User Guide
Table Of Contents
- Nortel WLAN Security Switch 2300 Series Configuration Guide
- Contents
- How to get Help
- Introducing the Nortel WLAN 2300 System
- Using the Command-Line Interface
- Configuring AAA for Administrative and Local Access
- Configuring and Managing Ports and VLANs
- Configuring and Managing Ports
- Configuring and Managing VLANs
- Managing the Layer 2 Forwarding Database
- Port and VLAN Configuration Scenario
- Configuring and Managing IP Interfaces and Services
- MTU Support
- Configuring and Managing IP Interfaces
- Configuring the System IP Address
- Configuring and Managing IP Routes
- Managing the Management Services
- Configuring and Managing DNS
- Configuring and Managing Aliases
- Configuring and Managing Time Parameters
- Setting the Time Zone
- Configuring the Summertime Period
- Statically Configuring the System Time and Date
- Displaying the Time and Date
- Configuring and Managing NTP
- Adding an NTP Server
- Removing an NTP Server
- Changing the NTP Update Interval
- Resetting the Update Interval to the Default
- Enabling the NTP Client
- Displaying NTP Information
- Managing the ARP Table
- Pinging Another Device
- Logging In to a Remote Device
- Tracing a Route
- IP Interfaces and Services Configuration Scenario
- Configuring SNMP
- Overview
- Configuring SNMP
- Displaying SNMP Information
- Configuring and Managing Mobility Domain Roaming
- Configuring User Encryption
- Configuring AP access points
- AP Overview
- Configuring AP access points
- Specifying the Country of Operation
- Configuring a Template for Automatic AP Configuration
- Configuring AP Port Parameters
- Configuring AP-WSS Security
- Configuring a Service Profile
- Configuring a Radio Profile
- Configuring Radio-Specific Parameters
- Mapping the Radio Profile to Service Profiles
- Assigning a Radio Profile and Enabling Radios
- Disabling or Reenabling Radios
- Displaying AP Information
- Displaying AP Configuration Information
- Displaying a List of Distributed APs
- Displaying a List of Distributed APs that Are Not Configured
- Displaying Connection Information for Distributed APs
- Displaying Service Profile Information
- Displaying Radio Profile Information
- Displaying AP Status Information
- Displaying AP Statistics Counters
- Configuring RF Auto-Tuning
- Wi-Fi Multimedia
- Configuring and Managing Spanning Tree Protocol
- Configuring and Managing IGMP Snooping
- Configuring and Managing Security ACLs
- About Security Access Control Lists
- Creating and Committing a Security ACL
- Mapping Security ACLs
- Modifying a Security ACL
- Using ACLs to Change CoS
- Enabling Prioritization for Legacy Voice over IP
- Security ACL Configuration Scenario
- Managing Keys and Certificates
- Why Use Keys and Certificates?
- About Keys and Certificates
- Creating Keys and Certificates
- Choosing the Appropriate Certificate Installation Method for Your Network
- Creating Public-Private Key Pairs
- Generating Self-Signed Certificates
- Installing a Key Pair and Certificate from a PKCS #12 Object File
- Creating a CSR and Installing a Certificate from a PKCS #7 Object File
- Installing a CA’s Own Certificate
- Displaying Certificate and Key Information
- Key and Certificate Configuration Scenarios
- Configuring AAA for Network Users
- About AAA for Network Users
- AAA Tools for Network Users
- Configuring 802.1X Authentication
- Configuring Authentication and Authorization by MAC Address
- Configuring Web-based AAA
- Configuring Last-Resort Access
- Configuring AAA for Users of Third-Party APs
- Assigning Authorization Attributes
- Overriding or Adding Attributes Locally with a Location Policy
- Configuring Accounting for Wireless Network Users
- Displaying the AAA Configuration
- Avoiding AAA Problems in Configuration Order
- Configuring a Mobility Profile
- Network User Configuration Scenarios
- Configuring Communication with RADIUS
- Managing 802.1X on the WSS Switch
- Managing Sessions
- Managing System Files
- Rogue Detection and Countermeasures
- About Rogues and RF Detection
- Summary of Rogue Detection Features
- Configuring Rogue Detection Lists
- Enabling Countermeasures
- Disabling or Reenabling Active Scan
- Enabling AP Signatures
- Disabling or Reenabling Logging of Rogues
- Enabling Rogue and Countermeasures Notifications
- IDS and DoS Alerts
- Displaying RF Detection Information
- Appendix A: Troubleshooting a WS Switch
- Fixing Common WSS Setup Problems
- Recovering the System Password
- Configuring and Managing the System Log
- Running Traces
- Using Show Commands
- Remotely Monitoring Traffic
- Capturing System Information for Technical Support
- Appendix B: Supported RADIUS Attributes
- Appendix C: Mobility Domain Traffic Ports
- Appendix D: DHCP Server
- Glossary
- Index
- Command Index

422 Configuring AAA for Network Users
320657-A
WSS Software refuses to authenticate the user and does not allow the user onto the network from the unauthenticated machine.
Authentication Rule Requirements
Bonded Authentication requires an 802.1X authentication rule for the machine itself and a separate 802.1X authentication rule for the user(s). Use the bonded option in the user authentication rule, but not in the machine authentication rule. The authentication rule for the machine must be higher up in the list of authentication rules than the authentication rule for the user, because WSS Software applies the first rule whose userwildcard matches the identity presented by the client.
You must use 802.1X authentication rules. The 802.1X authentication rule for the machine must use pass-through as the protocol. Nortel recommends that you also use pass-through for the user's authentication rule.
The rule for the machine and the rule for the user must use a RADIUS server group as the method. (Generally, in a Bonded Authentication configuration, the RADIUS servers use a user database stored on an Active Directory server.)
(For a configuration example, see “Bonded Authentication Configuration Example” on page 423.)
Nortel recommends that you make the rules as general as possible. For example, if the Active Directory domain is mycorp.com, the following userwildcards match all machine names and users in the domain:
• host/*.mycorp.com (userwildcard for the machine authentication rule)
• *.mycorp.com (userwildcard for the user authentication rule)
If the domain name has more nodes (for example, nl.mycorp.com), use an asterisk in each node that you want to match globally; a single asterisk matches only one node. For example, to match all machines and users in any subdomain of mycorp.com (nl.mycorp.com, de.mycorp.com, and so on), use the following userwildcards:
• host/*.*.mycorp.com (userwildcard for the machine authentication rule)
• *.*.mycorp.com (userwildcard for the user authentication rule)
Use more specific rules to direct machines and users to different server groups. For example, to direct users in nl.mycorp.com to a different server group than users in de.mycorp.com, use the following userwildcards:
• host/*.nl.mycorp.com (userwildcard for the machine authentication rule)
• *.nl.mycorp.com (userwildcard for the user authentication rule)
• host/*.de.mycorp.com (userwildcard for the machine authentication rule)
• *.de.mycorp.com (userwildcard for the user authentication rule)
Note. If the 802.1X reauthentication parameter or the RADIUS Session-Timeout parameter applies to the machine's session, the user must log in before that reauthentication timeout or session timeout expires. Normally, these parameters apply only to clients that use dynamic WEP, or that use WEP-40 or WEP-104 encryption with WPA or RSN.
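The rule requirements above come down to how the switch walks its rule list: it takes the first rule whose userwildcard matches the identity the client presents, so the machine rule has to sit above the bonded user rule, and a wildcard written for one domain level does not match names with more nodes. The following Python model is added here as an illustration; it is not code from the Nortel guide or from WSS Software. It reproduces a first-match lookup over a constructed rule list, checks that list against the requirements in this section, and shows what happens when the two rules are swapped or when a multi-node machine name meets a single-node wildcard. The glob semantics (an asterisk matches any characters except the delimiters `.` and `@`, and `**` matches anything), the SSID `mycorp`, the server-group name `ad-radius`, the identities, and the command lines quoted in the comments are assumptions made for the example, not statements from the page.

```python
"""
Added example, not from the Nortel guide: a model of WSS-style first-match
802.1X rule lookup, used to check a Bonded Authentication rule list.

Assumptions (the page does not state them):
  * In a userwildcard, '*' matches any run of characters containing neither
    '.' nor '@', '**' matches anything, everything else matches literally.
  * Rules are evaluated top-down and the first match wins.
  * The SSID, server-group name, identities and the CLI lines quoted in
    comments are invented for illustration.
"""
import re
from dataclasses import dataclass

SERVER_GROUP = "ad-radius"  # assumed RADIUS server group backed by Active Directory


@dataclass(frozen=True)
class Dot1xRule:
    user_glob: str
    protocol: str        # "pass-through", "peap-mschapv2", ...
    method: str          # RADIUS server-group name, or "local"
    bonded: bool = False

    @property
    def is_machine_rule(self) -> bool:
        # Windows machine accounts authenticate as host/<fqdn>
        return self.user_glob.startswith("host/")


def glob_to_regex(user_glob: str) -> "re.Pattern[str]":
    """Translate a userwildcard into an anchored regular expression."""
    parts, i = [], 0
    while i < len(user_glob):
        if user_glob.startswith("**", i):
            parts.append(".*")          # '**' crosses delimiters
            i += 2
        elif user_glob[i] == "*":
            parts.append(r"[^.@]*")     # '*' stops at the next '.' or '@'
            i += 1
        else:
            parts.append(re.escape(user_glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def glob_matches(user_glob: str, identity: str) -> bool:
    return glob_to_regex(user_glob).match(identity) is not None


def first_match(rules, identity):
    """First-match lookup; None means no rule applies and access is refused."""
    for rule in rules:
        if glob_matches(rule.user_glob, identity):
            return rule
    return None


def classify(rules, identity) -> str:
    """'machine', 'user' or 'none', according to the rule the identity hits."""
    rule = first_match(rules, identity)
    if rule is None:
        return "none"
    return "user" if rule.bonded else "machine"


def check_bonded_rules(rules) -> list:
    """Problems against this section's requirements; an empty list means OK."""
    problems = []
    if not any(r.bonded for r in rules):
        problems.append("no rule uses the bonded option")
    for r in rules:
        if r.is_machine_rule and r.bonded:
            problems.append(f"machine rule {r.user_glob} must not be bonded")
        if r.is_machine_rule and r.protocol != "pass-through":
            problems.append(f"machine rule {r.user_glob} must use pass-through")
        if r.method == "local":
            problems.append(f"rule {r.user_glob} must use a RADIUS server group")
    # Ordering: every machine rule must sit above every bonded user rule,
    # otherwise the first-match lookup hands the machine's login to the
    # bonded user rule instead of the machine rule.
    first_bonded = next((i for i, r in enumerate(rules) if r.bonded), len(rules))
    for r in rules[first_bonded + 1:]:
        if r.is_machine_rule:
            problems.append(f"machine rule {r.user_glob} is listed below a bonded user rule")
    return problems


# Equivalent switch configuration, in the order the rules must appear
# (command syntax assumed from the chapter's 802.1X rule commands):
#   set authentication dot1x ssid mycorp host/*.mycorp.com pass-through ad-radius
#   set authentication dot1x ssid mycorp *.mycorp.com bonded pass-through ad-radius
GOOD_RULES = [
    Dot1xRule("host/*.mycorp.com", "pass-through", SERVER_GROUP),
    Dot1xRule("*.mycorp.com", "pass-through", SERVER_GROUP, bonded=True),
]
BAD_RULES = list(reversed(GOOD_RULES))   # user rule above the machine rule

if __name__ == "__main__":
    for ident in ("host/pc1.mycorp.com", "alice.mycorp.com", "host/pc1.nl.mycorp.com"):
        print(f"{ident:24} good order: {classify(GOOD_RULES, ident):8} "
              f"swapped: {classify(BAD_RULES, ident)}")
    print("problems with BAD_RULES:", check_bonded_rules(BAD_RULES))
```

Under the assumed glob semantics the swapped list sends `host/pc1.mycorp.com` to the bonded user rule, because `*.mycorp.com` also matches a name whose only dot is the one before `mycorp`; and `host/pc1.nl.mycorp.com` matches neither rule, which is the case the `host/*.*.mycorp.com` wildcard above is for.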










