Summit WM20 Technical Reference Guide
Software Version 4.2
Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.
AccessAdapt, Alpine, BlackDiamond, EPICenter, ESRP, Ethernet Everywhere, Extreme Enabled, Extreme Ethernet Everywhere, Extreme Networks, Extreme Standby Router Protocol, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, ExtremeXOS, the Go Purple Extreme Solution, ScreenPlay, Sentriant, ServiceWatch, Summit, SummitStack, Unified Access Architecture, Unified Access RF Manager, UniStack, UniStack Stacking, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive
Table of Contents
About this Guide ... 7
Who should use this guide ... 7
What is in this guide ... 7
Formatting conventions
Floppy Disk-Based Installation ... 42
Export a certificate ... 42
Import a certificate ... 42
Step 9: Configuring Wireless Clients for EAP-TLS
Chapter 8: FreeRADIUS and Security ... 73
Configuration ... 73
radiusd.conf file ... 73
users file
Glossary ... 99
Appendix A: Logs and Events ... 101
STARTUP_MANAGER (0) ... 101
EVENT_SERVER (1)
About this Guide
This guide describes how to install, configure, and manage the Summit® WM20 Controller, Access Points and Software system.
Who should use this guide
This guide is a reference for system administrators who install and manage the Summit WM20 Controller, Access Points and Software system. Any administrator performing tasks described in this guide must have an account with full administrative privileges.
● Appendix A, “Logs and Events” provides a reference list of the log and event messages.
● Appendix B, “Reference lists of standards” provides a reference list of the RFCs supported.
1 Configuration of Dynamic Host Configuration Protocol (DHCP)
Wireless AP discovery supports the following methods:
● Service Location Protocol (SLP)
● Domain Name System (DNS) – resolution of the default host name controller
● Multicast – same-subnet multicast discovery
The listed discovery methods are tried in succession until one produces a successful registration with a controller. Static configuration can also be used for Wireless AP registration.
Service Location Protocol consists of three cooperating services:
● User Agent (UA) – A process working on the user's behalf to acquire service attributes and configuration. The User Agent retrieves service information from the Service Agents or Directory Agents.
● Service Agent (SA) – A process working on behalf of one or more services to advertise service attributes and configuration.
SLP Service Scope Option (Option 79)
Services are grouped together using scopes. Scopes are strings that identify a set of services that form an administrative grouping. Service Agents (SAs) and Directory Agents (DAs) are always assigned a scope string. A User Agent (UA) is normally assigned a scope string, in which case the User Agent can only discover that particular grouping of services. This allows a network administrator to provision services to users.
Dynamic Host Configuration Protocol – Summit WM Controller and AP Discovery and other Services
Dynamic Host Configuration Protocol (DHCP) can be used for several purposes in a network configuration of a Summit WM Controller setup. Consider the following diagram:
Figure 1: DHCP in a Summit WM Controller system
This simple setup has the following properties:
● A Summit WM Controller connected to a core network segment (a.b.c.
In this setup there are four different areas in which DHCP must be considered:
Figure 2: Areas needing consideration for DHCP
Table 1: Use of DHCP
Area | Description of use for DHCP
A | DHCP INFORM messages are periodically sent on all physical ports (esa0-1 on WM1000, esa0-3 on WM100). DHCP INFORM messages are NOT requests for addressing on that segment.
D | DHCP services in area D are for WLAN clients. A separate scope for each SSID is required. DHCP services for this area are provided by default by the Summit WM Controller. DHCP services can also be relayed to an external DHCP server.
DHCP setup using the internal DHCP server
For simple DHCP setups it is recommended to use the Summit WM Controller’s built-in DHCP server.
DHCP configuration example: ISC dhcpd on Linux
● To consolidate the DHCP requirements for wireless clients, APs, and the Summit WM Controller in one place.
The one downside of using DHCP relay is the logging of DHCP messages on the Summit WM Controller. When DHCP relay is used, the DHCP log under Logs & Traces > DHCP Messages is not populated with DHCP requests; with relay, the target DHCP server is assumed to have its own logging mechanism.
The following is the configuration file dhcpd.conf from the Linux server at 10.0.0.9:
Figure 4: dhcpd.conf example listing
This file can be divided into the following four areas:
● General options: lines 1-3
● Scope for the 10.0.0.0/24 subnet: lines 4-8
● Scope for the 172.16.1.0/24 subnet (voice subnet): lines 9-18
● Scope for the 172.16.2.0/24 subnet (laptop subnet): lines 19-27
General options
Line 1 designates this DHCP server as authoritative, in case another DHCP server answers requests. Line 2 sets the option for Dynamic DNS; the value used here turns off DNS updates based upon DHCP leases. Other values allow dhcpd to update a DNS server to reflect the addresses it hands out; see the dhcpd.conf man page for more information on this option. Line 3 defines the format of DHCP option 151 as we want to use it.
Wireless AP DHCP Registration Setup (Windows)
You can configure the DHCP service that is included with Windows 2000 and Windows 2003 to provide DHCP option 78. Summit WM Access Points (Wireless APs), as clients of the Summit WM Controller, may require DHCP option 78 to be configured for controller discovery. These options are sometimes referred to as the SLP options.
Summit Wireless Access Point Discovery mechanism
For example, for the controller ESA port IP address 10.53.0.1, the option value should be entered in hexadecimal format as 00 0A 35 00 01: the leading 00 is the option's Mandatory flag byte defined in RFC 2610, and the remaining four bytes are the octets of the address (10, 53, 0, 1). For convenience, a quick reference chart for decimal to hexadecimal conversion follows.
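The option 78 value above can be produced and checked mechanically rather than by hand conversion. The following Python script is an added example, not code from this guide or from Extreme Networks: it encodes and decodes DHCP options 78 (SLP Directory Agent) and 79 (SLP Service Scope) as laid out in RFC 2610, prints the value in the space-separated hex form the Windows DHCP console expects, and emits the equivalent ISC dhcpd declarations from dhcp-options(5). The controller address 10.53.0.1 is the guide's; the scope string example-scope is a placeholder assumption, not the scope the controller actually expects.

```python
"""Encode/decode DHCP options 78 and 79 (RFC 2610). Added example, not from the guide.

10.53.0.1 is the controller address used in the guide; "example-scope" is a
placeholder assumption for the SLP scope string.
"""
import ipaddress
import struct

OPTION_SLP_DA = 78      # SLP Directory Agent option
OPTION_SLP_SCOPE = 79   # SLP Service Scope option


def slp_da_value(addresses, mandatory=False):
    """Option 78 value: one Mandatory flag byte, then 4 bytes per DA address.
    The guide's example starts with 00, i.e. the flag is clear."""
    body = bytearray([1 if mandatory else 0])
    for addr in addresses:
        body += ipaddress.IPv4Address(addr).packed
    return bytes(body)


def slp_scope_value(scopes, mandatory=False):
    """Option 79 value: Mandatory flag byte, then a comma-separated UTF-8 scope list."""
    return bytes([1 if mandatory else 0]) + ",".join(scopes).encode("utf-8")


def dhcp_option(code, value):
    """Wrap a value in the DHCP option TLV: code, one-byte length, value."""
    if len(value) > 255:
        raise ValueError("DHCP option value too long")
    return struct.pack("BB", code, len(value)) + value


def windows_hex(value):
    """Space-separated upper-case hex, the form typed into the Windows DHCP console."""
    return " ".join(f"{b:02X}" for b in value)


def parse_slp_da(value):
    """Reverse of slp_da_value; returns (mandatory, [addresses]) or raises on bad length."""
    if len(value) < 1 or (len(value) - 1) % 4:
        raise ValueError("malformed option 78 value")
    mandatory = bool(value[0])
    addrs = [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(1, len(value), 4)]
    return mandatory, addrs


def parse_slp_scope(value):
    """Reverse of slp_scope_value; returns (mandatory, [scopes])."""
    if not value:
        raise ValueError("malformed option 79 value")
    return bool(value[0]), value[1:].decode("utf-8").split(",")


def isc_dhcpd_lines(addresses, scopes, mandatory=False):
    """Equivalent ISC dhcpd declarations (option names from dhcp-options(5))."""
    flag = "true" if mandatory else "false"
    scope_text = ",".join(scopes)
    return [
        f"option slp-directory-agent {flag} {', '.join(addresses)};",
        f'option slp-service-scope {flag} "{scope_text}";',
    ]


if __name__ == "__main__":
    da = slp_da_value(["10.53.0.1"])
    print("option 78 value (Windows hex):", windows_hex(da))
    print("option 78 on the wire        :", windows_hex(dhcp_option(OPTION_SLP_DA, da)))
    print("option 79 value (Windows hex):", windows_hex(slp_scope_value(["example-scope"])))
    for line in isc_dhcpd_lines(["10.53.0.1"], ["example-scope"]):
        print(line)
```

Run it and compare the first output line with the value the guide gives; a mismatch on a real deployment usually means the Mandatory byte was omitted or an octet was converted as decimal rather than hex.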
1 Click Start > Programs > Administrative Tools > DNS.
2 In the domain that will be used for discovery, select New Host (Windows 2000 Server) or New Host (A) (Windows Server 2003).
3 In the first field enter Controller, which is the default name for the Summit WM Controller, then enter the IP address of the controller ESA port that will host the Wireless AP connections.
4 Select Create Pointer.
2 Rogue Access Point Detection
The Rogue AP detection feature provides capabilities to Summit WM Controllers that allow Wireless APs to periodically scan the RF space and report suspect devices. With this capability, Wireless APs can multitask as scan devices as well as access points. This allows rogue detection to occur without installing expensive overlay sensor networks. The Summit WM Controller's rogue detection system comprises two major components: the Data Collector and the Analysis Engine.
a A “known” Wireless AP with an unknown SSID has been detected that the Summit WM Controller has identified as not in service (stolen?)
With each event, the following information is reported:
● Scanning Wireless AP Name & Scan Group
● Detection Date and Time
● Rogue SSID and Channel
● Signal Strength (RSSI)
● Security/Encoding type (for example WEP, 802.1x, none, and so on)
This information is available through SNMP, or by viewing a report screen.
3 Creating the Windows Security Infrastructure
NOTE
To ensure information and best practice configuration integrity, all information contained in this section was extracted from two sources:
• “Deploying Secure 802.11 Wireless Networks with Microsoft Windows”, by Joseph Davies
• http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
● Wireless client computers running Windows
● At least two Internet Authentication Service (IAS) servers.
Depending on the issuer of the IAS server computer certificates, you might also have to install root CA certificates on each wireless client.
● Wireless remote access policy. A remote access policy is configured for wireless connections so that employees can access the organization intranet.
● Multiple wireless APs. Multiple third-party wireless APs provide wireless access in different buildings of an enterprise. The wireless APs must support IEEE 802.
● Step 9: Configuring Wireless Clients for EAP-TLS
● Step 10: Configuring Wireless Client Computers for PEAP-MS-CHAP v2
Step 1: Configuring the Certificate Infrastructure
Table 4 summarizes the certificates needed for the different types of authentication.
you can view the intermediate CA certificates in the Intermediate Certification Authorities\Certificates folder.
● In a typical enterprise deployment, the certificate infrastructure is configured using a single root CA in a three-level hierarchy consisting of root CA/intermediate CAs/issuing CAs. Issuing CAs are configured to issue computer certificates or user certificates.
Server 2003 or Windows 2000 CAs. Issuing CAs can be subordinates of a third-party intermediate CA.
● Backing up the CA database, the CA certificate, and the CA keys is essential to protect against the loss of critical data. The CA should be backed up on a regular basis (daily, weekly, monthly) based on the number of certificates issued over the same interval. The more certificates issued, the more frequently you should back up the CA.
revocation checking. If a new CRL is manually published to Active Directory, the local CRL on the IAS server is not updated; it is refreshed only when the cached copy expires. This can create a situation in which a certificate is revoked and the CRL is manually published, but the IAS server still allows the connection because its local CRL has not yet been refreshed.
Configuring user certificate autoenrollment for wireless user certificates requires you to duplicate existing certificate templates, a feature that is only supported on Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, enterprise CAs. Only Windows XP and Windows Server 2003 wireless clients support user certificate autoenrollment.
autoenrollment of user certificates either through the inheriting of group policy settings of a parent system container or explicit configuration.
Step 2: Configuring Active Directory for Accounts and Groups
To configure Active Directory user and computer accounts and groups for wireless access, do the following:
1 If you are using Windows 2000 domain controllers, install Windows 2000 SP3 or SP4 on all domain controllers.
Step 3: Configuring the Primary IAS Server
Personal\Certificates folder. To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. It is also possible to import a certificate by double-clicking a certificate file that is stored in a folder or sent in an email message. Although this works for certificates created with Windows CAs, this method does not work for third-party CAs.
Enable the IAS server to read user accounts in Active Directory
To register the IAS server in the default domain using Internet Authentication Service:
1 Log on to the IAS server with an account that has domain administrator permissions.
2 Open the Internet Authentication Service snap-in.
3 Right-click Internet Authentication Service, and then click Register Server in Active Directory.
differ from the default values provided (1812 and 1645 for authentication and 1813 and 1646 for accounting), in Authentication and Accounting, type your port settings. To use multiple ports for authentication or accounting requests, separate the ports with commas.
Add RADIUS clients
1 Open the Internet Authentication Service snap-in.
2 For Windows 2000 IAS, in the console tree, right-click Clients, and then click New Client.
If you are using PEAP-MS-CHAP v2 authentication, select Extensible Authentication Protocol and the Protected EAP (PEAP) EAP type, and then click Configure. In the Protected EAP Properties dialog box, select the appropriate computer certificate and ensure that Secured password (EAP-MSCHAP v2) is selected as the EAP type.
Profile, Encryption tab: Clear all check boxes except the Strongest check box.
6 If the vendor-specific attribute is not in the list of available RADIUS attributes, click the Vendor-Specific attribute, and then click Add.
7 In the Multivalued Attribute Information dialog box, click Add.
8 Specify the vendor for your wireless AP. To specify the vendor by selecting the name from the list, click Select from list, and then select the vendor of the wireless AP for which you are configuring the VSA.
3 Click Edit Profile. The Edit Dial-In Profile dialog is displayed.
4 Click the Advanced tab.
5 Click Add. The Add Attribute dialog is displayed.
6 From the list, select the applicable Vendor Specific Attribute, and then click Add. The Attribute Information dialog is displayed.
7 In the Attribute value box, type 4329 as the vendor number, and then click OK.
8 Configure the applicable attributes as per the dictionary file at /etc/chantry/raddb/dictionary.
Step 4: Configuring the secondary IAS server (if applicable)
Dictionary file
The VSAs defined in the file /etc/chantry/raddb/dictionary.extreme are:
# dictionary.
If the secondary IAS server authenticates and authorizes connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the secondary IAS server computer is a member. Next, configure the secondary IAS server computer to read the properties of user accounts in other domains.
on the primary IAS server, perform steps 7 and 8 of the “Step 4: Configuring the secondary IAS server” section to copy the primary IAS server configuration to the secondary IAS server.
Step 6: Configuring Wireless Network (IEEE 802.11) Policies Group Policy Settings
With the Wireless Network (IEEE 802.
in your Windows 2000 Active Directory domain that runs either Windows Server 2003 with no service packs installed or Windows Server 2003 with SP1 (for WPA authentication and encryption settings). Once this is complete, you must use the Group Policy snap-in from any domain member computer running either Windows Server 2003 with no service packs installed or Windows Server 2003 with SP1 to configure Wireless Network (IEEE 802.11) Policies settings.
Step 8: Installing User Certificates on Wireless Client Computers for EAP-TLS Alternately, the user can run a CAPICOM program or script provided by the network administrator. The execution of the CAPICOM program or script can be automated through the user logon script. If you have configured autoenrollment of user certificates, then the wireless user must update User Configuration Group Policy to obtain a user certificate.
Floppy Disk-Based Installation
Another method of installing a user certificate is to export the user certificate onto a floppy disk and import it from the floppy disk onto the wireless client computer. For a floppy disk-based enrollment, perform the following:
1 Obtain a user certificate for the wireless client’s user account from the CA through Web-based enrollment.
7 If you want to specify where the certificate is stored, select Place all certificates in the following store, click Browse, and select the certificate store to use.
Step 9: Configuring Wireless Clients for EAP-TLS
If you have configured Wireless Network (IEEE 802.
authentication servers that must perform validation, select Connect to these servers and type the names.
3 Click OK to save changes to the Smart Card or other Certificate EAP type.
Step 10: Configuring Wireless Client Computers for PEAP-MS-CHAP v2
If you have configured Wireless Network (IEEE 802.
Additional Intranet Wireless Deployment Configurations
issuing CA is a Windows 2000 Server or Windows Server 2003 online root enterprise CA, then the root CA certificate is automatically installed on each domain member through computer configuration Group Policy. To verify, obtain the properties of the computer certificate on the IAS server using the Certificates snap-in and view the certificate chain from the Certification Path tab. The certificate at the top of the path is the root CA certificate.
Internet Access for Business Partners
The following is the behavior of most wireless APs in use today with respect to the receipt of RADIUS Access-Accept and Access-Reject messages:
● When the wireless AP receives an Access-Accept message, the connection is allowed
● When the wireless AP receives an Access-Reject message, the connection is denied
To allow a business partner, vendor, or other non-employee to gain access to a separate network using the same wi
computer certificates installed on the IAS server, click Configure, and then select the appropriate computer certificate. For Windows Server 2003 IAS, clear all other check boxes. Click EAP Methods and add the Smart Card or other Certificate EAP type. If you have multiple computer certificates installed on the IAS server, click Edit, and then select the correct computer certificate.
Certificates on Wireless Client Computers
For the user and computer certificates installed on wireless client computers, the following must be true:
● They must have a corresponding private key.
● They must contain the Client Authentication EKU (OID “1.3.6.1.5.5.7.3.2”).
● Computer certificates must be installed in the Local Computer certificate store.
8 Click Tools, and then click Internet Options.
9 Click the Connections tab, and then click LAN Settings.
10 In Proxy server, select Use a proxy server for your LAN.
11 Type the name or IP address of your proxy server in Address, then type the Web port number (typically 80) in Port.
4 Windows Recommendations and Best Practices
The following are recommendations and best practices for deploying an IEEE 802.11 WLAN in a large enterprise.
Security
Microsoft recommends that you use one of the following combinations of security technologies (in order of most to least secure):
● WPA2 with EAP-TLS and both user and computer certificates - EAP-TLS is the strongest 802.1X authentication method supported by Windows-based wireless clients.
● To install user certificates, use auto-enrollment - This requires the use of a Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, Certificate Services server as an enterprise CA at the issuing CA level.
● Otherwise, to install user certificates, use a CAPICOM script - Alternatively, use a CAPICOM script to install both computer and user certificates.
Active Directory
When configuring Active Directory for wireless access, use the following best practices:
● If you have a native-mode domain and are using a group-based wireless remote access policy, use universal groups and global groups to organize your wireless accounts into a single group. Additionally, set the remote access permission on computer and user accounts to Control access through Remote Access Policy.
account database (such as different Active Directory forests). RADIUS messages are forwarded to a member of the corresponding remote RADIUS server group matching the connection request policy.
● Investigate whether the wireless APs need RADIUS vendor-specific attributes (VSAs) and configure them during the configuration of the remote access policy on the Advanced tab of the remote access policy profile.
Using Computer-only Authentication
Configuring Computer-only Authentication using the Wireless Network (IEEE 802.11) Policies Group Policy Extension
To configure computer-only authentication using the Wireless Network (IEEE 802.11) Policies Group Policy extension, select Computer only in Computer authentication on the 802.1x tab for the preferred network that corresponds to your wireless network. Figure 6 shows an example.
Figure 6: Selecting computer-only authentication in the Wireless Network (IEEE 802.
Alternatively, you can use network management software to change registry settings on managed computers.
Summary
You can perform secure wireless authentication with either EAP-TLS or PEAP-MS-CHAP v2. For EAP-TLS, you must deploy a certificate infrastructure capable of issuing computer certificates to your IAS servers and both computer and user certificates to your wireless client computers and users.
5 Diagnostics WARNING! Changes or modifications made to the Summit WM Controller or the Wireless APs which are not expressly approved by Extreme Networks could void the user's authority to operate the equipment. Only authorized Extreme Networks service personnel are permitted to service the system. Procedures that should be performed only by Extreme Networks personnel are clearly identified in this guide.
Using the console port
Connect to the console port of the Summit WM20 Controller to perform diagnostics or a rescue procedure. The Summit WM20 Controller does not directly expose a DB9 COM interface. Instead, serial console access is provided through the USB Control port as a USB connection. The connector is reserved for Serial-over-USB operation. To connect to the console port:
1 Install the virtual serial driver by Silicon Laboratories on the laptop.
Summit WM20 Controller Diagnostics
NOTE
The rescue procedure does not apply to recovery of failed hardware, including the HDD.
The Summit WM20 Controller supports the following methods for rescue:
● Local Rescue – the rescue file is present directly on the filesystem
● Remote Rescue – the rescue file is located on a remote FTP server
Local Rescue
The rescue partition contains a rescue image. The rescue image is typically installed at manufacturing time, during the image cloning process.
Figure 7: Summit WM20 Controller LED lights (labels: Activity LED, Status LED, HDD Activity LED, Not used in current release)
The LED states are described below:
● ACTIVITY LED – Indicates CPU activity, including the amount of traffic carried to and from the Wireless APs.
● STATUS LED – Indicates the normal state of the Summit WM Controller as seen by the system’s software. This LED covers all stages of the Summit WM Controller, ranging from restarting to shutting down.
Table 7: Summit WM20 Controller LED states and corresponding system states
System state | Status LED | Activity LED
Power up (BIOS, POST) | Blinking Amber | Green
System booting (failed to boot) | Off | Green
Startup Manager: Task Started | Solid Amber | Blinking Amber
Startup Manager: Task completes the startup — All components active | Solid Green | Blinking Green upon traffic activity
A component fails to
Table 8: Protocols and Ports (Continued)
Source | Destination | Protocol (TCP/UDP) | Src Port | Dst Port | Service | Remarks
Access Point | Controller | UDP | | 69 | TFTP | Used for Access Point software update
Router | Controller | OSPF | | | OSPF | Routing Protocol
DHCP Server | Controller | UDP | Any | 67-68 | DHCP | DHCP communications such as DHCP relay or informs.
6 Hardware Maintenance
Summit WM20 Controller
WARNING! You should avoid operating the Summit WM20 Controller in a LAN in which DC voltage is overlaid on the data lines, because the LAN may have switches that connect directly without checking the supply voltage. Depending upon the transformer at the LAN interface, voltages of up to 500 Volts can be induced. Such peak voltages can destroy the physical LAN controller’s logic.
NOTE The Summit WM20 Controller can operate with either 110 or 230 V AC.
Maintenance
If the Summit WM20 experiences any problems and Extreme Networks technical support has determined that the unit needs to be replaced, ship the defective unit to Extreme Networks per the RMA instructions.
Backing up the Summit WM20 Controller’s system configuration
You can back up the Summit WM Controller’s system configuration. You can also define automatic scheduled backups.
Figure 9: ESD Wrist Strap and Cord Assembly
Using electrostatic discharge prevention procedures
Always follow the electrostatic discharge (ESD) prevention procedure when you remove and replace cards. Failure to follow the ESD prevention procedure can result in permanent or intermittent card failures.
CAUTION Observe all precautions for electrostatic discharge.
● Handle cards by their edges only.
CAUTION Avoid contact between the card and your clothing. Electrostatic charges on clothing can damage the card. The wrist strap protects the card from electrostatic charges on your body only.
● Immediately place any card you remove from the system into a static-shielding package.
CAUTION The card must remain in a static-shielding bag or static-free box until the card is returned to the warehouse.
3 Under System Shutdown, select Halt System, and then click Apply Now. The following dialog box is displayed.
4 Click OK. The software’s operation is halted and you are logged out of the system.
NOTE You can also use the CLI command to stop the software operation instead of the Summit WM Graphical User Interface (GUI).
5 Switch off the Summit WM20 Controller’s power switch, located on the front panel. The power receptacle is on the rear panel.
Backing up the Summit WM20 Controller’s system configuration
You can back up the Summit WM20 Controller’s system configuration. You can also define automatic scheduled backups. While defining a scheduled backup, you can configure the backup to be copied to an FTP server. The backup is copied to the FTP server after it is completed on the local drive. For more information, refer to the Summit WM20 User Guide.
7 MAC Based Authentication
MAC-based authentication is a feature designed to further control access to network resources for wireless clients on the Summit WM Software system. It is based on authentication of the client’s MAC address using the same process as the user’s RADIUS authentication. Only clients whose MAC addresses have been authenticated can establish sessions and use network resources as defined by the rules for the virtual network segment.
Roaming
When a client roams from one Wireless AP to another, MAC authentication is not required by default. MAC authentication can be forced in the roaming case. It can happen that user re-authentication is not required but MAC re-authentication is.
RADIUS redundancy
If the primary server for MAC authentication is not accessible, RADIUS redundancy is triggered and the request is sent to the next server.
Assumptions/recommendations
1 The MU session timeout is a very important factor in the timeout settings of the RADIUS profile definitions. In order to avoid an infinite loop, RADIUS redundancy should take over within 30 seconds; otherwise the authentication requests keep being sent to the non-responsive server.
8 FreeRADIUS and Security
A good way to get up and running with an inexpensive RADIUS server is to use FreeRADIUS. This program is available from www.freeradius.org and provides good options for RADIUS authentication and accounting. While it is possible to configure FreeRADIUS to interoperate with a Microsoft infrastructure such as Active Directory using LDAP, it is recommended that IAS (Internet Authentication Service) be used for better integration with a Microsoft environment.
shortname = SWC001
}
In this case the RADIUS client is a Summit WM Controller at 10.0.0.10. Since the controller has many IP addresses, some physical and some virtual, there is confusion over which IP address to use as the RADIUS client address. The answer is the address of whichever interface the controller uses to send the packet to the RADIUS server. In the CLI of the controller, use the ping command to determine which interface will be used if it is not obvious.
setting to CHAP and change the Auth. Type in the WM-AD settings under the Auth & Acct tab to use CHAP.
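The MAC-based authentication of Chapter 7 rides on the ordinary RADIUS user path with the MAC address as the User-Name, and the PAP/CHAP choice above decides how the password attribute is built against the shared secret configured in clients.conf. The following Python script is an added example, not code from this guide, the controller or FreeRADIUS: it builds the Access-Request for both methods, hides the User-Password exactly as RFC 2865 §5.2 requires, forms the CHAP-Password per RFC 2865 §5.3, and shows the check the server performs. The User-Name format (lower-case, colon-separated MAC), the shared secret and the NAS address are assumptions; the guide only states that the User-Name is the client MAC.

```python
"""RADIUS Access-Request for MAC-based authentication (added example, not from the guide).

Shows how the client MAC becomes User-Name, how User-Password is hidden for PAP
(RFC 2865 s.5.2), how CHAP-Password is formed (RFC 2865 s.5.3), and the check the
RADIUS server performs. User-Name format, shared secret and NAS address are assumptions.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
NAS_IP_ADDRESS, CALLING_STATION_ID, CHAP_CHALLENGE = 4, 31, 60


def attr(atype, value):
    """RADIUS attribute TLV: type, length (value + 2 header bytes), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", atype, len(value) + 2) + value


def hide_password(secret, authenticator, password):
    """Pad to 16-byte blocks; each block is XORed with MD5(secret || previous
    ciphertext block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(secret, authenticator, hidden):
    """Server side: same key chain, keyed on the received ciphertext blocks.
    Trailing NUL padding is stripped, so passwords ending in NUL are not supported."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident, password, challenge):
    """CHAP-Password = CHAP ident || MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_mac_auth_request(mac, secret, nas_ip, method="pap", authenticator=None, ident=1):
    """Return (packet, request_authenticator). The MAC is both User-Name and password,
    which is how MAC-based authentication reuses the normal user RADIUS path."""
    authenticator = authenticator or os.urandom(16)
    user = mac.lower().encode()  # assumed User-Name format
    attrs = attr(USER_NAME, user) + attr(CALLING_STATION_ID, user)
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    if method == "pap":
        attrs += attr(USER_PASSWORD, hide_password(secret, authenticator, user))
    elif method == "chap":
        # Without a CHAP-Challenge attribute the Request Authenticator is the
        # challenge; sending it explicitly keeps the two in step.
        attrs += attr(CHAP_PASSWORD, chap_response(ident, user, authenticator))
        attrs += attr(CHAP_CHALLENGE, authenticator)
    else:
        raise ValueError("method must be 'pap' or 'chap'")
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attrs(packet):
    """Map attribute type to value (first occurrence) for everything after the header."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        out.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    return out


def server_check(packet, secret, known_macs):
    """Server side: recover (PAP) or verify (CHAP) the password, then compare the MAC."""
    a = parse_attrs(packet)
    authenticator, user = packet[4:20], a.get(USER_NAME, b"")
    if USER_PASSWORD in a:
        ok = unhide_password(secret, authenticator, a[USER_PASSWORD]) == user
    elif CHAP_PASSWORD in a:
        challenge = a.get(CHAP_CHALLENGE, authenticator)
        ok = chap_response(a[CHAP_PASSWORD][0], user, challenge) == a[CHAP_PASSWORD]
    else:
        return False
    return ok and user.decode(errors="replace") in known_macs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # placeholder, not a real secret
    for method in ("pap", "chap"):
        pkt, _ = build_mac_auth_request("00:11:22:AA:BB:CC", secret, "10.0.0.10", method)
        print(method, "accepted:", server_check(pkt, secret, {"00:11:22:aa:bb:cc"}))
```

Note that with PAP the server recovers the MAC in clear from the User-Password, so anyone holding the shared secret and a capture can do the same; CHAP only lets the server verify an MD5 over the challenge, which is why the guide offers it as the alternative setting.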
FreeRADIUS and Security Configure eap.conf file The eap.conf file contains general information on the handling of EAP packets that are forwarded to the RADIUS server. We will cover the configuration of the file for TLS and for PEAP. For TLS or PEAP the TLS section needs to be completed. This is because even with PEAP authentication types a secure tunnel is needed from client to server and the TLS section contains the information required to set this tunnel up.
9 RADIUS Attributes
Remote Authentication Dial-In User Service (RADIUS) is an industry standard for providing identification, authentication, authorization, and accounting services for distributed dial-up/remote access networking.

RADIUS Vendor-Specific Attributes (VSAs)
RADIUS Vendor-Specific Attributes (VSAs) are RADIUS Authentication and Accounting attributes defined by vendors to customize information exchanges between clients and servers.
RADIUS Accounting

Account-Start Packet
Table 10 lists the information elements (including VSAs) supported in a RADIUS Start message, issued by Summit WM Controller, Access Points and Software, with RADIUS Accounting enabled:
Table 10: Information elements supported in RADIUS Start messages
Attribute NO. RAD.
RADIUS Accounting Table 11: Information elements supported in RADIUS Stop or Interim messages (Continued) Attribute NO. RAD.
When a user session is terminated, the RADIUS client sends a RADIUS accounting stop request that will include one of the following termination codes:
Table 12: Termination codes
Columns: Radius Value | Radius Definition | Controller Value | Controller/SMT Definition | Controller Name
1 | User Request | 9 | RF notification that MU has disconnected from Wireless AP. This would be the case if there is a Logoff button for Captive Portal. Normally this would not apply to 802.1x connections.
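The Stop packet described above, as an added example that is not the guide's own code: a small RFC 2866 encoder/decoder that builds an Accounting-Request carrying Acct-Terminate-Cause 1 (User Request, the Table 12 row shown here) and a Vendor-Specific Attribute, and the Request Authenticator check a RADIUS server applies before trusting the accounting record. The shared secret, user name, session id, NAS address and vendor id are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Standard RADIUS attribute types and codes (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST = 4
USER_NAME = 1
NAS_IP_ADDRESS = 4
VENDOR_SPECIFIC = 26
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_TERMINATE_CAUSE = 49
ACCT_STATUS_STOP = 2

# The one Table 12 row shown on this page: RADIUS value 1 = User Request.
TERMINATE_CAUSE_NAMES = {1: "User Request"}

# Constructed placeholder; the real Summit WM vendor id is not given on this page.
EXAMPLE_VENDOR_ID = 99999


def attr(atype, value):
    """Encode one TLV attribute; the length octet covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id, vtype, value):
    """Encode a Vendor-Specific Attribute (type 26) carrying one sub-attribute."""
    sub = struct.pack("!BB", vtype, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_acct_stop(secret, ident, username, session_id, cause, nas_ip):
    """Build an Accounting-Request (Stop) and sign it with the Request Authenticator."""
    attrs = (
        attr(USER_NAME, username)
        + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_STOP))
        + attr(ACCT_SESSION_ID, session_id)
        + attr(ACCT_TERMINATE_CAUSE, struct.pack("!I", cause))
        + vsa(EXAMPLE_VENDOR_ID, 1, b"Summit WM example VSA")  # constructed VSA
    )
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret).
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_acct_request(packet, secret):
    """Recompute the Request Authenticator; a mismatch means a forged or wrong-secret packet."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_attributes(packet):
    """Walk the TLV list; VSA sub-attributes are keyed (26, vendor_id, vendor_type)."""
    out = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")  # reject malformed input early
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub = value[4:]
            while len(sub) >= 2:
                vtype, vlen = sub[0], sub[1]
                if vlen < 2 or vlen > len(sub):
                    raise ValueError("bad VSA sub-attribute length")
                out[(VENDOR_SPECIFIC, vendor_id, vtype)] = sub[2:vlen]
                sub = sub[vlen:]
        else:
            out[atype] = value
        pos += alen
    return out


def terminate_cause(packet):
    """Name the Acct-Terminate-Cause value, as Table 12 does."""
    code = struct.unpack("!I", decode_attributes(packet)[ACCT_TERMINATE_CAUSE])[0]
    return TERMINATE_CAUSE_NAMES.get(code, "code %d" % code)


if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # constructed
    pkt = build_acct_stop(SECRET, 7, b"alice", b"0001A2B3", 1, "10.0.0.10")
    print("authenticator ok:", verify_acct_request(pkt, SECRET))
    print("authenticator ok with wrong secret:", verify_acct_request(pkt, b"wrong"))
    print("terminate cause:", terminate_cause(pkt))
```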
Supported attributes in RADIUS authentication and RADIUS response messages Table 13: Supported attributes in RADIUS authentication and RADIUS response messages (Continued) MBA on SSID WM-AD MBA on AAA WM-AD AAA WM-AD SSID WM-AD CP Auth (MSCHAP) SSID WMAD CP Auth (CHAP) SSID WMAD CP Auth (PAP) Acct-Interim-Interval X Y Y Y Tunnel-Private-Group_ID X X Y X MS-MPPE-Recv-Key NA NA Y NA MS-MPPE-Send-Key NA NA Y NA Y X NA Y Y Y User name Y (ETHMAC) Y (ETHMAC) Y Y Y Y BSS-MAC
10 SNMP MIBs Summit WM Controller is the main repository of all configuration and statistical data for itself and all Wireless APs, WM-ADs and attached Mobile Units. SNMP is one of the user interfaces to retrieve such information. For retrieval of such information, Summit WM Controller supports a subset of MIB-II, as well as proprietary MIBs.
For example, the WM-AD interface description is the name of the WM-AD, and each Wireless AP has three interfaces: one wired and two radio. The wired interface of the Wireless AP is named by concatenation of the Wireless AP's name and the word "_ethernet", and each radio interface is named by concatenation of the Wireless AP's name and the radio type. The following are examples of some of the interfaces with arbitrary indices.
● Some of the physical ports of the Summit WM Controller:
ifDesc.1 = esa0
ifDesc.
Proprietary MIBs
Our proprietary MIBs can be used to retrieve useful information about the system as a whole.

EXTREME-SUMMIT-WM-MIB.my
The main groups and tables defined in this MIB are:
● systemObects – The types of information that can be retrieved from this group include software and hardware information, information about physical interfaces, DNS information, and tunneling information.
11 DRM - Dynamic Radio Management

Introduction
WLANs are becoming more common. Usage has grown to require higher user capacities and higher radio frequency (RF) density. As 802.11 becomes standard for larger networks, network performance becomes a critical factor in managing the network. A site survey is necessary for installing and configuring large WLAN networks. However, site surveys are not sufficient to address how the WLAN network will perform over time. The performance of an 802.
Other sources of RF Interference
RF quality can also be affected by interference caused by other RF technologies and by the propagation characteristics of the RF signal through and around objects. Other devices operating in either the 2.4 GHz band or the 5 GHz band can interfere with 802.11 data transmission. These include equipment such as fluorescent lights and other wireless technologies such as Bluetooth or cordless phones.
DRM Details
● Dynamic client load balancing across HAPs for Dynamic Radio Management (DRM) client software.
● Advanced features:
  ● Co-existence with Rogue AP Detection (Summit WM series Spy) feature
  ● Load balancing even across multi-subnetted HAPs
  ● Interaction with other APs to reduce co-channel interference. DRM can be configured to avoid co-channel interference with neighboring WLANs.
to APs, and determine when to roam to a new AP. All of these operations are critical to the operation of a wireless client.
Figure 11: DRM Standard Power Mode
The diagram in Figure 1 shows clients at different distances from the AP. Both clients measure the signal strength from the AP using Beacons or Probe Responses. This gives the client an accurate view of the RF signal quality it can obtain from the AP.
Minimizing interference
Now consider this deployment for a system of 4 APs deployed in a region where there are only 3 non-overlapping channels, such as America.
Figure 12: Non DRM APs and area of co-channel interference
When APs are deployed to cover an area, a minimum average data rate is generally required by the customer. However, when APs are deployed to ensure this rate everywhere, the area covered by the entire cell must be considered. This is shown above.
Now consider the case for DRM's standard RF mode. The data Tx range from each AP is kept as low as possible given the active clients. The area of co-channel interference in the middle of the APs is now reduced to just co-channel interference for beacons. Beacons are regular traffic but are only sent at a typical interval of 0.1 seconds.
DRM Power Control Summary
It is important to make sure that the APs configured for this mode are operating on the same plane as the clients. The APs adjust power to avoid interfering with each other and do not take into account the location of clients. If the APs are mounted on high ceilings (for example, 50 feet above an exhibit hall floor) and the APs reduce power to avoid interfering with other APs, the coverage on the exhibit hall floor may be severely impacted.
● DRM Shaped Power Control will adjust the cell size when new APs are brought online or removed from service
● DRM Shaped Power Control minimizes the co-channel interference between APs.

DRM Automatic Channel Selection
When DRM is enabled for both the Summit WM Controller and for a specific AP, the access point may participate in a dynamic channel selection procedure.
Selection Phase
In addition to listening for existing devices operating on the channel, the DRM APs notify other DRM APs that they are in the process of selecting a channel. This serves the following purposes:
● Synchronize all DRM APs during the channel selection process (only applies to situations where all APs are booting at the same time, such as after a power failure).
that have selected the same channel to receive all of the other APs' channel selection information. Once the negotiation period expires, all the APs determine whether they are allowed to operate on the selected channel. The AP with the greatest need is allowed to operate on the selected channel. All other APs return to the scanning phase. The APs that return to the scanning phase perform a minimal scan to detect any new APs operating on a channel.
5 Restart DRM (resetting of channel and power).
6 Type of shaped coverage (standard versus shaped)
7 Max/Min RF power configuration
When DRM is enabled, both channel and transmit signal strength are automatically configured by DRM. Upon power-up, DRM will scan the WLAN network to select a channel and set its power to maximum. It will back off its power to adjust for the presence of neighboring disabled DRM Access Points. The DRM application is enabled globally on the Summit WM Controller.
Reporting
Figure 15 provides a dynamic display of the channel and transmit power setting for each radio on the AP.
Figure 15: Wireless AP statistics
Glossary
AAA Authentication, Authorization, Accounting
CDR Call Detail Record
CLI Command Line Interface
Cell RF coverage area provided by Summit Access Point or an Access Point
CTP CAPWAP Tunneling Protocol
DRM Dynamic Radio Management
EAP Extensible Authentication Protocol
ESS Extended Service Set
ESSID Extended Service Set Identification
EU European Union
GUI Graphical User Interface
ICMP Internet Control Message Protocol
IEEE Institute of Electrical and Electronics Engineers
RS Radio Signal
SLP Service Location Protocol
SNMP Simple Network Management Protocol
SNR Signal-to-Noise Ratio
SSID Service Set Identifier
SWM Summit Wireless Controller (controller)
WISP Wireless ISP
WLAN Wireless Local Area Network
WM-AD WM Access Domain Services
A Logs and Events
The Summit WM Controller is designed to behave like an appliance. It is either in an operational state, or it has failed due to a hardware problem or a low-level packet processing issue. In general, the system will self-recover by rebooting if the system fault is recoverable.
Table 14: STARTUP_MANAGER (0) logs and events (Continued)
Log ID Log Message Comment Action
9 Unable to start component [%d]. Services provided by the component will be unavailable. Internal component problem. If problem persists, contact Technical Support to investigate.
20 Component [%d] is down. Component will be restarted. Internal component became inactive. Component will restart. If problem persists, contact Technical Support to investigate.
21 Component [%s] is down.
Table 14: STARTUP_MANAGER (0) logs and events (Continued)
Log ID Log Message Comment Action
141 Error binding socket. Errno: %d
142 Socket address already in use.
143 Unable to connect to socket. Errno: %d
144 Startup API socket accept error. Errno: %d
145 Startup API socket select error. Errno: %d
146 Connected to component [%d].

EVENT_SERVER (1)
Table 15: EVENT_SERVER (1) logs and events
Log ID Log Message Comment Action
1 Failed to create thews thread.
Table 15: EVENT_SERVER (1) logs and events (Continued)
Log ID Log Message Comment Action
The evaluation license for the controller has expired. Please contact your customer representative and purchase licenses to continue using the controller. If you do not purchase a license, the legal requirement is to put the system out of service. System operation is severely restricted by lack of valid license.
Table 15: EVENT_SERVER (1) logs and events (Continued)
Log ID Log Message Comment Action
20 Cannot reset file pointer to beginning of the log file - Error no:%d. The message and subsequent messages will be dropped. Internal Component Failure. Log system may not be working properly. Failed to log configuration change. If problem persists, contact Technical Support to investigate.
21 Trying to read non-empty file Error no:%d. Message will be dropped. Internal Component Failure.
Table 15: EVENT_SERVER (1) logs and events (Continued)
Log ID Log Message Comment Action
31 Cannot reset AP detection log file pointer to beginning of file Error no:%d. The message and subsequent messages will be dropped. Failure in Rogue AP Detection Logging. Reporting of rogue devices may be affected. Only relevant if Summit WM series Spy is enabled. If problem persists, contact Technical Support to investigate.
Table 15: EVENT_SERVER (1) logs and events (Continued)
Log ID Log Message Comment Action
48 Invalid information [%d]. Dropping the message. Problem interpreting log message. Log entry may not be performed. Low impact to the system. If problem persists, contact Technical Support to investigate.
49 Invalid length [%d] for AP serial number. Problem interpreting log message. Log entry may not be performed. Low impact to the system.
Table 15: EVENT_SERVER (1) logs and events (Continued)
Log ID Log Message Comment Action
61 Message [%d] processing failed. Problem interpreting log message. Log entry may not be performed. Low impact to the system. If problem persists, contact Technical Support to investigate.
62 Invalid sort type [%d]. Problem interpreting log message. Log entry may not be performed. Low impact to the system.
Table 15: EVENT_SERVER (1) logs and events (Continued)
Log ID Log Message Comment Action
81 Unable to clear AP critical alarm. Alarm ID [%d]. Possible problem with logging system. If problem persists, contact Technical Support to investigate.
82 Unable to send log export response. Possible problem with logging system. If problem persists, contact Technical Support to investigate.
83 Invalid page request [%d]. Possible problem with logging system.

CONFIG_MANAGER (2)
Table 16: CONFIG_MANAGER (2) logs and events (Continued)
Log ID Log Message Comment Action
10 Access point%s has reported a radar interference violation on%s. The affected radio(s) have been placed in auto channel select mode, and will not respond to channel changes until 30min after the radar interference is last detected. Information. AP has responded to Radar signal information. None
11 AP [%s] has not responded to a configuration change.
Table 16: CONFIG_MANAGER (2) logs and events (Continued)
Log ID Log Message Comment Action
Cannot send syslog enable notify. Possible impact to Log System configuration in terms of logging to external log system. Retry applying syslog configuration. If problem persists, contact Technical Support to investigate.
Software config response sent out.

STATS_SERVER (3)
Table 17: STATS_SERVER (3) logs and events (Continued)
Log ID Log Message Comment Action
Unable to determine local physical ports on system; port statistics will not be collected. Affects ability to report statistic utilization of system interfaces. No deterrent effect to system operation other than to interface reports. If problem persists, contact Technical Support to investigate.
65 Shutdown sequence initiated.
Table 17: STATS_SERVER (3) logs and events (Continued)
Log ID Log Message Comment Action
137 Received VN_MGR_STATS_NOTIFY message
138 Received response for IXP SNMP port statistics

SECURITY_MANAGER (4)
Table 18: SECURITY_MANAGER (4) logs and events
Log ID Log Message Comment Action
1 Cannot allocate memory. Will not be able to process Captive portal authentication request. Internal operation failure.
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
Log ID Log Message Comment Action
Major
9 Status thread failed to start. Will not be able to communicate with startup/shutdown Mgr until status thread starts. If problem persists, contact Technical Support to investigate.
13 Error occurred when sending response message to Apache server. If problem persists, contact Technical Support to investigate.
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
Log ID Log Message Comment Action
36 Client with MAC%s has failed authorization on AP <%s>. Client on specific AP has failed authentication with controller. Verify that user in question is properly configured to access network.
37 Client session MAC%s has failed authentication. Client on specific AP has failed authentication with controller. Verify that user in question is properly configured to access network.
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
Log ID Log Message Comment Action
73 Error trying to send a message to Radius Client. Captive portal authentication request will fail. Internal interprocess communication issue. Users authenticated via internal captive portal may not reach authenticated state even with proper credentials. Component may need to be restarted. If problem persists, contact Technical Support to investigate.
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
Log ID Log Message Comment Action
82 Invalid message Id%d received from Radius Client. Authentication request for the session will fail. Authentication response is not processed. User will re-attempt and situation shall clear itself. If problem persists, contact Technical Support to investigate.
83 The user (with session tracking tag%d) cannot authenticate as the message to the Radius Server has timed out.
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
Log ID Log Message
137 Set Radius Client socket to %d.
138 Set Listening socket to %d.
139 Set Apache socket to %d.
140 Set CIA Agent socket to %d.
141 Received a shutdown message from the Startup/Shutdown Mgr.
142 Processing Apache message was unsuccessful.
143 Processing CIA message was unsuccessful.
144 Processing Radius Client message was unsuccessful.
145 Processing EAP message unsuccessful.
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
Log ID Log Message
158 Failed to convert MAC CHAR message to MAC Hi and Low.
159 Send Radius Message with session tracking tag %d.
160 Received Authentication success message from Radius Client for session tracking tag %d.
161 Received Authentication failure message from Radius Client for session tracking tag (token, msgId) %d.
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
Log ID Log Message
175 Error reading CIA header. This error is generally caused by a component (CIA/CM) shutting down without properly closing the socket.
176 Send MU_GET_PARAMS_REQ to MU Mgr.
177 Error on sending MU_GET_PARAMS_REQ to MU Mgr.
178 Received MU_GET_PARAMS response from MU Mgr.
179 Error on receiving MU_GET_PARAMS response from MU Mgr.
180 Send MU_SET_PARAMS request to MU Mgr.
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
Log ID Log Message
192 Received wrong number of entries for Config Policy List from Config Manager for session tracking tag (token) %d.
193 Closed EAP Socket %d.
194 Closed Radius Socket %d.
195 Closed CIA socket %d.
196 Closed Apache socket %d.
197 Received CIA message.
198 Received EAP message.
199 Received UPDATE_LOGLEVEL_NOTIFY message from Config Manager.
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
Log ID Log Message
213 Cannot set policy parameters for session tracking tag (token) %d. Captive portal authentication request will fail.
214 Cannot set MU parameters for session tracking tag (token) %d. Captive portal authentication request will fail.
215 Apache socket is zero. Cannot send a message to the Apache Server.
216 Radius socket is zero. Cannot send a message to Radius.
217 EAP socket is zero.
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
Log ID Log Message
231 Send authentication success message to EAP for sessionId %d
232 Send authentication failure message to EAP for sessionId %d
233 Send EAP Access request message for sessionId %d
234 Error on sending EAP Access request message for sessionId %d
235 Received EAP Access response message
236 Send EAP Config Policy request for sessionId %d to CM
237 Error on sending EAP Config Policy request for s
Table 18: SECURITY_MANAGER (4) logs and events (Continued)
Log ID Log Message Comment Action
252 Received unknown status for sessionId %d so assume failure
253 Setup EAP entry returns failure for sessionId %d
254 Received status failed for sessionId %d regarding getting/ setting MU params
255 Failed to delete EAP session for sessionId %d

RU_MANAGER (6)
Table 19: RU_MANAGER (6) logs and events
Log ID Log Message Comment Action
1 RU Manager has suffered a critical internal er
Table 19: RU_MANAGER (6) logs and events (Continued)
Log ID Log Message Comment Action
12 Remote Access Point failed registration: Maximum license limit of APs reached.%s MDL Mismatch. More APs attempted to fail over from availability peer. Recommend systems support same capacity. Some APs may become unable to provide RF service. Verify number of APs allowed by MDL portion of License. Verify that purchase limits match on both systems. Contact Sales support to discuss allowance increases.
Table 19: RU_MANAGER (6) logs and events (Continued)
Log ID Log Message Comment Action
65 AP registered.%s AP Identified by Serial Number has registered. None
66 AP authenticated.%s AP Identified by Serial Number has registered. None
67 RU Manager started normally. Component state. None
68 RU Manager shutting down normally. Component state. None
69 SLP registration successful. Component state.
RADIUS_CLIENT (7)
Table 20: RADIUS_CLIENT (7) logs and events
Log ID Log Message Comment Action
1 A file system error occurred. Unable to open RADIUS dictionary file. RADIUS client exiting. Possible initialization problem for RadiusClient component. May affect ability of users to authenticate with system and therefore affect their ability to gain network access. If problem persists, contact Technical Support to investigate.
Table 20: RADIUS_CLIENT (7) logs and events (Continued)
Log ID Log Message Comment Action
33 Config Manager returned wrong flag. Will retry retrieving configuration. Possible problem with configuration of authentication sub-system; in particular, may become unable to determine correct Radius Configuration. Connection retry should resolve condition. If problem persists, contact Technical Support to investigate.
34 Internal error occurred for a single request.
Table 20: RADIUS_CLIENT (7) logs and events (Continued)
Log ID Log Message Comment Action
40 Invalid NAS port number for subnet%d. Default value will be used. Possible problem with configuration or availability of Radius Server or WM-AD configuration of radius parameters. Default parameters will be used. No expected impact to user authentication. Validate Configuration of RadiusServer in GlobalSettings and in WM-AD definition.
Table 20: RADIUS_CLIENT (7) logs and events (Continued)
Log ID Log Message Comment Action
238 RADIUS CLIENT SEND: %s
239 RADIUS CLIENT RECEIVE: %s

HOST_SERVICE_MANAGER (8)
Table 21: HOST_SERVICE_MANAGER (8) logs and events
Log ID Log Message Comment Action
Failed to set management IP address ' + newData[1] + '. Please check your network for probable conflict. Rolling back to IP address ' + currentData[1] + '.' Possible network conflict for system IP address.
VNMGR (9)
Table 22: VNMGR (9) logs and events (Continued)
Log ID Log Message Comment Action
5 Socket call failed. Will not be able to communicate with specific component. Internal operation issue. May affect Mobility Domain state. Component will be restarted automatically. If problem persists, contact Technical Support to investigate.
6 Unable to initialize internal program data structure. Mobility Manager will halt. Internal operation issue. May affect Mobility Domain state.
Table 22: VNMGR (9) logs and events (Continued)
Log ID Log Message Comment Action
Mobility Manager has received incomplete filterId information for the client with MAC%s. This client will be treated as experiencing an authorization error. MAC based authentication. User will be disconnected and forced to re-authenticate with system. If problem persists, contact Technical Support to investigate.
Mobility Manager has received invalid authentication information for the client with MAC%s.
Table 22: VNMGR (9) logs and events (Continued)
Log ID Log Message Comment Action
35 Mobility Manager failed to received response for MACbased authorization for client with MAC%s. MAC based authentication. User will be disconnected and forced to re-authenticate with system. If problem persists, contact Technical Support for investigation.
36 Connection established with:%s Mobility Peer Identification None
65 Mobility Manager shutting down normally.
Table 22: VNMGR (9) logs and events (Continued)
Log ID Log Message Comment Action
79 Slpd service or attribute change successful. Mobility Configuration management. Administrator change. None
80 Configuration change successful. Mobility Configuration management. Administrator change. None
81 Two or more ACs are proclaiming that they are the home for an MU with the MAC address%s. The Mobility Manager will be informed and will resolve this conflict. Conflict Resolution.
Table 22: VNMGR (9) logs and events (Continued)
Log ID Log Message
142 Write VN_Conn_establish payload with hb_int %d and agent_ac_id %d
143 Read VN disconnect payload with errCode %d and subErrCode %d
144 Write VN disconnect payload with errCode %d and subErrCode %d
145 Connected to VN Mgr at %s.
Table 22: VNMGR (9) logs and events (Continued)
Log ID Log Message
162 Received CIA_MU_DEREGISTER_NOTIFY message for MU with MAC %s.
163 Received unknown CIA message with messageType %d
164 Update main MU List with %s.
165 Cleanup MU list
166 Update main AC list with %s
167 Update AC neighbour list with %s.
168 Add or delete tunnel with %s.
169 Cleanup tunnel entry with ac_id %d
170 Set all tunnels to disconnected
171 Add or update total tunnel list with %s.
STACK_ADAPTER (10)
Table 23: STACK_ADAPTER (10) logs and events
Log ID Log Message Comment Action
65 Fast Ethernet Stack Adaptor Started. System initialization state None
66 Gigabit Ethernet Stack Adapter Started. System initialization state None

Log Message Comment Action
9 Upgrade process failed - failure reason:%s. System application/firmware upgrade process failed. System operating components and personality may be lost as a result.
Table 24: CLI (11) logs and events (Continued)
Log ID Log Message Comment Action
34 failure reason:%s. Database backup procedure failed. Revisit operation parameters and storage availability. If problem persists, contact Technical Support for investigation.
65 FTP for%s started. FTP operation state None
66 FTP for%s successful. FTP operation state None
67 Back-up process started. Backup Procedure state None
68 Back-up process successful.
Table 25: LANGLEY (13) logs and events (Continued)
Log ID Log Message Comment Action
A connection request from '%s' failed to authenticate with the messaging server. This may indicate that somebody is portscanning the access controller, or is attempting to gain backdoor access. Possible Denial of Service attack. Verify credentials of source. If problem persists and problem is deemed to be associated with internal component, contact Technical Support to investigate.

NSM_SERVER (15)
Table 26: NSM_SERVER (15) logs and events (Continued)
Log ID Log Message Comment Action
Unknown internal program message received - type%d. Message will be ignored and processing continued. Internal communications issue. No direct impact to system operation, however may be symptom of more serious condition. If problem persists, contact Technical Support for investigation.
65 NSM started normally. Component state None
67 Static route deleted successfully.
Table 27: OSPF_SERVER (17) logs and events (Continued)
Log ID Log Message Comment Action
66 Static route deleted successfully. Component state None
67 Get static routes successful. Component state None
68 Delete OSPF interface successful. Component state None
69 Retrieving OSPF configuration successful. Component state None
70 Retrieving OSPF interface information successful.

CDR_COLLECTOR (23)
Table 28: CDR_COLLECTOR (23) logs and events (Continued)
Log ID Log Message Comment Action
3 File storage limit has been reached for the accounting files. The oldest file(s) will be deleted to free up room for the new accounting files. CDRs will be truncated to create room for new records. Customer should retrieve CDRs more frequently and clear old files.
8 CDR critical:%s. n/a n/a
9 Internal messaging error:%d. Accounting information for one client session will be incomplete.
Table 28: CDR_COLLECTOR (23) logs and events (Continued)
Log ID Log Message Comment Action
37 Unable to read binary property from internal message payload [%d]. Error will be ignored and processing continued. Internal operation error. Specific CDR record may not be consistent. If problem persists, contact Technical Support for investigation.
38 Unable to read integer property from internal message payload [%d]. Error will be ignored and processing continued.
Table 28: CDR_COLLECTOR (23) logs and events (Continued)
Log ID Log Message Comment Action
Fail to receive cdr_config_notify. Possible issue with configuration of CDR/Accounting sub-system. Can result in lack of accounting reporting/CDR for system users. Doesn't affect users' state; however, it doesn't allow the owner to provide proper billing for services rendered. Validate configuration of CDR/Accounting settings for Radius Server and WM-AD definitions.
Table 28: CDR_COLLECTOR (23) logs and events (Continued)
Log ID Log Message Comment Action
69 All CDR records written to file. Shutting down normally. Accounting sub-system state. If problem persists, contact Technical Support for investigation.
70 The old CDR directory has been removed. Accounting sub-system state. If problem persists, contact Technical Support for investigation.
128 CDR informational:%s. n/a n/a
Trace
129 Received IXP_MU_STATE_NOTIFY messagee.
RF_DATA_COLLECTOR (36)
Table 29: RF_DATA_COLLECTOR (36) logs and events
Log ID Log Message Comment Action
An error has occurred in the RF Data Collector which will cause this component to shutdown (and be restarted by the system). Details:%s. Internal operation error. Rogue AP scan updates may be temporarily suspended. Should resume once component is automatically restarted by the system's health monitor. If problem persists, contact Technical Support for investigation.
Table 29: RF_DATA_COLLECTOR (36) logs and events (Continued)
Log ID Log Message
130 Error details: %s.

REMOTE_INS (58)
Table 30: REMOTE_INS (58) logs and events
Log ID Log Message Comment Action
Rogue AP found by AP%s (SN%s) for scan%s (ID%d) on%s with unknown bssType%u Scan Result indication. Take appropriate remedial action to identify and neutralize threat.
Threat [Inactive AP with valid SSID] detected by AP%s, SN%s (%s).
Table 30: REMOTE_INS (58) logs and events (Continued)
Log ID Log Message Comment Action
Unable to initialize internal configuration data structures. Internal operation error. May indicate a larger problem with system's memory resource management. If problem persists, contact Technical Support for investigation.
Unable to initialize global log bitmask. Internal operation error. May indicate a larger problem with system's memory resource management.
Table 30: REMOTE_INS (58) logs and events (Continued)
Log ID Log Message Comment Action
Error in setting up RFDC connection: cannot set detached pthread attributes. Connection cannot be setup. Internal operation error. Problem may prevent Rogue AP (Summit WM series Spy) detection from taking place. Component may need to be restarted. If problem persists, contact Technical Support for investigation.
Table 30: REMOTE_INS (58) logs and events (Continued)
Log ID Log Message Comment Action
33 In run_analysis_against_specific_list: cleanup_memory_for_data for AP failed. Internal operation issue. May result in problems with memory management for the system. If problem persists, contact Technical Support for investigation.
In run_analysis_against_specific_list: cleanup_memory_for_data for THIRD_PAP failed. Internal operation issue.
Log Message: Received request from CM to delete RFDC session with ip addr%s
Comment: Summit WM series Spy feature state.
Action: None

Log Message: Connection with RFDC session with ip addr%s is up
Comment: Summit WM series Spy feature state.
Action: None

Log Message: Connection with RFDC session (id =%d) is up
Comment: Summit WM series Spy feature state.
Action: None

Log Message: Connection with AC for RFDC session with ip addr%s is down
Comment: Possible feature impact.
LLC_HANDLER (62)

Table 31: LLC_HANDLER (62) logs and events

Log Message: Malloc failed
Comment: Internal operation error. May indicate a larger problem with the system's memory resource management.
Action: If the problem persists, contact Technical Support for investigation.

Log Message: Unable to initialize semaphores
Comment: Internal operation error. May indicate a larger problem with the system's memory resource management.
Action: If the problem persists, contact Technical Support for investigation.
Log Message: Error in llc_packet_thread: Cannot determine langley connection subscriptions. Thread will exit
Comment: Internal operation error. The thread exit causes the component to terminate and be automatically restarted by the system's health monitor facility, so the situation should repair itself.
Action: If the problem persists, contact Technical Support for investigation.

RADIUS_ACCOUNTING (64)
Table 32: RADIUS_ACCOUNTING (64) logs and events

Log Message: No Response from one RADIUS accounting server:%s.
Comment: Possible issue with the configuration of the CDR/Accounting sub-system. Can result in missing accounting records/CDRs for system users. Does not affect user state, but it prevents the owner from billing properly for services rendered.
Action: If backup/alternate servers were defined, the system will attempt to connect to them.
RU_SESMGR_ID (65)

Table 33: RU_SESMGR_ID (65) logs and events (Continued)

Log ID: 36
Log Message: Mobility tunnel establishment failed with Peer%s. Please verify peer's reachability.
Comment: Possible feature impact. Some possible user impact, as the tunnel change purges the sessions associated with the peer.
Action: Verify the peer's reachability. Users that were connected will need to reauthenticate and renegotiate their topology profile.
MU_SESMGR_ID (66)

Table 34: MU_SESMGR_ID (66) logs and events

Log ID: 33
Log Message: Maximum number of home sessions has been reached. No more home users will be permitted.
Comment: The system has reached its maximum user capacity.
Action: Additional controllers need to be deployed to take on the excess capacity. Contact Sales support to discuss expanding the deployment.

Log ID: 34
Log Message: Maximum number of visiting sessions has been reached. No more visiting users will be permitted.
Log ID: 78
Log Message: Client session de-registration succeeded (%s) Reason is: Tunnel Disconnect.
Comment: Policy/Mobility request for user de-registration.
Action: None

Log ID: 79
Log Message: Client session de-registration succeeded (%s) Reason is: User request.
Comment: The user requested disconnection from the Mobility Domain (Captive Portal).
Action: None

Log ID: 80
Log Message: Client session de-registration succeeded (%s) Reason is: Mobility Manager request.

FILTER_MGR_ID (67)
Table 35: FILTER_MGR_ID (67) logs and events (Continued)

Log ID: 15
Log Message: Configuring wrong filter ID [%d].
Comment: Internal operation error in processing a filter group. Possible misconfiguration. The filtering sub-system will retry.
Action: If the problem persists, contact Technical Support for investigation.

Log ID: 16
Log Message: Property array is NULL for the received message [%d].
Comment: Internal operation failure. The filter sub-system will retry.
Log Message: Filter ID mismatch [%d] in the FE filter add operation.
Comment: Internal operation failure. The filter sub-system will retry.
Action: If the problem persists, contact Technical Support for investigation.

Log ID: 33
Log Message: Failed to receive message reason [%d].
Comment: Internal operation failure. The filter sub-system will retry.
Action: If the problem persists, contact Technical Support for investigation.

Log ID: 34
Log Message: Failed to process message [%d].

REDIRECTOR4 (68)
Table 36: REDIRECTOR4 (68) logs and events (Continued)

Log ID: 2
Log Message: Client%s is in an infinite loop!
Comment: Detected a possible issue with client behaviour on redirection. A filter failure may result in continuous redirection: a client that is redirected to the authentication page, but whose traffic to the authentication server is then blocked by the same filter, is redirected again on every request.
Action: Verify that the "Non-Authenticated" filter rules for the "WM-AD" are properly defined to allow access to the target authentication server. If no configuration issue is identified, contact Technical Support to investigate.
BEAST (75)

Table 37: BEAST (75) logs and events (Continued)

Log Message: Failed to initialize the output queue.
Comment: Internal operational issue. May result in failure to generate proper reports. The component may need to be reset.
Action: If the problem persists, contact Technical Support for investigation.

Log ID: 9
Log Message: Unable to create thread for polling MU Session Manager.
Comment: Internal operational issue. May result in failure to generate proper reports. The component may need to be reset.
Log ID: 66
Log Message: Received message [%d] whose payload is NULL.
Comment: Internal communication issue.
Action: If the problem persists, contact Technical Support for investigation.

Log ID: 67
Log Message: Shut down Access Controller Statistician.
Comment: The statistics server is terminating. Reports will not be generated, and user accounting may also be affected.
Action: If the problem persists, contact Technical Support for investigation.

Log ID: 129 (severity: Trace)
Log Message: Received CIA message: %d.
CPDP_AGENT_ID (110)

Table 41: CPDP_AGENT_ID (110) logs and events

Log ID: 9
Log Message: Possible LAND DoS attack (%s).
Comment: Possible Denial of Service attack.
Action: Investigate the attack characteristics. Identify the source and determine the best course of action to remedy the problem.

Log ID: 10
Log Message: Possible PING-OF-DEATH DoS attack (%s).
Comment: Possible Denial of Service attack.
Action: Investigate the attack characteristics. Identify the source and determine the best course of action to remedy the problem.
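The two rows above name the attacks but, as with every row in these tables, the guide does not describe what the CPDP agent actually checks. The following is an added example (editor's code, not Extreme Networks code and not the controller's own detection logic) that shows the classic characteristics behind the two event names, so that the "attack characteristics" the Action column asks you to investigate are concrete: a LAND packet carries identical source and destination addresses (and, for TCP, identical ports on a SYN); a Ping of Death is an ICMP echo whose IP fragments would reassemble to more than 65535 bytes, the largest datagram IPv4 can describe. The sample packets are constructed inside the block from documentation addresses, and mapping the two hits to log IDs 9 and 10 is this example's assumption, not something the guide states.

```python
"""Characteristics behind the CPDP_AGENT_ID "Possible LAND DoS attack" and
"Possible PING-OF-DEATH DoS attack" events.  Added example, not Extreme Networks
code; the guide does not document the controller's own heuristics."""
import socket
import struct

IP_MAX = 65535            # largest datagram an IPv4 total-length field can describe
PROTO_ICMP, PROTO_TCP = 1, 6
IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header without options


def build_ipv4(src, dst, proto, payload, ident=1, more_fragments=False, frag_offset=0):
    """Build a minimal IPv4 packet (no options, checksum left zero) for the samples."""
    ver_ihl = (4 << 4) | 5
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset // 8)
    header = struct.pack(IPV4_FMT, ver_ihl, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(buf):
    """Parse the fields the two checks need; None for a short or non-IPv4 buffer."""
    if len(buf) < 20:
        return None
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(IPV4_FMT, buf[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
           "id": ident, "mf": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8,
           "payload": buf[ihl:total_len]}
    # Ports and the SYN flag live in the first fragment's TCP header only.
    if proto == PROTO_TCP and pkt["offset"] == 0 and len(pkt["payload"]) >= 14:
        sport, dport = struct.unpack("!HH", pkt["payload"][:4])
        pkt.update(sport=sport, dport=dport, syn=bool(pkt["payload"][13] & 0x02))
    return pkt


def is_land(pkt):
    """LAND: source and destination address identical; for TCP also identical ports on a SYN."""
    if pkt["src"] != pkt["dst"]:
        return False
    if pkt["proto"] == PROTO_TCP and "sport" in pkt:
        return pkt["sport"] == pkt["dport"] and pkt["syn"]
    return True


class FragmentTracker:
    """Track the reassembled size per (src, dst, IP ID, proto) and flag an ICMP datagram
    whose fragments would reassemble beyond 65535 bytes (the Ping of Death shape)."""

    def __init__(self):
        self.sizes = {}

    def add(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["id"], pkt["proto"])
        end = pkt["offset"] + len(pkt["payload"])
        self.sizes[key] = max(self.sizes.get(key, 0), end)
        return pkt["proto"] == PROTO_ICMP and 20 + self.sizes[key] > IP_MAX


def scan(packets):
    """Run both checks over raw packets; return (event name, source) pairs in the order raised."""
    tracker = FragmentTracker()
    hits = []
    for buf in packets:
        pkt = parse_ipv4(buf)
        if pkt is None:
            continue
        if is_land(pkt):
            hits.append(("Possible LAND DoS attack", pkt["src"]))
        if tracker.add(pkt):
            hits.append(("Possible PING-OF-DEATH DoS attack", pkt["src"]))
    return hits


def sample_packets():
    """Constructed samples: a LAND SYN, a benign SYN, and an over-long ICMP echo in two fragments."""
    def tcp_syn(sport, dport):
        return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

    land = build_ipv4("192.0.2.9", "192.0.2.9", PROTO_TCP, tcp_syn(80, 80), ident=1)
    benign = build_ipv4("198.51.100.7", "192.0.2.9", PROTO_TCP, tcp_syn(40000, 80), ident=2)
    echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * 1472      # 1480-byte first fragment
    first = build_ipv4("203.0.113.5", "192.0.2.9", PROTO_ICMP, echo, ident=7,
                       more_fragments=True, frag_offset=0)
    last = build_ipv4("203.0.113.5", "192.0.2.9", PROTO_ICMP, b"B" * 100, ident=7,
                      more_fragments=False, frag_offset=65528)    # 65528 + 100 + 20 > 65535
    return [land, benign, first, last]


if __name__ == "__main__":
    for event, source in scan(sample_packets()):
        print("%s (%s)" % (event, source))
```

scan() is the function to feed captured packets to. The tracker keys on (src, dst, IP ID, protocol), which is what a real reassembler uses, so fragments from two hosts that happen to share an IP ID are not combined into a false hit.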
Table 43: ECHELON (126) logs and events (Continued)

Log Message: FE Link is up.
Comment: The FE is ready to start receiving provisioning configuration from the MP and to begin providing data services.
Action: None

Log ID: 9 (severity: Major)

Summit WM20 Technical Reference Guide, Software Version 4.2
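The tables in this chapter give each message as a printf-style template (%s, %d, %u placeholders) together with its comment and action. The following is an added example (editor's code, not part of the guide and not Extreme Networks code) that turns a handful of those templates into anchored regular expressions and runs them over constructed log lines, so the rogue-AP, redirection-loop, DoS and accounting-server events that a SOC cares about come out tagged with the documented action and with their parameters extracted. The guide does not say how the controller frames messages in syslog, so the "COMPONENT(id): message" framing of the sample lines is an assumption, as are the sample serial numbers and addresses; where the extracted tables appear to have lost the space before a placeholder ("AP%s", "scan%s"), the regex allows optional whitespace there.

```python
"""Triage of Summit WM controller log messages against the message templates
documented in the Logs and Events tables.  Added example; not Extreme Networks code."""
import re
from collections import Counter

# (component, component id, log id or None where the table omits it,
#  message template as printed in the table, category, documented action)
RULES = [
    ("REMOTE_INS", 58, None,
     "Rogue AP found by AP%s (SN%s) for scan%s (ID%d) on%s with unknown bssType%u",
     "rogue-ap", "Identify and neutralize the threat."),
    ("REMOTE_INS", 58, None,
     "Threat [Inactive AP with valid SSID] detected by AP%s, SN%s (%s).",
     "rogue-ap", "Identify and neutralize the threat."),
    ("RADIUS_ACCOUNTING", 64, None,
     "No Response from one RADIUS accounting server:%s.",
     "accounting-gap", "Accounting records/CDRs are being lost; check the server and any backups."),
    ("MU_SESMGR_ID", 66, 33,
     "Maximum number of home sessions has been reached. No more home users will be permitted.",
     "capacity", "Controller at capacity; additional controllers are needed."),
    ("REDIRECTOR4", 68, 2,
     "Client%s is in an infinite loop!",
     "redirect-loop", "Verify the Non-Authenticated filter rules for the WM-AD allow the authentication server."),
    ("CPDP_AGENT_ID", 110, 9,
     "Possible LAND DoS attack (%s).",
     "dos", "Investigate attack characteristics and identify the source."),
    ("CPDP_AGENT_ID", 110, 10,
     "Possible PING-OF-DEATH DoS attack (%s).",
     "dos", "Investigate attack characteristics and identify the source."),
]


def template_to_regex(template):
    """Turn a printf-style template into an anchored regex with one group per placeholder.
    Optional whitespace is allowed before each placeholder because the extracted tables
    seem to have dropped the space in "AP%s", "scan%s" and similar."""
    pattern = ""
    for part in re.split(r"(%[sdu])", template):
        if part == "%s":
            pattern += r"\s*(.+?)"
        elif part == "%d":
            pattern += r"\s*(-?\d+)"
        elif part == "%u":
            pattern += r"\s*(\d+)"
        else:
            pattern += re.escape(part)
    return re.compile("^" + pattern + r"\s*$")


COMPILED = [(rule, template_to_regex(rule[3])) for rule in RULES]

# Assumed framing of the sample lines: "<component>(<component id>): <message>".
FRAME = re.compile(r"^(\w+)\((\d+)\):\s*(.*)$")


def triage_line(line):
    """Return a dict describing the matched event, or None if no documented template matches."""
    framed = FRAME.match(line)
    if not framed:
        return None
    component, comp_id, message = framed.group(1), int(framed.group(2)), framed.group(3)
    for (rcomp, rid, log_id, _template, category, action), regex in COMPILED:
        if rcomp != component or rid != comp_id:
            continue
        hit = regex.match(message)
        if hit:
            return {"component": component, "log_id": log_id, "category": category,
                    "params": hit.groups(), "action": action}
    return None


def triage(lines):
    """Classify every line; return (events, counts by category, lines no template matched)."""
    events, unknown = [], []
    for line in lines:
        event = triage_line(line)
        if event is None:
            unknown.append(line)
        else:
            events.append(event)
    return events, Counter(event["category"] for event in events), unknown


def looping_clients(events, threshold=2):
    """Clients that triggered REDIRECTOR4 log ID 2 at least `threshold` times: continuous redirection."""
    counts = Counter(event["params"][0] for event in events if event["category"] == "redirect-loop")
    return sorted(client for client, n in counts.items() if n >= threshold)


# Constructed sample lines (serial numbers and addresses are made up).
SAMPLE_LINES = [
    "REMOTE_INS(58): Rogue AP found by AP 0500008012345678 (SN 0500008012345678) for scan Lobby (ID 7) on Radio1 with unknown bssType 5",
    "REMOTE_INS(58): Threat [Inactive AP with valid SSID] detected by AP 0500008012345678, SN 0500008012345678 (00:11:22:33:44:55).",
    "REDIRECTOR4(68): Client 10.20.30.40 is in an infinite loop!",
    "REDIRECTOR4(68): Client 10.20.30.40 is in an infinite loop!",
    "CPDP_AGENT_ID(110): Possible LAND DoS attack (192.0.2.9).",
    "CPDP_AGENT_ID(110): Possible PING-OF-DEATH DoS attack (192.0.2.9).",
    "RADIUS_ACCOUNTING(64): No Response from one RADIUS accounting server: 192.0.2.50.",
    "BEAST(75): Received message [12] whose payload is NULL.",
]

if __name__ == "__main__":
    events, counts, unknown = triage(SAMPLE_LINES)
    for event in events:
        print(event["component"], event["category"], event["params"], "->", event["action"])
    print(dict(counts))
    print("looping clients:", looping_clients(events))
    print("unmatched:", unknown)
```

looping_clients() is the check the REDIRECTOR4 row implies: a client that raises log ID 2 repeatedly is the one whose Non-Authenticated filter rules should be reviewed first. Lines that match no template (the BEAST line in the samples) are returned rather than dropped, so that messages not yet in the rule list are still visible.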
B Reference lists of standards

RFC list

This section lists the Internet Engineering Task Force (IETF) Request for Comments (RFC) standards supported by the Summit WM Controller, Access Points and Software. A Request for Comments is one of a series of notes about the Internet, submitted to the IETF and designated by an RFC number, that may evolve into an Internet standard. The RFCs are catalogued and maintained on the IETF RFC website: www.ietf.org/rfc.html.
Table 44: List of RFCs (Continued)

RFC Number: Title
RFC 3416: Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)
RFC 3417: Transport Mappings for the Simple Network Management Protocol (SNMP)
RFC 3418: Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
RFC 3576: Dynamic Authorization Extensions to RADIUS (the Disconnect-Request and CoA-Request messages; since obsoleted by RFC 5176)
RFC 959: File Transfer Protocol
Table 45: List of 802.11 standards supported (Continued)

Standard: Name
802.3z: 1000Base-X (Gigabit Ethernet)
802.1d: MAC bridges
802.1p
802.1q: VLANs
802.11 MIB: management information base for 802.11

Supported Wi-Fi Alliance standards

The following Wi-Fi Alliance standards are supported:
● Standard IEEE
  ● IEEE 802.11a
  ● IEEE 802.11b
  ● IEEE 802.
Index

Numerics
802.11 standards list, 166

E
EAP-TLS authentication, 23
EXTREME-SUMMIT-WM-BRANCH-OFFICE-MIB, 85
EXTREME-SUMMIT-WM-DOT11-EXTS-MIB, 85
EXTREME-SUMMIT-WM-MIB.

N
netsh tool, 32

O
Organizationally Unique Identifier (OUI), 77

P
PKI, 51
policies
  group policy settings, 39
proprietary MIBs, 85

R
RADIUS
  accounting, 78
  attributes, 70
  clients, 33
  infrastructure, 53
  redundancy, 70
  server, 23
  supported attributes, 80
registry, 55
remote access policy, 34
RF
  footprint, 89
  interference, 88
  transmission, 88
RFC list, 165
RFC1213, 84
roaming, 70
rogue systems, 22

U
User Agent (UA), 10
user certificates, 28

V
VSAs
  IAS server, 35

W
WEP, 51
Wi-Fi Alliance standards,