Summit WM Series WLAN Switch and Altitude Access Point Software Version 4.1
Technical Reference Guide

Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.
Table of Contents

About this Guide
    Who should use this guide
    What is in this guide
    Formatting conventions
Step 8: Installing User Certificates on Wireless Client Computers for EAP-TLS
    Submit a user certificate request via the Web
    Request a certificate
    Floppy Disk-Based Installation
Chapter 7: MAC Based Authentication
    How MAC-based authentication works
    Roaming
    Radius redundancy
RF Domain
DRM Shaped Power Control
DRM Power Control Summary
DRM Automatic Channel Selection
Chapter 13: Reference lists of standards
    RFC list
    802.11 standards list
    Supported Wi-Fi Alliance standards
About this Guide

This guide describes how to install, configure, and manage the Summit® WM series switch, access points, and WLAN switch software.

Who should use this guide

This guide is a reference for system administrators who install and manage the Summit WM series switch, access points, and WLAN switch software system. Any administrator performing tasks described in this guide must have an account with full administrative privileges.
Formatting conventions

The Summit WM series switch, access points, and WLAN switch software documentation uses the following formatting conventions to make it easier to find information and follow procedures:
● Bold text is used to identify components of the management interface, such as menu items and sections of pages, as well as the names of buttons and text boxes. For example: Click Logout.
● Monospace font is used in code examples and to indicate text that you type.
1 Configuration of Dynamic Host Configuration Protocol (DHCP)

Altitude AP discovery supports the following methods:
● Service Location Protocol (SLP)
● Domain Name Server (DNS) – controller.
● Multicast – Same subnet multicast discovery

The listed discovery methods are tried in succession until one of them produces a successful registration with a controller. Static configuration can also be used for Altitude AP registration.
Service Location Protocol (SLP) (RFC2608)

Service Location Protocol (RFC2608) is a method of organizing and locating the resources (such as printers, disk drives, databases, e-mail directories, and schedulers) in a network. Using SLP, networking applications can discover the existence, location and configuration of networked devices.
Service Agent so configured must not employ either active or passive multicast discovery of Directory Agents. The Directory Agents listed in Option 78 must be configured with a non-empty subset of the scope list that the Agent receiving the Directory Agent Option 78 is configured with.

SLP Service Scope Option (Option 79)

Services are grouped together using scopes. Scopes are strings that identify a set of services that form an administrative grouping.
Dynamic Host Configuration Protocol – Summit WM series switch and AP Discovery and other Services

Dynamic Host Configuration Protocol (DHCP) can be used for several purposes in a network configuration of a Summit WM Wireless LAN Switch setup. Consider the following diagram:

Figure 1: DHCP in a Summit WM system

This simple setup has the following properties:
● A Summit WM connected to a core network segment (a.b.c.
In this setup there are four different areas in which DHCP must be considered:

Figure 2: Areas needing consideration for DHCP

Table 1: Use of DHCP
Area | Description of use for DHCP
A | DHCP INFORM messages are periodically sent on all physical ports (esa0-1 on C1000, esa0-3 on C100). DHCP INFORM messages are NOT requests for addressing on that segment.
Table 1: Use of DHCP (Continued)
Area | Description of use for DHCP
C | For AP deployment networks that are not in the same subnet as the Summit WM there needs to be some mechanism to allow the APs to find the Summit WM across subnet.
DHCP setups for relayed WM-ADs and AP deployment networks

Sometimes it is necessary to use a DHCP server external to the Summit WM to offer DHCP addresses. Popular reasons for this are:
● Support for DHCP options that are not exposed through Summit WM GUI,
● To leverage existing DHCP infrastructures, and
● To consolidate the DHCP requirements for wireless client, APs, and the Summit WM in one place.
The following is the configuration file dhcpd.conf from the Linux server at 10.0.0.9:

Figure 4: dhcpd.conf example listing

This file can be divided into the following four areas:
● General options: lines 1-3
● Scope for 10.0.0.0/24 subnet: lines 4-8
● Scope for 172.16.1.0/24 subnet (voice subnet): lines 9-18
● Scope for 172.16.2.
General options

Line 1 designates this DHCP server as authoritative in case another DHCP server answers requests.

Line 2 sets options for Dynamic DNS. This option turns off DNS updates based upon DHCP mappings. There are other options that allow DHCP to update a DNS server to reflect the addresses handed out by the DHCP server. See the man page for dhcpd.conf for more information on support for this option.

Line 3 defines the format for DHCP option 151 as we want to use it.
Altitude AP DHCP Registration Setup (WINDOWS)

You can configure the DHCP service that is included with Windows 2000 and Windows 2003 to provide DHCP option 78. Extreme Networks Altitude APs as clients to the Summit WM series switch may require the configuration of DHCP options 78 for controller discovery. These options are sometimes referred to as the SLP options.
Altitude Access Point Discovery mechanism

NOTE
It is also possible to attend to this using Dotted Decimal form. For example, for the controller ESA Port IP address 10.53.0.1, additions should be made in hexadecimal format 00 0A 35 00 01. For the sake of convenience a quick reference chart follows for the decimal to hexadecimal conversions.
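The hexadecimal entry in the note above follows the RFC 2610 layout for option 78: one Mandatory byte followed by four bytes per Directory Agent address. The Python sketch below is an added example, not part of the original guide; it builds and validates that entry so a value can be checked before it is typed into the DHCP server. The function names and the second address 10.53.0.2 are constructed for illustration.

```python
import ipaddress


def encode_option78(addresses, mandatory=False):
    """Build the option 78 data field: Mandatory byte + 4 bytes per IPv4 address."""
    if not addresses:
        raise ValueError("option 78 needs at least one Directory Agent address")
    data = bytearray([1 if mandatory else 0])
    for addr in addresses:
        # IPv4Address rejects malformed dotted-decimal input such as 10.53.0.256
        data += ipaddress.IPv4Address(addr).packed
    if len(data) > 255:
        raise ValueError("option data exceeds the 255-byte DHCP option limit")
    return bytes(data)


def to_hex_entry(data):
    """Format the bytes the way they are entered in a hex byte editor."""
    return " ".join(f"{b:02X}" for b in data)


def decode_option78(hex_entry):
    """Parse a hex entry back into (mandatory, [addresses]) and reject bad layouts."""
    raw = bytes.fromhex("".join(hex_entry.split()))
    # A common mistake is to omit the leading Mandatory byte; that leaves a
    # length that is not 1 + 4*n and is caught here.
    if len(raw) < 5 or (len(raw) - 1) % 4 != 0:
        raise ValueError("expected 1 Mandatory byte followed by whole IPv4 addresses")
    if raw[0] not in (0, 1):
        raise ValueError("Mandatory byte must be 00 or 01")
    addrs = [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(1, len(raw), 4)]
    return bool(raw[0]), addrs


if __name__ == "__main__":
    # Address from the guide's note
    print(to_hex_entry(encode_option78(["10.53.0.1"])))
    # Constructed second controller address, Mandatory flag set
    print(to_hex_entry(encode_option78(["10.53.0.1", "10.53.0.2"], mandatory=True)))
    print(decode_option78("00 0A 35 00 01"))
```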
DNS Settings for Altitude AP Discovery

Use of this mechanism assumes that DNS services are configured and available.
2 Rogue Access Point Detection

The Rogue AP detection feature provides capabilities to Summit WM series switches that allow Altitude APs to periodically scan the RF space and report suspect devices. With this capability, Altitude APs can multitask as scan devices as well as access points. This allows rogue detection to occur without installing expensive overlay sensor networks.
7 Inactive Altitude AP with unknown SSID – Major Alarm
    a A “known” Altitude AP with an unknown SSID has been detected that the Summit WM series switch has identified as not in service (stolen?)

With each event, the following information will be reported:
● Scanning Altitude AP Name & Scan Group
● Detection Date and Time
● Rogue SSID and Channel
● Signal Strength (RSSI)
● Security/Encoding type (for example, WEP, 802.
3 Creating the Windows Security Infrastructure

NOTE
To ensure information and best practice configuration integrity, all information contained in this section was extracted from two sources:
> “Deploying Secure 802.11 Wireless Networks with Microsoft Windows”, by Joseph Davies
> http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

● Wireless client computers running Windows
● At least two Internet Authentication Service (IAS) servers.
● Wireless remote access policy.
    ● A remote access policy is configured for wireless connections so that employees can access the organization intranet.
● Multiple wireless APs.
    ● Multiple third-party wireless APs provide wireless access in different buildings of an enterprise. The wireless APs must support IEEE 802.1X, RADIUS, and Wi-Fi Protected Access (WPA™) or WPA2™.
Step 1: Configuring the Certificate Infrastructure

Table 4 summarizes the certificates needed for the different types of authentication.
installed on the wireless client, the issuing CA certificate, intermediate CA certificates, and the root CA certificate are also installed. When the computer certificate is installed on the IAS server computer, the issuing CA certificate, intermediate CA certificates, and the root CA certificate are also installed. The issuing CA for the IAS server certificate can be different than the issuing CA for the wireless client certificates.
Additionally, if you want to take advantage of autoenrollment for computer certificates, use Windows 2000 or Windows Server 2003 Certificate Services and create an enterprise CA at the issuer CA level. If you want to take advantage of autoenrollment for user certificates, use Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, Certificate Services and create an enterprise CA at the issuer CA level.
Step 1b: Installing Computer Certificates

If you are using a Windows Server 2003 or Windows 2000 Certificate Services enterprise CA as an issuing CA, you can install a computer certificate on the IAS server by configuring Group Policy for the autoenrollment of computer certificates for computers in an Active Directory system container.

To configure computer certificate enrollment for an enterprise CA:
1 Open the Active Directory Users and Computers snap-in.
To configure user certificate enrollment for a Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, enterprise CA:
1 Click Start, click Run, type mmc, and then click OK.
2 On the File menu, click Add/Remove Snap-in, and then click Add.
3 Under Snap-in, double-click Certificate Templates, click Close, and then click OK.
4 In the console tree, click Certificate Templates.
Step 2: Configuring Active Directory for Accounts and Groups

To configure Active Directory user and computer accounts and groups for wireless access, do the following:
1 If you are using Windows 2000 domain controllers, install Windows 2000 SP3 or SP4 on all domain controllers.
2 Ensure that all users that are making wireless connections have a corresponding user account.
Step 3: Configuring the Primary IAS Server a folder or sent in an email message. Although this works for certificates created with Windows CAs, this method does not work for third-party CAs. The recommended method of importing certificates is to use the Certificates snap-in. For information about how to install a VeriSign, Inc. certificate for PEAP-MS-CHAP v2 authentication, see Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication.
3 Right-click Internet Authentication Service, and then click Register Server in Active Directory. When the Register Internet Authentication Service in Active Directory dialog box appears, click OK.

Register the IAS server in the default domain using the netsh tool
1 Log on to the IAS server with an account that has domain administrator permissions.
2 Open a command prompt.
Add RADIUS clients
1 Open the Internet Authentication Service snap-in.
2 For Windows 2000 IAS, in the console tree, right-click Clients, and then click New Client. For Windows Server 2003 IAS, in the console tree, right-click RADIUS Clients, and then click New RADIUS Client.
3 In Friendly name, type a descriptive name.
4 In Protocol, click RADIUS, and then click Next.
5 In Client address (IP or DNS), type the DNS name or IP address for the client.
Profile, Encryption tab: Clear all other check boxes except the Strongest check box. This forces all wireless connections to use 128-bit encryption. The settings on the Encryption tab correspond to the MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types RADIUS attributes and might be supported by the wireless AP. If these attributes are not supported, clear all the check boxes except No encryption.
8 Specify the vendor for your wireless AP. To specify the vendor by selecting the name from the list, click Select from list, and then select the vendor of the wireless AP for which you are configuring the VSA. If the vendor is not listed, specify the vendor by typing the vendor code.
9 To specify the vendor by typing the vendor code, click Enter Vendor Code and then type the vendor code in the space provided.
3 Click Edit Profile. The Edit Dial-In Profile dialog is displayed.
4 Click the Advanced tab.
5 Click Add. The Add Attribute dialog is displayed.
6 From the list, select the applicable Vendor Specific Attribute, and then click Add. The Attribute Information dialog is displayed.
7 In the Attribute value box, type 4329 as the vendor number, and then click OK.
8 Configure the applicable attributes as per the dictionary file at: /etc/chantry/raddb/dictionary.
Step 4: Configuring the secondary IAS server (if applicable)

Dictionary file

In the file at /etc/chantry/raddb/dictionary.extreme, the VSAs are:
# dictionary.
other domains, verify that the other domains have a two-way trust with the domain in which the secondary IAS server computer is a member. Next, configure the secondary IAS server computer to read the properties of user accounts in other domains. For more information, see the “Enable the IAS server to read user objects in Active Directory” procedure previously described.
Step 6: Configuring Wireless Network (IEEE 802.11) Policies Group Policy Settings

With the Wireless Network (IEEE 802.
running either Windows Server 2003 with no service packs installed or Windows Server 2003 with SP1 to configure Wireless Network (IEEE 802.11) Policies settings.

NOTE
The Wireless Network (IEEE 802.11) Policies Group Policy extension for Windows Server 2003 with SP1 does not support the configuration of WPA2 authentication settings.
Step 8: Installing User Certificates on Wireless Client Computers for EAP-TLS

If you have configured autoenrollment of user certificates, then the wireless user must update User Configuration Group Policy to obtain a user certificate. If you are not using autoenrollment for user certificates, use one of the following procedures to obtain a user certificate.

Submit a user certificate request via the Web
1 Open Internet Explorer.
wizard, export the private key and select Delete the private key if the import is successful. Save this file to a floppy disk and deliver it to the user of the wireless client computer.
3 On the wireless client computer, import the user certificate. For more information, see the “Import a certificate” procedure in this section.

Export a certificate
1 Open an MMC console containing Certificates - Current User.
Step 9: Configuring Wireless Clients for EAP-TLS

To manually configure EAP-TLS authentication on a wireless client running Windows XP with SP1, Windows XP with SP2, or Windows Server 2003, do the following:
1 Obtain properties of the wireless connection in the Network Connections folder. Click the Wireless Networks tab, then click the name of the wireless network in the list of preferred networks and click Properties.
2 Click the Authentication tab and select Enable network access control using IEEE 802.
Step 10: Configuring Wireless Client Computers for PEAP-MS-CHAP v2

If you have configured Wireless Network (IEEE 802.11) Policies Group Policy settings and specified the use of PEAP-MS-CHAP v2 authentication for your wireless network (the Protected EAP (PEAP) type with the Secured password (EAP-MSCHAP v2) authentication method), then no other configuration for wireless clients running Windows XP with SP1, Windows XP with SP2, or Windows Server 2003 is needed.
Additional Intranet Wireless Deployment Configurations

To verify, obtain the properties of the computer certificate on the IAS server using the Certificates snap-in and view the certificate chain from the Certification Path tab. The certificate at the top of the path is the root CA certificate.
● When the wireless AP receives an Access-Reject message, the connection is denied.

To allow a business partner, vendor, or other non-employee to gain access to a separate network using the same wireless infrastructure that allows employees to access the organization intranet, the connection request must result in an Access-Accept message from the RADIUS server.
● Profile, Encryption tab: If the wireless AP supports the MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types RADIUS attributes, clear all other check boxes except the Strongest check box. This forces all wireless connections to use 128-bit encryption. If they are not, clear all the check boxes except No encryption.
● Computer certificates must contain the FQDN of the wireless client computer account in the Subject Alternative Name property.
● User certificates must be installed in the Current User certificate store.
● User certificates must contain the universal principal name (UPN) of the user account in the Subject Alternative Name property.
13 Click OK to close the Internet Options dialog box.
14 Close Internet Explorer.
15 Close the new command prompt that was opened in step 6.

Another way to configure proxy server settings is to use the ProxyCfg.exe tool from the command prompt opened in step 6. ProxyCfg.exe is included with Windows Server 2003. For a version of ProxyCfg.exe that works with Windows 2000 Server, see 830605 - The Proxycfg.exe configuration tool is available for WinHTTP 5.
4 Windows Recommendations and Best Practices

The following are recommendations and best practices for deploying an IEEE 802.11 WLAN in a large enterprise.

Security

Microsoft recommends that you use one of the following combinations of security technologies (in order of most to least secure):
● WPA2 with EAP-TLS and both user and computer certificates - EAP-TLS is the strongest 802.1X authentication method supported by Windows-based wireless clients.
● To install user certificates, use auto-enrollment - This requires the use of a Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, Certificate Services server as an enterprise CA at the issuer CA level.
● Otherwise, to install user certificates, use a CAPICOM script - Alternately, use a CAPICOM script to install both computer and user certificates.
Active Directory

When configuring Active Directory for wireless access, use the following best practices:
● If you have a native-mode domain and are using a group-based wireless remote access policy, use universal groups and global groups to organize your wireless accounts into a single group. Additionally, set the remote access permission on computer and user accounts to Control access through Remote Access Policy.
account database (such as different Active Directory forests). RADIUS messages are forwarded to a member of the corresponding remote RADIUS server group matching the connection request policy.
● Investigate whether the Altitude APs need RADIUS vendor-specific attributes (VSAs) and configure them during the configuration of the remote access policy on the Advanced tab of the remote access policy profile.
Using Computer-only Authentication Figure 6: Selecting computer-only authentication in the Wireless Network (IEEE 802.11) Policies Group Policy extension For more information, see Configuring Wireless Settings Using Windows Server 2003 Group Policy at http://www.microsoft.com/technet/community/columns/cableguy/cg0703.mspx.
Summary

You can perform secure wireless authentication with either EAP-TLS or PEAP-MS-CHAP v2. For EAP-TLS, you must deploy a certificate infrastructure capable of issuing computer certificates to your IAS servers and both computer and user certificates to your wireless client computers and users.
5 Summit WM series switch WM200/2000 Diagnostics

WARNING!
Changes or modifications made to the Summit WM series switch or the Altitude APs which are not expressly approved by Extreme Networks could void the user's authority to operate the equipment. Only authorized Extreme Networks service personnel are permitted to service the system. Procedures that should be performed only by Extreme Networks personnel are clearly identified in this guide.
Table 6 shows the system capacities for each model.

Table 6: WM200/2000 System Capacity
 | WM200/2000 Campus | WM200/2000 Enterprise
Number of APs | 100 | 200
Number of Users | 2048 + 2048 | 4096 + 4096
Number of WM-AD | 32 | 64
Number of Voicecalls | 200 | 500
Maximum Throughput | 2Gbps | 2Gbps
Part Number | F31505-K80-A21 | F31505-K80-A22

LED Indicators

The SME is the main entity in charge of system monitoring and state reporting.
The Seven-Segment Display (SSD) is used to provide information about startup or processor load.

NOTE
The error codes represented by the SSD are context dependent on the state of the LEDs (ACT, W, E).

System Startup

The firmware and bootloader procedures execute the system startup phase. Table 7 provides SSD descriptions.

Table 7: SSD definitions
SSD | Description
0 | The processor has started. The firmware has taken control. This SSD is short and rarely in running systems.
Table 8: WM200/2000 Application States (Continued)
Condition | Log Level | Comment | Action
Forwarding Engine initialization complete. Application initializing. | Major | FE initialization complete | No Action Required
Major | Complete set of application components have restarted. System is now ready to enter active state. | No Action Required
Major | This SSD code indicates that the administrator has requested the halting of system's operations.
Application States

Table 8: WM200/2000 Application States (Continued)
Condition | Log Level | Comment | Action

Error LED

Failed to identify FDD. Possibly due to removal of FDD card.
● Activity LED = Enabled
● Warning LED = Enabled
● Error LED = Enabled
● SSD = 1

Failed to initialize NPE card.
● Activity LED = Enabled
● Warning LED = Enabled
● Error LED = Enabled
● SSD = 2

Critical threshold reached (95C for NPE). System will reboot.
Table 8: WM200/2000 Application States (Continued)
Condition | Log Level | Comment | Action

NPE Initialization Failure. Firmware self test (BIST) has detected failure with one component (memory, bus, interconnects)
● Activity LED = Enabled
● Warning LED = Enabled
● Error LED = Enabled
● SSD = 8
Action: Contact Technical Support to arrange replacement.

SNMP Alarms are generated for each of the conditions corresponding to Major and Critical logs.
6 Summit WM series switch WM200/2000 Hardware maintenance

WARNING!
The Summit WM series switch WM200/2000 system may not be operated in a LAN in which a DC voltage is overlaid on the data lines, since there are still switches that connect directly without checking the supply voltage first. Depending on the transformer at the LAN interface, voltages of up to 500 V can be induced. Such peak voltages usually lead to destruction of the physical LAN controller's logic.
Power FRUs

This section describes the power field replaceable units (FRUs) for Summit WM series switch WM200/2000. It also provides procedures for removing, replacing, and verifying each FRU.

Summit WM series switch WM200/2000, AC-powered, redundant system

The power FRUs on an AC-powered redundant Summit WM series switch WM200/2000 system are two AC-to-DC shelf power supply units (ACPCI) on the Summit WM series switch WM200/2000 shelf.
Figure 10 indicates the position of fan trays in the CSPCI shelf, as well as the numbering of the fans. Figure 11 shows a side view of the fans.

Figure 10: Fan tray position and numbering of fans

Figure 11: Side view of fans

MF1000

The MF1000 card (Figure 12) consists of a 1GB Flash Disk Drive. This card provides the persistent storage for the system. This card should not be unplugged during the live operation of the system.
Figure 12: MF1000 card

The MF1000 card includes:
● Hardware Part Number – MF1000 (including Flashdrive) S30810-K2319-X100
● WM200/2000 Media Services Engine (MSE 2011)
● LEDs – The front side of the card features two green LEDs (IDE1 = HD/IDE2 = MO) that indicate the status of the individual drives.
● Compact Flash – A compact flash interface is also available on the card. Usage of this interface is not supported in release V4.x.
NP 4000 card

The SC 1100 card has the following main components:
● Pentium M processor
● Micron North Bridge with dual PCI bus
● 1GB DDR memory
● Dual stage Watchdog timer
● Two signal interfaces from redundant PSU that provide the following information to CPU (registered and memory mapped):
    ● Provide alarm from PSU to s/w if redundant power module failed
● 2 MB of onboard Flash (used for system Bootrom, diagnostic, system serial number, Extreme-specific MAC address for Eth ports, etc…; accessib
The NP 4000 card has the following main components:
● Network processor unit
● 256MB of RDRAM
● 32MB of QDR SSRAM
● Non-transparent PCI bridge (Intel 21555) to provide 33/66MHz 32/64-bit PCI bus connectivity between NPU PCI interface and cPCI backplane
● 12-port SPI4.2 Gigabit Mac
● 4 x front-accessible Gigabit (data) ports

NOTE
Replacing the NP 4000 alters the MAC addresses of the system data ports.
Power and maintenance procedures

4 Check the resistance reading on the meter. The meter reading must be between 0.80 and 1.20 mega ohms.
5 Replace the wrist strap and cord assembly if the reading is not within the allowable range.

Figure 15: ESD Wrist Strap and Cord Assembly

Using electrostatic discharge prevention procedures

Always follow the electrostatic discharge (ESD) prevention procedure when you remove and replace cards.
5 Observe the following ESD prevention guidelines during the performance of system maintenance procedures:
● Handle cards by their edges only

WARNING!
Avoid contact between the card and your clothing. Electrostatic charges on clothing can damage the card. The wrist strap protects the card from electrostatic charges on your body only.

● Immediately place any card you remove from the system into a static-shielding package.
7 MAC Based Authentication

The MAC-based authentication is a new feature, designed to further control access to the network resources for the wireless clients over the Summit WM series switch, access points, and WLAN switch software system. It is based on the authentication of the client’s MAC address using the same process as for the user’s RADIUS authentication.
Roaming

When a client roams from one Altitude AP to another, the MAC authentication is not required by default. The MAC authentication can be forced in the roaming case. It could happen that the user re-authentication is not required, but that the MAC re-authentication is.

Radius redundancy

If the primary server for the MAC authentication is not accessible, the RADIUS redundancy will be triggered and the request will be sent to the next server.
Assumptions/recommendations

1 The MU session timeout is a very important factor in RADIUS profile definitions – timeouts. In order to avoid an infinite loop, the RADIUS redundancy should happen within 30 sec, otherwise the authentication requests will be sent to the non-responsive server.
8 FreeRADIUS and Security

Overview

A good way to get up and running with an inexpensive RADIUS server is to use freeRADIUS. This program is available from www.freeradius.org and provides good options for RADIUS authentication and accounting. While it is possible to configure freeRADIUS to interoperate with a Microsoft infrastructure such as Active Directory using LDAP, it is recommended that IAS (Internet Authentication Service) be used for better integration with a Microsoft environment.
The simplest format to use is:

client 10.0.0.10 {
    secret = testing123
    shortname = Summit WM001
}

In this case the RADIUS client is a Summit WM at 10.0.0.10. Since the Summit WM has many IP addresses, some physical and some virtual, there is confusion over which IP address to use as the RADIUS client address. The answer is whichever interface the Summit WM will use to send the packet to the RADIUS server.
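An added example, not part of the original guide or of FreeRADIUS: a small audit of client entries written in the format shown above. The sample file, the finding names and the 16-character minimum (following the RFC 2865 preference for secrets of at least 16 octets) are assumptions of this example; testing123 is flagged because it is the value printed in this guide's example entry.

```python
import re
from collections import defaultdict

# Assumptions of this example (not FreeRADIUS behaviour): the finding names
# and the minimum length, which follows the RFC 2865 preference for shared
# secrets of at least 16 octets.
SAMPLE_SECRETS = {"testing123"}   # the value printed in the guide's example
MIN_SECRET_LEN = 16

CLIENT_BLOCK = re.compile(r"\bclient\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
KEY_VALUE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")

# Constructed sample file; addresses, names and secrets are made up.
SAMPLE_CLIENTS_CONF = '''
# RADIUS client list (constructed sample)
client 10.0.0.10 {
    secret = testing123
    shortname = wm-a        # entry copied from documentation
}
client 10.0.0.11 {
    secret = "Zr4#constructed-example-only-9f2c"
    shortname = wm-b
}
client 10.0.0.12 {
    secret = short1
    shortname = wm-c
}
client 10.0.0.13 {
    secret = "Zr4#constructed-example-only-9f2c"
    shortname = wm-d
}
client 10.0.0.14 {
    shortname = wm-e
}
'''


def strip_comment(line):
    """Remove a trailing # comment, leaving # inside double quotes alone."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes:
            return line[:i]
    return line


def parse_clients(text):
    """Return {client address: {setting: value}} for every client block."""
    cleaned = "\n".join(strip_comment(line) for line in text.splitlines())
    clients = {}
    for name, body in CLIENT_BLOCK.findall(cleaned):
        cfg = {}
        for line in body.splitlines():
            match = KEY_VALUE.match(line)
            if match:
                cfg[match.group(1)] = match.group(2).strip('"')
        clients[name] = cfg
    return clients


def audit(clients):
    """Return sorted (client, finding) pairs for weak shared-secret hygiene."""
    findings = []
    users_of = defaultdict(list)
    for name, cfg in clients.items():
        secret = cfg.get("secret")
        if not secret:
            findings.append((name, "missing-secret"))
            continue
        users_of[secret].append(name)
        if secret in SAMPLE_SECRETS:
            findings.append((name, "sample-secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "short-secret"))
    # One secret shared by several controllers means one leak exposes them all.
    for names in users_of.values():
        if len(names) > 1:
            findings.extend((name, "reused-secret") for name in names)
    return sorted(findings)


if __name__ == "__main__":
    for client, finding in audit(parse_clients(SAMPLE_CLIENTS_CONF)):
        print(f"{client}: {finding}")
```
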
Configuration

To use the Challenge Handshake Authentication Protocol (CHAP), which prevents the password from ever being transmitted between the Summit WM and the RADIUS server, switch the Auth-Type setting to CHAP and change the Auth. Type in the WM-AD settings under the Auth & Acct tab to use CHAP.
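An added example (not from the guide or from any RADIUS product) of what each Auth. Type places in the Access-Request, following RFC 2865 sections 5.2 and 5.3: PAP sends the password masked with an MD5 keystream derived from the shared secret, which the server reverses, while CHAP sends only an MD5 digest over the identifier, password and challenge. The function names and sample values are constructed for illustration.

```python
import hashlib
import hmac


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 5.2): XOR each 16-octet block with
    MD5(shared secret + previous ciphertext block or Request Authenticator)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def pap_reveal(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of PAP: the same keystream recovers the clear password,
    so the password is only as private as the shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a multiple of 16 octets")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return clear.rstrip(b"\x00")


def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value (RFC 2865 5.3): CHAP identifier octet followed by
    MD5(identifier + password + challenge). The password itself is not sent."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def chap_verify(chap_value: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server side of CHAP: recompute the digest from the stored password.
    This requires the server to hold the password in recoverable form."""
    if len(chap_value) != 17:
        return False
    expected = chap_password(chap_value[0], stored_password, challenge)
    return hmac.compare_digest(expected, chap_value)


if __name__ == "__main__":
    # Constructed sample values, not taken from any deployment.
    secret = b"constructed-shared-secret"
    password = b"constructed-passphrase"
    request_auth = bytes(range(16))
    challenge = bytes(range(16, 32))

    hidden = pap_hide(password, secret, request_auth)
    print("PAP  User-Password :", hidden.hex())
    print("PAP  recovered     :", pap_reveal(hidden, secret, request_auth))

    chap = chap_password(7, password, challenge)
    print("CHAP CHAP-Password :", chap.hex())
    print("CHAP verifies      :", chap_verify(chap, password, challenge))
```
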
Configure eap.conf file

The eap.conf file contains general information on the handling of EAP packets that are forwarded to the RADIUS server. We will cover the configuration of the file for TLS and for PEAP. For TLS or PEAP the TLS section needs to be completed. This is because even with PEAP authentication types a secure tunnel is needed from client to server and the TLS section contains the information required to set this tunnel up.
9 RADIUS Attributes

Remote Authentication Dial-In User Service (RADIUS) is an industry standard for providing identification, authentication, authorization, and accounting services for distributed dial-up/remote access networking.

RADIUS Vendor-Specific Attributes (VSAs)

RADIUS Vendor-Specific Attributes (VSAs) are RADIUS Authentication and Accounting attributes defined by vendors to customize information exchanges between clients and servers.
RADIUS Accounting

Account-Start Packet

Table 10 lists the information elements (including VSAs) supported in a RADIUS Start message, issued by Summit WM series switch, access points, and WLAN switch software, with RADIUS Accounting enabled:

Table 10: Information elements supported in RADIUS Start messages
Attribute NO. RAD.
Table 11: Information elements supported in RADIUS Stop or Interim messages (Continued)
Attribute NO. RAD.
When a user session is terminated, the RADIUS client sends a RADIUS accounting stop request that will include one of the following termination codes:

Table 12: Termination codes
Radius Value Radius Definition Controller Value 1 User Request 4 Controller/SMT Definition Controller Name 9 RF notification that MU has disconnected from Altitude AP. This would be the case if there is a Logoff button for Captive Portal. Normally this would not apply to 802.1x connections.
Table 13: Supported attributes in RADIUS authentication and RADIUS response messages (Continued)
MBA on SSID WM-AD MBA on AAA WM-AD AAA WMAD SSID WM-AD CP Auth (MSCHAP) SSID WM-AD CP Auth (CHAP) SSID WM-AD CP Auth (PAP) Login-Lat-Port (auth_state) Y X NA NA Acct-Interim-Interval X Y Y Y Tunnel-Private-Group_ID X X Y X MS-MPPE-Recv-Key NA NA Y NA MS-MPPE-Send-Key NA NA Y NA Y X NA Y Y Y User name
10 SNMP MIBs

Summit WM series switch is the main repository of all configuration and statistical data for itself and all Altitude APs, WM-ADs and attached Mobile Units. SNMP is one of the user interfaces to retrieve such information. For retrieval of such information, Summit WM series switch supports a subset of MIB-II, as well as proprietary MIBs.
Interfaces are numbered starting from Summit WM series switch's physical ports, with the exception of eth1 interface that is indexed at 99, then WM-AD interfaces and finally Altitude AP interfaces. Summit WM series switch physical interfaces are numbered from one (for example esa0, esa1, esa2), with indices 1, 2, 3 respectively. The exception is the management port eth0 which is numbered 99. WM-AD indices begin following the esaXX ports.
Proprietary MIBs

● accessPoints – This group provides information about all Altitude APs and their attributes.
● mobileUnits – This group provides information about mobile units associated with the Summit WM series switch.
● association – Provides statistics about mobile units attached to the Summit WM series switch.

EXTREME-SUMMIT-WM-DOT11-EXTS-MIB

This MIB complements the IEEE802dot11-MIB in retrieving configuration or statistical information proprietary to Summit WM series switch.
11 DRM - Dynamic Radio Management

Introduction

WLANs are becoming more common. Usage has grown to require higher user capacities and higher radio frequency (RF) density. As 802.11 becomes standard for larger networks, network performance becomes a critical factor in managing the network. A Site Survey is necessary for installing and configuring large WLAN networks. However, Site Surveys are not sufficient in addressing how the WLAN network will perform over time. The performance of an 802.
Other sources of RF Interference

RF quality can also be affected by interference caused by other RF technologies and propagation characteristics of the RF signal through and around objects. Other devices operating in either the 2.4 GHz band or the 5 GHz band can interfere with 802.11 data transmission. These types of devices include equipment such as fluorescent lights, and other wireless technologies such as Bluetooth or cordless phones.
DRM Details

● Operational savings. With RF management, network administrators do not need to plan out the channel assignment and the signal strength for every Altitude AP. Also, with a dense deployment, site surveys are no longer obligatory.
● Dynamic client load balancing across Altitude APs for Dynamic Radio Management (DRM) client software.
Maximizing RF Footprint

DRM Standard Power Control transmits 802.11 management frames at full power, creating a maximum sized RF cell. Management frames include Beacons, Association and Disassociation frames, and Probe requests and responses. Clients use these messages to evaluate the RF environment, establish connections to APs, and determine when to roam to a new AP. All of these operations are critical to the operation of a wireless client.
Minimizing interference

If the furthest client moves closer to the AP or roams to another AP, DRM will automatically adjust the power to provide the best results for the changing environment. Clients that are continuously moving (WiFi phones for example) require an RF environment that will adapt quickly to their needs. DRM monitors every client for movement and accurately adjusts power to support them. This process is done continuously to support all clients whether stationary or moving.
Figure 20: Reduction of co-channel interference using DRM-enabled APs

Now consider the case for DRM’s standard RF mode. The data Tx range from each AP is kept as low as possible given the active clients. The area of co-channel interference in the middle of the APs is now reduced to just co-channel interference for beacons. Beacons are regular traffic but are only sent on a typical interval of every 0.1 seconds.
a text string that is transmitted with each 802.11 Summit. Clients can’t use this information to associate or compromise security. Its purpose is to create a set of APs that DRM will include in its power control adjustments.

DRM Shaped Power Control

DRM provides a second enterprise class power control mode called Shaped Power Control. In this mode, DRM APs will reduce power to minimize interference between other APs operating on the same channel.
● When clients associate, DRM Standard Power raises the transmit power of data frames to the maximum, monitors the position of the client, and then adjusts the transmit power to provide the best possible service.
● When client movement is detected, DRM Standard Power Control will increase data frames to full power, reevaluate the position of the client, and adjust power again to best service the client.
Scanning Phase

● Compliant with all 802.11 standards
● Requires no connections between APs (i.e.
● Other transmitting devices on the channel
● Transmitting devices on neighboring channels
● Transmitting devices on overlapping channels (Turbo-channels)

The CQI value is designed to take into account all forms of possible interference on a particular channel. If the noise floor is high on a channel, that channel’s CQI is adjusted to look proportionally worse than a channel with no noise.
APs that lose the negotiation phase return to the scanning phase. A new scan takes approximately 15 seconds, after which a new round of negotiating takes place. The distributed nature of this algorithm results in an optimum distribution of channels over a large number of APs. The maximum amount of time required to select channels is approximately 3 minutes. In a large and dense deployment of APs, many groups of APs pick channels simultaneously.
Figure 21: DRM global settings

This page allows the parameters of DRM to be configured for the entire system. The following settings are available:

● Enable DRM – controls whether DRM is enabled or disabled for the entire system. This setting overrides the setting on each individual AP.
● DRM on/off – controls whether DRM is enabled or disabled for a specific AP.
● Coverage – controls the selection of Standard or Shaped coverage mode for each AP.
Reporting

The Summit WM provides dynamic display of channel and transmit power setting for each radio on the AP. Refer to Figure 22.

Figure 22: Altitude AP statistics GUI
12 Logs and Events

The Summit WM series switch is designed to behave like an appliance. It is either in an operational state, or it has failed due to a hardware problem or low level packet processing issue. In general, the system will self recover by rebooting if the system fault is recoverable.
Table 14: STARTUP_MANAGER (0) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 9 | Unable to start component [%d]. Services provided by the component will be unavailable. | Internal component problem. | If problem persists, contact Technical Support to investigate. |
| 20 | Component [%d] is down. Component will be restarted. | Internal component became inactive. Component will restart. | If problem persists, contact Technical Support to investigate. |
| 21 | Component [%s] is down. |
Table 15: EVENT_SERVER (1) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 5 | Memory allocation failure. Unable to log last event. | Internal Component Failure. Log system may not be working properly. | If problem persists, contact Technical Support to investigate. |
| 6 | Socket call failed. Will not be able to communicate with specific component. Error no:%d. | Internal Component Failure. Log system may not be working properly. |
Table 15: EVENT_SERVER (1) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 17 | Unable to determine audit file size - Error no:%d. Message will be dropped. | Internal Component Failure. Log system may not be working properly. Failed to log configuration change. | If problem persists, contact Technical Support to investigate. |
| 18 | Cannot write to file - Error no:%d. Message will be dropped. | Internal Component Failure. Log system may not be working properly. |
Table 15: EVENT_SERVER (1) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 28 | Message has been written to the log but an error was encountered when closing the file - Error no:%d. | Internal Component Failure. Log system may not be working properly. Failed to log configuration change. | If problem persists, contact Technical Support to investigate. |
| 29 | Unable to open AP detection log file - Error no:%d. Message will be dropped. | Failure in Rogue AP Detection Logging. |
Table 15: EVENT_SERVER (1) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 47 | Payload initialization failed for message type [%d]. | Problem interpreting log message. Log entry may not be performed. Low impact to the system. | If problem persists, contact Technical Support to investigate. |
| 48 | Invalid information [%d]. Dropping the message. | Problem interpreting log message. Log entry may not be performed. Low impact to the system. |
Table 15: EVENT_SERVER (1) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 60 | SNMP encode failed. | Problem interpreting log message. Log entry may not be performed. Low impact to the system. | If problem persists, contact Technical Support to investigate. |
| 61 | Message [%d] processing failed. | Problem interpreting log message. Log entry may not be performed. Low impact to the system. |
Table 15: EVENT_SERVER (1) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 79 | Invalid AP SN [%s]. | Possible problem with logging system. | If problem persists, contact Technical Support to investigate. |
| 80 | Invalid sort criteria [%s]. | Possible problem with logging system. | If problem persists, contact Technical Support to investigate. |
| 81 | Unable to clear AP critical alarm. Alarm ID [%d]. | Possible problem with logging system. |
Table 16: CONFIG_MANAGER (2) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 9 | Config Manager has experienced an error which has prevented it from properly processing a request. CM will continue running, however this error may be an indicator of a larger system problem. Error Details:%s | Configuration/Administration request may not have been properly processed. | If problem persists, contact Technical Support to investigate. |
Table 16: CONFIG_MANAGER (2) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
|  | Unable to retrieve MAC address from AP | AP reports may be affected. Will not be able to determine BSSID for WM-AD assignment reports. Other feature impact such as RogueAP | If problem persists, contact Technical Support to investigate. |
|  | Upgrading AP%s image from%s to%s | AP Image upgrade. | None |
|  | Software version matches. Serial number:%s | AP is running adequate firmware version. |
Table 17: STATS_SERVER (3) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 35 | Unable to start timer thread necessary to collect router port SNMP statistics | Affects ability to report statistic utilization of system interfaces. No deterrent effect to system operation other than to interface reports. | If problem persists, contact Technical Support to investigate. |
| 36 | Received empty AP bundle statistics record: There may be no active APs connected to the system. |
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 2 | Failed to initialize list of session tracking tags (token). Will not be able to process Captive portal authentication requests. | Internal operation failure. Affects ability to provide authentication Token for Captive Portal session. User may retry again to succeed. | If problem persists, contact Technical Support to investigate. |
| 3 | Unable to open listening socket. |
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 18 | Error on deleting session tracking tag (token)%d. | This will not impact success/failure of authentication request - it may create a memory leak if multiple tokens cannot be deleted. | If problem persists, contact Technical Support to investigate. |
| 21 | Client with MAC%s cannot be authorized on%s with filterName%s. The filterName is invalid on this%s | Validate Configuration of RadiusServer. |
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 67 | Error trying to close all sockets. However, they will time out on their own. | No negative impact to system. However indicates possible issue with resource de-allocation. | If problem persists, contact Technical Support to investigate. |
| 68 | Cannot connect to Radius Client. Will keep trying until connection is successful. | Inter-communications issue. |
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 75 | Received failure from Config Manager for default filter configuration is incorrect or incomplete! | Internal configuration issue encountered. User filter policy will be applied as "Default" rather than more specific filterID indicated through radius authentication. User network access to network may be different than administration intended. |
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 85 | The user with session tracking tag%d cannot authenticate due to an internal error in the component (Radius Client) which communicates with the Radius Server. | Possible problem with configuration or availability of Radius Server. | Validate Configuration of RadiusServer. Verify Reachability of RadiusServer utilizing the RadiusTest feature in GlobalSettings. |
Table 19: RU_MANAGER (6) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 9 | An AP has attempted to connect that is unknown to the system. AP authentication failure.%s. | AP with incorrect credentials attempted to register. AP shall engage in re-discovery and reestablish proper credentials. | If problem persists contact Technical Support to investigate. |
| 10 | AP fails discovery.%s | AP has failed the discovery registration process. |
Table 19: RU_MANAGER (6) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 39 | AC manager: Unable to set foreign ports in database. | Possible failure to update availability pair configuration. May affect APs' ability to fail over properly and expediently. | If problem persists contact Technical Support to investigate. |
| 40 | AC manager: Unable to set foreign APs in database. | Possible failure to register failed-over APs. May affect MDL licensing and AP registration. |
RADIUS_CLIENT (7)

Table 20: RADIUS_CLIENT (7) logs and events
| Log ID | Log Message | Comment | Action |
| 1 | A file system error occurred. Unable to open RADIUS dictionary file. RADIUS client exiting. | Possible initialization problem for RadiusClient component. May affect ability of users to authenticate with system and therefore affect their ability to gain network access. | If problem persists contact Technical Support to investigate. |
Table 20: RADIUS_CLIENT (7) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 33 | Config Manager returned wrong flag. Will retry retrieving configuration. | Possible problem with configuration of authentication sub-system, in particular may become unable to determine correct Radius Configuration. Connection retry should resolve condition. | If problem persists contact Technical Support to investigate. |
| 34 | Internal error occurred for a single request. |
Table 20: RADIUS_CLIENT (7) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 40 | Invalid NAS port number for subnet%d. Default value will be used. | Possible problem with configuration or availability of Radius Server or WM-AD configuration of radius parameters. Default parameters will be used. No expected impact to user authentication. | Validate Configuration of RadiusServer in GlobalSettings and in WM-AD definition. |
WADMGR (9)

Table 22: WADMGR (9) logs and events
| Log ID | Log Message | Comment | Action |
| 1 | Critical internal error - memory protection flags have been corrupted. Mobility Manager will halt. | Internal operation problem. May affect Mobility Domain state. Component will be restarted automatically. | If problem persists contact Technical Support to investigate. |
| 2 | Internal system interrupt handlers failed to initialize. Mobility Manager will halt. | Internal operation problem. |
Table 22: WADMGR (9) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
|  | Unable to determine configuration: exiting serverthread. | Possible problem with configuration of Mobility feature component subset. InterController Mobility functionality may not be functional | If problem persists contact Technical Support to investigate. |
|  | Unable to update configuration: exiting serverthread | Possible problem with configuration of Mobility feature component subset. |
Table 22: WADMGR (9) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
|  | Mobility Manager has received incomplete filterId information for the client with MAC%s. This client will be treated as experiencing an authorization error. | MAC based authentication. User will be disconnected and forced to re-authenticate with system | If problem persists contact Technical Support to investigate. |
|  | Mobility Manager has received invalid authentication information for the client with MAC%s. |
Table 22: WADMGR (9) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 35 | Mobility Manager failed to received response for MAC-based authorization for client with MAC%s. | MAC based authentication. User will be disconnected and forced to re-authenticate with system. | If problem persists Contact Technical Support for investigation. |
| 36 | Connection established with:%s | Mobility Peer Identification | None |
| 65 | Mobility Manager shutting down normally. |
Table 22: WADMGR (9) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 79 | Slpd service or attribute change successful. | Mobility Configuration management. Administrator change. | None |
| 80 | Configuration change successful. | Mobility Configuration management. Administrator change. | None |
| 81 | Two or more ACs are proclaiming that they are the home for an MU with the MAC address%s. The Mobility Manager will be informed and will resolve this conflict. | Conflict Resolution. |
CLI (11)

Table 24: CLI (11) logs and events
| Log ID | Log Message | Comment | Action |
| 9 | Upgrade process failed - failure reason:%s. | System application/firmware upgrade process failed. System operating components and personality may be lost as a result. | If problem persists Contact Technical Support for investigation. |
| 10 | System restore process failed failure reason:%s. | Database restore procedure failed. System configuration may not be up to level customer intends. |
Table 24: CLI (11) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 77 | Patch installation successful. | System Software Maintenance State | None |

| Log Message | Comment | Action |
| Langley has suffered a critical error, and has halted. Error Details:%s | Internal communications issue. Possible interruption in interprocess communication. | If problem persists Contact Technical Support for investigation. |
NSM_SERVER (15)

Table 26: NSM_SERVER (15) logs and events
| Log ID | Log Message | Comment | Action |
| 9 | NSM suffered an internal connection failure. Re-trying connection. | Internal operation issue. Retrial should resolve issue. | If problem persists Contact Technical Support for investigation. |
| 10 | NSM suffered an internal messaging failure. Re-trying connection. | Internal operation issue: Retrial should resolve issue. | If problem persists Contact Technical Support for investigation. |
Table 27: OSPF_SERVER (17) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 65 | NSM started normally. | Component state | None |
| 66 | Static route deleted successfully. | Component state | None |
| 67 | Get static routes successful. | Component state | None |
| 68 | Delete OSPF interface successful. | Component state | None |
| 69 | Retrieving OSPF configuration successful. | Component state | None |
| 70 | Retrieving OSPF interface information successful. |
Table 28: CDR_COLLECTOR (23) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 12 | Internal messaging error:%d. Error will be ignored and message re-tried. | Internal operation error. Specific CDR record may not be consistent. | If problem persists Contact Technical Support for investigation. |
| 13 | Internal messaging error:%d. Error will be ignored and message re-tried. | Internal operation error. Specific CDR record may not be consistent. |
Table 28: CDR_COLLECTOR (23) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 41 | Client statistics message failed to be logged to accounting record. Record may be incomplete for client session. | Internal operation error. Specific CDR record may not be consistent. | If problem persists Contact Technical Support for investigation. |
| 42 | Client authentication message failed to be logged to accounting record. Record will be incomplete for client session. |
Table 28: CDR_COLLECTOR (23) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
|  | Client MAC:%s User-ID:%s: has invalid IP address [0.0.0.0]. Failed to create CDR. | User records are not tracked until user obtains proper IP address. | Verify that users are able to obtain proper addresses from WM-AD. If problem persists Contact Technical Support for investigation. |
|  | Fail to receive message get_params_resp:%d | Internal operation error. Specific CDR record may not be consistent. |
RF_DATA_COLLECTOR (36)

Table 29: RF_DATA_COLLECTOR (36) logs and events
| Log ID | Log Message | Comment | Action |
|  | An error has occurred in the RF Data Collector which will cause this component to shutdown (and be restarted by the system). Details:%s. | Internal operation error. Rogue AP scan updates may be temporarily suspended. Should resume once component is automatically restarted by the system's health monitor. | If problem persists Contact Technical Support for investigation. |
REMOTE_INS (58)

Table 30: REMOTE_INS (58) logs and events
| Log ID | Log Message | Comment | Action |
|  | Rogue AP found by AP%s (SN%s) for scan%s (ID%d) on%s with unknown bssType%u | Scan Result indication | Take appropriate remedial action to identify and neutralize threat. |
|  | Threat [Inactive AP with valid SSID] detected by AP%s, SN%s (%s). |
Table 30: REMOTE_INS (58) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
|  | Unable to initialize global log bitmask | Internal operation error. May indicate a larger problem with system's memory resource management. | If problem persists Contact Technical Support for investigation. |
|  | Threat [Known AP with invalid SSID] detected by AP%s, SN%s (%s). |
Table 30: REMOTE_INS (58) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
|  | Error in setting up RFDC connection: Cannot save client session information into memory. Connection cannot be setup. | Internal operation error. Problem may prevent Rogue AP (Summit spy) detection from taking place. Component may need to be restarted. | If problem persists Contact Technical Support for investigation. |
|  | Unable to setup RFDC connection | Internal operation error. |
Table 30: REMOTE_INS (58) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
|  | In run_analysis_against_specific_list: cleanup_memory_for_data for FRIENDLY_AP failed. | Internal operation issue. May result in problems with memory management for the system. | If problem persists Contact Technical Support for investigation. |
|  | Unable to cleanup memory for AP information. Memory leak may occur | Internal operation issue. May result in problems with memory management for the system. |
Table 30: REMOTE_INS (58) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
|  | Connection with AC for RFDC session with ip addr%s is down | Possible Feature Impact. Scanning peer may not be available to report information. | Determine if outage was caused by configuration change to Summit spy feature (add/Remove of controllers from Scan Domain). Determine if outage was caused by network path interruption. If interruption was caused by failure of INS controller, please review. |
LLC_HANDLER (62)

Table 31: LLC_HANDLER (62) logs and events
| Log ID | Log Message | Comment | Action |
|  | Malloc failed | Internal operation error. May indicate a larger problem with system's memory resource management. | If problem persists Contact Technical Support for investigation. |
|  | Unable to initialize semaphores | Internal operation error. May indicate a larger problem with system's memory resource management. | If problem persists Contact Technical Support for investigation. |
Table 31: LLC_HANDLER (62) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
|  | Error in llc_packet_thread: Cannot determine langley connection subscriptions. Thread will exit | Internal operation error. Thread exit shall cause component to terminate and be automatically started by system's health monitor facility. Situation should repair itself. | If problem persists Contact Technical Support for investigation. |
Table 32: RADIUS_ACCOUNTING (64) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
|  | No Response from one RADIUS accounting server:%s. | Possible issue with configuration of CDR/Accounting sub-system. Can result in lack of accounting reporting/CDR for system users. Doesn't affect users' state; however, it doesn't allow owner to provide proper billing for services rendered. | If backup/alternate servers were defined, system will attempt to connect to them. |
Table 33: RU_SESMGR_ID (65) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 37 | Mobility manager startup. | Component state | None |
| 38 | RU Session Manager startup. | Component state | None |
| 65 | Access point registration and authentication succeeded. (%S.) | Access Controller registration state | None |
| 66 | Access point registration and/or authentication failed. (%S.) | Access Controller registration failed. AP unsuccessful in establishing credential exchange with controller. |
Table 34: MU_SESMGR_ID (66) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
|  | Maximum number of visiting sessions has been reached. No more visiting users will be permitted. | Reached maximum user capacity for system. Need to deploy additional controllers to take on excessive capacity. | Contact Sales support to discuss expanding deployment. |
| 65 | Client session registration succeeded (%s) | New user joined coverage domain. |
Table 34: MU_SESMGR_ID (66) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 83 | Client session de-registration succeeded (%s) Reason is: User changing subnet. | Policy request to user deregistration. | None |

FILTER_MGR_ID (67)

Table 35: FILTER_MGR_ID (67) logs and events
| Log ID | Log Message | Comment | Action |
|  | Connection to messaging bus failed - reason [%d]. Filter Manager shutdown!!! | Internal operation error. Connection will be re-attempted. |
Table 35: FILTER_MGR_ID (67) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 17 | Failed to send message [%d]. | Internal operation failure. Filter sub-system will retry | If problem persists Contact Technical Support for investigation. |
| 18 | Filter params is NULL for message [%d]. | Internal operation failure. Filter sub-system will retry | If problem persists Contact Technical Support for investigation. |
| 19 | Failed to initialize list for message [%d]. |
Table 35: FILTER_MGR_ID (67) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 34 | Failed to process message [%d]. | Internal operation failure. Filter sub-system will retry | If problem persists Contact Technical Support for investigation. |
| 35 | Unknown message type [%d]. | Internal operation failure. Filter sub-system will retry | If problem persists Contact Technical Support for investigation. |
| 36 | Rules request timer has expired. |
Table 36: REDIRECTOR4 (68) logs and events (Continued)
| Log ID | Log Message | Comment | Action |
| 3 | Cannot grok the MAC address for%s, ignoring request | Failed to identify session being redirected. Typically client will be retried. | If problem persists Contact Technical Support for investigation. |
| 4 | Cannot get a token from secMgr for%s (Langley communication timeout?) | Failed to obtain credential abstraction for captive portal redirection. Redirection operation will fail for that operation. |
Table 37: BEAST (75) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 10 | Unable to create thread for polling RU Session Manager. | Internal operational issue. May result in failure to generate proper reports. | Component may need to be reset. If problem persists, contact Technical Support for investigation. |
| 11 | Unable to create thread for polling WADMGR. | Internal operational issue. May result in failure to generate proper reports. | Component may need to be reset. |
ALTITUDE 350-2 (99)

Table 38: ALTITUDE 350-2 (99) logs and events

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| | %s | ALTITUDE 350-2 Log Ids come from its own log dictionary. | n/a |

Critical 1

FILTER_MANAGER_ID (103)

Table 39: FILTER_MANAGER_ID (103) logs and events

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| | Filter Manager configuration complete - all filter parameters have been resolved. | Notification of completion of pushing filtering policy to FE. | |
Table 41: CPDP_AGENT_ID (110) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 10 | Possible PING-OF-DEATH DoS attack (%s). | Possible Denial of Service attack. | Investigate attack characteristics. Identify source and determine best course of action to remedy problem. |
| | CPDP thread connection reset. | Connection between FE and Management plane lost. Connection will be re-attempted and communication restored. | |
13 Reference lists of standards

RFC list

This section provides the Internet Engineering Task Force (IETF) Request for Comments (RFCs) standards supported by Summit WM series switch, access points, and WLAN switch software. The Request for Comments is a series of notes about the Internet, submitted to the Internet Engineering Task Force (IETF) and designated by an RFC number, that may evolve into an Internet standard. The RFCs are catalogued and maintained on the IETF RFC website: www.ietf.org/rfc.html.
Table 44: List of RFCs (Continued)

| RFC Number | Title |
|---|---|
| RFC 3416 | Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP) |
| RFC 3417 | Transport Mappings for the Simple Network Management Protocol (SNMP). |
| RFC 3418 | Management Information Base (MIB) for the Simple Network Management Protocol (SNMP). |
| RFC 3576 | Dynamic Authentication Extensions to RADIUS |
| RFC 959 | File Transfer Protocol. |
Table 45: List of 802.11 standards supported (Continued)

| Standard | Name |
|---|---|
| 802.3u | 100Base-T |
| 802.3x | Full Duplex |
| 802.3z | 1000Base-X (Gigabit Ethernet) |
| 802.1d | MAC bridges |
| 802.1p | |
| 802.1q | VLANs |
| 802.11 MIB | management information base for 802.11 |

Supported Wi-Fi Alliance standards

The following WiFi Alliance standards are supported:

● Standard IEEE
● IEEE 802.11a
● IEEE 802.11b
● IEEE 802.
Glossary

Definitions and Resources

AAA: Authentication, Authorization, Accounting
CDR: Call Detail Record
CLI: Command Line Interface
Cell: RF coverage area provided by Summit WM Access Point or an Access Point
CTP: CAPWAP Tunneling Protocol
DRM: Dynamic Radio Management
EAP: Extensible Authentication Protocol
ESS: Extended Service Set
ESSID: Extended Service Set Identification
EU: European Union
GUI: Graphical User Interface
ICMP: Internet Control Message Protocol
IEEE: Institute of Electrical
Definitions and Resources (Continued)

ROW: Rest of World
RS: Radio Signal
SLP: Service Location Protocol
SNMP: Simple Network Management Protocol
SNR: Signal-to-Noise Ratio
SSID: Service Set Identifier
WISP: Wireless ISP
WLAN: Wireless Local Area Network
WM-AD: WM Access Domain Services