User Guide

ManualsBrandsNortel Networks ManualsOther2300

551

552

553

554

555

556

557

558

559

560

Table Of Contents

Nortel WLAN Security Switch 2300 Series Configuration Guide
Contents
How to get Help
Introducing the Nortel WLAN 2300 System
- Nortel WLAN 2300 System
- Documentation
  - Safety and Advisory Notices
  - Text and Syntax Conventions
Using the Command-Line Interface
- CLI Conventions
- Command-Line Editing
- Using CLI Help
- Understanding Command Descriptions
Configuring AAA for Administrative and Local Access
- Overview of AAA for Administrative and Local Access
- Before You Start
- About Administrative Access
  - Access Modes
  - Types of Administrative Access
- First-Time Configuration using the Console
- Configuring Accounting for Administrative Users
- Displaying the AAA Configuration
- Saving the Configuration
- Administrative AAA Configuration Scenarios
Configuring and Managing Ports and VLANs
- Configuring and Managing Ports
- Configuring and Managing VLANs
- Managing the Layer 2 Forwarding Database
- Port and VLAN Configuration Scenario
Configuring and Managing IP Interfaces and Services
- MTU Support
- Configuring and Managing IP Interfaces
- Configuring the System IP Address
- Configuring and Managing IP Routes
- Managing the Management Services
- Configuring and Managing DNS
- Configuring and Managing Aliases
- Configuring and Managing Time Parameters
- Managing the ARP Table
- Pinging Another Device
- Logging In to a Remote Device
- Tracing a Route
- IP Interfaces and Services Configuration Scenario
Configuring SNMP
- Overview
- Configuring SNMP
- Displaying SNMP Information
Configuring and Managing Mobility Domain Roaming
- About the Mobility Domain Feature
- Configuring a Mobility Domain
- Monitoring the VLANs and Tunnels in a Mobility Domain
- Understanding the Sessions of Roaming Users
- Mobility Domain Scenario
Configuring User Encryption
- Configuring WPA
- Configuring RSN (802.11i)
- Configuring WEP
  - Setting Static WEP Key Values
  - Assigning Static WEP Keys
- Encryption Configuration Scenarios
Configuring AP access points
- AP Overview
- Configuring AP access points
- Disabling or Reenabling Radios
- Displaying AP Information
Configuring RF Auto-Tuning
- RF Auto-Tuning Overview
- Changing RF Auto-Tuning Settings
- Displaying RF Auto-Tuning Information
Wi-Fi Multimedia
- How WMM Works in WSS Software
  - QoS on the WSS Switch
  - QoS on an AP
- Disabling or Reenabling WMM
- Displaying WMM Information
Configuring and Managing Spanning Tree Protocol
- Enabling the Spanning Tree Protocol
- Changing Standard Spanning Tree Parameters
- Configuring and Managing STP Fast Convergence Features
- Displaying Spanning Tree Information
- Spanning Tree Configuration Scenario
Configuring and Managing IGMP Snooping
- Disabling or Reenabling IGMP Snooping
- Disabling or Reenabling Proxy Reporting
- Enabling the Pseudo-Querier
- Changing IGMP Timers
- Enabling Router Solicitation
  - Changing the Router Solicitation Interval
- Configuring Static Multicast Ports
  - Adding or Removing a Static Multicast Router Port
  - Adding or Removing a Static Multicast Receiver Port
- Displaying Multicast Information
Configuring and Managing Security ACLs
- About Security Access Control Lists
  - Overview of Security ACL Commands
  - Security ACL Filters
- Creating and Committing a Security ACL
- Mapping Security ACLs
  - Mapping User-Based Security ACLs
  - Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed APs
    - Displaying ACL Maps to Ports, VLANs, and Virtual Ports
    - Clearing a Security ACL Map
- Modifying a Security ACL
- Using ACLs to Change CoS
  - Filtering Based on DSCP Values
- Enabling Prioritization for Legacy Voice over IP
  - Enabling SVP Optimization for SpectraLink Phones
- Security ACL Configuration Scenario
Managing Keys and Certificates
- Why Use Keys and Certificates?
  - Wireless Security through TLS
  - PEAP-MS-CHAP-V2 Security
- About Keys and Certificates
- Creating Keys and Certificates
- Displaying Certificate and Key Information
- Key and Certificate Configuration Scenarios
Configuring AAA for Network Users
- About AAA for Network Users
- AAA Tools for Network Users
- Configuring 802.1X Authentication
- Configuring Authentication and Authorization by MAC Address
- Configuring Web-based AAA
- Configuring Last-Resort Access
- Configuring AAA for Users of Third-Party APs
- Assigning Authorization Attributes
- Overriding or Adding Attributes Locally with a Location Policy
- Configuring Accounting for Wireless Network Users
  - Viewing Local Accounting Records
  - Viewing Roaming Accounting Records
- Displaying the AAA Configuration
- Avoiding AAA Problems in Configuration Order
  - Using the Wildcard “Any” as the SSID Name in Authentication Rules
  - Using Authentication and Accounting Rules Together
    - Configuration Producing an Incorrect Processing Order
    - Configuration for a Correct Processing Order
- Configuring a Mobility Profile
- Network User Configuration Scenarios
Configuring Communication with RADIUS
- RADIUS Overview
- Before You Begin
- Configuring RADIUS Servers
- Configuring RADIUS Server Groups
  - Creating Server Groups
  - Deleting a Server Group
- RADIUS and Server Group Configuration Scenario
Managing 802.1X on the WSS Switch
- Managing 802.1X on Wired Authentication Ports
  - Enabling and Disabling 802.1X Globally
  - Setting 802.1X Port Control
- Managing 802.1X Encryption Keys
- Setting EAP Retransmission Attempts
- Managing 802.1X Client Reauthentication
- Managing Other Timers
- Displaying 802.1X Information
Managing Sessions
- About the Session Manager
- Displaying and Clearing Administrative Sessions
- Displaying and Clearing Network Sessions
Managing System Files
- About System Files
  - Displaying Software Version Information
  - Displaying Boot Information
- Working with Files
- Managing Configuration Files
- Backing Up and Restoring the System
  - Managing Configuration Changes
  - Backup and Restore Examples
- Upgrading the System Image
Rogue Detection and Countermeasures
- About Rogues and RF Detection
- Summary of Rogue Detection Features
- Configuring Rogue Detection Lists
- Enabling Countermeasures
- Disabling or Reenabling Active Scan
- Enabling AP Signatures
- Disabling or Reenabling Logging of Rogues
- Enabling Rogue and Countermeasures Notifications
- IDS and DoS Alerts
- Displaying RF Detection Information
Appendix A: Troubleshooting a WS Switch
- Fixing Common WSS Setup Problems
- Recovering the System Password
  - WSS-2350
  - WSS-2370, WSS-2380, or WSS-2360
- Configuring and Managing the System Log
- Running Traces
- Using Show Commands
- Remotely Monitoring Traffic
- Capturing System Information for Technical Support
  - Displaying Technical Support Information
  - Sending Information to NETS
Appendix B: Supported RADIUS Attributes
- Supported Standard and Extended Attributes
- Nortel Vendor-Specific Attributes
Appendix C: Mobility Domain Traffic Ports
Appendix D: DHCP Server
- How the WSS Software DHCP Server Works
- Configuring the DHCP Server
- Displaying DHCP Server Information
Glossary
Index
Command Index

