communication with the switch, and cannot be accessed by the AirDefense user.
AP Authorization from a RoamAbout Switch File Format for Importing Switches The file for importing Switches should contain rows of data, one row for each Switch being imported into your AirDefense wireless LAN. Each row is separated by a carriage return or new line character. If the Switch being imported is already in the system, the import overwrites the field values, based on the address. The text field values are overwritten, regardless of letter case.
25 Configuring APs to be AeroScout Listeners

For information about...                                    Refer to page...
Configuring AP Radios to Listen for AeroScout RFID Tags     25-2
Locating an RFID Tag                                        25-3

AeroScout RFID tags are wireless transmitters that you can place on assets such as office equipment to track the equipment's location. Each tag regularly transmits its unique ID. AeroScout listeners detect the transmissions from the RFID tags and relay this information to an AeroScout Engine or RoamAbout Switch.
Configuring AP Radios to Listen for AeroScout RFID Tags
To configure AP radios to listen for AeroScout RFID tags:
• Configure a service profile for the AeroScout listeners and set the SSID type to clear (unencrypted).
• Configure a radio profile for the AeroScout listeners.
  – Disable RF Auto-Tuning of channels on that radio profile. Channels on RFID tags are statically configured, so the listener must not dynamically change channels or it will stop hearing the tags.
Locating an RFID Tag Locating an RFID Tag You can use an AeroScout Engine or RoamAbout Switch Manager to locate an asset to which an RFID tag is attached. Using an AeroScout Engine 1. Load the site map in AeroScout System Manager. 2. Mark the origin point (0,0), if not already done. 3. Calibrate distance, if not already done. 4. Add each AP configured as a listener to the map, and enter its IP address. Note: To look up a Distributed AP’s IP address, use the show dap status command. 5.
Locating an RFID Tag 7. To locate an asset: a. Select its tag in the list. b. Select Locate AeroScout Tag. A picture of the floor plan where the tag is located appears. The asset’s likely location is indicated.
A Troubleshooting a RoamAbout Switch

For information about...                                      Refer to page...
Fixing Common RoamAbout Switch Setup Problems                 A-2
Recovering the System When the Enable Password is Lost        A-3
Configuring and Managing the System Log                       A-4
Running Traces                                                A-10
Using Show Commands                                           A-13
Remotely Monitoring Traffic                                   A-15
Capturing System Information for Technical Support            A-20

Some common problems that occur during RoamAbout Switch installation and basic configuration are simple to solve.
Fixing Common RoamAbout Switch Setup Problems
Table A-1 on page A-2 contains remedies for some common problems that can occur during basic installation and setup of a RoamAbout Switch.

Table A-1 RoamAbout Switch Setup Problems and Remedies

Symptom: RoamAbout Switch Manager or a web browser (if you are using Web View) warns that the RoamAbout Switch's certificate date is invalid.
Table A-1 RoamAbout Switch Setup Problems and Remedies (continued)

Symptom: Configuration information disappears after a software reload.
Diagnosis: The configuration changes were not saved.
Remedy: 1. Retype the commands for the missing configuration information.

Symptom: Mgmt LED is quickly blinking amber. CLI stops at boot prompt (boot>).
Diagnosis: The RoamAbout Switch was unable to load the system image file.
2.
Configuring and Managing the System Log Configuring and Managing the System Log System logs provide information about system events that you can use to monitor and troubleshoot MSS.
Table A-2 System Log Destinations and Defaults (continued)

sessions: Sets defaults for Telnet sessions. Logging is disabled and shows information-level events when enabled.
trace: Sends log information to the volatile trace buffer. Trace is enabled and shows debug output.

Specifying a severity level sends log messages for events or conditions at that level or higher to the logging destination.
Configuring and Managing the System Log To stop sending messages to a syslog server, use the following command: clear log server ip-addr Logging to the Log Buffer The system log consists of rolling entries stored as a last‐in first‐out queue maintained by the RoamAbout Switch. Logging to the buffer is enabled by default for events at the error level and higher.
Logging to the Console
By default, console logging is enabled and messages at the error level and higher are sent to the console. To modify console logging, use the following command:

set log console severity severity-level

(See Table A-3 on page A-5 for information on severity levels.)
Setting Telnet Session Defaults
Session logging is disabled by default, and the event level is set to information (info) or higher. To enable event logging to Telnet sessions and change the default event severity level, use the following command:

set log sessions severity severity-level enable

(For information on severity levels, see Table A-3 on page A-5.)
Configuring and Managing the System Log Enabling Mark Messages You can configure MSS to generate mark messages at regular intervals. The mark messages indicate the current system time and date. Enterasys Networks can use the mark messages to determine the approximate time when a system restart or other event causing a system outage occurred. Mark messages are disabled by default. When they are enabled, MSS generates a message at the notice level once every 300 seconds by default.
Running Traces Running Traces Trace commands enable you to perform diagnostic routines. You can set a trace command with a keyword, such as authentication or sm, to trace activity for a particular feature, such as authentication or the session manager. Caution: Using the set trace command can have adverse effects on system performance. Enterasys Networks recommends that you use the lowest levels possible for initial trace commands, and slowly increase the levels to get the data you need.
RBT-8100# set trace dot1x user tamara@example.com level 4
success: change accepted.

Displaying a Trace
Use the show trace command to show the trace areas that are enabled. For example, to display all currently running trace commands, type the following command:

RBT-8100# show trace
milliseconds spent printing traces: 31.
Displaying Trace Results
To view the output of currently running trace commands, use the following command:

show log trace [{+|-|/}number-of-messages] [facility facility-name] [matching string] [severity severity-level]

For example, the following command displays a trace log of error-level events:

RBT-8100# show log trace severity error
KERNEL Jan 15 23:08:10 ERROR duplicate IP address 10.7.122.
Using Show Commands
To troubleshoot the RAS, you can use show commands to display information about different areas of MSS. The following commands can provide helpful information if you are experiencing MSS performance issues.

Viewing VLAN Interfaces
To view interface information for VLANs, type the following command:

RBT-8100# show interface
* = From DHCP
VLAN Name            Address
---- --------------- ---------------
1    default         0.0.0.0
130  vlan-eng        192.168.12.7
190  vlan-wep        192.168.19.
(For more information about AAA, see Chapter 3, Configuring AAA for Administrative and Local Access, and Chapter 17, Configuring AAA for Network Users.)

Viewing FDB Information
The show fdb command displays the hosts learned by the RAS and the ports to which they are connected. To display forwarding database (FDB) information, type the following command:

RBT-8100# show fdb
* = Static Entry. + = Permanent Entry. # = System Entry.
Remotely Monitoring Traffic
Remote traffic monitoring enables you to snoop wireless traffic by using a Distributed AP as a sniffing device. The AP copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer such as Ethereal or Tethereal (since renamed Wireshark and TShark).

How Remote Traffic Monitoring Works
To monitor wireless traffic, an AP radio compares traffic sent or received on the radio to snoop filters applied to the radio by the network administrator.
To inform you of this condition, MSS generates a log message such as the following the first time an ICMP error message is received following the start of a snoop filter:

AP Mar 25 13:15:21.681369 ERROR DAP 3 ap_network: Observer 10.10.101.2 is not accepting TZSP packets

To prevent ICMP error messages from the observer, Enterasys Networks recommends using the Netcat application on the observer to listen to UDP packets on the TZSP port.
The following command configures a snoop filter named snoop2 that matches on all data traffic between the device with MAC address aa:bb:cc:dd:ee:ff and the device with MAC address 11:22:33:44:55:66, and copies the traffic to the device that has IP address 10.10.30.3:

RBT-8100# set snoop snoop2 frame-type eq data mac-pair aa:bb:cc:dd:ee:ff 11:22:33:44:55:66 observer 10.10.30.
Displaying the Snoop Filters Mapped to a Radio
To display the snoop filters that are mapped to a radio, use the following command:

show snoop map filter-name

The following command shows the mapping for snoop filter snoop1:

RBT-8100# show snoop map snoop1
filter 'snoop1' mapping
Dap: 3 Radio: 2

Displaying the Snoop Filter Mappings for All Radios
To display all snoop filter mappings, use the following command:

RBT-8100# show snoop
Dap: 3 Radio: 2
  snoop1
  snoop2
Dap: 2 Radio: 2
  sn
Remotely Monitoring Traffic Displaying Remote Traffic Monitoring Statistics The AP collects statistics for packets that match the enabled snoop filters mapped to its radios. The AP retains statistics for a snoop filter until the filter is changed or disabled. The AP then clears the statistics.
   b. Select Protocol Preferences to display the 802.11 Protocol Preferences dialog.
   c. Click next to Ignore the WEP bit to deselect the option. This option is applicable for any type of data encryption used by AP radios.
6. Enable the snoop filter on the AP, using the following command:

set snoop {filter-name | all} mode {enable [stop-after num-pkts] | disable}

7. Stop the Ethereal capture and view the monitored packets.
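The AP ships each snooped frame inside a TZSP datagram, and the guide's advice to run Netcat on the observer is only about keeping the UDP port open so the AP never receives an ICMP port-unreachable. The following added example (not part of the MSS guide or of any Enterasys tool) does the same job as that Netcat listener but also decodes what arrives: it parses the TZSP header and tag list, extracts the encapsulated 802.11 frame, and applies a test equivalent to the snoop2 filter (frame-type eq data, mac-pair A B). Assumptions the page does not state: the observer listens on UDP 37008, the IANA-registered TZSP port; tag numbers follow the usual TZSP encoding (0x00 pad, 0x01 end of tags, 0x0A raw RSSI, 0x12 receive channel); and "data traffic between A and B" is taken to mean the frame's transmitter and receiver addresses are A and B in either order. The sample datagram is constructed, not a capture from an AP.

```python
"""Observer for AP snoop traffic: decode a TZSP datagram from the AP, pull
out the encapsulated 802.11 frame, and apply a frame-type/mac-pair test
like the snoop2 filter. Added example, not part of the MSS guide.

Assumptions not stated by the page: UDP 37008 (the registered TZSP port);
tag numbers 0x00 pad, 0x01 end, 0x0A raw RSSI, 0x12 receive channel; and
"between A and B" meaning transmitter/receiver are A and B in either order.
"""
import socket
import struct

TZSP_PORT = 37008                      # assumption: standard TZSP port
TZSP_ENCAP_IEEE80211 = 0x12            # encapsulation value for 802.11
TAG_PAD, TAG_END, TAG_RSSI, TAG_CHANNEL = 0x00, 0x01, 0x0A, 0x12
FRAME_TYPES = {0: "mgmt", 1: "ctrl", 2: "data"}


def parse_tzsp(datagram):
    """Return {'encap', 'tags', 'frame'} for one TZSP datagram."""
    if len(datagram) < 4:
        raise ValueError("too short for a TZSP header")
    version, _kind, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError("unsupported TZSP version %d" % version)
    tags, pos = {}, 4
    while True:
        if pos >= len(datagram):
            raise ValueError("TZSP tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PAD:
            continue                   # pad tags carry no length byte
        if pos >= len(datagram):
            raise ValueError("truncated TZSP tag")
        length = datagram[pos]
        tags[tag] = datagram[pos + 1:pos + 1 + length]
        pos += 1 + length
    return {"encap": encap, "tags": tags, "frame": datagram[pos:]}


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_80211(frame):
    """Decode frame control and the first two addresses (receiver, transmitter)."""
    if len(frame) < 16:
        raise ValueError("too short for an 802.11 header")
    fc = frame[0]
    return {"type": FRAME_TYPES.get((fc >> 2) & 0x3, "reserved"),
            "subtype": (fc >> 4) & 0xF,
            "addr1": mac_str(frame[4:10]),     # receiver address
            "addr2": mac_str(frame[10:16])}    # transmitter address


def matches_snoop(info, frame_type, mac_a, mac_b):
    """Emulate 'frame-type eq <type> mac-pair A B' (assumed semantics)."""
    return (info["type"] == frame_type
            and {info["addr1"], info["addr2"]} == {mac_a.lower(), mac_b.lower()})


def rssi_from_tags(tags):
    """Raw RSSI tag as a signed dBm value, or None if absent."""
    if tags.get(TAG_RSSI):
        return struct.unpack("!b", tags[TAG_RSSI][:1])[0]
    return None


def build_datagram(frame, rssi=-53, channel=11):
    """Constructed datagram in the TZSP layout; not a capture from an AP."""
    return (struct.pack("!BBH", 1, 0, TZSP_ENCAP_IEEE80211)
            + bytes([TAG_RSSI, 1]) + struct.pack("!b", rssi)
            + bytes([TAG_CHANNEL, 1, channel])
            + bytes([TAG_PAD, TAG_END])
            + frame)


# Constructed 802.11 data frame (ToDS set): receiver 11:22:..., transmitter aa:bb:...
SAMPLE_FRAME = (b"\x08\x01\x00\x00"
                + bytes.fromhex("112233445566")
                + bytes.fromhex("aabbccddeeff")
                + bytes.fromhex("112233445566")
                + b"\x10\x00")


def serve(port=TZSP_PORT, mac_a="aa:bb:cc:dd:ee:ff", mac_b="11:22:33:44:55:66"):
    """Listen like 'nc -u -l', so the AP never sees an ICMP port-unreachable."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        try:
            pkt = parse_tzsp(data)
            if pkt["encap"] != TZSP_ENCAP_IEEE80211:
                continue
            info = parse_80211(pkt["frame"])
        except ValueError as err:
            print("%s: dropped malformed datagram (%s)" % (src, err))
            continue
        if matches_snoop(info, "data", mac_a, mac_b):
            print("%s rssi=%s %s -> %s" % (src, rssi_from_tags(pkt["tags"]),
                                           info["addr2"], info["addr1"]))


if __name__ == "__main__":
    serve()
```

Run it on the observer host before enabling the snoop filter, exactly as the guide says to do with Netcat; the difference is that malformed datagrams are reported rather than silently swallowed, and the mac-pair test shows what the AP-side filter is expected to be passing.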
B Enabling and Logging Into WebView

WebView is a web-based management application available on RoamAbout Switches. You can use WebView for common configuration and management tasks.

For information about...          Refer to page...
Browser Requirements              B-1
RBT Switch Requirements           B-1
Logging Into WebView              B-2

Browser Requirements
WebView is supported on the following browsers:
• Mozilla Firefox Version 1.0 or later
• Microsoft Internet Explorer Version 6.0 or later
TLS 1.0, SSL 2.0, or SSL 3.

Note: SSL 2.0 and SSL 3.0 have since been deprecated (RFC 6176 and RFC 7568) because of protocol weaknesses; configure the browser to use TLS for the WebView session wherever the switch and browser both allow it.
Logging Into WebView
1. Type https://ip-addr in the Web browser's Address or Location field, and press Enter. For ip-addr, type an IP address you configured on the switch.
2. If your browser displays a certificate warning, select an option to accept the certificate. The certificate is presented to your browser by the RoamAbout Switch to authenticate the switch's identity. A warning is expected when the switch uses a certificate your browser does not already trust, but accepting it blindly also accepts any device impersonating the switch; verify the certificate's fingerprint out of band (for example over the console connection) before accepting it, and do this over the management network rather than an untrusted one.
C Supported RADIUS Attributes For information about... Refer to page... Supported Standard and Extended Attributes C-2 Enterasys Networks VSAs C-5 Enterasys Networks Mobility System Software (MSS) supports the standard and extended RADIUS authentication and accounting attributes listed in Table C‐1 on page C‐2. Also supported are Enterasys Networks vendor‐specific attributes (VSAs), listed in Table C‐2 on page C‐5.
Supported Standard and Extended Attributes
The RADIUS attributes shown in Table C-1 are sent by RoamAbout switches to RADIUS servers during authentication and accounting.

Table C-1 802.1X Attributes
Columns: Attribute / Type / Rcv in Access Resp? / Sent in Access Reqst? / Sent in Acct Reqst? / Description

User-Name / 1 / No / Yes / Yes
  String. Name of the user to be authenticated. Used only in Request packets.
Table C-1 802.1X Attributes (continued)
Columns: Attribute / Type / Rcv in Access Resp? / Sent in Access Reqst? / Sent in Acct Reqst? / Description

State / 24 / Yes / Yes / No
  Can be sent by a RADIUS server in an Access-Challenge message to the RAS. If the RAS receives an Access-Challenge with this attribute, it returns the same State value in an Access-Request response to the RADIUS server, when a response is required. (For details, see RFC 2865.)
Table C-1 802.1X Attributes (continued)
Columns: Attribute / Type / Rcv in Access Resp? / Sent in Access Reqst? / Sent in Acct Reqst? / Description

Acct-Output-Octets / 43 / No / No / Yes
  Number of octets sent on the port in the course of this service being provided. Can be present only in Accounting-Request records in which Acct-Status-Type is set to Acct-Stop or Acct-Interim-Update.
Table C-1 802.1X Attributes (continued)
Columns: Attribute / Type / Rcv in Access Resp? / Sent in Access Reqst? / Sent in Acct Reqst? / Description

Event-Timestamp / 55 / No / No / Yes
  Time that the user session started, stopped, or was updated, in seconds since January 1, 1970.

Tunnel-Private-Group-ID / 81 / Yes / No / No
  Same as VLAN-Name.

NAS-Port-Id / 87 / No / Yes / Yes
  RAS physical port that authenticates the user, in the form AP port number/radio.
Table C-2 Enterasys Networks VSAs (continued)
Columns: Attribute / Type, Vendor ID, Vendor Type / Rcv in Access Resp? / Sent in Access Reqst? / Sent in Acct Reqst? / Description

Start-Date / 26, 14525, 7 / Yes / No / No
  Date and time at which the user becomes eligible to access the network. Use the following format: YY/MM/DD-HH:MM

URL / 26, 14525, 8 / Yes / No / No
  URL to which the user is redirected after successful WebAAA. Use the following format: http://www.example.
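Tables C-1 and C-2 list which attributes travel in which direction, but not how they are laid out on the wire, which is what you need when reading a capture between a RAS and its RADIUS server or writing a test server for it. The following added example (not MSS or server code) encodes an Access-Request of the kind a RAS sends, with User-Name (1), an RFC 2865 hidden User-Password (2) and NAS-Port-Id (87), builds the matching Access-Accept carrying Tunnel-Private-Group-ID (81) plus the Enterasys Start-Date and URL VSAs under Vendor-Id 14525, checks the Response Authenticator, and parses the attributes back out. The attribute numbers and the vendor ID are from the tables; the packet layout is RFC 2865; the shared secret, the Request Authenticator and every attribute value are constructed for the example.

```python
"""Encode and decode the RADIUS attributes MSS exchanges with a RADIUS
server, including Enterasys VSAs (Vendor-Id 14525). Added example, not
MSS or server code. Attribute numbers are from Tables C-1 and C-2, the
layout is RFC 2865; secret, authenticator and values are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
VENDOR_SPECIFIC = 26
ENTERASYS_VENDOR_ID = 14525
ATTR = {"User-Name": 1, "User-Password": 2, "State": 24,
        "Tunnel-Private-Group-ID": 81, "NAS-Port-Id": 87}
ENTERASYS_VSA = {"Start-Date": 7, "URL": 8}
SECRET = b"constructed-secret"          # constructed, never reuse in production
REQUEST_AUTH = bytes(range(16))         # constructed; real ones come from a CSPRNG


def attr(code, value):
    """One RFC 2865 attribute: Type, Length (header included), Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", code, len(value) + 2) + value


def vsa(vendor_type, value, vendor_id=ENTERASYS_VENDOR_ID):
    """Vendor-Specific (26): 4-byte Vendor-Id, then vendor type/length/value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block).
    Legacy obfuscation, not encryption: only as strong as the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return out


def packet(code, identifier, authenticator, attributes):
    """Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    body = b"".join(attributes)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(response, request_auth, secret):
    """True if the server's Response Authenticator matches our request."""
    header, auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_attributes(pkt):
    """Walk the attribute list, splitting VSAs into (vendor, type, value)."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS length field does not match packet")
    pos, found = 20, []
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = pkt[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            found.append(("VSA", vendor_id, vtype, value[6:4 + vlen]))
        else:
            found.append(("ATTR", atype, value))
        pos += alen
    return found


def example_request(secret=SECRET, request_auth=REQUEST_AUTH):
    """Access-Request as a RAS might send it (constructed values)."""
    return packet(ACCESS_REQUEST, 7, request_auth, [
        attr(ATTR["User-Name"], b"tamara@example.com"),
        attr(ATTR["User-Password"], hide_password(b"hunter2", secret, request_auth)),
        attr(ATTR["NAS-Port-Id"], b"3/1"),                    # AP port number/radio
    ])


def example_accept(secret=SECRET, request_auth=REQUEST_AUTH):
    """Access-Accept with a VLAN and the Enterasys VSAs (constructed values)."""
    attributes = [
        attr(ATTR["Tunnel-Private-Group-ID"], b"vlan-eng"),
        vsa(ENTERASYS_VSA["Start-Date"], b"04/05/25-09:00"),   # YY/MM/DD-HH:MM
        vsa(ENTERASYS_VSA["URL"], b"http://www.example.com/welcome"),
    ]
    auth = response_authenticator(ACCESS_ACCEPT, 7, attributes, request_auth, secret)
    return packet(ACCESS_ACCEPT, 7, auth, attributes)


if __name__ == "__main__":
    for item in parse_attributes(example_request()) + parse_attributes(example_accept()):
        print(item)
    print("accept verified:", verify_response(example_accept(), REQUEST_AUTH, SECRET))
```

Two things worth noticing when you apply this to real traffic: the Response Authenticator is the only thing binding an Access-Accept to the request and to the shared secret, so a weak or shared-everywhere secret lets anyone on the path forge the VLAN and Start-Date decisions; and User-Password hiding is MD5-keyed XOR, which is why RADIUS between the RAS and its server belongs on a protected management network.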
D Traffic Ports Used by MSS When deploying an Enterasys wireless network, you might attach Enterasys equipment to subnets that have firewalls or access controls between them. Enterasys equipment uses various protocol ports to exchange information. To ensure full operation of your network, make sure the equipment can exchange information on the ports listed in Table D‐1.
E DHCP Server

For information about...                 Refer to page...
How the MSS DHCP Server Works            E-2
Configuring the DHCP Server              E-2
Displaying DHCP Server Information       E-3

MSS has a DHCP server that the switch uses to allocate IP addresses to the following:
• Host connected to a new (unconfigured) RBT-8100, to configure the switch using the Web Quick Start

DHCP service for these items is enabled by default.
How the MSS DHCP Server Works How the MSS DHCP Server Works When MSS receives a DHCP Discover packet, the DHCP server allocates an address from the configured range according to RFC 2131 and ARPs the address to ensure that it is not already in use. If the address is in use, the server allocates the next address in the range, and ARPs again. The process continues until MSS finds an address that is not in use. MSS then offers the address to the Distributed AP or client that sent the DHCP Discover.
Displaying DHCP Server Information Example The following command enables the DHCP server on VLAN red‐vlan to serve addresses from the 192.168.1.5 to 192.168.1.25 range: RBT-8100# set interface red-vlan ip dhcp-server enable start 192.168.1.5 stop 192.168.1.25 success: change accepted.
Subnet Mask:      255.255.255.0
Default Router:   10.10.20.1
DNS Servers:      10.10.20.4 10.10.20.5
DNS Domain Name:  mycorp.
F Dual-Homing (RBT-1602 Access Point Only)

For information about...                 Refer to page...
Resiliency and Dual-Homing Options       F-1
Bias                                     F-1
Dual-Homed Configuration Examples        F-2

This chapter only applies to the RBT-1602 Access Point.

Resiliency and Dual-Homing Options
The RBT-1602 can support a wide variety of resiliency options. Redundancy for PoE, for data link connections, and for RoamAbout Switch services can be provided to the RBT-1602.
Dual-Homed Configuration Examples
The following sections show examples of dual‐homed configurations. Figure F‐1 shows an example of a dual‐homed configuration in which both AP connections are distributed over the network.
If the switches are in another subnet, the AP uses DNS to locate one of the switches, and asks the switch to send the IP address of the best RoamAbout Switch to use, based on the bias settings on each switch and the capacity of each switch to add new active AP connections. The AP then requests its image and configuration files from the best RoamAbout Switch.
Glossary
3DES A three‐round application of the Data Encryption Standard (DES) that uses a 168‐bit encryption key. See also DES.
802.1D The IEEE LAN specification for the operation of media access control (MAC) bridges.
802.1p An IEEE LAN standard method for classifying packets in bridged virtual LANs (VLANs). As part of 802.1Q protocol, 802.1p defines a field in the VLAN tag of a frame header that provides class‐of‐service (CoS) definitions at Layer 2. See also 802.1Q.
802.
802.11a A supplement to the IEEE 802.11 wireless LAN (WLAN) specification, describing transmission through the Physical layer (PHY) based on orthogonal frequency division multiplexing (OFDM), at a frequency of 5 GHz and data rates of up to 54 Mbps.
802.11b A supplement to the IEEE 802.11 wireless LAN (WLAN) specification, describing transmission through the Physical layer (PHY) based on direct‐sequence spread‐spectrum (DSSS), at a frequency of 2.4 GHz and data rates of up to 11 Mbps.
802.
ACE A rule in a security access control list (ACL) that grants or denies a set of network access rights based on one or more criteria. ACEs use criteria such as a protocol and a source or destination IP address to determine whether to permit or deny packets that match the criteria. ACEs are processed in the order in which they appear in the security ACL. See also Security ACL.
ACL See Security ACL.
ad hoc network One of two IEEE 802.11 network frameworks.
authentication mobility The ability of a user (client) authenticated via Extensible Authentication Protocol (EAP)—plus an appropriate subprotocol and back‐end authentication, authorization, and accounting (AAA) service—to roam to different Access Points (APs) without reauthentication.
authentication server An entity that provides an authentication service to an authenticator.
CCMP Counter‐Mode with Cipher Block Chaining Message Authentication Code Protocol. A wireless encryption protocol based on the Advanced Encryption Standard (AES) and defined in the IEEE 802.11i specification. CCMP uses a symmetric key block cipher mode that provides privacy by means of counter mode and data origin authenticity by means of cipher block chaining message authentication code (CBC‐MAC). See also 802.11i; AES; TKIP; WPA. Compare WEP.
cell The geographical area covered by a wireless transmitter.
coverage area In Enterasys RoamAbout Switch Manager, the smallest unit of floor space within which to plan Access Point (AP) coverage for a wireless LAN (WLAN). The number of access points required for a coverage area depends on the type of IEEE 802.11 transmission used, and the area’s physical features and user density.
CPC Communications plenum cable. See plenum‐rated cable.
CRC Cyclic redundancy check. A primitive message integrity check.
crypto See cryptography.
DAP In this document, Distributed Access Point.
Delivery Traffic Indication Map See DTIM.
DES Data Encryption Standard. A federally approved symmetric encryption algorithm in use for many years and replaced by the Advanced Encryption Standard (AES). See also 3DES.
DHCP Dynamic Host Configuration Protocol. A protocol that dynamically assigns IP addresses to stations, from a centralized server. DHCP is the successor to the Bootstrap Protocol (BOOTP).
domain policy A collection of configuration settings that you can define once in RoamAbout Switch Manager and apply to many RoamAbout Switches. Each Mobility Domain group in the network has a default domain policy that applies to every RoamAbout Switch in the Mobility Domain. See also Policy Manager.
DSA Digital Signature Algorithm. The public‐key algorithm used to sign X.509 certificates.
DSSS Direct‐sequence spread‐spectrum.
EAPoL EAP over LAN. An encapsulated form of the Extensible Authentication Protocol (EAP), defined in the IEEE 802.1X standard, that allows EAP messages to be carried directly by a LAN media access control (MAC) service between a wireless client (or supplicant) and an authenticator. EAPoL is also known as EAP over Wireless (EAPoW). See also EAP.
EAP over LAN See EAPoL.
EAP over Wireless See EAPoL.
EAPoW See EAPoL.
EAP-TLS Extensible Authentication Protocol with Transport Layer Security.
ESS Extended service set. A logical connection of multiple basic service sets (BSSs) connected to the same network. Roaming within an ESS is guaranteed by the Enterasys Networks Mobility System.
Ethernet II The original Ethernet specification produced by Digital, Intel, and Xerox (DIX) that served as the basis of the IEEE 802.3 standard.
ETSI European Telecommunications Standards Institute. A nonprofit organization that establishes telecommunications and radio standards for Europe.
forwarding database (FDB) A database maintained on a RoamAbout Switch for the purpose of making Layer 2 forwarding and filtering decisions. Each entry consists of the media access control (MAC) address of a source or destination device, an identifier for the port on which the source or destination station is located, and an identifier for the virtual LAN (VLAN) to which the device belongs.
hash A one‐way algorithm from whose output the input is computationally infeasible to determine. With a good hashing algorithm you can produce identical output from two identical inputs, but finding two different inputs that produce the same output is computationally infeasible. Hash functions are used widely in authentication algorithms and for key derivation procedures.
HiperLAN High‐performance radio local area network.
IE See WPA IE.
IEEE Institute of Electrical and Electronic Engineers. An American professional society whose standards for the computer and electronics industry often become national or international standards. In particular, the IEEE 802 standards for LANs are widely followed.
IGMP Internet Group Management Protocol. An Internet protocol, defined in RFC 2236, that enables an Internet computer to report its multicast group membership to neighboring multicast routers.
International Organization for Standardization See ISO.
Internet Authentication Service See IAS.
Internet Group Management Protocol See IGMP.
Interswitch Link See ISL.
ISL Interswitch Link. A proprietary Cisco protocol for interconnecting multiple switches and maintaining virtual LAN (VLAN) information as traffic travels between switches. Working in a way similar to VLAN trunking, described in the IEEE 802.
location policy rule A rule in the location policy on a RoamAbout Switch that grants or denies a set of network access rights based on one or more criteria. Location policy rules use a username or VLAN membership to determine whether to override—or supply—authorization attributes during authentication and to redirect traffic. Location policy rules are processed in the order in which they appear in the location policy. See also location policy.
MAC (1) Media access control. See MAC address.
Message-Digest algorithm 5 See MD5.
Message Integrity Code See MIC.
MIC Message integrity code. The IEEE term for a message authentication code (MAC). See MAC.
Microsoft Challenge Handshake Authentication Protocol See MS‐CHAP‐V2.
minimum data transmit rate The lowest rate at which an Access Point (AP) can transmit data to its associated mobile clients. If the data rate to a client drops below the minimum, the AP increases power, if RF Auto‐Tuning is enabled.
MTU Maximum transmission unit. The size of the largest packet that can be transmitted over a particular medium. Packets exceeding the MTU value in size are fragmented or segmented, and then reassembled at the receiving end. If fragmentation is not supported or possible, a packet that exceeds the MTU value is dropped.
NAT Network address translation.
PEM Privacy‐Enhanced Mail. A protocol, defined in RFC 1422 through RFC 1424, for transporting digital certificates and certificate signing requests over the Internet. PEM format encodes the certificates on the basis of an X.509 hierarchy of certificate authorities (CAs). Base64 encoding is used to convert the certificates to ASCII text, and the encoded text is enclosed between BEGIN CERTIFICATE and END CERTIFICATE delimiters.
Per-VLAN Spanning Tree protocol See PVST+.
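As an added example of the PEM framing described in the entry above (constructed for this glossary, not code from the Enterasys product), the following Python parser extracts the Base64 body between the BEGIN and END delimiters and decodes it. It refuses a block whose END label does not match its BEGIN, a block that is never terminated, and a body that is not valid Base64, which are the malformations an administrator most often meets when pasting certificates into a switch. The payload bytes in the usage are constructed and are not a real certificate; `parse_pem`, `to_pem` and `is_valid_pem` are names chosen for this example.

```python
import base64
import binascii
import re
from typing import List, Tuple

# A PEM delimiter line: five dashes, BEGIN or END, a label such as CERTIFICATE, five dashes.
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def parse_pem(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, decoded bytes) for every well-formed block; raise ValueError otherwise."""
    blocks: List[Tuple[str, bytes]] = []
    label = None            # label of the block currently being read, or None
    body: List[str] = []    # Base64 lines collected so far for that block
    for raw in text.splitlines():
        line = raw.strip()
        begin = _BEGIN.match(line)
        if begin:
            if label is not None:
                raise ValueError("BEGIN %s inside unterminated %s block" % (begin.group(1), label))
            label, body = begin.group(1), []
            continue
        end = _END.match(line)
        if end:
            if label is None:
                raise ValueError("END %s without a matching BEGIN" % end.group(1))
            if end.group(1) != label:
                raise ValueError("END label %s does not match BEGIN label %s" % (end.group(1), label))
            try:
                # validate=True rejects characters outside the Base64 alphabet and bad padding
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError("invalid Base64 in %s block" % label) from exc
            blocks.append((label, der))
            label = None
            continue
        if label is not None and line:
            body.append(line)
    if label is not None:
        raise ValueError("unterminated %s block" % label)
    return blocks


def is_valid_pem(text: str) -> bool:
    """Convenience wrapper: True when the text contains at least one well-formed block."""
    try:
        return len(parse_pem(text)) > 0
    except ValueError:
        return False


def to_pem(label: str, der: bytes) -> str:
    """Encode bytes as one PEM block, wrapping the Base64 text at 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


if __name__ == "__main__":
    # Constructed payload: arbitrary bytes, not a real X.509 certificate.
    sample = to_pem("CERTIFICATE", bytes(range(64)))
    print(sample)
    print(parse_pem(sample)[0][0], len(parse_pem(sample)[0][1]), "bytes")
```

Because the parser returns the raw DER bytes, the same routine serves both certificates and certificate signing requests; only the label differs.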
PoE Power over Ethernet. A technology, defined in the developing IEEE 802.3af standard, to deliver DC power over twisted‐pair Ethernet data cables rather than power cords. The electrical current, which enters the data cable at the power‐supply end and comes out at the device end, is kept separate from the data signal so neither interferes with the other.
Protocol Independent Multicast protocol See PIM.
PseudoRandom Function See PRF.
PseudoRandom Number Generator See PRNG.
PSK Preshared key. The IEEE 802.11 term for a shared secret, also known as a shared key. See shared secret.
PTK Pairwise transient key. A value derived from a pairwise master key (PMK) and split into multiple encryption keys and message integrity code (MIC) keys for use by a client and server as temporal session keys for IEEE 802.11i robust security. See also 802.11i.
RADIUS Remote Authentication Dial‐In User Service. A client‐server security protocol described in RFC 2865 and RFC 2866. RADIUS extensions, including RADIUS support for the Extensible Authentication Protocol (EAP), are described in RFC 2869. Originally developed by Livingston Enterprises, Inc., to authenticate, authorize, and account for dial‐up users, RADIUS has been widely extended to broadband and enterprise networking.
To monitor network performance, RoamAbout Switch Manager collects RoamAbout Switch and AP information, calculates and displays AP neighbor relationships, and detects anomalous events—for example, rogue access points.
roaming The ability of a wireless user (client) to maintain network access when moving between Access Points (APs).
Robust Security Network See RSN.
Rogue Access Point An Access Point (AP) that is not authorized to operate within a wireless network.
The rules in an ACL are known as access control entries (ACEs). See also ACE.
seed (1) An input to a pseudorandom number generator (PRNG), that is generally the combination of two or more inputs. (2) The RoamAbout Switch that distributes information to all the RoamAbout switches in a Mobility Domain™ group.
SentrySweep™ A radio frequency (RF) detection sweep that runs continuously on the disabled radios in a Mobility Domain™ group. See also RF detection sweep.
station Any device with a media access control (MAC) address and a Physical layer (PHY) interface to the wireless medium that complies with the standards for all IEEE 802 networks. Wireless clients and Access Points (APs) are stations in an Enterasys Networks Mobility System.
STP Spanning Tree Protocol. A link management protocol, defined in the IEEE 802.1D standard, that provides path redundancy while preventing undesirable loops in a network. STP is also known as Spanning Tree Bridge Protocol.
TTLS supports authentication methods defined by EAP, as well as the older Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), Microsoft CHAP (MS‐CHAP), and MS‐CHAPV2. Compare EAP‐TLS; PEAP.
Tunneled Transport Layer Security subprotocol See TTLS.
tunneling The transmission of data by one network through the connections of another network by encapsulating its data and protocol information within the other network’s transmission units.
You can divide a single device into multiple logical Layer 2 switches, with each VLAN operating as a separate switch, or make multiple devices members of multiple logical Layer 2 networks. By default, all RoamAbout Switch ports are members of VLAN 1, which is named default.
VLAN glob A naming convention for applying the authentication, authorization, and accounting (AAA) attributes in the location policy on a RoamAbout Switch to one or more users, based on a virtual LAN (VLAN) attribute.
Wi-Fi Protected Access See WPA.
wildcard mask A 32‐bit quantity used with an IP address to determine which bits in the address to ignore in a comparison with another IP address. When setting up security access control lists (ACLs), you specify source and destination IP addresses and corresponding wildcard masks by which the RoamAbout Switch determines whether to forward or filter packets.
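The glossary entries for ACE (first-match processing order) and wildcard mask come together in the following added Python example, which is constructed for this glossary and is not MSS code. It assumes a simplified ACE with a protocol, source and destination address each paired with a wildcard mask, and an optional destination port, and it assumes an implicit deny when no entry matches. It also demonstrates the common mistake of supplying a subnet mask where a wildcard mask is expected: a set bit in a wildcard mask means "ignore this bit", so 255.255.255.0 ignores the first three octets rather than the last one.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base in every bit the wildcard mask does NOT set.

    0.0.0.0 demands an exact host match; 255.255.255.255 matches any address.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    ignore = int(ipaddress.IPv4Address(wildcard))
    care = ~ignore & 0xFFFFFFFF          # bits that must agree
    return (a & care) == (b & care)


@dataclass
class Ace:
    """One access control entry (simplified shape; an assumption of this example)."""
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    dst_port: Optional[int] = None  # None means any destination port


def evaluate_acl(acl: List[Ace], protocol: str, src: str, dst: str,
                 dst_port: Optional[int] = None) -> str:
    """Walk the entries in order; the first one that matches decides the packet's fate."""
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != protocol:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        if (wildcard_match(src, ace.src, ace.src_wildcard)
                and wildcard_match(dst, ace.dst, ace.dst_wildcard)):
            return ace.action
    return "deny"   # assumption: implicit deny when no entry matches


# Constructed sample ACL: deny telnet to the router, then permit the rest of the subnet.
# The addresses reuse the 10.10.20.0/24 values shown in the DHCP display example.
SAMPLE_ACL = [
    Ace("deny", "tcp", "0.0.0.0", "255.255.255.255", "10.10.20.1", "0.0.0.0", 23),
    Ace("permit", "ip", "10.10.20.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]


if __name__ == "__main__":
    print("telnet to router:", evaluate_acl(SAMPLE_ACL, "tcp", "10.10.20.50", "10.10.20.1", 23))
    print("http to router:  ", evaluate_acl(SAMPLE_ACL, "tcp", "10.10.20.50", "10.10.20.1", 80))
    # Same entries, reversed: the broad permit now shadows the deny.
    print("reversed order:  ", evaluate_acl(list(reversed(SAMPLE_ACL)), "tcp",
                                           "10.10.20.50", "10.10.20.1", 23))
```

Reversing the two entries is the failure mode the ACE entry warns about: once the broad permit sits first, the deny beneath it is never reached, so ordering is part of the policy, not a cosmetic detail.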
X.500 A standard of the International Organization for Standardization (ISO) and International Telecommunications Union Telecommunication Standardization Sector (ITU‐T), for systematically collecting the names of people in an organization into an electronic directory that can be part of a global directory available to anyone in the world with Internet access.
X.
Command Index B backup system 23-14, 23-16 boot OPT+=default A-3 C clear {ap | dap} radio 9-53 clear accounting system 17-57 clear boot config 23-13 clear dap 4-5, 9-33 clear dap image 24-8 clear dot1x bonded-period 17-16 clear dot1x max-req 19-5 clear dot1x port-control 19-2 clear dot1x quiet-period 19-7 clear dot1x reauth-max 19-6 clear dot1x reauth-period 19-7 clear dot1x timeout auth-server 19-8 clear dot1x timeout supplicant 19-8 clear dot1x tx-period 19-3 clear fdb 4-23 clear igmp statistics 14-6 cle
set {ap | dap} radio radio-profile 9-51 set {ap | dap} radio tx-power 9-49 set {ap | dap} upgrade-firmware 9-34 set accounting admin 3-9 set accounting dot1X 17-55 set accounting system 17-56 set ap radio radio-profile 10-11, 10-14 set arp 5-25 set arp agingtime 5-26 set authentication console 3-7 set authentication dot1x 17-13 set authentication dot1x local 17-14 set authentication mac 17-20 set authentication proxy 17-39 set boot configuration-file 23-11 set dap 4-3, 9-31 set dap auto 9-27 set dap auto bi
set security acl ip 15-4, 15-6 set security acl ip before 15-17 set security acl ip tcp 15-8 set security acl map 15-14 set security acl modify 15-18 set security acl udp 15-8 set security l2-restrict 4-19 set server group 18-6 set server group load-balance 18-7 set server group members 18-7 set service-profile 10-8, 10-12 set service-profile auth-dot1x 10-10 set service-profile auth-fallthru 9-40 set service-profile auth-psk 10-9 set service-profile beaconed 9-40 set service-profile cac-mode 12-16 set serv
show security acl editbuffer 15-9, 15-10 show security acl hits 15-11 show security acl info 15-9, 15-11 show security acl info all editbuffer 15-9 show security acl map 15-15 show security l2-restrict 4-19 show service-profile 9-57, 10-10, 10-13 show sessions admin 5-12, 5-14, 21-2 show sessions console 21-2 show sessions network 21-3 show sessions network mac-addr 21-6 show sessions network session-id 21-7 show sessions network user 21-5 show sessions network verbose 21-4 show sessions network vlan 21-6 s
Index Numerics 802.11a 4-3, 9-31 802.11b 4-3, 9-31 802.11g 4-3, 9-31 802.11i. See RSN 802.1Q tagging 4-16 802.
wired ports 19-2 WPA 10-6 authentication, authorization, and accounting.
counters radio 9-60 See also statistics country, specifying 9-22 critical logging level A-5 Cryptographic Message Syntax Standard 16-4 current TTY session A-4 D database, local clearing users from 3-8 mapping security ACLs to users in 17-48 date, configuring 5-20 daylight savings time, configuring 5-21 DEASSOCIATED user state, for roaming 7-8 debug logging level A-5 delimiter characters, for user globs 1-4 delivery traffic indication map (DTIM) interval 9-45 Denial-of-Service (DoS) protection 22-12 destina
ACLs 15-7 guest users, last-resort access 17-36 H hello interval configuring 13-6 defined 13-6 help, command-line 1-8 history buffer, reusing commands in 1-7 hits, security ACLs configuring 15-11 sampling 15-11 HTTPS, disabling 5-15 I ICMP ACLs 15-6 IEEE 802.
wildcards in 1-5 MAC addresses asterisks (*) in 1-3 authentication by 17-19 clearing network sessions by 21-6 displaying network sessions by 21-6 leading zeros in 1-3 notation conventions 1-3 PDAs 17-19 search timer, for roaming 7-9 wildcards in 1-3 MAC authentication available encryption 17-12 configuring 17-19 MAC authorization password 17-21 MAC user groups 17-19 MAC users 17-19 machine authentication 17-15 manuals, product iii mapping security ACLs clearing security ACL maps 15-15 in the local database
password case-sensitive 3-8 enable, changing 3-6 enable, setting 3-6 invalid for last-resort users 3-8, 17-36 one-time 16-8, 16-13 RADIUS 18-3 user 3-8 user in local database 3-8 PDAs, MAC addresses of 17-19 PEAP-MS-CHAP-V2 configuration scenario 17-67 defined 17-11 See also PEAP-MS-CHAP-V2 offload authentication PEAP-MS-CHAP-V2 offload authentication configuration scenario 17-67 configuring 17-14 with pass-through, scenario 17-68 peer, Network Domain configuring 8-6 PEM 16-9 performance issues A-13 permane
password, global 18-3, 18-4 server configuration 18-3 server group configuration 18-6 server group, configuration scenario 18-9 server groups, displaying 17-60 timers 18-6 unresponsive RADIUS servers, scenario 3-13 usage guidelines B-1, C-1 RADIUS attributes accounting, supported C-2 Enterasys specific C-5 global attributes, resetting 18-4 RFCs for C-1 standard and extended C-2 value characteristics C-1 VLAN assignment 4-15 VSAs C-5 RADIUS proxy 17-37 range operator in security ACLs 15-7 RAS (RoamAbout Swit
operators 15-7 ordering 15-9 planning maps 15-2, 15-14 ports 15-14 reassigning in a location policy rule 17-54 sample hit rate 15-11 TCP 15-8 TCP source and destination ports 15-7 UDP 15-8 UDP source and destination ports 15-7 user-based 15-13 virtual ports 15-14 VLANs 15-14 wildcard masks for IP addresses 15-5 seed, Mobility Domain configuring 7-2 defined 7-1 member configuration 7-3 seed, Network Domain configuring 8-5, 8-6 self-signed certificates administrative 16-7 defined 16-6 EAP 16-7 generating 16-7
setting 23-11 system image file 23-1 incomplete load, troubleshooting A-3 upgrading 23-16 system image version 23-2 system IP address 5-5 assigning to VLAN 5-5 required on a Mobility Domain seed 7-2 system logs configuring A-5 destinations A-4 disabling output to the console A-7 displaying the configuration of A-9 managing A-4 message components A-4 severity levels A-5 system time, configuring 5-20 T tabs, for command completion 1-7 tag type 4-16 target buffer A-4 console A-4 server A-4 sessions A-5 trace
See also security ACLs User-Name attribute C-2 usernames case-sensitive 3-8 clearing sessions by 21-5 displaying network sessions by 21-5 last-resort 17-36 User-Password attribute C-2 users 802.1X 19-9 accounting 17-55 adding to local database 3-8 authentication and authorization 17-8 clearing from the local database 3-8 no network access, troubleshooting A-2 security ACLs, assigning 17-48 V vendor list 22-6 Vendor-Specific attribute, 802.1X attribute C-3 vendor-specific attributes.
dynamic 19-3 rekeying broadcast and multicast keys 19-4 secret key 19-4 static 10-1 using with RSN 10-13 using with WPA 10-8 WEP 802.1X keys rekey interval 19-4 rekeying 19-4 Wi-Fi Multimedia (WMM) 12-1 Wi-Fi Protected Access. See WPA (WiFi Protected Access) wildcard masks 15-5 notation conventions 1-3 wildcards in MAC address globs 1-5 in MAC addresses 1-3 in user globs 1-4 in VLAN globs 1-5 masks for in security ACLs 15-5 wired authentication ports 4-1 802.