Summit® WM Technical Reference Guide Software Version 5.3 Extreme Networks, Inc. 3585 Monroe Street Santa Clara, California 95051 (888) 257-3000 (408) 579-2800 http://www.extremenetworks.
Table of Contents

About this guide
  Who should use this guide
  What is in this guide
  Formatting conventions

Step 3: Configuring the Primary IAS Server
  Step 3a: Configuring IAS
  Step 3b: Configuring a Wireless Remote Access Policy
Step 4: Configuring the secondary IAS server (if applicable)

Summit WM Controller WM20 capacity
Summit WM Controller WM20 LEDs
Summit WM Controller WM20 protocols
Chapter 7: Hardware maintenance

Configuration
  radiusd.conf file
  users file
  eap.conf file

RU_MANAGER (6)
RADIUS_CLIENT (7)
HOST_SERVICE_MANAGER (8)
VNMGR (9)
About this guide

This guide describes how to install, configure, and manage Extreme Networks® Summit® WM Controller, Altitude™ Access Points, and WM software.

Who should use this guide

This guide is a reference for system administrators who install and manage the Summit WM Controller, Access Points, and WM software system. Any administrator performing tasks described in this guide must have an account with full administrative privileges.
● Chapter 13, “Availability and session availability” provides information on the availability feature, which maintains service availability in the event of a Summit WM Controller outage.
● Chapter 14, “SNMP MIBs” provides a reference to the subset of MIB-II, as well as proprietary MIBs used in the repository of configuration and statistical data.
● Chapter 15, “DRM – Dynamic Radio Management” provides information on DRM and the Summit WM Software system.
When you call, please have the following information ready. This will help us to identify the document that you are referring to.
● Title: Summit WM Technical Reference Guide, Software Version 5.3
● Part Number: 120483-00 Rev 01

Protocols and standards

Chapter 19, “Reference lists of standards” lists the protocols and standards supported by the Summit WM Controller, Access Points, and WM software.
1 System Capacities

This chapter provides the supported limits and capacities of the Summit WM Controller software system.

Summit WM Controller WM20/WM200/2000

The following table specifies the performance capacities of the Summit WM Controller WM20/WM200/2000 platforms.
Table 2: Summit WM Controller WM100/WM1000 system capacities (Continued)

Limit                                           WM1000   WM100
Max # of users (single controller)              4096     2048
Max # of users (multi-box/reserved)             4096     2048
Max # of VoIP calls                             500      61-77
Max # of WM-AD                                  50       32
Max # of routes                                 10000    5000
Max # static routes                             500      500
Max # dynamic learnt routes                     9500     4500
Max # of admin users                            5        5
Max # of filter rules per group                 128      128
Max # of filter groups or filter definitions    512      512
Max# of total f
Table 3: Altitude AP system capacities (Continued)
Limit 450/451 Outdoor AP (2650/2660) 350-2i/350-2d
Max voice calls per radio Wireless to wired 11b=8 11b=8 11b=10 11b/g/a=34

NOTE
The maximum number of simultaneous transmissions per radio (TKIP) limits are version-dependent as follows:
• V3.x – Maximum 16 TKIP clients, maximum 112 WEP/AES/none
• V4.
System Capacities Table 5: Availability capacities (Continued) Limit Values Platforms Session availability failover less than 5 seconds WM200/WM2000 failover time 200 APs – 2 Minutes WM1000/WM200/WM2000 75 APs – 1 Minute WM100/WM200 4096 WM1000/WM2000 Max # users per failover Note: Failover users capacity is restricted to the number of Local users capacity of the system undertaking the failover.
2 Configuration of Dynamic Host Configuration Protocol (DHCP)

Wireless AP Discovery supports the following methods:
● Service Location Protocol (SLP)
● Domain Name Server (DNS) – ext-summitwm-connect-1.
● Multicast – Same subnet multicast discovery

The listed discovery methods are tried in succession until a method is identified which produces a successful registration with a controller. Static configuration can also be used for Wireless AP registration.
Service Location Protocol (SLP) (RFC2608)

Service Location Protocol (RFC2608) is a method of organizing and locating the resources (such as printers, disk drives, databases, e-mail directories, and schedulers) in a network. Using SLP, networking applications can discover the existence, location and configuration of networked devices.
Service Agent so configured must not employ either active or passive multicast discovery of Directory Agents. The Directory Agents listed in Option 78 must be configured with a non-empty subset of the scope list that the Agent receiving the Directory Agent Option 78 is configured with.

SLP Service Scope Option (Option 79)

Services are grouped together using scopes. Scopes are strings that identify a set of services that form an administrative grouping.
Dynamic Host Configuration Protocol – Summit WM Controller and AP Discovery and other Services

Dynamic Host Configuration Protocol (DHCP) can be used for several purposes in a network configuration of a Summit WM Controller. Consider the following diagram:

Figure 1: DHCP in a Summit WM Controller system (diagram labels: Core network a.b.c.d; AP deployment network 1 e.f.g.h; AP deployment network 2 i.j.k.l; DHCP; Wireless laptop; Summit WM-AD wireless network)
In this setup there are four different areas in which DHCP must be considered:

Figure 2: Areas needing consideration for DHCP (diagram labels: areas A, B, C, D; AP deployment network 1 e.f.g.h; Core network a.b.c.d; AP deployment network 2 i.j.k.l; DHCP; Summit WM-AD wireless network w.x.y.z; Wireless laptop)

Table 8: Use of DHCP

Area  Description of use for DHCP
A     DHCP INFORM messages are periodically sent on all physical ports (esa0-1 on WM1000, esa0-3 on WM200/2000 Summit WM Controllers).
Table 8: Use of DHCP (Continued)

Area  Description of use for DHCP
C     For AP deployment networks that are not in the same subnet as the Summit WM Controller, there needs to be some mechanism to allow the APs to find the Summit WM Controller across subnets.
Using the Summit WM Controller as the default DHCP server You can use the Summit WM Controller as the default DHCP server. This feature allows the controller to act as a DHCP server for the Altitude AP. The Summit WM Controller can also be used as a general DHCP server. The Summit WM Controller’s DHCP server is configured to ensure DHCP requests made to the esa ports are properly responded to. Each physical port can be configured separately.
The limitation of using DHCP relay lies in the logging of DHCP messages on the Summit WM Controller. When DHCP relay is used, the DHCP log under Logs & Traces > DHCP Messages is not populated with DHCP requests. It is assumed that, for DHCP relay, the target DHCP server has its own logging mechanism.

DHCP configuration example: ISC dhcpd on Linux

Consider the following topology:

Figure 3: Topology for DHCP example (diagram label: Network 10.0.0.0/24)
The following is the configuration file dhcpd.conf from the Linux server at 10.0.0.9:

Figure 4: dhcpd.conf example listing

This file can be divided into the following four areas:
● General options: lines 1-3
● Scope for 10.0.0.0/24 subnet: lines 4-8
● Scope for 172.16.1.0/24 subnet (voice subnet): lines 9-18
● Scope for 172.16.2.0/24 subnet (laptop subnet): lines 19-27
General options

Line 1 designates this DHCP server as authoritative in case another DHCP server answers requests.

Line 2 sets options for Dynamic DNS. This option turns off DNS updates based upon DHCP mappings. There are other options that allow DHCP to update a DNS server to reflect the addresses handed out by the DHCP server. See the man page for dhcpd.conf for more information on support for this option.
Wireless AP DHCP Registration Setup (Windows)

You can configure the DHCP service that is included with Windows 2000 and Windows 2003 to provide DHCP option 78. Extreme Networks Altitude APs (Wireless APs), as clients of the Summit WM Controller, may require DHCP option 78 to be configured for controller discovery. These options are sometimes referred to as the SLP options.
NOTE
It is also possible to attend to this using Dotted Decimal form. For example, for the controller ESA Port IP address 10.53.0.1, additions should be made in hexadecimal format 00 0A 35 00 01. For the sake of convenience, a quick reference chart follows for the decimal to hexadecimal conversions.
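The hexadecimal string in the note above (00 0A 35 00 01) is the option 78 payload: one mandatory-flag byte followed by the controller's IPv4 address. The following added example (not part of the original guide) builds and validates option 78 and option 79 payloads using the RFC 2610 layout and renders them as a hex entry and as ISC dhcpd statements; the scope name DEFAULT is a constructed sample value.

```python
"""Added example: SLP DHCP options 78 and 79 as byte payloads (RFC 2610 layout)."""
import ipaddress


def encode_option78(addresses, mandatory=False):
    """Option 78 payload: one mandatory-flag byte, then each Directory Agent IPv4 address."""
    if not addresses:
        raise ValueError("option 78 needs at least one address")
    payload = bytes([1 if mandatory else 0])
    for addr in addresses:
        payload += ipaddress.IPv4Address(addr).packed  # rejects malformed addresses
    if len(payload) > 255:
        raise ValueError("DHCP option data is limited to 255 bytes")
    return payload


def decode_option78(payload):
    """Validate an option 78 payload and return (mandatory, [addresses])."""
    if len(payload) < 5 or (len(payload) - 1) % 4:
        raise ValueError("expected 1 flag byte plus a multiple of 4 address bytes")
    if payload[0] not in (0, 1):
        raise ValueError("mandatory byte must be 0 or 1")
    addrs = [str(ipaddress.IPv4Address(payload[i:i + 4]))
             for i in range(1, len(payload), 4)]
    return bool(payload[0]), addrs


def encode_option79(scopes, mandatory=False):
    """Option 79 payload: mandatory-flag byte, then the comma-separated scope list (UTF-8)."""
    if not scopes or any(not s or "," in s for s in scopes):
        raise ValueError("scopes must be non-empty strings without commas")
    payload = bytes([1 if mandatory else 0]) + ",".join(scopes).encode("utf-8")
    if len(payload) > 255:
        raise ValueError("DHCP option data is limited to 255 bytes")
    return payload


def to_hex_entry(payload):
    """Render a payload as space-separated hex bytes, the form used in the note above."""
    return " ".join(f"{b:02X}" for b in payload)


def from_hex_entry(text):
    """Parse a space-separated hex entry back into bytes."""
    return bytes.fromhex(text)


def dhcpd_statements(addresses, scopes, mandatory=False):
    """Equivalent ISC dhcpd statements (see dhcp-options(5))."""
    flag = "true" if mandatory else "false"
    scope_text = ",".join(scopes)
    return [
        f"option slp-directory-agent {flag} {', '.join(addresses)};",
        f'option slp-service-scope {flag} "{scope_text}";',
    ]


if __name__ == "__main__":
    # Address from the note above; scope name is a constructed sample.
    entry = to_hex_entry(encode_option78(["10.53.0.1"]))
    print("option 78:", entry)
    print("decoded  :", decode_option78(from_hex_entry(entry)))
    print("option 79:", to_hex_entry(encode_option79(["DEFAULT"])))
    for line in dhcpd_statements(["10.53.0.1"], ["DEFAULT"]):
        print(line)
```

Decoding an entry before deploying it catches a missing flag byte or a mistyped octet, either of which leaves the APs unable to locate the controller through this option.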
DNS Settings for Altitude AP Discovery

This mechanism assumes that DNS services are configured and available.
3 Rogue Access Point Detection

The rogue AP detection feature, Summit WM series Spy, provides capabilities to Summit WM Controllers that allow Wireless APs to periodically scan the RF space and report suspect devices. With this capability, Wireless APs can multitask as scan devices as well as access points. This allows rogue detection to occur without installing overlay sensor networks.
7 Inactive Wireless AP with unknown SSID – Major Alarm
A “known” Wireless AP with an unknown SSID has been detected that the Summit WM Controller has identified as not in service (stolen?).

8 Known AP with Valid SSID Suppress Conflict – Critical Alarm
A “known” Altitude AP with a valid SSID has been detected, however the configured AP is not broadcasting the SSID value (suppressed). Instead, the rogue device is broadcasting the SSID.
4 Creating the Windows Security Infrastructure To ensure information and best practice configuration integrity, all information contained in this section was extracted from this source: ● “Deploying Secure 802.11 Wireless Networks with Microsoft Windows”, by Joseph Davies http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx Wireless client computers running Windows: Windows XP and Windows Server 2003 have built-in support for IEEE 802.11 wireless access and IEEE 802.
Creating the Windows Security Infrastructure issuer of the IAS server computer certificates, you might also have to install root CA certificates on each wireless client. Wireless remote access policy: A remote access policy is configured for wireless connections so that employees can access the organization intranet. Multiple wireless APs: Multiple third-party wireless APs provide wireless access in different buildings of an enterprise. The wireless APs must support IEEE 802.
● Step 8: Installing User Certificates on Wireless Client Computers for EAP-TLS
● Step 9: Configuring Wireless Clients for EAP-TLS
● Step 10: Configuring Wireless Client Computers for PEAP-MS-CHAP v2

Step 1: Configuring the Certificate Infrastructure

Table 12 summarizes the certificates needed for the different types of authentication.
Creating the Windows Security Infrastructure the installed root CA certificates in the Trusted Root Certification Authorities\Certificates folder and you can view the intermediate CA certificates in the Intermediate Certification Authorities\Certificates folder. ● In a typical enterprise deployment, the certificate infrastructure is configured using single root CA in a three-level hierarchy consisting of root CA/intermediate CAs/issuing CAs.
● Backing up the CA database, the CA certificate, and the CA keys is essential to protect against the loss of critical data. The CA should be backed up on a regular basis (daily, weekly, monthly) based on the number of certificates issued over the same interval. The more certificates issued, the more frequently you should back up the CA.
Creating the Windows Security Infrastructure a certificate is revoked, the CRL is manually published, but the IAS server still allows the connection because the local CRL has not yet been updated.
existing certificate templates, a feature that is only supported for Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, enterprise CAs. Only Windows XP and Windows Server 2003 wireless clients support user certificate autoenrollment. To configure user certificate enrollment for a Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, enterprise CA: 1 Click Start, click Run, type mmc, and then click OK.
Creating the Windows Security Infrastructure Step 2: Configuring Active Directory for Accounts and Groups To configure Active Directory user and computer accounts and groups for wireless access, do the following: 1 If you are using Windows 2000 domain controllers, install Windows 2000 SP3 or SP4 on all domain controllers. 2 Ensure that all users that are making wireless connections have a corresponding user account.
CAs, this method does not work for third-party CAs. The recommended method of importing certificates is to use the Certificates snap-in. For information about how to install a VeriSign, Inc. certificate for PEAP-MS-CHAP v2 authentication, see Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication. 3 Install IAS as an optional networking component. 4 If you are using Windows 2000 IAS, install Windows 2000 SP4.
3 Right-click Internet Authentication Service, and then click Register Server in Active Directory. When the Register Internet Authentication Service in Active Directory dialog box appears, click OK.

Register the IAS server in the default domain using the netsh tool
1 Log on to the IAS server with an account that has domain administrator permissions.
2 Open a command prompt.
Add RADIUS clients 1 Open the Internet Authentication Service snap-in. 2 For Windows 2000 IAS, in the console tree, right-click Clients, and then click New Client. For Windows Server 2003 IAS, in the console tree, right-click RADIUS Clients, and then click New RADIUS Client. 3 In Friendly name, type a descriptive name. 4 In Protocol, click RADIUS, and then click Next. 5 In Client address (IP or DNS), type the DNS name or IP address for the client. If you are using a DNS name, click Verify.
Creating the Windows Security Infrastructure Profile, Encryption tab: Clear all other check boxes except the Strongest check box. This forces all wireless connections to use 128-bit encryption. The settings on the Encryption tab correspond to the MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types RADIUS attributes and might be supported by the Altitude AP. If these attributes are not supported, clear all the check boxes except No encryption.
8 Specify the vendor for your Altitude AP. To specify the vendor by selecting the name from the list, click Select from list, and then select the vendor of the Altitude AP for which you are configuring the VSA. If the vendor is not listed, specify the vendor by typing the vendor code. 9 To specify the vendor by typing the vendor code, click Enter Vendor Code and then type the vendor code in the space provided. See RFC 1007 for a list of SMI Network Management Private Enterprise Codes.
3 Click Edit Profile. The Edit Dial-In Profile dialog is displayed.
4 Click the Advanced tab.
5 Click Add. The Add Attribute dialog is displayed.
6 From the list, select the applicable Vendor Specific Attribute, and then click Add. The Attribute Information dialog is displayed.
7 In the Attribute value box, type 4329 as the vendor number, and then click OK.
8 Configure the applicable attributes as per the dictionary file at: /etc/extreme/raddb/dictionary.extreme.

Dictionary file

In the file /etc/extreme/raddb/dictionary.extreme, the VSAs are:
# dictionary.
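The vendor number 4329 entered in step 7 travels inside RADIUS attribute 26 (Vendor-Specific). The following added example (not part of the original guide or of the product's dictionary) encodes and strictly parses that attribute using the sub-attribute layout recommended by RFC 2865; the sub-attribute number 1, its value, and the sample attribute bytes are constructed for illustration.

```python
"""Added example: encode and strictly parse RADIUS Vendor-Specific attributes (type 26)."""
import struct

VENDOR_SPECIFIC = 26
VENDOR_ID = 4329  # vendor number given in step 7 above


def encode_vsa(vendor_id, vendor_type, value):
    """Build attribute 26: type, length, 4-byte vendor id, then vendor-type/length/value."""
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor type must fit in one byte")
    if not 0 <= vendor_id < 2 ** 24:
        raise ValueError("high-order byte of the vendor id must be zero")
    sub = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", vendor_id) + sub
    if len(body) + 2 > 255:
        raise ValueError("attribute exceeds 255 bytes")
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def iter_attributes(data):
    """Yield (type, value) pairs, rejecting lengths that run past the buffer."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[offset], data[offset + 1]
        if a_len < 2 or offset + a_len > len(data):
            raise ValueError("attribute length out of bounds")
        yield a_type, data[offset + 2:offset + a_len]
        offset += a_len


def extract_vsas(data, vendor_id):
    """Return [(vendor_type, value)] for one vendor id, ignoring other vendors' VSAs."""
    found = []
    for a_type, value in iter_attributes(data):
        if a_type != VENDOR_SPECIFIC:
            continue
        if len(value) < 6:
            raise ValueError("VSA too short for vendor id and sub-attribute header")
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        sub, pos = value[4:], 0
        while pos < len(sub):
            if len(sub) - pos < 2:
                raise ValueError("truncated sub-attribute header")
            v_type, v_len = sub[pos], sub[pos + 1]
            if v_len < 2 or pos + v_len > len(sub):
                raise ValueError("sub-attribute length out of bounds")
            found.append((v_type, sub[pos + 2:pos + v_len]))
            pos += v_len
    return found


# Constructed sample attribute list: User-Name, one VSA for vendor 4329
# (hypothetical sub-attribute 1), and one VSA belonging to a different vendor id.
SAMPLE = (
    bytes([1, 7]) + b"alice"
    + encode_vsa(VENDOR_ID, 1, b"guest-policy")
    + encode_vsa(311, 16, b"\x00\x00\x00\x01")
)

if __name__ == "__main__":
    for v_type, v_value in extract_vsas(SAMPLE, VENDOR_ID):
        print(f"vendor {VENDOR_ID} sub-attribute {v_type}: {v_value!r}")
```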
Creating the Windows Security Infrastructure Step 4: Configuring the secondary IAS server (if applicable) To configure the secondary IAS server on another computer, do the following: 1 If you are using computer certificate autoenrollment and Windows 2000 IAS, force a refresh of computer Group Policy by typing secedit /refreshpolicy machine_policy from a command prompt.
Step 5: Deploying and Configuring Wireless APs

Deploy your wireless APs to provide coverage for all the areas of your wireless network. Configure your Summit WM Controller and Wireless APs to support WPA, WPA2, or WEP encryption with 802.1X authentication. Additionally, configure RADIUS settings on your Summit WM Controller with the following:
1 The IP address or name of a primary RADIUS server, the shared secret, UDP ports for authentication and accounting, and failure detection settings.
Creating the Windows Security Infrastructure 9 On the Network Properties tab, type the wireless network name (SSID) and change wireless network key settings as needed. 10 Click the IEEE 802.1X tab. Change 802.1X settings as needed, including specifying and configuring the correct EAP type. Click OK twice to save changes.
The enterprise organization’s information technology (IT) group can install a computer certificate before the computer, typically a laptop, is delivered to its user. For information about CAPICOM, search for “CAPICOM” at http://msdn.microsoft.com/. Step 8: Installing User Certificates on Wireless Client Computers for EAP-TLS For user authentication with EAP-TLS, you must use a locally installed user certificate or a smart card.
Creating the Windows Security Infrastructure 3 In the Certificate Request Wizard, select the following information: The type of certificate you want to request. If you have selected the Advanced check box: a The cryptographic service provider (CSP) you are using. b The key length (measured in bits) of the public key associated with the certificate. c Do not enable strong private key protection. d If you have more than one CA available, select the name of the CA that will issue the certificate.
3 In the details pane, right-click the certificate you want to export, point to All Tasks, and then click Import. 4 Type the file name containing the certificate to be imported. (You can also click Browse and navigate to the file.) 5 If it is a PKCS #12 file, do the following: Type the password used to encrypt the private key. (Optional) If you want to be able to use strong private key protection, select the Enable strong private key protection check box.
IAS1.example.microsoft.com and IAS2.example.microsoft.com, then type the string “example.microsoft.com”. Ensure that you type the correct string, otherwise, authentication will fail.
3 Click OK to save changes to the Smart Card or other Certificate EAP type.

To configure EAP-TLS authentication on a wireless client running Windows 2000 SP4, do the following:
1 Obtain properties of the wireless connection in the Dial-up and Network Connections folder.
NOTE By default, the PEAP-MS-CHAP v2 authentication uses your Windows logon credentials for wireless authentication. If you are connecting to a wireless network that uses PEAP-MS-CHAP v2 and you want to specify different credentials, click Configure and clear the Automatically use my Windows logon name and password check box.
Additional Intranet Wireless Deployment Configurations

This section describes the following additional intranet wireless deployment configurations:
● Internet access for business partners
● Using a third-party CA
● Cross-forest authentication
● Using RADIUS proxies to scale authentications

Internet Access for Business Partners

The following is the behavior of most wireless APs in use today with respect to the receipt of RADIUS Access-Accept and Access-Rej
To configure a wireless remote access policy for Internet access for business partners, vendors, or other non-employees, create a new custom remote access policy for wireless Internet access with the following settings: ● Policy name: Wireless access to Internet (example) ● Conditions: NAS-Port-Type=Wireless-Other or Wireless-IEEE 802.11, WindowsGroups=WirelessInternetUsers ● Permissions: Select Grant remote access permission.
Creating the Windows Security Infrastructure Additionally, the root CA certificates of the CAs that issued the wireless client computer and user certificates must be installed in the Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates folder. Certificates on Wireless Client Computers For the user and computer certificates installed on wireless client computers, the following must be true: ● They must have a corresponding private key.
Otherwise, the proxy server settings only apply to the user account that was used to login to the IAS server in step 1. 7 From inside the new command prompt, type “%programfiles%\Internet Explorer\Iexplore.exe” (including the quotes) and press ENTER. This opens Internet Explorer in the local system security context. 8 Click Tools, and then click Internet Options. 9 Click the Connections tab, and then click LAN Settings. 10 In Proxy server, select Use a proxy server for your LAN.
5 Windows Recommendations and Best Practices The following are recommendations and best practices for deploying an IEEE 802.11 WLAN in a large enterprise. Security Microsoft recommends that you use one of the following combinations of security technologies (in order of most to least secure): ● WPA2 with EAP-TLS and both user and computer certificates - EAP-TLS is the strongest 802.1X authentication method supported by Windows-based wireless clients.
Windows Recommendations and Best Practices ● To install user certificates, use auto-enrollment - This requires the use of a Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, Certificate Services server as an enterprise CA at the issuer CA level. ● Otherwise, to install user certificates, use a CAPICOM script - Alternately, use a CAPICOM script to install both computer and user certificates.
Active Directory When configuring Active Directory for wireless access, use the following best practices: ● If you have a native-mode domain and are using a group-based wireless remote access policy, use universal groups and global groups to organize your wireless accounts into a single group. Additionally, set the remote access permission on computer and user accounts to Control access through Remote Access Policy.
Windows Recommendations and Best Practices account database (such as different Active Directory forests). RADIUS messages are forwarded to a member of the corresponding remote RADIUS server group matching the connection request policy. ● Investigate whether the wireless APs need RADIUS vendor-specific attributes (VSAs) and configure them during the configuration of the remote access policy on the Advanced tab of the remote access policy profile.
Configuring Computer-only Authentication using the Wireless Network (IEEE 802.11) Policies Group Policy Extension

To configure computer-only authentication using the Wireless Network (IEEE 802.11) Policies Group Policy extension, select Computer only in Computer authentication on the 802.1X tab for the preferred network that corresponds to your wireless network. Figure 4 shows an example.

Figure 6: Selecting computer-only authentication in the Wireless Network (IEEE 802.
Alternately, you can use network management software to change registry settings on managed computers.

Summary

You can perform secure wireless authentication with either EAP-TLS or PEAP-MS-CHAP v2. For EAP-TLS, you must deploy a certificate infrastructure capable of issuing computer certificates to your IAS servers and both computer and user certificates to your wireless client computers and users.
6 Summit WM Controller diagnostics WARNING! Changes or modifications made to the Summit WM Controller or the Wireless APs which are not expressly approved by Extreme Networks could void your service contract. Only authorized Extreme Networks service personnel are permitted to service the system. Procedures that should be performed only by Extreme Networks personnel are clearly identified in this guide.
Summit WM Controller diagnostics Table 14 shows the system capacities for each license.
NOTE The error codes represented by the SSD are context dependent on the state of the LEDs (ACT, W, E). Summit WM Controller WM200/2000 LED states and Seven Segment Display (SSD) codes Firmware initialization: Table 15: LED states and SSD codes during firmware initialization Active LED Warning LED Error LED SSD Codes Condition Green 0 The processor has started; and the firmware has taken control. Green 3 The Host Supervisor Card has failed to download Bootloader from Flash.
Summit WM Controller diagnostics Warning conditions: Table 17: LED states and SSD codes during warning conditions Active LED Warning LED Error LED SSD Code Condition Green Yellow 1 High temperature reached. Green Yellow 2 Fan unit failure. Rotation counter indicates zero speed for one of the lateral trays. May be the result of fan tray removal. Green Yellow 3 Power supply failure. Failed to detect one of the power supplies.
System Startup

The firmware and bootloader procedures execute the system startup phase. Table 19 provides SSD descriptions.

Table 19: SSD definitions

SSD  Description
0    The processor has started. The firmware has taken control. This SSD is short and rarely in running systems.
4    Check Firmware consistency, ev. update
5    Format Memory
6    Initialize load device
9    Load subsystem
b    Start operating System, System active

The SSD b is displayed to indicate that the OS has started.
Summit WM Controller diagnostics Table 20: Summit WM Controller WM200/2000 application states (Continued) Condition System halted. Administrator requested halting of system. Log Level Comment Action Major This SSD code indicates that the administrator has requested the halting of system's operations. The system is in halted state. Reset system power to restore operational state. Major (set) Temperature in one of the system's sensors has reached high threshold notification of occurrence.
Table 20: Summit WM Controller WM200/2000 application states (Continued) Condition Log Level Comment Action Error LED Failed to identify FDD. Possibly due to removal of FDD card. • Activity LED = Enabled Re-insert card. If card present, contact Technical Support to arrange replacement. • Warning LED = Enabled • Error LED = Enabled • SSD= 1 Failed to initialize NPE card. • Activity LED = Enabled • Warning LED = Enabled Re-insert card. If card present, contact Technical Support to arrange replacement.
Summit WM Controller diagnostics Table 20: Summit WM Controller WM200/2000 application states (Continued) Log Level Condition Comment Action MCE failure. Backup sectors exhausted. Contact Technical Support to arrange replacement. • Activity LED = Enabled • Warning LED = Enabled • Error LED = Enabled • SSD= 7 NPE Initialization Failure. Firmware self test (BIST) has detected failure with one component (memory, bus, interconnects) Contact Technical Support to arrange replacement.
Table 21: Protocols and Ports (Continued) Protocol (TCP/UDP) Component Src Port Dst Port Service Remarks Source Destination Controller Controller TCP(UDP) 13911 BM (AC) Availability Controller Access Point TCP/UDP 69 TFTP Access Point Controller TCP/UDP 69 TFTP Used for Access Point software update Router Controller OSPF OSPF Routing Protocol DHCP Server Controller UDP Any 67-68 DHCP DHCP communications such as DHCP relay or informs.
Summit WM Controller WM20 diagnostics

Summit WM Controller WM20 capacity

Table 22 shows the filesystem capacity for the Summit WM Controller WM20.

Table 22: Summit WM Controller WM20 filesystem capacity

Filesystem                     Size     Comment
/                              21 GB    Main partition for OS and application installation
/home                          1.9 GB   User Accounts
/var/log/controller/cdr        1.9 GB   Accounting CDRs
/var/log/controller/logs       1.4 GB   Application logs
/var/log/controller/reports    1.
To connect to the console port: 1 Install the virtual serial driver by Silicon Laboratories Inc. on the laptop. You only need to install the serial driver once. You do not need to repeat installing the software each time you connect to the port. 2 The CP210x USB to UART Bridge VCP drivers are provided by Silicon Laboratories Inc. Depending on the OS of your computer, click on the appropriate "VCP Driver Kit" link on the web page given below. Note that this URL is subject to change. https://www.silabs.
Summit WM Controller diagnostics Summit WM Controller WM20 capacity Table 23 shows the system capacities for the Summit WM20 Controller.
NOTE The hot swap lever is not enabled in the current release. Pulling the hot swap lever will not affect the normal operation if the Summit WM Controller WM20 is already running. However, if you attempt to reboot the Summit WM Controller WM20 with the hot swap lever pulled out, the controller will fail to reboot. If you pull the hot swap lever while the Summit WM Controller WM20 is in operation, the Hot Swap LED will light up.
7 Hardware maintenance

Summit WM Controller WM200/2000 maintenance

WARNING! The Summit WM Controller WM200/2000 system may not be operated in a LAN in which a DC voltage is overlaid on the data lines, since there are still switches that connect directly without checking the supply voltage first. Depending on the transformer at the LAN interface, voltages of up to 500 V can be induced. Such peak voltages usually lead to destruction of the physical LAN controller's logic.
NOTE If your infrastructure does not allow a copper connection, you must get a Gigabit Media Converter to convert the copper connection to a fibre optic connection. For example, you can use Netgear GC102 converter that receives the copper connection and outputs traffic via the fibre optic connector.

Summit WM Controller WM200/2000 power supply

The Summit WM Controller WM200/2000 is equipped with a redundant power supply (Figure 10).
Power FRUs

This section describes the power field replaceable units (FRUs) for the Summit WM Controller WM200/2000. It also provides procedures for removing, replacing, and verifying each FRU.

Summit WM Controller WM200/2000, AC-powered, redundant system

The power FRUs on an AC-powered redundant Summit WM Controller WM200/2000 system are two AC-to-DC shelf power supply units (ACPCI) on the Summit WM Controller WM200/2000 shelf.
Figure 13 illustrates the fan tray covers, as well as the numbering of the fans. Figure 14 illustrates the ventilation grills for the Summit WM Controller WM200/2000 fans.

Figure 13: Fan tray covers and numbering of fans (fan tray cover for Fans 1 and 2; fan tray cover for Fans 3 and 4)

Figure 14: Summit WM Controller WM200/2000 ventilation grills

MF1000 Media Flash Card

The MF1000 card (Figure 15) consists of a 1GB Flash Disk Drive.
Figure 15: MF1000 card

The MF1000 card includes:
● Hardware Part Number – MF1000 (including Flashdrive) S30810-K2319-X110
● WM200/2000 Media Services Engine (MSE 2011)
● LEDs – The front side of the card features two green LEDs (IDE1 = HD/IDE2 = MO) that indicate the status of the individual drives.
● Compact Flash – A 1GB compact flash interface is also available on the card. The compact flash interface supports image management operations.
● Two signal interfaces from redundant PSU that provide the following information to CPU (registered and memory mapped):
  ● Provide alarm from PSU to s/w if redundant power module failed
● 2 MB of onboard Flash (used for system Bootrom, diagnostic, system serial number, Extreme Networks-specific MAC address for Eth ports, etc…; accessible by s/w applications).
NOTE Replacing the SC1100 alters the MAC addresses of the system data ports. New MAC addresses are advertised on the network in relation to the system interface IPs. You must ensure that no specific network topology is in place which can be affected by the MAC address change to the network. The IP addresses for the system do not change.

Summit WM Controller WM200/2000 power and maintenance procedures

This section provides procedures to power off and power on the system when performing maintenance.
Figure 18: ESD Wrist Strap and Cord Assembly

Using electrostatic discharge prevention procedures

Always follow the electrostatic discharge (ESD) prevention procedure when you remove and replace cards. Failure to follow the ESD prevention procedure can result in permanent or intermittent card failures.

CAUTION Observe all precautions for electrostatic discharge.
5 Observe the following ESD prevention guidelines during the performance of system maintenance procedures:
● Handle cards by their edges only
CAUTION Avoid contact between the card and your clothing. Electrostatic charges on clothing can damage the card. The wrist strap protects the card from electrostatic charges on your body only.
● Immediately place any card you remove from the system into a static-shielding package.
Powering off the Summit WM Controller WM200/2000

To power off the Summit WM Controller WM200/2000:
1 Log in to the Summit WM GUI.
2 From the main menu, click Summit Controller Configuration. The Summit Controller Configuration page is displayed.
3 Under System Shutdown, select Halt System, and then click Apply Now. The following dialogue box is displayed.
4 Click OK. The software’s operation is halted and you are logged out of the system.
5 Switch off the Summit WM Controller’s power switches, located on the back panel. The Summit WM Controller is now completely powered off.

Figure 19: Summit WM Controller WM200/2000 power switches

WARNING! Do not power off the Summit WM Controller by using the power switches only. Instead, carry out the entire procedure as described above. Failure to do so may corrupt the data on the hard disk drive.
NOTE The Summit WM Controller WM20 can operate with either 110 or 230 V AC. No electrical connection exists between the Altitude APs and the Summit WM Controller WM20. The Summit WM Controller WM20 and the Altitude APs communicate with each other via the IP network. For more information, see the Summit WM User Guide.
Summit WM Controller WM20 power and maintenance procedures

The power and maintenance procedures for the Summit WM Controller WM20 are similar to those for the Summit WM Controller WM200/2000. For more information, see “Powering off the Summit WM Controller WM200/2000” on page 90.
8 Altitude AP antenna selection

You can select the antennas to be used by each radio for the Wireless 802.11n AP model Altitude 450. The default antenna selection is to use all three antennas for each radio. This feature will enable the use of single band antennas.
9 AP as 802.1X supplicant

802.1X is an IEEE standard that addresses how to provide network access only to authorized users. The basic idea behind 802.1X is that all network switches (authenticators) that perform 802.1X authentication will only allow 802.1X traffic when a connected device (supplicant) first connects to them. Only after the supplicant has been authenticated and authorized will its normal traffic be allowed to pass through.
The Summit WM GUI’s 802.1X tab provides AP credentials management:
1 Generate a certificate signing request (CSR) for a single AP. The generated CSR is stored on the local file system and needs to be retrieved for transfer to the CA. For the Common Name used in the CSR, you can use either the AP name, serial number, MAC address, or type a custom string.
2 Install a TLS certificate on the target AP.
Storing credentials on the AP

Credentials are stored on the AP in persistent storage. The private key is encrypted (i.e. scrambled) using a 256-bit key called AP storage key (APSK). Resetting the AP to factory defaults destroys the private keys and the certificates. The Summit WM Controller stores the AP’s private key and certificate for as long as is required to transfer it to the AP.
Proxy

In proxy mode, the Summit WM Controller generates a CSR in PKCS#10 format for APs at the request of the administrator and generates a private key for the AP. The Summit WM Controller installs the certificate and private key to the AP once the CA has generated a signed certificate in DER encoding (.CER). In this mode, the administrator is responsible for uploading the AP’s certificate to the AP using the Summit WM GUI.
TLS server authentication

As part of EAP-TLS, a client may use server authentication. The AP 802.1X supplicant will not authenticate the authentication server. Consequently, it does not need to be configured with the address of a certificate repository, a collection of CA certificates, or a CRL during 802.1X authentication.

Authentication with 802.1X

In order to enable 802.1X authentication, the authenticator (AU) must be configured for 802.1X on the port where the AP is connected.
EAP-TLS authentication

Figure 23 below illustrates the EAP-TLS authentication process. The AP is directly connected to the access port on the authenticator. The AP begins the process by sending an EAP start message to the AU and responds to the AU identity request. The AP provides the identity in the identity reply. Identity is presented to the AS and from that moment on, EAP-TLS messages are exchanged between the AS and the AP.
EAP-PEAP authentication

EAP-PEAP involves the same three security elements as EAP-TLS:
● Supplicant (AP)
● Authenticator
● Authentication server

EAP-PEAP consists of two stages:
● Establishment of the TLS tunnel in order to prepare a secure channel for the second stage
● Authentication based on the challenge response authentication methods

APs support MD5 and MS-CHAPv2 authentication protocols.

Configuring APs for .
3 Type the EAP-PEAP username and password. The username can be one of the pre-defined choices (AP name, serial number, MAC), or you can type a custom string.
4 Save the configuration. The certificate status window displays the results of the configuration push to the AP.

NOTE The AP should be connected to the Summit WM Controller in order to receive and acknowledge the configuration.
NOTE In proxy mode there is a possibility of a mismatch between the private key created with the CSR and the certificate returned from the CA. The Summit WM Controller retains the private key that was created together with the CSR. If a new CSR is created by clicking Generate Certificate Signing Request before the certificate is returned from the CA, a new certificate is required because the old private key is overwritten with the new key.
● Save the configuration. The certificate status window displays the results of the configuration push to the AP. The AP may reject the configuration for one of the reasons described in “Transferring credentials from the Summit WM Controller to AP” on page 98.

Create CRs for selected APs
Upload .zip file with EAPTLS credentials

Bulk EAP-PEAP configuration

To install EAP-PEAP username and password, do the following:
1 From the AP 802.
is installed, and the PEAP section displays enabled if the PEAP username and password are configured. ● Refer to the AP logs. The AP logs major events during the authentication process.
AP as 802.1X supplicant Table 25: Encryption (Continued) Symmetric encryption Crypto Alg Key Length Mode Implemented • EAP-TLS, EAP-PEAP, • PKCS#1, PKCS#7, PKCS#12, PKCS#10, • RFC-2246, TLS Protocol Version 1.0 • RFC-3268, AES Ciphersuites for Transport Layer Security • RFC-3280, Internet X.
10 MAC-Based Authentication

The MAC-based authentication feature is designed to further control access to the network resources for the wireless clients over the Summit WM system. It is based on the authentication of the client’s MAC address using the same process as for the user’s RADIUS authentication. Only authenticated clients (MAC addresses) can establish sessions and use network resources as defined by the rules for the virtual network segment.
Roaming

When a client roams from one Wireless AP to another, MAC authentication is not required by default. MAC authentication can be forced in the roaming case. It can happen that user re-authentication is not required but MAC re-authentication is.

Radius redundancy

If the primary server for the MAC authentication is not accessible, the radius redundancy will be triggered and the request will be sent to the next server.
Assumptions/recommendations
1 The MU session timeout is a very important factor in radius profiles definitions and timeouts. The session timeouts can be configured via the Summit WM GUI.
2 In order to avoid an infinite loop, the radius redundancy should happen within 30 seconds, otherwise the authentication requests will be sent to the non-responsive server.
11 FreeRADIUS and Security

Overview

A good way to get up and running with an inexpensive RADIUS server is to use FreeRADIUS. This program is available from www.freeradius.org and provides good options for RADIUS authentication and accounting. While it is possible to configure FreeRADIUS to interoperate with a Microsoft infrastructure such as Active Directory using LDAP, it is recommended that IAS (Internet Authentication Service) be used for better integration with a Microsoft environment.
The simplest format to use is:

client 10.0.0.10 {
    secret = testing123
    shortname = WLC001
}

In this case the RADIUS client is a Summit WM Controller at 10.0.0.10. Since the Summit WM Controller has many IP addresses, some physical and some virtual, there is confusion over which IP address to use as the RADIUS client address. The answer is whichever interface the Summit WM Controller will use to send the packet to the RADIUS server.
The only difference with overwrite is that the password does not have to be the MAC address of the device; it can be anything the administrator configures (as long as it matches the value on the Summit WM Controller). To use the Challenge Handshake Authentication Protocol (CHAP), which prevents the password from ever being transmitted between the Summit WM Controller and the RADIUS server, switch the Auth-Type setting to CHAP and change the Auth. Type in the WM-AD settings under the Auth & Acct tab to use CHAP.
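What the two Auth-Type choices put on the wire, as an added example (not code from this guide or from FreeRADIUS) that follows the attribute formats in RFC 2865 sections 5.2 and 5.3. The MAC address, challenge and Request Authenticator are constructed values; `testing123` is the sample secret from the client definition above.

```python
"""RADIUS password handling: PAP (User-Password) versus CHAP (CHAP-Password)."""
import hashlib
import hmac

SHARED_SECRET = b"testing123"             # sample secret from the client block above
MAC_PASSWORD = b"001122334455"            # constructed: MAC address used as password
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed 16-byte Request Authenticator
CHAP_CHALLENGE = bytes(range(16, 32))     # constructed 16-byte CHAP challenge


def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, decode: bool) -> bytes:
    """Apply the RFC 2865 5.2 MD5/XOR chain in 16-byte blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ m for b, m in zip(block, mask))
        out += result
        # The chain always continues from the *ciphertext* block.
        prev = block if decode else result
    return out


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a password as a User-Password attribute value."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, decode=False)


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the cleartext password, as any holder of the shared secret can."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    return _xor_chain(hidden, secret, authenticator, decode=True).rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Build a CHAP-Password value: ident byte + MD5(ident | password | challenge)."""
    ident = bytes([chap_id & 0xFF])
    return ident + hashlib.md5(ident + password + challenge).digest()


def chap_verify(chap_password: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server-side check: recompute the digest from the stored password."""
    if len(chap_password) != 17:          # 1 ident byte + 16 digest bytes
        return False
    expected = hashlib.md5(chap_password[:1] + stored_password + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])


def demo() -> dict:
    hidden = pap_encode(MAC_PASSWORD, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    chap = chap_response(1, MAC_PASSWORD, CHAP_CHALLENGE)
    return {
        # PAP: the password travels in reversible form, protected only by the secret.
        "pap_recovered": pap_decode(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR),
        # CHAP: only a one-way digest travels; the server needs its own copy
        # of the password to recompute and compare.
        "chap_accepts_right": chap_verify(chap, CHAP_CHALLENGE, MAC_PASSWORD),
        "chap_accepts_wrong": chap_verify(chap, CHAP_CHALLENGE, b"00112233445A"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With PAP, the strength of the shared secret is all that protects the password in transit; with CHAP, the RADIUS server must be able to read the stored password in order to recompute the digest.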
Configure eap.conf file

The eap.conf file contains general information on the handling of EAP packets that are forwarded to the RADIUS server. We will cover the configuration of the file for TLS and for PEAP. For TLS or PEAP the TLS section needs to be completed. This is because even with PEAP authentication types a secure tunnel is needed from client to server and the TLS section contains the information required to set this tunnel up.
12 RADIUS Attributes

Remote Authentication Dial-In User Service (RADIUS) is an industry standard for providing identification, authentication, authorization, and accounting services for distributed dial-up/remote access networking.

RADIUS Vendor-Specific Attributes (VSAs)

RADIUS Vendor-Specific Attributes (VSAs) are RADIUS Authentication and Accounting attributes defined by vendors to customize information exchanges between clients and servers.
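How a VSA is carried inside a RADIUS packet, shown as an added example (not code from this guide) that parses the attribute layout of RFC 2865 sections 3 and 5.26 with strict length checks. The vendor ID, vendor type, URL and packet bytes are constructed placeholders, not the values this product uses.

```python
"""Parse RADIUS attributes, including Vendor-Specific Attributes (type 26)."""
import struct

VENDOR_SPECIFIC = 26      # standard attribute type that wraps vendor data
SESSION_TIMEOUT = 27      # standard attribute used in the sample packet
SAMPLE_VENDOR_ID = 99999  # constructed placeholder, not a real enterprise number


class RadiusParseError(ValueError):
    """Raised when a length field does not fit the bytes actually present."""


def parse_attributes(data: bytes) -> list:
    """Split a type/length/value area into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise RadiusParseError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        # Length counts the two header bytes and must stay inside the buffer.
        if a_len < 2 or pos + a_len > len(data):
            raise RadiusParseError(f"bad length {a_len} for attribute {a_type}")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def parse_vsa(value: bytes) -> tuple:
    """Decode a type-26 value into (vendor_id, [(vendor_type, data), ...])."""
    if len(value) < 4:
        raise RadiusParseError("Vendor-Specific value shorter than Vendor-Id")
    (vendor_id,) = struct.unpack("!I", value[:4])
    # Sub-attributes use the same type/length/value layout (RFC 2865 5.26).
    return vendor_id, parse_attributes(value[4:])


def parse_packet(packet: bytes) -> dict:
    """Parse header and attributes; the authenticator is not verified here."""
    if len(packet) < 20:
        raise RadiusParseError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > 4096 or length > len(packet):
        raise RadiusParseError(f"invalid packet length {length}")
    standard, vendor = [], []
    # Bytes beyond the declared length are padding and are ignored.
    for a_type, value in parse_attributes(packet[20:length]):
        if a_type == VENDOR_SPECIFIC:
            vendor.append(parse_vsa(value))
        else:
            standard.append((a_type, value))
    return {"code": code, "id": ident, "authenticator": packet[4:20],
            "standard": standard, "vendor": vendor}


def build_attr(a_type: int, value: bytes) -> bytes:
    """Encode one attribute (helper for constructing the sample packet)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([a_type, len(value) + 2]) + value


def sample_access_accept() -> bytes:
    """Constructed Access-Accept (code 2): Session-Timeout plus one VSA."""
    vsa = struct.pack("!I", SAMPLE_VENDOR_ID) + build_attr(1, b"https://portal.example/login")
    body = build_attr(SESSION_TIMEOUT, struct.pack("!I", 3600)) + build_attr(VENDOR_SPECIFIC, vsa)
    header = struct.pack("!BBH", 2, 7, 20 + len(body))
    return header + bytes(16) + body      # all-zero authenticator, constructed


if __name__ == "__main__":
    parsed = parse_packet(sample_access_accept())
    print(parsed["standard"])
    print(parsed["vendor"])
```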
RADIUS Attributes RADIUS accounting Account-Start packet Table 27 lists the information elements (including VSAs) supported in a RADIUS Start message, issued by Summit WM Controller, Access Points, and WM software, with RADIUS Accounting enabled: Table 27: Information elements supported in RADIUS Start messages Attribute NO. RAD.
Table 28: Information elements supported in RADIUS Stop or Interim messages (Continued) Attribute NO. RAD.
Table 29: Termination codes (Continued)

Radius Value: 4
Radius Definition: Idle Timeout
Controller Value: 1
Controller/SMT Definition: User has been disconnected due to idle timeout and inactivity
Controller Name: MU_DEREG_REASON_IDLE_TIMEOUT

Radius Value: 5
Radius Definition: Session Timeout
Controller Value: 7
Controller/SMT Definition: Disconnection as a result of the maximum session length value indicated by RADIUS server upon Access-Accept, or defined as a default value for the WM-AD.
Table 30: Supported attributes in RADIUS authentication and RADIUS response messages (Continued) MBA on SSID WM-AD MBA on AAA WM-AD AAA WMAD SSID WM-AD CP Auth (MSCHAP) SSID WMAD CP Auth (CHAP) SSID WMAD CP Auth (PAP) Y X NA Y Y Y User name Y (ETHMAC) Y (ETHMAC) Y Y Y Y BSS-MAC Y Y Y Y Y Y NAS-IP-Address Y Y Y Y Y Y NAS-Port Y Y Y Y Y Y NAS-Port-Type Y Y Y Y Y Y Y Y Y Y Y VSAs from Radius Server redirection_url Attributes to Radius Server NAS-Identifier
The following table describes the Service-Type RADIUS attributes that can be configured on the RADIUS server for RADIUS-based login authentication for the Summit WM Controller.

Table 31: Service-Type attributes
Service-Type value                         Name             User privileges
6                                          Administrative   Full access, read/write
7                                          NAS prompt       Read-only
No Service-type is configured (default)                     Read-only
13 Availability and session availability

The Summit WM Software system provides the “availability” feature to maintain service availability in the event of a Summit WM Controller outage.

Network topology for fast failover and session availability

The interruption in service for fast failover and session availability should be less than 5 seconds. To achieve fast failover and session availability, a layer 2 networking environment should be employed, as shown in Figure 25.
Fast failover and session availability deployment scenarios

The session availability timing is not guaranteed for setups where there is a WAN link between the Summit WM Controllers or between the Summit WM Controllers and the Wireless APs. In addition, other propagation delays due to network layout may affect session availability performance.
14 SNMP MIBs

Summit WM Controller is the main repository of all configuration and statistical data for itself and all Wireless APs, WM-ADs and attached Mobile Units. SNMP is one of the user interfaces to retrieve such information. For retrieval of such information, Summit WM Controller supports a subset of MIB-II, as well as proprietary MIBs.
For example, WM-AD interface description is the name of the WM-AD and each Wireless AP has three interfaces: one wired and two radio. The wired interface of the Wireless AP is named by concatenation of the Wireless AP’s name and word “_ethernet” and each radio interface is named by concatenation of the Wireless AP’s name and the radio type. The following are examples of some of the interfaces with arbitrary indices.
● Some of the physical ports of the Summit WM Controller:
ifDesc.1 = esa0
ifDesc.
● dot11SupportedDataRatesRxTable.

Proprietary MIBs

Our proprietary MIBs can be used to retrieve useful information about the system as a whole.

EXTREME-SUMMIT-WM-MIB.my

The main groups and tables defined in this MIB are:
● systemObects – The types of information that can be retrieved from this group includes software and hardware information, information of physical interfaces, DNS information, and tunneling information.
15 DRM – Dynamic Radio Management

The performance and reliability of a WLAN network is becoming increasingly important as more and more applications are switching from wired to wireless, which places more users into the same wireless space. In addition, WLAN applications have expanded to include VoIP, real-time, and mission-critical services that place extra demands on network performance and reliability. Under normal circumstances, i.e.
If ACS is triggered only on one Wireless AP and one radio, that Wireless AP will scan all available channels for that radio and then select the best channel and begin operating on that channel (according to the criteria described below). If ACS is triggered simultaneously on multiple Wireless APs, the Wireless APs will synchronize and cooperate in the process of selecting channels. This helps to avoid multiple Wireless APs jumping on the same channel because it looks free.
16 Call Admission Controls, TSPEC, and QoS

Summit WM WLAN supports TSPEC as related to the 802.11e standard, with the following capabilities:
● Admission Control (AC) for the voice and video traffic class is configurable per WM-AD.
● Medium time calculation and management is configured via the Global Settings page.
  ■ Recalculation of the available medium time occurs once per second.
  ■ Direction
  ■ Mean data rate (MDR) (bps)
  ■ Nominal MSDU size (NMS) (bytes)
  ■ Surplus bandwidth allowance (SBA) (ratio)
  ■ Downlink rate (bps)
  ■ Uplink rate (bps)
  ■ Downlink violations (bps)
  ■ Uplink violations (bps)
17 Portable and text editable backup

When working with the portable text editable backup files, use Windows WordPad or a code editor such as Source Insight or vi for a Linux system.

NOTE When working with the portable text editable backup files, do not use Windows Notepad to edit the .cli file. Notepad displays the contents of the .cli file in a disorganized manner.

Working with supported files

A text editable backup file that can be imported into a Summit WM Controller must end with either a .cli or .
● Extract the *.zip file.
● Modify the contents of the extracted controller_config.cli file.
● Compress the files with the .cli file at the root directory.

NOTE The .cli file cannot be in a subdirectory when the .zip file is compressed.

Migration of the text editable backup files
● If a text editable backup file is migrated to a different Summit WM Controller, the management port (eth0) and management gateway values in the .
18 Logs and Events

The Summit WM Controller is designed to behave like an appliance. It is either in an operational state, or it has failed due to a hardware problem or low level packet processing issue. In general, the system will self recover by rebooting if the system fault is recoverable.
Table 32: STARTUP_MANAGER (0) logs and events (Continued)

Log ID: 9
Log Message: Unable to start component [%d]. Services provided by the component will be unavailable.
Comment: Internal component problem.
Action: If problem persists, contact Technical Support to investigate.

Log ID: 20
Log Message: Component [%d] is down. Component will be restarted.
Comment: Internal component became inactive. Component will restart.
Action: If problem persists, contact Technical Support to investigate.

Log ID: 21
Log Message: Component [%s] is down.
Table 32: STARTUP_MANAGER (0) logs and events (Continued)
Log ID  Log Message
140     Error creating socket. Errno: %d
141     Error binding socket. Errno: %d
142     Socket address already in use.
143     Unable to connect to socket. Errno: %d
144     Startup API socket accept error. Errno: %d
145     Startup API socket select error. Errno: %d
146     Connected to component [%d].
Table 33: EVENT_SERVER (1) logs and events (Continued)

Log ID: 8
Log Message: The evaluation license for the controller has expired. Please contact your customer representative and purchase licenses to continue using the controller. If you do not purchase a license, the legal requirement is to put the system out of service.
Comment: System operation is severely restricted by lack of valid license.
Table 33: EVENT_SERVER (1) logs and events (Continued)

Log ID: 20
Log Message: Cannot reset file pointer to beginning of the log file - Error no:%d. The message and subsequent messages will be dropped.
Comment: Internal Component Failure. Log system may not be working properly. Failed to log configuration change.
Action: If problem persists, contact Technical Support to investigate.

Log ID: 21
Log Message: Trying to read non-empty file Error no:%d. Message will be dropped.
Comment: Internal Component Failure.
Table 33: EVENT_SERVER (1) logs and events (Continued)

Log ID: 31
Log Message: Cannot reset AP detection log file pointer to beginning of file - Error no:%d. The message and subsequent messages will be dropped.
Comment: Failure in Rogue AP Detection Logging. Reporting of rogue devices may be affected. Only relevant if Summit WM series Spy is enabled.
Action: If problem persists, contact Technical Support to investigate.
Table 33: EVENT_SERVER (1) logs and events (Continued)

Log ID: 48
Log Message: Invalid information [%d]. Dropping the message.
Comment: Problem interpreting log message. Log entry may not be performed. Low impact to the system.
Action: If problem persists, contact Technical Support to investigate.

Log ID: 49
Log Message: Invalid length [%d] for AP serial number.
Comment: Problem interpreting log message. Log entry may not be performed. Low impact to the system.
Table 33: EVENT_SERVER (1) logs and events (Continued)

Log ID: 61
Log Message: Message [%d] processing failed.
Comment: Problem interpreting log message. Log entry may not be performed. Low impact to the system.
Action: If problem persists, contact Technical Support to investigate.

Log ID: 62
Log Message: Invalid sort type [%d].
Comment: Problem interpreting log message. Log entry may not be performed. Low impact to the system.
Table 33: EVENT_SERVER (1) logs and events (Continued)

Log ID: 78
Log Message: Exported image file [%s] cannot be opened.
Comment: Possible problem with logging system.
Action: If problem persists, contact Technical Support to investigate.

Log ID: 79
Log Message: Invalid AP SN [%s].
Comment: Possible problem with logging system.
Action: If problem persists, contact Technical Support to investigate.

Log ID: 80
Log Message: Invalid sort criteria [%s].
Comment: Possible problem with logging system.
Action: If problem persists, contact Technical Support to investigate.
Logs and Events Table 34: CONFIG_MANAGER (2) logs and events (Continued) Log ID Log Message Comment Action 4 An AP has encountered an error processing configuration. Error details:%s Access Point failed to process configuration set. AP is not able to provide service. Verify AP Image version to validate that controller and AP are properly matched. If problem persists, contact Technical Support to investigate.
Table 34: CONFIG_MANAGER (2) logs and events (Continued) Log ID Log Message Comment Action Config failed. Serial number:%s Access Point upgrade fails. AP may be prevented to register with controller due to configuration mismatch. If problem persists, contact Technical Support to investigate. Unable to retrieve MAC address from AP AP reports may be affected. Will not be able to determine BSSID for WM-AD assignment reports.
Table 35: STATS_SERVER (3) logs and events (Continued)

Log ID: 33
Log Message: Unable to create thread to register callbacks to Startup Manager. Stats Server will continue, but will be unable to respond to Startup Manager requests.
Comment: Internal Component Problem. Major component functions not affected.
Action: If problem persists, contact Technical Support to investigate.
Table 35: STATS_SERVER (3) logs and events (Continued)
Log ID  Log Message  Comment  Action
132     Received ES_LOG_LVL_UPDATE_NOTIFY message
133     Received IXP_RU_STATS_NOTIFY_MSG
134     Received IXP_RU_STATS_NOTIFY message
135     Received IXP_MU_DEREGISTER_NOTIFY message
136     Received IXP_RU_DISCONNECT_NOTIFY message
137     Received VN_MGR_STATS_NOTIFY message
138     Received response for IXP SNMP port statistics

SECURITY_MANAGER (4)

Table 36: SECURITY_MANAGER (4) logs and events
Log ID Log Message Commen
Table 36: SECURITY_MANAGER (4) logs and events (Continued)

Log ID: 4
Log Message: Error binding to listener socket. Will not be able to communicate with Apache server.
Comment: Unable to establish connection to authentication server. Affects ability to provide internal captive portal. Could indicate problem with Apache Server instantiation.
Action: Component could be restarted to see if problem persists. If problem persists, contact Technical Support to investigate.
Table 36: SECURITY_MANAGER (4) logs and events (Continued) Log ID Log Message Comment Action 21 Client with MAC%s cannot be authorized on%s with filterName%s. The filterName is invalid on this%s Validate Configuration of RadiusServer. Validate that matches WM-AD configuration. If problem persists contact Technical Support for assistance. Client with MAC%s cannot be authorized with filterName%s as this filterName is invalid on the%s with id%d Validate Configuration of RadiusServer.
Table 36: SECURITY_MANAGER (4) logs and events (Continued)

Log ID: 68
Log Message: Cannot connect to Radius Client. Will keep trying until connection is successful.
Comment: Inter-communications issue. Component re-attempts should restore proper link. However, if un-resolved will not allow authentication to proceed and therefore blocking any users from gaining proper access to network.
Action: If problem persists, contact Technical Support to investigate.
Table 36: SECURITY_MANAGER (4) logs and events (Continued)

Log ID: 78
Log Message: Cannot find session tracking tag (token)%d. The Captive portal or MAC-based authentication request may already have been processed.
Comment: Authentication token for Captive portal received for user that is no longer listed as pending authentication. User will be redirected to internal captive portal if authentication hasn't indeed changed.
Action: If problem persists, contact Technical Support to investigate.
Table 36: SECURITY_MANAGER (4) logs and events (Continued)

Log ID: 86
Log Message: The user with session tracking tag%d cannot authenticate due to a conflict in the shared secret key for the Radius Server. Please check your configuration.
Comment: Possible problem with configuration or availability of Radius Server.
Action: Validate Configuration of RadiusServer. Verify Reachability of RadiusServer utilizing the RadiusTest feature in GlobalSettings.
Table 36: SECURITY_MANAGER (4) logs and events (Continued)
Log ID  Log Message
147     Delete session information (token mapping) for session tracking tag (token) %d.
148     Session tracking tag (token) %d already used.
149     Apache read bytes error with errno %d.
150     Apache write bytes error.
151     Apache Authentication User Request unsuccessful.
152     Received Apache Validation Fields with session tracking tag (token) %d.
153     Send authentication response message to Apache for token %d with status %d.
Table 36: SECURITY_MANAGER (4) logs and events (Continued)
Log ID  Log Message
163     Empty login parameters to send to Radius Client for session tracking tag (token) %d.
164     Empty MU params to send to Radius Client for session tracking tag (token) %d.
165     Invalid msgId to send to Radius Client. Cannot send a msgId of zero as the msgId corresponds to the session tracking tag (token) which cannot be zero.
166     Received Radius message parameters with session tracking tag (a.ka.
Table 36: SECURITY_MANAGER (4) logs and events (Continued)
Log ID  Log Message
179     Error on receiving MU_GET_PARAMS response from MU Mgr.
180     Send MU_SET_PARAMS request to MU Mgr.
181     Error on sending MU_SET_PARAMS request to MU Mgr.
182     Received MU_SET_PARAMS response from MU Mgr.
183     Error on receiving MU_SET_PARAMS response from MU Mgr.
184     Send CONFIG_POLICY request to Config Manager for session tracking tag (token) %d.
Table 36: SECURITY_MANAGER (4) logs and events (Continued)
Log ID  Log Message
199     Received UPDATE_LOGLEVEL_NOTIFY message from Config Manager.
200     Error on receiving UPDATE_LOGLEVEL_NOTIFY message from Config Manager.
201     Received UPDATE TRACE BITMASK message from Config Mgr.
202     Error on receiving UPDATE TRACE BITMASK message from Config Manager.
203     Error reading CIA received AUTH TOKEN REQ.
204     Error reading CIA received MU_GET_PARAMS_RESP.
Table 36: SECURITY_MANAGER (4) logs and events (Continued)
Log ID  Log Message
217     EAP socket is zero. Cannot send a message to the EAP handler.
218     CIA socket is zero. Cannot send a message to the IXP card.
219     Error reading Radius Response library function.
220     Error writing Radius Request library function for session tracking tag (token) %d.
221     Send Radius message successful for session tracking tag (token) %d.
222     Redirector will get session tracking tag (token) %d.
Table 36: SECURITY_MANAGER (4) logs and events (Continued)
Log ID  Log Message
235     Received EAP Access response message
236     Send EAP Config Policy request for sessionId %d to CM
237     Error on sending EAP Config Policy request for sessionId %d
238     Received EAP Config Policy response message
239     Resend EAP Access request message for sessionId %d
240     MAC address %d %d %d %d %d %d already exists in session list
241     Update sessionId %d for MAC address %d %d %d %d %d %d
242     S
Table 36: SECURITY_MANAGER (4) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 255 | Failed to delete EAP session for sessionId %d | | |

RU_MANAGER (6)

Table 37: RU_MANAGER (6) logs and events

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 1 | RU Manager has suffered a critical internal error and will halt (unable to start process thread). | Internal operation problem. May affect ability of APs to register with controller. | Component should be restarted. |
Table 37: RU_MANAGER (6) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 13 | Lost connectivity with Availability Peer%s. Controller entering into Failover Mode. | Indicates that link with peer controller has been lost. Peer controller may have shutdown or may indicate problem with interconnecting network. If Peer controller has indeed failed and network connections are intact APs will now begin failing to surviving controller. | Investigate state of peer controller. |
Table 37: RU_MANAGER (6) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 65 | AP registered.%s | AP Identified by Serial Number has registered. | None |
| 66 | AP authenticated.%s | AP Identified by Serial Number has registered. | None |
| 67 | RU Manager started normally. | Component state. | None |
| 68 | RU Manager shutting down normally. | Component state. | None |
| 69 | SLP registration successful. | Component state. | |
RADIUS_CLIENT (7)

Table 38: RADIUS_CLIENT (7) logs and events

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 1 | A file system error occurred. Unable to open RADIUS dictionary file. RADIUS client exiting. | Possible initialization problem for RadiusClient component. May affect ability of users to authenticate with system and therefore affect their ability to gain network access. | If problem persists contact Technical Support to investigate. |
Table 38: RADIUS_CLIENT (7) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 33 | Config Manager returned wrong flag. Will retry retrieving configuration. | Possible problem with configuration of authentication sub-system, in particular may become unable to determine correct Radius Configuration. | Connection retry should resolve condition. If problem persists contact Technical Support to investigate. |
| 34 | Internal error occurred for a single request. | | |
Table 38: RADIUS_CLIENT (7) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 39 | Invalid radius server port number for subnet%d. Default value will be used. | Possible problem with configuration or availability of Radius Server or WM-AD configuration of radius parameters. Default parameters will be used. If default value doesn't provide reachability of RadiusServer, users may be unable to authenticate. | |
Table 38: RADIUS_CLIENT (7) logs and events (Continued)

| Log ID | Log Message |
|---|---|
| 132 | Got EAP_Entry:[%d]:wmad_id:%d,flags:%d,rad_srv_ip: %d,rad_srv_port:%d,retrycount: %d,timeout:%d |
| 133 | got entry:NONE_CONFIG:[%d]: wm-ad_id:%d, flags:%d. |
Table 40: VNMGR (9) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 4 | Critical internal error - unable to allocate memory for Mobility Manager. Mobility Manager will halt. | Internal operation problem. May affect Mobility Domain state. Component will be restarted automatically. However, failure condition may indicate larger issue with memory resource utilization in the system. | If problem persists contact Technical Support to investigate. |
| 5 | Socket call failed. | | |
Table 40: VNMGR (9) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 11 | Get Configuration data failed. The Mobility Manager may be restarted. | Possible problem with configuration of Mobility feature component subset. Possibly Minor impact on Inter-Controller feature. | If problem persists contact Technical Support to investigate. |
| 12 | Internal status changed. Mobility Manager will shutdown and be re-started by the Start-up Manager. | Role change by Administrator. | |
Table 40: VNMGR (9) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 20 | Establishment of control tunnel with Mobility Manager failed. Please verify Mobility configuration for both Agent and target Manager. | Possible problem with configuration of Mobility feature component subset. Inter-Controller Mobility functionality may not be functional. | Verify Mobility Feature configuration. If problem persists Contact Technical Support for investigation. |
| 33 | Client%s. | | |
Table 40: VNMGR (9) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 76 | Mobility Agent has found a Mobility Manager at IP address%s. | Mobility State management | None |
| 77 | Communication heart-beat interval changed to%d. | Mobility Configuration management. Administrator change. | None |
| 78 | Default communication heartbeat time changed. | Mobility Configuration management. Administrator change. | None |
| 79 | Slpd service or attribute change successful. | Mobility Configuration management. | |
Table 40: VNMGR (9) logs and events (Continued)

| Log ID | Log Message |
|---|---|
| 140 | Write VN packet with ac_num %d, mu_num %d, and tunnel_num %d |
| 141 | Read VN_Conn_establish payload with hb_int %d and agent_ac_id %d |
| 142 | Write VN_Conn_establish payload with hb_int %d and agent_ac_id %d |
| 143 | Read VN disconnect payload with errCode %d and subErrCode %d |
| 144 | Write VN disconnect payload with errCode %d and subErrCode %d |
| 145 | Connected to VN Mgr at %s. |
Table 40: VNMGR (9) logs and events (Continued)

| Log ID | Log Message |
|---|---|
| 160 | Received CIA_IXP_MU_STATE_NOTIFY message for MU with %s. |
| 161 | Received CIA_IXP_MU_STATS_NOTIFY message |
| 162 | Received CIA_MU_DEREGISTER_NOTIFY message for MU with MAC %s. |
| 163 | Received unknown CIA message with messageType %d |
| 164 | Update main MU List with %s. |
| 165 | Cleanup MU list |
| 166 | Update main AC list with %s |
| 167 | Update AC neighbor list with %s. |
| 168 | Add or delete tunnel with %s. |
STACK_ADAPTER (10)

Table 41: STACK_ADAPTER (10) logs and events

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 65 | Fast Ethernet Stack Adaptor Started. | System initialization state | None |
| 66 | Gigabit Ethernet Stack Adapter Started. | System initialization state | None |

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 9 | Upgrade process failed failure reason:%s. | System application/firmware upgrade process failed. System operating components and personality may be lost as a result. | |
Table 42: CLI (11) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 34 | failure reason:%s. | Database backup procedure failed. | Revisit operation parameters and storage availability. If problem persists Contact Technical Support for investigation. |
| 65 | FTP for%s started. | FTP operation state | None |
| 66 | FTP for%s successful. | FTP operation state | None |
| 67 | Back-up process started. | Backup Procedure state | None |
| 68 | Back-up process successful. | | |
Table 43: LANGLEY (13) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 10 | A connection request from '%s' failed to authenticate with the messaging server. This may indicate that somebody is portscanning the access controller, or is attempting to gain backdoor access. | Possible Denial of Service attack. | Verify credentials of source. If problem persists and problem is deemed to be associated with internal component, contact Technical Support to investigate. |
Table 44: NSM_SERVER (15) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| | Unknown internal program message received - type%d. Message will be ignored and processing continued. | Internal communications issue. No direct impact to system operation, however may be symptom of more serious condition. | If problem persists Contact Technical Support for investigation. |
| 65 | NSM started normally. | Component state | None |
| 67 | Static route deleted successfully. | | |
Table 45: OSPF_SERVER (17) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 67 | Get static routes successful. | Component state | None |
| 68 | Delete OSPF interface successful. | Component state | None |
| 69 | Retrieving OSPF configuration successful. | Component state | None |
| 70 | Retrieving OSPF interface information successful. | | |
Table 46: CDR_COLLECTOR (23) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 3 | File storage limit has been reached for the accounting files. The oldest file(s) will be deleted to free up room for the new accounting files. | CDRs will be truncated to create room for new records. | Customer should retrieve CDRs more frequently and clear old files. |
| 8 | CDR critical:%s. | n/a | n/a |
| 9 | Internal messaging error:%d. Accounting information for one client session will be incomplete. | | |
Table 46: CDR_COLLECTOR (23) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 37 | Unable to read binary property from internal message payload [%d]. Error will be ignored and processing continued. | Internal operation error. Specific CDR record may not be consistent. | If problem persists Contact Technical Support for investigation. |
| 38 | Unable to read integer property from internal message payload [%d]. Error will be ignored and processing continued. | | |
Table 46: CDR_COLLECTOR (23) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| | Fail to receive cdr_config_notify. | Possible issue with configuration of CDR/Accounting sub-system. Can result in lack of accounting reporting/CDR for system users. Doesn't affect users state, however, it doesn't allow owner to provide proper billing for services rendered. | Validate configuration of CDR/Accounting settings for Radius Server and WM-AD definitions. |
Table 46: CDR_COLLECTOR (23) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 69 | All CDR records written to file. Shutting down normally. | Accounting sub-system state | If problem persists Contact Technical Support for investigation. |
| 70 | The old CDR directory has been removed. | Accounting sub-system state | If problem persists Contact Technical Support for investigation. |
| 128 | CDR informational:%s. | n/a | n/a |
| Trace | | | |
| 129 | Received IXP_MU_STATE_NOTIFY message. | | |
RF_DATA_COLLECTOR (36)

Table 47: RF_DATA_COLLECTOR (36) logs and events

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| | An error has occurred in the RF Data Collector which will cause this component to shutdown (and be restarted by the system). Details:%s. | Internal operation error. Rogue AP scan updates may be temporarily suspended. Should resume once component is automatically restarted by the system's health monitor. | If problem persists Contact Technical Support for investigation. |
Table 47: RF_DATA_COLLECTOR (36) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| Trace | | | |
| 129 | %s. | | |
| 130 | Error details: %s. | | |

REMOTE_INS (58)

Table 48: REMOTE_INS (58) logs and events

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| | Rogue AP found by AP%s (SN%s) for scan%s (ID%d) on%s with unknown bssType%u | Scan Result indication | Take appropriate remedial action to identify and neutralize threat. |
| | Threat [Inactive AP with valid SSID] detected by AP%s, SN%s (%s). | | |
Table 48: REMOTE_INS (58) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| | Unable to initialize signal handlers | Internal operation error. May indicate a larger problem with system's memory resource management. | If problem persists Contact Technical Support for investigation. |
| | Unable to initialize internal configuration data structures | Internal operation error. May indicate a larger problem with system's memory resource management. | |
Table 48: REMOTE_INS (58) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| | Error in setting up RFDC connection: Cannot save client session information into memory. Connection cannot be setup. | Internal operation error. Problem may prevent Rogue AP (Summit WM series Spy) detection from taking place. | Component may need to be restarted. If problem persists Contact Technical Support for investigation. |
| | Unable to setup RFDC connection | Internal operation error. | |
Table 48: REMOTE_INS (58) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| | In run_analysis_against_specific_list: cleanup_memory_for_data for THIRD_PAP failed. | Internal operation issue. May result in problems with memory management for the system. | If problem persists Contact Technical Support for investigation. |
| | In run_analysis_against_specific_list: cleanup_memory_for_data for FRIENDLY_AP failed. | Internal operation issue. May result in problems with memory management for the system. | |
Table 48: REMOTE_INS (58) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| | Connection with RFDC session (id =%d) is up | Summit WM series Spy feature state | None |
| | Connection with AC for RFDC session with ip addr%s is down | Possible Feature Impact. Scanning peer may not be available to report information. | Determine if outage was caused by configuration change to Summit WM series Spy feature (add/Remove of controllers from Scan Domain). |
LLC_HANDLER (62)

Table 49: LLC_HANDLER (62) logs and events

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| | Malloc failed | Internal operation error. May indicate a larger problem with system's memory resource management. | If problem persists Contact Technical Support for investigation. |
| | Unable to initialize semaphores | Internal operation error. May indicate a larger problem with system's memory resource management. | If problem persists Contact Technical Support for investigation. |
Table 49: LLC_HANDLER (62) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| | Error in llc_packet_thread: Cannot determine langley connection subscriptions. Thread will exit | Internal operation error. Thread exit shall cause component to terminate and be automatically started by system's health monitor facility. Situation should repair itself. | If problem persists Contact Technical Support for investigation. |
Table 50: RADIUS_ACCOUNTING (64) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 9 | No Response from one RADIUS accounting server:%s. | Possible issue with configuration of CDR/Accounting sub-system. Can result in lack of accounting reporting/CDR for system users. Doesn't affect users state, however, it doesn't allow owner to provide proper billing for services rendered. | If backup/alternate servers were defined system will attempt to connect to them. |
Table 51: RU_SESMGR_ID (65) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 36 | Mobility tunnel establishment failed with Peer%s. Please verify peer's reachability. | Possible Feature Impact. Some possible user impact as tunnel change purges sessions associated with peer. Users if connected will need to reauthenticate and renegotiate topology profile. | |
Table 51: RU_SESMGR_ID (65) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| Trace | | | |
| 130 | %s | | |

MU_SESMGR_ID (66)

Table 52: MU_SESMGR_ID (66) logs and events

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 33 | Maximum number of home sessions has been reached. No more home users will be permitted. | Reached maximum user capacity for system. | Need to deploy additional controllers to take on excessive capacity. Contact Sales support to discuss expanding deployment. |
Table 52: MU_SESMGR_ID (66) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 75 | Client session de-registration succeeded (%s) Reason is: Resync cleanup. | Policy request to user deregistration. | None |
| 76 | Client session de-registration succeeded (%s) Reason is: Session roam away. | Policy/Mobility request to user de-registration. | None |
| 77 | Client session de-registration succeeded (%s) Reason is: Life time session time out. | Policy request to user deregistration. | |
Table 53: FILTER_MGR_ID (67) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 12 | No rules defined for this filter ID [%d]. | Internal Error Condition. Filters are defined by default with at least 1 rule (Deny All). This condition should never occur. | If problem persists Contact Technical Support for investigation. |
| 13 | Filter rules response returned NACK. Error code [%d]. | Internal operation failure. Failed to obtain a set of filter rules from the systems provisioning system. | |
Table 53: FILTER_MGR_ID (67) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 26 | No FE mode was set [%d]. | Failed to resolve type of FE on system. Possible impact to filtering subsystem behaviour. Filters may not be properly installed in FE | If problem persists Contact Technical Support for investigation. |
| 27 | Unknown filter ID [%d] in the update response. | Internal operation failure. | |
REDIRECTOR4 (68)

Table 54: REDIRECTOR4 (68) logs and events

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 1 | Got a bad token from secMgr for%s | Failed to obtain credential abstraction for captive portal redirection. Redirection operation will fail for that operation. Client will most likely restart. | If problem persists Contact Technical Support for investigation. |
| 2 | Client%s is in an infinite loop! | Detected possible issue with Client behaviour on redirection. | |
Table 55: BEAST (75) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 1 | Failed to receive CIA message. | Internal communication operation. | If problem persists Contact Technical Support for investigation. |
| 2 | Unable to connect to database. | Failed to interface with provisioning system. Will affect report generation. | If problem persists Contact Technical Support for investigation. |
| 3 | Failed to initialize the input queue. | Internal operational issue. | |
Table 55: BEAST (75) logs and events (Continued)

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 34 | Failed to process CIA message:%d. | Internal communication issue. | If problem persists Contact Technical Support for investigation. |
| 65 | Received unexpected CIA message:%d. | Internal communication issue. | If problem persists Contact Technical Support for investigation. |
| 66 | Received message [%d] whose payload is NULL. | Internal communication issue. | If problem persists Contact Technical Support for investigation. |
REDIR_ID (106)

Table 58: REDIR_ID (106) logs and events

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| | Redirect packet is too big, packet will be dropped (%s) | Redirector packet exceeds maximum available buffer. | None |

Major 9

CPDP_AGENT_ID (110)

Table 59: CPDP_AGENT_ID (110) logs and events

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| 9 | Possible LAND DoS attack (%s). | Possible Denial of Service attack. | Investigate attack characteristics. |
ECHELON (126)

Table 61: ECHELON (126) logs and events

| Log ID | Log Message | Comment | Action |
|---|---|---|---|
| | FE Link is down. | Link to the FE is lost. System will reboot to reset full system. | If problem persists Contact Technical Support for investigation. |
| | FE Link is up. | FE is ready to start receiving provisioning configuration from MP and to begin providing data services. | None |

Critical 1 Major 9

Summit WM Technical Reference Guide, Software Version 5.
19 Reference lists of standards

RFC list

This section provides the Internet Engineering Task Force (IETF) Request for Comments (RFCs) standards supported by Summit WM Controller, Access Points, and WM software. The Request for Comments is a series of notes about the Internet, submitted to the Internet Engineering Task Force (IETF) and designated by an RFC number, that may evolve into an Internet standard. The RFCs are catalogued and maintained on the IETF RFC website: www.ietf.org/rfc.html.
Table 62: List of RFCs (Continued)

| RFC Number | Title |
|---|---|
| RFC 3418 | Management Information Base (MIB) for the Simple Network Management Protocol (SNMP). |
| RFC 3576 | Dynamic Authentication Extensions to RADIUS |
| RFC 959 | File Transfer Protocol. |
Table 63: List of 802.11 standards supported (Continued)

| Standard | Name |
|---|---|
| 802.1p | |
| 802.1q | VLANs |
| 802.11 MIB | management information base for 802.11 |

Supported Wi-Fi Alliance standards

The following WiFi Alliance standards are supported:

Standard IEEE
● IEEE 802.11a
● IEEE 802.11b
● IEEE 802.
Glossary

AAA: Authentication, Authorization, Accounting
ACS: Auto Channel Selection
AP: Access point (also referred to as Altitude AP)
AS: Authentication Server
ATPC: Automatic Tx Power Control
AU: Authentication
Authentication server: Entity that provides an authentication service to an authenticator. Typically, a RADIUS server operates as an authentication server, with RADIUS acting as a transport for EAP from the authenticator to the authentication server.
EAP-TLS: Requires both client and server to authenticate with each other via PKI which can be in the form of X.509 certificates or smart cards. The exchange is done inside a TLS tunnel which makes it resistant to man-in-the-middle attacks. The drawback is that it requires heavy PKI infrastructure to be in place.
supplicant: Usually a laptop or other device that requires authentication or has to access service from a network point of attachment
Tx: Transmit or Transmission
WISP: Wireless ISP
WLAN: Wireless Local Area Network
WM-AD: WM Access Domain