560 Rogue Detection and Countermeasures

320657-A

Fake AP SSID (when

source MAC address is

known)

FakeAP SSID attack detected from aa:bb:cc:dd:ee:ff.

Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.

Fake AP SSID (when

source MAC address is

not known)

FakeAP BSSID attack detected.

Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.

Spoofed SSID AP Mac aa:bb:cc:dd:ee:ff(ssid myssid) is masquerading our ssid used by

aa:bb:cc:dd:ee:fd.

Detected by listener aa:bb:cc:dd:ee:fc(port 2, radio 1), channel 11 with

RSSI -53.

Wireless bridge

detected

Wireless bridge detected with address aa:bb:cc:dd:ee:ff.

Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.

Netstumbler detected Netstumbler detected from aa:bb:cc:dd:ee:ff.

Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.

Wellenreiter detected Wellenreiter detected from aa:bb:cc:dd:ee:ff.

Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.

Ad-hoc client frame

detected

Adhoc client frame detected from aa:bb:cc:dd:ee:ff.

Seen by AP on port 2, radio 1 on channel 11 with RSSI -53 SSID myssid.

Spoofed AP AP Mac aa:bb:cc:dd:ee:ff(ssid myssid) is being spoofed. Received

fingerprint 1122343 does not match our fingerprint 123344.

Detected by listener aa:bb:cc:dd:ee:fd(port 2, radio 1), channel 11 with

RSSI -53.

Disallowed SSID

detected

AP Mac aa:bb:cc:dd:ee:ff(ssid myssid) is not part of ssid-list.

Detected by listener aa:bb:cc:dd:ee:fd(port 2, radio 1), channel 11 with

RSSI -53.

AP from disallowed

vendor detected

AP Mac aa:bb:cc:dd:ee:ff(ssid myssid) is not part of vendor-list.

Detected by listener aa:bb:cc:dd:ee:fd(port 2, radio 1), channel 11 with

RSSI -53.

Client from disallowed

vendor detected

Client Mac aa:bb:cc:dd:ee:ff is not part of vendor-list. Detected by

listener aa:bb:cc:dd:ee:fd(port 2, radio 1), channel 11 with RSSI -53.

Interfering client seen

on wired network

Client Mac aa:bb:cc:dd:ee:ff is seen on the wired network by WSS

10.1.1.1 on port 3 vlan 2 tag 1. Detected by listener

aa:bb:cc:dd:ee:fd(port 2, radio 1), channel 11 with RSSI -53.

Table 34: IDS and DoS Log Messages (continued)

Message Type Example Log Message