OmniAccess AOS-W System Reference
Copyright
Copyright © 2005 Alcatel Internetworking, Inc. All rights reserved.
Trademarks
AOS-W, OmniAccess 4304, OmniAccess 4308, OmniAccess Wireless LAN,
OmniAccess 6000, OmniAccess AP60, OmniAccess AP61, and OmniAccess
AP 70 are trademarks of Alcatel Internetworking, Inc. in the United States and
certain other countries.
Any other trademarks appearing in this manual are owned by their respective
companies.
Legal Notice
The use of Alcatel Internetworking, Inc. switching platforms and software, by
all individuals or corporations, to terminate Cisco or Nortel VPN client devices
constitutes complete acceptance of liability by that individual or corporation for
this action and indemnifies, in full, Alcatel Internetworking, Inc. from any and
all legal actions that might be taken against it with respect to infringement of
copyright on behalf of Cisco Systems or Nortel Networks.
Part 1 Overview  1
Chapter 1 Overview  3
  Key Features  3
    Prevention of Layer-2 Bridging between Wireless Users  3
    Wired Port 802.1x Authentication  3
    Enhanced Location Services  4
    Web Management Interface Enhancements  4
    Enhanced Network Monitoring Interface  4
    SNMPv3  4
    Remote Thin AP  4
    Auto-Blacklist Firewall Extended Action  5
    Enhanced AP-Switch Discovery and Alcatel Discovery Protocol  5
    DHCP Configuration  6
    Multicast Configuration  8
Chapter 4 RF Design  25
  The Alcatel RF Plan Tool  25
  Getting Started  26
    System Requirements for Standalone RF Plan  26
    Installing RF Plan  26
    Launching RF Plan  27
  RF Plan Basics  27
    Page Summary  27
    Page Fields  28
    Navigation  29
    Applying and Saving  29
    Next Step Button  29
  Opening Screen  30
  Using RF Plan  31
    Task Overview  31
    Planning Requirements  32
  Adding a New Building to the Plan  32
    Planning Pages  41
  Locating Devices  52
  AP Provisioning  428
    Plug and Play  428
    Simplified AP Provisioning  429
    AP Programming Mode  430
    Manual AP Provisioning  436
    AP Reprovisioning  436
    Accessing the AP Boot Prompt  437
    Initial Configuration  441
    Advanced AP Configuration  444
    GRE Tunnel Configuration  453
  Wireless LAN Switch Setup for APs  454
    Configuration Profiles  454
    AP Attribute Commands  459
    Wireless Client Station Attributes  462
    Order of Precedence for Profile Attributes  463
    CLI Configuration Examples  465
    Viewing AP Attribute Settings  468
    Viewing AP Information and Statistics  471
  AP Reprovisioning  478
Glossary 911
• Part 2, “Design”
  Explains the basic network design issues in adding a Wireless LAN switch
  to a network.
• Part 3, “Configuration”
  Explains the features that can be configured for Alcatel Wireless LAN
  switches.
• Part 4, “Monitoring”
  Explains how Alcatel Wireless LAN switches are managed and maintained.
• Part 6, “Appendix”
  Includes a glossary of terms used in this document.
Related Documents
The following items are part of the complete documentation for the Alcatel
system:
• Alcatel Wireless LAN Switch Installation Guides (OmniAccess 4308,
  OmniAccess Wireless LAN, and OmniAccess 6000)
• Alcatel AOS-W User Guide
• Alcatel AP Installation Guides (AP60/61 and AP70)
Text Conventions
Contacting Alcatel
Web Site
• Main Site: http://www.alcatel.com
• Support: http://www.alcatel.com/enterprise
Telephone Numbers
• Main US/Canada: (800) 995-2612
• Main Outside US: (818) 880-3500
Overview
Key Features
SNMPv3
Previous releases of AOS-W supported only SNMPv1 and SNMPv2c. Both carry the
community string and all management data in cleartext, so connecting Alcatel
components to a network management platform across an untrusted network could
disclose sensitive information to anyone able to observe the traffic. SNMPv3
adds per-user authentication and the ability to encrypt SNMP communication.
Remote Thin AP
Some customers reported problems when using Alcatel APs connected to a
switch across a low-speed link such as a frame relay connection. Because the
probe response travels across that link, its latency could add more than 5 ms
of delay when responding to 802.11 probe request frames from wireless
clients. Certain clients dwell on a channel for only 5 ms while scanning and
had already moved to the next channel by the time the probe response
arrived. AOS-W 2.2 can therefore enable local probe responses for remotely
connected APs, so the AP answers probe requests itself. This feature is
configured under the Wireless LAN > Advanced section of the Web-based
management interface, or under the “ap location” section of the CLI.
If the DHCP response contains a DNS server address, the AP performs a DNS
lookup of the hostname “Alcatel-master.<subdomain>”, where <subdomain> is the
domain name learned from the DHCP server. If the lookup succeeds, the AP uses
the returned IP address to contact an Alcatel switch and continues the boot
process.
DHCP Configuration
DHCP servers may be configured to return Alcatel vendor-specific options to
APs. The AP identifies itself with the vendor class identifier (option 60)
“AlcatelAP”, and the switch address is returned in vendor-specific option 43.
A sample configuration for the open-source ISC DHCP server follows; the
class match and the option 43 assignment are marked as reconstructed where
the original fragment breaks off. In this example, the Alcatel switch is
located at IP address 10.1.1.10.
default-lease-time 200;
max-lease-time 200;
class "vendor-class" {
    match option vendor-class-identifier;
}
# Reconstructed: return option 43 only to clients whose option 60 is "AlcatelAP".
# The switch address is sent as a dotted-decimal string (assumed encoding).
subclass "vendor-class" "AlcatelAP" {
    option vendor-encapsulated-options "10.1.1.10";
}
c:\>netsh
netsh>dhcp
netsh dhcp>exit
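The two sides of the AP-switch discovery exchange described above, as an added example that is not part of the Alcatel documentation: the "server" side returns option 43 only to a client that identifies itself with vendor class "AlcatelAP", mirroring the ISC configuration; the "AP" side parses the reply and derives the discovery targets in the order the text gives (option 43 first, then the DNS name "Alcatel-master.<subdomain>"). The option 43 payload format (the switch address as a dotted-decimal string), the sample DNS server, and the domain name are assumptions constructed for this example.

```python
"""Added example: DHCP option handling for Alcatel AP discovery.

The option 43 payload format (dotted-decimal string), the DNS server
10.4.0.12 and the domain "corp.example" are constructed assumptions.
"""
import ipaddress

OPT_PAD, OPT_END = 0, 255
OPT_DNS_SERVERS = 6           # RFC 2132 option codes
OPT_DOMAIN_NAME = 15
OPT_VENDOR_SPECIFIC = 43
OPT_VENDOR_CLASS = 60

AP_VENDOR_CLASS = b"AlcatelAP"   # vendor class identifier from the manual
SWITCH_ADDRESS = "10.1.1.10"     # switch address from the manual's example


def encode_options(options):
    """Serialize {code: bytes} as DHCP TLV options terminated by END."""
    out = bytearray()
    for code, value in options.items():
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError("option %d cannot be encoded" % code)
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob):
    """Decode TLV options defensively: honour END, skip PAD, reject truncation."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def server_reply_options(client_opts, dns_server="10.4.0.12",
                         domain=b"corp.example"):
    """Options a DHCP server would return. Option 43 is added only when the
    client's vendor class (option 60) is exactly "AlcatelAP", like the ISC
    subclass match; other clients never see the switch address."""
    reply = {OPT_DNS_SERVERS: ipaddress.IPv4Address(dns_server).packed,
             OPT_DOMAIN_NAME: domain}
    if client_opts.get(OPT_VENDOR_CLASS) == AP_VENDOR_CLASS:
        reply[OPT_VENDOR_SPECIFIC] = SWITCH_ADDRESS.encode("ascii")
    return reply


def discovery_candidates(opts):
    """What the AP would try, in order: a list of (method, target) pairs."""
    found = []
    v43 = opts.get(OPT_VENDOR_SPECIFIC)
    if v43:
        try:   # a malformed option 43 is ignored rather than trusted blindly
            found.append(("option43",
                          str(ipaddress.IPv4Address(v43.decode("ascii")))))
        except (UnicodeDecodeError, ValueError):
            pass
    if OPT_DNS_SERVERS in opts and OPT_DOMAIN_NAME in opts:
        sub = opts[OPT_DOMAIN_NAME].decode("ascii").strip(".")
        found.append(("dns", "Alcatel-master." + sub))
    return found


def simulate(client_vendor_class):
    """Run one request/reply round trip through the wire encoding."""
    request = encode_options({OPT_VENDOR_CLASS: client_vendor_class})
    reply = encode_options(server_reply_options(parse_options(request)))
    return discovery_candidates(parse_options(reply))


if __name__ == "__main__":
    print(simulate(b"AlcatelAP"))   # option 43 first, DNS name as fallback
    print(simulate(b"MSFT 5.0"))     # a non-AP client gets only the DNS path
```

Because the AP trusts whatever option 43 and domain name it receives, the DHCP scope that serves APs should be reachable only from the AP VLAN and protected against rogue DHCP servers; the parser above shows the minimum checks (length, encoding, address validity) before acting on the value.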
Multicast Configuration
A network supporting IP multicast must be in place to make use of the ADP
multicast capability. To configure the Alcatel switch for multicast, enter:
This configuration will cause the Alcatel switch to send an IGMPv2 join
message for multicast group 224.0.82.11.
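The join message the paragraph describes, as an added example that is not part of the Alcatel documentation: it builds and validates the IGMPv2 Membership Report for the ADP group 224.0.82.11, so the frame can be recognised in a capture or replayed in a lab. The layout follows RFC 2236 (type, max response time, checksum, group address, 8 bytes in all) with the standard ones-complement checksum; the helper names are this example's own.

```python
"""Added example: IGMPv2 Membership Report ("join") for the ADP group."""
import ipaddress
import struct

ADP_GROUP = "224.0.82.11"           # Alcatel Discovery Protocol group (from the manual)
IGMP_MEMBERSHIP_QUERY = 0x11        # RFC 2236 message types
IGMPV2_MEMBERSHIP_REPORT = 0x16
IGMPV2_LEAVE_GROUP = 0x17


def inet_checksum(data):
    """RFC 1071 checksum: ones-complement of the ones-complement sum of the
    16-bit big-endian words. Returns 0 when run over a message whose
    embedded checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type, group, max_resp_time=0):
    """Serialize an IGMPv2 message with a correct checksum."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not a multicast group" % group)
    body = struct.pack("!BBH4s", msg_type, max_resp_time, 0, addr.packed)
    return struct.pack("!BBH4s", msg_type, max_resp_time,
                       inet_checksum(body), addr.packed)


def parse_igmpv2(pkt):
    """Validate length and checksum, then return the decoded fields."""
    if len(pkt) != 8:
        raise ValueError("IGMPv2 messages are exactly 8 bytes")
    if inet_checksum(pkt) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, _, group = struct.unpack("!BBH4s", pkt)
    return {"type": msg_type, "max_resp_time": max_resp,
            "group": str(ipaddress.IPv4Address(group))}


def is_adp_join(pkt):
    """True only for a checksum-valid Membership Report for the ADP group."""
    try:
        msg = parse_igmpv2(pkt)
    except ValueError:
        return False
    return msg["type"] == IGMPV2_MEMBERSHIP_REPORT and msg["group"] == ADP_GROUP


if __name__ == "__main__":
    join = build_igmpv2(IGMPV2_MEMBERSHIP_REPORT, ADP_GROUP)
    print(join.hex(), parse_igmpv2(join), is_adp_join(join))
```

On the wire the report is the 8 bytes 16 00 b7 f3 e0 00 52 0b, carried in an IP packet addressed to 224.0.82.11 itself; seeing it from the switch confirms the multicast configuration took effect, and seeing it from any other host is worth investigating.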
Command-Line Interface
Web Interface
1. AOS-W requires Internet Explorer 6.0 or higher. Other browsers may work but
with limited functionality and are therefore not officially supported.
Figure: Web UI layout, with callouts for the Tool Bar, the Selected Tool, the
Logout Button, the Page Tree, the Selected Page, and the Page Display.
• Page Tree–Each tool has its own information or configuration pages and
  sub-pages.
The page tree lists all of the pages available when using the currently selected
tool. You can navigate to any of the listed pages by clicking on the page name.
NOTE—Some of the items in the page tree are merely headings for their sub-pages
and cannot be selected. Selectable pages become highlighted when the mouse
cursor is placed over them. Non-selectable items do not react.
Page Elements
Each tool in the Web UI has its own unique information or configuration
pages, each with specialized data and control fields. Some of the page items
appear on multiple pages in multiple tools and provide a similar navigation or
configuration function in each.
Navigation Items
• Scroll-bars–In some cases, there will be more fields than can be
  conveniently displayed on one window. When this occurs, standard Windows
  scroll-bars will be available to let you access the rest of the page.
• Page Tabs–Some pages feature a row of tabs near the top of the page display
  area. Each tab represents a different form available from the current page.
• Links–Items which are underlined are linked to other pages. By clicking on
  the item, the relevant item’s configuration or information page will be
  displayed.
Fields
• Information Fields–These fields are used only for displaying information.
  The data in these fields cannot be edited directly on the displayed screen.
• Data Entry Fields–Boxed text fields contain user-configurable data. To enter
  or edit the information, click inside the field box.
• Pull-down Menus–These fields allow you to select an item from a preset
  list. The currently selected item is displayed in the box. When the arrow
  button is selected, a list of available options appears. You can change the
  current selection by clicking on any item in the options list.
• Scrolling Menus–These fields allow you to select an item from a preset list.
  Use the scroll arrows to view the available options. To select a specific
  item from the list, click on the item when displayed.
Action Buttons
The following buttons are generally available on configuration pages.
• Apply–Accept all configuration changes made on the current page and send
  the completed form to the Wireless LAN switch.
• Clear–Reset all options on the current page to their last applied or saved
  settings.
• Add–Add a new item to the current page. This generally displays a set of
  relevant configuration fields for the added item.
• Edit–Edit the configuration of the selected item.
• Delete–Remove the selected item from the page configuration.
• Save Configuration–Save all configuration changes applied during this
  configuration session. Saved settings are retained when the switch is
  rebooted or turned off; applied but unsaved changes are permanently lost
  at the next reboot.
Telnet access requires that the switch management interface and default
gateway be defined. This is usually done during initial setup (see Step 3 on
page 11) but can also be done manually using the local serial console:
Logging In
Once connected, the system displays its host name (Alcatel if not
configured), followed by the login prompts. Log in using the administrator
account. For example:
(Alcatel)
user: admin
password: admin (the password is displayed as asterisks)
As shown above, the default administrator user name is admin, and the default
password is also admin. If the password has been changed, use the current
one. The default password is publicly documented, so change it during initial
setup, before the management interface is reachable over the network. When
properly logged in, the user mode CLI prompt is displayed:
(host) > _
Access Modes
Once logged in, there are two levels of access to the switch: user mode and
privileged mode.
• User Mode
User mode provides only limited access for basic operational testing, such as
running ping and traceroute. User mode is entered immediately upon login and
is shown with the following prompt:
(host) >
where host is the host name of the switch if configured, or Alcatel if not
configured.
• Privileged Mode
All configuration and management functions are available in privileged mode. To
move from user mode to privileged mode requires an additional password:
When successfully promoted to privileged mode, the > prompt is replaced by the
# prompt.
The numerous privileged mode commands are divided into groups according to
their context as outlined in the next section.
Command Context
The commands available while in the privileged mode are divided into a number
of context groups:
• Action Commands
The Action Commands take effect as soon as they are entered. They affect the
current behavior or operation of the switch, but are not saved as part of the
permanent configuration.
• Master Commands
One Alcatel Wireless LAN Switch on the network is responsible for loading
software and configuration files to the Alcatel Access Points and for managing
enhanced Wireless LAN switching features (such as air management and
wireless load balancing).
In a system with only one switch, the single switch always acts as the master.
In a system with more than one switch, one (and only one) switch is selected as
the master.
The master switch has an extended command set for handling Access Points
and enhanced Wireless LAN features. The master commands are documented
starting on page 797.
• Local Commands
In a system with two or more switches, only one acts as the master. The others
act as local switches with a more limited command set.
• Show Commands
The show commands list information about the switch configuration and
performance and are invaluable for debugging system configuration. The show
commands are documented starting on page 833.
Configuration changes made using the CLI affect only the current state of the
switch. Unless saved, the changes will be lost when the system is rebooted.
To save your changes so that they will be retained after a reboot, use the
following privileged mode CLI command:
(host) # write memory
There are two configuration images which can be viewed from the CLI:
• startup-config
This holds the configuration options which will be used the next time the
system is rebooted. It contains all the options last saved using the write memory
command. Presently unsaved changes are not included.
• running-config
This holds the current switch configuration, including all pending changes
which have yet to be saved.
Both configurations can also be saved to a file or sent to a TFTP server for
backup or transfer to another system. See “Making Configuration Backups”
on page 126 for details. TFTP transfers the file without authentication or
encryption, and the configuration contains credentials and keys, so perform
backups only over a trusted management network.
Shortcuts
Command Completion
To make command input easier, you can usually abbreviate each keyword in
the command. You need type only enough of each keyword to distinguish it
from similar commands. For example:
(Alcatel) # con t
As you type, you can press the spacebar or tab to move to the next keyword.
The system will then attempt to expand the abbreviation for you. If only one
command keyword matches the abbreviation, it will be filled in for you
automatically. If the abbreviation is too vague (too few characters), the
cursor will not advance and you must type more characters or use the help
feature to list the matching commands.
Command Help
You can use the question mark (?) to get various types of command help.
(host) > ?
(host) # c?
If more than one item is shown, type more of the keyword characters to
distinguish your choice. However, if only one item is listed, the keyword or
abbreviation is valid and you can press tab or the spacebar to advance to the
next keyword.
(host) # write ?
erase Erase and start from scratch
file Write to a file in the file system
memory Write to memory
terminal Write to terminal
<Enter>
The <Enter> entry (“carriage return,” or the enter key) indicates that the
command can be entered without additional parameters. Any other
parameters are optional.
Command History
The system records your most recently entered commands. You can review
the history of your actions, or reissue a recent command easily, without
having to retype it.
To view items in the command history, use the <up arrow> key to move back
through the list and the <down arrow> key to move forward. To reissue a specific
command, press <enter> when it appears. You can also use the command line
editing feature to make changes to the command prior to entering it.
Alphanumeric characters are always inserted into the line at the cursor
position.
Command Syntax
CLI commands use basic notations for the parameters that modify a
command. These include:
• Brackets [ ]–denotes that the object(s) inside are optional.
• Braces { }–denotes that the object(s) inside are required. If more than one
  object is included inside the braces, exactly one of the objects must be
  specified.
• Angles < >–denotes that the parameter is required and must be specified.
• Pipe |–separates two or more alternative parameters, one of which is
  chosen.
For example:
crypto ipsec transform-set <set name> {esp-des|esp-3des}
{esp-md5-hmac|esp-sha-hmac}
means you have to specify the set name, then choose either esp-des or
esp-3des, then choose either esp-md5-hmac or esp-sha-hmac. Of these
choices, esp-des (56-bit DES) and esp-md5-hmac are the weaker ones; prefer
esp-3des with esp-sha-hmac where the peer supports them.
In general, italics indicates a value you have to enter. For example address
means you have to specify an IP address or MAC address. You cannot just
enter “address”.
Bold, like no, means you enter that string. In this case, just type “no”.
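The abbreviation rules from "Command Completion" and the notation from "Command Syntax", as an added example that is not part of the Alcatel documentation: a small matcher that expands any unique keyword prefix (the "con t" case), rejects a prefix that matches several keywords just as the CLI refuses to advance the cursor, and checks a typed line against a spec written in the manual's [ ], { }, < > and | notation. The command table is a constructed stand-in assembled from the commands shown on this page, not the switch's real command tree.

```python
"""Added example: CLI keyword completion and syntax matching.

COMMANDS is a constructed stand-in, not the AOS-W command tree.
"""
import re

# <value>  required free-form value      {a|b}  required choice
# [a|b]    optional choice               word   literal keyword (abbreviable)
SPEC_TOKEN = re.compile(r"<[^>]+>|\{[^}]+\}|\[[^\]]+\]|\S+")

COMMANDS = [
    "configure terminal",
    "crypto ipsec transform-set <set name> {esp-des|esp-3des} "
    "{esp-md5-hmac|esp-sha-hmac}",
    "write [erase|file|memory|terminal]",
]


def expand(abbrev, choices):
    """Expand an abbreviation to the one choice it prefixes.
    Returns (expansion, matches); expansion is None when zero or several
    choices match. An exact keyword always wins over longer keywords."""
    choices = sorted(set(choices))
    if abbrev in choices:
        return abbrev, [abbrev]
    matches = [c for c in choices if c.startswith(abbrev)]
    return (matches[0] if len(matches) == 1 else None), matches


def match_command(spec, line):
    """Validate `line` against `spec`; returns (ok, expanded words or error)."""
    words, out, i = line.split(), [], 0
    for tok in SPEC_TOKEN.findall(spec):
        if tok.startswith("["):                 # optional: consume only if it fits
            if i < len(words):
                exp, _ = expand(words[i], tok[1:-1].split("|"))
                if exp is not None:
                    out.append(exp)
                    i += 1
            continue
        if i >= len(words):
            return False, "incomplete command: expected %s" % tok
        if tok.startswith("<"):                 # required value, taken verbatim
            exp = words[i]
        else:                                   # required choice or keyword
            choices = tok[1:-1].split("|") if tok.startswith("{") else [tok]
            exp, matches = expand(words[i], choices)
            if exp is None:
                what = "ambiguous" if matches else "unknown"
                return False, "%s keyword '%s' (candidates: %s)" % (
                    what, words[i], ", ".join(matches or choices))
        out.append(exp)
        i += 1
    if i != len(words):
        return False, "unexpected input: '%s'" % words[i]
    return True, out


def run(line, commands=COMMANDS):
    """Resolve the (possibly abbreviated) first keyword, then match the line."""
    words = line.split()
    if not words:
        return False, "empty command"
    exp, matches = expand(words[0], [c.split()[0] for c in commands])
    if exp is None:
        return False, "'%s' matches %s" % (words[0], ", ".join(matches) or "nothing")
    spec = next(c for c in commands if c.split()[0] == exp)
    return match_command(spec, line)


if __name__ == "__main__":
    for cmd in ("con t", "c", "crypto ipsec transform-set vpn1 esp-3 esp-sha",
                "crypto ipsec transform-set vpn1 esp- esp-sha", "write", "wr mem"):
        print("%-48s -> %s" % (cmd, run(cmd)))
```

Note that "esp-3" is accepted as esp-3des because it is the only alternative with that prefix, while "esp-" is rejected as ambiguous between esp-des and esp-3des; the same rule is what makes "c" on its own fail while "con t" succeeds.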
Design and Planning
RF Design
Getting Started
Installing RF Plan
To install RF Plan, follow the three steps below:
NOTE—RF Plan only runs on Windows 2000 and WindowsXP.
Launching RF Plan
To open RF Plan select: Start > All Programs > Alcatel Offline RF Plan> Alcatel RF
Plan.
RF Plan Basics
Page Summary
The following is a brief summary of the functionality of each of the pages in
RF Plan.
• Area Editor Page: Use this page to specify areas on each floor where
  coverage is not desirable or where Access Points/Air Monitors may not be
  physically deployed.
• Access Editor Page: Use this page to manually create, position, or
  configure Access Points or Air Monitors.
• AP Plan: The AP Plan page is used to initialize the position of Access
  Points and launch RF Plan’s positioning algorithm.
• AM Plan: The AM Plan page is used to initialize the position of Air
  Monitors and launch RF Plan’s positioning algorithm.
Page Fields
Each tool in RF Plan has its own unique information or configuration pages,
each with specialized data and control fields. Some of the page items appear
on multiple pages and provide a similar navigation or configuration function in
each.
• Information Fields–These fields are used only for displaying information.
  The data in these fields cannot be edited directly on the displayed screen.
• Data Entry Fields–Boxed text fields contain user-configurable data. To enter
  or edit the information, click inside the field box.
• Pull-down Menus–These fields allow you to select an item from a preset
  list. The currently selected item is displayed in the box. When the arrow
  button is selected, a list of available options appears. You can change the
  current selection by clicking on any item in the options list.
• Scrolling Menus–These fields allow you to select an item from a preset list.
  Use the scroll arrows to view the available options. To select a specific item
  from the list, click on the item when displayed.
• Check Boxes–These fields are represented as small squares in front of the
  item text. These fields allow you to turn items on or off by clicking on the
  check box. A feature or option will be turned on, selected, or enabled (as
  appropriate) when the box is checked. A feature or option will be turned
  off, unselected, or disabled when the box is empty.
• Radio Buttons–These fields are represented as small circles in front of the
  item text. When a group of these items appears together, only one can be
  selected at any given time. An item is selected when its circle is filled. An
  item is unselected when the circle is empty.
Navigation
The RF Plan tool is a wizard in that it logically guides you through the process
of defining radio coverage for all the buildings on your campus. The left pane
of the wizard screens shows the progression you follow each time you click
Apply. The button on the top, right corner also takes you to the next logical
step. You can also click the link on the left pane to go to any screen in the
wizard.
Regardless of your current location, you can always return to the opening
window by clicking Plan on the menu bar.
NOTE—Always Apply. If you advance to the next step without clicking on the
Apply button the information will be lost.
Opening Screen
When RF Plan opens, the browser window will show the default page: the RF
Plan Building List page.
You may add, edit, and delete buildings using this window. You may also
import and export buildings using the import and export buttons.
Using RF Plan
Task Overview
Before you begin, take a minute to review this section; it explains the general
steps in the order they should be taken to create a building and plan the
Wireless LAN for it.
• Gather information about your building’s dimensions and floor plan.
• Determine the level of coverage you want for your Access Points and Air
  Monitors.
• Create a new building and add its dimensions.
• Enter the parameters of your Access Point coverage.
• Enter the parameters of your Air Monitor coverage.
• Add floors to your building and import the floor plans.
• Define special areas.
• Generate suggested AP and AM tables by executing the AP/AM Plan
  features.
• Export the building.
Planning Requirements
You should collect the following information before beginning to plan your
network. Having the information below readily available will expedite your
planning efforts.
• Building dimensions
• Number of floors
• Distance between floors
• Number of users and number of users per AP
• Radio type(s)
• Overlap factor
• Desired data rates for access points
• Desired monitoring rates for air monitors
• Areas of your building(s) where you do not need coverage
• Areas of your building(s) where you do not want to, or cannot, deploy an
  AP or AM
• Any area where you want to deploy a fixed AP or AM
Planning worksheet:
  Building Dimensions   Height: ______  Width: ______  Number of Floors: ______
  User Information      Number of Users: ______  Users per AP: ______
                        Radio Types: ______  Overlap Factor: ______
  AP Desired Rates      802.11b|g: ______  802.11a: ______
  AM Desired Rates      802.11b|g: ______  802.11a: ______
The Overview page shows the default values for your new building, most of
which you can change in the following pages.
On the Building Overview page you will be able to view the specifications for
the following:
• Your building’s dimensions.
• Access Point modeling parameters.
• Air Monitor modeling parameters.
Enter the appropriate values in the text boxes in the Dimension window.
• Building ID: This consists of two decimal numbers separated by a dot. The
  first is the campus ID, which is always “1” if there is only one campus.
  The second is the building number.
• Maximum Width
• Maximum Height
When height and width are specified, RF Plan creates a rectangular area in the
Planning feature pages that represents the overall area covered by the building.
You will need to import an appropriate background image (see “Floor Editor
Page” on page 44) to aid you in defining areas that don’t require coverage or
areas in which you do not wish to deploy Access Points and Air Monitors
(see “Area Editor Page” on page 45).
Define your first building on this campus and click Apply. The AP Modeling
page displays.
AP Modeling Page
The AP Modeling page allows you to specify all the information necessary for
RF Plan to determine the appropriate placement of your APs.
Controls on this page allow you to select or control the following functions:
• Radio Type: Use this pull-down menu to specify the radio type in the
  appropriate combination of a, b, and/or g configuration.
• AP Type: Specify AP 52 or AP 60.
• Coverage: Use this option to let RF Plan automatically determine the
  number of APs based on desired data rates and the configuration of your
  building. The desired rate is selectable from 1 to 54 Mbps in both the
  Coverage and Capacity models.
• Capacity: Use this option to let RF Plan determine the number of APs based
  upon the total number of users, the ratio of users to APs, and the desired
  data rates.
• Custom: Use this option to simply specify a fixed number of APs.
• Overlap Factor: Use this field and pull-down to specify an overlap factor.
• Rates: Use these pull-downs to specify the data rates desired on your
  Access Points.
• Users/AP: Selectable for Capacity or Custom models.
• APs: Selectable for Capacity or Custom models.
Radio Type
Specify the radio type(s) of your APs using the pull-down Radio Type menu on
the Modeling Parameters page.
Available Radio Type Choices:
Overlap Factor
The Overlap Factor is the amount of signal area overlap that you want when
the APs are operating. Overlap is important if an AP fails: it allows the
network to self-heal, with adjacent APs powering up to assume some of the
load from the failed device. Although there may be no holes in coverage in this
scenario, there will likely be a loss of throughput. Increasing the overlap
allows for higher throughput when an AP has failed and leaves room for future
capacity as the number of users increases.
The valid range of values for the overlap factor is 100% to 1000%.
Users
NOTE—The Users text boxes are active only when the Capacity model is selected.
Enter the number of users you expect to have on your Wireless LAN in the
Users text box. Enter the number of users per access point you expect in the
Users/AP text box.
The numbers entered in these two text boxes must be non-zero integers
between 1 and 255 inclusive.
Rates
NOTE—The Rate pull-down menus are active only when the Coverage or Capacity
design models are selected.
Select the desired data rates from the pull-down menus for 802.11b/g and
802.11a.
AM Modeling Page
The AM Modeling page allows you to specify all the information necessary for
RF Plan to determine the appropriate placement of your AMs.
Controls on this page allow you to select or control the following functions:
• Monitor Rate: Use this pull-down menu to specify the desired monitor rate
  for your Air Monitors.
• AMs: Use this field to manually specify the number of Air Monitors to
  deploy (Custom Model only).
• Design Model: Use these radio buttons to specify a design model to use in
  the placement of Air Monitors.
Design Models
Two radio buttons on the page allow you to control the kind of model which
will be used to determine the number and placement of Air Monitors.
Design Model Radio Button Options:
NOTE—The monitor rates you select for the AMs should be less than the data
rates you selected for the APs. If you set the AM rate equal to the rate
specified for the AP of the corresponding PHY type, RF Plan allocates one AM
per AP. If you specify a monitor rate larger than the AP data rate, RF Plan
allocates more than one AM per AP.
Monitor Rates
Use the drop down menus to select the desired monitor rates for 802.11b/g
and 802.11a air monitors.
NOTE—This option is available only when the coverage design model is selected.
Buildings exported from RF Plan will be imported into an Alcatel switch and
used by the version of RF Plan that is integrated into the Web UI Software.
The exported building file contains all the data about the building(s) you
created using RF Plan. The integrated RF Plan in Web UI gives you the ability
to automatically configure the APs and AMs that are actually connected to the
switch using the Suggested AP and Suggested AM tables created by RF Plan.
(See, “AP Plan” on page 49 and “AM Plan” on page 51.)
Import Buildings
The Import Buildings page allows you to import configuration information
from an existing Alcatel switch so you can modify it for use on another switch
or in an another building.
Only XML files exported from an Alcatel switch or from Alcatel RF Plan may be
imported into RF Plan.
NOTE—Importing any other file, including XML files from other applications,
may produce unpredictable results.
Export Buildings
The Export Buildings page allows you to export the configuration of the
Wireless LAN you just created so that it may be imported into and used to
automatically configure your Alcatel switches.
When exporting a building file it is recommended that you check the Include
Images check box.
When naming your exported file, be sure to give the file the .XML file
extension.
Example: My_Building.XML
Planning Pages
Planning Floors Page
The Planning Floors page enables you to see what the footprint of your floors
look like. You can select or adjust the following features on the Planning
Floors Page.
Zoom
The Zoom control sets the viewing size of the floor image. It is adjustable in
fixed steps from 10% to 1000%. You may select a value from the pull-down
zoom menu or specify a value in the text box to the left of the pull-down. When
you specify a value, RF Plan adjusts the values in the pull-down to display a set
of values both above and below the value you typed in the text box.
Coverage
Select a radio type from the Coverage pull-down menu to view the
approximate coverage area for each of the APs that RF Plan has deployed in AP
Plan or AM Plan. Adjusting the Coverage values will help you understand how
the AP coverage works in your building.
NOTE—You will not see coverage circles displayed here until you have executed either
an AP Plan or an AM Plan.
Coverage Rate
Adjusting the coverage rate will also affect the size of the coverage circles for
AMs. Adjusting the rate values will help you understand how the coverage
works in your proposed building.
Naming
You may name the floor anything you choose as long as the name is an
alpha-numeric string with a maximum length of 64 characters. The name you
specify appears just to the right of the Floor Number displayed just above the
background image in the Planning view.
Background Images
A background image (floor plan image) may be imported into RF Plan for each
floor. A background image is extremely helpful when specifying areas where
coverage is not desired or areas where an AP/AM is not to be physically
deployed.
Select a background image using the Browse button on the Floor Editor Dialog.
• File Type and Size
Background images must be JPEG format and may not exceed 2048 x 2048
pixels in size. Attempting to import a file with a larger pixel footprint than that
specified here will result in the image not scaling to fit the image area in the
floor display area.
NOTE—Because the background images for your floors are embedded in the XML file
that defines your building, you should strongly consider minimizing the file size
of the JPEGs you use for your backgrounds. You can minimize the file size by
selecting the maximum compression (lowest quality) in most graphics programs.
• Image Scaling
Images are scaled (stretched) to fit the display area. The display area aspect
ratio is determined by the building dimensions specified on the Dimension
page.
Open the Area Editor by clicking on the New link in the Areas field just below
the area where the background image is displayed.
You specify these areas by placing them on top of the background image
using the Area Editor.
Naming
You may name an area using an alpha-numeric string of characters with a
maximum length of 64 characters. You should give areas some meaningful
name so that they are easily identified.
For example: If you defined your building to be 200 feet wide and 400 feet
long, the coordinates of the upper right-hand corner would be (199, 399).
NOTE—Remember, the location is zero based, so the values range from 0 to (height-1
and width-1).
You may also use the drag and drop feature of the Area Editor to drag your
area to where you want it and resize it by dragging one or more of the handles
displayed in the corners of the area.
Naming
RF Plan automatically names APs using the default convention “a” followed by a
number (a1, a2, and so on). It assigns the number starting at 1 and increasing by
one for each new AP. When you manually create an AP, that new AP is assigned the
next “a” number in sequence and added to the bottom of the suggested AP list.
You may name an Access Point anything you wish. The name must be
comprised of alpha-numeric characters and be 64 characters or less in length.
Location
The physical location of the AP is specified by X-Y coordinates with the origin
(0,0) at the lower left corner of the display area. The numbers you specify in the
X and Y text boxes are whole units. X coordinates increase as a point moves from
left to right across the display, and Y coordinates increase as a point moves up
the display.
Figure: coordinate example on a floor 418 ft. wide (X axis) and 262 ft. deep (Y
axis), with the origin (0,0) at the lower left and a point plotted at X=126, Y=98.
Fixed
Fixed APs don’t move when RF Plan executes the positioning algorithm.
NOTE—You might typically set an AP as fixed when you have a specific room, such
as a conference room, in which you want saturated coverage. You might also
want to consider using a Fixed AP when you have an area that has an unusually
high user density.
Choose Yes or No from the drop down box. Choosing Yes will lock the
position of the AP as it is shown in the coordinate boxes of the Access Editor.
Choosing No will allow RF Plan to move the AP as necessary to achieve best
performance.
PHY Types
The PHY Type drop down menu allows you to specify what radio mode the
AP will use. You may choose from one of the following:
- 802.11a/b/g
- 802.11a
- 802.11b/g
802.11 Types
The 802.11 b/g and 802.11a Type drop down boxes allow you to choose the
mode of operation for the access point. You may choose to set the mode of
operation to access point (Alcatel AP) or Air Monitor.
802.11 Channels
The 802.11a and 802.11b/g channel drop down menus allow you to select
from the available channels.
802.11b/g channels are numbered consecutively from 1 through 14. Channel 1 is
centered at 2.412 GHz and the centers of channels 2 through 13 follow in 5 MHz
steps (channel 13 is 2.472 GHz); channel 14, at 2.484 GHz, sits 12 MHz above
channel 13. Each channel occupies roughly 22 MHz, so adjacent channels overlap
and only channels spaced five apart (for example 1, 6 and 11) do not. Which
channels may be used depends on the regulatory domain.
Memo
The Memo text field allows you to enter notes regarding the access point. You
may enter a maximum of 256 alpha-numeric characters in the Memo field.
AP Plan
The AP Plan feature uses the information entered in the modeling pages to
locate access points in the building(s) you described.
Initialize
Initialize the Algorithm by clicking on the Initialize button. This makes an initial
placement of the access points and prepares RF Plan for the task of
determining the optimum location for each of the APs. As soon as you click
the Initialize button you will see the AP symbols appear on the floor plan.
Access points are represented by this symbol.
Colored circles around the AP symbols on the floor plan indicate the
approximate coverage of the individual AP and the color of the circle
represents the channel on which the AP is operating. The circles appear when
you select an approximate coverage value on one of the Floors pages. You may
also click on an AP icon and drag it to manually reposition it.
Start
Click on the Start button to launch the optimizing algorithm. You will see the
AP symbols moving on the page as RF Plan finds the optimum location for
each.
The process may take several minutes. You may watch the progress on the
status bar of your browser. The algorithm will stop when the movement is less
than a threshold value calculated based on the number of APs. The threshold
value may be seen in the status bar at the bottom of the browser window.
The Suggested AP Table lists the coordinates, location, power setting, and
channel for each of the APs that are shown in the floor plan.
AM Plan
The AM Plan feature calculates the optimum placement for your air monitors
(AMs).
Initialize
Initialize the Algorithm by clicking on the Initialize button. This makes an initial
placement of the air monitors and prepares RF Plan for the task of determining
the optimum location for each of the AMs. As soon as you click the Initialize
button you will see the AM symbols appear on the floor plan. Air Monitors are
represented by this symbol.
Start
Click on the Start button to launch the optimizing algorithm. You will see the
AM symbols moving on the page as RF Plan finds the optimum location for
each.
The process may take several minutes. You may watch the progress on the
status bar of your browser. The algorithm will stop when the movement is
less than a threshold value calculated based on the number of AMs. The
threshold value may be seen in the status bar at the bottom of the browser
window.
The results of the optimizing algorithm may be viewed two ways: graphically and
in a table of suggested AMs. You may obtain information about a specific AM
by placing the cursor over its symbol. An information box appears containing
information about the exact location, PHY type, channel, power, etc.
The Suggested AM Table lists the coordinates, location, power setting, and
channel for each of the AMs that are shown in the floor plan.
Locating Devices
To find a specific device, for example by MAC address or ESSID, click Locate
on the main menu (Building List). AOS-W locates devices by triangulation.
By default, Alcatel Wireless LAN Switches and Access Points treat ports as
being untrusted. However, certain ports are open by default. To maintain
security, these default open ports are only open on the trusted side of the
network. These open ports are listed in Table 5-1 below.
Table 5-1  Default Open Ports

Port  Proto  Where Used                  Description
17    TCP    Wireless LAN Switch         Used for certain types of VPN clients that accept a
                                         banner (QOTD). During normal operation this port only
                                         accepts a connection and immediately closes it.
21    TCP    Wireless LAN Switch         FTP server for AP6X software download.
22    TCP    Wireless LAN Switch         SSH.
23    TCP    AP and Wireless LAN Switch  Telnet. Disabled by default, but the port is still open.
53    UDP    Wireless LAN Switch         Internal domain (DNS).
67    UDP    AP (and Wireless LAN        DHCP server.
             Switch if a DHCP server
             is configured)
68    UDP    AP (and Wireless LAN        DHCP client.
             Switch if a DHCP server
             is configured)
69    UDP    Wireless LAN Switch         TFTP.
80    TCP    AP and Wireless LAN Switch  HTTP. Used for remote packet capture where the capture
                                         is saved on the Access Point. Provides access to the
                                         WebUI on the Wireless LAN Switch.
123   UDP    Wireless LAN Switch         NTP.
161   UDP    AP and Wireless LAN Switch  SNMP. Disabled by default.
443   TCP    Wireless LAN Switch         Used internally for captive portal authentication
                                         (HTTPS) and exposed to wireless users. A default
                                         self-signed certificate is installed after the user
                                         explicitly selects this port to be open. Production
                                         environments should install a certificate from a
                                         well-known CA such as VeriSign; self-signed
                                         certificates are open to man-in-the-middle attacks
                                         and should only be used for testing.
500   UDP    Wireless LAN Switch         ISAKMP.
514   UDP    Wireless LAN Switch         Syslog.
1701  UDP    Wireless LAN Switch         L2TP.
1723  TCP    Wireless LAN Switch         PPTP.
2300  TCP    Wireless LAN Switch         Internal terminal server opened by the telnet soe
                                         command.
3306  TCP    Wireless LAN Switch         Remote wired MAC lookup.
4343  TCP    Wireless LAN Switch         HTTPS (WebUI). A port different from 443 is used so as
                                         not to conflict with captive portal. Same self-signed
                                         certificate caveat as port 443.
4500  UDP    Wireless LAN Switch         sae-urn (IPSec NAT traversal).
8080  TCP    Wireless LAN Switch         Used internally for captive portal authentication
                                         (HTTP proxy). Not exposed to wireless users.
8081  TCP    Wireless LAN Switch         Used internally for captive portal authentication
                                         (HTTPS). Not exposed to wireless users. Same
                                         self-signed certificate caveat as port 443.
8082  TCP    Wireless LAN Switch         Used internally for single sign-on authentication
                                         (HTTP). Not exposed to wireless users.
8083  TCP    Wireless LAN Switch         Used internally for single sign-on authentication
                                         (HTTPS). Not exposed to wireless users.
8088  TCP    Wireless LAN Switch         Internal.
8200  UDP    Wireless LAN Switch         Alcatel Discovery Protocol (ADP).
8211  UDP    Wireless LAN Switch         Internal.
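The table above is a baseline a reviewer can check a deployment against: anything listed as internal or "not exposed to wireless users" should not answer from the wireless side, and anything not in the table needs an explanation. The following script is an added example (reviewer tooling, not part of this reference or of AOS-W). It parses one "Host:" line of nmap grepable output (-oG), compares the open ports with Table 5-1, and reports what should not be reachable from the vantage point the scan was run from. The baseline is transcribed from the table; the two scan lines at the bottom are constructed, not captured from a real switch, and the list of cleartext management services to flag is the reviewer's own policy rather than a rule from the reference.

```python
import re
from typing import Dict, List, Tuple

# (protocol, port) -> service, transcribed from Table 5-1.
DEFAULT_OPEN: Dict[Tuple[str, int], str] = {
    ("tcp", 17): "QOTD banner for VPN clients",
    ("tcp", 21): "FTP (AP6X software download)",
    ("tcp", 22): "SSH",
    ("tcp", 23): "Telnet (disabled by default, port still open)",
    ("udp", 53): "internal domain",
    ("udp", 67): "DHCP server",
    ("udp", 68): "DHCP client",
    ("udp", 69): "TFTP",
    ("tcp", 80): "HTTP (WebUI, remote packet capture)",
    ("udp", 123): "NTP",
    ("udp", 161): "SNMP (disabled by default)",
    ("tcp", 443): "captive portal HTTPS",
    ("udp", 500): "ISAKMP",
    ("udp", 514): "syslog",
    ("udp", 1701): "L2TP",
    ("tcp", 1723): "PPTP",
    ("tcp", 2300): "internal terminal server",
    ("tcp", 3306): "remote wired MAC lookup",
    ("tcp", 4343): "WebUI HTTPS",
    ("udp", 4500): "sae-urn",
    ("tcp", 8080): "captive portal HTTP proxy (internal)",
    ("tcp", 8081): "captive portal HTTPS (internal)",
    ("tcp", 8082): "single sign-on HTTP (internal)",
    ("tcp", 8083): "single sign-on HTTPS (internal)",
    ("tcp", 8088): "internal",
    ("udp", 8200): "Alcatel Discovery Protocol",
    ("udp", 8211): "internal",
}

# The only default port the table describes as exposed to wireless users.
EXPOSED_TO_WIRELESS = {("tcp", 443)}

# Cleartext management services worth flagging from any vantage point.
# Assumption: reviewer's own policy, not a rule from the reference.
CLEARTEXT_MGMT = {("tcp", 21), ("tcp", 23), ("tcp", 80)}

# Grepable format lists each port as port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")


def parse_grepable(line: str) -> Tuple[str, List[Tuple[str, int]]]:
    """Return (host, [(proto, port), ...]) from one nmap -oG 'Host:' line."""
    host = line.split()[1]
    ports = [(proto, int(port)) for port, proto in PORT_RE.findall(line)]
    return host, ports


def audit(line: str, vantage: str) -> List[str]:
    """vantage is 'wireless' (untrusted side) or 'trusted'."""
    host, ports = parse_grepable(line)
    findings = []
    for key in ports:
        proto, port = key
        if key not in DEFAULT_OPEN:
            findings.append(f"{host} {port}/{proto}: open but not in Table 5-1")
        elif vantage == "wireless" and key not in EXPOSED_TO_WIRELESS:
            findings.append(f"{host} {port}/{proto}: {DEFAULT_OPEN[key]} "
                            "reachable from the untrusted side")
        if key in CLEARTEXT_MGMT:
            findings.append(f"{host} {port}/{proto}: cleartext management "
                            "service, disable or restrict it")
    return findings


# Constructed scan lines (not real output): one taken from a wireless client,
# one from the trusted management network.
SCAN_FROM_WIRELESS = ("Host: 10.20.0.1 ()\tPorts: 22/open/tcp//ssh///, "
                      "443/open/tcp//https///, 4343/open/tcp//https///, "
                      "8081/open/tcp//blackice-icecap///\tIgnored State: closed (996)")
SCAN_FROM_TRUSTED = ("Host: 10.1.1.1 ()\tPorts: 22/open/tcp//ssh///, "
                     "23/open/tcp//telnet///, 9000/open/tcp//cslistener///")

if __name__ == "__main__":
    for finding in audit(SCAN_FROM_WIRELESS, "wireless") + audit(SCAN_FROM_TRUSTED, "trusted"):
        print(finding)
```

Run the wireless-side scan with nmap -oG - from a client on the untrusted SSID and the trusted-side scan from the management network; note that nmap scans TCP only unless -sU is given, so the UDP rows of the table need a separate scan.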
User Roles
Role Design
The role of a wireless user determines a number of access policies, including
firewall/traffic policies, bandwidth contracts, IP address pool, VLAN
assignment, and VPN dialer. The role is determined through some type of
authentication mechanism, and can be as simple as “employee” versus
“guest”, or more granular such as “sales user, marketing user, finance user, IT
staff”. The selection of a role framework is an important design decision.
Role Configuration
To manage user roles, navigate to Configuration > Security > Roles. Current roles
will be displayed, as shown in the figure below.
To edit an existing role, click Edit. To add a new role, click Add as shown in the
figure below.
user-role IT-staff
dialer IT-staff
pool l2tp pool3
pool pptp pool3
session-acl allowall
!
user-role guest
bandwidth-contract guest-1M
vlan 2
reauthentication-interval 30
session-acl Internet_Only
Traffic policies are often confused with access control lists (ACLs), but the two
have some major differences:
Traffic policies are stateful, meaning they understand flows in a network and
keep track of the state of sessions. If a policy is enabled to allow telnet
outbound from a client, a traffic policy will understand that inbound traffic
associated with that session should be allowed. ACLs have no memory of
what came before – at best, ACLs can look at the “SYN” flag in a TCP packet,
treating the session as new if the flag is set and treating the session as
“established” if it is not. This works for “normal” traffic but is ineffective
against many types of attack traffic.
Traffic policies in an Alcatel Wi-Fi switch are dynamic, meaning that address
information in the rules can change as the policies are applied to users. For
example, a traffic policy containing the alias “user” can be created. After the
policy is applied to a particular user, this alias is automatically changed to
match the IP address assigned to the user. An ACL is typically a static packet
filter, with IP addresses hard coded into the rule.
Traffic policies are bi-directional. While ACLs are normally applied either to
traffic inbound to an interface or outbound from an interface, traffic policies
automatically work in both directions. Traffic policy configuration can be
simpler than ACL configuration for this reason, since the administrator does
not need to worry about building consistent input and output ACLs.
To edit or delete existing policies, click the appropriate button. Note that some
policies are system policies and cannot be deleted. The Policy Usage column
will display which user roles currently have a policy applied – if a policy is in
use, it cannot be deleted. To delete a policy that is in use, first edit the user role
and delete the policy, then return to the policies screen to delete it.
To add a new policy, click the Add button. The “Add New Policy” screen
appears, as shown in the figure below. Supply a descriptive name for the new
policy, and click Add under Rules to begin adding rules.
Source/Destination
Identical parameters are available for both source and destination selection.
Traffic policies are bi-directional, and will match traffic in either direction. A
packet will match a particular rule in the traffic policy only if the rule is matched
exactly, meaning that source address, destination address, and service all
match. However, traffic policies are stateful. For example, when a wireless
user generates a DNS request to a DNS server, the traffic policy will
automatically create a session entry for the response so that the response will
be permitted. Because traffic policies are stateful, it is not necessary to
configure separate rules for inbound and outbound traffic. All packets that
match an identified flow will receive the same treatment by the traffic policy.
User – Alias that represents the user’s IP address. When a traffic policy
containing the “user” alias is applied to an authenticated user, this alias is
replaced by the IP address assigned to that user. With this alias, generic traffic
policies can be configured that will automatically be customized at the time of
user login.
Service
Traffic flows are identified in part by their service type. A service type may be
defined by IP protocol number, TCP port number(s), or UDP port number(s).
Four options are available for service selection:
Service – Matches a pre-defined service alias, and also provides the ability to
create a new service alias by clicking the “New” button. The use of a service
alias allows for a more easily readable and understandable policy. For more
information about service aliases, please see the section of this guide entitled
“Service Aliases”.
Action
The traffic policy action defines what the disposition of packets matching the
rule will be. Five options are available:
Src-nat – Changes the source IP address of the packet. If no source NAT pool
is specified, the packet will be given the source IP address of the Alcatel
switch. If a NAT pool is specified, the packet will be given an IP address from
the NAT pool. Add a new NAT pool by clicking New, or manage NAT pools by
navigating to Configuration > Security > Advanced > NAT Pools.
Redirect – The redirect action does not modify the packet, but changes the
internal destination of the packet. This action is configured automatically by
the system when Stateful 802.1x is enabled. This action can also be
configured by the administrator to redirect packets to tunnel interfaces.
Log
If the “Log” option is checked, all packets matching the rule will be recorded in
the system logfile. Use caution when enabling this option for high-volume
traffic, since the logfile will quickly grow very large.
Queue
Select this action to place packets outbound to wireless users in either a high
or low priority queue. AOS-W uses strict queueing, meaning that any time
packets are waiting in the high priority queue, they will be transmitted ahead of
packets in the low priority queue.
Rule Ordering
After rules have been defined the order of rules may be changed by clicking on
the up arrow or down arrow next to each rule, as shown in the figure below.
The order of rules is important, since policies are executed from the first rule
sequentially to the last rule.
CLI Configuration
All CLI configuration for traffic/firewall policies is done under the ip
access-list session command. Equivalent CLI configuration for the example
shown above is:
ip access-list session Internet_Only
user alias Internal_Network svc-dhcp permit
user alias Internal_Network svc-dns permit
user alias Internal_Network any deny
user any svc-http permit
user any svc-https permit
user any svc-ike permit
user any any deny
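The following is an added example, not AOS-W code: a small model of how a session ACL such as Internet_Only above is evaluated. It illustrates the three properties described in the earlier comparison with ACLs and under Source/Destination: the “user” alias is bound to the client’s IP address when the role is applied, rules are tried from top to bottom with the first match deciding (and an implicit deny after the last rule), and a permitted flow creates a session entry so the reply direction passes without a separate inbound rule. Two assumptions are made: the Internal_Network alias is taken to cover the RFC 1918 ranges, and the svc-* aliases are mapped to the ports listed in SERVICES.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

SERVICES = {  # service alias -> (protocol, destination ports); assumed mapping
    "svc-dhcp": ("udp", {67, 68}),
    "svc-dns": ("udp", {53}),
    "svc-http": ("tcp", {80}),
    "svc-https": ("tcp", {443}),
    "svc-ike": ("udp", {500}),
}

NET_ALIASES = {  # assumed contents of the Internal_Network destination alias
    "Internal_Network": [ipaddress.ip_network(n) for n in
                         ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}

# ip access-list session Internet_Only, one tuple per rule:
# (source, destination, service, action)
INTERNET_ONLY = [
    ("user", "alias Internal_Network", "svc-dhcp", "permit"),
    ("user", "alias Internal_Network", "svc-dns", "permit"),
    ("user", "alias Internal_Network", "any", "deny"),
    ("user", "any", "svc-http", "permit"),
    ("user", "any", "svc-https", "permit"),
    ("user", "any", "svc-ike", "permit"),
    ("user", "any", "any", "deny"),
]

Packet = Tuple[str, str, str, int, int]  # (proto, src, dst, sport, dport)


class SessionAcl:
    def __init__(self, rules: List[Tuple[str, str, str, str]], user_ip: str):
        self.rules = rules
        self.user_ip = user_ip          # what "user" expands to for this client
        self.sessions: Set[Packet] = set()

    def _addr_match(self, spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        if spec == "user":
            return addr == self.user_ip
        if spec.startswith("alias "):
            ip = ipaddress.ip_address(addr)
            return any(ip in net for net in NET_ALIASES[spec.split()[1]])
        return ipaddress.ip_address(addr) == ipaddress.ip_address(spec)

    @staticmethod
    def _svc_match(spec: str, proto: str, dport: int) -> bool:
        if spec == "any":
            return True
        svc_proto, ports = SERVICES[spec]
        return proto == svc_proto and dport in ports

    def check(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, rule number); the number is None when the decision
        came from the session table or from the implicit deny."""
        proto, src, dst, sport, dport = pkt
        # Stateful part: either direction of an established flow passes.
        if pkt in self.sessions or (proto, dst, src, dport, sport) in self.sessions:
            return "permit", None
        for number, (s, d, svc, action) in enumerate(self.rules, start=1):
            if (self._addr_match(s, src) and self._addr_match(d, dst)
                    and self._svc_match(svc, proto, dport)):
                if action == "permit":
                    self.sessions.add(pkt)
                return action, number
        return "deny", None  # implicit deny after the last rule
```

Note how rule ordering matters: an HTTP request to an internal host is denied by rule 3 before rule 4 could permit it, and an unsolicited packet from the Internet to the client matches no rule at all because its source is not “user”, so it falls through to the implicit deny.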
To add traffic policies to ports using the CLI, use the following format:
interface fastethernet 2/13
ip access-group guest session
Firewall Policies
This section provides an ordered list of traffic policies applied to the user role.
Traffic policies are executed in order, with an implicit “deny all” after the final
policy. For more information on firewall and traffic policies, see the section
entitled “Firewall and Traffic Policies.”
Three options are available when adding new traffic policies to a user role:
Choose from Configured Policies – Select this option to apply a traffic policy
already configured in the system. By default, the policy will be applied to the
user role regardless of where the user is physically located (indicated by
Location 0.0.0). However, if the policy only applies while the user is associated
to a particular AP or is located in a particular building or floor, fill in the
“Location” field on this line. See the chapter entitled “Wireless LAN
Configuration – Advanced Location-Based AP Configuration” for more
information on location codes.
Create New Policy From Existing Policy – Select this option to create a new
traffic policy by copying an existing one. The next screen will allow
modification of the newly created policy as well as selection of a location
code. See the section entitled “Firewall and Traffic Policies” for information on
building traffic policies.
Create New Policy – Create an entirely new traffic policy. The next screen will
allow editing of the newly created policy as well as selection of a location
code. See the section entitled “Firewall and Traffic Policies” for information on
building traffic policies.
Multiple traffic policies may be applied to a user role. When multiple traffic
policies are applied, they behave as a single policy – that is, once a rule is
matched in the policy and action is taken, no further rules are processed in the
policy. Rules are executed from top to bottom, so the placement of rules
within a policy and of policies within a user role is important. When multiple
traffic policies are applied to a user role, their position within the role may be
adjusted using the up and down arrows, as shown in the figure below.
VPN Dialer – If VPN is used as an access method, a user may login using
captive portal and download a customized VPN “dialer”. This dialer is a
Windows application that configures the VPN client built into Microsoft
Windows 2000 and Windows XP. The VPN dialer may be customized based on
the user role. This parameter specifies which customization profile should be
available for download to users who are part of this user role. See the section
entitled “Configuring VPN Settings” for more information on setting up VPN
dialers.
L2TP Pool – If VPN is used as an access method, specifies which address pool
the user’s IP address should be assigned from when the user negotiates an
L2TP/IPSec session. Address pools are configured under Configuration >
Security > VPN Settings > IPSec > Address Pools. See the section entitled
“Configuring VPN Settings” for more information on setting up L2TP/IPSec.
PPTP Pool – If VPN is used as an access method, specifies which address pool
the user’s IP address should be assigned from when the user negotiates a
PPTP session. Address pools are configured under Configuration > Security >
VPN Settings > PPTP > Address Pools. See the section entitled “Configuring VPN
Settings” for more information on setting up PPTP.
physical port basis, MAC address ACLs and Ethertype ACLs are both
available. All ACL configuration is done through the CLI – because these
options are not often used, no GUI configuration is available.
Standard ACLs
A standard ACL permits or denies traffic based on the source IP address of
the packet. Standard ACLs can be either named or numbered, with valid
numbers in the range of 1 to 99 and 1300 to 1399. Standard ACLs use a
bitwise mask (sometimes inaccurately called an “inverse netmask”) to specify
which portion of the address should be matched.
Sample configuration:
ip access-list standard 1
permit 1.0.0.0 0.255.255.255
permit host 10.1.1.3
deny any
The example above permits any traffic from the subnet 1.0.0.0/8. It also
permits traffic from a host with IP address 10.1.1.3. All other traffic is denied.
Extended ACLs
Extended ACLS permit or deny traffic based on source or destination IP
address, source or destination port number, or IP protocol. Extended ACLs
can be named or numbered, with valid numbers in the range of 100 to 199 and
2000 to 2699. The command syntax follows standard Cisco IOS conventions,
and extensive context-sensitive help is available by pressing the ? key after
each keyword entry.
Sample configuration:
ip access-list extended 101
permit tcp any host 1.1.1.1 range 67 69
The example above permits TCP traffic from any host to 1.1.1.1 on ports 67
through 69. It also permits ICMP echo-replies from the 1.1.1.0/24 subnet to
any network.
MAC ACLs
A MAC ACL is used to filter on a specific source MAC address or range of
MAC addresses. MAC ACLs can be either named or numbered, with valid
numbers in the range of 700 to 799 and 1200 to 1299.
Sample configuration:
ip access-list mac 700
permit host 00:01:01:04:cf:b2
permit 00:03:01:00:00:00 ff:ff:ff:00:00:00
Ethertype ACLs
Ethertype ACLs are used to filter based on the ethertype field in the frame
header. These ACLs could be used, for example, to permit IP while blocking
other non-IP protocols such as IPX or AppleTalk. Ethertype ACLs can be named
or numbered, with valid numbers in the range of 200 to 299.
Sample configuration:
ip access-list eth IP-only
permit 2048
The above ACL permits only IP traffic. IP is ethertype 0x800 (hex) or 2048
(decimal). The ethertype can also be entered in hex using “0x” to precede the
ethertype value.
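The standard, MAC and ethertype ACLs above each match on a mask, and the two mask conventions are easy to confuse. The following is an added example (not AOS-W code) that applies them the way the sample configurations describe: an IP wildcard mask has 1 bits where the address may differ, so 0.255.255.255 covers 1.0.0.0/8, whereas a MAC mask has 1 bits where the address must match, so ff:ff:ff:00:00:00 fixes the OUI. The ethertype parser accepts decimal or 0x-prefixed hex as the text says the CLI does. Each list ends with the implicit deny. The three ACLs are the sample configurations from this section; the addresses fed to them in the test are constructed.

```python
import ipaddress
from typing import Callable, List, Tuple


def ip_wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Standard ACL: wildcard bits set to 1 are ignored, 0 bits must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (b & keep)


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)


def mac_mask_match(addr: str, base: str, mask: str) -> bool:
    """MAC ACL: mask bits set to 1 must match (opposite of the IP wildcard)."""
    m = mac_to_int(mask)
    return (mac_to_int(addr) & m) == (mac_to_int(base) & m)


def parse_ethertype(text: str) -> int:
    """The CLI accepts decimal (2048) or hex with a 0x prefix (0x800)."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def parse_standard(lines: List[str]) -> List[Tuple[str, str, str]]:
    """permit/deny {any | host A | A WILDCARD} -> (action, base, wildcard)."""
    entries = []
    for line in lines:
        parts = line.split()
        action = parts[0]
        if parts[1] == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif parts[1] == "host":
            entries.append((action, parts[2], "0.0.0.0"))
        else:
            entries.append((action, parts[1], parts[2]))
    return entries


def parse_mac(lines: List[str]) -> List[Tuple[str, str, str]]:
    """permit/deny {host MAC | MAC MASK} -> (action, base, mask)."""
    entries = []
    for line in lines:
        parts = line.split()
        if parts[1] == "host":
            entries.append((parts[0], parts[2], "ff:ff:ff:ff:ff:ff"))
        else:
            entries.append((parts[0], parts[1], parts[2]))
    return entries


def parse_eth(lines: List[str]) -> List[Tuple[str, int]]:
    return [(parts[0], parse_ethertype(parts[1]))
            for parts in (ln.split() for ln in lines)]


def decide(entries, matcher: Callable[..., bool], *packet_fields) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for action, *spec in entries:
        if matcher(*packet_fields, *spec):
            return action
    return "deny"


# The three sample ACLs from this section.
STANDARD_1 = parse_standard(["permit 1.0.0.0 0.255.255.255",
                             "permit host 10.1.1.3", "deny any"])
MAC_700 = parse_mac(["permit host 00:01:01:04:cf:b2",
                     "permit 00:03:01:00:00:00 ff:ff:ff:00:00:00"])
ETH_IP_ONLY = parse_eth(["permit 2048"])


def standard_decide(src_ip: str) -> str:
    return decide(STANDARD_1, ip_wildcard_match, src_ip)


def mac_decide(src_mac: str) -> str:
    return decide(MAC_700, mac_mask_match, src_mac)


def eth_decide(ethertype: int) -> str:
    return decide(ETH_IP_ONLY, lambda got, want: got == want, ethertype)
```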
All strong authentication methods (meaning that the user identity is validated)
must use some type of authentication server. In an Alcatel switch, the
authentication server may be an internal database, or may be an external
RADIUS or LDAP server. MAC address “authentication” also can make use of
an authentication server, simplifying access control when many
MAC-authenticated devices (such as VoIP handsets) are used in a network.
User Idle Timeout – Determines the maximum amount of time a user may
remain idle before being deauthenticated and removed from the system. The
default is 5 minutes.
RADIUS
RADIUS is the most commonly used type of authentication server. RADIUS is
flexible, extensible, and has a high degree of interoperability. To configure
RADIUS server settings navigate to Configuration > Security > AAA Servers >
RADIUS, as shown in the figure below.
Server Name – Supply a human-readable name for the RADIUS server. This
name will be referenced in other parts of the configuration when this RADIUS
server is used.
Shared Secret – Each RADIUS client-server pair must use a shared secret.
Treat this shared secret as a password, and ensure that it is not an
easily-guessed word. Ensure that the shared secret is configured identically
on the RADIUS server.
Authentication Port – Specifies the UDP port number over which RADIUS
exchanges will take place. The default is 1812 – this value is typically used by
most modern RADIUS implementations.
Num Retries – Specifies the number of times that the Alcatel switch will send
authentication requests without receiving a reply.
Timeout – Specifies how long, in seconds, the Alcatel switch will wait for a
response from the RADIUS server for each request sent.
Server Rules
For each authentication server used by the system, a server rule may be
configured to specify how role and VLAN information is determined. Role and
VLAN determination may be done simply by specifying a default value per
authentication type, or the information may be learned from the authentication
server through a RADIUS attribute. Any attribute may be used – the server rule
specifies how that attribute is mapped into a role or VLAN. Server rules are
executed in order, and multiple server rules may be configured for each
authentication server. To add a new server rule, click the “Add” button.
Rule Type – Specifies if the server rule is used to determine role assignment or
VLAN assignment.
Condition – Specifies how the system will match the attribute. If the condition
is set to “value-of”, the contents of the attribute are used literally as the
role or VLAN assignment. For example, if the attribute is set to “Filter-ID” and
the condition is set to “value-of”, a RADIUS server that returns the value
“IT-Staff” inside the Filter-ID attribute sets the user’s role to “IT-Staff”.
Value – If the condition is set to any option other than “value-of”, the value
specifies what the contents of the attribute should be in order to match the
rule. For example, if the attribute is set to “Filter-ID”, the condition is set to
“equals”, and the value is set to “IT”, a role can be selected when the RADIUS
server returns the Filter-ID attribute containing the value “IT”.
Role/VLAN – Specifies the role or VLAN that will be set if the rule is matched.
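The following is an added example, not AOS-W code: an evaluator for an ordered list of server rules of the kind described above, run against the attributes of a constructed Access-Accept. A rule is (type, attribute, condition, value, result); “value-of” uses the attribute contents as the role or VLAN, any other condition compares the contents with the configured value and assigns the configured result. The example makes several assumptions beyond what the text states: rules are evaluated in order and the first match for each type (role, VLAN) wins; the conditions other than value-of and equals are illustrative; the VLAN attribute name follows RFC 3580 (Tunnel-Private-Group-Id); and a value-of role is accepted only if it names a role that is actually configured, so an authentication server cannot hand a user an arbitrary role name.

```python
from typing import Dict, Iterable, List, Optional, Tuple

Rule = Tuple[str, str, str, Optional[str], Optional[str]]

# Match conditions. Only "value-of" and "equals" are described in the text;
# the rest are assumed for illustration.
CONDITIONS = {
    "equals": lambda actual, value: actual == value,
    "not-equals": lambda actual, value: actual != value,
    "contains": lambda actual, value: value in actual,
    "starts-with": lambda actual, value: actual.startswith(value),
    "ends-with": lambda actual, value: actual.endswith(value),
    "value-of": lambda actual, value: True,
}


def derive(rules: List[Rule], attrs: Dict[str, str], defaults: Dict[str, str],
           known_roles: Iterable[str]) -> Dict[str, str]:
    """Return {'role': ..., 'vlan': ...}. Assumption: first match per type wins;
    a value-of role is only honoured if it is a configured role."""
    result = dict(defaults)
    known = set(known_roles)
    decided = set()
    for rule_type, attribute, condition, value, target in rules:
        if rule_type in decided or attribute not in attrs:
            continue
        actual = attrs[attribute]
        if not CONDITIONS[condition](actual, value):
            continue
        chosen = actual if condition == "value-of" else target
        if rule_type == "role" and chosen not in known:
            continue   # unknown role name from the server: fall through
        result[rule_type] = chosen
        decided.add(rule_type)
    return result


# Constructed configuration: the rules from the two examples in the text
# plus an assumed VLAN rule on the RFC 3580 attribute.
SERVER_RULES: List[Rule] = [
    ("role", "Filter-Id", "equals", "IT", "IT-staff"),
    ("role", "Filter-Id", "value-of", None, None),
    ("vlan", "Tunnel-Private-Group-Id", "value-of", None, None),
]
DEFAULTS = {"role": "logon", "vlan": "1"}
KNOWN_ROLES = ("logon", "guest", "employee", "IT-staff")
```

With these rules a reply carrying Filter-Id “IT” yields the IT-staff role through the first rule, “guest” reaches the second rule and becomes the role literally, and a value that is not a configured role leaves the default in place.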
LDAP
LDAP (Lightweight Directory Access Protocol) is a lightweight protocol for
accessing directory services. A directory is a specialized database optimized
for searching, reading and browsing. Directories tend to contain descriptive,
attribute-based information. LDAP is specifically geared towards X.500 based
directory services and runs over TCP/IP.
LDAP Background
The LDAP information model is based on entries, where an entry is a
collection of attributes. An attribute has a type and one or more values. A
type is typically a mnemonic string, for example, “cn” for Common Name, or
“mail” for Email Address. The syntax of an attribute’s value depends on the
type of the attribute. It can be a string, for example, the value “John Doe” for
“cn”, or a binary JPEG format value for an attribute, say “jpegPhoto”. LDAP
allows the administrator to control the attributes in an entry through the use
of a special attribute called objectClass. An objectClass defines the attributes
for an entry, and specifies which attributes are required, and which ones are
optional. In addition to the attributes that comprise an entry, protection and
privacy mechanisms for an entry can be specified in LDAP. Access rights for
performing the read/write/search operations on the entry can be defined for
each entry.
Figure: example directory tree. The root entry is dc=Alcatelnetworks,dc=com;
beneath it are ou=People (containing uid=jdoe, cn=John Doe and uid=guest,
cn=Guest) and ou=Printers.
LDAP provides an API for interrogating and updating the directory. Although
LDAP supports operations to add, delete and update an entry, it is primarily
used to search for information in the directory. The LDAP search operation
allows the user to specify the portion of the directory that should be searched.
In addition, a search filter can be used to specify the criteria that the
entries being searched must satisfy.
and server is a TCP connection, there is a possibility for a third party to snoop
the password from the connection. LDAP supports a more secure connection
mechanism through SSL/TLS.
Authentication Port – The port on which the LDAP server is configured. The
default value is 389.
Base DN - The Distinguished Name of the node which contains the entire user
database that should be used for user authentication.
Admin DN - A user who has read/search privileges across all the entries in the
LDAP database. The user need not have write privileges – the user should be
able to search the database and read attributes of other users in the database.
Key Attribute - The attribute that contains the unique key for the LDAP object.
This is the name of the attribute that contains the login ID of the users.
Filter - The filter that should be applied to search of the user in the LDAP
database. The default filter string is: “(objectclass=*)”.
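The following is an added example, not AOS-W code: the lookup that the Base DN, Admin DN, Key Attribute and Filter settings describe, run against an in-memory stand-in for the directory (constructed entries, not a real server). The switch binds with the Admin DN, searches under the Base DN for the entry whose key attribute equals the login ID, and then binds as that entry with the user’s password. The login ID is escaped per RFC 4515 before it is spliced into the search filter, so a login such as “*” or “*)(uid=*” cannot widen the search to other entries, and a lookup that returns anything other than exactly one entry is treated as a failure. A real deployment would carry these operations over LDAP with TLS, as the preceding section notes.

```python
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed directory: DN -> attributes, attribute names lower-cased.
DIRECTORY: Dict[str, Entry] = {
    "cn=readonly,dc=example,dc=com": {
        "objectclass": ["person"], "cn": ["readonly"], "userpassword": ["bind-pw"]},
    "uid=jdoe,ou=People,dc=example,dc=com": {
        "objectclass": ["person"], "uid": ["jdoe"], "cn": ["John Doe"],
        "userpassword": ["jdoe-pw"]},
    "uid=guest,ou=People,dc=example,dc=com": {
        "objectclass": ["person"], "uid": ["guest"], "cn": ["Guest"],
        "userpassword": ["guest-pw"]},
    "cn=lobby,ou=Printers,dc=example,dc=com": {
        "objectclass": ["device"], "cn": ["lobby"]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of the characters that have meaning inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_user_filter(key_attribute: str, login: str,
                      base_filter: str = "(objectclass=*)") -> str:
    """Combine the configured Filter with the Key Attribute lookup."""
    return "(&%s(%s=%s))" % (base_filter, key_attribute, escape_filter_value(login))


def parse_filter(s: str, i: int = 0) -> Tuple[tuple, int]:
    """Minimal parser for (&...), (|...), (!...) and (attr=value). Returns (node, end)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1        # skip the closing ')'
    end = s.index(")", i)               # escaped values contain no raw ')'
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1


def _unescape(v: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _value_regex(v: str):
    # A raw '*' is a wildcard; an escaped \2a is a literal asterisk.
    return re.compile("^" + ".*".join(re.escape(_unescape(p)) for p in v.split("*")) + "$",
                      re.IGNORECASE)


def matches(node: tuple, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)              # presence test
    rx = _value_regex(value)
    return any(rx.match(x) for x in values)


def search(base_dn: str, filter_str: str) -> List[str]:
    node, _ = parse_filter(filter_str)
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and matches(node, e)]


def bind(dn: str, password: str) -> bool:
    e = DIRECTORY.get(dn)
    return e is not None and password in e.get("userpassword", [])


def authenticate(login: str, password: str, key_attribute: str = "uid",
                 base_dn: str = "ou=People,dc=example,dc=com",
                 admin_dn: str = "cn=readonly,dc=example,dc=com",
                 admin_password: str = "bind-pw") -> bool:
    """Bind as Admin DN, find exactly one entry for the login, then bind as it."""
    if not bind(admin_dn, admin_password):
        return False
    hits = search(base_dn, build_user_filter(key_attribute, login))
    if len(hits) != 1:       # zero or ambiguous results are both failures
        return False
    return bind(hits[0], password)
```

Splicing the raw login into the filter instead would turn a login of “*” into (&(objectclass=*)(uid=*)), which matches every user under the Base DN; the escaped form matches nothing.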
Server Rules
For each authentication server used by the system, a server rule may be
configured to specify how role and VLAN information is determined. Role and
VLAN determination may be done simply by specifying a default value per
Rule Type – Specifies if the server rule is used to determine role assignment or
VLAN assignment.
Condition – Specifies how the system will match the attribute. If the condition
is set to “value-of”, the contents of the attribute are used literally as the
role or VLAN assignment. For example, if the attribute is set to “Filter-ID” and
the condition is set to “value-of”, an LDAP server that returns the value
“IT-Staff” inside the Filter-ID attribute sets the user’s role to “IT-Staff”.
Value – If the condition is set to any option other than “value-of”, the value
specifies what the contents of the attribute should be in order to match the
rule. For example, if the attribute is set to “Filter-ID”, the condition is set to
“equals”, and the value is set to “IT”, a role can be selected when the LDAP
server returns the Filter-ID attribute containing the value “IT”.
Role/VLAN – Specifies the role or VLAN that will be set if the rule is matched.
The internal database contains fields for username, password, role, email
address, and administrative status. A role assignment rule is automatically
configured by the system to enable role assignment by the internal database. If
additional role or VLAN assignment rules are desired, click Add.
To add users, click the “Add User” button and fill in appropriate details for each
user. The internal database supports up to 4000 user entries.
CLI configuration to add a user to the internal database is done from command
mode, rather than configuration mode:
local-userdb add username demo password abc123 role
employee
Accounting
AOS-W supports standard RADIUS accounting for tracking user login/logout
times. Accounting will track logins accurately, but logouts may not be tracked
accurately since the user may roam out of range without logging out. To
configure accounting, navigate to Configuration > Security > AAA Servers >
Accounting, as shown in the figure below.
Authentication Methods
802.1x Authentication
802.1x is an IEEE standard designed to provide authentication before any L2
access to the network is permitted. 802.1x provides a framework inside of
which multiple authentication protocols may operate. A number of
authentication protocols, including EAP-TLS, PEAP, and TTLS, are well suited
to wireless networks, most notably because they allow the client to
authenticate the network as well as allowing the network to authenticate the
client. The authentication protocols are all based on EAP (Extensible
Authentication Protocol) and are also known as “EAP types”.
Client Response Timeout – Sets the period between each identity request
sent to the supplicant by the authenticator. The ID request is sent when a
client associates or reassociates with an AP or when the reauthentication time
expires. The value can be between 1 and 65535 seconds. The default is 30
seconds.
Client Retry Count – Sets the maximum number of attempts the switch will
make to authenticate a supplicant. The value can be between 0 and 10. The
default value is 3.
Server Retry Count – Specifies the number of attempts the switch may make
to obtain authentication from the server after an initial attempt times out. The
value can be between 0 and 3. The default value is 2.
Unicast Key Rotation Time Interval – When unicast key rotation is enabled,
specifies the amount of time that must elapse since the last key rotation until a
new unicast key rotation is done. The value can be between 1 and
4,294,967,295 seconds. The default value is 240 seconds.
Reset 802.1x Parameters to Factory Defaults – Check this box to reset all
802.1x settings back to default values. The equivalent CLI configuration
command is “dot1x default”.
To add an authentication server, click the “Add” button. One or more servers
may be added to the list. To change the order in which servers are used by the
system, click the up or down arrows next to the appropriate server name.
The equivalent CLI command to add the server shown above is:
aaa dot1x auth-server test
VPN Authentication
When the use of IPSec or PPTP is desired, Alcatel switches provide full VPN
termination capabilities using hardware acceleration. All encryption protocols
are run in hardware, with encryption hardware being appropriately sized to
handle a full load of access points. The majority of VPN settings are configured
under a dedicated VPN section below. VPN backend authentication parameters
are configured under Configuration > Security > Authentication Methods > VPN, as
shown in the figure below.
Enable Guest Logon – When this option is selected, the captive portal page will
display a field for guest users to enter their email address. The email address is
not validated or authenticated, but can be used to keep track of user identity.
When a user enters an email address in the guest logon field, the switch will
assign the “guest” role to the user.
Enable User Logon – When this option is selected, the captive portal page will
display a field for a registered user to enter a username and password. The
user will be authenticated against the selected authentication server and will
be assigned a role according to either the authentication server role
information, or the captive portal default role.
Protocol Type – Selects whether the captive portal page will be transmitted
using HTTP or HTTPS (SSL). The default is HTTPS. If HTTP is selected, then
usernames and passwords would be transmitted with no encryption, making it
possible for anyone to intercept them.
Logon Wait Interval – If the switch control CPU is in a high load condition,
rendering the captive portal page could cause other higher-priority tasks to
slow down. This parameter specifies how long the logon process will be
delayed if the CPU is in a highly loaded condition.
Stateful 802.1x
Third-party Access Points
When third-party access points are used in the network, and those third-party
access points act as 802.1x authenticators, AOS-W provides the ability to
intercept communication between the AP and the authentication server in
order to learn username information and apply appropriate role and traffic
policies. This assumes that the Alcatel switch is located in the data path
between the third-party AP and the authentication server. To configure stateful
802.1x, navigate to Configuration > Security > Authentication Methods > Stateful
802.1x, as shown in the figure below.
AP/Server Configuration
After enabling stateful 802.1x as shown above, a list of each third-party AP
for which stateful 802.1x should be performed must be entered as shown in
the figure below.
RADIUS Server – Choose the RADIUS server with which the third-party AP will
communicate.
Key – Specify the RADIUS secret used between the third-party AP and the
RADIUS server.
Role Name – Specifies the role that will be applied when the SSID is matched.
Role Name – Specifies the role that will be applied when the encryption type is
matched.
Advanced Authentication
To configure advanced security options, navigate to Configuration > Security >
Authentication Methods > Advanced. The Advanced tab appears in the figure
below.
When the use of IPSec or PPTP is desired, Alcatel switches provide full VPN
termination capabilities using hardware acceleration. All encryption protocols
are run in hardware, with encryption hardware being appropriately sized to
handle a full load of access points. Additionally, built into each switch is a
“VPN dialer” Windows application that pre-configures supported Windows
systems to work with Alcatel VPN services.
IPSec
AOS-W supports termination of IPSec tunnels using both L2TP/IPSec
(supported natively by Windows 2000, XP, and PocketPC 2003) and
IPSec/XAUTH (supported by most 3rd-party VPN clients). To configure IPSec,
navigate to Configuration > Security > VPN Settings > IPSec, as shown in the
figure below.
Primary/Secondary DNS Server – Configures the list of DNS servers that will
be passed to clients after authentication. These parameters are optional.
Enable Source NAT – If the address range included in the VPN address pool is
not routable by the rest of the network, source NAT can be enabled. When
this is enabled, the source address of all user traffic emerging from a VPN
tunnel will be changed to the switch IP address. This checkbox configures a
traffic policy for the VPN default role – if multiple roles are being used with
VPN, a source-NAT traffic policy will need to be configured for each of them.
IKE Aggressive Group Name – When configuring IPSec XAUTH, enter the
group name. This group name must match the group name configured on
each client.
IKE Shared Secrets – Specifies IKE pre-shared keys for different IP address
ranges. This option is only used when IKE pre-shared key authentication is in
use. To configure a single IKE pre-shared key for all clients, enter a subnet of
0.0.0.0 with a mask length of 0. The IKE pre-shared key must be identically
configured on all clients. The shared secret should be treated as a password,
and should not be composed of common dictionary words or phrases.
PPTP
PPTP provides an alternative to IPSec that is supported by MacOS, Linux,
PocketPC, Windows 2000, Windows XP, and many other platforms. PPTP is
considered to be less secure than IPSec, but also requires less configuration.
To configure PPTP, navigate to Configuration > Security > VPN Settings > PPTP as
shown in the figure below.
The minimum required configuration for a VPN dialer is to specify a dialer name
and an IKE pre-shared key. Specifying these two parameters and leaving all
other parameters at default values will allow most implementations to work.
Disable Wireless Devices when Client is Wired – Allows the VPN dialer to
detect when a wired network connection is in use. If this option is enabled,
the wireless interface will be shut down while a wired connection exists.
Enable SecurID New and Next Pin Mode – TBC
Authentication – Specifies the list of authentication protocols to be
supported. This list should match the switch IPSec or PPTP configuration, and
should also contain at least one protocol supported by the authentication
server. It is generally safe to leave all protocols enabled. If SecureID Token
Caching is enabled (see the SecureID Token Caching section of this guide
below), the system will cache SecureID tokens so that users do not need to
reauthenticate every time a network connection is lost.
IKE Lifetime – Specifies how long an IKE security association lasts, in
seconds. This parameter must match the IKE lifetime configured in the IPSec
IKE policy. The default value is 28,800 seconds.
IKE Encryption – Specifies the IKE encryption protocol. This parameter must
match the IKE encryption protocol configured in the IPSec IKE policy. The
default value is triple-DES.
IKE Group – Specifies whether IKE will use Diffie-Hellman group 1 or
Diffie-Hellman group 2. This parameter must match the IKE Diffie-Hellman
group configured in the switch. The default is group 2.
IKE Hash Algorithm – Specifies the hash algorithm used by IKE – either SHA or
MD5. This parameter must match the IKE hash algorithm configured in the
IPSec IKE policy. The default is SHA.
IKE Authentication – Specifies whether RSA signatures or pre-shared keys
should be used for IKE authentication. This parameter must match the “IKE
Shared Secrets” configuration. The default is for pre-shared key
authentication. Make sure the pre-shared key specified here matches the
pre-shared key specified in the IKE shared secrets policy.
IPSec Lifetime – Specifies how long an IPSec security association lasts, in
seconds. The default is 7200 seconds.
IPSec Mode Group – Specifies the IPSec Perfect Forward Secrecy (PFS) mode.
The default is Group 2.
IPSec Encryption – Specifies the encryption type used for IPSec. The default
is triple-DES.
IPSec Hash Algorithm – Specifies the hash algorithm used by IPSec. The
default is to use SHA.
Configure a list containing the switch IP addresses of all Alcatel switches that
could potentially result in the situation described above.
Advanced Authentication
To configure advanced authentication options, select Configuration > Security >
Authentication Methods > Advanced Authentication.
where:
Rule Type – Specifies the type of rule to be created.
To configure SecureID Token Caching, navigate to Configuration > Security > VPN
Settings > Advanced, as shown in Figure 5-34.
where:
Transform Set Name – The name of the transform set.
Encryption – Specifies the type of encryption to be applied.
Hash Algorithm – Specifies the type of hash to be applied.
Firewall Settings
To configure global firewall settings select Configuration > Security > Firewall
Settings.
where:
Monitor Ping Attack – Monitors incoming pings.
Monitor TCP SYN Attack – Monitors SYN attacks.
Monitor IP Session Attack – Monitors IP session attacks.
Prevent L2 Bridging between Wireless Users – Prevents wireless users from
creating ad hoc networks.
Drop All IP Fragments – Deletes all IP fragment packets.
Enforce TCP Handshake Before Allowing Data – Requires completion of TCP
session negotiation before allowing incoming packets.
Prohibit IP Spoofing – Prevents IP spoofing.
Prohibit RST Replay Attack – Prevents RST replay attacks.
Log ICMP Errors – Logs ICMP (for example, ping) errors.
Disable stateful SIP Processing – TBC
Allow Tri-session with DNAT – TBC
Session Mirror Destination – TBC
Disable FTP server – Prevents FTP transfers.
Service Aliases
Service aliases aid in policy configuration by applying a human-readable label
to protocol numbers or groups of protocol numbers. To manage service
aliases, navigate to Configuration > Security > Advanced > Services, as shown in
the figure below.
To edit or delete an alias, click the appropriate button. To add a new service
alias, click Add. The Add Service window is shown in the figure below.
Protocol – Services can be defined by TCP port numbers, UDP port numbers,
or IP protocol number. If a particular service can operate over both TCP and
UDP, create two separate service aliases.
Starting Port – For TCP or UDP services, specifies the lower port number of a
port range. To specify a single port, enter the same number in both the starting
and ending field.
End Port – For TCP or UDP services, specifies the upper port number of a port
range. To specify a single port, enter the same number in both the starting and
ending field.
Source/Destination Aliases
Source and destination aliases aid in policy configuration by applying a
human-readable label to IP addresses and groups of IP addresses.
Source/destination aliases are used in traffic policies to specify either the
source of a packet or the destination of a packet. To manage
source/destination aliases, navigate to Configuration > Security > Advanced >
Destinations, as shown in the figure below.
Destination Name – A human-readable name for the alias. This name appears
in all traffic policies making use of this source/destination alias.
Invert – Specifies that the inverse of the addresses entered should be used.
For example, if a network of 172.16.0.0/16 is entered, the “invert” option
specifies that the policy should match everything except 172.16.0.0/16.
Host – A single IP address. When entering a single IP address, do not fill in the
netmask/range field.
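The service aliases and source/destination aliases described above, modelled in added example code (not AOS-W code) so their matching rules can be exercised: a service alias is a TCP or UDP port range or a bare IP protocol number, a destination alias is a host (no netmask) or a network that may be inverted, and a policy is a first-match list of rules. All alias names, addresses and the sample policy are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

TCP, UDP = 6, 17  # IP protocol numbers; any other value is a bare IP protocol


@dataclass(frozen=True)
class ServiceAlias:
    """Human-readable label for a TCP port range, a UDP port range, or an IP protocol."""
    name: str
    protocol: int
    start_port: int = 0   # TCP/UDP only; a single port uses start_port == end_port
    end_port: int = 0

    def matches(self, protocol: int, dst_port: Optional[int]) -> bool:
        if protocol != self.protocol:
            return False
        if self.protocol not in (TCP, UDP):
            return True  # e.g. ESP (50): every packet of that protocol matches
        return dst_port is not None and self.start_port <= dst_port <= self.end_port


@dataclass(frozen=True)
class DestinationAlias:
    """A single host (no netmask) or a network, optionally inverted."""
    name: str
    address: str
    invert: bool = False

    def matches(self, addr: str) -> bool:
        # A bare host address becomes a /32 network; invert flips the result.
        inside = ip_address(addr) in ip_network(self.address, strict=False)
        return (not inside) if self.invert else inside


@dataclass(frozen=True)
class Rule:
    src: DestinationAlias
    dst: DestinationAlias
    service: ServiceAlias
    action: str  # "permit" or "deny"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             protocol: int, dst_port: Optional[int] = None) -> str:
    """First matching rule wins; a policy with no matching rule denies."""
    for rule in rules:
        if (rule.src.matches(src_ip) and rule.dst.matches(dst_ip)
                and rule.service.matches(protocol, dst_port)):
            return rule.action
    return "deny"


# Constructed sample aliases (names and addresses are made up for this example).
SVC_HTTPS = ServiceAlias("svc-https", TCP, 443, 443)
SVC_DNS_UDP = ServiceAlias("svc-dns-udp", UDP, 53, 53)  # DNS over UDP and over TCP
SVC_DNS_TCP = ServiceAlias("svc-dns-tcp", TCP, 53, 53)  # are two separate aliases
SVC_ESP = ServiceAlias("svc-esp", 50)                   # bare IP protocol 50 (ESP)

ANY = DestinationAlias("any", "0.0.0.0/0")
NOT_INTERNAL = DestinationAlias("not-internal", "172.16.0.0/16", invert=True)
DNS_SERVER = DestinationAlias("dns-server", "172.16.1.53")  # host: no netmask

# A guest-style policy: UDP DNS to the resolver, HTTPS to anything outside
# 172.16.0.0/16, and nothing else.
GUEST_POLICY = [
    Rule(ANY, DNS_SERVER, SVC_DNS_UDP, "permit"),
    Rule(ANY, NOT_INTERNAL, SVC_HTTPS, "permit"),
]


if __name__ == "__main__":
    print(evaluate(GUEST_POLICY, "172.16.5.9", "203.0.113.10", TCP, 443))  # permit
    print(evaluate(GUEST_POLICY, "172.16.5.9", "172.16.1.1", TCP, 443))    # deny
```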
Bandwidth Contracts
To configure bandwidth contracts, go to Configuration > Security > Bandwidth
Contracts.
You can create a bandwidth contract on a VLAN to rate limit only multicast and
broadcast packets. The syntax is:
(config)# interface vlan <x>
(config-subif)# bandwidth-contract <name>
NAT Pools
To create the collection of IP addresses that are assigned to users inside the
firewall, go to Configuration > Security > NAT Pools.
Time Range
To define a time range select Configuration > Security > Advanced > Time Range.
The Time Range screen appears.
Complete the information requested on the Add Time Range screen and click
Apply.
Additional Information
Encryption
Encrypting the transmitted data is only one part of the security process.
Although this affords some security, all the common data encryption schemes
such as WEP (Wired Equivalent Privacy) have been broken and anyone with the
software can read your data in plain text.
Phase I Negotiations
The negotiation of a contract initially involves three basic steps:
• Policy negotiation
• DH public value exchange
• Authentication
During the DH exchange only the base information required to generate the
actual keys is exchanged.
Authentication of the DH key exchange is done to assure that the keys were
generated and correctly passed.
Phase II Negotiations
Phase II is the negotiation of the algorithms used to encrypt the payload data.
This is comprised of 3 steps:
• Policy negotiation
• Session key materials are exchanged or renewed
• SAs (Security Associations), keys, and SPI (Security Parameters Index)
are passed to the IPSec driver.
IPSec
IP was originally developed within a highly restricted, secure network.
Therefore, IP did not have security features built in. Once the Internet became
a public forum, security became a critical need. This need has been, and
continues to be, addressed by the IETF, which has developed a suite of security
protocols under the umbrella of IP Security, or IPSec. IPSec defines two
encryption modes: Transport mode (which only encrypts the data in a packet)
and Tunnel mode (which encrypts the entire packet).
All encrypted traffic must be decrypted upon receipt. Therefore, the receiving
node (which also must be IPSec compliant) uses a decryption device called a
key, which it shares with the encrypting node. The key, known as a public
key, is shared between the two communicating nodes by means of the
Internet Security Association and Key Management Protocol (ISAKMP).
WEP Encryption
WEP encryption comes in two basic flavors: 64-bit and 128-bit encryption.
Obviously, the 128-bit version offers stronger encryption. When using WEP,
both sender and receiver must be using the same key to decrypt the
transmitted data. WEP allows for rotation of keys and most equipment will
allow you to have as many as 4 keys.
Some equipment supports WEP Mapped Keys, which are MAC-keyed pairwise
keys. In this scheme each unique pair of MAC addresses shares a unique WEP
key. The pairing is stored in a MIB table.
TKIP is used in two modes, WPA and PSK (pre-shared key). The WPA mode
requires the use of an authentication server and is described below.
The PSK mode uses a pre-shared key (password) which is shared by all clients
on the network to establish the initial communication with the access point.
After the initial data exchange is complete and the user is authenticated, the
key is rotated such that each client uses a different key.
Authentication
Authentication of users is critical to protect network resources and data. There
are a number of methods for authenticating users/clients. Authentication
verifies the identity of users attempting to associate with the network.
Authentication in and of itself is not secure. Authentication requests as with all
data transmitted over wireless should be encrypted with a form of strong
encryption.
RADIUS
RADIUS (Remote Authentication Dial In User Service), originally developed in
1992, is probably the most widely deployed method of client authentication.
The RADIUS protocol is described in RFC 2138 (1). It is a highly extensible UDP
client/server application protocol. A full implementation of the protocol
consists of a RADIUS server and a separate RADIUS Accounting server bound
to UDP ports 1812 and 1813 respectively. Usually, both services are combined
into a single server daemon.
• CHAP
• UNIX Login
• Others
The server checks to see if it has a shared secret for the client; if not, the
packet is silently dropped. If it has a shared secret for the client, the shared
secret in the decrypted packet is compared to the shared secret stored on the
server.
When the server receives the packet, it decrypts the shared secret and
compares it to the shared secret for the requesting client, stored on the
server.
The server may also validate other parameters such as time of day, NAS, or
access ports before it will authenticate the user.
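The RADIUS shared-secret mechanism described above, as an added example that is not part of the original document. In RFC 2865 the secret itself is never carried in the packet: the client uses it, with a random Request Authenticator, to hide the User-Password, and the server proves it holds the same secret by computing the Response Authenticator over its reply. The usernames, secrets and attribute values below are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18  # RFC 2865 attribute types


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: only a peer holding the same secret recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, mask)), block
    return out.rstrip(b"\x00")


def attr(type_: int, value: bytes) -> bytes:
    return struct.pack("!BB", type_, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes):
    request_auth = os.urandom(16)  # must be unpredictable; it keys the hiding above
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def sign_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client check: recompute the Response Authenticator with our own secret."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def demo(client_secret: bytes, server_secret: bytes):
    """Constructed NAS/server exchange; the server may hold a different secret."""
    req, req_auth = build_access_request(7, b"demo", b"abc123", client_secret)
    attrs, pos = {}, 20  # walk the TLV attribute list of the request
    while pos < len(req):
        t, ln = req[pos], req[pos + 1]
        attrs[t] = req[pos + 2:pos + ln]
        pos += ln
    recovered = reveal_password(attrs[USER_PASSWORD], server_secret, req_auth)
    accept = sign_response(ACCESS_ACCEPT, 7, req_auth, attr(REPLY_MESSAGE, b"welcome"), server_secret)
    return recovered, verify_response(accept, req_auth, client_secret)


if __name__ == "__main__":
    print(demo(b"s3cret", b"s3cret"))  # (b'abc123', True)
    print(demo(b"s3cret", b"other"))   # garbage password, False
```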
LDAP
LDAP (Lightweight Directory Access Protocol) is defined by RFC 1777 (1995). It
was originally designed at the University of Michigan to adapt a highly complex
directory system to the Internet. LDAP provides a means to access complex
directory structures to verify user name and password information for
authentication.
MAC
MAC authentication uses the MAC address of the client device to establish an
identity for authentication.
• Microsoft Windows Mobile 2003/CE 4.2 with built-in L2TP/IPSec VPN support (PDA)
• Apple MacOS 10.x with built-in PPTP and L2TP/IPSec VPN support
• PalmOS 5.x with built-in PPTP VPN
• Mergic PPTP VPN for PalmOS 3.5 to 4.x
• Movian VPN for PalmOS 3.5 to 5.x
• Movian VPN for Microsoft Windows Mobile/CE
• Linux VPNC
5. Click Next and select A pre-shared key and type the IPSEC pre-shared key
(not the securID that you configured on the switch).
6. Follow the rest of the instructions (your password is the securID).
7. Navigate to Settings > Connections.
8. Select the Advanced tab.
9. Select Select Networks.
10. Click Exceptions.
11. Click Add new URL.
12. Type */* and click OK.
At this point, if you have wireless connectivity, you should be able to click on
the icon at the top of the screen with the two arrows pointing left and right
next to the speaker icon.
13. Select Connect VPN.
NOTE—With AOS-W 2.2 or lower, L2TP/IPSEC clients terminating on anything other than
the switch IP (loopback or VLAN 1) required the server IP to be in the emulate servers
table for dest-natting purposes.
With AOS-W 2.3.0.0 and higher, this restriction has been removed. The only IPs needed
in the emulate servers table are the IPs not present on the current switch itself.
The program only needs to be run once after a new entry is created. It will
modify the registry in the entries for all L2TP/IPSec entries present in the PDA.
VLANs
Virtual Local Area Networks (VLANs) are used to divide LAN traffic
into manageable broadcast domains. Using VLANs, the LAN can
be divided into smaller, logical networks, such as to segregate
wireless traffic from the rest of the LAN.
VLANs are created in two parts: first the network interface for the
VLAN must be defined on the switch, and then physical switch
ports must be added to the VLAN.
4 Set the DHCP server for relaying DHCP requests for the interface:
If the DHCP server is on the same subnet as the VLAN interface, then you do not
need to create an IP helper address.
You can also select a range of consecutive ports in a specific slot using the
following command:
interface range <interface> <slot>/<start port>-<end port>
For example, to select slot 2, ports 0 through 23, enter the following:
You can also use a comma separated list of consecutive ports, for example:
If connected to the trusted LAN (to an upstream router for example), enter the
following:
Repeat this procedure for each port or port range being added to the VLAN.
Port Trunks
Port trunks allow multiple VLANs on one interface. For example, to configure a
Fast Ethernet port interface as an 802.1q trunk, the following configuration
commands could be used:
Spanning Tree
Alcatel Wireless LAN switches support Common Spanning Tree (CST),
Multiple instance STP (MISTP), and Rapid Spanning Tree (RSTP) protocols.
• hello-time <interval>
Set the spanning tree hello interval.
• max-age <interval>
Set the spanning tree maximum age interval.
• priority <level>
Set the spanning tree priority level.
• port-priority <value>
Set the interface’s spanning tree priority.
• portfast
Change the interface from blocking to forwarding mode.
A backup requires that all four files be copied and placed on an external system.
To recover or restore a configuration to the Wireless LAN switch, these four
files must be copied to the switch from the external system.
For example:
(Alcatel) # dir
-rw-r--r-- 1 root root 1333 Apr 20 00:19 default-backup.cfg
-rw-r--r-- 1 root root 1333 Apr 20 14:59 default.cfg
You should see the configuration file and any backup you created.
NOTE—In AOS-W 2.2.1.0, you can also use the tar flash and wms export-db
commands to make backups.
For example:
NOTE—A placeholder file with the destination filename must exist on the FTP or
TFTP server prior to executing the copy command.
To restore an on-system backup, the format for the CLI command is:
copy flash: <backup filename> flash: <original filename>
For example:
Place the software image file in the root directory of your FTP or TFTP server.
The switch must have a valid network route to the FTP or TFTP server. You
can verify the route using the ping command from the switch CLI:
ping <destination IP address>
Of the switch’s four memory partitions, two are used to hold switch software
images. One of the partitions holds the active software image and the other
generally holds a backup.
When loading new software, it is recommended to load the new image into
the backup partition. In this way, if there is a failure during the download
process, the active partition is not compromised. Later, after the download is
confirmed, the partition with the new software image is automatically
selected for active use, keeping the old image as a backup.
In this example, partition 0 contains the active image and partition 1 is empty.
To protect the active image, in the following steps we will load the new image
into partition 1.
5 Load the new image into the Alcatel Wireless LAN Switch.
Use the copy command to place the image file into the switch:
copy tftp: <server address> <image filename> system: partition{0|1}
For example:
(Alcatel) # reload
Do you really want to reset the system(y/n): y
System will now restart!
If there are any unsaved changes, the switch will prompt you about saving the
changes.
In this example, Version 2.4.0.0 is loaded and running, indicating that the
upgrade is complete.
Performing a write erase will also remove the certificate that was uploaded
for the Web UI.
Once the switch configuration is erased, you can continue to use the CLI to
make new configuration changes, or use the built-in setup dialog to
perform initial setup. To use the setup dialog, first reboot the switch:
(Alcatel) # reload
Required Components
• An Alcatel Access Point acting as an Air Monitor (AM)
When acting as an AM, the Alcatel Access Point works with the
Alcatel Wireless LAN Switch to analyze Wireless LAN traffic in
order to classify and enforce security policies.
AP Classifications
APs are classified as one of the following:
• Valid AP (VAP)
An AP that is part of the enterprise providing Wireless LAN services is a valid
AP. An AP will be classified as valid under the following circumstances:
• The Alcatel AP successfully connects with the switch and loads its
software and configuration, or
• The AP is manually classified as valid by the administrator, or
• If AP learning is enabled (see page 137), every new AP is classified as
valid.
• Interfering AP (IAP)
An AP that is part of a foreign network in a multi-tenancy environment is an
Interfering AP. An AP will be classified as interfering under the following
circumstances:
• DoS AP (DAP)
An AP through which the administrator does not want any access to the
network is a DoS AP.
Enforcement Policies
Enforcement policies control how the Alcatel Wireless LAN Switch handles
IAPs, UAPs, and various kinds of suspicious traffic. Specific enforcement
policies can be enabled or disabled based on your security needs. All policies
are configured from the WMS configuration sub-mode, which is accessible as
follows:
AP Policies
The following policies provide control for AP behavior.
AP Learning
Learning affects the way APs are classified (see “AP Classifications” on
page 136). To enable or disable learning, use the following command:
Protect Unsecure AP
If this policy is enabled, WMS prevents any wireless client station from
accessing the Wireless LAN by connecting through a UAP. The policy is
configured as follows:
Protect Misconfigured AP
The administrator can specify the configuration attributes that are part of a
VAP. Then, if this policy is enabled, WMS prevents any wireless client station
from accessing the Wireless LAN by connecting to a misconfigured AP.
wpa – Wi-Fi Protected Access
privacy – WEP privacy key
short-preamble – Short preamble
where the OUI address is the first half of the MAC address, formatted as
AA:BB:CC.
• SSID list:
(Alcatel) (wms) # valid-ssid <SSID> mode {enable|disable}
AP Load Balancing
The AP load balancing feature allows the system to balance wireless traffic
across adjacent APs. Load balancing can be triggered based on the number of
users or degree of utilization on an AP. When traffic reaches the configured
thresholds on an AP where load balancing is allowed, any new wireless client
station attempting to associate with the saturated AP will be directed to an
adjacent AP instead. Stations which are already associated with the AP are not
affected.
Maximum number of retries must also be configured for load balancing. The
maximum retries is the number of times a new station is encouraged to move
to an adjacent access point. If the station still attempts to associate with the
AP after that, association is allowed.
Valid STA
If a station is classified as VSTA and connects to an IAP, the AM will disrupt
the connection if this policy is enabled. The policy is configured as follows:
Global Policies
Weak WEP
If the AM detects a station or AP encrypting 802.11 frames with weak WEP, a
syslog event is generated if this policy is enabled. The policy is configured as
follows:
Interference Detection
WMS can be used to detect interference near a wireless client station or AP
based on an increase in the Frame Receive Error Rate and Frame
Fragmentation Rate. If this policy is enabled, an increase in the expected rates
will generate a syslog event. The policy is configured as follows:
Statistics Events
generated. No new events are generated until the statistic value falls below the
low watermark. If a statistic watermark value is set to 0, event generation is
disabled for that statistic. Statistics events can be generated for the following:
• Frame Retry Rate (FRR)
This is generated for APs and valid wireless client stations.
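The high/low watermark behaviour described above, as an added example not taken from the original document: an event is generated when the statistic rises above the high watermark, further events are suppressed until the value falls below the low watermark, and a watermark of 0 disables the statistic. It assumes the comparisons are strict (the page does not say) and uses constructed FRR samples.

```python
from typing import List, Optional, Tuple


class WatermarkMonitor:
    """Hysteresis-based event generation for one statistic (e.g. FRR)."""

    def __init__(self, name: str, high: int, low: int) -> None:
        if low > high:
            raise ValueError("low watermark must not exceed the high watermark")
        self.name, self.high, self.low = name, high, low
        self.armed = True  # True until an event fires; re-armed below the low mark

    def update(self, value: int) -> Optional[str]:
        """Feed one polled sample; return an event string or None."""
        if self.high == 0:
            return None  # assumption: watermark 0 disables this statistic
        if self.armed and value > self.high:
            self.armed = False
            return f"{self.name} {value} exceeded high watermark {self.high}"
        if not self.armed and value < self.low:
            self.armed = True  # back below the low mark: next crossing may fire
        return None


def run_samples(monitor: WatermarkMonitor, samples: List[int]) -> List[Tuple[int, str]]:
    """Return (value, event) pairs for every sample that produced an event."""
    events = []
    for value in samples:
        event = monitor.update(value)
        if event is not None:
            events.append((value, event))
    return events


# Constructed frame-retry-rate samples (percent) for one AP, one per poll interval.
FRR_SAMPLES = [5, 12, 35, 40, 38, 22, 9, 33, 31]

if __name__ == "__main__":
    # Two events: at 35 (first crossing) and at 33 (after dropping below 10).
    for value, event in run_samples(WatermarkMonitor("FRR", high=30, low=10), FRR_SAMPLES):
        print(value, event)
```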
• Poll interval
This defines the interval in milliseconds for communication between the Alcatel
Wireless LAN Switch and the Alcatel Access Points and AMs. The WMS will
contact the AP or AM every poll interval to download AP to STA associations,
update policy configuration changes, and download AP and STA statistics. By
default, the interval is set to 60000 milliseconds. This can be set to a lower
value if the number of AMs deployed is small.
• Poll retries
This defines the maximum number of failed polling attempts before the polled
AP is declared down.
• Grace time
This defines the buffer time for the WMS to AM communication in
milliseconds. By default, this is set to 2000 milliseconds.
• Laser beam
The AM sends “laser beams” to APs or wireless stations to enforce policies.
For policy enforcement, this feature must be enabled.
When enabled, the AM will place its BSSID in the packet header as follows:
• AP to STA
If the laser beam is impersonated as from the AP to the wireless client station
(packet header ToDS = 1 and FromDS = 0), the AM’s BSSID appears in the 802.11
Addr1 (BSSID) field.
• STA to AP
If the laser beam is impersonated as from the wireless client station to the AP
(packet header ToDS = 0 and FromDS = 1), the AM’s BSSID appears in the 802.11
Addr1 (DA) field.
NOTE—When laser beam debug is enabled, policies may not be enforced in some
cases, as 802.11 headers are no longer standards compliant.
The Alcatel Air Monitor (AM) can be configured to capture packets and send
them to a remote client station running Wildpackets’ AiroPeek monitoring
software. This requires the Alcatel remote adapter plug-in (available from
Wildpackets) installed on the monitoring station.
Start the software manually, or by using the link on the Alcatel Web Interface.
NOTE—The Web Interface can only be used to launch the AiroPeek software (if
not already running). It will not automatically open a capture window for an
AM.
The following CLI command can be used to start the AM packet capture:
pcap raw-start <AM IP address> <client IP address> <UDP port> <format> [bssid <radio BSSID>] [channel <channel>]
The AiroPeek application listens for all Air Monitor packets for the configured
client IP address and UDP port. All packets are processed, however, you can
apply display filters on the capture window to control the number and type of
packets being displayed.
In the capture window, the absolute time stamps that are displayed
correspond to the time that the packet was received by the client station. This time
is not synchronized in any manner with the time on the Air Monitor.
The pcap ID can be found using the show pcap status command to list active
packet captures.
AOS-W 2.4 users who rely on Sygate Technologies for firewall and virus
scanning protection need to install the XML 4 Active X Control file
(MSXML-install.zip) which can be obtained on the Alcatel support website. The
file is in the Tech Tips directory under Support Bulletins.
If you are using Windows XP Service Pack 2, and there is a warning box above,
click on it, then choose “Install”. Once installation is done, click here to
proceed.
http://www.microsoft.com/windows2000/downloads/recommended/q313664/default.asp
From the Windows 2000 Control Panel, select Administrative Tools, then
Services. The following window appears:
If the Wireless Configuration item in the Services window is not already set for automatic startup, right-click on the entry and select Properties from the pop-up menu. The following window appears:
Under Startup type, select Automatic from the pull-down menu. If the service has not already been started (as shown under Service status), click on the Start button.
Once the service has started, click on the OK button to close the window.
From the Windows Start menu, select Control Panel | Network Connections.
In the Wireless network properties window, select the Association tab and set
the following properties:
• Network Authentication: Select Open from the pull-down menu.
• Data encryption: Select WEP from the pull-down menu.
• The key is provided to me automatically: If using dynamic WEP, check this box. Otherwise uncheck the box and enter the WEP keys manually.
In the Wireless network properties window, select the Authentication tab and
set the following properties:
• Enable IEEE 802.1x authentication for the network: Check this box to enable 802.1x authentication.
• EAP type: This setting depends on the type of authentication required.
  • If using EAP-PEAP, select Protected EAP (PEAP).
  • If using EAP-TLS, select Smart Card or Other Certificate.
• Uncheck the other two authentication boxes.
Check the box if you want to automatically use the Windows logon name and password as your user credentials. Otherwise, you will have to enter the user credentials manually. If you check this box, make sure your Windows name and password are the user credentials configured on the Authentication Server (e.g., IAS).
This informs you that a certificate or other credentials are required to access
the network. Click on the message to open the user credentials entry window.
Specify your user credentials and click on the OK button.
The wireless client station adapter should now use EAP authentication and
the following type of message appears:
This message indicates the root certification authority for the server's
certificate. If this indicates the correct certification authority, click on the OK
button to accept the connection. Otherwise, click Cancel.
Upon successful logon, the status of your Wireless Network Connection will
indicate Authentication succeeded:
NOTE—If using Cisco-PEAP with Windows XP, see the instructions on page 162
instead.
From the Windows Start menu, select Control Panel | Network Connections.
The rest of the configuration instructions are identical to the Windows 2000
procedure. Go to Step 4 on page 155 to continue the configuration.
Presently, only EAP-PEAP is supported with the Cisco ACU for Windows XP.
For EAP-TLS, use the Microsoft supplicant as described on page 160.
The latest drivers for the Cisco Wireless Network Adapter can be found at:
http://www.cisco.com/public/sw-center/sw-wireless.shtml
This will launch the Properties window for the Wireless Zero Configuration
service.
Click on Add profile and provide the profile name (Office in this example).
From the Windows Start menu, select Control Panel | Network Connections.
In the Wireless network properties window, select the Association tab and set
the following properties:
• Network Authentication: Select Open from the pull-down menu.
• Data encryption: Select WEP from the pull-down menu.
• The key is provided to me automatically: Check this box.
In the Wireless network properties window, select the Authentication tab and
set the following properties:
• Enable IEEE 802.1x authentication for the network: Check this box to enable 802.1x authentication.
• EAP type: Select Protected EAP (PEAP).
NOTE—EAP-TLS is not currently supported using the Cisco ACU.
On the Authentication tab, click on the Properties button and set the
following:
• Validate server certificate: Check this box. The client then checks that the certificate presented by the authentication server is valid and chains to one of the trusted root CAs selected below; this is the check that stops the client from authenticating to an impostor AP and RADIUS server.
• Connect to these servers: (Optional) Restrict the connection to servers whose certificate name lies within a particular domain.
• Trusted Root Certification Authority: Select the appropriate authority. Make sure you have retrieved the CA Certificate from the Root CA Server. For more details on certificates for 802.1x Authentication refer to Certificates for 802.1x.
• Second Phase EAP Type: Select the Generic Token Card option and click on Properties.
In the Generic Token Card Properties window, select either Static Password or
One Time Password (OTP).
For OTP (hardware token), the appropriate support must be installed on the
Authentication Server (for example: Cisco-ACS + RSA ACE Server Agent).
This informs you that a certificate or other credentials are required to access
the network. Click on the message to configure user credentials. Depending on
whether a Static Password or OTP was chosen, one of the following appears:
• Static Password:
• OTP:
For OTP, select either the Hardware Token or Software Token option. If you
select Software Token, the Password field on the One Time Password screen
becomes the PIN field.
Enter your PEAP authentication user name and password (which are
registered with the RADIUS server). If using a Static Password, select your
domain name from the drop-down list (or type it in if applicable).
When finished, click on the OK button. The wireless client station adapter
should now use EAP authentication.
This message indicates the root certification authority for the server's
certificate. If this indicates the correct certification authority, click on the OK
button to accept the connection. Otherwise, click Cancel.
Upon successful logon, the status of your Wireless Network Connection will
indicate Authentication succeeded:
General Configuration
To set the switch role from the CLI, use the command masterip from
configuration mode. If this is configured as 127.0.0.1, the switch is a master. If
this is configured as any other value, the switch becomes a local switch.
To set the loopback IP address through the GUI, navigate to Configuration >
Switch > General as shown in the figure below.
To set the loopback address through the CLI, enter the following command:
interface loopback
ip address 10.1.1.1
Mobility Configuration
To enable mobility, select the Enable Mobility checkbox.
On the Wi-Fi MUX switch, the first step in enabling MUX operation is to
configure VLANs that will be transported to the MUX server. These VLANs can
either be local port-based VLANs used for segmentation, or tagged VLANs
originating from 3rd-party APs attached to the MUX switch. Create new
VLANs by navigating to Configuration > Switch > VLAN. Click Add to add a new
VLAN. Configure a VLAN ID and assign ports as shown in the figure below. An
IP address may be configured for the VLAN if desired, but it is not required.
To enable mux ports in the CLI, enter commands in the following format:
Finally, enable Wi-Fi MUX operation in the GUI by navigating to Configuration >
Switch > General. Under the MUX Configuration section, enable MUX operation
as shown in the figure below. The MUX Server IP address is the loopback or
switch IP address of the MUX Server. On the Wi-Fi MUX itself, do not
configure the “MUX VLANs” section.
On the MUX Server, navigate to Configuration > Switch > General and specify the VLANs to be terminated in the MUX VLANs section. In the example below, the MUX Server is configured to terminate VLANs 22 and 23 from remote MUXes.
Port Configuration
Port Selection
To select ports manually, click on the appropriate port(s) in the Port Selection
section. Positioning the mouse over each port will show the current status for
that port in the Configuration Details section. Multiple ports may be selected
for configuration by clicking on each port once.
To select multiple ports from the CLI, enter commands in the form:
interface range FastEthernet 2/12-23
Enable Cisco Power Over Ethernet – Enable support for Cisco pre-standard
power over Ethernet. Use this option with certain types of Cisco access
points.
Port Mode – Sets the mode of the port with respect to VLAN tagging. If the
port is set to access, untagged frames will be sent and received on the port,
and all traffic will be part of a single VLAN. If the port is set to trunk, tagged
frames will be sent and received.
VLAN
• If the port is set to access mode, a single port-based VLAN will be configured here.
• If the port is set to trunk mode, a native VLAN and a list of allowed VLANs can be configured. The native VLAN specifies the VLAN to which untagged ingress traffic will be mapped. In addition to the native VLAN, the port may be configured to allow all other VLANs in the switch, or to allow only a specific list of VLANs.
Firewall Policy – Applies a firewall policy to the physical port. Firewall policies
are created under Configuration > Security > Policies.
Enable MUX – Specifies that this port connects to a third-party AP for which
the switch will perform the Wi-Fi MUX function. See the section on configuring
Wi-Fi MUX for more details.
VLAN Configuration
VLAN 1 is the default VLAN. All ports are part of VLAN 1 until configured
otherwise. VLAN 1 cannot be deleted.
If desired, a DHCP helper may be configured for the VLAN. If this option is
enabled, all DHCP broadcasts on the VLAN will be unicast-forwarded to the
specified DHCP server. When using this option, ensure that there is only one
DHCP helper on the VLAN and that the Alcatel switch has not been configured
as a DHCP server.
The figure below shows the addition of a new VLAN with VLAN ID 26. The
Alcatel switch interface in the VLAN has IP address 10.26.1.1/24, and a DHCP
helper has been configured with all DHCP requests forwarded to 10.4.1.22.
vlan 26
interface vlan 26
ip address 10.26.1.1 255.255.255.0
ip helper-address 10.4.1.22
Tunnels
To configure generic tunnels for the switch, navigate to Configuration > Switch >
Tunnels.
IP Route Configuration
Alcatel AOS-W supports configuration of static IP routes. To configure these,
navigate to Configuration > Switch > IP Routing. On the OmniAccess 6000, two
default routes can be configured – one for the management Ethernet port only,
and one for the rest of the switch. On other models, a single default gateway
may be configured. Costs may be specified on routes to specify priority for
multiple routes to the same destination – a lower cost equals a higher priority.
To configure a static route other than the default route, click Add button and
fill in the required parameters as shown in the figure below.
VRRP Configuration
To enable VRRP, navigate to Configuration > Switch > VRRP. The Virtual Router
Table will display all redundant networks in which the switch currently
participates.
To add a new VRRP instance, click Add. Parameters available are the following:
IP Address – The virtual IP address that will be created and used by the VRRP
instance. This is the IP address that will be redundant – it will be active on the
VRRP master, and will become active on the VRRP backup in the event that
the VRRP master fails. This IP address must be part of the IP subnet
configured on the VLAN, and must be unique – the address cannot be the
loopback address of the switch, or the address of any VLAN interface. This is
the IP address to which Access Points will connect, and should be the
address configured as the LMS for an AP Group (see the Wireless
LAN-Advanced section of this guide for more information.)
Priority – Defines which switch will become VRRP master if pre-emption has
been enabled. These values should be different on each member of the
redundant pair. A higher number specifies higher priority. This value must be
between 1 and 254.
Admin State – Can be set either up or down. When down, VRRP is not active,
although the configuration information is retained.
VLAN – Specifies the VLAN on which VRRP is active. If the redundant switch
pair is connected to more than one VLAN, each VLAN should have a VRRP
configuration.
The figure below shows a sample VRRP configuration. In this example, the
switch has an IP address of 172.16.4.254 configured on VLAN 4. The other
switch in the redundant pair also has VLAN 4 configured, with an IP address of
172.16.4.253. The Virtual IP address managed by VRRP is 172.16.4.252.
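The constraints listed above (virtual IP inside the VLAN subnet, distinct from the loopback and from every VLAN interface address, priority between 1 and 254 and different on each member) are easy to get wrong by hand. The following Python script is an added example, not part of this guide or of AOS-W; it checks a redundant pair against those rules and reports which member should hold the virtual IP when pre-emption is enabled. The VLAN 4 addresses follow the figure described above; the loopback addresses and priorities are assumptions.

```python
import ipaddress

# Constructed pair matching the figure above (VLAN 4, interfaces 172.16.4.254
# and 172.16.4.253, virtual IP 172.16.4.252). Loopbacks and priorities are
# assumptions for this example, not values from the manual.
SWITCH_A = {"loopback": "10.1.1.1", "vlans": {4: "172.16.4.254/24"}, "priority": 110}
SWITCH_B = {"loopback": "10.1.1.2", "vlans": {4: "172.16.4.253/24"}, "priority": 100}


def validate_vrrp_instance(vip, vlan_id, switch):
    """Check one switch's VRRP instance against the rules above: the virtual IP
    must lie in the VLAN's subnet, must not equal the loopback or any VLAN
    interface address, and the priority must be within 1..254."""
    problems = []
    vip_addr = ipaddress.ip_address(vip)
    cidr = switch["vlans"].get(vlan_id)
    if cidr is None:
        problems.append(f"VLAN {vlan_id} has no IP interface on this switch")
    elif vip_addr not in ipaddress.ip_interface(cidr).network:
        problems.append(f"virtual IP {vip} is outside {ipaddress.ip_interface(cidr).network}")
    if vip_addr == ipaddress.ip_address(switch["loopback"]):
        problems.append(f"virtual IP {vip} equals the loopback address")
    for vid, icidr in switch["vlans"].items():
        if vip_addr == ipaddress.ip_interface(icidr).ip:
            problems.append(f"virtual IP {vip} equals the VLAN {vid} interface address")
    if not 1 <= switch["priority"] <= 254:
        problems.append(f"priority {switch['priority']} is outside 1-254")
    return problems


def validate_vrrp_pair(vip, vlan_id, switch_a, switch_b):
    """Validate both members plus the pair-wide rules: priorities must differ
    and the two VLAN interfaces must share a subnet."""
    result = {
        "a": validate_vrrp_instance(vip, vlan_id, switch_a),
        "b": validate_vrrp_instance(vip, vlan_id, switch_b),
        "pair": [],
    }
    if switch_a["priority"] == switch_b["priority"]:
        result["pair"].append("both members have the same priority")
    nets = []
    for sw in (switch_a, switch_b):
        cidr = sw["vlans"].get(vlan_id)
        if cidr:
            nets.append(ipaddress.ip_interface(cidr).network)
    if len(nets) == 2 and nets[0] != nets[1]:
        result["pair"].append("VLAN interfaces of the two members are in different subnets")
    return result


def expected_master(switch_a, switch_b):
    """With pre-emption enabled the higher priority holds the virtual IP.
    Returns "a", "b", or None when the priorities tie (invalid configuration)."""
    if switch_a["priority"] == switch_b["priority"]:
        return None
    return "a" if switch_a["priority"] > switch_b["priority"] else "b"


if __name__ == "__main__":
    print(validate_vrrp_pair("172.16.4.252", 4, SWITCH_A, SWITCH_B))
    print("expected master:", expected_master(SWITCH_A, SWITCH_B))
```

Run the script before committing a VRRP change; an empty result for "a", "b" and "pair" means the instance satisfies every rule listed above, and a non-empty list names the offending parameter.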
If SC-0 is then removed, SC-1 takes over LC-2 and controls LC-2 and LC-3,
again without traffic interruption.
When the reset button is pushed on a SC, it will reset the SC and only the line
cards it controls. This also applies to reload and reload-peer-SC commands.
On a fully loaded system, each side can be reset/reloaded independently.
CLI commands to configure DHCP server functionality can be found in the CLI
Command Reference Guide under “service dhcp”, “ip dhcp pool”, and “ip dhcp
excluded-address”.
To enable the DHCP server, click on the start button. To disable the DHCP
server, click on the stop button. The equivalent CLI commands are:
service dhcp
no service dhcp
A different DHCP pool must be created for each IP subnet for which DHCP
services should be provided. DHCP pools are not specifically tied to VLANs –
the DHCP server exists on every VLAN. When a DHCP request comes in, the
switch examines the origin of the request to determine if it should answer. If
the IP address of the VLAN matches a subnet for which the DHCP server is
configured, it will answer the request.
To add a new DHCP pool, click Add. Fill in parameters as shown in the figure
below. Only those parameters shown are supported by the DHCP server. If
additional DHCP options are required, an external DHCP server should be
used. In the example shown, a DHCP pool has been created for network
10.26.1.0/24. The default router for the subnet is 10.26.1.1, and the primary
DNS server is 192.168.1.10.
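The answering rule above (the server is present on every VLAN but only replies where the VLAN's own address falls inside a configured pool) and the warning in the VLAN section about combining a DHCP helper with the local server can both be checked offline. The Python script below is an added example, not code from this guide or from AOS-W; it models a constructed configuration (the interfaces, pools, excluded addresses and helper are assumptions) and shows which VLANs are served, relayed or in conflict, which address would be offered next, and whether every pool's default router is excluded from the lease range.

```python
import ipaddress

# Constructed example configuration (an assumption for this example, not the
# manual's): VLAN interfaces, DHCP pools, excluded addresses and one helper.
VLAN_INTERFACES = {                                   # interface vlan <id> / ip address
    26: "10.26.1.1/24",
    4: "172.16.4.254/24",
    30: "10.30.1.1/24",
}
DHCP_POOLS = {                                        # ip dhcp pool <name>
    "vlan26": {"network": "10.26.1.0/24", "default-router": "10.26.1.1",
               "dns-server": "192.168.1.10"},
    "vlan4": {"network": "172.16.4.0/24", "default-router": "172.16.4.252",
              "dns-server": "192.168.1.10"},
}
EXCLUDED = {"10.26.1.1", "172.16.4.252", "172.16.4.253", "172.16.4.254"}  # ip dhcp excluded-address
HELPERS = {30: "10.4.1.22"}                           # ip helper-address on VLAN 30


def select_pool(vlan_id, pools=DHCP_POOLS, interfaces=VLAN_INTERFACES):
    """Name of the pool whose subnet contains the VLAN's own interface address,
    or None. This is the answering rule described above: the server exists on
    every VLAN but only replies where the VLAN IP falls inside a pool."""
    cidr = interfaces.get(vlan_id)
    if cidr is None:
        return None
    vlan_ip = ipaddress.ip_interface(cidr).ip
    for name, pool in pools.items():
        if vlan_ip in ipaddress.ip_network(pool["network"]):
            return name
    return None


def vlan_dhcp_mode(vlan_id, helpers=HELPERS):
    """'serve' (local pool answers), 'relay' (helper forwards to an external
    server), 'conflict' (both, which the VLAN section warns against) or 'none'."""
    pool, helper = select_pool(vlan_id), helpers.get(vlan_id)
    if pool and helper:
        return "conflict"
    return "serve" if pool else ("relay" if helper else "none")


def offer_address(vlan_id, leased=()):
    """First usable address in the VLAN's pool that is neither excluded nor
    already leased; None when the VLAN is not served by a local pool."""
    pool = select_pool(vlan_id)
    if pool is None:
        return None
    taken = {ipaddress.ip_address(a) for a in set(leased) | EXCLUDED}
    for host in ipaddress.ip_network(DHCP_POOLS[pool]["network"]).hosts():
        if host not in taken:
            return str(host)
    return None


def audit_pools():
    """Checks worth running before 'service dhcp': each pool's default router
    must be excluded (or it can be leased to a client), and every pool should
    be reachable from some VLAN interface, otherwise it never answers."""
    findings = []
    served = {select_pool(v) for v in VLAN_INTERFACES}
    for name, pool in DHCP_POOLS.items():
        if pool["default-router"] not in EXCLUDED:
            findings.append(f"{name}: default router {pool['default-router']} is not excluded")
        if name not in served:
            findings.append(f"{name}: no VLAN interface lies in {pool['network']}")
    return findings


if __name__ == "__main__":
    for vlan in sorted(VLAN_INTERFACES):
        print(f"VLAN {vlan}: {vlan_dhcp_mode(vlan)}, first offer {offer_address(vlan)}")
    print("audit:", audit_pools() or "clean")
```

VLAN 30 in the sample has a helper but no matching pool, so it is relayed; adding a helper to VLAN 26 as well would turn it into the double-answer conflict the VLAN section warns about.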
Introduction
This chapter will explain the process of configuring the server for
802.1x and using CA Certificates for authorization.
Background
The IEEE 802.1x standard defines a Layer 2, port-based network access control scheme that provides authenticated network access on Ethernet networks. A device is denied the ability to transmit and receive data over an Ethernet switch port if the authentication process is unsuccessful. The standard was originally developed for traditional wired networks and has been successfully adapted for use with wireless networks, where the association to an AP takes the place of the physical switch port.
Authentication server
An entity that provides an authentication service to an authenticator. This service determines, from the credentials provided by the supplicant, whether the supplicant is authorized to access the services provided by the authenticator. Example: Microsoft IAS is an Authentication Server.
Authenticator
An entity at one end of a point-to-point LAN segment that facilitates authentication of the entity attached to the other end of that link. Example: the Alcatel-6000 is an 802.1x Authenticator.
Certificates
Certificates are digital documents which are commonly used for authenticating
users, computers and for securing information on open networks. Certificates
bind public keys to the entity that possesses the private key and are digitally
signed by the issuing certification authority (CA).
EAP
(Extensible Authentication Protocol) is a general protocol for PPP authentication
which supports multiple authentication mechanisms.
EAP-TLS
(EAP-Transport Layer Security) is used in certificate-based security environments. It provides the strongest authentication and key determination method. EAP-TLS provides mutual authentication, negotiation of the encryption method, and encrypted key determination between the client and the authentication server; the authenticator only passes the exchange through.
EAP-TTLS
(EAP-Tunneled TLS Authentication Protocol) is an EAP protocol that extends EAP-TLS. In EAP-TLS, a TLS handshake is used to mutually authenticate a client and server. EAP-TTLS extends this authentication negotiation by using the secure connection established by the TLS handshake to exchange additional information between client and server. In EAP-TTLS, the TLS handshake may be mutual; or it may be one-way, in which only the server is authenticated to the client.
PEAP
(Protected EAP) is an authentication protocol that uses TLS to enhance the
security of other EAP authentication methods. PEAP for Microsoft 802.1X
Authentication Client provides support for EAP-TLS, which uses certificates for
both server authentication and client authentication, and Microsoft Challenge
Handshake Authentication Protocol version 2 (EAP-MS-CHAP v2), which uses
certificates for server authentication and password-based credentials for client
authentication.
RADIUS
(Remote Authentication Dial-In User Service) is a distributed client/server system that secures networks against unauthorized access. The Alcatel-6000 can be configured as a RADIUS client that sends authentication requests to the configured RADIUS servers, which hold all user authentication and network service access information.
Supplicant
An entity at one end of a point-to-point LAN segment that is being authenticated
by an authenticator attached to the other end of that link. Example: Win-XP/2K
Wireless station is a supplicant.
TLS
(Transport Layer Security) provides privacy and data integrity between two communicating applications.
NOTE—The command reference for this action may be found in “RADIUS Commands” on page 830.
7 Verify that the RADIUS server was created. The RADIUS server is created with default values unless otherwise specified.
Type show aaa radius-server <Enter>
1 Verify that the server you created above is enabled as a dot1x authentication server and that it is assigned the correct priority.
Mode = 'Enabled'
Default Role = 'employee'
Auth Server List
----------------
Pri Name Type Status Inservice Applied
--- ---- ---- ------ --------- -------
1 Alcatel2 RADIUS Enabled Yes 1
The order in which servers are queried is determined by their priority. The
server with the highest priority (priority = 1) is queried first.
2 If the priority of the server is too low, change the priority with the aaa dot1x
auth-server command.
Type aaa dot1x auth-server <server name> <priority> <number> <Enter>.
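The verification in steps 1 to 4 is done by reading the show aaa dot1x table by eye. The following Python script is an added example, not code from this guide or from AOS-W: it parses that output, orders the servers as the switch queries them (priority 1 first) and reports when the intended server is not first, not enabled or not in service. The sample output is constructed to resemble the listings in this chapter; the extra servers, and the assumption that a server whose Status is not Enabled is skipped, are this example's own.

```python
import re

# Constructed sample output modelled on the 'show aaa dot1x' listings in this
# chapter. The extra servers and their states are assumptions for this example.
SAMPLE_SHOW_AAA_DOT1X = """\
Mode = 'Enabled'
Default Role = 'TestEmployee'
Auth Server List
----------------
Pri Name     Type   Status   Inservice Applied
--- ----     ----   ------   --------- -------
2   IAS      RADIUS Enabled  Yes       1
1   Alcatel2 RADIUS Enabled  Yes       1
3   Backup   RADIUS Disabled Yes       0
"""

# One table row: Pri Name Type Status Inservice Applied
SERVER_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_show_aaa_dot1x(text):
    """Return (mode, default_role, servers); servers are sorted into query
    order, priority 1 first, as the text above states."""
    mode = default_role = None
    servers = []
    for line in text.splitlines():
        m = re.match(r"^Mode = '([^']*)'", line)
        if m:
            mode = m.group(1)
            continue
        m = re.match(r"^Default Role = '([^']*)'", line)
        if m:
            default_role = m.group(1)
            continue
        m = SERVER_ROW.match(line)
        if m:
            pri, name, typ, status, inservice, applied = m.groups()
            servers.append({"priority": int(pri), "name": name, "type": typ,
                            "enabled": status == "Enabled",
                            "inservice": inservice == "Yes",
                            "applied": int(applied)})
    servers.sort(key=lambda s: s["priority"])
    return mode, default_role, servers


def query_order(text):
    """Names of the servers the switch will try, in order. Disabled servers are
    skipped (assumption: a server whose Status is not Enabled is never queried)."""
    return [s["name"] for s in parse_show_aaa_dot1x(text)[2] if s["enabled"]]


def check_dot1x(text, expected_server, expected_role):
    """Automate steps 1-4 above: return findings, empty when the named server
    is first in line, enabled and in service, and the default role matches."""
    mode, role, servers = parse_show_aaa_dot1x(text)
    findings = []
    if mode != "Enabled":
        findings.append(f"802.1x mode is {mode!r}, not 'Enabled'")
    if role != expected_role:
        findings.append(f"default role is {role!r}, expected {expected_role!r}")
    server = next((s for s in servers if s["name"] == expected_server), None)
    if server is None:
        findings.append(f"server {expected_server} is not in the auth server list")
        return findings
    if server["priority"] != 1:
        findings.append(f"{expected_server} has priority {server['priority']}; "
                        "raise it to 1 with aaa dot1x auth-server")
    if not server["enabled"]:
        findings.append(f"{expected_server} is not Enabled")
    if not server["inservice"]:
        findings.append(f"{expected_server} is not in service")
    return findings


if __name__ == "__main__":
    print(query_order(SAMPLE_SHOW_AAA_DOT1X))
    print(check_dot1x(SAMPLE_SHOW_AAA_DOT1X, "IAS", "TestEmployee"))
```

Feed it the captured output of show aaa dot1x from a real switch; a finding about priority corresponds to step 2 above, and a finding about the default role to step 3.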
NOTE—The command reference for this action may be found in “Access Control List Commands” on page 835.
(Alcatel) #configure t
Enter Configuration commands, one per line. End with CNTL/Z
(Alcatel) (config) #
5 Create an ACL with the name TestEmpl-acl (you may choose any name you
wish).
Type ip access-list session TestEmpl-acl <Enter>
6 Specify any for the source, destination, and port parameters and permit for the
action parameter.
Type any any any permit <Enter>
(Alcatel) (config-role) #
3 Assign the TestEmployee role as the default role for all users authenticated
using 802.1X
Type aaa dot1x default-role TestEmployee <Enter>
(Alcatel) (config) #
4 Verify that the authorization server and default roles were correctly assigned.
Type show aaa dot1x <Enter>. The system will display a screen similar to this:
Mode = 'Enabled'
Default Role = 'TestEmployee'
Auth Server List
----------------
Pri Name Type Status Inservice Applied
--- ---- ---- ------ --------- -------
1 IAS RADIUS Enabled Yes 1
You may also view the rights that are assigned to the user (TestEmployee)
Type show rights TestEmployee <Enter>.
TestEmpl-acl
------------
Priority Source Destination Service Action Opcode TimeRange Log Expired Queue
-------- ------ ----------- ------- ------ ------ --------- --- ------- -----
1 any any any permit Low
Commands in the dot1x group may be reset to their default values or disabled
by using the no form of the command as shown below.
(Alcatel) (config) # no dot1x re-authentication <Enter>
dot1x default
The dot1x default command resets the dot1x state machine configuration to its
default values.
Default: 5
Valid Range: 0 - 10
dot1x multicast-keyrotation
The dot1x multicast-keyrotation command enables the rotation of multicast
keys. Multicast keys are used to encrypt multicast packets generated for each
AP. Multicast keys are associated with each essid.
Default: Disabled
dot1x re-authentication
The dot1x re-authentication command enables periodic re-authentication of supplicants. Re-authentication occurs after a specified amount of time has elapsed since the last authentication; the period is set with the dot1x timeout reauthperiod command (see below). Unicast keys are updated after each re-authentication.
Default: Disabled
Dot1x server
The dot1x server commands are used for setting the back-end authentication
server configuration.
Default: 2
Valid Range: 0 - 3
Default: 30 (seconds)
dot1x timeout
The dot1x timeout commands are used for setting the periods of the timers
used in the 802.1x authenticator.
Default: 30 (seconds)
Default: 60 (seconds)
Default: 60 (seconds)
When the command is executed the system will display a screen similar to the
one below.
(OmniAccess 6000) #
When the show dot1x ap-table command is executed the systems displays a
screen similar to the one below.
AP Table
--------
MAC               IP          Essid   Enabled Type Location Vlan Enc
---               --          -----   ------- ---- -------- ---- ---
00:30:f1:71:94:08 10.3.25.253 Alcatel Yes     SAP  1.2.3    1    Static-TKIP
00:30:f1:71:94:08 10.3.25.253 guest   Yes     SAP  1.2.3    7    Static WEP
00:0b:86:80:24:10 10.3.8.191  alpha   No      SAP  1.1.1    1    Dynamic WEP
static-wep Displays the static WEP keys of all the APs. The information includes:
• AP MAC Address
• WEP Key and Size for each of the four keys.
dynamic wep Displays the dynamic WEP keys of all the APs. The information includes:
• AP MAC Address
• WEP Key, Size, and Slot for the two keys.
tkip Displays the TKIP keys for all APs.
When this command is executed the system returns a screen containing a table that includes the following information about each of the supplicants:
• User Name
• Authentication Status (yes/no)
• AP MAC
• Encryption Key
• Authorization Mode
• EAP type
When the command is executed the system will display a screen similar to the
one below.
Mode = 'Enabled'
Default Role = 'guest'
Auth Server List
----------------
Pri Name Type Status Inservice Applied
--- ---- ---- ------ --------- -------
1 Alcatel RADIUS Enabled Yes 1
2 IAS RADIUS Enabled Yes 1
Debug Commands
The commands in this section are used for debugging the authentication
module. Debugging is accomplished through a telnet monitor.
A two step process is required to enter the debugging mode. First, enter the
configure terminal mode, then enter the debug mode.
The system will display a screen similar to the one shown here.
(Alcatel) #configure t
Enter Configuration commands, one per line. End with CNTL/Z
RF Deauthentication Debugging
Using Alcatel Air Management features, Alcatel APs can identify other APs and
client stations that violate configured protection policies. The Alcatel APs can
also be configured to send deauthentication frames (or laser-beams) to prevent
the offending AP or client station behavior (refer to the Alcatel AOS-W User's
Guide).
When enabled, Alcatel APs alter their deauthentication frames to include their own MAC address. This identifies the source of the laser-beam to packet capture software or inspection equipment (“sniffers”) and nullifies the deauthentication effect, so enable it only while debugging.
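To see what the debugging mode changes on the air, it helps to look at the addresses in a deauthentication frame. The Python script below is an added example, not code from this guide or from AOS-W: it builds and parses 802.11 deauthentication frames and attributes each one by comparing the source address with the BSSID, so that a frame carrying an AP's own MAC (as in the debug mode described above) stands out from one that spoofs the BSSID or a station. The capture and all MAC addresses are constructed; the list of known Alcatel AP addresses is an assumption.

```python
import struct
from collections import Counter

MGMT, DEAUTH, DISASSOC = 0, 12, 10          # 802.11 frame type / subtypes
HEADER_LEN = 24                              # FC, duration, addr1-3, seq ctrl


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(da, sa, bssid, reason, seq=0):
    """Assemble a deauthentication frame (no FCS): frame control with
    type 0 / subtype 12, three addresses, sequence control, reason code."""
    fc = (DEAUTH << 4) | (MGMT << 2)
    return (struct.pack("<HH", fc, 0) + mac_bytes(da) + mac_bytes(sa)
            + mac_bytes(bssid) + struct.pack("<H", seq << 4)
            + struct.pack("<H", reason))


def parse_mgmt(frame):
    """Decode the common management header; reason code only for deauth/disassoc."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame shorter than an 802.11 management header")
    fc, = struct.unpack_from("<H", frame, 0)
    info = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "da": mac_str(frame[4:10]), "sa": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]),
            "seq": struct.unpack_from("<H", frame, 22)[0] >> 4, "reason": None}
    if info["type"] == MGMT and info["subtype"] in (DEAUTH, DISASSOC):
        if len(frame) < HEADER_LEN + 2:
            raise ValueError("deauth/disassoc frame missing reason code")
        info["reason"] = struct.unpack_from("<H", frame, HEADER_LEN)[0]
    return info


def classify_deauth(info, known_ap_macs=frozenset()):
    """Attribute a deauth/disassoc frame by its addresses. known_ap_macs is an
    assumed list of the organisation's own Alcatel AP/AM addresses."""
    if info["reason"] is None:
        return "not-deauth"
    if info["sa"] in known_ap_macs:
        return "own-ap"             # debug mode: the AP used its own MAC as source
    if info["sa"] == info["bssid"]:
        return "from-bssid"         # claims to be the AP (genuine or spoofed)
    if info["da"] == info["bssid"]:
        return "from-station"       # claims to be a station leaving the BSS
    return "unattributed"           # sender matches neither side of the BSS


def deauth_report(frames, known_ap_macs=frozenset()):
    """Count deauth/disassoc frames per (source, verdict) over a capture."""
    report = Counter()
    for frame in frames:
        info = parse_mgmt(frame)
        if info["reason"] is not None:
            report[(info["sa"], classify_deauth(info, known_ap_macs))] += 1
    return dict(report)


# Constructed capture (assumption): Alcatel AP 00:0b:86:aa:bb:cc contains client
# 00:11:22:33:44:55 on rogue BSSID 00:de:ad:be:ef:01, first in debug mode (own
# MAC as source), then with the rogue BSSID as source; last, the client itself
# sends a deauth to the rogue AP.
ALCATEL_APS = frozenset({"00:0b:86:aa:bb:cc"})
CAPTURE = [
    build_deauth("00:11:22:33:44:55", "00:0b:86:aa:bb:cc", "00:de:ad:be:ef:01", 7, 1),
    build_deauth("00:11:22:33:44:55", "00:de:ad:be:ef:01", "00:de:ad:be:ef:01", 7, 2),
    build_deauth("00:de:ad:be:ef:01", "00:11:22:33:44:55", "00:de:ad:be:ef:01", 3, 3),
]

if __name__ == "__main__":
    for frame in CAPTURE:
        info = parse_mgmt(frame)
        print(info["sa"], "->", info["da"], "reason", info["reason"],
              classify_deauth(info, ALCATEL_APS))
    print(deauth_report(CAPTURE, ALCATEL_APS))
```

The first frame is what a sniffer sees with the debug mode on: the source is the Alcatel AP's own address rather than the rogue BSSID, which is why the frame is attributable and why the targeted client ignores it. The second frame is the normal containment form and is indistinguishable by address from a deauth sent by the rogue AP itself.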
Certificates
1 Open a web browser and point it at the web enrollment page of the corporate CA server. For example:
http://<ip address>/certsrv
2 Select the Retrieve the CA Certificate or certificate revocation list option, then
click Next. The following screen should appear in your browser.
You may receive one or both of the following warnings. In either case click
Yes.
The installation should proceed automatically and the following screen should
appear.
4 Select the Submit a certificate request to this CA using a form option, then
click Next.
You may receive one of the security warnings shown below. Click Yes.
The web page form below should appear in your browser window.
5 Enter the following information in the Identity Information section of the form:
• Name (the authentication server’s fully qualified name)
• The administrator’s email address
• The name of the company
• The department within the company to which the server belongs
• The city, state, and country where the company is located.
7 Click Submit after you have correctly entered all the information.
You may see the warning text box pictured below appear on the screen, Click
Yes.
The web page shown below should appear in your browser window.
You may see the warning text box pictured below appear on the screen, Click
Yes.
4 Select the Submit a certificate request to this CA using a form option, then
click Next.
You may receive one of the security warnings shown below. Click Yes.
The web page form below should appear in your browser window.
5 Enter the following information in the Identity Information section of the form:
• Name (the authentication server’s fully qualified name)
• The User’s email address
• The name of the company
• The department within the company to which the server belongs
• The city, state, and country where the company is located.
7 Click Submit after you have correctly entered all the information.
You may see the warning text box pictured below appear on the screen, click
Yes.
The web page shown below should appear in your browser window.
You may see the warning text box pictured below appear on the screen, Click
Yes.
Pocket PC 2003 includes built-in support for wireless networks and 802.1x authentication. Some PDA vendors, including HP, have also produced system updates to enable support for WPA and TKIP, assuming the NIC driver also supports TKIP. Section 1 of this document explains how to configure Pocket PC devices using the built-in 802.1x supplicant. Section 2 explains how to perform the same configuration using the Funk Odyssey client.
In the management console, select File > Add/Remove Snap-in. Select the Certificates
snap-in.
Next, locate the certificate for the trusted certificate authority, right-click on it,
select “All tasks”, then select “Export”.
If given the option, do not export the private key. This option only appears on
the certificate authority itself. Save the file somewhere accessible on the hard
drive.
To install the certificate authority, simply tap on the certificate file. The system
will ask for confirmation before installing the certificate. Select “Yes”.
The certification path has now been installed. It can be verified by navigating
on the Pocket PC device to Settings > System > Certificates > Root.
If the appropriate ESSID is not already shown in the list, add it by selecting
“Add new”.
After filling in the ESSID in the Network Name field, select the Authentication tab.
The authentication settings screen appears.
Configure the screen. In the EAP type field, select PEAP. Do not click Properties
– this is used to configure certificate-based authentication. A warning message
will be generated if Properties is clicked – this warning message may be
ignored.
Supply the necessary login credentials, and the process will complete.
Configuration of the Funk Odyssey client can be performed either on the host
PC or on the Pocket PC device. All permanent configuration should be done
on the host PC, which will then push the configuration to the mobile device.
This document will describe configuration on the host PC.
Certificate Configuration
During 802.1x authentication, a digital certificate is passed from the authentication server to the client. The client uses this certificate to authenticate the network infrastructure, so that connections to untrusted networks are not made. To authenticate the network, the client checks the certification path of the server certificate against the trusted root certification authorities with which it has been configured. Microsoft Windows and Pocket PC come with a number of large public certification authorities pre-installed, including VeriSign, SecureSign, GTE, C&W, and others. An organization may instead use a server certificate issued by its own internal certificate authority.
The Funk Odyssey client will automatically push required certificates to the mobile device. However, this assumes that the certificate information, including trusted certification paths, is already available on the host PC. If a server certificate’s certification path ends in one of these pre-installed certificate authorities, no further action is required on the client. If a certificate from the organization’s own CA is used, that CA’s certificate must be installed on the client device so that it is trusted. For instructions on installing a certification authority (CA) certificate on the host PC, consult the Alcatel AOS-W User’s Guide and look for the section entitled “Obtaining a Certification Authority (CA) Certificate.”
The server trust configuration may be done in two different ways. One
method instructs the client to trust any server that provides a certificate
ultimately signed by a specified certification authority (CA). This option is not
recommended if the CA is a public CA, since the client would then trust any
certificate that was also signed by that same CA. To configure this method,
click Advanced.
The second and more secure method specifies the domain name of the
authentication server. Only servers with this domain name that send a valid
trusted certificate will be authorized. To configure a trusted server, click Add
on the Trusted Servers screen.
Profile Configuration
To use 802.1x authentication, a profile must be created to configure the
appropriate EAP type, as well as other authentication details. Profiles are
configured in the Profiles screen.
The first step of profile configuration is to establish the user information and
type of authentication credentials. In this example, a username and password
is required to access the network. The password can be saved on the device, if
desired.
Next, the authentication EAP type must be selected. In this case, PEAP is used
in this network. The “Validate server certificate” option should always be
enabled for security reasons.
Networks Configuration
Once a profile has been configured, the SSID with which the device should
connect must be configured. This is done in the “Networks” screen.
In the example below, the SSID “Wireless LAN-01” will be used. Open
authentication is used with WEP encryption. The previously-created “Wireless
LAN” authentication profile will be used to authenticate to the network, and
WEP keys will be generated automatically during 802.1x authentication.
Connection Configuration
Finally, the default network should be specified. Although multiple networks
may be configured under the “Networks” screen, only one of them will be the
default network.
Push to Device
After all configuration has been completed in the Funk Odyssey Configuration
Manager, the configuration must be pushed out to the mobile device. After
establishing an ActiveSync connection, select Commands > Push To Device from
the Odyssey Configuration Manager.
Physical Topology
The OmniAccess 6000 switch connects to the rest of the network through a
port on the main routing switch. This port is part of the 10.1.1.0 subnet, on
which most of the servers also exist.
Redundancy was not a primary design concern in the wireless network, since
other parts of the network are not redundant.
Wireless Laptops
1. Wireless laptop boots Windows XP and comes up with a Windows domain
login screen.
2. In order to gain network connectivity to the domain controller, the
Windows laptop associates and authenticates to the wireless network.
a The laptop searches for the wireless ESSID “Wireless LAN-01”, chooses the AP with the best signal strength, and attempts to associate to it.
  i. The laptop sends 802.11 broadcast probe requests to search for any ESSID.
  ii. All APs in range respond with probe responses containing the ESSID “Wireless LAN-01”. A load balancing feature has been enabled on the Alcatel switch that limits the number of users on a single AP to 20. If the load-balancing high watermark has been reached on a given AP, that AP does not send a probe response. From the laptop’s perspective, it appears as though the AP does not exist.
  iii. The laptop chooses the best AP among the list of responses. This decision is typically based on measured signal strength.
  iv. The laptop initiates an 802.11 association with the chosen AP.
b The laptop initiates 802.1x authentication by transmitting an EAPOL-Start message to the AP. An 802.1x authentication sequence using PEAP follows. The Alcatel switch takes the EAP messages carried in 802.1x EAPOL frames on the wireless network, re-encapsulates them as EAP-over-RADIUS messages on the wired network, and transmits them to the Microsoft IAS server. The EAP conversation is between the client and the IAS server, with the Alcatel components acting as pass-through devices.
  i. The laptop transmits a username of “host\computer_name”, where “computer_name” is replaced by the actual configured computer name of the laptop. The Alcatel switch recognizes the username information, records it, and maps it to the MAC address of the client in an internal table.
  ii. The IAS server compares the transmitted username with a list of computers and users in the Active Directory database. Because the username represents a computer in the domain, the IAS server processes the authentication request according to a policy matching all domain computers.
  iii. The IAS server transmits a digital certificate to the client. This digital certificate was issued and signed by the local Windows certificate authority. Each laptop has been configured to trust the local certificate authority. Because of this trust relationship, the client accepts the certificate and allows authentication to proceed. If an invalid certificate were presented (for example, from an intruder attempting to gain access to the network by running a separate AP and authentication server), the client would halt the authentication process at this point.
  iv. During the encrypted PEAP exchange, the client again transmits a username corresponding to its computer name. Using MS-CHAP v2, the computer next transmits a password. In this case, the password is the domain SID (security identifier) previously exchanged between the laptop and the domain controller the first time the laptop joined the domain. The SID is stored on each laptop automatically.
zv. If the computer name and SID match those stored in the Active Direc-
tory database, authentication is granted. The IAS server transmits a
RADIUS “Accept” message to the Alcatel switch. The Alcatel switch
transmits an EAPOL “Success” message to the wireless client. This
concludes 802.1x authentication.
5. The user now has network access consistent with the user’s group
privileges.
6. If the user moves to another room where the wireless association can no
longer be maintained, the laptop will search for a new AP and re-initiate the
association process. After each association, the 802.1x authentication
process will repeat. While a user is logged in to the laptop, the 802.1x
authentication will be performed using the user’s credentials. If 802.1x
authentication takes place when a user is not logged in to the laptop, the
computer’s authentication credentials will be used to perform the
authentication process.
7. When a user logs out of Windows, the laptop will again perform 802.1x
authentication using computer credentials, as described in 2(b) above. This
places the wireless device back into the “computer” role in the Alcatel
switch.
Printers
Separate from the process above, support for wireless-attached printers is also
provided. The printers connect to the wireless network using a hidden ESSID
of “Wireless LAN-01-printer”. Because the wireless adapters for the printers do
not support strong authentication or encryption, this ESSID utilizes WEP
encryption with no authentication. For security reasons, printers are
automatically mapped to a special “printer” role in the Alcatel switch, are
placed into a special VLAN, and have restricted access to the network. In the
event that the printer WEP key were compromised, the potential damage an
attacker could do would be very limited, and the breach would be quickly
discovered by the network administrator.
Firewall Policies
Several firewall policies have been configured in the Alcatel switch, and are
mapped to user roles. These firewall policies are designed to control access
only to the internal network. The school district implements other firewall
technology for the connection to the Internet to further limit district-wide
Internet traffic.
netdestination district-network
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.255.0.0
Student Policy
The policy below prevents students from using telnet, POP3, FTP, SMTP,
SNMP, or SSH to the wired portion of the network. Telnet, FTP, SNMP, and
SSH are used by the IT staff to maintain network devices, but are not
permitted for other classes of users. POP3 and SMTP are permitted for faculty
and staff members to access email. All students use Microsoft Exchange to
access email.
ip access-list session student
user alias district-network svc-telnet deny
user alias district-network svc-pop3 deny
user alias district-network svc-ftp deny
user alias district-network svc-smtp deny
user alias district-network svc-snmp deny
user alias district-network svc-ssh deny
Faculty Policy
The faculty policy is similar to the student policy above in restricting use of
maintenance protocols to the internal network. However, faculty members are
allowed the use of POP3 and SMTP. Faculty laptops have email clients
configured to use these protocols as they were deemed more efficient than
the Exchange protocol when laptops were taken home and used with VPN
remote access. Students did not have this same requirement, since they are
not permitted to use VPN remote access.
ip access-list session faculty
user alias district-network svc-telnet deny
user alias district-network svc-ftp deny
user alias district-network svc-snmp deny
user alias district-network svc-ssh deny
Printer Policy
The following policy is used for the printer role. It restricts printers to
communicating only with the print server, and only on specific port numbers.
Any violation of the printer policy will trigger a log message, notifying the
system administrator that a possible network security breach has occurred.
ip access-list session printer-acl
user host 172.16.31.26 svc-windows-printing permit
user host 172.16.31.27 svc-windows-printing permit
any any any deny log
Guest Policy
The following policies permit guest access only to the Internet, and only during
daytime working hours.
time-range working-hours periodic
weekday 07:30 to 17:00
ip access-list session guest
user host 10.1.1.25 svc-dhcp permit time-range working-hours
user host 10.1.1.25 svc-dns permit time-range working-hours
user alias district-network any deny
user any svc-http permit time-range working-hours
user any svc-https permit time-range working-hours
user any any deny
user-role computer
session-acl allowall
!
user-role guest
session-acl guest
bandwidth-contract guest-1M
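The first-match evaluation of the session ACLs above (the time-range on the guest policy, the district-network alias, and the logging deny on the printer policy), as an added example that is not part of the original document and not AOS-W code. The svc-* names are the page's; the protocol/port pairs behind them and the sample flows and timestamps are assumptions constructed for the example.

```python
import ipaddress
from datetime import datetime

# Service aliases used by the policies above. The svc-* names are the page's;
# the protocol/port pairs are the standard ones and are an assumption here.
SERVICES = {
    "svc-dhcp": ("udp", 67),
    "svc-dns": ("udp", 53),
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
    "svc-telnet": ("tcp", 23),
    "svc-ssh": ("tcp", 22),
    "svc-windows-printing": ("tcp", 445),  # assumed port for illustration
}

# netdestination district-network, exactly as defined on the page.
ALIASES = {
    "district-network": [ipaddress.ip_network("10.0.0.0/8"),
                         ipaddress.ip_network("172.16.0.0/16")],
}

# time-range working-hours periodic weekday 07:30 to 17:00
# (weekday() 0..4 = Monday..Friday).
TIME_RANGES = {"working-hours": (range(0, 5), (7, 30), (17, 0))}


def parse_rule(line):
    """Parse one session ACL rule in the page's syntax, e.g.
    'user host 10.1.1.25 svc-dns permit time-range working-hours'."""
    tok = line.split()
    src = tok[0]                       # 'user' or 'any'; not evaluated here
    if tok[1] in ("host", "alias"):
        dst, i = (tok[1], tok[2]), 3
    else:
        dst, i = ("any", None), 2
    svc, action, rest = tok[i], tok[i + 1], tok[i + 2:]
    tr = rest[rest.index("time-range") + 1] if "time-range" in rest else None
    return {"src": src, "dst": dst, "svc": svc, "action": action,
            "log": "log" in rest, "time_range": tr}


def in_time_range(name, when):
    days, (sh, sm), (eh, em) = TIME_RANGES[name]
    minutes = when.hour * 60 + when.minute
    return when.weekday() in days and sh * 60 + sm <= minutes < eh * 60 + em


def dst_matches(dst, ip):
    kind, value = dst
    if kind == "any":
        return True
    if kind == "host":
        return ip == ipaddress.ip_address(value)
    return any(ip in net for net in ALIASES[value])      # alias


def svc_matches(svc, proto, port):
    return svc == "any" or SERVICES[svc] == (proto, port)


def evaluate(acl, flow, when):
    """First-match evaluation of a session ACL. flow = (proto, dst_ip, port).
    A rule whose time-range is not active is skipped, as if absent; a flow
    that matches no rule is denied. Returns (action, log_flag, rule_index)."""
    proto, dst_ip, port = flow
    ip = ipaddress.ip_address(dst_ip)
    for idx, rule in enumerate(acl):
        if rule["time_range"] and not in_time_range(rule["time_range"], when):
            continue
        if dst_matches(rule["dst"], ip) and svc_matches(rule["svc"], proto, port):
            return rule["action"], rule["log"], idx
    return "deny", False, None


def load_acl(text):
    return [parse_rule(l) for l in text.strip().splitlines()]


# The guest and printer policies from the page.
GUEST_ACL = load_acl("""
user host 10.1.1.25 svc-dhcp permit time-range working-hours
user host 10.1.1.25 svc-dns permit time-range working-hours
user alias district-network any deny
user any svc-http permit time-range working-hours
user any svc-https permit time-range working-hours
user any any deny
""")

PRINTER_ACL = load_acl("""
user host 172.16.31.26 svc-windows-printing permit
user host 172.16.31.27 svc-windows-printing permit
any any any deny log
""")

# Constructed timestamps: 2024-06-04 is a Tuesday, 2024-06-08 a Saturday.
TUESDAY_10AM = datetime(2024, 6, 4, 10, 0)
TUESDAY_7PM = datetime(2024, 6, 4, 19, 0)
SATURDAY_10AM = datetime(2024, 6, 8, 10, 0)

if __name__ == "__main__":
    # Constructed flows: (protocol, destination IP, destination port).
    print(evaluate(GUEST_ACL, ("tcp", "203.0.113.10", 80), TUESDAY_10AM))
    print(evaluate(GUEST_ACL, ("tcp", "203.0.113.10", 80), TUESDAY_7PM))
    print(evaluate(GUEST_ACL, ("tcp", "10.1.1.50", 80), TUESDAY_10AM))
    print(evaluate(PRINTER_ACL, ("tcp", "172.16.31.28", 445), TUESDAY_10AM))
```

Note that the guest ACL denies the whole district network before the HTTP/HTTPS permits, so a web server on 10.1.1.50 is unreachable even during working hours.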
Authentication Parameters
The following configuration statements are related to user authentication.
RADIUS Configuration
The following statements configure the available RADIUS servers, including
the IP address of the RADIUS server and the key.
aaa radius-server IAS1 host 10.1.1.21 key |*a^t%183923!
aaa radius-server IAS2 host 10.1.1.25 key |*a^t%312213!
The second statement instructs the switch to place any clients associating
with the ESSID “Wireless LAN-01-printer” into the “printer” role. There is
currently no authentication for printers – only the static WEP key and firewall
policy protect the printer network from unauthorized users.
aaa derivation-rules user
set role condition essid equals "Wireless LAN-01-printer" set-value printer
The third statement instructs the switch to place any clients associating with
the ESSID “Guest” into the “guest” role. Guests are not required to
authenticate, but are only permitted very limited network access and only
during daytime working hours.
aaa derivation-rules user
set role condition essid equals "Guest" set-value guest
For more information on the role derivation process, refer to:“Setting Access
Rights” on page 419.
802.1x Configuration
The following statements enable 802.1x authentication. They also establish
which RADIUS servers to use for 802.1x authentication, and determine the
default role that an 802.1x client will get in the absence of a “Class” attribute
from the RADIUS server.
aaa dot1x mode enable
aaa dot1x default-role student
aaa dot1x auth-server IAS1
aaa dot1x auth-server IAS2
!
interface vlan 60
ip address 10.1.60.1 255.255.255.0
ip helper-address 10.1.1.25
!
interface vlan 61
ip address 10.1.61.1 255.255.255.0
ip helper-address 10.1.1.25
!
interface vlan 62
ip address 10.1.62.1 255.255.255.0
ip helper-address 10.1.1.25
!
interface vlan 63
ip address 10.1.63.1 255.255.255.0
ip helper-address 10.1.1.25
!
ip default-gateway 10.1.1.254
Wireless Configuration
The following statements set up the default AP parameters for the entire
network. This establishes the encryption mode as dynamic TKIP (WPA) and
the default ESSID as “Wireless LAN-01”. In addition, a second ESSID called
“Wireless LAN-01-printer” is established with the encryption mode set to
static WEP, and the static WEP key is defined. The “Wireless LAN-01-printer”
ESSID does not respond to broadcast probe requests, preventing clients from
seeing it. Note that a hidden ESSID name is used for convenience and to
reduce confusion among the users – not as a security mechanism. Simple
attack tools are available that will quickly reveal a hidden ESSID name.
ap location 0.0.0
weptxkey 1
wepkey1 c4f32001f1c25ab20f838312f2
phy-type a
opmode dynamicWep
essid "Wireless LAN-01"
virtual-ap "Wireless LAN-01-printer" vlan-id 62 opmode staticWep deny-bcast enable
virtual-ap "Guest" vlan-id 63 opmode opensystem deny-bcast disable
phy-type g
opmode dynamicWep
essid "Wireless LAN-01"
virtual-ap "Wireless LAN-01-printer" vlan-id 62 opmode
AP Configuration
Users associating to each AP are mapped into a VLAN. For scalability purposes
and to prevent broadcast issues caused by too many users on a single
network, two different user VLANs have been set up. Membership in the VLAN
is determined by the initial AP to which the user associates. As users roam
between different APs, they will keep their original VLAN assignment
regardless of which AP they are currently associated with. Currently, APs are
mapped to VLANs based on the floor on which the AP has been deployed.
Within the policy, several different settings are available. The information
below appears on each client device as long as the domain policy has been
updated.
For each RADIUS client configured, a shared secret must be configured. The
shared secret is configured on both the RADIUS server and the client, and ensures
that an unauthorized client cannot perform authentication against the RADIUS
server.
Policy Configuration
The heart of IAS configuration is the policy configuration screen. From this
screen, all policies related to wireless access can be defined – including time
of day restrictions, session length, authentication type, and group-related
policies. The essential policy settings for wireless access are described here -
for detailed explanations of all IAS policy settings, please see Microsoft’s
official documentation.
The policies above are designed to work by examining the username portion
of the authentication request, searching the Active Directory database for a
matching name, and then examining the group membership for a computer or
user entry that matches. The following policy-group matches are made:
• The Wireless-Computers policy matches the “Domain Computers” group.
This group contains the list of all computers that are members of the
domain.
In addition to matching the group, the policy also specifies that the request
must be from an 802.11 wireless device. The policy above instructs IAS to
grant remote access permission if all the conditions specified in the policy
match, a valid username/password was supplied, and the user’s or computer’s
remote access permission was set to “Allow”.
Authentication Methods
To enable 802.1x authentication, an appropriate EAP type must be selected
under the Authentication tab.
The only EAP method that should be selected is Protected EAP (PEAP). By
clicking Edit in the screen above, additional properties for PEAP can be selected.
Fast reconnect can be enabled in this screen also. If fast reconnect is enabled
here and also on client devices, additional time can be saved when multiple
authentications take place (such as when clients are roaming between APs
often) because the server will keep alive the PEAP encrypted tunnel. For this
application, fast reconnect was not desired.
Advanced Attributes
One of the principles in this network is that the Alcatel switch will restrict
network access privileges based on the group membership of the computer or
user. In order for this to work, the Alcatel switch must be told to which group
the user belongs. This is accomplished using RADIUS attributes. To configure
these attributes, select the Advanced tab from the policy profile.
An attribute called “Class” has been added here. The Alcatel switch has been
configured to interpret the “Class” attribute and use it to determine group
membership. The example above is for the “Wireless-Computers” policy, and
upon successful completion will return the “Class” attribute to the Alcatel
switch containing the value “computer”.
Windows will connect to preferred networks in the order in which they appear
in this list.
PocketPC 2003 includes built-in support for wireless networks and 802.1x
authentication. Some PDA vendors, including HP, have also produced system
updates to enable support for WPA and TKIP, assuming the NIC driver also
supports TKIP. This deployment uses dynamically-generated WEP keys, but
has a future upgrade path to WPA/TKIP.
In the management console, select File > Add/Remove Snap-in. Select the
Certificates snap-in.
Next, locate the certificate for the trusted certificate authority, right-click on it,
select “All tasks”, then select “Export”.
If given the option, do not export the private key. This option only appears on
the certificate authority itself. Save the file somewhere accessible on the hard
drive.
To install the certificate authority, simply tap on the certificate file. The system
will ask for confirmation before installing the certificate. Select “Yes”.
The certification path has now been installed. It can be verified by navigating
on the PocketPC device to Settings > System > Certificates > Root.
If the appropriate ESSID is not already shown in the list, add it by selecting
“Add new”.
After filling in the ESSID in the “Network Name” field, tap the “Authentication”
tab. The authentication settings screen appears.
Configure the screen. In the EAP type field, select PEAP. Do not click Properties
– this is used to configure certificate-based authentication. A warning message
will be generated if Properties is clicked – this warning message may be
ignored.
NOTE—Maintain the battery on the PDA at operating levels. Should you allow the
battery to run low, your configuration may become corrupted. If this happens,
delete the configured ESSID. Create the exact same ESSID as you just deleted.
Then enable PEAP for this configuration.
Supply the necessary login credentials, and the process will complete.
Microsoft Requirement
For 802.1x, Microsoft requires that you specify the subject Alt Name.
1 Navigate to the Configuration > Management > SNMP page. Add system
information in the System Group section of the SNMP page.
2 Type the location of the Alcatel switch in the System Location field.
3 Enter the IP address of the SNMP server host in the IP Address field.
4 Choose the appropriate SNMP version from the Version pull-down menu.
5 Enter a valid SNMP Community String in the SNMP Community String field.
6 Enter the UDP port for the trap in the UDP Port field.
You can view, add, delete, or edit Management Users and Roles from this
page.
1 Enter a name in the User Name field. The name you enter must be 1 - 16
alpha-numeric characters in length.
2 Enter a password in the Password field. The password you enter must be 1 -
16 alpha-numeric characters in length.
7 Click on Save Configuration near the top of the page to save the changes to the
configuration file.
4 Click Add; the Add Role page is displayed again and shows the added module
and permission.
6 Click the Save Configuration button near the top of the page to save the
changes to the configuration file.
NOTE—The Web GUI includes a View only Role. When a role is made view-only, all
module permission information is ignored.
Role: guest
Description:
Permit List
-----------
MGMT-MODULE ACCESS
----------- ------
Role: root
Permit List
-----------
MGMT-MODULE ACCESS
----------- ------
super-user READ_WRITE
(Alcatel) (config) #
Add a permission to the role using the permit <moduleID> <permission> command.
Logging
Enter the address of a logging server and click the Add button next to the text
field.
Select a check box of a module for which you want to do logging. The logging
level menu appears.
Select the appropriate logging level and click on the apply button.
There are a total of eight logging levels, each having its own distinct
characteristics:
LOGGING LEVELS
--------------
Application Level
----------- -----
authmgr informational
crypto informational
l2tp informational
pptp informational
wms informational
mmgr informational
mobagent informational
master informational
stm informational
localdb informational
sapm informational
fpapps informational
cfgm informational
suser informational
intuser informational
aaa informational
traffic informational
dhcpd informational
processes informational
publisher informational
(Alcatel) (config) #
Before wireless users can gain access to the network, they must
associate to an access point using a particular ESSID. AOS-W
supports up to 16 ESSIDs – 8 each for 802.11a and 802.11b/g. In
the Alcatel Access Point, each ESSID uses a separate BSSID
(MAC address) for 802.11b/g radios, while all ESSIDs share the
same BSSID (MAC address) for 802.11a radios. To view, add, and
modify SSIDs, navigate to Configuration > Wireless LAN > Network,
as shown in the figure below.
The first SSID configured is primary and can be edited, but cannot be deleted.
Other SSIDs can be edited or deleted.
NOTE—These parameters affect all APs in the network, unless a more
specific configuration applies. Configuration in this section corresponds to
the CLI configuration for “ap location 0.0.0”.
SSID – Fill in the name of the ESSID. Clients will use this ESSID to associate to
the correct network.
Radio Type – SSIDs may appear on only 802.11a radios, only 802.11b/g
radios or on both types of radios.
NOTE—When using multiple SSIDs on Alcatel Access Points, the 802.11a radio
may respond with multiple probe responses using the same BSSID (MAC
address). Some clients will report only a single ESSID per BSSID and may
not be able to associate. If this problem occurs, enable this option to
suppress responses to broadcast probe requests.
VLAN Mapping
AOS-W supports a concept known as “crypto-VLANs” whereby clients may
access the same network using different encryption types. Good security
practices require that different L2 encryption types be mapped to different L2
subnets – otherwise, broadcast and multicast frames from a less secure
encryption such as static WEP may lead to the compromise of a more secure
encryption type such as TKIP. When using multiple encryption types on
separate SSIDs, make sure that each SSID is mapped to a different VLAN
inside the Alcatel switch.
SSID-based VLAN mapping may also be used for separation of traffic. For
example, traffic from a guest SSID may be mapped to a guest VLAN, while
traffic from employee SSIDs may be mapped to an internal network.
WEP Encryption
Two types of WEP encryption are available: static WEP and dynamic WEP.
When static WEP is used, one WEP key will be configured for the SSID. All
users on the network must use the same key, and no key rotation is possible.
Static WEP is generally considered to provide less-than-ideal security and
should be supplemented with Alcatel’s built-in firewall protection when used.
The 802.1x framework also allows the encryption key to be rotated at specific
intervals. By allowing each user to have a different key, and by allowing key
rotation, dynamic WEP provides a much better level of security than static
WEP.
To configure WEP encryption, click on the WEP radio button in the Add SSID
screen as shown in the figure below.
If static WEP is selected, fill in one or more keys. WEP keys must be entered in
hex, and must be either 10 characters (for 64-bit WEP) or 26 characters (for
128-bit WEP). If dynamic WEP is selected, no keys need to be configured. Both
static WEP and dynamic WEP may be enabled at the same time.
The equivalent CLI configuration to add the SSID shown above is:
ap location 0.0.0 phy-type a virtual-ap "NewSSID" vlan-id 0 opmode staticWep,dynamicWep deny-bcast enable
ap location 0.0.0 phy-type g virtual-ap "NewSSID" vlan-id 0 opmode staticWep,dynamicWep deny-bcast enable
WPA TKIP requires the use of 802.1x for authentication and, similar to
dynamic WEP, provides a mechanism for the authentication server to assign a
unique encryption key to each client. WPA TKIP provides the best L2
encryption available today.
To enable TKIP, select the appropriate radio button as shown in the figure
below.
If PSK TKIP is selected, fill in the pre-shared key. To enter the key directly in
hex, enter 64 hex characters. To enter the key as a passphrase, select “PSK
Passphrase” from the drop-down menu and enter a passphrase between 8 and
63 characters in the box on the left. When configuring clients, enter the same
key or passphrase.
The equivalent CLI configuration to add the SSID shown above is:
ap location 0.0.0 phy-type a virtual-ap "NewSSID" vlan-id 0 opmode staticTkip deny-bcast enable
ap location 0.0.0 phy-type g virtual-ap "NewSSID" vlan-id 0 opmode staticTkip deny-bcast enable
ap location 0.0.0 wpa-hexkey abc123abc123abcdefabcdef12345678abc123abc123abcdefabcdef12345678
NOTE—AOS-W versions 2.4.0.0 and later support different staticWep and
staticTkip keys per SSID. In earlier releases, the staticWep and staticTkip keys
applied to each Access Point.
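A configuration check for the two points made above, the key-length rules for static WEP and PSK TKIP and the crypto-VLAN rule that SSIDs with different encryption types must not share a VLAN, as an added example that is not part of the original document and not AOS-W code. The parser accepts the virtual-ap CLI lines in the form shown on this page; the exposure ranking of the opmode tokens and the "Lab" SSID in the sample are assumptions constructed for the example.

```python
import re
import shlex

HEX = re.compile(r"^[0-9a-fA-F]+$")

# Exposure rank of each opmode token used in the page's CLI lines (assumed
# ordering): a lower rank gives weaker protection to broadcast/multicast.
OPMODE_RANK = {"opensystem": 0, "staticWep": 1, "dynamicWep": 1, "staticTkip": 2}


def wep_key_ok(key):
    """Static WEP keys: hex, 10 chars (64-bit) or 26 chars (128-bit)."""
    return bool(HEX.match(key)) and len(key) in (10, 26)


def wpa_psk_ok(value, passphrase=False):
    """PSK TKIP: 64 hex chars entered directly, or an 8-63 char passphrase."""
    if passphrase:
        return 8 <= len(value) <= 63
    return bool(HEX.match(value)) and len(value) == 64


def parse_virtual_ap(line):
    """Parse a 'virtual-ap' CLI line (with or without the leading
    'ap location ... phy-type ...' prefix) into a dict."""
    tok = shlex.split(line)
    i = tok.index("virtual-ap")
    modes = tok[tok.index("opmode") + 1].split(",")
    unknown = [m for m in modes if m not in OPMODE_RANK]
    if unknown:
        raise ValueError("unknown opmode(s): %s" % ",".join(unknown))
    deny_bcast = ("deny-bcast" in tok
                  and tok[tok.index("deny-bcast") + 1] == "enable")
    return {"essid": tok[i + 1], "vlan": int(tok[tok.index("vlan-id") + 1]),
            "opmodes": modes, "deny_bcast": deny_bcast}


def weakest_rank(vap):
    # Broadcast/multicast frames on an SSID are only as protected as the
    # weakest encryption type enabled on it.
    return min(OPMODE_RANK[m] for m in vap["opmodes"])


def crypto_vlan_conflicts(vaps):
    """Return (vlan, essid_a, essid_b) for every pair of SSIDs that share a
    VLAN but differ in their weakest encryption type."""
    conflicts = []
    for a_idx, a in enumerate(vaps):
        for b in vaps[a_idx + 1:]:
            if a["vlan"] == b["vlan"] and weakest_rank(a) != weakest_rank(b):
                conflicts.append((a["vlan"], a["essid"], b["essid"]))
    return conflicts


# Constructed sample: the printer and guest SSIDs from the page plus a
# hypothetical "Lab" SSID that wrongly reuses the guest VLAN with TKIP.
SAMPLE_LINES = [
    'virtual-ap "Wireless LAN-01-printer" vlan-id 62 opmode staticWep deny-bcast enable',
    'virtual-ap "Guest" vlan-id 63 opmode opensystem deny-bcast disable',
    'ap location 0.0.0 phy-type g virtual-ap "Lab" vlan-id 63 opmode staticTkip deny-bcast enable',
]
SAMPLE_VAPS = [parse_virtual_ap(l) for l in SAMPLE_LINES]

if __name__ == "__main__":
    print(wep_key_ok("c4f32001f1c25ab20f838312f2"))      # the page's 128-bit key
    print(crypto_vlan_conflicts(SAMPLE_VAPS))             # Guest/Lab share VLAN 63
```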
To view and edit default radio parameters for all APs, navigate to Configuration
> Wireless LAN > Radio as shown in the figure below. Radio parameters for both
802.11b/g radios and 802.11a radios are available by selecting the appropriate
tab.
NOTE—These parameters affect all APs in the network, unless a more
specific configuration applies. Configuration in this section corresponds to
the CLI configuration for “ap location 0.0.0”.
Ageout – Specifies the amount of time a client is allowed to remain idle before
being aged out. The default is 1000 seconds.
Hide SSID – Enables or disables hiding of the SSID name in beacon frames.
Note that hiding the SSID does very little to increase security.
Max Retries – Specifies the maximum number of retries allowed for the AP to
send a frame. The recommended range is between 3 and 7. The default is 3.
DTIM Period – Specifies the interval between sending DTIMs in the beacon.
This is the maximum number of beacon cycles before unacknowledged
network broadcasts are flushed. When using wireless clients that employ
power management features to sleep, the client must wake at least once
during the DTIM period to receive broadcasts. The default is 2.
Max Clients – Specifies the maximum number of wireless clients for a radio
on an AP. The default is 0, but is set to 64 if the initial setup dialog is used to
configure the switch.
Default Channel – Sets the default channel on which the AP will operate,
unless a better choice is available – either from calibration or from RF Plan.
Initial Transmit Power - Sets the initial transmit power on which the AP will
operate, unless a better choice is available – either from calibration or from RF
Plan.
LMS IP – Specifies the Local Management Switch that the AP will use in
multi-switch networks. The LMS is responsible for terminating user traffic
from the APs, processing it, and forwarding it to the wired network. Setting
the option in this screen will set an LMS for the entire network, which is
probably not desirable.
When using redundant switches as the LMS, set this parameter to be the VRRP
IP address. This will ensure that APs always have an active IP address with
which to terminate sessions.
Basic Rates – Specifies the list of supported rates that will be advertised in
beacon frames and probe responses.
Using ARM
If you enable ARM in AOS-W 2.3 and later, disable healing based on
calibration. To do this, enter:
The previous two sections have described default SSID and radio configuration
for the global network. If differing configuration is required for specific
buildings, floors, or APs, this can be set in the Advanced Location-Based
To add a new location configuration, click Add. After specifying the location to
configure, select which parameters should be different from the default for
that location. Parameters that can be changed for a particular location include
supported SSIDs, 802.11b/g radio parameters, and 802.11a radio parameters.
In the example below, all APs in building 2 will be configured to support 128
users, rather than the default of 64:
Assuming that the same change is made for the 802.11a tab, the equivalent
CLI configuration for the example above is:
ap location 2.0.0
phy-type g
max-clients 128
phy-type a
max-clients 128
ap location 2.0.0
max-clients 128
Introduction
Calibration
The calibration process allows the Alcatel switch to build an RF-based map of the network
topology, learning about environmental characteristics such as attenuation,
interference, and reflection. When calibration has completed, the switch will
automatically configure AP/AM mode of the APs, transmit power levels, and
channel selection to minimize interference and maximize coverage and
throughput.
To initiate calibration from the GUI, navigate to Configuration > RF Management >
Calibration. Two parameters can be set from this screen, as shown in the figure
below.
To calibrate the network, click on the “Calibrate Radio Network” button. (See
also Maintenance > Calibrate.)
To begin calibration, click on the calibrate button for each building and each
radio type. Perform calibration on only one building and one radio type at a
time. Depending on the number of APs in the building, calibration may take
between one and forty-five minutes. While calibration is in progress, the
message “Calibration in progress” will be displayed on the Radio Calibration
Status screen. When calibration has completed, the message “Calibration
Previously Done” will be displayed. To view the results of calibration, click on
this message. Results similar to the figure below will be displayed.
Optimization
Self-Healing
After calibration has taken place, the Alcatel switch has an RF-based topology
map of the entire wireless network. This allows the switch to understand
which APs are within range of each other. In the event that an AP fails,
surrounding APs will increase their transmit power level to fill in any gaps.
Self-healing is enabled by default, and can be configured in the GUI by
navigating to Configuration > RF Management > Optimization > Self Healing.
Self-Healing Wait Time – The time after a failure, in milliseconds, after which
the self-healing algorithm will begin. This should be set sufficiently high so that
an AP reboot, rather than a failure, will not trigger the self-healing algorithm.
Load Balancing
When multiple APs are available to service users in the same area, load
balancing ensures that a single AP does not become overloaded. Load
balancing works by keeping track of user count and bandwidth utilization for
each AP in the network. If an AP reaches a configured performance threshold,
that AP will attempt to force new clients to a different AP by temporarily
rejecting association attempts. If no other AP is able to pick up the load,
eventually the client will be allowed to associate after a configured interval has
passed.
Wait Time before applying Load Balancing (secs) – Specifies the number of
seconds to wait before performing load balancing processing.
Maximum User Count Low Watermark – After load balancing has begun, the
number that the current association count must go below for load balancing
to stop.
DoS Client Block Time – Specifies the number of seconds a client will be
quarantined from the network after a deauth attack against the client has been
detected. This is used to prevent man-in-the-middle attacks.
Configuration of RF Monitoring
We don’t do any CHD based on the RSSI of data packets. The way I test is to
associate a client (I used a CISCO-350) to the AP and move to around 180ft.
Then the Cisco started sending out probe-requests at around 180ft, and the AP
noticed low RSSI on the probe requests and generated a CHD event.
You will see now a coverage hole detection (CHD) event in the log.
Our CHD works only when the client is not able to associate.
Coverage hole detection looks for clients unable to associate to any AP,
associating at very low data rates, or associating with low signal strength.
These symptoms indicate areas of a building where holes in radio coverage
exist. When the system detects such coverage holes, the administrator is
notified of the condition via the event log. To configure coverage hole
detection, navigate to Configuration > RF Management > Monitoring > Coverage
Hole Detection as shown in the figure below.
Other than enabling or disabling the feature, these parameters should generally
not be changed unless directed by Alcatel Technical Support. Available
parameters are:
High RSSI Threshold for Hole Detection – Stations with signal strength above
this value are considered to have good coverage.
Low RSSI Threshold for Hole Detection – Stations with signal strength below
this value will trigger detection of a coverage hole.
Ageout time for Good RSSI Station – Amount of time, in seconds, after which
a station with good RSSI will be aged out.
Delay Time for Hole Detection Event Generation – The amount of time after a
coverage hole is detected until another coverage hole event notification is
generated.
Idle Time for Bad RSSI Station – Amount of idle time, in seconds, after which
a station in a poor coverage area will be aged out.
stm poor-rssi-threshold 10
stm hole-detection-interval 120
stm good-sta-ageout 30
stm idle-sta-ageout 90
Interference Detection
Interference detection notifies the administrator when localized interference
becomes sufficient to cause performance degradation. Enable interference
detection in the GUI by navigating to Configuration > RF Management >
Monitoring > Interference Detection as shown in the figure below.
Interference Wait Time – Specifies the amount of time that the frame retry
rate or frame receive error rate must be continuously above the threshold in
order for an interference detection event to be generated.
wms
global-policy detect-interference disable
global-policy interference-inc-threshold 100
global-policy interference-inc-timeout 30
global-policy interference-wait-time 30
Frame Error Rate High Watermark – If the frame error rate, as a percentage of
total frames, in an AP exceeds this value, a frame error rate exceeded condition
exists. The recommended value is 16%.
Frame Error Rate Low Watermark – After a frame error rate exceeded
condition exists, the condition will persist until the frame error rate drops
below this value. The recommended value is 8%.
Frame Low Speed Rate High Watermark – If the rate of low-speed frames, as
a percentage of total frames, in an AP exceeds this value, a low-speed rate
exceeded condition exists. This could indicate a coverage hole. The
recommended value is 16%.
Frame Low Speed Rate Low Watermark – After a low-speed rate exceeded
condition exists, the condition will persist until the percentage of low-speed
frames drops below this value. The recommended value is 8%.
Frame Receive Error Rate High Watermark – If the frame receive error rate,
as a percentage of total frames, in an AP exceeds this value, a frame receive
error rate exceeded condition exists. The recommended value is 16%.
Frame Receive Error Rate Low Watermark – After a frame receive error rate
exceeded condition exists, the condition will persist until the frame receive
error rate drops below this value. The recommended value is 8%.
Frame Retry Rate High Watermark – If the frame retry rate, as a percentage
of total frames, in an AP exceeds this value, a frame retry rate exceeded
condition exists. The recommended value is 16%.
Frame Retry Rate Low Watermark – After a frame retry rate exceeded
condition exists, the condition will persist until the frame retry rate drops
below this value. The recommended value is 8%.
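Each high/low watermark pair above is a hysteresis: the "exceeded" condition is raised only after the rate has stayed above the high watermark for the whole wait time, and it is cleared only when the rate falls below the low watermark, so readings between the two values neither trigger nor clear anything. The following is an added example written for this page, not code from AOS-W; it assumes one sample per second, the recommended 16%/8% watermarks and a 30-second wait time, and runs over a constructed frame error rate series.

```python
from typing import List, Optional, Tuple

# Added example for this page, not AOS-W's own detector: the per-second
# sampling, the state names and the constructed rate series are assumptions.


class WatermarkDetector:
    """High/low watermark hysteresis with a wait time.

    The condition is raised only after the rate has stayed *continuously*
    above `high` for `wait_time` seconds, and it is cleared only when the rate
    falls below `low`; samples between the two watermarks change nothing."""

    def __init__(self, name: str, high: float = 16.0, low: float = 8.0,
                 wait_time: int = 30) -> None:
        self.name, self.high, self.low, self.wait_time = name, high, low, wait_time
        self.exceeded = False
        self._above_since: Optional[int] = None   # start of the current run above high

    def observe(self, t: int, rate: float) -> Optional[str]:
        """Feed one sample (t in seconds, rate in %); return an event or None."""
        if self.exceeded:
            if rate < self.low:                 # clear only below the low watermark
                self.exceeded = False
                return f"{self.name}-cleared"
            return None
        if rate <= self.high:                   # any dip resets the wait timer
            self._above_since = None
            return None
        if self._above_since is None:
            self._above_since = t
        if t - self._above_since >= self.wait_time:
            self.exceeded = True
            self._above_since = None
            return f"{self.name}-exceeded"
        return None


def sample_rates() -> List[Tuple[int, float]]:
    """Constructed frame error rate (%) sampled once a second; not AP telemetry."""
    series = []
    for t in range(100):
        if t < 10:   r = 5.0      # quiet
        elif t < 25: r = 20.0     # above high for only 15 s: no event yet
        elif t < 30: r = 6.0      # dip below high resets the wait timer
        elif t < 71: r = 20.0     # above high for 41 s: event fires at t = 60
        elif t < 81: r = 12.0     # between the watermarks: condition persists
        else:        r = 5.0      # below low: condition clears at t = 81
        series.append((t, r))
    return series


def run(rates, wait_time: int = 30, low: float = 8.0) -> List[Tuple[int, str]]:
    """Run the detector over a series and return the events it generates."""
    det = WatermarkDetector("frame-error-rate", wait_time=wait_time, low=low)
    events = []
    for t, r in rates:
        ev = det.observe(t, r)
        if ev:
            events.append((t, ev))
    return events


if __name__ == "__main__":
    for t, ev in run(sample_rates()):
        print(f"t={t:3d}s {ev}")
```

Running it with the defaults produces one exceeded event at t = 60 and one cleared event at t = 81; shortening the wait time to 10 seconds makes the 15-second burst at t = 10 fire as well, and raising the low watermark to the high value removes the hysteresis so the condition clears as soon as the rate dips to 12%. That is the trade-off these parameters control: a short wait time and a narrow gap between the watermarks produce flapping alarms on bursty radio conditions.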
Advanced Parameters
To access RF management advanced parameters, navigate to Configuration >
RF Management > Advanced.
DoS attacks are designed to prevent or inhibit legitimate users from accessing
the network. This includes blocking network access completely, degrading
network service, and increasing processing load on clients and network
equipment.
• Surveillance
A network intrusion attack implies that an attacker is able to gain full access to
enterprise network resources.
Rogue AP
Rogue APs represent perhaps the largest threat to enterprise network security
because they bypass all other security provisions and open a network up to
the outside world. Rogue APs are normally placed by employees who do not
understand the risks their actions represent.
Disable Users from Connecting to Rogue APs – By default, rogue APs are
only detected, but are not automatically disabled. Enable this option to
automatically shut down rogue APs. When this option is enabled, clients
attempting to associate to a rogue AP will be disconnected from the rogue AP
through a denial of service attack.
NOTE—Use caution when enabling both “Mark Unknown APs as Rogue” and
“Disable Users from Connecting to Rogue APs”. If the system is installed in
an area where APs from neighboring locations can be detected, these two
options will disable all APs in the area.
Denial of Service
Rate Analysis
Many DoS attacks flood an AP or multiple APs with 802.11 management
frames. These can include authenticate/associate frames, designed to fill up
the association table of an AP. Other management frame floods, such as probe
request floods, can consume excess processing power on the AP. To
configure rate analysis, navigate to Configuration > Wireless LAN Intrusion
Detection > Denial Of Service > Rate Analysis as shown in the figure below.
Channel/Node Time – Specifies the time interval in which the threshold must
be exceeded in order to trigger an alarm.
Channel/Node Quiet Time – After an alarm has been triggered, specifies the
amount of time that must elapse before another identical alarm may be
triggered. This option prevents excessive messages in the logfile.
FakeAP Detection
FakeAP is a tool originally created to thwart wardrivers by flooding beacon
frames containing hundreds of different addresses. This would appear to a
wardriver as though there were hundreds of different APs in the area, thus
concealing the real AP. While the tool is still effective for this purpose, a newer
purpose is to flood public hotspots or enterprises with fake AP beacons to
confuse legitimate users and to increase the amount of processing client
operating systems must do.
Flood Inc Time – The time period in which a configured number of FakeAP
beacons must be received.
Quiet Time – After an alarm has been triggered, the amount of time that must
pass before another identical alarm may be triggered.
Man-in-the-Middle
Such an attack also enables other attacks that can learn a user’s authentication
credentials. Man-in-the-middle attacks often rely on a number of different
vulnerabilities.
MAC Spoofing
MAC address spoofing is a typical attack on a wireless LAN in which an
attacker will spoof the MAC address of a currently active valid client in an
attempt to be granted that client’s access privileges. The AirJack driver for
Linux allows easy access to such an attack.
EAP Time Interval – The time period in which a configured number of EAP
handshakes must be received.
EAP Rate Detection Quiet Time – After an alarm has been triggered, the
amount of time that must pass before another identical alarm may be triggered.
Sequence Number Checking Quiet Time – After an alarm has been triggered,
the amount of time that must pass before another identical alarm may be
triggered.
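The Rate Analysis, FakeAP and EAP parameters above all describe one mechanism, a count of frames of a given kind per sliding time interval with a quiet time that suppresses repeats of the same alarm, while sequence number checking is a different check: each 802.11 sender maintains a 12-bit sequence counter, so two radios transmitting under one MAC address produce a counter that jumps backwards. The following is an added example written for this page, not AOS-W's detector code; timestamps in milliseconds, the thresholds, the (type, source) key used for rate counting and the constructed capture are all assumptions.

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

# Added example for this page, not AOS-W's detector code. Timestamps are in
# milliseconds, thresholds are chosen for the constructed capture below, and
# the flood/spoof frames are made up to exercise the two checks.

Frame = Tuple[int, str, str, int]          # (time_ms, frame type, source MAC, seq no)


class QuietTime:
    """Suppress a repeat of the same alarm for `quiet_ms` after it last fired."""

    def __init__(self, quiet_ms: int) -> None:
        self.quiet_ms = quiet_ms
        self._last: Dict[object, int] = {}

    def allow(self, t: int, key: object) -> bool:
        last = self._last.get(key)
        if last is not None and t - last < self.quiet_ms:
            return False
        self._last[key] = t
        return True


class RateAnalysis:
    """Alarm when `threshold` frames of one (type, source) arrive inside a sliding
    window of `window_ms` (Channel/Node Time, Flood Inc Time and EAP Time
    Interval all express this kind of count-per-interval check)."""

    def __init__(self, threshold: int, window_ms: int, quiet_ms: int) -> None:
        self.threshold, self.window_ms = threshold, window_ms
        self.quiet = QuietTime(quiet_ms)
        self._hits: Dict[Tuple[str, str], deque] = defaultdict(deque)

    def feed(self, t: int, ftype: str, src: str) -> Optional[Tuple[int, Tuple[str, str]]]:
        key = (ftype, src)
        q = self._hits[key]
        q.append(t)
        while q and t - q[0] > self.window_ms:   # drop hits that left the window
            q.popleft()
        if len(q) >= self.threshold and self.quiet.allow(t, key):
            return (t, key)
        return None


class SequenceCheck:
    """Flag a source whose 12-bit 802.11 sequence counter moves backwards.

    One radio increments the counter per frame; a spoofer using the same MAC
    has its own counter, so the interleaved stream jumps back and forth."""

    def __init__(self, quiet_ms: int, slack: int = 8) -> None:
        self.slack = slack          # tolerance for reordering seen by the monitor
        self.quiet = QuietTime(quiet_ms)
        self._last: Dict[str, int] = {}

    def feed(self, t: int, src: str, seq: int) -> Optional[Tuple[int, str, int, int]]:
        prev = self._last.get(src)
        self._last[src] = seq
        if prev is None:
            return None
        fwd = (seq - prev) % 4096           # forward distance on the counter ring
        went_back = fwd > 2048 and (4096 - fwd) > self.slack
        if went_back and self.quiet.allow(t, src):
            return (t, src, prev, seq)
        return None


def sample_capture() -> List[Frame]:
    """Constructed monitor capture: one legitimate client, a station spoofing
    its MAC, and an association-request flood from a third address."""
    frames: List[Frame] = []
    legit, bad = "00:11:22:33:44:55", "00:de:ad:be:ef:01"
    for i in range(20):                                   # steady counter
        frames.append((i * 500, "data", legit, 1000 + i))
    for i in range(3):                                    # spoofer, own counter
        frames.append((2250 + i * 500, "data", legit, 40 + i))
    for i in range(60):                                   # 60 assoc requests in 6 s
        frames.append((i * 100, "assoc-req", bad, i))
    return sorted(frames)


def analyse(frames: List[Frame]) -> Dict[str, list]:
    """Run both checks over a capture and collect the alarms they raise."""
    rate = RateAnalysis(threshold=50, window_ms=10_000, quiet_ms=60_000)
    seqc = SequenceCheck(quiet_ms=60_000)
    out: Dict[str, list] = {"rate": [], "seq": []}
    for t, ftype, src, seq in frames:
        if ftype != "data":                     # rate analysis targets management frames
            hit = rate.feed(t, ftype, src)
            if hit:
                out["rate"].append(hit)
        hit = seqc.feed(t, src, seq)
        if hit:
            out["seq"].append(hit)
    return out


if __name__ == "__main__":
    print(analyse(sample_capture()))
```

On the constructed capture the flood raises exactly one rate alarm, at the 50th association request (t = 4900 ms), and the ten requests that follow are swallowed by the quiet time; the spoofer raises one sequence alarm at its first frame, where the counter for that MAC drops from 1004 to 40, and its later frames are again suppressed by the quiet time. The `slack` value matters in practice: an air monitor on a busy channel sees reordered and missed frames, and too small a tolerance turns ordinary retransmissions into spoofing alarms.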
AP Impersonation Protection
AP impersonation attacks can be done for several purposes, including as a
Man-In-the-Middle attack, as a rogue AP attempting to bypass detection, and
as a possible honeypot attack. In such an attack, the attacker sets up an AP
that assumes the BSSID and ESSID of a valid AP. To configure AP
Impersonation Detection and Protection, navigate to Configuration > Wireless
LAN Intrusion Detection > Man-in-the-Middle > AP Impersonation as shown in the
figure below.
Signature Detection
Signature Analysis Quiet Time - After an alarm has been triggered, the
amount of time that must pass before another identical alarm may be
triggered.
Pre-Defined Signatures
Pre-defined signatures as of AOS-W 2.0 are listed below. These signatures
may be supplemented or changed as additional software versions are
released.
AirJack – Airjack is a popular NIC driver for Linux that allows manipulation of
many 802.11 parameters. Airjack also includes AP functionality that by default
generates beacons with an ESSID of “AirJack”. This signature detects the AP
functionality using the default configuration.
To add signature rules, click Add. Available attributes for signature matching
include BSSID, destination MAC address, frame type, payload, sequence
number, and source MAC address. If desired, multiple attributes may be
configured for each rule. When finished adding new rules, click Apply.
Adhoc Detection Quiet Time - After an alarm has been triggered, the amount
of time that must pass before another identical alarm may be triggered.
Wireless Bridge Detection Quiet Time - After an alarm has been triggered,
the amount of time that must pass before another identical alarm may be
triggered.
Misconfigured AP Protection
If desired, a list of parameters can be configured that defines the
characteristics of a valid AP. This is primarily used when non-Alcatel APs are
being used in the network, since the Wireless LAN switch cannot configure
the 3rd-party APs. These parameters can include preamble type, WEP
configuration, OUI of valid MAC addresses, valid channels, DCF/PCF
configuration, and ESSID. The system can also be configured to detect an AP
using a weak WEP key. If a valid AP is detected as misconfigured, the system
will deny access to the misconfigured AP. In cases where someone gains
configuration access to a 3rd-party AP and changes the configuration, this
Disable Misconfigured Access Points – When valid APs are found that violate
the list of allowable parameters, prevents clients from associating to those
APs using a denial of service attack.
Valid Enterprise 802.11 b/g Channels – Defines the list of valid 802.11b/g
channels that 3rd-party APs are allowed to use.
Enforce WEP Encryption for all Traffic – Any valid AP not using WEP will be
flagged as misconfigured.
Enforce WPA Encryption for all Traffic – Any valid AP not using WPA will be
flagged as misconfigured.
Valid Access Point Manufacturers OUI List – A list of MAC address OUIs that
define valid AP manufacturers. Any valid AP with a differing OUI will be
flagged as misconfigured.
The equivalent CLI configuration for the example shown above is:
wms
ap-policy protect-mt-ssid enable
valid-ssid OurSSID mode enable
ap-policy protect-mt-channel-split enable
reserved-11b-channel 1 mode enable
MAC OUI Quiet Time - After an alarm has been triggered, the amount of time
that must pass before another identical alarm may be triggered.
The equivalent CLI configuration for the example shown above is:
wms
ids-policy mac-oui-check enable
ids-policy mac-oui-quiet-time 900
Introduction
RADIUS servers are the most commonly used authentication servers. They are
flexible, extensible, and possess a high degree of interoperability.
The RADIUS Servers page displays all the currently configured RADIUS servers.
You may use the Edit and Delete buttons to change a server's configuration or
delete it altogether.
The Add RADIUS Server page appears. Enter information about a RADIUS
server on this page then click Apply and Save configuration when you are
finished.
The following parameters and options may be configured through Web UI.
Server Rules
Server rules may be defined for each server to determine role and VLAN
assignments. Multiple rules may be defined for each server and each is
executed in order.
Server rules are displayed at the bottom of the Edit RADIUS Server page.
The following parameters may be configured for server rules using Web UI:
Configuring Attributes
To add an attribute, from the Add Server Rule page click Add Attribute. The
following screen appears.
where:
Attribute ID TBC
Vendor ID TBC
Alcatel switches allow for authentication using LDAP servers. Configure LDAP
servers from the Configuration > Security > AAA Servers > LDAP page in Web UI.
You may add, edit, or delete an LDAP server from the LDAP page. When the
Add or Edit button is clicked the following page is displayed.
where:
Attribute is TBC
Condition is TBC
Value is TBC
Role/Vlan is TBC
You may configure the internal database by navigating to the Configuration >
Security > AAA Servers > Internal DB page.
The internal database enables you to store information for user name,
password, role, and email.
You may also allow the switch to configure the role or you may create
additional role or VLAN assignments using the interface on this page.
Alcatel AOS-W supports RADIUS accounting, tracking login and logout times.
Add configured servers by clicking Add then selecting a server from the
pull-down menu.
Several protocols are well suited for wireless networks and include:
• EAP-TLS
• PEAP
• TTLS
You may configure the following VPN options and parameters using Web UI.
The following options and parameters may be configured using Web UI.
Default = HTTPS
Redirect Pause Time – The length of time, in seconds, during which the browser
displays the “Authorization Succeeded” page, which contains additional options
to download the VPN dialer. After the pause the browser is redirected to the
originally requested URL.
Logon Wait Interval – The maximum time the logon process will be delayed if
the CPU is occupied with a large load of high-priority traffic.
CPU Utilization Threshold – The CPU load that must be exceeded before a
captive portal logon delay takes effect.
MAC Address role mapping provides identification and role mapping based on
the Client MAC Address. This feature should not be considered an
authentication method because no secure password is employed. This feature
should ALWAYS be combined with L2 encryption and appropriate firewall
policies.
The following options and parameters may be configured with Web UI.
Role Mapping
From the Web UI, you can perform role mapping based on SSID and
encryption. These two methods are discussed in the following sections. From
the CLI, you can perform role mapping on BSSID, location, and MAC address in
addition to SSID and encryption. To access role mapping from the CLI, enter:
Adding a Condition
TBC
where:
Rule Type–specifies what rule will apply such as on MAC addresses, BSSIDs,
or location.
Condition–specifies how the rule type is treated, for example a MAC address
equal to a value.
Value–specifies the value of the condition, for example when location is not
equal to Headquarters.
Configure the general AAA settings using the aaa timers command.
(Alcatel) (config) #aaa timers idle-timeout 5
(Alcatel) (config) #aaa timers dead-time 10
The configured RADIUS server settings may be viewed using the show aaa
radius-server server-name <name> command.
Server Rules
Define server rules for deriving roles or VLANS using the aaa derivation-rules
command from the CLI.
Conditionals:
• contains
• ends-with
• equals
• not-equals
• starts-with
• value-of
You may view the rule you create using the show aaa derivation-rules
command from the CLI.
Configure LDAP servers using the aaa ldap-server command from the CLI.
7 Specify the key attribute to use when searching the directory for the user
entry.
(Alcatel) (config-ldapserver-horseradish_2_ldap)#key-attribute sAMAccountName
8 Select a filter. Note that "(objectclass=*)" matches every entry in the
search base; a narrower filter such as "(objectclass=user)" restricts the
search to user objects.
(Alcatel) (config-ldapserver-horseradish_2_ldap)#filter "(objectclass=*)"
View the LDAP server settings using the show aaa ldap-server
<Name> command from the CLI.
(Alcatel) (config) # show aaa ldap-server horseradish_2_ldap
Server Rules
The steps and commands for deriving roles and VLANs for LDAP are exactly
the same as for RADIUS servers, above.
Users may be deleted using the local-userdb delete option from the CLI.
The users in the local database may be viewed using the show local-userdb
command from the CLI.
User Details
------------
Name Password Role E-Mail Enabled
---- -------- ---- ------ -------
NewGuy ******** foo-user Yes
OldGuy ******** foo-user Yes
BIGGuy ******** foo-user Yes
Peonski ******** foo-user Yes
User Entries: 4
You may view the 802.1x configuration settings using the show aaa dot1x
command from the CLI.
Mode = 'Enabled'
Default Role = 'foo-user'
Max authentication failures = 0
Auth Server Table
-----------------
Pri Name Type IP addr AuthPort Status Inservice Applied Users
--- ---- ---- ------- -------- ------ --------- ------- -----
2 Set the VPN Default role. This role will be assigned to the client if no other
role is supplied by the authentication server.
NOTE—You may view the roles currently defined on the switch using the show rights
command from the CLI.
Configure Captive Portal using the aaa captive-portal commands from the
CLI.
1 Set the default role. This is the role which will be assigned to the client if
the authentication server provides no role information about the client
when they authenticate.
You may see the MAC Address Role Mapping settings by using the show aaa
mac-authentication command from the CLI.
This procedure configures stateful 802.1x for third-party Access Points using
the CLI.
Define the configuration. This must contain all the elements shown in the
example below.
Role Mapping
2 Specify the rule for assigning a role based on the client SSID
The Advanced AAA feature pack for AOS-W unlocks a number of extended
authentication and authorization features for enterprise and service provider
networks. With the Advanced AAA feature pack, the standard AOS-W
authentication features are augmented with the following:
• Per-SSID selection of authentication server for wireless networks
• Domain and realm selection of authentication server
• Dynamic authorization and authentication API using RFC 3576
The Problem
Most enterprise networks have a single authentication infrastructure, typically
based on directory services such as Microsoft Active Directory or Novell NDS.
For these enterprise networks, the standard authentication capabilities of
AOS-W are sufficient because all users on the system can be found in the
same authentication database. However, a number of occasions arise where
multiple distinct authentication infrastructures must be supported. For
example, when two companies merge it often takes months or even years for
the IT infrastructure to consolidate, meaning that user identity is often
contained in multiple different user databases. For these networks, the ability
to support multiple authentication systems is critical.
One application for this API is in providing guest access. Nearly all corporate
locations receive visitors, in the form of meeting attendees, vendors,
customers, training class attendees, and so on. These visitors are increasingly
equipped with mobile computing devices such as laptops, and often request or
require access to their home office network or to the Internet. Corporate IT
managers wish to be flexible in providing such access, but at the same time
want to minimize the risk of unauthorized access because of concerns over
legal liability. The ideal goal is to provide customized guest access, allowing
only those services required by each individual visitor and only for the exact
period of time the access is actually required.
1 Click Start on task bar, click Settings, click Administrative Tools, click Services,
select and double-click on Internet Authentication (See Figure). The Internet
Authentication Service Properties dialog box appears.
2 Click the General tab at the top of the IAS Properties dialog box.
1 Click Start on the task bar, click Programs, then Administrative Tools, and then
Internet Authentication Service. The Internet Authentication Service (IAS) window
appears.
4 Use the Protocol pull-down menu to select RADIUS for the protocol.
7 Enter a word in the Shared secret text box, then re-enter the same word in the
Confirm shared secret text box.
A shared secret is a text string that serves as a password between client and
server, client and proxy, or a proxy and a server.
http://www.microsoft.com/technet
8 Click Finish.
Remote access policies are created using the IAS Administration Tool. If the
IAS Administration Tool is not already open, open it by Clicking Start on the
task bar, then Programs, then Administrative Tools, and then Internet
Authentication Service.
2 Click on New Remote Access Policy. The Add Remote Access Policy dialog
appears.
Type a name for the policy in the Policy friendly name text box.
4 Click the Add button. The Select Attribute list window appears.
5 Select the attribute(s) to add to the policy, then click the Add button. The
NAS-IP-Address dialog box appears.
When finished adding conditions, click the Next button on Add Remote
Access Policy dialog.
7 Click Next. The Add Remote Access Policy User Profile dialog appears.
8 Click the Edit Profile button. The Edit Dial-In Profile window appears.
After the EAP type is selected, click OK and then Finish to set the properties.
Adding a User
1 Click Start, then Run, then type mmc and press Enter. The Console window
appears.
2 Click Console and select Add/Remove Snap-in. The Add/Remove Snap-In dialog
appears.
3 Select the Active Directory User and Computer item in the Add Standalone Snap-in
list window.
Click Add, then Close at the bottom of the list window.
Right-click the Users folder in the tree pane of the Console window.
NOTE—You may find the Users folder along the path Console Root/Active
Directory Users and Computers/network name/Users.
4 Click New, then User. The New Object - User dialog appears
Type the user’s name information in the appropriate text fields, then click
Next.
Enter the password in the Password text field and re-enter it in the Confirm
Password text field.
5 Click Next. The New Object - User dialog below appears, then click Finish.
Configuring ACS
TBC
Configuring SBR
TBC
Configuring Funk
TBC
Aliases
Aliases are a convenient way to associate a human-readable name with a
specific object. AOS-W enables administrators to assign easily understandable
names to network ports (services) and to specific IP addresses or groups of IP
addresses.
Navigate to the Configuration > Security > Advanced > Services page.
Add a new Service Alias. Click Add. The Add Service page appears.
The options and parameters available for configuration on the Add Service
page are:
Navigate to the Configuration > Security > Advanced > Destinations page.
You may add, delete, or modify source and destination aliases on this page.
Add a new alias by clicking Add, the Add Destinations page appears.
1 Click Add to expand the page and expose the Add Rule section,
near the bottom.
2 Enter a name for the new destination in the Destination Name
text box.
3 Select a rule type using the Rule Type pull-down menu.
The choices for rule types are:
Firewall Policies
Alcatel AOS-W firewall policies are stateful and bi-directional. Stateful
means that when a packet matches a rule that allows it, the policy creates a
session entry, so that the remaining packets of that session are allowed in
both directions without being matched against the rules again.
Firewall policies consist of a set of rules that are applied in a specific order
against network traffic presented at the firewall. The rule at the top of the list
is applied first.
Rules are organized in top-down lists where the first rule applied to the traffic
is at the top of the list. Traffic is tested against each rule in order until a match
is found. When a match occurs the rule is applied and no other testing occurs.
From the Firewall Policies page you may Edit, Delete, or Add policies.
The Source and Destination elements of a rule have the same 5 options. Those
options are:
5. redirect
Add a policy by clicking Add, the Add New Policy page appears.
The Add New Policy page is where you name your new policy and define rules
for that policy.
7 Click Add.
8 When you are done adding rules, click Apply and Save Configuration.
Select the port to which you wish to apply a policy, then use the pull-down
menu to select a policy to apply.
Role Design
A role is assigned to a user when they connect to the network, and possibly
again after they are authenticated.
Roles determine what network resources the user may access. Roles may be
very broad-based, allowing access to many resources or they may be very
narrow in scope, allowing access to very limited resources. Sometimes, a role
is used to grant a particular user, or group of users, access to a specific
resource that other users are not.
Configuring Roles
Navigate to the Configuration > Security > Roles page to view roles.
Click Add to begin adding a new role to the list. The Add Role page appears.
3 Create a new policy in exactly the same way you would in “Firewall
Policies” on page 385.
additional options.
You may define a service alias by giving it a name, then choosing to specify
one of three options:
The current service alias configurations may be viewed using the show
netservice command from the CLI.
Services
--------
Name Protocol Ports
---- -------- -----
svc-snmp-trap udp 162
svc-syslog udp 514
svc-l2tp udp 1701
svc-ike udp 500
svc-https tcp 443
svc-smb-tcp tcp 445
svc-dhcp udp 67 68
.
.
.
After entering the config-dest mode you may specify one of 3 types of
destinations for your alias:
1 Enter the config-dest mode and define the name for the alias
(Alcatel) (config) #netdestination dest-foo-any
Firewall Policies
Firewall policies are configured using the ip access-list session <name>
command from the CLI.
If you wish to change the position of a rule in the list, use the position option
to move the rule to a specific line.
Use the show access-list <aclName> command from the CLI to view a specific
firewall policy.
Use the show access-list brief command to see a listing of the current ACLs
Configuring Roles
Roles are configured in the CLI using the config-role mode commands.
Standard ACLs
Create standard ACLs using the standard option of the access-list
command.
Extended ACLs
Create extended ACLs using the extended option of the access-list
command.
MAC ACLs
Create MAC ACLs using the mac option of the access-list command.
Ethertype ACLs
Create Ethertype ACLs using the eth option of the access-list command.
Overview
Otherwise, users must be added to the Wireless LAN switch internal database.
The internal database includes a default guest account. If no other specialized
accounts are needed, no further server configuration is required and you can
skip to the next section.
For example:
(config) # aaa radius-server <name> [host <IP address>] [key <shared secret>]
[authport <port number>] [acctport <port-number>] [timeout <seconds>]
[inservice] [retransmit <retries>] [mode {enable|disable}]
Parameters:
For example:
Use the no prefix to remove the server information from the database. For
example:
NOTE—The name of Wireless LAN switch internal database server (Internal) cannot
be changed.
• If using an external RADIUS server, use the name specified in the aaa
radius-server command. For example:
You can remove rules using the no form of the same command
Normally, the captive portal ACL need not be modified. However, you can add
rules to the ACL if necessary:
You can remove rules using the no form of the same command:
To view the ACLs assigned to the various roles, use the following command:
RoleTable
---------
Name ACL Bandwidth ACL List
---- --- --------- --------
ap-role 3 No Limit control
trusted-ap 5 No Limit allowall
guest 2 No Limit allowall
stateful-dot1x 4 No Limit stateful-dot1x control
logon 1 No Limit control vpnlogon captiveportal
In this case, the logon role shown at the bottom of the list has three ACLs:
control, vpnlogon, and captiveportal. The vpnlogon ACL should be removed:
For example, to deny guests all access to the internal class B network but
allow access to the internet, the following configuration commands could be
used:
In the example above, the guest ACL denies internal network access and
allows all else. The guest ACL is then assigned to the guest role.
In the following example, we will create two session ACLs (noilabs and nonoc)
and then use them to configure three user roles.
ip access-list session noilabs (This policy denies access to the iLabs network)
any network 45.128.0.0 255.128.0.0 any deny
exit
ip access-list session nonoc (This policy denies access to the NOC network)
user host 45.0.12.20 dns permit
any network 45.0.0.0 255.255.0.0 any deny
any network 45.2.0.0 255.255.0.0 any deny
any network 45.125.0.0 255.255.0.0 any deny
any network 45.120.0.0 255.255.0.0 any deny
any network 192.16.170.0 255.255.255.0 any deny
exit
user-role ilabs (iLabs users do not have access to the NOC network)
session-acl nonoc
session-acl allowall
exit
user-role guest (Guest users do not have access to either NOC or iLabs)
no session-acl control
no session-acl guest
session-acl nonoc
session-acl noilabs
session-acl allowall
exit
user-role noc (NOC users have complete access)
session-acl allowall
Otherwise, if the internal database is used and the role configured in the
database is to be used as the role after authentication, the following server rule
must be configured:
This means that if the Role attribute is present, its value is used for the role.
The following commands can be used to allow the Wireless LAN switch to
derive the role from a valid server attribute:
This means that if the Role attribute is present, its value is used for the role.
If no role value is found, the default role for the captive portal will remain guest.
For more information on how role derivation works, refer to “Setting Access
Rights” on page 419.
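Server rules, whether entered as `aaa derivation-rules` conditionals or as the `aaa server-rule ... set role condition User-Name starts-with ilab set-value ilabs` line in the sample configuration, are evaluated in order against the attributes the authentication server returns; the first match decides the role, `value-of` takes the attribute's own value as the role (the "Role attribute present" case above), and the method's default role applies when nothing matches. The following is an added example written for this page, not AOS-W code; the rule tuple layout and the constructed RADIUS replies are assumptions.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Added example for this page, not AOS-W code. The rule tuple layout and the
# constructed RADIUS replies are assumptions; the conditionals are the ones
# listed under Server Rules on this page.

Rule = Tuple[str, str, Optional[str], Optional[str]]   # (attribute, condition, value, set-value)

CONDITIONS: Dict[str, Callable[[str, str], bool]] = {
    "contains":    lambda attr, val: val in attr,
    "ends-with":   lambda attr, val: attr.endswith(val),
    "equals":      lambda attr, val: attr == val,
    "not-equals":  lambda attr, val: attr != val,
    "starts-with": lambda attr, val: attr.startswith(val),
}


def derive(rules: List[Rule], reply: Dict[str, str], default: str) -> str:
    """Evaluate server rules in order against the attributes the server returned.

    The first rule that matches decides. 'value-of' uses the attribute's own
    value as the role; a rule whose attribute is absent from the reply cannot
    match (including not-equals). With no match the default role is used."""
    for attribute, condition, value, set_value in rules:
        got = reply.get(attribute)
        if got is None:
            continue
        if condition == "value-of":
            return got
        if CONDITIONS[condition](got, value):
            return set_value
    return default


# Rules modelled on the page: "Role value-of" first, then
# "set role condition User-Name starts-with ilab set-value ilabs".
RULES: List[Rule] = [
    ("Role", "value-of", None, None),
    ("User-Name", "starts-with", "ilab", "ilabs"),
]

# Constructed Access-Accept attribute sets (no real server involved).
REPLIES = {
    "ilab-alice": {"User-Name": "ilab-alice"},
    "bob":        {"User-Name": "bob", "Role": "noc"},
    "carol":      {"User-Name": "carol"},
    "ilab-dave":  {"User-Name": "ilab-dave", "Role": "employee"},
}


def derive_all(rules: List[Rule] = RULES, default: str = "guest") -> Dict[str, str]:
    """Derive a role for every constructed reply."""
    return {user: derive(rules, attrs, default) for user, attrs in REPLIES.items()}


if __name__ == "__main__":
    for user, role in derive_all().items():
        print(f"{user:12s} -> {role}")
    # Same rules in the opposite order: ilab-dave now gets ilabs, not employee.
    print(derive_all(list(reversed(RULES))))
```

Two things worth noticing. Rule order is authorization policy: with the `Role value-of` rule first, ilab-dave gets the server-supplied `employee` role, and with the rules reversed the User-Name rule wins and he gets `ilabs`. And a `value-of` rule hands role selection to whatever produces the RADIUS reply, so the shared secret, the server's own rule set and the path between switch and server all become part of the authorization boundary.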
To prevent the warning message, use the Alcatel Web Interface to import a
valid x509 PEM server certificate.
To access the certificate import page, enter the following URL in your Web
browser:
http://<switch IP address or hostname>/screens/certificate_import.html
Type the filename or use the Browse button to locate a properly formatted
x509 PEM server certificate file that includes both public and private key
information.
Click on the upload button to load and install the certificate. Once the
certificate is installed, the Alcatel Web Interface will automatically restart (this
could take a few moments). When ready, clients using captive portal should no
longer receive the security warning message.
The same certificate may be installed in multiple switches. The switch will
parse the FQDN (Fully Qualified Domain Name) in the certificate and use that as
the redirection URL for captive portal users.
When the user's machine issues a DNS query for that FQDN upon receiving the
redirection URL, the switch will intercept that DNS request and reply to it with
the FQDN and switch loopback IP address.
The user’s browser will be redirected to a captive portal page with a valid
FQDN address after the switch receives the DNS reply.
Type the filename or use the Browse button to locate a valid GIF, JPG, or
PNG formatted graphic file.
Click on the upload button to load and install the graphic. Once installed, new
logins using captive portal should see the new background graphic.
NOTE—To revert to the default image, use the CLI del command to remove the
cp_image file.
Sample Configuration
Listed below are the commands relevant to the captive portal configuration on
an actual Alcatel Wireless LAN Switch placed on an N+I network:
ip access-list session noilabs
any network 45.128.0.0 255.128.0.0 any deny
exit
ip access-list session nonoc
user host 45.0.12.20 dns permit
any network 45.0.0.0 255.255.0.0 any deny
any network 45.2.0.0 255.255.0.0 any deny
any network 45.125.0.0 255.255.0.0 any deny
any network 45.120.0.0 255.255.0.0 any deny
any network 192.16.170.0 255.255.255.0 any deny
exit
ip access-list session captiveportal
user any http dst-nat 8080
user host 45.1.14.1 https permit
user any https dst-nat 8081
exit
user-role ilabs
session-acl nonoc
session-acl allowall
exit
user-role guest
no session-acl control
no session-acl guest
session-acl nonoc
session-acl noilabs
session-acl allowall
exit
user-role noc
no session-acl noc
session-acl allowall
exit
user-role logon
no session-acl control
no session-acl logon
session-acl nonoc
session-acl noilabs
session-acl captiveportal
session-acl allowall
exit
user-role ap
session-acl nonoc
session-acl noilabs
exit
aaa captive-portal default-role noc
aaa captive-portal auth-server infoblox priority 1
aaa captive-portal auth-server infoblox
aaa radius-server infoblox host 45.0.12.60 key infoblox
aaa server-rule server infoblox
set role condition User-Name starts-with ilab set-value ilabs
exit
interface vlan 1
ip address 45.1.14.1 255.255.0.0
exit
ip default-gateway 45.1.0.1
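The roles in the sample configuration above are ordered lists of session ACLs, each ACL an ordered list of rules, evaluated top-down with the first match deciding, and a match that is not a deny opens a session that is honoured in both directions (the behaviour described under Firewall Policies). The following is an added example written for this page, not AOS-W code: it parses the sample configuration's own ACL and role syntax and evaluates constructed flows against it. The port numbers for dns and http, the definition of allowall, the client address 45.1.20.7, and treating "no rule in any ACL matched" as deny are assumptions.

```python
import ipaddress
from collections import namedtuple

# Added example for this page, not AOS-W code. It parses only the rule forms
# that appear in the sample configuration; the dns/http ports, the allowall
# definition, the client address and "deny when nothing matches" are assumptions.

Flow = namedtuple("Flow", "src dst proto sport dport")
SERVICES = {"dns": ("udp", 53), "http": ("tcp", 80), "https": ("tcp", 443)}

SAMPLE_CONFIG = """
ip access-list session noilabs
 any network 45.128.0.0 255.128.0.0 any deny
exit
ip access-list session nonoc
 user host 45.0.12.20 dns permit
 any network 45.0.0.0 255.255.0.0 any deny
 any network 45.2.0.0 255.255.0.0 any deny
exit
ip access-list session captiveportal
 user any http dst-nat 8080
 user host 45.1.14.1 https permit
 user any https dst-nat 8081
exit
ip access-list session allowall
 any any any permit
exit
user-role guest
 session-acl nonoc
 session-acl noilabs
 session-acl allowall
exit
user-role logon
 session-acl nonoc
 session-acl noilabs
 session-acl captiveportal
 session-acl allowall
exit
"""


def _endpoint(tok, i):
    """Parse a source/destination: any | user | host A.B.C.D | network A.B.C.D MASK."""
    if tok[i] in ("any", "user"):
        return tok[i], i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    if tok[i] == "network":
        return ipaddress.ip_network(f"{tok[i + 1]}/{tok[i + 2]}", strict=False), i + 3
    raise ValueError(f"unknown endpoint {tok[i]!r}")


def parse(config):
    """Return ({acl name: [(src, dst, service, action)]}, {role: [acl names]})."""
    acls, roles, cur, kind = {}, {}, None, None
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] == "exit":
            cur = None
        elif tok[:3] == ["ip", "access-list", "session"]:
            cur, kind = acls.setdefault(tok[3], []), "acl"
        elif tok[0] == "user-role":
            cur, kind = roles.setdefault(tok[1], []), "role"
        elif kind == "acl":
            src, i = _endpoint(tok, 0)
            dst, i = _endpoint(tok, i)
            cur.append((src, dst, tok[i], " ".join(tok[i + 1:])))
        elif tok[0] == "session-acl":
            cur.append(tok[1])
    return acls, roles


def _matches(rule, flow, user_ip):
    src, dst, svc, _ = rule

    def ep(e, ip):   # 'user' is the authenticated client's own address (assumption)
        if e in ("any", "user"):
            return e == "any" or ip == user_ip
        return ipaddress.ip_address(ip) in e

    return (ep(src, flow.src) and ep(dst, flow.dst)
            and (svc == "any" or SERVICES[svc] == (flow.proto, flow.dport)))


class Firewall:
    def __init__(self, config):
        self.acls, self.roles = parse(config)
        self.sessions = set()

    def check(self, role, user_ip, flow):
        """First match over the role's ACLs in order; an existing session
        answers first, in either direction, before any rule is consulted."""
        reverse = Flow(flow.dst, flow.src, flow.proto, flow.dport, flow.sport)
        if flow in self.sessions or reverse in self.sessions:
            return "permit", "session"
        for acl in self.roles[role]:
            for n, rule in enumerate(self.acls[acl], 1):
                if _matches(rule, flow, user_ip):
                    if rule[3] != "deny":          # permit / dst-nat open a session
                        self.sessions.add(flow)
                    return rule[3], f"{acl}#{n}"
        return "deny", "implicit"                  # assumption, see above


def demo(user_ip="45.1.20.7"):
    fw = Firewall(SAMPLE_CONFIG)
    dns = Flow(user_ip, "45.0.12.20", "udp", 40000, 53)
    r = {
        "guest dns to 45.0.12.20":   fw.check("guest", user_ip, dns),
        "guest https to 45.0.12.20": fw.check("guest", user_ip, Flow(user_ip, "45.0.12.20", "tcp", 40001, 443)),
        "guest http to ilabs":       fw.check("guest", user_ip, Flow(user_ip, "45.200.1.1", "tcp", 40002, 80)),
        "guest http to internet":    fw.check("guest", user_ip, Flow(user_ip, "198.51.100.10", "tcp", 40003, 80)),
        "dns reply back to user":    fw.check("guest", user_ip, Flow("45.0.12.20", user_ip, "udp", 53, 40000)),
        "logon http to internet":    fw.check("logon", user_ip, Flow(user_ip, "198.51.100.10", "tcp", 40004, 80)),
        "logon https to switch":     fw.check("logon", user_ip, Flow(user_ip, "45.1.14.1", "tcp", 40005, 443)),
        "logon http to noc":         fw.check("logon", user_ip, Flow(user_ip, "45.0.1.1", "tcp", 40006, 80)),
    }
    # What the 'position' option is for: put the dns permit below the /16 deny.
    moved = SAMPLE_CONFIG.replace(" user host 45.0.12.20 dns permit\n any network 45.0.0.0 255.255.0.0 any deny",
                                  " any network 45.0.0.0 255.255.0.0 any deny\n user host 45.0.12.20 dns permit")
    r["guest dns, permit moved down"] = Firewall(moved).check("guest", user_ip, dns)
    return r
```

Calling `demo()` shows the points the configuration relies on: a guest's DNS query to 45.0.12.20 is permitted by the first nonoc rule although the rest of 45.0.0.0/16 is denied one rule later, and moving that permit below the deny (the `position` option) turns the same query into a deny; the DNS reply coming back is accepted from the session table without consulting any rule; in the logon role a plain HTTP request is rewritten to port 8080 by the captiveportal ACL, HTTPS to the switch's own address 45.1.14.1 is permitted, yet HTTP to 45.0.1.1 is still denied because nonoc sits above captiveportal in that role.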
Show Commands
The following show commands will help you obtain information important for
configuring and debugging captive portal features.
show rights
This command gives an overview of all configured roles. It shows the
component session ACL of each role.
RoleTable
---------
Name Bandwidth ACL List
---- --------- --------
ap No Limit allowall
employee No Limit employee
guest No Limit control guest
stateful No Limit stateful allowall
logon No Limit control logon
employee
--------
Source Destination Service Action Opcode TimeRange Log Expired
------ ----------- ------- ------ ------ --------- --- -------
any any any permit
show user-table
This command shows all the users currently known to the system:
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link location Roaming Essid/Bssid/Phy
---------- ------------ ------ ---- ---------- ---- -------- -------- ------- ---------------
10.2.15.4 00:01:24:60:03:99 pdedhia employee 00:09:52 VPN 10.3.25.169 52.1.3 Associated Alcatel-alpha-ap/00:0b:86:80:60:78/a
(OmniAccess 6000) #
Introduction
User rights are controlled by the ACL assigned to the user’s role.
User roles are derived from information about the user obtained
through the authentication process.
Defining Aliases
(Alcatel) (config) #
(Alcatel) (config) #
Predefined ACLs
A predefined session ACL named control exists; the default filters in the
control ACL are shown below:
• svc-icmp
• svc-dns
• svc-dhcp
• svc-papi
• svc-tftp
• svc-bootp
If a WINS server is configured then the following filter should be added to the
control ACL:
• svc-nbns
Another predefined ACL, named captiveportal, allows only the traffic necessary
for captive portal authentication. The filters associated with this ACL are:
• svc-http dst-nat 8080
• svc-https
• svc-https dst-nat 8081
A separate ACL(s) should be created for use after the user has been
authenticated and assigned a role.
After a Session ACL has been created it must be assigned to a role(s) using
the user-role command. See “Role Sub-Mode” on page 819.
Role Derivation
The simplest way to assign a role is to create a default role for the
authentication method being used, then assign that role to all or most of the
users when they are authenticated.
Create a role using the aaa captive-portal command. See “AAA Commands” on
page 823.
Show Commands
This chapter covers the following topics for the Alcatel Wireless
Access Point (AP):
• Overview of the system components and supported network
topology
• Description of AP setup, including requirements, boot access,
initial configuration, and advanced configuration.
• Description of switch setup for new APs, including profiles
and setting attributes.
System Overview
Components
The Alcatel Wireless LAN solution consists of three major components:
• The Alcatel Wireless LAN Switch. This is an enterprise-class switch into
which multiple wireless Access Points (APs) are connected and controlled.
• The Alcatel Wireless Access Point. This is a next-generation wireless
transceiver which functions as AP or Air Monitor (AM). Although third-party APs
can be used with the Alcatel Wireless LAN system, the Alcatel AP provides
the best features and easiest integration.
• The Alcatel AOS-W Switch Software. This software intelligently integrates
the Wireless LAN switch and APs to provide load balancing, rate limiting,
self healing, authentication, mobility, security, centralization for monitoring
and upgrades, and more.
(Figure: Wireless Clients connected through APs to the WLAN Switch and the LAN)
Direct Connection
The Alcatel AP can be connected directly to one of the FE ports on Alcatel
Wireless LAN Switch. In this topology, the port on which the AP is connected
is considered untrusted; all users associating with the AP are untrusted and
must be authenticated, and all traffic is checked against per-user firewall rules.
APs with a direct connection to the Wireless LAN switch can also utilize
optional Serial and Power Over Ethernet (SPOE) and support the Wireless LAN
switch Access Point Status LEDs. (When multiple APs are connected to a port
indirectly, the LEDs provide information about the aggregate connection, not
about a specific AP.)
NOTE—To use SPOE, the AP must be connected to the Alcatel Wireless LAN
Switch without any intervening hubs, routers, or other networking equipment.
Indirect Connection
The Alcatel AP can also be connected to the Alcatel Wireless LAN Switch
through a Layer 2/Layer 3 network. In this topology, the Wireless LAN switch
port connected to the network is considered trusted; the traffic is verified to
ensure it is a recognized part of the internal network. Indirect deployment
results in minimal disruption to existing infrastructure.
Requirements
You must have the following:
• An operational Alcatel Wireless LAN Switch with a valid IP route to the
LAN segment to which the AP will be connected.
• An appropriate physical location for the new AP.
We recommend an up-to-date site survey using the Web UI’s RF Plan tool to
help determine the optimal location for your AP.
AP Provisioning
There are several methods for setting up and configuring Alcatel APs for use
with the Wireless LAN switch. Depending on your network configuration, the
following methods are available, each of which is explained in greater detail
below:
• Plug and Play–A limited situation where APs can be connected to the Wireless
LAN switch and brought into operation with only default configuration
settings.
• AP Programming Mode–AP configuration parameters are set using the
switch CLI or Web interface and then pushed to APs connected to specially
designated switch ports. This method is useful for adding Alcatel APs to a
highly customized network. See page 430.
• Simplified AP Provisioning–A streamlined example for specifying only the IP
address of the AP’s host Wireless LAN switch. This is the most common
customization. See page 429.
• Manual Provisioning–APs can be individually provisioned using a terminal
connected directly to the AP serial port. This method should be used only
as a last resort. For more information, refer to the Alcatel AP Installation
Guide and the Alcatel AOS-W User’s Guide.
• Reprovisioning–This method allows you to make configuration changes to
APs which are already configured and deployed. See page 436.
If the AP and your network meet these requirements, you can connect the AP
to the switch with no further configuration. When the AP boots, it will be
assigned a default location ID of 255.255.65535.
NOTE—If the AP has been previously used in another network and configured
with settings compatible to the new Wireless LAN switch, plug and play may
function correctly. However, if the AP uses settings incompatible with the
new network (wrong hostname or static IP address), plug and play will fail. If
the AP does not work with the new Wireless LAN switch, return the AP to
its original network and reset the AP to its factory defaults before moving it
again, or perform manual provisioning.
Simplified AP Provisioning
This is a streamlined example of the AP Programming Mode. This procedure
represents the most typical customization: setting the master Wireless LAN
switch IP address on the AP. In this example, DNS is not required.
NOTE—If you would like more control over AP configuration settings, or for
more details on any of the commands in the procedure, see “AP Programming
Mode” on page 430.
To perform simplified AP provisioning through the CLI, use the following
procedure:
This command displays the settings that are ready to be uploaded to the APs.
Make any changes necessary before proceeding.
7 Once the settings are correct, push the configuration to the APs.
AP Programming Mode
The AP Programming Mode offers extended provisioning for adding Alcatel
APs to a highly customized network. To perform extended provisioning
through the CLI, use the following procedure:
Any switch port (or range) can be placed in AP Programming Mode. While in
AP Programming Mode, normal network traffic on the designated ports is
suspended. When AP configuration is complete, the AP Programming Mode must
be disabled so that the ports can resume their normal network functions.
NOTE—Before enabling AP programming mode on any port, make sure that the
port is available and is not connected to working APs or other networking
equipment.
The CLI command to set a port or port range for AP provisioning is as follows:
port-range <Physical Switch Slot>/<Port>[-<End port of range>]
Use the following command to list the APs detected on the AP programming
ports:
NOTE—It may take a couple of minutes for all APs to be detected. Repeat the
command until all expected APs appear on the list.
If expected APs do not appear on the list, check the following troubleshooting
points:
• Make sure there is no Layer 3 routing device between the AP and Wireless
LAN switch.
• Make sure that the correct Wireless LAN switch ports are set for AP
programming mode and that the enable command has been executed (see
Step 2).
• Make sure that the AP is powered on and connected to the correct Wireless
LAN switch port.
• Disconnect and reconnect the AP from the switch port. If the AP list had
previously been cleared using the clear-provisioning-ap-list command, the
AP should now reappear.
• If the AP was previously configured on a different network with settings
incompatible with the current network (wrong hostname or static IP
address), return the AP to its old network and reset the AP to its factory
defaults before moving it again (see “AP Reprovisioning” on page 436).
• If the AP still cannot be detected on the Wireless LAN switch, manual
provisioning may be required for the AP.
6 Configure the Host information, if necessary.
In order to provide centralized management of the APs, each Alcatel AP
downloads its software image and configuration files from the master Alcatel
Wireless LAN Switch.
Setting the correct host information depends on the following:
• Does your network use direct IP addresses or DNS with host names?
• If using host names, is Alcatel-master acceptable for the master Wireless
LAN switch, or do you need to define a different name?
Depending on your answers, select one of the following lettered steps.
A My network uses DNS. The Alcatel-master host name is acceptable.
This is the default. This requires that your DNS be configured to resolve the
“Alcatel-master” host name to the IP address of the master Alcatel Wireless
LAN Switch. Unless your system has been previously configured for different
settings, you can skip to Step 3 on page 443.
Otherwise, if your system was previously configured for a different setup, you
should manually set the host name to its default value:
NOTE—The masterip and hostip commands (below) also affect how source files are selected and if previously set
should be cleared when using this approach. To clear settings, use the no masterip and no hostip commands.
When finished, proceed to Step 3 on page 443.
B My network uses DNS, but I want to use a different host name for the Wireless
LAN switch.
This requires that the hostname setting be configured with your chosen host
name for the master Alcatel Wireless LAN Switch and that your DNS be config-
ured to resolve the specified host name to the IP address of the master Alcatel
Wireless LAN Switch.
NOTE—The masterip and hostip commands also affect how source files are selected and if previously set should be
cleared when using this approach. To clear settings, use the no masterip and no hostip commands.
When finished, proceed to Step 3 on page 443.
If using DHCP, the AP will obtain its IP address automatically and you can skip
this step. Otherwise, configure the AP with a static IP address using the
following commands:
Location settings depend on how much control you want over configuring
logical groups of APs in the future.
• Default Locations
If you wish all APs to be treated as a single entity for configuration and
accounting purposes, you can use the default location profile (255.255.65535)
and skip to Step 11 on page 435.
• Specific Locations
By setting specific location IDs for each AP, you can later apply configuration
changes or collect statistics and information for specific groups of APs (for
example, all APs on a particular floor in a particular building).
To set a specific location for an individual AP, the following command is used:
If you performed the recommended site survey using the Alcatel RF Plan tool,
the location data for all access points and air monitors can be found on the
tool’s deployment screen.
If you prefer to manually generate the location data, record the location you set
for each access point and air monitor along with the following:
Device Description: Note the intended function of the device (access point
or dedicated air monitor) and a brief description of its service location.
X, Y Coordinates: For each access point and air monitor, measure its X and Y
position (in feet) relative to the bottom-left corner of the building plan as
seen from overhead. For example:
(Figure: overhead building plan, origin 0,0 at the bottom-left corner, X axis to
418 ft., Y axis to 262 ft.; example device at X=126, Y=98)
Use the same fixed point and orientation for all floors in a building.
Use the following command to examine the settings which will be used for
provisioning:
Any items listed as NA are blank and will erase the corresponding item from
the AP when provisioning is executed. Make any necessary changes to the
settings before proceeding.
Once configured, the state of the APs (shown using show provisioning-ap-list
command) will be shown as provisioned. The configured APs can then be
disconnected from the switch, deployed to their final locations, and reconnected
to the network.
Disconnect the provisioned APs from the Wireless LAN switch, set them aside
for deployment, and use the following command to clear the AP provisioning
list:
Then collect the next set of APs to be provisioned and repeat this procedure
from Step 3 on page 431.
This will return all AP programming ports to their previously defined network
settings.
Manual AP Provisioning
APs can be individually provisioned using a terminal connected directly to the
AP serial port. This method should be used only as a last resort, as it provides
no command error feedback and can result in misconfiguring the AP if not
performed correctly.
Details on manually performing initial setup and configuration of the AP can be
found in the Alcatel AP Installation Guide and the Alcatel AOS-W User’s Guide.
AP Reprovisioning
The following reprovisioning commands can be used to make configuration
changes to APs which are already configured and deployed.
NOTE—Reprovisioning does not require AP programming mode to be enabled
on the Wireless LAN switch ports. Do not use the AP programming
sub-mode port-range or enable commands for reprovisioning, as this will
disrupt normal network operation.
1 Enter the AP programming sub-mode on the switch:
You can repeat this command for as many deployed APs as you wish. The
configuration information for each AP will be added to the AP provisioning list,
which can be displayed using show provisioning-ap-list command.
Otherwise, attach your local terminal to the AP serial console port. See the
Alcatel AP Installation Guide for port and cable characteristics.
By default, the Wireless LAN switch does not permit Telnet access to the serial
portion of the SPOE interface. To enable the serial interface for remote access
to APs, log in to the Alcatel Wireless LAN Switch as the administrator and
perform the following configuration command:
user: admin
password: <administrator password (not displayed)>
This will present you with the Alcatel Wireless LAN Switch SOE console
prompt:
Available commands:
baud [9600|19200|38400|57600|115200]
connect <slot/port>
exit (no args)
soe>
Connect to the Alcatel Wireless LAN Switch port to which the AP is physically
attached:
where slot number is the physical slot of the line card in the Wireless LAN switch,
and port number is the physical port.
When power is first connected, the AP will begin its initialization process. At
any time before the autoboot timer expires, you can press any key to interrupt
this process. For example:
If no key is pressed before the autoboot timer expires (default of 3 seconds), the
AP will resume normal software loading and initialization functions:
Once the AP has booted and the # prompt appears, you must turn the AP off
and back on, and then press any key while the AP is initializing (see Step 3-A on
page 439).
To turn the AP off, disconnect its power by either unplugging its power adapter
(if used) or disconnecting the FE cable (if Power Over Ethernet is used).
If the AP cannot connect to the Wireless LAN switch, the AP will remain in a
boot cycle looking for a switch from which to download its software and
configuration:
BOOTP broadcast 1
DHCP IP address: 10.3.9.172
DHCP subnet mask: 255.255.255.0
DHCP def gateway: 10.3.9.254
DHCP DNS server: 10.1.1.2
ARP broadcast 1 for 10.3.9.254
TFTP from server 10.10.10.10; our IP address is 10.3.9.172; sending
through gateway 10.3.9.254
Filename 'sap.bin'.
Load address: 0x100000
Loading: T T T T T T T T T
Retry count exceeded; starting again
Press <Control-C> at any time to interrupt the boot cycle. You will be presented
with the AP boot prompt (apboot>).
Initial Configuration
The Alcatel AP requires some initial configuration before it will operate. All
direct configuration of the AP is done using the AP boot prompt (see
page 437). Once connected to the AP boot prompt, configure the AP as
follows:
1 From the AP boot prompt, set the intended location for the AP:
If you performed the recommended site survey using the built-in RF Plan tool,
the location data for all access points and air monitors can be found on the
tool’s deployment screen.
If you plan to manually generate the location data, record the following
information for each access point and air monitor. It will be required when
configuring the Alcatel Wireless LAN Switch.
(Figure: overhead building plan, origin 0,0 at the bottom-left corner, X axis to
418 ft.; example device at X=126, Y=98)
Use the same fixed point and orientation for all floors in a building.
This is the default. This requires that your DNS be configured to resolve the
“Alcatel-master” host name to the IP address of the master Alcatel Wireless
LAN Switch.
NOTE—The master and serverip environment variables also affect how source files are
selected and if previously set should be cleared when using this approach. To
clear a variable, enter the setenv variable command with no host or address value.
When finished, proceed to Step 3 on page 443.
B My network uses DNS. I want to use a different host name for the Wireless
LAN switch.
This requires that the servername environment variable be configured with your
chosen host name for the master Alcatel Wireless LAN Switch and that your
DNS be configured to resolve the specified host name to the IP address of the
master Alcatel Wireless LAN Switch.
NOTE—The master and serverip environment variables also affect how source files are
selected and if previously set should be cleared when using this approach. To
clear a variable, enter the setenv variable command with no host or address value.
When finished, proceed to Step 3 on page 443.
C My network uses direct IP addresses instead of DNS.
apboot> save
apboot> boot
Once the AP has been configured with initial settings, the Wireless LAN
switch must be configured with the appropriate AP settings (see “Wireless
LAN Switch Setup for APs” on page 454).
Advanced AP Configuration
The following sections cover the following:
• How to access the Alcatel AP configuration prompt
• Commands and settings that can be configured
• Example configurations for common scenarios
APBoot Commands
The following commands are available from the apboot prompt:
• help
List the available commands and a brief explanation of each.
• printenv
List the environment variables and their current settings. The environment
variables represent the AP’s configurable parameters. See page 445 for a list of
variables.
• saveenv
Save the environment variables to persistent storage. Make sure to save
configuration changes before rebooting the AP.
• boot
Boot the AP using the currently saved environment variables. Any unsaved
changes to the variables will be lost.
• reset
Restart the AP. This is similar to cycling the power on the AP.
Variable Description
bootdelay The length of time (in seconds) of the autoboot timer. This is
the delay during which the user can interrupt the boot
process and access the apboot prompt (see page 437).
Default = 3
location The location where the AP will be permanently installed,
specified as:
<building number>.<floor number>.<device number>
servername This is the hostname of the Alcatel Wireless LAN Switch (or
TFTP server) that holds the AP software image and/or
configuration files.
autostart Default = yes
baudrate Default = 9600
bootcmd Default = localflash
bootfile This is the file name of the AP image.
Default = sap.bin
ethaddr This is the MAC address of the Ethernet interface in the AP.
This is unique for each AP.
stderr Default = serial
stdin Default = serial
stdout Default = serial
AP Configuration Examples
apboot> printenv
bootcmd=localflasha
bootdelay=2
baudrate=9600
servername=Alcatel-master
bootfile=sap.bin
autostart=yes
ethaddr=00:30:f1:71:d6:1d
stdin=serial
stdout=serial
stderr=serial
• The AP location is set to -1.-1.-1 (unconfigured) and uses the default
location profile.
You can, however, specify different TFTP sources (with or without DNS) for
downloading the software and/or configuration files. In the following example,
mytftp is the DNS name of the TFTP server to be used by the AP:
When booted normally (without entering APBoot mode), the AP will use the
new settings and the AP console will display the following kind of
information:
apboot> boot
ARP broadcast 1 for 10.3.3.1
TFTP from server 10.3.3.1; our IP address is 10.3.3.3
Filename 'sap.bin'.
Load address: 0x100000
Loading: T ################################################################
################################################################
################################################################
###
Done
Bytes transferred = 1622016 (18c000 hex)
Automatic boot of image at addr 0x00100000 ...
If DNS is not used or if you need to assign different TFTP servers for the
software and configuration files, the following environment variables can be
configured:
The location of the AP can be set manually, using the following APBoot
command:
setenv location <building number>.<floor number>.<device number>
For example:
If you performed a site survey using the Alcatel Wireless LAN Switch planning
tools, the location data for all access points and air monitors can be found on
the tool’s deployment screen.
If you plan to manually generate the location data, record the following
information for each access point and air monitor. It will be needed later when
configuring the Alcatel Wireless LAN Switch.
• Building number
A unique number (1-255) is required for each building in your campus.
• Floor number
Within any building, a unique number (1-255) is required for each floor.
• Device number
Within any floor, a unique number (1-65535) is required for each access point or
air monitor.
• Device description
Although not strictly required, we recommend that you note the intended
function of the device (access point or dedicated air monitor) and a brief
description of its service location.
• X, Y coordinates
For each access point and air monitor, measure its X and Y position (in feet)
relative to the bottom-left corner of the building plan as seen from overhead.
Use the same fixed point and orientation for all floors in a building.
GRE Tunnels
Regardless of the network topology between the AP and the Wireless LAN
switch, the AP will open one GRE tunnel per radio interface to the Wireless
LAN switch.
One end of the GRE tunnel will be the IP address of the AP. The other end of
the GRE tunnel is specified (in descending order of priority) by the master,
servername, and then serverip variables. If these variables are left to default
values, the AP will use DNS to look up the well known name Alcatel-master to
discover the OmniAccess 6000 Wireless LAN Switch.
Once the IP address is discovered, the AP uses its closest address (in terms of
router hops) as the GRE tunnel end point at the Wireless LAN switch. You can
determine the Wireless LAN switch tunnel end-point using the following AP
console commands:
The value of lms_address is the Wireless LAN switch tunnel end point in use by
AP.
The tunnel interface defines the local and remote end-points for the GRE
tunnel, as well as the IP address (or range) of the tunnel network. The following
commands are used to configure a tunnel on the Wireless LAN switch:
Traffic can be directed into the tunnel using static routes and/or ACLs:
• Using the tunnel as the next hop for a static route.
(Alcatel) (config) # ip route <dest. address> <dest. netmask> <tunnel IP address>
NOTE—This example assumes that the guest user-role has already been defined.
Configuration Profiles
Many AP attributes are configured and stored in profiles on the Wireless LAN
switch. The profiles can be based on location index or BSSID.
Location-Based Profiles
AP configuration profiles can be based on the unique location index
(building.floor.device) assigned to each AP during its initial setup (see page 451).
These location-based configuration profiles are stored on the Wireless LAN
switch and are downloaded to the appropriate APs during their startup
process.
The profile system is also hierarchical: the attributes in more generic profiles
(those with more wildcards) are overridden by the attributes in the more
specific profiles (those with fewer wildcards). This lets you create a set of
default attributes for all APs, and then add layers of attribute overrides for each
building, floor, and AP.
• The Base Profile
The base profile uses location index 0.0.0 (all wildcards). This special profile
holds the default attributes used for all APs in the system, but can be
overridden by any other profile.
• Building Profiles
A building profile uses the location index <building>.0.0 (wildcards for floor and
device). Attributes configured in building profiles override those in the base profile.
Unless overridden by floor or individual profiles, these attributes affect all APs
in the specified building.
• Floor Profiles
A floor profile uses the location index <building>.<floor>.0 (wildcard for device).
Attributes configured in floor profiles override those in the base and building
profiles. Unless overridden by individual profiles, these attributes affect all APs
on the specified floor.
• Individual AP Profiles
Attributes configured for an individual AP (no wildcards) always override those
in the base, building, and floor profiles.
Attributes in the various profiles are treated individually. Only the attributes
which are specifically configured in one profile will override the more generic
profiles. For example:
For example, if you wanted to be sure that unconfigured APs were disabled,
you could specify the ap-enable disable attribute in the profile. See page 459
for attribute details.
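As an added example (not Alcatel's code), the following Python models the location-index matching and per-attribute override order described above for base, building, floor and individual AP profiles, and applies the building/floor/device ranges given earlier for location IDs; the profile contents and system defaults are constructed sample data.

```python
"""Resolve the effective attributes of an AP from location-based profiles.

Location index format: <building>.<floor>.<device>, where 0 is a wildcard.
Profiles with more wildcards are overridden, attribute by attribute, by
profiles with fewer wildcards: base (0.0.0) < building (b.0.0) <
floor (b.f.0) < individual AP (b.f.d). All profile contents and defaults
below are constructed sample data, not a real switch configuration.
"""
from typing import Dict, List, Tuple

Location = Tuple[int, int, int]
Attributes = Dict[str, str]

# Valid ranges given for location IDs: building 1-255, floor 1-255,
# device 1-65535. 0 means wildcard in a profile index.
FIELD_RANGES = ((1, 255), (1, 255), (1, 65535))


def parse_location(text: str) -> Location:
    """Parse 'b.f.d' into a tuple, accepting 0 as a wildcard in any field."""
    parts = text.split(".")
    if len(parts) != 3:
        raise ValueError(f"location must have three fields: {text!r}")
    fields: List[int] = []
    for part, (low, high) in zip(parts, FIELD_RANGES):
        value = int(part)
        # -1.-1.-1 (unconfigured) and other out-of-range values are rejected.
        if value != 0 and not low <= value <= high:
            raise ValueError(f"{part} outside {low}-{high} in {text!r}")
        fields.append(value)
    return fields[0], fields[1], fields[2]


def is_profile_index(loc: Location) -> bool:
    """Only base, building, floor and individual indexes form the hierarchy:
    once a field is a wildcard, every later field must be a wildcard too."""
    seen_wildcard = False
    for field in loc:
        if field == 0:
            seen_wildcard = True
        elif seen_wildcard:
            return False
    return True


def specificity(loc: Location) -> int:
    """Non-wildcard field count: 0 for the base profile, 3 for a single AP."""
    return sum(1 for field in loc if field != 0)


def matches(profile_loc: Location, ap_loc: Location) -> bool:
    """A profile applies to an AP when each non-wildcard field is equal."""
    return all(p == 0 or p == a for p, a in zip(profile_loc, ap_loc))


def resolve(ap_loc: Location, profiles: Dict[Location, Attributes],
            system_defaults: Attributes) -> Attributes:
    """Return the effective attribute set for one AP.

    Applicable profiles are applied from least to most specific, so each
    attribute ends up with the value from the most specific profile that
    sets it; attributes no profile sets keep the system default.
    """
    for loc in profiles:
        if not is_profile_index(loc):
            raise ValueError(f"{loc} is not a base/building/floor/AP index")
    effective = dict(system_defaults)
    applicable = [loc for loc in profiles if matches(loc, ap_loc)]
    for loc in sorted(applicable, key=specificity):
        effective.update(profiles[loc])
    return effective


# Constructed sample: the base profile disables unconfigured APs (as the text
# suggests), building 1 re-enables them, floor 1.2 runs its APs as air
# monitors, and AP 1.2.3 gets a shorter client ageout.
SYSTEM_DEFAULTS: Attributes = {
    "ap-enable": "enable", "mode": "ap_mode",
    "ageout": "1000", "power-mgmt": "enable",
}
SAMPLE_PROFILES: Dict[Location, Attributes] = {
    (0, 0, 0): {"ap-enable": "disable"},
    (1, 0, 0): {"ap-enable": "enable"},
    (1, 2, 0): {"mode": "am_mode"},
    (1, 2, 3): {"ageout": "300"},
}

if __name__ == "__main__":
    for ap in ("1.2.3", "1.1.7", "2.1.1"):
        print(ap, resolve(parse_location(ap), SAMPLE_PROFILES, SYSTEM_DEFAULTS))
```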
BSSID-Based Profiles
AP profiles can also be specified for a BSSID. There is no hierarchical lookup
for BSSID-based profiles. Each specific BSSID profile is applied to the AP radio
interface with a matching BSSID.
The following Wireless LAN switch commands are issued to enter the AP
BSSID configuration sub-mode:
AP Attribute Commands
AP Configuration Mode
The following commands are available from the AP location or BSSID
configuration sub-modes:
• ageout <number of seconds>
Specify the amount of time a client is allowed to remain idle before being aged
out. The default is 1000 seconds.
• ap-enable {enable|disable}
Enable or disable the AP. The default is enabled.
• mode {ap_mode|am_mode}
Specify the mode for the AP:
• no <command>
Clear the specified command attributes in the current profile.
NOTE—If using location-based profiles, any specific AP will use the first defined
(non-cleared) attribute in the profile hierarchy: favoring AP, floor, building, base, or
system default profile (in order of descending priority).
• phy-type {a|g}
Enter the configuration sub-mode for either the 802.11a or 802.11g physical
layer type. Subsequent configuration commands apply only to the selected
physical layer type. In addition to the regular location and BSSID mode
commands, channel and rate can be set (see page 462).
• power-mgmt {enable|disable}
Enable or disable power management. The default is enabled. Disabling power
management can provide a slight increase in network performance, but should
be done only in networks where power management is disabled on all wireless
clients.
• For 802.11a: 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, or 161. The
default is 36.
• For 802.11g: 1 through 11. The default is 1.
• rates <list of rates>
Set the rates available for the AP physical layer.
• For 802.11a: Specify from a comma-separated list of 6, 9, 12, 18, 24, 36,
48, and 54.
• For 802.11g: Specify from a comma-separated list of 1, 2, 5, and 11.
By default, all rates are enabled.
• short-preamble {enable|disable}
For 802.11g. Enable or disable short preamble. The default is enabled. In a
mixed radio environment, some wireless client stations operating 802.11g
radios in 802.11b mode may experience difficulty associating with the AP using
short preamble. To use only long preamble, disable short preamble.
Mode
The AP can operate in three modes:
• ap - Operating as an access point for wireless clients
• am - Operating as a dedicated air monitor
• apm - Operating as an air monitor which can transition to an access point if
a neighboring AP goes down
The setting for the AP mode is obtained using the following priorities (highest
to lowest):
Other Attributes
The setting for all other AP attributes is obtained using the following priorities
(highest to lowest):
(Alcatel) (config) # ap ?
bssid Specify the BSSID
location Specify location as bldg.floor.location(0 is wildcard)
The 0.0.0 location index uses wildcards (0) in all the location fields. This
selects all APs (regardless of the building, floor, or device number) for
configuration in the commands that follow.
To enable static WEP for all APs in the specified building, the following
commands are issued:
In this example, all APs are first selected using the base location index (0.0.0).
Then the selection is narrowed by entering the sub-mode for the 802.11g
physical layer type. The final essid command affects all 802.11g APs.
In this example, only one AP is selected. The AP with the matching BSSID is
set to channel 6.
CONFIG_AP_RESULT
----------------
PARAMETER 802.11b/g 802.11a
--------- --------- -------
Location (Bldg.Flr.Loc) 1.0.0 1.0.0
BSSID N/A N/A
Channel 1 36
ESSID alpha-guest alpha-guest
Encryption staticWep staticWep
Device Type ap_mode ap_mode
Authentication opensystem opensystem
Short Preamble Enabled N/A
RTS Threshold (Bytes) 2333 2333
Transmit Power (Level) 2 2
Retry Limit 8 8
DTIM Interval (beacon periods) 1 1
Max Associations 64 64
Beacon Period (millisecs) 100 100
Basic Rates 1,2 6,9,12,18,24,36,48,54
Transmit Rates 1,2,5,11 6,9,12,18,24,36,48,54
AP Radio Enabled Enabled
Power Management Enabled Enabled
Station Ageout Time (secs) 1000 1000
VLAN ID 7 7
Hidden SSID Disabled Disabled
Deny_Broadcast Probes Disabled Disabled
b/g Mode mixed N/A
Country Code US US
WPA Hexkey N/A N/A
WPA Passphrase N/A N/A
LMS IP N/A N/A
Backup LMS 0.0.0.0 0.0.0.0
CONFIG_AP_RESULT
----------------
PARAMETER Value
--------- -----
Location (Bldg.Flr.Loc) 1.0.0
BSSID 01:02:03:04:05:06
Channel 6
ESSID alpha-guest
Encryption staticWep
...
CONFIG_AP_RESULT
----------------
LOC PHYTYPE WEPKEY1 WEPKEY2 WEPKEY3 WEPKEY4
--- ------- ------- ------- ------- -------
0.0.0 802.11a ********************** Needs-Value Needs-Value Needs-V+
0.0.0 802.11g ********************** Needs-Value Needs-Value Needs-V+
NOTE—For security, passwords and keys are encrypted by default. Where
displayed in show commands, encrypted items appear only as asterisks (*). To
turn the encryption feature off and display passwords and keys as plain
text, the encrypt disable command is available in the configuration mode.
CONFIG_AP_RESULT
----------------
PARAMETER Value
--------- -----
Location (Bldg.Flr.Loc) 1.0.0
BSSID 01:02:03:04:05:06
Channel 6
ESSID alpha-guest
Encryption staticWep
...
STM Configuration
-----------------
key value
--- -----
strict-compliance enable
dos-prevention enable
AP_REGISTRATIONS_RESULT
-----------------------
LOC SAP_IP LMS_IP .b_MAC .a_MAC STATE
--- ------ ------ ------ ------ -----
1.1.1 10.2.13.194 10.2.13.254 00:30:f1:70:49:93 00:30:f1:71:93:8f 7
1.1.2 10.2.12.253 10.2.12.254 00:30:f1:70:49:4c 00:30:f1:71:93:7d 7
1.1.3 10.1.1.56 10.3.25.1 00:30:f1:70:49:6f 00:30:f1:71:93:d5 7
1.1.4 10.2.12.212 10.2.12.254 00:30:f1:70:49:65 00:30:f1:71:93:54 7
1.2.1 10.3.25.252 10.3.25.1 00:30:f1:70:49:7e 00:30:f1:71:93:53 7
1.2.2 10.3.25.237 10.3.25.1 00:30:f1:70:49:71 00:30:f1:71:93:5c 7
1.2.3 10.3.25.253 10.3.25.1 00:30:f1:70:49:ad 00:30:f1:71:94:08 7
Num APs:7
For STATE, the expected value is 2 (sent tunnel response) or 7 (steady state).
Alcatel AP Table
--------------
bss ess s/p ip phy type max-cl loc +
--- --- --- -- --- ---- ------ --- +
00:30:f1:70:49:6f Alcatel-alpha-ap 2/23 10.1.1.56 g ap 42 1.1.3 +
00:30:f1:70:49:71 Alcatel-alpha-ap 2/2 10.3.25.237 g am 42 1.2.2 +
00:30:f1:71:93:5c Alcatel-alpha-ap 2/2 10.3.25.237 a am 42 1.2.2 +
00:30:f1:71:93:8f Alcatel-alpha-ap 2/15 10.2.13.194 a ap 42 1.1.1 +
00:30:f1:70:49:4c Alcatel-alpha-ap 2/12 10.2.12.253 g apm 42 1.1.2 +
...
Num APs:14
Association Table
-----------------
mac auth assoc aid
--- ---- ----- ---
00:08:21:31:b1:17 y y 6
00:80:c8:cf:32:7e y y 1
00:40:96:35:84:8a y y 3
00:d0:59:bd:2d:41 y y 4
STA Table
---------
bssid auth assoc aid
----- ---- ----- ---
00:30:f1:70:49:93 y n
00:30:f1:70:49:65 y y 6
Association Info
---------------
bssid aid
----- ---
00:30:f1:70:49:65 6
Use the following command to view the state of the Access Point Status LED
for a specific line card:
(Alcatel) # show ap-leds 2 (View LED states for the line card in slot 2)
LED State
---------
s/p led reason
--- --- ------
2/0 1 unsecure ap found
2/1 1 unsecure ap found
2/2 1 unsecure ap found
2/3 6 no ap connected
2/4 6 no ap connected
2/5 6 no ap connected
2/6 6 no ap connected
2/7 6 no ap connected
2/8 6 no ap connected
2/9 6 no ap connected
2/10 6 no ap connected
2/11 6 no ap connected
2/12 1 unsecure ap found
2/13 6 no ap connected
2/14 5 ok
2/15 5 ok
2/16 6 no ap connected
2/17 6 no ap connected
2/18 6 no ap connected
2/19 6 no ap connected
2/20 6 no ap connected
2/21 6 no ap connected
2/22 6 no ap connected
2/23 5 ok
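Scanning the AP_REGISTRATIONS_RESULT table for a STATE other than 2 or 7, and the show ap-leds table for ports reporting "unsecure ap found", is tedious across a full chassis. The following added example (not part of the Alcatel documentation or AOS-W software) parses captured copies of both tables and returns the entries that need attention. The sample text embedded in the script is constructed to match the formats shown above; the function names and regular expressions are this example's own.

```python
import re

# Constructed sample in the shape of the AP_REGISTRATIONS_RESULT table above (not live output).
AP_REGISTRATIONS = """\
AP_REGISTRATIONS_RESULT
-----------------------
LOC SAP_IP LMS_IP .b_MAC .a_MAC STATE
--- ------ ------ ------ ------ -----
1.1.1 10.2.13.194 10.2.13.254 00:30:f1:70:49:93 00:30:f1:71:93:8f 7
1.1.2 10.2.12.253 10.2.12.254 00:30:f1:70:49:4c 00:30:f1:71:93:7d 2
1.1.3 10.1.1.56 10.3.25.1 00:30:f1:70:49:6f 00:30:f1:71:93:d5 4
Num APs:3
"""

# Constructed sample in the shape of the show ap-leds table above.
AP_LEDS = """\
LED State
---------
s/p led reason
--- --- ------
2/0 1 unsecure ap found
2/1 6 no ap connected
2/14 5 ok
2/23 5 ok
"""

# Per the manual: 2 = sent tunnel response, 7 = steady state.
EXPECTED_AP_STATES = {2, 7}

MAC_RE = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
REG_ROW = re.compile(
    rf"^(?P<loc>\d+\.\d+\.\d+)\s+(?P<sap_ip>\S+)\s+(?P<lms_ip>\S+)\s+"
    rf"(?P<b_mac>{MAC_RE})\s+(?P<a_mac>{MAC_RE})\s+(?P<state>\d+)\s*$",
    re.IGNORECASE,
)
LED_ROW = re.compile(r"^(?P<port>\d+/\d+)\s+(?P<led>\d+)\s+(?P<reason>.+?)\s*$")


def parse_ap_registrations(text):
    """Return one dict per data row of an AP_REGISTRATIONS_RESULT table; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = REG_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["state"] = int(row["state"])
            rows.append(row)
    return rows


def unexpected_ap_states(rows, expected=EXPECTED_AP_STATES):
    """(loc, sap_ip, state) for every AP not in an expected registration state."""
    return [(r["loc"], r["sap_ip"], r["state"]) for r in rows if r["state"] not in expected]


def parse_ap_leds(text):
    """Return one dict per slot/port row of a show ap-leds table."""
    rows = []
    for line in text.splitlines():
        m = LED_ROW.match(line.strip())
        if m:
            rows.append({"port": m.group("port"), "led": int(m.group("led")),
                         "reason": m.group("reason")})
    return rows


def unsecure_ap_ports(rows):
    """Ports whose LED reason reports an unsecure AP."""
    return [r["port"] for r in rows if "unsecure" in r["reason"].lower()]


if __name__ == "__main__":
    for loc, ip, state in unexpected_ap_states(parse_ap_registrations(AP_REGISTRATIONS)):
        print(f"AP {loc} ({ip}) in unexpected state {state}")
    for port in unsecure_ap_ports(parse_ap_leds(AP_LEDS)):
        print(f"port {port}: unsecure AP found")
```

Feed the functions the text of the two show commands captured from the switch console; an AP stuck in a state other than 2 or 7 and a port flagged "unsecure ap found" are the two conditions worth escalating.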
Frame rates
-----------
retry low-speed non-unicast recv-error frag bwidth
----- --------- ----------- ---------- ---- ------
0 33 100 0 0 8
RSSI
----
cur-signal low-signal high-signal cur-noise low-noise high-noise
---------- ---------- ----------- --------- --------- ----------
100 100 165 13 9 39
Frame rates
-----------
retry low-speed non-unicast recv-error frag bwidth
----- --------- ----------- ---------- ---- ------
0 9 100 0 0 7
RSSI
----
cur-signal low-signal high-signal cur-noise low-noise high-noise
---------- ---------- ----------- --------- --------- ----------
100 100 165 12 9 39
Raw Stats
---------
tx-pkt tx-byte rx-pkt rx-byte tx-retry-pkt rx-retry-pkt tx-frag-pkt rx+
------ ------- ------ ------- ------------ ------------ ----------- --+
247960 19878186 27075 4577596 18 3559 0 0 +
Tx Frame Type Stats
-------------------
mgmt-pkt mgmt-byte ctrl-pkt ctrl-byte data-pkt data-byte
-------- --------- -------- --------- -------- ---------
247568 19804838 0 0 392 73348
Rx Frame Type Stats
-------------------
mgmt-pkt mgmt-byte ctrl-pkt ctrl-byte data-pkt data-byte
-------- --------- -------- --------- -------- ---------
548 25264 0 0 26527 4552332
Dest Addr Type Stats
--------------------
bcast-pkt bcast-byte mcast-pkt mcast-byte ucast-pkt ucast-byte
--------- ---------- --------- ---------- --------- ----------
247684 19833378 7 975 269 43833
Frame Size Packet Stats
-----------------------
type 0-63 64-127 128-255 256-511 512-1023 1024+
---- ---- ------ ------- ------- -------- -----
tx 96 134 114 42 3 3
rx 10397 9292 4241 1982 66 549
Tx Frame Rate Stats
-------------------
pkt-1m byte-1m pkt-2m byte-2m pkt-5.5m byte-5.5m pkt-11m byte-11m
------ ------- ------ ------- -------- --------- ------- --------
14 518 0 0 0 0 34 2949
Rx Frame Rate Stats
-------------------
pkt-1m byte-1m pkt-2m byte-2m pkt-5.5m byte-5.5m pkt-11m byte-11m
------ ------- ------ ------- -------- --------- ------- --------
1568 135551 5699 768444 5736 924896 14072 2748705
Station Table
-------------
MAC BSSID Assoc_State AID PS_State Tx_Pkts Rx_Pkts PS_Pkts Tx_Retries Tx_Rate Rx_Rate Last_ACK_SNR Last_Rx_SNR Tx_Timestamp Rx_Timestamp
--- ----- ----------- --- -------- ------- ------- ------- ---------- ------- ------- ------------ ----------- ------------ ------------
Descriptor Usage
----------------
Interface Queue Alloc Free In-use Max Failed
--------- ----- ----- ---- ------ --- ------
Interface counters
------------------
Interface Rx_pkts Rx_errors Rx drops Tx_pkts Tx_errors Tx_drops Resets
--------- ------- --------- -------- ------- --------- -------- ------
wifi0 112364636 1715080 2037663 311285 105368 0 41
wifi1 9519548 90112 51 381002 21652 0 1506
ARP Cache
---------
IP address HW type Flags HW address Mask Device
------------------------------------------------------------------------------
10.1.1.254 0x1 0x2 00:0B:86:00:0B:00 * eth0
Kernel Log
----------
(OmniAccess 6000) #
AP Reprovisioning
If the AP is already configured and you want to change the AP parameters, use
the Reprovisioning option. (You must have a network connection between the
AP and the configured Alcatel Wireless LAN Switch.)
2. Click Reprovisioning.
This page displays all the APs currently configured in the DHCP pool of the
Alcatel Wireless LAN Switch.
4. Click Enable.
The selected AP should be seen in the Provisioning list.
If the AP will use DHCP for its IP address information, select DHCP.
6. After configuring the required parameters, select the entry from the list
(the AP to which the configuration is to be applied) and click Apply.
7. Click the Refresh link after 10 seconds; the State changes to
Provisioned.
The configured parameters should be reflected in the AP list entry.
Click Back to go to the previous page and confirm that the entry for the AP is
still selected.
[Figure: AP-to-switch topologies (direct connection, Layer 3 connection, and wireless connection) between the Access Point, the Wireless LAN Switch, and the wireless user]
Prerequisites
You will need to make sure the following prerequisites are met
before attempting to set up your VPN.
z Obtain a valid RADIUS server IP Address (if you are not using an internal
database)
z RADIUS shared secret (server key) and authentication port number, typically
UDP port 1645 (the legacy RADIUS authentication port; many servers now
listen on UDP port 1812 instead, so check which one yours uses)
z A routable IP Pool for VPN.
The pool must not conflict with any other VLAN subnet.
This item is not required if you are using source NAT. Contact Alcatel support to
set up source NAT.
z VLAN topology and switch loopback IP.
z Windows 2000 or Windows XP are required to run the VPN Dialer.
Throughout this document you will find IP addresses and names of servers,
users, passwords, etc. Do not use the values given in the examples; use actual
values from the network to which you are connecting the switch.
Network Setup
If your network is already set up, SKIP this section and GO TO the appropriate
authentication server setup (RADIUS or Internal Database).
(Alcatel) (config-if) # trusted <Enter> [Makes the port 2/0 a trusted port]
(Alcatel) (config-if) # switchport access vlan 1 <Enter> [Puts port 2/0 on VLAN
1]
(Alcatel) (config-if) # exit <Enter>
This section describes the steps necessary to set up the Alcatel switch to use
a RADIUS server for authentication.
NOTE—If you are using an internal database for authentication, SKIP THIS SEC-
TION.
CAUTION—Make sure you use the same name (RADIUS server) in each step.
1 Set the authport, host IP, and RADIUS server key for a named RADIUS server.
5 Test the RADIUS server setup using the following CLI command.
Set up and test an internal database for authentication by using the following
CLI commands.
CAUTION—Make sure you use the same server name for both the VPN and
Captive Portal authentication servers.
This section describes the steps necessary to configure the Alcatel switch as
a VPN server.
1 Enter the policy sub-mode and define a policy with a specified priority.
2 Specify the authentication method (pre-shared key) using the following CLI
command.
4 Set the value (string) of the IKE key to be used. This command also
specifies a group IP address and subnet mask. The IP address and mask
should be set as shown in the example below (IP = 0.0.0.0, netmask =
0.0.0.0) as these values will make the key global.
6 Enter the VPN L2TP Sub-Mode using the following CLI command.
7 Set the PPP authentication type using the following CLI command.
8 Turn off the default mschapv2 authentication using the following CLI
command.
9 Specify the DNS IP address that will be pushed to the VPN Dialer using the
following CLI command.
10 Specify the WINS IP address that will be pushed to the VPN Dialer using
the following CLI command.
1 Enter the VPN dialer mode using the following CLI command. This
command creates a VPN dialer with the name specified in the DialerName
argument.
NOTE—Because the dialer name will be displayed on the client machine (laptop,
etc), care should be taken to choose an appropriate and meaningful name.
2 Specify the IKE authentication key to be used with this VPN dialer. It should
be the same key string specified above.
5 Enter the role sub-mode and create a role using the following CLI
command.
7 Assign a session ACL to the role using the following CLI command.
10 Apply a default role to Captive Portal authentication using the following CLI
command.
VPN Dialer
2 Enter your username and password, then click the Log In button.
NOTE—You might see a Security Alert dialog appear. If this happens it usually
means that the server certificate is either expired or not signed by a CA the
browser trusts. The switch ships with a self-signed certificate. Obtain a
certificate for your server that is signed by a well-known CA (or by an internal
CA your clients already trust); otherwise users learn to click through the
warning and cannot tell your switch from an impostor presenting its own
self-signed certificate.
After you have been authenticated, two browser windows appear; the larger will
remain for approximately 10 seconds to allow you to download the VPN Dialer.
The smaller of the two appears in the lower right corner of your screen and has a
link that allows you to log out of the switch.
NOTE—If you close the Alcatel Logout window you can access it again to
logout of the switch by opening a browser and going to the following URL
https://switch IP Address/logout.html.
The download process will begin and installation will begin automatically.
Installation
When the setup file is finished downloading the Dialer Setup Wizard will open.
The Installation Progress dialog appears, when the installation is finished the
“Completing the Alcatel VPN Setup Wizard” dialog appears.
The Alcatel VPN Dialer then launches and its dialog appears.
You may launch the VPN Dialer by double-clicking on the icon or you may
launch it from the Windows Start Menu.
1 Type your username and password in the text boxes on the VPN Dialer
dialog and click the Connect button.
Launch at Boot-up
When selected, this feature will cause the VPN Dialer to launch automatically
each time you start or restart your computer.
Connect at Launch
When selected, this feature allows the Dialer to connect automatically every
time the application is launched. When you select this feature the Save
Password check box is automatically checked; you may instead elect to enter
your password manually each time you log in by unchecking the Save Password
box. A saved password is stored on the laptop, so leave the box unchecked on
shared or unmanaged machines.
Network Info
This feature will display a static window showing important network
information.
Troubleshooting
Common Dialer Error Messages
Common Problems
1 Use the show crypto isakmp sa command on the switch to make sure the user
is authenticating.
Responder IP 10.1.1.158
Initiator IP 10.1.1.122
Initiator cookie ce91845e68f75026 Responder cookie 9635499cf2dad66e
Life secs 28800
transform: 3DES - Secure Hash Standard
Authentication method: Pre-Shared Key
If the initiator and client IP match, then the client has successfully started IPSec
authentication. Otherwise, make sure that the pre-shared key configured with the
crypto isakmp key command and the IKEPASSWD in the vpn-dialer default-dialer
match. You may see the key by using the vpn-dialer command, page 833. Be sure
that the encrypt feature is disabled, page 446, and re-enable it afterwards.
default-dialer
--------------
Attribute Value
--------- -----
PPTP disabled
.
.
IKEPASSWD ********
.
.
IPSecAUTH ESP-SHA-HMAC
2 Use the show crypto ipsec sa command on the switch to make sure the user
is doing IPSec encryption correctly.
Responder IP 10.1.1.158
Initiator IP 10.1.1.122
Initiator cookie ce91845e68f75026 Responder cookie 9635499cf2dad66e
Life secs 7200
transform: esp-3des esp-sha-hmac
If the initiator IP matches the client IP, then IPSec encryption is good.
3 Use the show vpdn l2tp pool command on the switch to check the availability
of VPN IP addresses.
RSA SecurID users having this problem may have been locked out; check the
RSA SecurID server. For more information, see
http://rsasecurity.agora.com/rsasecured/detail.asp?product_id=1404
Dialer connects but no traffic moves from applications.
This indicates that the L2TP/PPTP IP pool is not routable.
"L2TP"=DWORD:1
"DNETCLEAR"=DWORD:0
"MSCHAPV2"=DWORD:0
"CACHE-SECURID"=DWORD:1
"IKESECS"=DWORD:28800
"IKEENC"="3DES"
"IKEGROUP"="TWO"
"IKEHASH"="SHA"
"IPSECSECS"=DWORD:7200
"IPSECGROUP"="GROUP2"
"IPSECENC"="ESP-3DES"
"IPSECAUTH"="ESP-SHA-HMAC"
"PAP"=DWORD:1
"CHAP"=DWORD:0
"MSCHAP"=DWORD:0
"IKEPASSWD"="changeme"
"IKEAUTH"="PRE-SHARE"
"WIREDNOWIFI"=DWORD:1
"SETUPIP"="1.1.1.1"
"NovellLogin"=DWORD:0
3. Modify IKEPASSWD to the pre-shared key you use and SETUPIP to the IP
address of the switch. The quotes around each value are required. "DIALER_NAM"
will be the name displayed on the window title bar. Note that the pre-shared key
is embedded in clear text in config.htm, so treat the resulting package as a
secret and do not leave it on a public download location.
4. After creating config.htm, zip all the files including the new config.htm into
a self-extracting package. Maintain the directory structure, as the .msi file
expects the same directory hierarchy.
The following parameters and options may be configured through Web UI.
The Configuration > VPN Settings > IPSec > Add Address Pool page appears.
1 Enter a unique name for the address pool you are defining.
2 Enter the start and end addresses for the pool.
3 Click done.
4 Click Save configuration on the Configuration > VPN Settings IPSec page.
The Configuration> Security > VPN Settings > IPSec > Add IKE Secret page appears.
The Configuration> Security > VPN Settings > IPSec > Add Policy page appears.
1 Specify a priority.
2 Select an encryption type from the Encryption pull-down box.
3 Select a hash algorithm from the Hash Algorithm pull-down box.
4 Select an authentication type from the Authentication pull-down
box.
5 Select a Diffie-Hellman group from the Diffie Hellman pull-down
box.
6 Specify a lifetime (in seconds).
L2TP
The following parameters and options may be configured through Web UI.
Add address pools by clicking Add in the Address Pools section of the PPTP
page. The PPTP > Add Address Pool page appears.
You may configure the VPN dialer by navigating to the Configuration > VPN
Settings > Dialers page.
Add a new dialer by clicking Add. The Configuration > VPN Settings > Dialers > Add
Dialers page appears.
The following parameters and options may be configured through Web UI.
Alcatel AOS-W allows caching of SecurID tokens so that the user does not
need to perform a new authentication procedure each time a network
connection is lost.
1 Enter the config-vpdn-l2tp submode using the vpdn group l2tp command from
the CLI.
5 Define an address pool for VPN users. This is done from the config prompt.
If the CLI is still in the config-vpdn-l2tp submode, type exit to return to the
config prompt.
7 Specify an IKE Shared Secret for clients connecting through the specified
subnet. This allows multiple shared secrets to be employed.
2 Define rules.
(Alcatel) (config-sess-vpn-dst-nat)#!
2 Enter the following two commands to enable caching and set the period for
which a token will be cached.
Setting Up a VPN
Perform the following steps:
1 Set up network
2 Set up and test RADIUS Server
3 Set up VPN server on Alcatel Switch
4 Set up roles and VPN Dialer on Alcatel Switch
5 Set up client
1. Set up Network
The steps necessary to set up a network are:
(Alcatel6000) (config) # vlan 1
(Alcatel6000) (config) # interface vlan 1
(Alcatel6000) (config-subif) # ip address 3.3.3.1 255.255.255.0
(Alcatel6000) (config-subif) # exit
(Alcatel6000) (config) # interface fastethernet 2/0
(Alcatel6000) (config-if) # trusted
(Alcatel6000) (config-if) # switchport access vlan 1
(Alcatel6000) (config-if) # exit
(Alcatel6000) (config) # ip default-gateway 3.3.3.254
(test connectivity to default gateway and RADIUS)
(Alcatel6000) (config) # ping 3.3.3.254
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
(Alcatel6000) (config) # ping 4.4.4.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Set up IKE with a customer-provided pre-shared key; keep the 0.0.0.0 address
and netmask as shown, since they make the key global:
(Alcatel6000) (config) # crypto isakmp key f00xYz123BcA address 0.0.0.0 netmask 0.0.0.0
Set up L2TP:
(Alcatel6000) (config) # vpdn group l2tp
(PAP will work with most RADIUS servers; use “CACHE-SECURID” if using
RSA SecurID.)
Set up a role (here the role is called employee) for VPN and the captive portal:
(Alcatel6000) (config) # user-role employee
(Alcatel6000) (config-role) # dialer Default-dialer
(Alcatel6000) (config-role) # session-acl allowall
(Alcatel6000) (config-role) # exit
Type in username foo, password bar. You should see a page with the link to
download VPN-dialer. Select that link and open setup.exe.
Follow the onscreen instructions. For more information refer to “VPN Setup”
on page 483.
If the laptop receives a notice to reboot, comply. Once the laptop is back and
the dialer is running, type in username foo and password bar. The user should
connect.
If there is an initiator IP that matches the client’s IP, it means the client
successfully started IPSec authentication. Otherwise, check the IKE pre-shared
key on the crypto isakmp key command and vpn-dialer default-dialer
command. The two must match.
Responder IP 10.1.1.158
Initiator IP 10.1.1.103
Initiator cookie 0a6c4974a8538522 Responder cookie dc42860c619f3ac4
Life secs 7200
transform: esp-3des esp-sha-hmac
If there is an initiator IP that matches the client’s IP, then the client is
successfully doing IPSec encryption but may still have trouble authenticating the
actual user foo.
If there are no IP addresses free, then you’ve run out of IP addresses for VPN.
If the dialer connects, but no traffic goes through from applications, make sure
the inner IP pool is routable. The only way to check this is to sniff between the
router and switch.
NOTE—Just because the switch IP can ping the default router doesn’t mean the
VPN IP pool is routable. Check the router. There may be OSPF or other
issues.
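The diagnosis described here and in the Troubleshooting section above is a fixed decision sequence: no matching IKE SA means a pre-shared key mismatch, an IKE SA without an IPSec SA means phase 1 completed but ESP was never set up, an IPSec SA with an empty pool means the L2TP pool is exhausted, and otherwise the tunnel is up and any remaining problem is user authentication or inner-pool routing. The following added example (not part of the Alcatel documentation or AOS-W software) parses captured show crypto isakmp sa and show crypto ipsec sa output and applies that sequence for one client address. The embedded output is constructed from the samples above; the number of free pool addresses is passed in as an integer because the page does not show the show vpdn l2tp pool format, and the status codes and advice strings are this example's own.

```python
import re

# Constructed samples shaped like the show crypto isakmp sa / show crypto ipsec sa output above.
ISAKMP_SA = """\
Responder IP 10.1.1.158
Initiator IP 10.1.1.122
Initiator cookie ce91845e68f75026 Responder cookie 9635499cf2dad66e
Life secs 28800
transform: 3DES - Secure Hash Standard
Authentication method: Pre-Shared Key
Responder IP 10.1.1.158
Initiator IP 10.1.1.103
Initiator cookie 0a6c4974a8538522 Responder cookie dc42860c619f3ac4
Life secs 28800
transform: 3DES - Secure Hash Standard
Authentication method: Pre-Shared Key
"""

IPSEC_SA = """\
Responder IP 10.1.1.158
Initiator IP 10.1.1.103
Initiator cookie 0a6c4974a8538522 Responder cookie dc42860c619f3ac4
Life secs 7200
transform: esp-3des esp-sha-hmac
"""

FIELD_RES = {
    "responder": re.compile(r"^Responder IP\s+(\S+)"),
    "initiator": re.compile(r"^Initiator IP\s+(\S+)"),
    "life_secs": re.compile(r"^Life secs\s+(\d+)"),
    "transform": re.compile(r"^transform:\s*(.+?)\s*$"),
    "auth": re.compile(r"^Authentication method:\s*(.+?)\s*$"),
}
COOKIE_RE = re.compile(r"^Initiator cookie\s+([0-9a-f]+)\s+Responder cookie\s+([0-9a-f]+)", re.I)

ADVICE = {
    "NO_IKE": "no IKE SA for this client: the crypto isakmp key and the dialer IKEPASSWD must match",
    "IKE_ONLY": "IKE SA present but no IPsec SA: phase 1 completed, ESP never negotiated; "
                "compare the IPsec transform on the switch and in the dialer",
    "POOL_EXHAUSTED": "IPsec SA present but no free L2TP pool address: enlarge the VPN address pool",
    "TUNNEL_UP": "IKE and IPsec SAs present: if the user still fails, check RADIUS/SecurID lockout; "
                 "if connected with no traffic, check that the inner pool is routed",
}


def parse_sa_blocks(text):
    """One dict per SA; a new SA starts at each 'Responder IP' line."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Responder IP"):
            cur = {}
            sas.append(cur)
        if cur is None or not line:
            continue
        m = COOKIE_RE.match(line)
        if m:
            cur["initiator_cookie"], cur["responder_cookie"] = m.group(1), m.group(2)
            continue
        for name, rx in FIELD_RES.items():
            m = rx.match(line)
            if m:
                cur[name] = int(m.group(1)) if name == "life_secs" else m.group(1)
    return sas


def diagnose_client(client_ip, isakmp_text, ipsec_text, pool_free):
    """Return (status_code, advice) for one client, following the manual's check order."""
    ike = [s for s in parse_sa_blocks(isakmp_text) if s.get("initiator") == client_ip]
    ipsec = [s for s in parse_sa_blocks(ipsec_text) if s.get("initiator") == client_ip]
    if not ike:
        code = "NO_IKE"
    elif not ipsec:
        code = "IKE_ONLY"
    elif pool_free <= 0:
        code = "POOL_EXHAUSTED"
    else:
        code = "TUNNEL_UP"
    return code, ADVICE[code]


if __name__ == "__main__":
    for ip, free in (("10.1.1.122", 10), ("10.1.1.103", 0), ("10.1.1.103", 5), ("10.1.1.99", 5)):
        print(ip, *diagnose_client(ip, ISAKMP_SA, IPSEC_SA, free))
```

Paste the two show outputs into the constants (or read them from files) and call diagnose_client with the laptop's address as seen by the switch; the status code tells you which of the manual's checks to perform next instead of reading both tables by eye.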
Verifications:
Use the following commands to verify functionality:
Mode = Enabled
Default Role = 'employee'
Dialer download location = /auth/dialer.html
Auth Server List
----------------
Pri Name Type Status Inservice Applied
--- ---- ---- ------ --------- -------
1 ias RADIUS Enabled Yes 3 <-- IMPORTANT LINE
ISAKMP ENABLED
Protection suite priority 10
encryption algorithm: 3DES - Triple Data Encryption Standard
(168 bit keys)
hash algorithm: Secure Hash Algorithm
authentication method: Pre-Shared Key <-- IMPORTANT
Diffie-Hellman Group: #2 (1024 bit)
lifetime: [300 - 86400] seconds, no volume limit
Default protection suite
encryption algorithm: 3DES - Triple Data Encryption Standard
(168 bit keys)
hash algorithm: Secure Hash Algorithm
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman Group: #2 (1024 bit)
lifetime: [300 - 86400] seconds, no volume limit
Enabled
default-dialer
--------------
Attribute Value
--------- -----
PPTP disabled
L2TP enabled
DNETCLEAR disabled
WIREDNOWIFI disabled
PAP enabled
CHAP enabled
MSCHAP enabled
MSCHAPV2 disabled
CACHE-SECURID disabled
IKESECS 28800
IKEENC 3DES
IKEGROUP TWO
IKEHASH SHA
IKEAUTH PRE-SHARE <-- IMPORTANT
IKEPASSWD f00xYz123BcA <-- IMPORTANT
IPSecSECS 7200
IPSecGROUP GROUP2
IPSecENC ESP-3DES
IPSecAUTH ESP-SHA-HMAC
This section includes sample VPN clients terminating on Alcatel Wireless LAN
switches.
Requirements
The following requirements apply to Cisco VPN clients terminating on Alcatel
Wireless LAN switches.
z Release 2.4.0.0 and higher will support Cisco VPN client, version 4.0.2b
z Native Cisco profiles, (151.151.1.1 is your Cisco VPN concentrator)
z Direct Cisco VPN termination, (10.10.1.1 is your Alcatel loopback IP
address)
NOTE—The DNS server and the DHCP server cannot be the same host.
If you are using the native Cisco VPN profile, Alcatel can emulate the Cisco
concentrator.
When you select Emulate VPN Servers, as shown below, a vpn-dst-nat ACL is
added to your logon role.
Go to Configuration > Security > Roles > Edit Role (logon) to verify that the
vpn-dst-nat ACL is associated with the log on role.
Make sure the IKE shared secrets match by going to Configuration > Security >
VPN Settings > IPSec.
The IKE Aggressive Group Name is the same as the Cisco dialog box
Authentication tab Group Authentication Name. The IKE Shared Secret is the
same as the Cisco dialog box Authentication tab Group Authentication
Password.
Default Values
The following figures show the default values for the Cisco dialog box
Transport, Backup Servers and Dial Up tabs
Verify the IKE policy settings by selecting Configuration > Security > VPN Settings
> IPSec > Edit. Make sure the IKE key matches, that the IKE policy is pre-shared
key, and that the Group ID is defined.
Verify the basic logon role by selecting Configuration > Security > Roles > Edit
Role (logon).
Modify the basic logon role by adding an ACL to allow TCP on port 17 by
selecting Configuration > Security > Roles > Edit Role (logon) > Edit Policy
(Control).
If you need further assistance, see “Contacting Alcatel” on page xxi for
support.
The setup for Cisco is actually the same as for the Alcatel VPN (without the
dialer). You can ignore the XAuth group name input (it is display-only). To
include AES-256, you need to (assuming the GUI):
1. Navigate to Configuration->Security->VPN Settings->IPSEC:
2. Add an IKE policy with AES-256, pre-share, and SHA.
3. Navigate to Configuration->Security->VPN Settings->Advanced.
4. Add or change the IPSec transform to AES-256 and SHA.
Image Management
Navigate to Maintenance > Switch > Image Management to access the
image management screen:
Reboot Switch
To reboot the switch, typically after an image update, click Maintenance > Switch
> Reboot Switch.
To save any changes to the current switch configuration, click Yes. To leave
the configuration file unchanged, click No.
To proceed with the switch reboot, click Continue and follow any prompts.
Clear Config
To reset the switch configuration to factory default settings, use the
Maintenance > Switch > Clear Config option.
The current configuration is erased and the factory default configuration is set
as the boot configuration. This option forces the switch to reboot using the
factory default configuration. (The persistent state data maintained in the
switch is preserved.)
When ready to revert to the original, factory configuration, click Continue and
follow any prompts.
Make sure you do this from the serial console as this removes all IP and port
configurations. The switch will reboot and display the Setup Dialog.
Synchronize
This feature is only valid in redundant Master-Master configurations.
To synchronize the database with the other master, use the Maintenance >
Switch > Synchronize Database option and click Sync.
The system will prompt you to confirm that you want to synchronize the
database.
Boot Parameters
The boot parameters are the name of the boot file and its boot partition
location. Access these parameters by accessing Maintenance > Switch > Boot
Parameters.
The following parameters and options may be configured through Web UI.
File Maintenance
The four options available in the Maintenance > File menu are:
z Copy Files
z Copy Logs
z Copy Crash Files
z Delete Files
Copy Files
You can copy files on the switch to off-switch locations by selecting
Maintenance > File > Copy Files.
Copy Logs
To copy logs from the switch to another system, go to Maintenance > File >
Copy Logs.
You can copy the logs using an FTP server or TFTP server. Once you have
specified the transfer protocol, specify the IP address and file name to be used
for the log file.
You can copy the crash files using an FTP server or TFTP server. Once you
have specified the transfer protocol, specify the IP address and file name to be
used for the crashfile.
Backup Flash
To copy the files in flash, go to Maintenance > File > Backup Flash.
Click Create Backup to start the backup process. The system will report the
backup being created when finished. Clicking Copy Backup is the same as
selecting “Copy Files”.
Restore Flash
To restore Flash files which have previously been backed up, go to Maintenance
> File > Restore Flash.
The system must reboot before it can use the restored Flash files.
Delete Files
To keep from running out of flash file space, you should delete files you no
longer need. You can also delete files that you have copied off the switch. To
remove unwanted or no longer needed files, go to Maintenance > File > Delete
Files.
Click the file(s) to be deleted, and click Delete. To select multiple files:
Click the Access Point(s) you want to reboot, and click Reboot. To find an AP,
click Search and enter any information you have (such as location, IP or MAC
address). To organize the display to make finding APs easier, you can sort
(ascending or descending) on location, IP and MAC address.
The display is limited to ten APs per page. Use the page navigator to scroll
through the listings of APs controlled by this switch.
The captive portal is the screen users see when their wireless device connects
to the network through the switch. This screen allows network administrators
to control what users and guests see, and what they can do once they log in
and are authenticated.
From this screen you can select a background login page or upload your own
login page. You can also edit your policy for guests. When you are finished
customizing the login page, click Submit. To erase any changes without saving
them, click Reset. To see what the captive portal will look like with the
changes you have made, click the View CaptivePortal link.
Upload Certificate
To manually upload an authentication certificate for the captive portal, go to
Maintenance > Captive Portal > Upload Certificate.
Specify the name of the certificate file to be imported in the File to be imported
field. You can click Browse to search for the file. When ready, click Upload.
As the onscreen notice advises, the switch expects the certificate file to be an
X.509 PEM file. The onscreen notice also warns that the uploading of a new
certificate will cause the switch to shutdown all Web Server connections while
the certificate is being installed.
Monitoring and Troubleshooting
Network Monitoring
Wireless LAN Performance Summary shows throughput metrics (the last five
minutes, the past hour, and overall) for Load Balancing Events, Interference
Events, Bandwidth Exceeded, and Error Threshold Exceeded.
The Security Summary statistics shows the last five minutes, last hour, and
overall summaries for Wireless LAN Attack statistics, Rogue AP Classification
Summary, and Client Classification Summary data. Wireless LAN Attack
Summary data includes: Denial of Service Attacks, Man in the Middle Attacks,
Signature Pattern Matches, and Policy Violations statistics.
Select Monitoring > Network > All Wireless LAN Switches to see details about each
Wireless LAN switch. Details include IP address, location (from RF Plan), Type
(Master or local), and AOS-W version running.
Select Monitoring > Network > All Access Points to see details about each Access
Point. Details include Name, Location, IP Address, Type, IP address of the
Wireless LAN switch, number of, and channels used by, 802.11b and g clients,
and number of 802.11a clients and the channels they are using.
Select Monitoring > Network > All Air Monitors to see details about air monitors.
Details include Name, Location, IP Address, Type, Switch IP, Last Seen, and
Status.
Select Monitoring > Network > All Wireless LAN Clients to see details about
wireless clients. Details include MAC Address, Name, IP Address, Role,
Authentication Method, Home Switch, and Current Switch.
Select Monitoring > Network > Global Events to see details about wireless activity.
Event details include Event ID, Type, Info(mation), Device type, MAC Address,
Count (which is a count of how many times the event has occurred), and
Occurred Time. Selecting Global Events is the same as clicking Events on the
toolbar.
Switch Monitoring
The Monitoring > Switch screens provide details about the Wireless LANs in the
wireless network.
Select Monitoring > Switch Summary to see details about the Wireless LAN
switch including its Model, AOS-W Version, IP Address, and MAC Address.
Select Monitoring > Switch > Access Points to see details about the APs
connected to this Wireless LAN switch. Details include Name, Location, IP
address, Type, 802.11b and g Clients, 802.11a clients, the Channel Power
Levels for these a, b, and g clients, and the uptime for each AP.
Click:
Select Monitoring > Switch > Air Monitors to see details about air monitors
connected to this Wireless LAN switch. Details include Name, Location, IP
address, Type, and Uptime for each AM. Click Overview, Channel, APs, Clients,
and Packet Capture for additional information.
Select Monitoring > Switch > Clients to see details about wireless clients. Details
include User Name, MAC Address, Client IP address, User Role, Access
Method, Age, and Status.
Select Monitoring > Switch > Blacklist Clients to see details about users who are
not welcome. Details include Client MAC address, Reason, and Block Time.
(Block Time is the time in seconds that a blacklisted user is blocked from
attempting to connect.) Click Enable to turn on DoS prevention. Click Remove
from Blacklist to allow the selected user to access the wireless network
without restriction.
Select Monitoring > Switch > Firewall Hits to see details about attacks on the
switch. Details include User Role Hits (including Role, Policy, source and
destination addresses, Service, Action, Dest/Opcode, New Hits, Total Hits,
and Index), Port Based Session ACL Hits (including Policy, source and
destination addresses, Action, Dest/OPcode, New Hits, Total Hits, and Index),
and Port ACL Hits (including ACL, ACE, New Hits, Total Hits, and Index. ACE is
the individual permit or deny rule that makes up an ACL. The index number is
the priority of each ACE starting with 1.)
Select Monitoring > Switch >Ports to see details about port activity. Details
include Admin State, Operational State, Port Mode, VLAN Association, Trusted
or untrusted. Click Status, Profile, Activity, or Diagnostics for additional
information.
Select Monitoring > Switch > Inventory to see details about switch components,
software, and environment. Details for Supervisor cards include Status, FPGA
Revision, SC Assembly Number, SC Serial Number, Crypto Assembly Number,
Crypto Serial Number, management Port NW MAC Address, Switch Base MAC
Address, Peer Supervisor Card. Details for line cards are reported for each slot
occupied by a line card and include: FPGA Revision Number, Gigabitethernet
Daughter Card, SPOE1 Daughter Card, Supervisor Card 0, and Supervisor Card
1. Fan and Power Supply details include status for Fan 0, Fan 1, and Fan 2 as
well as for Power Supply 0, Power Supply 1, and Power Supply 2.
Select Monitoring > Switch to see the switch log. Selecting the Events tab
displays the same screen. (See “Events” below.)
From the screen shown in Figure 25-2, you can select to view information on:
z Overview—see Figure 25-3.
z Channel—see Figure 25-4 and Figure 25-5.
z APs—see Figure 25-6.
z Clients—see Figure 25-7
z Packet Capture—see Figure 25-8.
Overview Information
Click Overview to see the following information.
Channel Information
Click Channel to see the following information.
The details on the selected channel are shown in the figure below.
AP Information
Click APs to see the following information.
Client Information
Click Clients to see the following information.
Status Information
Click Status to see the following types of information.
Events
Events consist of
You can sort the events on any of these categories by using the Group By
drop-down menu. Click Search to find a specific event, or use the page
navigation links to display additional pages of events. To manage the number
of events reported, you can delete events that are no longer of interest. To
delete unwanted events, click the selection box to the left of each event to be
removed, and click Delete Selected Events.
The Custom Reports option allows you to tailor event reports to suit your
needs. For example, you can create a report that just shows Rogue APs, or
track times when bandwidth rates were exceeded.
To create a custom report, click Search and enter the criteria and click Save As
to name the report.
Displays network information for each Wireless LAN based on the SSID of each
Wireless LAN.
Debug Information
You can set debugging levels on an Alcatel Wireless LAN switch to capture
information on local clients. To enable this feature, select Monitoring > Debug >
Local Clients. Wireless users will have their MAC Address, IP Address, and User
Name recorded.
To view the resulting debug activity, select Monitoring > Debug > Process Logs.
Log details are shown in Figure 25-17.
Using the information collected by the logging process, you can tailor custom
logs that suit your needs.
Reports
The reporting capability of AOS-W is located in the Reports tab. The most
commonly used types of reports are prepackaged and include:
• Active rogue Access Points (Active Rogue APs)
• All rogue Access Points (All Rogue APs)
• All active and valid Access Points (Active Valid APs)
• All inactive and valid Access Points (Inactive Valid APs)
• All valid Access Points, active and inactive (All Valid APs)
• All Access Points that are interfering with other Access Points (Active
Interfering APs)
• All Access Points that are causing interference (All Interfering APs)
• All active interfering Access Points (Active Known Interfering APs)
• All known interfering Access Points (All Known Interfering APs)
• The most congested Access Points (Top Congested APs)
• Active interfering wireless clients (Active Interfering Clients)
• All interfering wireless clients, active or not (All Interfering Clients)
• All valid and active wireless clients (Active Valid Clients)
• All valid wireless clients, active or not (All Valid Clients)
• The wireless clients using the most bandwidth (Top Talker Clients)
You can change the status of a rogue or interfering device by clicking Set as
Valid, Set as Interfering, Set as Known Interfering, etc. If necessary, you can also
turn off any device by clicking Disable.
AP Reports
To see a typical AP report, select Reports > AP > Active Valid APs. The following
type of report displays.
Status
To get details on a specific device on a report, click the checkbox to the left of
the device and click Status. Detailed information for this device displays as
shown in Figure 25-20.
Custom Reports
You can customize reports to suit your needs. Go to Reports > Create AP Report
to create a custom Access Point report. Go to Reports > Create Client Report to
create a custom wireless client report as shown below.
Basic Connectivity
Verify
General
The Wi-Fi Alliance has made great strides in testing interoperability between
802.11 devices from many different manufacturers. Despite these efforts,
however, client incompatibility remains the primary complaint from network
managers deploying wireless LANs. A wide range of wireless hardware and
software is in use, with a corresponding wide range of quality – a given client
adapter card may work fine with one revision of driver software, but
experience numerous problems with another. A given operating system may
perform poorly on a wireless network until specific vendor patches are
applied. For this reason, Alcatel recommends that enterprise network
managers develop standard supported configurations for their deployment.
This configuration should consist of:
• Device type and model (laptops, PDAs, handheld devices, voice handsets, etc.)
• Operating system (Windows 2000, Windows XP, MacOS X, Linux, etc.)
• Wireless NIC hardware manufacturer and model
• Wireless NIC software driver
• Wireless NIC firmware revision, if required
• Wireless NIC client utility or radio manager, if needed
• Authentication and encryption software (VPN client, 802.1x supplicant, etc.)
Spending the time up front to develop and test such configurations will
greatly reduce troubleshooting time and effort after the network is deployed
and operational. A table of configurations tested by Alcatel appears in the
Design Guide, but this testing cannot take into account all possibilities.
Network managers can use these recommendations but should always
perform testing in their own environments with their own applications.
Figure: 802.11 client join sequence: Authenticate, Authenticate Response,
Associate, Associate Response.
If the client and AP are configured differently, association will typically fail.
Very little information is given to the user when an association fails, so most
troubleshooting must be done from the network side. The most likely cause
for an authentication or association failure is client misconfiguration.
Association Fails
During the association request/response exchange, a number of capabilities
are exchanged. If there is a mismatch between the client and network
configuration, the association will often be rejected by the AP. On the client,
there is often no indication that an association has failed other than a lack of
association. For example, under Windows XP using the built-in “Zero
Configuration” service, Windows will continually display “One or more
wireless networks are available…”
• Enable client debugging for the client device in question. From the Alcatel
CLI, use the command "aaa user debug mac <MAC address of client>". Log
output from the debug process can be viewed by issuing the command
"show log intuser 30" (to display the last 30 lines of the log file). The log
should indicate the reason for a failed authentication or association. Often
the cause is a capability mismatch between the client and AP.
• Verify that the AP has not reached the maximum number of users. If the
system has been configured to allow only 20 associations per AP, the 21st
client will be rejected. A simple way to check this is the "show ap-leds"
command, which shows the status of the AP LEDs on the switch. An AP that
is full indicates this through its LEDs.
• If the client fails association, the likely cause is a client misconfiguration. If
the network has been configured for WPA and TKIP encryption, and the client
has been configured for open system and WEP encryption, association will
fail.
• Ensure that the user is physically located in an area with AP coverage. If
signal strength is too low, radio transmission may be garbled to the point
that authentication or association is impossible. The Station Manager log
will indicate which AP the client is attempting to associate with; ensure
that this AP is near the user's physical location.
• In a dense-mode AP deployment, the AP's minimum rate may have been
raised. If the client cannot support this higher rate because of signal
impediments or configuration, association will fail.
• Perform a wireless packet capture. If the Station Manager log provides no
useful information or is inaccessible, a packet capture of the exchange shows
the status code in the AP's Association Response (or that no response was
sent at all), which identifies the reason for the failed association.
• Reset the client NIC. In the case of malfunctioning client software, this
does not fix the underlying problem but is often the fastest way to get the
user back on the network.
• If "Authentication Failure Auto-Blacklisting" has been enabled on the Alcatel
switch, multiple authentication failures will cause a client to be denied
association. If this feature has been enabled, check the current "Black List"
in the management GUI by navigating to Monitoring > Client > Client
Blacklist. Ensure that the authentication problem has been fixed before
re-attempting association.
• Verify that no denial of service attack is underway. From the client
perspective, a successful association followed by an immediate disassociation
appears the same as an unsuccessful association. Examine the Wireless
Management System (WMS) log files on the Alcatel switch by navigating in
the management GUI to the Events tab. A packet capture will also reveal
the presence of a denial of service attack (for example, spoofed
deauthentication or disassociation frames directed at the client).
• Reset the client NIC. If an internal error has caused the dropped association,
a reset of the NIC may restore connectivity.
The Alcatel Access Points support auto duplex and auto speed. When one
side of the link is hard-coded for 100/full and the Access or Grid Point is set to
auto speed/duplex, the auto side receives no negotiation information and falls
back to half duplex, so the resulting connection is a duplex mismatch. This
configuration causes the Access/Grid Point to fail. The possible combinations
are summarized in the following table.
NIC speed/duplex   Switch speed/duplex   Resulting NIC     Resulting switch   Observation
configuration      configuration         speed/duplex      speed/duplex
Auto               Auto                  1000 Mbps/Full    1000 Mbps/Full     (a)
1000 Mbps/Full     Auto                  1000 Mbps/Full    1000 Mbps/Full     (b)
1000 Mbps/Full     1000 Mbps/Full        1000 Mbps/Full    1000 Mbps/Full     (a)
100 Mbps/Full      1000 Mbps/Full        No link           No link            (c)
100 Mbps/Full      Auto                  100 Mbps/Full     100 Mbps/Half      (d)
Auto               100 Mbps/Full         100 Mbps/Half     100 Mbps/Full      (d)
100 Mbps/Full      100 Mbps/Full         100 Mbps/Full     100 Mbps/Full      (a)
100 Mbps/Half      Auto                  100 Mbps/Half     100 Mbps/Half      (e)
10 Mbps/Half       Auto                  10 Mbps/Half      10 Mbps/Half       (e)
10 Mbps/Half       100 Mbps/Half         No link           No link            (c)
Auto               100 Mbps/Half         100 Mbps/Half     100 Mbps/Half      (e)
Auto               10 Mbps/Half          10 Mbps/Half      10 Mbps/Half       (e)

(a) Proper configuration. If this configuration causes problems, verify that the
    NIC is operating as configured.
(b) Link is good, but the switch will not see any autonegotiation information
    from the NIC, so the Wireless LAN switch (which only supports full-duplex
    operation at 1000 Mbps) defaults to full duplex.
(c) Because the speeds do not match, no link is established.
(d) Duplex mismatch (half and full). This may provide connectivity, but there
    will likely be performance problems and poor-quality, intermittent
    connectivity.
(e) The switch, which is configured for Auto, defaults to half duplex at 10 and
    100 Mbps when the NIC does not autonegotiate.
Authentication
802.1x
Authentication using 802.1x may be accomplished in combination with
dynamic WEP key exchange, WPA with TKIP, or 802.11i with AES. The
troubleshooting process for the authentication portion is identical in all cases.
Certificate errors may or may not be indicated by the client. For example, the
Funk Odyssey client will turn an icon red and indicate an explicit error when a
certificate problem occurs. The Microsoft supplicant built into Windows XP
will not.
• If a certificate problem is suspected, most 802.1x supplicants provide an
option to disable server certificate validation. As a troubleshooting
mechanism, temporarily disable this option if available. If authentication is
successful after this option is disabled, a certificate problem has been
confirmed. Note: Do not leave the "validate server certificate" option
turned off in the 802.1x supplicant. Without validation the supplicant will
complete the EAP exchange with any RADIUS server that presents a
certificate, which makes a man-in-the-middle attack through a rogue AP
possible.
• Verify that the client configuration matches the standard enterprise client
configuration. Most 802.1x problems are caused by a misconfigured client.
For example, the wrong certificate authority or wrong server domain name
may have been selected, or password authentication may be selected when
one-time token use is required by the authentication server.
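As an added example (not from the manual, and for the open-source wpa_supplicant rather than the Odyssey or Windows XP supplicants named above), the two wpa_supplicant network blocks below show the troubleshooting setting and the hardened setting side by side; they are alternatives for the same network, not two entries to keep active at once. The SSID, identity, CA file path and RADIUS server name are assumptions for illustration.

```conf
# wpa_supplicant.conf fragment. Added example, not part of AOS-W.
# SSID, identity, CA path and server name are assumed values.

# TROUBLESHOOTING ONLY: no ca_cert, so the supplicant accepts any server
# certificate. A rogue AP with its own RADIUS server can complete PEAP with
# this client and capture the inner MSCHAPv2 challenge/response.
network={
    ssid="wireless-network"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-password"
    phase2="auth=MSCHAPV2"
}

# CORRECTED: the server chain must validate against the enterprise CA and the
# server certificate must carry the expected name; anything else is rejected.
network={
    ssid="wireless-network"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-password"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

If authentication succeeds with the first block and fails with the second, the certificate chain or server name is the problem (the wrong CA file, an expired or renamed server certificate), which is the same diagnosis the text describes; fix it on the server or CA side rather than leaving validation off.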
VPN
VPN Dialer displays “Interface is down or no route”
This message indicates that the client does not have an IP address or a route
to reach the Alcatel switch. To view the IP address and default gateway for
the client, click the “Network Info” button in the VPN dialer.
• If there is no IP address on the interface, verify that the interface is
configured to obtain an address via DHCP.
• Verify that association to the wireless network succeeded. Examine the
output of "show user" on the Alcatel switch to view the client's association
state.
• Verify that the DHCP server is active. If the Alcatel internal DHCP server is
in use, the command "show log dhcp" will provide information on DHCP
server activity.
The likely cause of this error message is that the client has no DNS server
configured or learned through DHCP. If the client has no DNS server to use
for lookups, the client will not generate DNS requests, and the Alcatel switch
will not be able to intercept the request and respond to it. There are three
possible solutions:
• Configure the DHCP server so that it supplies clients with a DNS server
address.
• Statically configure the client with the address of a DNS server.
• In the Alcatel VPN dialer, turn off the option labeled "Wait for wireless".
Note that with this option disabled, the VPN dialer will try to establish a
connection any time the wireless NIC is connected to a network and has
an IP address.
• Examine the output of "show crypto ipsec sa". Once IKE negotiation has
succeeded (an IKE SA appears for the client), this command will list all
IPSec security associations (SAs) currently active in the switch. If no SA
appears for the client in question, it is likely that the client and switch have
mismatching lifetimes, encryption types, or hash configuration.
IPSec is up, but dialer does not display “Logging on” message
This message indicates that IPSec was successful, but L2TP was not.
• Verify the diagnosis by examining the output of show crypto ipsec sa. If a
security association exists for the client, IPSec was successful. Examine
the output of show vpdn tunnel l2tp. If L2TP has failed, no tunnel will exist
for the client in question.
• This is an error condition. Contact Alcatel Technical Support for assistance.
Duration: 0 Microseconds
Destination: FF:FF:FF:FF:FF:FF Ethernet Broadcast
Source: 00:04:E2:64:C1:C0 SMC Net:64:C1:C0
BSSID: FF:FF:FF:FF:FF:FF Ethernet Broadcast
Seq. Number: 349
Frag. Number: 0
Supported Rates
Element ID: 1 Supported Rates
Length: 8
Supported Rate: 1.0 (Not BSS Basic Rate)
Supported Rate: 2.0 (Not BSS Basic Rate)
Supported Rate: 5.5 (Not BSS Basic Rate)
Supported Rate: 11.0 (Not BSS Basic Rate)
Supported Rate: 6.0 (Not BSS Basic Rate)
Supported Rate: 12.0 (Not BSS Basic Rate)
Supported Rate: 24.0 (Not BSS Basic Rate)
Supported Rate: 36.0 (Not BSS Basic Rate)
Beacon Frame
Packet Information
Flags: 0x00
Status: 0x00
Packet Length: 97
Timestamp: 17:04:36.139436600 04/09/2004
Data Rate: 2 1.0 Mbps
Channel: 1 2412 MHz
Signal Level: 38%
Signal dBm: -73
Noise Level: 0%
Duration: 0 Microseconds
Destination: FF:FF:FF:FF:FF:FF Ethernet Broadcast
Source: 00:0B:86:80:48:80 Alcatel Net:80:48:80
BSSID: 00:0B:86:80:48:80 Alcatel Net:80:48:80
Seq. Number: 3635
Frag. Number: 0
SSID
Element ID: 0 SSID
Length: 16
SSID: wireless-network
Supported Rates
Element ID: 1 Supported Rates
Length: 4
Supported Rate: 1.0 (BSS Basic Rate)
Supported Rate: 2.0 (BSS Basic Rate)
Supported Rate: 5.5 (Not BSS Basic Rate)
Supported Rate: 11.0 (Not BSS Basic Rate)
ERP Information
Element ID: 42 ERP Information
Length: 1
ERP Flags: %00000010
x... .... Reserved
.x.. .... Reserved
..x. .... Reserved
...x .... Reserved
.... x... Reserved
.... .0.. Not Barker Preamble Mode
.... ..1. Use Protection
.... ...0 Non-ERP Not Present
Reserved 171
Element ID: 171 Reserved 171
Length: 11
Value: 0x000B86080400010A040026
SSID
Element ID: 0 SSID
Length: 4
SSID: air1
Supported Rates
Element ID: 1 Supported Rates
Length: 4
Supported Rate: 1.0 (BSS Basic Rate)
Supported Rate: 2.0 (BSS Basic Rate)
Supported Rate: 5.5 (Not BSS Basic Rate)
Supported Rate: 11.0 (Not BSS Basic Rate)
Noise Level: 0%
Noise dBm: 0
Listen Interval: 1
SSID
Element ID: 0 SSID
Length: 4
SSID: air1
Supported Rates
Element ID: 1 Supported Rates
Length: 8
Supported Rate: 1.0 (Not BSS Basic Rate)
Supported Rate: 2.0 (Not BSS Basic Rate)
Supported Rate: 5.5 (Not BSS Basic Rate)
Supported Rate: 11.0 (Not BSS Basic Rate)
Supported Rate: 6.0 (Not BSS Basic Rate)
Supported Rate: 9.0 (Not BSS Basic Rate)
Supported Rate: 12.0 (Not BSS Basic Rate)
Supported Rate: 24.0 (Not BSS Basic Rate)
WPA
Element ID: 221 WPA
Length: 24
OUI: 0x00-0x50-0xF2-0x01
Version: 1
Multicast cipher OUI: 0x00-0x50-0xF2-0x02 TKIP
Number of Unicast 1
Unicast cipher OUI: 0x00-0x50-0xF2-0x02 TKIP
Number of Auths 1
Association Response
Packet Info
Flags: 0x00
Status: 0x00
Packet Length: 40
Timestamp: 14:33:23.627186000 02/10/2004
Data Rate: 2 1.0 Mbps
Channel: 1 2412 MHz
Signal Level: 47%
Signal dBm: 0
Noise Level: 0%
Noise dBm: 0
Supported Rates
Element ID: 1 Supported Rates
Length: 4
Supported Rate: 1.0 (BSS Basic Rate)
Supported Rate: 2.0 (BSS Basic Rate)
Supported Rate: 5.5 (Not BSS Basic Rate)
Supported Rate: 11.0 (Not BSS Basic Rate)
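The capability mismatch named in the association checklist above (a WPA/TKIP network against a client configured for open system and WEP, or a raised minimum rate the client does not support) and the WPA element decoded in the capture above can be checked mechanically. The following Python script is an added example, not part of AOS-W or of any Alcatel tool: it parses the information elements of a beacon body, decodes the WPA element (ID 221, OUI 00-50-F2, type 1) into its group cipher, pairwise ciphers and key-management suites, and reports why a given client profile would not associate. BEACON_BODY is constructed here to match the decode shown above (SSID air1, basic rates 1 and 2 Mbps, TKIP with 802.1X); the client profile dictionaries are assumptions for illustration.

```python
"""Decode 802.11 beacon information elements and compare the BSS against a
client profile. Added example, not AOS-W code. BEACON_BODY is constructed to
match the decode in the text: SSID air1, basic rates 1/2 Mbps, WPA/TKIP/802.1X."""
import struct

MS_OUI = b"\x00\x50\xf2"                    # OUI used by WPA (version 1) suites
WPA_CIPHERS = {0: "none", 1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
WPA_AKMS = {1: "802.1X", 2: "PSK"}
CAP_PRIVACY = 0x0010                        # capability bit 4: encryption required

# Constructed beacon body: 8-byte timestamp, beacon interval, capability, then IEs.
BEACON_BODY = (
    b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)
    + b"\x00\x04air1"                                   # SSID
    + b"\x01\x04\x82\x84\x0b\x16"                       # rates: 1 and 2 basic, 5.5, 11
    + b"\x2a\x01\x02"                                   # ERP: Use Protection
    + b"\xdd\x18" + MS_OUI + b"\x01" + b"\x01\x00"      # WPA IE, version 1
    + MS_OUI + b"\x02" + b"\x01\x00" + MS_OUI + b"\x02" # group TKIP; 1 pairwise: TKIP
    + b"\x01\x00" + MS_OUI + b"\x01" + b"\x00\x00"      # 1 AKM: 802.1X; capabilities
)


def parse_ies(body):
    """Return [(element_id, value)] from a TLV IE list; stop at a truncated element."""
    ies, off = [], 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        if off + 2 + length > len(body):
            break
        ies.append((eid, body[off + 2:off + 2 + length]))
        off += 2 + length
    return ies


def parse_wpa_ie(val):
    """Decode a WPA vendor-specific element; None if it is some other vendor element."""
    if len(val) < 12 or val[:4] != MS_OUI + b"\x01":
        return None

    def suite(off, table):  # 3-byte OUI + 1-byte type; unknown OUIs map to "vendor"
        return table.get(val[off + 3], "vendor") if val[off:off + 3] == MS_OUI else "vendor"

    version = struct.unpack_from("<H", val, 4)[0]
    group = suite(6, WPA_CIPHERS)
    n_pair = struct.unpack_from("<H", val, 10)[0]
    pairwise = [suite(12 + 4 * i, WPA_CIPHERS) for i in range(n_pair)]
    off = 12 + 4 * n_pair
    if len(val) < off + 2:
        return None
    n_akm = struct.unpack_from("<H", val, off)[0]
    akm = [suite(off + 2 + 4 * i, WPA_AKMS) for i in range(n_akm)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def describe_bss(body):
    """Summarise SSID, BSS basic rates and security from a beacon or probe response body."""
    capability = struct.unpack_from("<H", body, 10)[0]
    bss = {"ssid": None, "basic_rates": [], "security": "open", "wpa": None}
    if capability & CAP_PRIVACY:
        bss["security"] = "WEP"             # privacy bit without a WPA element means WEP
    for eid, val in parse_ies(body[12:]):
        if eid == 0:
            bss["ssid"] = val.decode("utf-8", "replace")
        elif eid == 1:                      # high bit marks a BSS basic rate; units of 500 kbps
            bss["basic_rates"] = [(b & 0x7F) / 2 for b in val if b & 0x80]
        elif eid == 221:
            wpa = parse_wpa_ie(val)
            if wpa:
                bss["wpa"], bss["security"] = wpa, "WPA"
    return bss


def association_check(bss, client):
    """Return the reasons the AP would reject this client, or [] if the profiles match."""
    reasons = []
    if client["security"] != bss["security"]:
        reasons.append(f"security mismatch: AP advertises {bss['security']}, "
                       f"client configured for {client['security']}")
    elif bss["wpa"]:
        if client.get("cipher") not in bss["wpa"]["pairwise"]:
            reasons.append(f"pairwise cipher {client.get('cipher')} not offered; "
                           f"AP offers {bss['wpa']['pairwise']}")
        if client.get("akm") not in bss["wpa"]["akm"]:
            reasons.append(f"key management {client.get('akm')} not offered; "
                           f"AP offers {bss['wpa']['akm']}")
    missing = [r for r in bss["basic_rates"] if r not in client["rates"]]
    if missing:
        reasons.append(f"client does not support BSS basic rates {missing}")
    return reasons


if __name__ == "__main__":
    bss = describe_bss(BEACON_BODY)
    print(bss)
    print(association_check(bss, {"security": "WEP", "rates": [1.0, 2.0, 5.5, 11.0]}))
```

Feed describe_bss the frame body of a real beacon or probe response from a wireless capture and it reports, before the client ever sends an Association Request, whether the client's profile can succeed: an open/WEP profile against a WPA BSS, a cipher the AP does not offer, or a basic rate that was raised for a dense deployment all show up as explicit reasons rather than as a silent failure on the client.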
Packet Sniffing
AOS-W 2.3 and later add two types of packet sniffing to the existing remote
sniffing from APs and IKE (VPN) sniffing:
Packet Capture
This CLI utility allows sniffing of all control path packets. This is useful for
sniffing RADIUS, 802.1x, VPN control path (IKE is encrypted, L2TP is not),
station up/down opcodes, mobility, DHCP, and virtually any other packets that
traverse the control path CPU.
These commands create a file named filter.pcap in the logs directory that
can then be extracted using tar logs. The file is also copied into the crash
directory in the event of a crash. The file is limited to 1.5MB and will be backed
up to filter.1.pcap if filled. So up to 3MB of captured packets can be retained
for future inspection. These commands allow a complete playback of what
happened.
NOTE—Be careful when using these commands: user passwords and keys may be
stored inside filter.pcap, because control-path traffic such as L2TP, RADIUS,
and DHCP is captured exactly as it appears on the wire. Treat the archive
produced by tar logs as sensitive data and delete captures once they have
served their purpose.
or
# show packet-capture-defaults
You can enable/disable sniffing on TCP, UDP, Alcatel messages, or any other
types of packets. Note that "ports" and "opcodes" are comma separated
values and you can sniff up to 10 of them. Whenever they're present, only
those ports or opcodes are captured.
Examples
Debugging a wireless WEP station doing VPN would typically require:
• station up/down: Alcatel msg opcode 30
• wep key plumbing: Alcatel msg opcode 29
• DHCP: Alcatel msg opcode 90 (not udp 67, as that won't catch mobility packets)
• ike: udp ports 500 and 4500
• l2tp: udp port 1701
Enter:
Enter:
NOTE—These examples give you all the messaging plus the timestamps associated
with it. This is useful for seeing why, for example, users got associated but
took 2 minutes to get an IP address.
SESSION MIRRORING
As of AOS-W 2.3.0.0 and later code you can mirror Ethernet packets on a per
session basis. This feature is only accessible from the CLI.
For each ACL you want to be able to mirror, add the mirror flag and
destination IP. For example, to see L2TP control packets unencrypted, enter:
firewall session-mirror-destination 1.2.3.4
ip access-list session vpnlogon
any any svc-l2tp permit mirror
Use ethereal on the target machine (1.2.3.4 in the example above). It does not
require an Alcatel-specific ethereal, because the packet format is GRE with
transparent Ethernet bridging. The target does not need to be trusted: the
packets are sent to the target regardless of whether it is trusted or untrusted.
Because mirrored packets leave the switch unencrypted, point the mirror
destination only at a host you control on a trusted network, and remove the
mirror flag from the ACL when the investigation is finished.
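The warning above that filter.pcap may hold user passwords, and the note that session mirroring delivers raw GRE-bridged frames, can be made concrete. The following Python script is an added example, not an Alcatel tool and not part of AOS-W: it reads a classic libpcap file, unwraps one GRE transparent-Ethernet-bridging layer if present (the format a session-mirror destination receives), finds RADIUS Access-Requests and, given the RADIUS shared secret, inverts the RFC 2865 User-Password hiding to recover the PAP password. The capture, addresses, user name and shared secret are constructed for the demonstration. The point it makes is that whoever holds a control-path capture together with the shared secret from the switch configuration holds the passwords as well.

```python
# Recover PAP passwords from RADIUS Access-Requests in a libpcap capture.
# Added example, not AOS-W code; frames, addresses and the secret are constructed.
import hashlib
import struct

RADIUS_PORTS = {1812, 1645}
ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 1, 2
GRE_TRANSPARENT_ETHERNET = 0x6558  # protocol type used by the switch's session mirror


def pcap_records(data):
    """Yield (link_type, packet_bytes) from a classic libpcap blob (not pcapng)."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    link_type = struct.unpack_from(endian + "I", data, 20)[0]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield link_type, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def udp_payload(frame):
    """Ethernet -> IPv4 -> UDP, unwrapping one GRE bridging layer (session mirror) if present."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = (".".join(str(b) for b in ip[i:i + 4]) for i in (12, 16))
    l4 = ip[ihl:]
    if proto == 47:  # GRE: skip the base header plus optional C/K/S words, then recurse
        flags, ptype = struct.unpack_from(">HH", l4, 0)
        if ptype != GRE_TRANSPARENT_ETHERNET:
            return None
        return udp_payload(l4[4 + sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit):])
    if proto != 17:
        return None
    sport, dport, ulen = struct.unpack_from(">HHH", l4, 0)
    return src, dst, sport, dport, l4[8:ulen]


def radius_attrs(pkt):
    """Return (code, request_authenticator, [(type, value), ...]); stops at a malformed attribute."""
    code, _ident, length = struct.unpack_from(">BBH", pkt, 0)
    attrs, off = [], 20
    while off + 2 <= min(length, len(pkt)) and pkt[off + 1] >= 2:
        attrs.append((pkt[off], pkt[off + 2:off + pkt[off + 1]]))
        off += pkt[off + 1]
    return code, pkt[4:20], attrs


def _xor_stream(data, secret, authenticator, chain_on_output):
    """RFC 2865 5.2: b1 = MD5(S + RA), b_i = MD5(S + c_(i-1)), c_i = p_i XOR b_i.
    The chain value is the previous ciphertext block: output when hiding, input when recovering."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + xored, (xored if chain_on_output else block)
    return out


def encode_user_password(password, secret, authenticator):
    """Hide a password as a NAS does (used here only to build the sample capture)."""
    pw = password.encode() or b"\x00"
    return _xor_stream(pw + b"\x00" * (-len(pw) % 16), secret, authenticator, True)


def decode_user_password(hidden, secret, authenticator):
    """Recover the password; a wrong secret yields garbage rather than an error."""
    return _xor_stream(hidden, secret, authenticator, False).rstrip(b"\x00").decode("utf-8", "replace")


def _ipv4(src, dst, proto, payload):  # minimal IPv4 header, checksum left at zero
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload


def build_sample_pcap(secret, password, mirrored=False):
    """Constructed capture: one Access-Request 10.1.1.1 -> 10.1.1.5, optionally wrapped in
    GRE 0x6558 the way a session-mirror destination (1.2.3.4 in the text) receives it."""
    authenticator = bytes(range(16))  # fixed instead of random so the result is repeatable
    hidden = encode_user_password(password, secret, authenticator)
    attrs = bytes([ATTR_USER_NAME, 7]) + b"alice" + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    radius = struct.pack(">BBH", ACCESS_REQUEST, 7, 20 + len(attrs)) + authenticator + attrs
    udp = struct.pack(">HHHH", 49152, 1812, 8 + len(radius), 0) + radius
    frame = b"\x00\x0b\x86\x80\x48\x80" + b"\x00\x04\xe2\x64\xc1\xc0" + b"\x08\x00" + _ipv4(
        b"\x0a\x01\x01\x01", b"\x0a\x01\x01\x05", 17, udp)
    if mirrored:
        gre = struct.pack(">HH", 0, GRE_TRANSPARENT_ETHERNET) + frame
        frame = b"\x00\x11" * 3 + b"\x00\x22" * 3 + b"\x08\x00" + _ipv4(
            b"\x0a\x01\x01\x01", b"\x01\x02\x03\x04", 47, gre)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return header + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


def find_radius_passwords(pcap, secret):
    """Return [(src, dst, user, password)] for every Access-Request carrying User-Password."""
    found = []
    for link_type, frame in pcap_records(pcap):
        parsed = udp_payload(frame) if link_type == 1 else None
        if not parsed or parsed[3] not in RADIUS_PORTS or len(parsed[4]) < 20:
            continue
        code, authenticator, attrs = radius_attrs(parsed[4])
        by_type = dict(attrs)
        if code != ACCESS_REQUEST or ATTR_USER_PASSWORD not in by_type:
            continue
        found.append((parsed[0], parsed[1], by_type.get(ATTR_USER_NAME, b"").decode("utf-8", "replace"),
                      decode_user_password(by_type[ATTR_USER_PASSWORD], secret, authenticator)))
    return found
```

To scan a real capture, pass the bytes of filter.pcap (from the tar logs archive) or of an ethereal save file to find_radius_passwords together with the secret configured for that authentication server. A wrong secret produces garbage rather than an error, which is also why rotating the shared secret after a capture has leaked matters: the hiding is reversible by anyone who learns it.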
Network Utilities
Ping
To launch a ping from the WebUI, navigate to Diagnostics > Ping.
Traceroute
To see the path traffic is taking by using the WebUI, navigate to Diagnostics >
Traceroute. Enter the destination IP address and click Trace.
General Information
The Access Point section of the Diagnostics tab provides support information
on your Access Point devices.
Received Configuration
To capture AP configurations, navigate to Diagnostics > Received Configuration.
Enter the AP IP address and ESSID and click Show Configuration.
Software Status
To display software status information for specified APs, navigate to
Diagnostics > Software Status, enter the IP address of the target AP and click
Show Status.
Debug Log
To display the debug log when you have run debug tests, navigate to
Diagnostics > Debug Log, enter the IP address of the logging device, and click Show
Debug Log.
Detailed Statistics
To examine statistics for APs, navigate to Diagnostics > Detailed Statistics, enter
the IP address of the target AP, then click Show Statistics.
Web Diagnostic
To see diagnostics information from an AP’s Web Server, navigate to
Diagnostics > Web Diagnostics, enter the IP address of the target AP, and click
Link to AP Web Server.
NOTE—The AP’s Web server can only be accessed while the AP is booting.
5 Command Reference
Getting Help
Online help is available for all commands by pressing ?. There are two levels of
help.
To see what other command strings match what you have entered, type ? at
the end of the string (no space) for which you want information. For example:
(switch) #reload?
To see help text for a command, enter the command for which you want help,
enter a space, then type ?. For example:
(switch) #ping ?
Tips
To save time in entering commands, you only need to enter the first unique
characters, then press Tab. The CLI will complete the rest of the command
string.
The following sections explain the commands that are available at each mode.
Notice that AOS-W Wireless LAN Switch commands are not listed
alphabetically as one might expect in a reference manual. Because commands
only apply in the mode, or context, in which they are executed, this chapter
lists commands alphabetically by mode. This is intended to help you
understand the difference, for example, between an aaa command in Privileged
mode and an aaa command in Configuration Terminal mode. Commands that
function the same across all modes, (exit or traceroute, for example) are
defined once and cross referenced.
Exec mode commands allow very basic administrative access to the switch.
Users who know the username and password for this level, but not the
Privileged mode password, can only confirm basic Layer-3 connectivity.
enable
Changes the CLI mode from the current Exec mode to Privileged mode.
Privileged mode commands allow users to perform basic file management and
system management functions.
Example
(switch)> enable
(switch)#
exit
Typically leaves the current mode and returns to the previous mode. In this
case, since the Exec mode is the entry-level mode, entering this command
terminates the connection to the switch.
Example
(switch)> exit
See logout.
logout
Terminates the session.
Example
(switch)> logout
See exit.
ping
Equivalent to the Unix ping command (with default options). This command
issues a query to the specified device such that if the specified device is active
and online, that device will respond back to the device issuing the ping. Useful
for determining network connectivity between devices.
Syntax
ping <ipaddr>
where ipaddr is the IP address of the device to send ping (or ICMP echo)
packets.
Example
(switch)> ping 10.1.1.1
Press 'q' to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =
56.73/61.485/75.943 ms
(switch)>
traceroute
Equivalent to the Unix traceroute command (with default options). This
command traces the path packets take to go from the switch to the specified
device.
Syntax
traceroute <ipaddr>
where ipaddr is the IP address of the destination device. The path to be traced
is that between the switch and the specified device.
Example
(switch)#traceroute 10.1.2.3
Press 'q' to abort.
Tracing the route to 10.1.2.3
(switch) #
Users who know the Privileged mode password have access to the
commands that control the switch’s file operating system, and such modes as
the AAA and Air Monitor modes. This mode also allows access to the
Configuration Terminal mode which is the mode that controls the switch
configuration.
aaa Commands
The Privileged mode aaa commands include:
(switch) #aaa ?
inservice Bring authentication server into service
stateful-authentication
test-server Test authentication server
Syntax
aaa inservice <string> where string is the name of the authentication server to
be enabled.
Example
(switch)# aaa inservice Alcatel.com
See also:
aaa test-server
Syntax
[no] aaa inservice stateful-authentication
Example
(switch)# aaa inservice stateful-authentication
To disable stateful-authentication, enter:
Syntax
aaa stateful-authentication dot1x delete-all
Example
Syntax
aaa test-server <string>
Example
The following example verifies that the authentication server Alcatel is enabled
and working.
aaa user
Syntax
aaa user {add <ipaddr> | clear-sessions <ipaddr> | debug <ipaddr|mac|name <string>> |
delete <ipaddr|all|mac|name <string>|role <string>> | logout <ipaddr>}
where:
add <ipaddr>                       Adds the IP address of a user.
clear-sessions <ipaddr>            Clears the specified user session.
debug <ipaddr|mac|name <string>>   Debugs a user by IP address, MAC address, or name.
delete <ipaddr|all|mac|name <string>|role <string>>
                                   Deletes the specified user. Use all to delete all
                                   connected users.
logout <ipaddr>                    Logs the specified user out.
Examples
The following examples show a user being added, their sessions being cleared,
a user being debugged, a user being deleted, and a user being logged out.
Syntax
ads netad learn <anomaly-id>
Example
(switch) #ads netad learn
am
Configures scanning on the specified channel for the specified Air Monitor.
Syntax
am scan <am-ip> <channel> <bssid>
where:
Example
(switch) #am scan 10.4.4.4 11
Module AM is busy. Please try later
ap-upgrade-config
Allows you to convert your existing 802.11b configurations to support 802.11g
as well.
Example
(switch) #ap-upgrade-config
(switch) #
apflash
Reflashes the specified Access Point.
Syntax
(switch) #apflash <ipaddr>
Example
(switch) #apflash 192.10.10.1
audit-trail
Example
(switch) #audit-trail
backup
Backs up and compresses critical files to flashbackup.tar.gz.
Example
(switch) #backup flash
boot
Specifies the configuration file and the partition the switch uses to boot.
Syntax
boot <config-file> <filename> | <system> <0|1>
Example
The following example directs the switch to boot from config file 9147.
clear Commands
Parameter      Description
ads            Anomaly Detection System commands
arp            Clear the ARP table
counters       Clear counters on one or all interfaces
crypto         Clear crypto state
ip
loginsession   Login session
mobile         Mobility manager
rap-wml        Rogue AP Wired MAC Lookup commands
site-survey    Site Survey clear commands
stm            Station Management commands
vpdn           Clear vpdn state
wms            Wireless LAN Management System commands
clear ads netad anomaly
Parameter      Description
all            Resets all NETAD anomaly counters to zero.
id             Resets the specified NETAD anomaly counter to zero.
Example
(switch) #clear ads netad anomaly all
clear arp
Clears the Address Resolution Protocol (ARP) table.
Example
(switch) #clear arp
clear counters
Clears the counters on the specified interface or virtual router.
Syntax
clear counters fastethernet <slot/port>
where <slot>/<port> specifies which card and which port is to be reset.
Example
(switch) #clear counters fastethernet 1/1
Syntax
clear counters gigabitethernet <slot/port>
where <slot>/<port> specifies which card and which port is to be reset.
Example
(switch) #clear counters gigabitethernet 1/1
Syntax
clear counters vrrp <id>
where <id> is the Virtual Router ID. Valid ID range is 1-255.
Example
(switch) #clear counters vrrp 1
clear crypto
Clears cryptographic state.
Syntax
clear crypto {dp | ipsec {sa | <peer> <ipaddr>} | isakmp}
where:
dp                              Clears the latest DP crypto packets.
ipsec {sa | <peer> <ipaddr>}    Clears IPSec security association state, for all
                                peers or for the specified peer.
isakmp                          Clears ISAKMP (IKE) state.
Example
To clear dp packets, enter:
(switch) #clear crypto dp
clear loginsession
Clears the specified login session.
Syntax
clear loginsession <id>
where <id> is the ID of the login session to clear.
Example
To clear login session 2, enter:
(switch) #clear loginsession 2
id             Tunnel ID to clear
channel-plan
ap             Clear AP information
probe
<bssid>        BSSID of AP
clock
Sets the system clock.
Syntax
clock set <year> <month> <day> <hour> <min> <sec>
where <year> is the four-digit year, <month> is the name of the month, <day> is
the day of the month (1-31), <hour> is the hour (0-23), <min> is the minute
(0-59), and <sec> is the second (0-59).
Example
configure terminal
Accesses the switch configuration mode.
Example
(switch)#configure terminal
(switch)(config)#
copy
Duplicates files.
Syntax
copy <source> <destination>
where <source> and <destination> are one of:
flash:           Flash file system
ftp:             FTP file system
log              Logging
running-config   Running configuration
startup-config   Startup configuration
system:          System partition
tftp:            TFTP file system
copy flash
Copies the flash file to a backup file on the switch or to an external host using
TFTP.
Syntax
copy flash <srcfilename> <flash:destfilename> |<tftp:tftphost>
Examples
(switch) #copy flash: 9147 tftp:10.1.1.55
copy system
Copies the system from one partition to the other.
Syntax
copy system: <source partition 0|1> <destination partition 0|1>
Example
(switch) #copy system: partition 1 0
copy log
Copies the specified log file to the specified location.
Syntax
copy <module> <destination>
where modules are:
copy running-config
Copies the running-config file to the specified location.
Syntax
copy running-config <flash:destfilename> |<tftp:tftphost>
Note: The running configuration may contain credentials such as authentication
server keys, and TFTP provides neither authentication nor encryption. Copy the
configuration to a TFTP host only across a trusted management network, and
protect the resulting file as you would the switch itself.
copy startup-config
Copies the startup-config file to the specified location.
Syntax
copy startup-config <flash:destfilename> |<tftp:tftphost>
copy tftp
Copies the specified file to the specified location using TFTP.
Syntax
copy tftp: <tftphost> <filename> <flash | system partition>
where:
flash Specifies that the file be copied to the flash file system.
Example
The following example specifies that the file main be copied to system partition
1 using TFTP.
(switch) #copy tftp: main 9147 system: partition 1
copy ftp
Copies the specified file to the specified location using FTP.
Syntax
copy ftp: <filename> <flash | system partition>
where:
flash Specifies that the file be copied to the flash file system.
Example
The following example specifies that the file main be copied to system
partition 1 using FTP.
(switch) #copy ftp:
crypto
Configures IKE.
Syntax
crypto isakmp
Example
(switch) #crypto isakmp
database
Syncs the database.
Example
(switch) #database synchronize
debug
Enables debugging for the following switch features:
Example
The following example turns on debugging for all aaa module functions.
delete
Removes the specified file name from flash. The file must exist in flash and be
correctly specified before the delete command can remove it.
Syntax
delete <filename>
Example
The following example removes the file named test from flash.
(switch) #delete test
dir
Displays a listing of all the files in flash. This command is the same as the DOS
dir command (similar to the Unix ls command).
Example
The following example lists all the files in the root directory of flash.
(switch) #dir
(switch) #
halt
Gracefully stops all processes on the switch. Users should halt the switch
before rebooting or shutting down to avoid interrupting processes underway.
Example
(switch) #halt
(switch) #
local-userdb
Manages the user database.
Syntax
local-userdb {add <username> | del | del-all | export | fix-database | import |
modify}
where
add Add a user
del Delete a user
del-all Delete all users
export Export the Local User Database to a file
fix-database Use this command with CAUTION: it wipes out the whole database.
To save existing data, use the export command first.
import Use this command with CAUTION: it replaces the existing users with the
user entries from the imported file.
modify Modify the user attributes.
Example
The following example illustrates adding the user Vipin to the local user
database.
(switch) #local-userdb add Vipin
no
Disables the feature specified.
Syntax
(switch) #no ?
aaa Authentication commands
audit-trail Enable Audit Trail
crypto Configure IPSec, IKE, and CA
debug Debugging Functions
paging Output paging
Example
To disable IKE, enter:
packet-capture
Configures monitoring the specified types of traffic. This is useful for
diagnostic purposes.
Syntax
packet-capture {Alcatelmsg <opcodes> | other <enable | disable> | tcp
<ports> | udp <ports>}
where:
Example
(switch) #packet-capture Alcatelmsg all tcp all
page
TBD
Syntax
page <length>
where <length> specifies the size of the page. Valid range is 24 - 100.
Example
The following example sets the page size to 80
(switch) #page 80
(switch) #
paging
TBD
Example
TBD
(switch) #paging
(switch) #
panic
Manages files created during a system crash.
Syntax
panic {clear | info <file filename | nvram symbolfile> | list <file |
nvram> | save filename}
where:
info prints out the specified panic file information from either NVRAM or flash.
save saves the panic file with the specified file name.
Example
The following example shows how to display any panic files in NVRAM. (There
are no panic files.)
(switch) #panic list nvram
# Date PN PANIC/EX ver built by Process
0 IS EMPTY
1 IS EMPTY
pcap
Starts or stops packet capture sessions.
Syntax
pcap {<start | stop | resume> | clear | interactive ipaddr | raw-start
<ipaddr> <target-ipaddr> <target-port> <format> [bssid | channel]}
where:
Example
The following example starts a raw packet capture session for the AM at
10.100.100.1 and sends the frames to the target IP address 192.168.22.44 on
port 604 in pcap format.
ping
Syntax
ping <ipaddr>
where ipaddr is the IP address of the device to which the ping (ICMP echo)
packets are sent.
Example
(switch)> ping 10.1.1.1
Press 'q' to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =
56.73/61.485/75.943 ms
(switch)>
reload
Resets the system to boot to the configuration file.
Example
(switch) #reload
Do you really want to reset the system(y/n) : y
System will now restart!
...
Restarting system.
reload-peer-sc
Example
(switch) #reload-peer-SC
rename
Changes the specified file name to a new file name.
Syntax
(switch) #rename <filename> <newfilename>
Example
The following example changes the file named bud to pub.
restore
Reinstates the backed up flash directories in flashbackup.tar.gz. The tar backup
file is untarred and uncompressed.
Syntax
restore flash
Example
(switch) #restore flash
secret
These commands are intended for use by authorized support personnel. Do not
use these commands unless directed to do so by Alcatel Support.
show
The show commands display information on the following modules:
(switch) #show ?
aaa Show AAA configuration
access-list Show access-lists
acl Show internal ACL tables
adp ADP related commands
ads Show Anomaly Detection System state
am Air Monitor commands
ap Access Point commands
ap-leds Show AP LED array state for a slot
ap-params AP environment variables to be programmed
arp ARP information
audit-trail Show Audit Trail Log
banner
boot Display boot parameters
clock
configuration Show saved configuration
country Displays the country code setting
cpuload Display CPU Load
crypto Show crypto configuration
database Database management
datapath Datapath statistics
debugging State of each debugging option
destination Show network destination information
dot1x Show 802.1X Information
firewall Show global firewall configuration
hostname Display the host name
image Show System image version information
interface Interface Status and Configuration
inventory Show hardware inventory
ip IP information
keys Show optional keys/features enabled
local-switches Local switches connected to the master
local-userdb User's in the Local User DataBase
location Show the switch location
log Show the contents of the logging buffers
logging Show Logging Levels for applications
loginsessions Show administrator login sessions
mac-address-table MAC Forwarding Table
master-redundancy Master Switch Redundancy Configuration
memory Display the memory information
mgmt-modules Show the predefined Management Modules
mgmt-role Management Role Definition
mgmt-user Show Management User Information
mobile Displays mobility information
mux Show MUX Information
netdestination Show network destinations
netservice Show network services
netstat Show current active network connections
ntp NTP Server Info
packet-capture Show packet-capture settings.
packet-capture-defaul.. Show packet-capture default settings (saved in config file).
pcap Packet Capture commands
port Show switch port configuration
processes Show system processes
provisioning-ap-list
rap-wml Rogue AP Wired MAC Lookup Commands
rfsm Show RF Spectrum Management Information
rights Show access rights for user roles
roleinfo Show the switch role
routerid Router Id of the Switch
running-config Show running configuration
sapm
session-access-list Show session access-list
site-survey Show Site Survey information
slots Slots which have line cards in them.
snmp Display the SNMP Configured
spanning-tree Spanning tree topology
spantree Global spanning tree topology
ssi Show Security Service Interface information
startup-config Show saved configuration
station-table Show internal station table
stm Show 802.11 station management information
storage Display the switch storage information
switch Switch Configuration
switches M-switches connected to the master and the master included
switchinfo Display the switch system information
syscontact Display the system contact
syslocation Display the system location
tech-support Display the general switch information
time-range Show time-range
trunk Vlan Trunk Port Information
un-provisioned
user
user-table Show internal user table
users Show administrative users
version Show System version
virt-ap Show virtual APs configured at a location
vlan VLAN IP Interface
vpdn Show vpdn state
vpn-dialer Show VPN dialers
vrrp VRRP configuration information
Wireless LAN Show Wireless LAN Information
wms Commands for viewing Wireless IDS configuration
(switch) #
site-survey
Syntax
Example
(switch) #site-survey ?
<bssid> AP bssid
stm
Manages the station manager commands.
Syntax
Example
(switch) #stm ?
<mac>
(switch) #
swkey
Installs a software license key that enables the specified feature.
Syntax
swkey <softwareKey>
where <softwareKey> is the Software activation Key.
Example
TBD
tar
Creates a file in Unix tar file format.
Syntax
tar {clean | crash | flash | logs}
where:
clean Removes a tar file
crash tar the crash directory to crash.tar
flash tar and compress the /flash directory to flash.tar.gz
logs tar the logs directory to logs.tar
Example
To create a tar file for the directories in flash, enter:
traceroute
Equivalent to the Unix traceroute command (with default options). This
command traces the path packets take to go from the switch to the specified
device.
Syntax
traceroute <ipaddr>
where ipaddr is the IP address of the destination device. The path to be traced
is that between the switch and the specified device.
Example
(switch)#traceroute 10.1.2.3
Press 'q' to abort.
Tracing the route to 10.1.2.3
(switch) #
See also the traceroute command in Configuration mode and Exec mode.
whoami
This command returns the name of the user who is logged in to this session. It
is the same as the Unix command of the same name.
Example
(switch) #whoami
user admin - role root
wms
Syntax
Example
(switch) #wms ?
ap configure AP mode
(switch) #wms ap ?
<bssid> bssid of AP
(switch) #
write
Saves the running configuration to memory or to the terminal computer. Can
also be used to erase the running configuration and return the switch to factory
defaults.
Syntax
write {erase all | memory | terminal}
Example
To delete the running configuration and databases and return the switch to
factory default settings, enter:
The following commands allow you to configure your Wireless LAN Switch and
APs.
aaa Commands
This command controls user authorization and authentication for the switch.
Use the no form of this command to disable AAA functions.
Syntax
aaa {bandwidth-contract | captive-portal | derivation-rules | dot1x | kerberos |
ldap-server | mac-authentication | mgmt-authentication |
pubcookie-authentication | radius-accounting | radius-attributes | radius-server |
stateful-authentication | timers | trusted-ap | vpn-authentication | web}
aaa bandwidth-contract
Configures the bandwidth contract.
Syntax
aaa bandwidth-contract <STRING> <kbits | mbits> <bandwidth>
Where: STRING is the name of the bandwidth contract
Example
The following example sets the amount of bandwidth for the bandwidth
contract named test to 48 mbits per second.
aaa captive-portal
Configures the Captive Portal.
Syntax
aaa captive-portal {auth-server <string> <position> <range> | default-role
<string> | guest-logon | login-page <string> | logon-wait <cpu-utilization> <%> |
<range> <value> | logout-popup-window | max-authentication-failures <value> |
protocol-http | redirect-pause <time> | show-fqdn | sygate-on-demand
<enable> <remediation-failure {role <name> | url <name>}> | theme <name> |
user-logon | welcome-page <string>}
where:
login-page Specifies the name of the alternate login page HTML file.
logon-wait Configures a logon wait when the CPU is overloaded. Specify either
the percentage of CPU utilization when a logon wait is to be enforced, or
specify a number of seconds (range) to wait for captive portal logons. The
minimum wait is one second.
show-fqdn Allows the user to see and select the fully qualified domain name
(FQDN).
theme Selects the theme for the captive portal page. Specify default1,
default2, default3, or custom.
Example
The following example shows how to blacklist any user unsuccessfully
attempting more than three times to log onto the captive portal.
Syntax
aaa derivation-rules server <STRING>
where STRING is the name of the authentication server. (The server must have
already been configured.)
Example
(Alcatel6000) (config) #aaa derivation-rules server Alcatel
Syntax
aaa derivation-rules user
Example
(Alcatel6000) (config) #aaa derivation-rules user
Syntax
aaa dot1x auth-server <name>
where name is the name of the authentication server.
Example
(Alcatel6000) (config) #aaa dot1x auth-server Alcatel
Syntax
aaa dot1x default-role STRING
where STRING is the name of the default role.
Example
(Alcatel6000) (config) #aaa dot1x default-role guest
Syntax
none
Example
(Alcatel6000) (config) #aaa dot1x enforce-machine-authentication
Syntax
aaa dot1x max-authentication-failures NUMBER
where NUMBER is the number of times a user can attempt to authenticate
before being blacklisted. Valid range is .
Example
(Alcatel6000) (config) #aaa dot1x max-authentication-failures 4
Syntax
aaa dot1x mode <disable> <enable>
where disable turns off 802.1x authentication and enable turns it on.
Example
(Alcatel6000) (config) #aaa dot1x mode enable
Syntax
aaa kerberos <name> <domain-name> <host> <mode> <timeout>
where name is the name of the KDC, domain-name is the fully qualified
domain name, host is the address of the KDC, mode enables or disables
Kerberos authentication, and timeout configures the time period allowed between
Kerberos requests and responses. The valid range is 0-60 seconds.
Example
(Alcatel6000) (config) #aaa kerberos Alcatel.com domain-name Alcatel.com
host paul mode enable timeout 30
aaa ldap-server
Configures an LDAP server.
Syntax
aaa ldap-server STRING
where STRING is the name of the LDAP server
Example
(Alcatel6000) (config) #aaa ldap-server paul
(Alcatel6000) (config-ldapserver-paul)#
Syntax
admin-dn STRING
Example
(Alcatel6000) (config-ldapserver-paul)#admin-dn pauldn
(Alcatel6000) (config-ldapserver-paul)#
Syntax
admin-passwd [STRING]
where STRING is the password for the Admin user who can search for the
LDAP user.
Example
(Alcatel6000) (config-ldapserver-paul)#admin-passwd paul
(Alcatel6000) (config-ldapserver-paul)#
Syntax
[no] allow-noencrypt
Example
(Alcatel6000) (config-ldapserver-paul)#allow-noencrypt
(Alcatel6000) (config-ldapserver-paul)#
Syntax
[no] authport INTEGER
Example
(Alcatel6000) (config-ldapserver-paul)#authport 65000
(Alcatel6000) (config-ldapserver-paul)#
Syntax
base-dn STRING
where STRING is the Base Distinguished Name for searching the LDAP server.
Example
(Alcatel6000) (config-ldapserver-paul)#base-dn paulbase
(Alcatel6000) (config-ldapserver-paul)#
Syntax
[no] filter STRING
where STRING is the filter that is used as a key when searching the LDAP
server.
Example
(Alcatel6000) (config-ldapserver-paul)#filter filter
(Alcatel6000) (config-ldapserver-paul)#
Syntax
host STRING
Example
(Alcatel6000) (config-ldapserver-paul)#host 192.11.2.0
(Alcatel6000) (config-ldapserver-paul)#
Syntax
[no] inservice
Example
(Alcatel6000) (config-ldapserver-paul)#inservice
(Alcatel6000) (config-ldapserver-paul)#
Syntax
key-attribute keyattribute STRING
where STRING is the name of the attribute to be used as the key when
searching the LDAP server.
Example
(Alcatel6000) (config-ldapserver-paul)#key-attribute keyattribute
(Alcatel6000) (config-ldapserver-paul)#
aaa ldap-server no
Disables the following commands:
allow-noencrypt
authport
filter
inservice
timeout
Syntax
[no] timeout <seconds>
where seconds is the timeout value in seconds. Valid range is 1-30 seconds.
Example
(Alcatel6000) (config-ldapserver-paul)#timeout 25
(Alcatel6000) (config-ldapserver-paul)#
Syntax
aaa mac-authentication auth-server STRING position
where STRING is the name of the authentication server and position is the
server priority. Valid range is . Specify 1 for the highest position. The default is
lowest position.
Example
(Alcatel6000) (config) #aaa mac-authentication auth-server internal-db 5
Syntax
aaa mac-authentication default-role STRING
where STRING is the name of the default role.
Example
(Alcatel6000) (config) #aaa mac-authentication default-role guest
Syntax
(Alcatel6000) (config) #aaa mac-authentication
max-authentication-failures NUMBER
where NUMBER is the number of times a user can attempt unsuccessfully to
login before the system blocks them out by blacklisting them.
Example
(Alcatel6000) (config) #aaa mac-authentication
max-authentication-failures 4
Syntax
(Alcatel6000) (config) #aaa mac-authentication mode <disable | enable>
where enable turns MAC-based authentication on, and disable turns it off.
Example
To turn MAC-based authentication on, enter:
Syntax
aaa mgmt-authentication auth-server STRING position
where STRING is the name of the authentication server and position is the
server priority. Valid range is . Specify 1 for the highest position. The default is
lowest position.
Example
(Alcatel6000) (config) #aaa mgmt-authentication auth-server internal-db
5
Syntax
aaa mgmt-authentication default-role STRING
where STRING is the name of the default role.
Example
(Alcatel6000) (config) #aaa mgmt-authentication default-role guest
Syntax
(Alcatel6000) (config) #aaa mgmt-authentication mode <disable | enable>
where enable turns MAC-based authentication on, and disable turns it off.
Example
To turn MAC-based authentication on, enter:
aaa pubcookie-authentication
Configures pubcookie authentication.
Syntax
aaa pubcookie-authentication
Example
(Alcatel6000) (config) #aaa pubcookie-authentication
aaa radius-accounting
Configures RADIUS accounting.
Syntax
aaa radius-accounting
Example
(Alcatel6000) (config) #aaa radius-accounting
aaa radius-attributes
Configure RADIUS attribute
Syntax
aaa radius-attributes add STRING INT <date | integer | ipaddr | string> [vendor
<STRING > <INTEGER>]
where STRING is the name of the attribute to be added, INT is the attribute type
of:
date Attribute type is Date
vendor STRING is the name of the vendor specific attribute, and INTEGER is the
vendor Identifier.
Example
The following example adds the RADIUS name-value pair:
employee-type-admin.
aaa radius-server
Configures a RADIUS server.
Syntax
(Alcatel6000) (config) #aaa radius-server STRING [acctport <port_num> | authport
<port_num> | host <hostname> | inservice | key <key_name> | match-essid <essid> |
match-fqdn <fqdn> | mode <disable|enable> | nas-identifier <nas_ID> | retransmit
<retransmit_num> | timeout <timeout_value> | trim-fqdn]
authport specifies the port number used for authentication (default is port
1812)
timeout specifies the timeout period for RADIUS request. The default is
10 seconds.
trim-fqdn trims the FQDN from the user name before sending to server
Example
Syntax
aaa stateful-authentication dot1x ap-config <name> ap-ipaddr <ipaddr>
radius-server-name <name> [key <keyvalue>]
Where
radius-server-name is the name of the RADIUS Server used for stateful 802.1X
Authentication
Example
(Alcatel6000) (config) #aaa stateful-authentication dot1x ap-config
paulconfig ap-ipaddr 1.1.2.3 radius-server-name paulserver key boo
Syntax
aaa stateful-authentication dot1x auth-server <auth-server-name>
Where
Example
(Alcatel6000) (config) #aaa stateful-authentication dot1x auth-server
paulauthser
(Alcatel6000) (config) #
Syntax
aaa stateful-authentication dot1x default-role STRING
Example
(Alcatel6000) (config) #aaa stateful-authentication dot1x default-role
pauldefrole
(Alcatel6000) (config) #
Syntax
aaa stateful-authentication dot1x mode <disable | enable >
Where:
Example
(Alcatel6000) (config) #aaa stateful-authentication dot1x mode enable
(Alcatel6000) (config) #
Syntax
aaa stateful-authentication dot1x timeout <0-20>
Where
<0-20> is the time allowed for the reply. Valid range is 0-20.
Example
(Alcatel6000) (config) #aaa stateful-authentication dot1x timeout 10
(Alcatel6000) (config) #
Syntax
aaa stateful-authentication kerberos enable
Example
(Alcatel6000) (config) #aaa stateful-authentication kerberos enable
(Alcatel6000) (config) #
aaa trusted-ap
Configure trusted third party APs.
Syntax
Example
(Alcatel6000) (config) #
Syntax
Example
(Alcatel6000) (config) #
Syntax
Example
aaa web
Web server configuration
Syntax
aaa web admin-port https <port number>
where:
port number is the number of the HTTPS port. Valid range is 0-65535.
Example
(Alcatel6000) (config) #aaa web admin-port https 6500
(Alcatel6000) (config) #
Syntax
aaa xml-api client IPaddress
where:
Example
(Alcatel6000) (config) #aaa xml-api client 1.2.3.4
(Alcatel6000) (config) #
adp Commands
These commands control Access Point configuration and management using
the Alcatel Discovery Protocol.
adp
Enables the Alcatel Discovery Protocol commands.
adp discovery
Enables or disables ADP.
Syntax
Where:
igmp-vlan specifies which VLAN to send IGMP Reports to. Default 0. Uses
default route VLAN.
Example
(Alcatel6000) (config) # adp discovery enable igmp-join enable igmp-vlan
565
(Alcatel6000) (config) #
ads Commands
(Alcatel6000) (config) #ads ?
netad
Configure Network Traffic Anomaly Detection (NETAD)
ap Commands
Configures Access Points either by BSSID or by location.
ap bssid
Configures APs by their MAC address (BSSID).
Syntax
ap bssid <bssid>
Where:
<bssid> specifies the BSSID in typical MAC address format:
AA:BB:CC:DD:EE:FF
Example
(Alcatel6000) (config) #ap bssid 00:00:00:01:02:ff
ap location
Accesses the AP location mode.
arm Commands
Configures the Adaptive Radio Management commands.
Syntax
arm [acceptable-coverage-index <index> | backoff-time <backoff time> |
error-rate-threshold <threshold value> | error-rate-wait-time <wait time> |
free-channel-index <free channel index value> | ideal-coverage-index
<coverage index value> | min-scan-time <scan time> | wait-time <wait time
value>]
Where:
Option Description
acceptable-coverage-index <index> Specifies to the AP how good the coverage on
this channel should be. The range is .
Example
(Alcatel6000) (config) #arm acceptable-coverage-index 2 arm backoff-time
230 arm error-rate-threshold 3 arm error-rate-wait-time 50 arm
free-channel-index 30 arm ideal-coverage-index 2 arm min-scan-time 30 arm
wait-time 40
arp
Adds a static Address Resolution Protocol entry to the routing table.
Syntax
arp <ipaddr> <mac>
where:
<mac> is the 48-bit hardware address of the device, entered in the following
format:
xx:xx:xx:xx:xx:xx
Example
(Alcatel6000) (config) #arp 64.121.71.218 00:00:01:01:02:ae
NOTE— If the IP address does not belong to a valid IP subnet, the ARP entry
will not be added. If the IP interface that defines the subnet for the static
ARP entry is deleted, you will be unable to use the arp command to overwrite
the entry's current values. Issue no arp a.b.c.d first, and then issue the new
arp command.
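The note above imposes two checks on a static ARP entry: the address must fall inside a subnet defined by a configured IP interface, and an existing entry is never overwritten in place but must first be removed with no arp. The following added example, not AOS-W code, models both checks together with the xx:xx:xx:xx:xx:xx format rule; the interface table and the StaticArpTable class are constructed for illustration.

```python
import ipaddress
import re

# Hardware address format the arp command requires: xx:xx:xx:xx:xx:xx
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}$")


class StaticArpTable:
    """Models 'arp <ipaddr> <mac>' and 'no arp <ipaddr>' against the configured
    IP interfaces, applying the rules stated in the note (added example)."""

    def __init__(self, interface_subnets):
        # Constructed interface table, e.g. ["64.121.71.0/24"]; each entry
        # stands for an IP interface that defines a subnet.
        self.subnets = [ipaddress.ip_network(s) for s in interface_subnets]
        self.entries = {}  # ipaddress address -> lower-case MAC string

    def _in_configured_subnet(self, ip):
        return any(ip in net for net in self.subnets)

    def add(self, ipaddr, mac):
        """arp <ipaddr> <mac>: returns (installed, reason)."""
        if not MAC_RE.match(mac):
            return False, "MAC must be entered as xx:xx:xx:xx:xx:xx"
        ip = ipaddress.ip_address(ipaddr)
        if ip in self.entries:
            # Existing values are never overwritten in place: remove first.
            return False, "entry exists; issue 'no arp %s' and re-enter" % ipaddr
        if not self._in_configured_subnet(ip):
            return False, "no IP interface defines a subnet containing %s" % ipaddr
        self.entries[ip] = mac.lower()
        return True, "added"

    def remove(self, ipaddr):
        """no arp <ipaddr>: returns True if an entry was removed."""
        return self.entries.pop(ipaddress.ip_address(ipaddr), None) is not None

    def delete_interface(self, subnet):
        """Deleting the interface that defines a subnet leaves its static entries
        in place; they can no longer be replaced until removed with no arp."""
        self.subnets.remove(ipaddress.ip_network(subnet))
```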
banner motd
Creates a message (the Message Of The Day, or motd) that all users see when
logging into the CLI.
Syntax
banner motd <delimiter> <message body>
where:
delimiter is a character that ends the message creation session and returns to
the prompt.
Example
In the following example, the letter E (capital E) terminates the entering of the
message text and returns to the CLI prompt.
Hello TuesdayE
(Alcatel6000) (config) #
clock Commands
Configures the Wireless LAN Switch’s clock to show the Switch’s timezone
and to toggle to Daylight Saving Time as appropriate for the timezone setting.
clock summer-time
Syntax
clock summer-time <WORD> recurring [<1-4>|first|last] [day] [month]
[hh:mm] [<1-4>|first|last] [day] [month] [hh:mm] [<-23-23>] [<0-59>]
where:
<WORD> is the label of the timezone. This label should be no less than three and
no more than five characters long and should not start with a colon (:).
recurring specifies that the Switch should start daylight saving time every time
the starting specifications are met.
Example
The following example specifies that daylight saving time should start the first
Sunday in April at 2 AM and end the last Sunday in October also at 2 AM. The
timezone is Pacific Standard Time and the offset from Greenwich time is -8
hours.
(Alcatel6000) (config) # clock summer-time PST recurring 1 Sunday April
02:00 4 Sunday October 02:00 -8 0
(Alcatel6000) (config) #
NOTE—Be sure to configure clock timezone when configuring summer-time.
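The recurring rule above names a week, a day and a month; it resolves to concrete dates only once a year is chosen. The following added example, not AOS-W code, parses a clock summer-time command in the form shown, resolves the start and end of summer time for a given year, and reports the offset from Greenwich in effect at a local time; following the page's example it treats the trailing hour/minute pair as the standard-time offset, and it assumes a one-hour summer-time shift.

```python
import calendar
from datetime import date, datetime, timedelta

WEEKDAYS = {n.lower(): i for i, n in enumerate(calendar.day_name)}        # monday -> 0
MONTHS = {n.lower(): i for i, n in enumerate(calendar.month_name) if n}   # january -> 1


def nth_weekday(year, month, weekday, which):
    """Resolve '<1-4>|first|last' <day> <month> to a date in the given year."""
    if which == "last":
        last = date(year, month, calendar.monthrange(year, month)[1])
        return last - timedelta(days=(last.weekday() - weekday) % 7)
    n = 1 if which == "first" else int(which)
    if not 1 <= n <= 4:
        raise ValueError("week must be 1-4, first or last")
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7, weeks=n - 1)


def parse_summer_time(cmd):
    """Parse 'clock summer-time <WORD> recurring <week> <day> <month> <hh:mm>
    <week> <day> <month> <hh:mm> <hours> <minutes>' into a rule dict."""
    t = cmd.split()
    if len(t) != 14 or t[:2] != ["clock", "summer-time"] or t[3] != "recurring":
        raise ValueError("expected 14 words: clock summer-time <WORD> recurring ...")
    label = t[2]
    if not 3 <= len(label) <= 5 or label.startswith(":"):
        raise ValueError("timezone label must be 3-5 characters and not start with ':'")

    def edge(week, day, month, hhmm):
        hour, minute = (int(x) for x in hhmm.split(":"))
        return {"week": week.lower(), "weekday": WEEKDAYS[day.lower()],
                "month": MONTHS[month.lower()], "hour": hour, "minute": minute}

    hours, minutes = int(t[12]), int(t[13])
    if not (-23 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError("offset must be -23..23 hours and 0..59 minutes")
    # Minutes carry the sign of the hours (e.g. -3 30 means -03:30).
    offset = timedelta(hours=hours, minutes=minutes if hours >= 0 else -minutes)
    return {"label": label, "start": edge(*t[4:8]), "end": edge(*t[8:12]),
            "offset": offset}


def transitions(rule, year):
    """Local wall-clock datetimes at which summer time starts and ends in `year`."""
    def at(edge):
        d = nth_weekday(year, edge["month"], edge["weekday"], edge["week"])
        return datetime(d.year, d.month, d.day, edge["hour"], edge["minute"])
    return at(rule["start"]), at(rule["end"])


def utc_offset(rule, local_dt, shift=timedelta(hours=1)):
    """Offset from Greenwich in effect at a local time: the configured standard
    offset plus `shift` while summer time is in force. A rule whose start falls
    after its end (southern hemisphere) is handled by inverting the interval."""
    start, end = transitions(rule, local_dt.year)
    if start < end:
        in_summer = start <= local_dt < end
    else:
        in_summer = not (end <= local_dt < start)
    return rule["offset"] + (shift if in_summer else timedelta(0))


# The page's own example (first Sunday in April to the 4th Sunday in October, PST).
EXAMPLE = "clock summer-time PST recurring 1 Sunday April 02:00 4 Sunday October 02:00 -8 0"
```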
clock timezone
Syntax
clock timezone <WORD> [<-23-23>] [<0-59>]
where:
<WORD> is the label of the timezone. This label should be no less than three
and no more than five characters long and should not start with a colon (:).
Example
The following example configures the timezone label to show PST and sets
this timezone to be 8 hours behind Greenwich time.
crypto Commands
Configures the cryptographic settings including IPSec tunnels, ISAKMP keys,
and dynamic maps.
crypto dynamic-map
Configure Dynamic Maps commands in crypto dynamic-map mode.
Syntax
crypto dynamic-map <dynamic-map-name> <dynamic-map-number> [no] {set pfs
<group> | set security-association lifetime <seconds> | set transform-set
<transform-set-name>}
where:
pfs enables Perfect Forward Secrecy mode for group 1 (768-bit Diffie Hellman
prime modulus group) or group 2 (1024-bit Diffie Hellman prime modulus group).
security-association configures the Security Association by specifying the
lifetime with a valid range of 300 to 86400 seconds.
transform-set configures a Transform Set for this dynamic map. Specify up to
four transform sets.
Example
(Alcatel6000) (config) #crypto dynamic-map PAULMAP 6655
(Alcatel6000) (config-crypto-map)#
crypto ipsec
Configures IPSec parameters.
Syntax
crypto ipsec {mtu <size> | transform-set <transform-set-name> <encryption>
<auth>}
Where:
isakmp
Configures the IETF’s Internet Security Association and Key Management
Protocol.
Syntax
crypto isakmp {address | disable | enable | groupname | key | policy}
Where:
Example
(Alcatel6000) (config) #crypto isakmp ?
Key:********************
Re-Type Key:********************
(Alcatel6000) (config) #
Key:**********
Re-Type Key:**********
Not Supported
(Alcatel6000) (config) #
% Incomplete command.
(Alcatel6000) (config) #
(Alcatel6000) (config-isakmp)# ?
(Alcatel6000) (config-isakmp)#
map
Configures the crypto map.
Syntax
crypto map <global-map> <map-number> <ipsec-isakmp> <dynamic>
<dynamic-map-name>
Where:
<global map> configures the default global map
Example
(Alcatel6000) (config) # crypto map global-map 5 ipsec-isakmp dynamic
Paulmap
(Alcatel6000) (config) #
database synchronize
Synchronizes the internal database or RF Plan data on redundant master
switches.
Syntax
database synchronize {period <interval> | rf-plan-data}
Where:
Example
(Alcatel6000) (config) #database synchronize period 60
(Alcatel6000) (config) #
destination
Syntax
destination STRING <IP address> <subnet mask> [invert]
Where:
Example
(Alcatel6000) (config) #destination farleytech 67.121.71.218
(Alcatel6000) (config) #
dot1x Commands
Controls the 802.1x configuration which includes the following commands:
default Set global 802.1X parameters to default values
framed-mtu Set the Framed-MTU attribute sent to the authentication server
key-retries Set the number of retries for the unicast and multicast key rotation message
key-size Set the Dynamic WEP Key Size, Default Key Size is 128-Bit
max-req Set maximum number of identity requests
multicast-keyrotation Enable Multicast WEP Key Rotation
opp-key-caching Enable Opportunistic Key Caching
re-authentication Enable periodic 802.1X authentication
reauth-max Maximum number of reauthentication attempts
server Set authentication server parameters
dot1x default
Sets global 802.1X parameters to their default values.
Syntax
dot1x default
Example
(Alcatel6000) (config) # dot1x default
(Alcatel6000) (config) #
dot1x framed-mtu
Sets the Framed-MTU attribute that is sent to the authentication server.
Syntax
dot1x framed-mtu <mtu-size>
where
<mtu-size> is the size of the Frame MTU. Valid range is 400 to 1500 bytes.
Example
(Alcatel6000) (config) # dot1x framed-mtu 555
(Alcatel6000) (config) #
dot1x key-retries
Sets the number of retries for the unicast and multicast key rotation message
Syntax
dot1x key-retries <number>
where
<number> is the number of times the system retries the key rotation message. Valid range is 1-3.
Example
(Alcatel6000) (config) # dot1x key-retries 3
(Alcatel6000) (config) #
dot1x key-size
Set the Dynamic WEP Key Size.
Syntax
dot1x key-size {40 | 128}
where
Example
(Alcatel6000) (config) # dot1x key-size 40
dot1x max-req
Sets the maximum number of identity requests.
Syntax
dot1x max-req <retry>
where
Example
(Alcatel6000) (config) # dot1x max-req 5
(Alcatel6000) (config) #
dot1x multicast-keyrotation
Enable Multicast WEP Key Rotation
Syntax
dot1x multicast-keyrotation
Example
(Alcatel6000) (config) # dot1x multicast-keyrotation
(Alcatel6000) (config) #
dot1x opp-key-caching
Enable Opportunistic Key Caching
Syntax
dot1x opp-key-caching
Example
(Alcatel6000) (config) # dot1x opp-key-caching
(Alcatel6000) (config) #
dot1x re-authentication
Enables periodic 802.1X authentication.
Syntax
dot1x re-authentication
Example
(Alcatel6000) (config) # dot1x re-authentication
(Alcatel6000) (config) #
dot1x reauth-max
Maximum number of reauthentication attempts
Syntax
dot1x reauth-max <auth-count>
where
Example
(Alcatel6000) (config) # dot1x reauth-max 3
(Alcatel6000) (config) #
dot1x server
Sets authentication server parameters.
Syntax
dot1x server {server-retry <number> | server-timeout <timeout>}
where:
Example
(Alcatel6000) (config) # dot1x server server-retry 3
(Alcatel6000) (config) #
(Alcatel6000) (config) # dot1x server server-timeout 244
(Alcatel6000) (config) #
Syntax
dot1x timeout idrequest-period <1-65535>
where
Example
(Alcatel6000) (config) # dot1x timeout idrequest-period 2
(Alcatel6000) (config) #
Syntax
dot1x timeout mcastkey-rotation-period <period>
where:
Example
(Alcatel6000) (config) # dot1x timeout mcastkey-rotation-period 333
(Alcatel6000) (config) #
Syntax
dot1x timeout quiet-period <period>
where:
<period> is the number of seconds the quiet period lasts. Valid range is
1-65535 seconds.
Example
(Alcatel6000) (config) # dot1x timeout quiet-period 22
(Alcatel6000) (config) #
Syntax
dot1x timeout reauthperiod <period | server>
where:
Example
(Alcatel6000) (config) # dot1x timeout reauthperiod server
Syntax
dot1x timeout ucastkey-rotation-period <period>
where:
<period> is the number of seconds between unicast key rotations. Valid range is
60-2147483647 seconds.
Example
(Alcatel6000) (config) # dot1x timeout ucastkey-rotation-period 232
(Alcatel6000) (config) #
Syntax
dot1x timeout wpa-key-timeout <period>
where:
<period> is the timeout in seconds for each WPA key exchange. Valid range is
1-5 seconds.
Example
(Alcatel6000) (config) # dot1x timeout wpa-key-timeout 4
(Alcatel6000) (config) #
dot1x unicast-keyrotation
Enables Unicast Key Rotation.
Syntax
dot1x unicast-keyrotation
Example
(Alcatel6000) (config) # dot1x unicast-keyrotation
(Alcatel6000) (config) #
dot1x use-session-key
Use Radius Session Key as the Unicast WEP key.
Syntax
dot1x use-session-key
Example
(Alcatel6000) (config) # dot1x use-session-key
(Alcatel6000) (config) #
dot1x use-static-key
Uses a static key.
Syntax
dot1x use-static-key
Example
(Alcatel6000) (config) # dot1x use-static-key
(Alcatel6000) (config) #
dot1x wired-clients
Enable 802.1x for wired supplicants
Syntax
dot1x wired-clients
Example
(Alcatel6000) (config) # dot1x wired-clients
(Alcatel6000) (config) #
dot1x wpa-key-retries
Set the number of retries for the WPA key handshake.
Syntax
dot1x wpa-key-retries <number>
where:
Example
(Alcatel6000) (config) # dot1x wpa-key-retries 5
(Alcatel6000) (config) #
xSec-MTU
Specifies the xSec MTU.
Syntax
dot1x xSec-MTU <number>
where:
<number> is the size of the xSec MTU. Valid MTU sizes are from 1024-1500
bytes.
Example
(Alcatel6000) (config) # dot1x xSec-MTU 1200
(Alcatel6000) (config) #
enable
Configures the enable-level password.
Syntax
enable <password:> <re-typed password>
Example
(Alcatel6000) (config) # enable
Password:******
Re-Type password:******
(Alcatel6000) (config) #
encrypt
Enables encryption on the switch.
Syntax
encrypt <disable | enable>
Example
To turn on encryption, enter:
(Alcatel6000) (config) # encrypt enable
(Alcatel6000) (config) #
firewall Commands
Use these commands to configure the firewall.
firewall allow-tri-session
Allow three way session when performing destination NAT.
Syntax
firewall allow-tri-session
Example
(Alcatel2400) (config) #firewall allow-tri-session
(Alcatel2400) (config) #
Syntax
firewall attack-rate ping <number>
where <number> is the number of pings per second allowed. A higher number of
pings per second is deemed to be an attack. Valid range is 1-255 pings per
second.
Example
Syntax
firewall attack-rate session <number>
where
<number> is the limit of the number of IP sessions that can occur. Higher
numbers of IP sessions than this limit are considered an attack. Valid
range is 1-255 IP sessions per second.
Example
(Alcatel2400) (config) #
Syntax
firewall attack-rate tcp-syn <number>
where <number> is the threshold above which incoming TCP SYN traffic will
be considered an attack. Valid range is 1-255 SYN messages per second.
Example
(Alcatel2400) (config) #
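The three attack-rate commands above share one rule: events of a kind (echo requests, new IP sessions, TCP SYNs) are counted per source in one-second windows, and a window whose count exceeds the configured limit is treated as an attack. The following added example, not AOS-W code, applies that rule to constructed packet records with constructed threshold values; the record fields (ts, src, proto, type, flags, new_session) are assumptions.

```python
from collections import defaultdict

# Constructed thresholds, as they would be set with
#   firewall attack-rate ping 10 / session 50 / tcp-syn 20   (valid range 1-255 each)
ATTACK_RATE = {"ping": 10, "session": 50, "tcp-syn": 20}


def classify(pkt):
    """Return the attack-rate counters a packet record contributes to.
    Record fields (ts, src, proto, type, flags, new_session) are assumptions."""
    kinds = []
    if pkt["proto"] == "icmp" and pkt.get("type") == "echo-request":
        kinds.append("ping")
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S":
        kinds.append("tcp-syn")
    if pkt.get("new_session"):
        kinds.append("session")
    return kinds


def detect_attack_rates(packets, thresholds=ATTACK_RATE):
    """Count events per (one-second window, source, kind) and return one
    (second, src, kind, count) tuple for every window that exceeds its limit."""
    counts = defaultdict(int)
    for pkt in packets:
        window = int(pkt["ts"])  # one-second bucket
        for kind in classify(pkt):
            counts[(window, pkt["src"], kind)] += 1
    return [(sec, src, kind, n) for (sec, src, kind), n in sorted(counts.items())
            if n > thresholds[kind]]


def sample_packets():
    """Constructed traffic: 12 echo requests within one second from 10.1.1.5
    (over the ping limit of 10) and 5 SYNs from 10.1.1.6 (under the SYN limit)."""
    pkts = [{"ts": 100.0 + i * 0.05, "src": "10.1.1.5", "proto": "icmp",
             "type": "echo-request"} for i in range(12)]
    pkts += [{"ts": 100.0 + i * 0.1, "src": "10.1.1.6", "proto": "tcp",
              "flags": "S", "new_session": True} for i in range(5)]
    return pkts


if __name__ == "__main__":
    for sec, src, kind, n in detect_attack_rates(sample_packets()):
        print("second %d: %s exceeded %s rate (%d/s)" % (sec, src, kind, n))
```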
firewall deny-inter-user-bridging
Disallow forwarding non-IP frames between untrusted users.
Syntax
firewall deny-inter-user-bridging
Example
(Alcatel2400) (config) #
firewall disable-ftp-server
Disables the FTP server.
Syntax
firewall disable-ftp-server
Example
(Alcatel2400) (config) #
firewall disable-stateful-sip-processing
Disables stateful SIP processing. Stateful SIP processing is enabled by default.
Syntax
firewall disable-stateful-sip-processing
Example
(Alcatel2400) (config) #
firewall drop-ip-fragments
Drops all IP fragments.
Syntax
firewall drop-ip-fragments
Example
(Alcatel2400) (config) #
firewall enable-per-packet-logging
Enable per-packet logging. Default is per-session logging.
Syntax
firewall enable-per-packet-logging
Example
firewall enforce-tcp-handshake
Enforces a completed TCP handshake before allowing data.
Syntax
firewall enforce-tcp-handshake
Example
(Alcatel2400) (config) #
firewall log-icmp-error
Log all received ICMP errors.
Syntax
firewall log-icmp-error
Example
(Alcatel2400) (config) #
firewall prohibit-ip-spoofing
Prohibits IP spoofing.
Syntax
firewall prohibit-ip-spoofing
Example
(Alcatel2400) (config) #
firewall prohibit-rst-replay
Prohibits TCP RST replay attack.
Syntax
firewall prohibit-rst-replay
Example
(Alcatel2400) (config) #
firewall session-mirror-destination
Configures a destination for a mirrored session.
Syntax
firewall session-mirror-destination ip-address <ipaddr>
where
<ipaddr> is the IP address of the device acting as the mirror
destination
Example
foreign-agent
Accesses the foreign-agent mode commands ((Alcatel6000) (config-fa) #).
secure delete
Removes the specified Foreign-agent Home-agent security association.
Syntax
secure delete <spi_value>
where
Example
(Alcatel2400) (config) #
secure host
Configures the security association parameters between the foreign agent and the home agent.
Syntax
secure host <ip> spi <spi_value> shared-secret <shared_secret>
where:
Example
(Alcatel6000) (config-fa) # secure host 192.168.1.10 spi 5500 shared-secret paul
(Alcatel6000) (config-fa) # exit
(Alcatel6000) (config) #
home-agent
Accesses the home-agent command mode ((Alcatel6000) (config-ha)).
secure-foreign delete
Syntax
secure-foreign delete <spi_value>
where:
Example
(OAW-Wireless LAN) (config-ha) #secure-foreign delete 400
secure-foreign spi
Configures the security association parameters between the home agent and
the foreign agent.
Syntax
secure-foreign spi <spi_value> host <ipaddr> shared-secret <secret>
where:
Example
(Alcatel6000) (config-ha) #secure-foreign spi 5500 host 192.168.2.2 shared-secret paul
(Alcatel6000) (config-ha) #exit
(Alcatel6000) (config)#
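The foreign-agent and home-agent commands above each install one security association, indexed by SPI, that pairs a peer address with a shared secret; the delete commands remove it by SPI. The Python block below is an added illustration of how such an SA table is used to authenticate Mobile IP registration traffic between the two agents. It is not AOS-W code: it assumes the RFC 3344 Foreign-Home Authentication Extension (type 34, HMAC-MD5 over the message plus the extension's type, length and SPI), which the page does not state, and the registration body is constructed. The addresses and SPI come from the page's examples.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# Foreign-Home Authentication Extension type and length for an HMAC-MD5
# authenticator (4-byte SPI + 16-byte digest), per RFC 3344 (assumed here).
FA_HA_AUTH_EXT_TYPE = 34
FA_HA_AUTH_EXT_LEN = 20
EXT_TOTAL_LEN = 2 + FA_HA_AUTH_EXT_LEN  # type + length + SPI + authenticator

# SA database keyed by SPI, as the `secure host` / `secure-foreign spi` commands are.
SADB = Dict[int, Tuple[str, bytes]]


def secure_host(sadb: SADB, host: str, spi: int, shared_secret: str) -> SADB:
    """Mirror of `secure host <ip> spi <spi_value> shared-secret <shared_secret>`."""
    if not 0 < spi < 2 ** 32:
        raise ValueError("spi must fit in 32 bits")
    sadb[spi] = (host, shared_secret.encode())
    return sadb


def secure_delete(sadb: SADB, spi: int) -> bool:
    """Mirror of `secure delete <spi_value>`; returns False if the SPI was unknown."""
    return sadb.pop(spi, None) is not None


def _authenticator(secret: bytes, body: bytes, ext_header: bytes) -> bytes:
    # HMAC-MD5 over the registration message followed by this extension's
    # type, length and SPI fields; the authenticator itself is not covered.
    return hmac.new(secret, body + ext_header, hashlib.md5).digest()


def add_auth_extension(sadb: SADB, spi: int, body: bytes) -> bytes:
    """Sender side: append the FA-HA authentication extension for the SA chosen by SPI."""
    _peer, secret = sadb[spi]
    header = struct.pack("!BBI", FA_HA_AUTH_EXT_TYPE, FA_HA_AUTH_EXT_LEN, spi)
    return body + header + _authenticator(secret, body, header)


def verify_auth_extension(sadb: SADB, src_ip: str, message: bytes) -> Tuple[bool, str]:
    """Receiver side: look up the SA by SPI, check the peer address, recompute the HMAC.
    Every failure carries a reason so it can be logged."""
    if len(message) < EXT_TOTAL_LEN:
        return False, "message too short for an authentication extension"
    body, ext = message[:-EXT_TOTAL_LEN], message[-EXT_TOTAL_LEN:]
    ext_type, ext_len, spi = struct.unpack("!BBI", ext[:6])
    if ext_type != FA_HA_AUTH_EXT_TYPE or ext_len != FA_HA_AUTH_EXT_LEN:
        return False, "unexpected extension type or length"
    entry = sadb.get(spi)
    if entry is None:
        return False, f"no security association for SPI {spi}"
    peer, secret = entry
    if peer != src_ip:
        return False, f"SPI {spi} is bound to {peer}, not {src_ip}"
    expected = _authenticator(secret, body, ext[:6])
    if not hmac.compare_digest(expected, ext[6:]):
        return False, "authenticator mismatch (wrong shared secret or altered message)"
    return True, "ok"


def demo() -> Dict[str, bool]:
    """FA at 192.168.2.2 relays to HA at 192.168.1.10 with SPI 5500 and secret 'paul'."""
    fa_sadb = secure_host({}, "192.168.1.10", 5500, "paul")   # FA's SA towards the HA
    ha_sadb = secure_host({}, "192.168.2.2", 5500, "paul")    # HA's SA towards the FA
    body = b"\x01\x00" + b"registration-request-from-FA"      # constructed payload
    msg = add_auth_extension(fa_sadb, 5500, body)
    results = {}
    results["valid"] = verify_auth_extension(ha_sadb, "192.168.2.2", msg)[0]
    results["wrong_source"] = verify_auth_extension(ha_sadb, "10.0.0.9", msg)[0]
    tampered = msg[:4] + bytes([msg[4] ^ 0x01]) + msg[5:]
    results["tampered"] = verify_auth_extension(ha_sadb, "192.168.2.2", tampered)[0]
    wrong_secret = secure_host({}, "192.168.2.2", 5500, "not-paul")
    results["wrong_secret"] = verify_auth_extension(wrong_secret, "192.168.2.2", msg)[0]
    secure_delete(ha_sadb, 5500)
    results["after_delete"] = verify_auth_extension(ha_sadb, "192.168.2.2", msg)[0]
    return results
```

Both agents must hold the same SPI and secret, each pointing at the other's address, which is why the page configures the pair twice (once in config-fa, once in config-ha); deleting the SA on either side is enough to make the peer's messages fail verification.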
hostname
Configures the name string that appears in the system prompt.
Syntax
hostname <hostname>
where:
Example
(Alcatel6000) (config-ha) #hostname labtest
(labtest) >
NOTE— When you change the hostname you are returned to Exec mode and must log back in.
Interface Commands
Allows access to the interface type commands. This release supports the
following interfaces:
• FastEthernet IEEE 802.3
• GigabitEthernet
• Loopback
• Management (Ethernet)
• Tunnel
• VLAN
Syntax
interface fastethernet <slot/port>
where:
Example
(switch) (config) # interface fastethernet 1/1
(switch) (config-if) #
description
Syntax
description <text>
where
Example
(Alcatel6000) (config-if)# description this_is_a test
(Alcatel6000) (config-if)#
duplex
Configures the duplex mode of the interface: auto-negotiated, full duplex, or half duplex.
Syntax
duplex <auto | full | half>
where
Example
(Alcatel6000) (config-if)# duplex auto
(Alcatel6000) (config-if)#
ip
Configures the IP parameters for this FastEthernet port.
Syntax
ip access-group <name> <in | out | session>
where
Example
(Alcatel6000) (config-if)# ip access-group test session
(Alcatel6000) (config-if)#
muxport
Syntax
where
Example
(Alcatel6000) (config-if)#
no Delete Command
Syntax
where
Example
(Alcatel6000) (config-if)#
interface gigabitethernet
GigabitEthernet Interface
Syntax
Example
interface loopback
Loopback Interface
interface mgmt
Management Ethernet Interface
Syntax
Example
interface port-channel
Ethernet channel of interfaces
Syntax
Example
interface range
Interface range
interface tunnel
Syntax
Example
interface vlan
Switch VLAN Virtual Interface
IP Commands
These commands configure the Internet Protocol attributes of the Wireless LAN switch, including the default gateway (used when the switch is not routing IP).
ip access-list eth
Configures an Ethernet type access list.
Syntax
ip access-list eth <accname>
where
<accname> is the access list name or number. If you specify a number it must be between 200 and 299.
Example
(hostswitch) (config) #ip access-list eth 209
(hostswitch) (config) #
ip access-list extended
Configures an extended access list.
Syntax
ip access-list extended STRING
where STRING is a name or number. If you specify a number, the valid ranges are between 100 and 199 and between 2000 and 2699.
Example
(hostswitch) (config) #ip access-list extended 109
(hostswitch) (config) #
ip access-list mac
Configures a MAC type access list.
Syntax
ip access-list mac STRING
Where:
Example
(hostswitch) (config) #ip access-list mac 709
(hostswitch) (config) #
ip access-list session
Configures a session access list.
Syntax
ip access-list session <accname>
Where:
Example
(hostswitch) (config) #ip access-list session corporate
(hostswitch) (config) #
ip access-list standard
Configures a standard access list.
Syntax
ip access-list standard STRING
Where:
STRING is the access list name or number. If you specify a number it must be between 1 and 99, or between 1300 and 1399.
Example
ip default-gateway
Specifies the default gateway. Specify the default gateway if you are not routing IP.
Syntax
ip default-gateway <nexthop> [mgmt]
Where:
<nexthop> is the IP address of the default gateway
mgmt identifies this as the default gateway for the Management port.
Example
ip dhcp excluded-address
Configures the DHCP server’s excluded address range.
Syntax
ip dhcp excluded-address <low-address> [<high-address>]
Where:
<low-address> is the first address excluded from the pool, and <high-address> optionally specifies the last address of the excluded range.
Example
(hostswitch) (config) #ip dhcp excluded-address 1.1.1.1 20.2.2.2
(hostswitch) (config) #
ip dhcp pool
Configures the name of the DHCP address pool.
Syntax
ip dhcp pool <pool_name>
Where:
Example
(hostswitch) (config) #ip dhcp pool Lab_pool
(hostswitch) (config) #
(hostswitch) (config-dhcp)#?
authoritative DHCP server will NAK for DHCP discovers and requests not valid on the configured subnet
default-router Configure DHCP default router
dns-server Configure DHCP DNS server
domain-name Configure DHCP Domain Name
lease Configure DHCP lease time
netbios-name-server Configure DHCP NETBIOS server
network Configure DHCP network number
no Delete Command
option Configure client specific options
ip igmp
Configure Internet Group Management Protocol
Syntax
Example
ip local
Configures the local address pool for L2TP.
Syntax
[no] ip local pool <pool_name> <pool_start_address> <pool_end_address>
Where:
pool configures a local IP pool for L2TP
<pool_name> is the local IP pool's name
<pool_start_address> specifies the starting address of the local pool
<pool_end_address> specifies the ending address of the local pool
Example
(hostswitch) (config) #ip local pool lab_Pool_Tunnel 1.1.1.1 2.2.2.2
(hostswitch) (config) #
ip nat
Configures a NAT address pool and specifies the name of the pool.
Syntax
ip nat pool STRING A.B.C.D A.B.C.D
Where:
STRING is the pool name
A.B.C.D specifies the starting IP address in the pool
A.B.C.D specifies the ending IP address in the pool.
Example
ip radius dynamic-authorization
Configures an RFC 3576-compliant RADIUS client (dynamic authorization).
Syntax
ip radius dynamic-authorization client A.B.C.D
Where:
A.B.C.D is the IP address of the RADIUS client.
Example
ip radius nas-ip
Configures the NAS IP address sent in RADIUS packets.
Syntax
ip radius nas-ip A.B.C.D
Where:
Example
ip radius source-interface
Selects the source address of outgoing RADIUS requests.
Syntax
ip radius source-interface <loopback | vlan <vlanid>>
Where:
Example
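The ip radius dynamic-authorization command above registers the RADIUS servers allowed to send RFC 3576 Disconnect-Requests and CoA-Requests to the switch (the page's udp-port entry gives 3999 as the default port on which they are received). The Python block below is an added illustration of the check a receiver performs on such a request; it is not AOS-W code. It assumes the RFC 3576 Request Authenticator construction (MD5 over Code, Identifier, Length, sixteen zero octets, the attributes, and the shared secret) and a per-client shared secret, which the page's command does not show; the client address, secret and packet contents are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

# RFC 3576 packet codes.
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42
COA_REQUEST = 43
DYNAMIC_AUTH_UDP_PORT = 3999   # default listening port stated on this page (udp-port)

USER_NAME = 1                  # RADIUS attribute type used to name the session to drop

Attrs = List[Tuple[int, bytes]]


def encode_attributes(attrs: Attrs) -> bytes:
    """RADIUS TLV encoding: Type, Length (including the 2-byte header), Value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attributes(payload: bytes) -> Attrs:
    """Inverse of encode_attributes; rejects truncated or zero-length TLVs."""
    attrs: Attrs = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("malformed attribute")
        attr_type, length = struct.unpack("!BB", payload[pos:pos + 2])
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, payload[pos + 2:pos + length]))
        pos += length
    return attrs


def build_request(code: int, identifier: int, attrs: Attrs, secret: bytes) -> bytes:
    """RADIUS-server side: Request Authenticator = MD5(Code + ID + Length +
    16 zero octets + Attributes + Secret), as RFC 3576 specifies (assumed here)."""
    payload = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(payload))
    authenticator = hashlib.md5(header + bytes(16) + payload + secret).digest()
    return header + authenticator + payload


def verify_request(packet: bytes, src_ip: str, clients: Dict[str, bytes]) -> Tuple[bool, str]:
    """Switch side: accept a Disconnect/CoA-Request only from a configured client
    (ip radius dynamic-authorization client A.B.C.D) whose secret reproduces the
    Request Authenticator. Returns (accepted, reason)."""
    secret = clients.get(src_ip)
    if secret is None:
        return False, f"{src_ip} is not a configured dynamic-authorization client"
    if len(packet) < 20:
        return False, "packet shorter than the RADIUS header"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length field does not match packet size"
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False, f"code {code} is not a dynamic-authorization request"
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "Request Authenticator mismatch (wrong secret or altered packet)"
    try:
        decode_attributes(packet[20:])
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Constructed client table and secret; the page configures only the client address."""
    clients = {"10.4.21.200": b"constructed-shared-secret"}
    pkt = build_request(DISCONNECT_REQUEST, 7, [(USER_NAME, b"rama")], clients["10.4.21.200"])
    results = {}
    results["valid"] = verify_request(pkt, "10.4.21.200", clients)[0]
    results["unknown_client"] = verify_request(pkt, "10.4.21.201", clients)[0]
    # Flip one byte of the User-Name value: the authenticator no longer matches.
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    results["tampered"] = verify_request(tampered, "10.4.21.200", clients)[0]
    # The same request signed under a different secret is rejected as well.
    forged = build_request(DISCONNECT_REQUEST, 7, [(USER_NAME, b"rama")], b"guess")
    results["wrong_secret"] = verify_request(forged, "10.4.21.200", clients)[0]
    return results
```

The source-address check and the authenticator check are independent: a request from an unlisted address is dropped before any cryptography runs, and a request from a listed address is still dropped when its secret or contents do not match.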
ip route
Establishes static routes.
Syntax
ip route <destip> <destmask> <nexthop> [cost]
Where:
<destip> is the IP address of the destination host
<destmask> is the subnet mask of the destination host
<nexthop> is the IP address of the forwarding router
<cost> is the distance metric for this route info-
Example
The following example establishes a static route to the host at 1.1.1.1 and specifies that the route has a cost of 4.
ip router
Enables the RIP (Routing Information Protocol) routing protocol.
Syntax
ip router rip
Example
(hostswitch) (config) #ip router rip
(hostswitch) (config) #
key
(switch) (config) # key ?
<cr>
(switch) (config) #
location
Specifies the switch location.
Syntax
location <switchlocation>
Where:
Example
(switch) (config) # location 10.4.21.1 ?
(switch) (config) #
logging Commands
(switch) (config) # logging ?
logging <A.B.C.D>
Set Remote logging Server
Syntax
Example
logging console
Set Console Logging level
Syntax
Example
logging level
Set Facility Logging level
logging monitor
Set Terminal Line (monitor) logging level
loginsession timeout
Specifies how long a login session stays active without activity.
Syntax
loginsession timeout <val>
Where:
<val> is the time out value in minutes. Specify from 5 to 60 minutes. The default is 15 minutes.
Example
(hostswitch) (config) # loginsession timeout 30
(hostswitch) (config) #
mac-address-table static
Configures a static MAC address table entry for a FastEthernet or GigabitEthernet port.
Syntax
mac-address-table static <macaddr> <fastethernet | gigabitethernet> <slot/port> vlan <vlanid>
Where:
<slot/port> specifies the module slot and port number on that module
Example
(hostswitch) (config) # mac-address-table static 00:00:00:1:2:3 fastethernet 3/4 vlan
(hostswitch) (config) #
master-redundancy
Accesses the commands that configure redundancy (VRRP) on the Master Switch.
master-vrrp
Configures the VRRP router ID.
Syntax
master-vrrp <id>
Where:
<id> specifies the Master Switch virtual router ID. Valid range is 1-255.
Example
(hostswitch) (config-master-redundancy)#master-vrrp 24
(hostswitch) (config-master-redundancy)#
no
Disables VRRP configurations.
Syntax
no <master-vrrp | peer-ip-address >
Where:
selecting master-vrrp disables the master switch virtual router ID, and selecting peer-ip-address removes the configured redundant host (peer) address.
Example
(hostswitch) (config-master-redundancy)# no master-vrrp
(hostswitch) (config-master-redundancy)#
(hostswitch) (config-master-redundancy)# no peer-ip-address
(hostswitch) (config-master-redundancy)#
peer-ip-address
Configures the redundant host.
Syntax
peer-ip-address A.B.C.D
Where:
Example
(hostswitch) (config-master-redundancy)#peer-ip-address 10.1.1.1
(Alcatel6000) (config-master-redundancy)#
masterip
Specifies the IP address of the Wireless LAN Switch configured as the Master Switch.
Syntax
masterip <masterip>
Where:
Example
(Alcatel6000) (config) #masterip 10.10.10.1
(Alcatel6000) (config) #
mgmt-role
Access the commands that define the Management Role.
Syntax
mgmt-role <rolename>
Where:
<rolename> is the name of the Management Role. Valid name length is 1-32 characters.
Example
(hostswitch) (config) #mgmt-role bigboss
(Alcatel6000) (mgmt-role)#
Description
Syntax
description
Example
no
Syntax
no
Example
Tbd
permit
Syntax
permit
Example
TBD
mgmt-user
(Alcatel6000) (config) #mgmt-user ?
<cr>
<cr>
(Alcatel6000) (config) #
mobagent
Accesses the mobility agent mode commands.
(Alcatel6000) (config) #mobagent
(Alcatel6000) (config-mobagent) #?
foreign-agent
Foreign Agent Global Configuration
home-agent
Home Agent Global Configuration
secure-mobile
Configure the security association parameters between
(Alcatel6000) (config-mobagent) #
mobility
Accesses the mobility mode commands.
(Alcatel6000) (config-mobagent) #mobility ?
<cr>
event-threshold
Syntax
Example
ignore-l2-broadcast
Ignores layer 2 broadcasts when making mobility decisions. Disabled by default.
Syntax
Example
inter-essid
Enable/disable mobility across different essids
Syntax
Example
ip-release
Quit proxy dhcp for client
Syntax
Example
manager
Enables/disables mobility management for the mswitch
Syntax
Example
max-dhcp-requests
Maximum number of DHCP DISCOVERS/REQUESTS after which Proxy DHCP should quit
Syntax
Example
no
Delete Command
Syntax
Example
on-association
Enable/disable mobility to trigger on station association
Syntax
Example
parameters
Set the global parameters for the mobility manager
Syntax
Example
proxy-dhcp
Enables/disables proxy dhcp support for the mswitch
secure
Configure the global security association parameters for the mobility manager.
Syntax
Example
station-masquerade
Enable/disable station masquerading. Enable this if uplink routers do not accept Gratuitous ARPs
Syntax
Example
trusted-roaming
Mobility handles roaming from untrusted to trusted. Disabled by default.
Syntax
Example
(Alcatel6000) (config-mob) #
mobility-local
Accesses the mobility manager mode commands for the local switch.
(Alcatel6000) (config-mob) #mobility-local ?
<cr>
exclude-vlan
Quit mobility management for users moving to/from this VLAN
Syntax
Example
ha-priority
Set Home Agent priority for this VLAN
Syntax
Example
local-ha
If enabled, sets the mswitch as HA for all subnets it owns; otherwise it accepts the HA designated by the master.
Syntax
Example
no
Delete Command
(Alcatel6000) (config-mob-local) #
mobmaster primary-subnet
Syntax
Example
mux-address
(Alcatel6000) (config) #mux-address ?
<mux-ip-address> A.B.C.D IP address
mux-vlan
(Alcatel6000) (config) #mux-vlan ?
MUX VLANs
---------
VLAN ID
-------
24
(Alcatel6000) (config) #
netdestination
(Alcatel6000) (config) #netdestination ?
<cr>
newbury
(Alcatel6000) (config) # newbury ?
(Alcatel6000) (config) #
no
Disables the following actions:
no aaa
Configure Authentication
Syntax
Example
no ap
Specify configuration of an AP by location or by BSSID
Syntax
Example
no arp
Configure ARP parameters.
Syntax
Example
no cap
Cisco Access point
no clock
Configure time-of-day clock
Syntax
Example
no crypto
Configure IPSec, IKE, and CA
Syntax
Example
no database
Database management
no destination
Configure network destination (deprecated; use netdestination)
Syntax
Example
no dot1x
Configure IEEE 802.1X Authenticator
Syntax
Example
no enable
Modify the enable password
Syntax
Example
no firewall
Configure global firewall policies
Syntax
Example
no interface
Select an interface to configure
Syntax
Example
no ip
Interface Internet Protocol config commands
Syntax
Example
no logging
Modify Message Logging Facilities
Syntax
Example
no loginsession
Login Session
Syntax
Example
no mac-address-table
Configure the MAC address table
Syntax
Example
no masterip
Configure the master ip address for the switch
Syntax
Example
no mgmt-role
Management Role Definition
no mgmt-user
Configure a management user.
Syntax
Example
no mux-vlan
Enable MUX functionality on a VLAN
Syntax
Example
no netdestination
Configure network destination
no netservice
Configure a network service
Syntax
Example
no newbury
Specify Newbury Locate Server Information
Syntax
Example
no ntp
Configure NTP
no pptp
Configure IP information for PPTP
Syntax
Example
no rap-wml
Wired MAC Lookup for AP Classification commands
Syntax
Example
no router
Router Mobile
Syntax
Example
no service
Configure services
Syntax
Example
no shutdown
Shut down interface
Syntax
Example
no snmp-server
Enable SNMP; Modify SNMP parameters
Syntax
Example
no spanning-tree
Spanning Tree Subsystem
Syntax
Example
no telnet
Enable telnet port
Syntax
Example
no time-range
Configure a time range
Syntax
Example
no trusted
Make this a trusted port
Syntax
Example
no udp-port
Configure the UDP port to receive Disconnect-Requests. Default is 3999.
no user-role
Configure user role
Syntax
Example
no vlan
Create Switch VLAN Virtual Interface
Syntax
Example
no vpn-dialer
Configure the VPN dialer
no vrrp
Virtual Router Redundancy Protocol Configuration
ntp server
(Alcatel6000) (config) #ntp ?
packet-capture-defaults
(Alcatel6000) (config) #packet-capture-defaults ?
packet-capture-defaults Alcatelmsg
Enable or disable Alcatel internal messaging packet capturing. For debugging only.
Syntax
Example
packet-capture-defaults other
Enable or disable all other types of packets.
packet-capture-defaults tcp
Enable or disable TCP packet capturing.
packet-capture-defaults udp
Enable or disable UDP packet capturing.
(Alcatel6000) (config) #
ping
(Alcatel6000) (config) #ping ?
<ipaddr> Send ICMP echo packets to a specified IP
address.
(Alcatel6000) (config) #
pptp
(Alcatel6000) (config) #pptp ?
ip Configure IP information for PPTP
(Alcatel6000) (config) #
Syntax
Example
program-ap
(Alcatel6000) (config) # program-ap ?
<cr>
prompt
(Alcatel6000) (config) #prompt ?
<prompt> Enter the new prompt
(Alcatel5050) >
(Alcatel5050) >enable
Password:******
(Alcatel5050) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(Alcatel6000) >enable
Password:******
(Alcatel6000) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(Alcatel6000) (config) #
NOTE— Resetting the prompt returns you to Exec mode.
rap-wml
(Alcatel6000) (config) # show rap-wml ?
<cr>
WML DB Servers
--------------
WML DB Tables
-------------
(Alcatel6000) (config) #
router
(Alcatel6000) (config) #router ?
mobile Enable Mobile IP
(Alcatel6000) (config) #
sapm
(Alcatel6000) (config) #sapm ?
general
SAPM_COUNTERS_RESULT
--------------------
LOC SAP_IP Updates Sent ACKs Rcvd APBoots Sent APBoots Rcvd Bootstraps Reboots Calibration .g Calibration .a
--- ------ ------------ --------- ------------ ------------ ---------- ------- -------------- --------------
Num APs:0
(Alcatel6000) (config) #
service
Enables or disables the DHCP service.
(Alcatel6000) (config) # service ?
dhcp Enable DHCP service
shutdown
(switch) (config) # shutdown ?
all All the physical interfaces in the switch
site-survey
site-survey calibration-max-packets
site-survey ha-compute-time
(switch) (config) #site-survey ha-compute-time ?
<ha-compute-time> time in milliseconds when HA reconvergence algorithms are kicked off
site-survey max-ha-neighbors
(switch) (config) #site-survey max-ha-neighbors ?
<max-ha-neighbors> max neighbor to increase to increase tx power for HA recovery
site-survey neighbor-tx-power-bump
(switch) (config) #site-survey neighbor-tx-power-bump 30 ?
calibration-max-packe.. max packets to send per tx power and rate
calibration-transmit-.. transmit rate of Alcatel ap
ha-compute-time time in milliseconds when HA reconvergence algorithms are kicked off
max-ha-neighbors max neighbor to increase to increase tx power for HA recovery
rra-max-compute-time max time in seconds for RRA computation
<cr>
site-survey rra-max-compute-time
(switch) (config) #site-survey rra-max-compute-time ?
<rra-max-compute-time> max time in seconds for RRA computation
(switch) (config) #
snmp-server
(switch) (config) #snmp-server ?
community set read-only community string
enable
host Specify host address to receive SNMP notifications.
new Traps defined in the new MIB's supported.
user User Name configuration for the USM security model
<cr>
snmp-server community
Syntax
Example
snmp-server enable
(switch) (config) #snmp-server enable ?
trap Enable SNMP Traps
snmp-server host
(switch) (config) #snmp-server host ?
A.B.C.D IP address of SNMP notofication host.
snmp-server new
(switch) (config) #snmp-server new ?
traps The system will generate new versions of the
trap.
snmp-server user
(switch) (config) #snmp-server user ?
WORD USM Security Model User Name
spanning-tree
(switch) (config) #show span?
spanning-tree Spanning tree topology
spantree Global spanning tree topology
spanning-tree forward-time
(switch) (config) #spanning-tree forward-time ?
<value> Set a Spanning Tree FORWARD Interval <4-30>
spanning-tree hello-time
(switch) (config) #spanning-tree hello-time ?
<value> Set a Spanning Tree HELLO Interval <1-10>
spanning-tree max-age
(switch) (config) #spanning-tree max-age 20
spanning-tree priority
(switch) (config) #spanning-tree priority ?
<value> Set a Spanning Tree Priority <0 - 65535>
stm
(switch) (config) #stm ?
ap-inactivity-timeout Amount of time after which AP is aged out. in seconds
sta-dos-block-time Amount of time to block a STA on with DoS is detected. In seconds. 0 blocks indefinitely
sta-dos-prevention Enable/Disable STA DoS prevention.
strict-compliance Enable/Disable strict WECA compliance
<cr>
stm ap-inactivity-timeout
(switch) (config) #stm ap-inactivity-timeout ?
<ap-inactivity-timeou.. Amount of time after which AP is aged out. in seconds
good-sta-ageout Amount of time after with STA with good RSSID to one of the APs is aged out. in seconds
hole-detection-interv.. Amount of time after with hole detection event is generated. in seconds
idle-sta-ageout Amount of time after which STA with potential hole info with bad RSSI to one of the APs is aged out. in seconds
poor-rssi-threshold kick off hole detection if RSSI from STA is less than this value
sta-dos-block-time Amount of time to block a STA on with DoS is detected. In seconds. 0 blocks indefinitely
sta-dos-prevention Enable/Disable STA DoS prevention.
strict-compliance Enable/Disable strict WECA compliance
<cr>
stm auth-failure-block-time
Syntax
Example
stm coverage-hole-detection
Syntax
Example
stm dos-prevention
(switch) (config) #stm dos-prevention ?
disable Disable
enable Enable
stm fast-roaming
(switch) (config) #stm dos-prevention enable fast-roaming ?
disable Disable
enable Enable
stm good-rssi-threshold
(switch) (config) #stm dos-prevention enable fast-roaming enable good-rssi-threshold ?
<good-rssi-threshold> stop hole detection if RSSI from STA is more than this value
stm idle-sta-ageout
(switch) (config) #stm idle-sta-ageout ?
<idle-sta-ageout> Amount of time after which STA with potential hole info with bad RSSI to one of the APs is aged out. in seconds
stm hole-detection-interval
stm idle-sta-ageout
Syntax
Example
stm poor-rssi-threshold
Syntax
Example
stm sta-dos-block-time
Syntax
Example
stm sta-dos-prevention
stm strict-compliance
Syntax
Example
syscontact
Rama
syslocation
Crossman_Main_lab
(switch) (config) #
telnet cli
(switch) (config) # telnet ?
cli Enable telnet to Command Line Interface (CLI) port
soe Enable telnet to Serial Over Ethernet (soe) port
telnet soe
(switch) (config) # telnet soe ?
<cr>
(switch) (config) #
time-range
Informs the Switch when a time-restricted feature, like an access list, is to be used.
(switch) (config) #time-range ?
STRING Name of time range
(switch) (config) #
traceroute
(switch) (config) #traceroute ?
<ipaddr> Trace route to specified IP address.
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
(switch) (config) #
trusted
(switch) (config) #trusted all ?
<cr>
(switch) (config) #
udp-port
user
(switch) (config) # user ?
<username> Enter a user name
<cr>
(switch) (config) #
user-role
(switch) (config) #user-role
% Incomplete command.
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link location Roaming Essid/Bssid/Phy
---------- ------------ ------ ---- ---------- ---- -------- -------- ------- ---------------
10.4.21.102 00:00:00:00:00:00 rama ap-role 00:00:26 VPN 10.4.21.229 1/0 Wired
10.4.21.104 00:00:00:00:00:00 rama ap-role 00:23:29 VPN 10.4.21.193 1/0 Wired
(switch) (config-role) #
(switch) (config-role) #no user-role visitor
^
% Invalid input detected at '^' marker.
version
(switch) (config-role) #version ?
<versionnum>
<cr>
Website: http://www.alcatel.com
Alcatel Processor (revision 16.20 (pvr 8081 1014)) with 256M bytes of
memory.
(switch) (config) #
vlan
(switch) (config) # vlan <id>
VLAN CONFIGURATION
------------------
VLAN Name Ports
---- ---- -----
1 Default Fa1/0-23 Gig1/24-25 Pc0-7
2 VLAN0002
(switch) (config) #
vpdn
(switch) (config) #vpdn ?
group Configure vpdn groups
Enabled
Hello timeout: 60 seconds
DNS primary server: 0.0.0.0
DNS secondary server: 0.0.0.0
WINS primary server: 0.0.0.0
WINS secondary server: 0.0.0.0
PPP client authentication methods:
PAP
CHAP
MSCHAP
MSCHAPv2
IP LOCAL POOLS:
remoteappool: 10.4.21.101 - 10.4.21.110
Enabled
Hello timeout: 60 seconds
DNS primary server: 0.0.0.0
DNS secondary server: 0.0.0.0
WINS primary server: 0.0.0.0
WINS secondary server: 0.0.0.0
PPP client authentication methods:
MSCHAPv2
MPPE Configuration
128 bit encryption enabled
IP LOCAL POOLS:
<cr>
(switch) (config) #
vpn-dialer
(switch) (config) #vpn-dialer ?
STRING Configuration Name of the VPN dialer
default-dialer
--------------
Attribute Value
--------- -----
PPTP disabled
L2TP enabled
DNETCLEAR disabled
WIREDNOWIFI disabled
PAP enabled
CHAP enabled
MSCHAP enabled
MSCHAPV2 enabled
CACHE-SECURID disabled
IKESECS 28800
IKEENC 3DES
IKEGROUP TWO
IKEHASH SHA
IKEAUTH PRE-SHARE
IKEPASSWD ********
IPSECSECS 7200
IPSECGROUP GROUP2
IPSECENC ESP-3DES
IPSECAUTH ESP-SHA-HMAC
SECURID_NEWPINMODE disabled
test
----
Attribute Value
--------- -----
PPTP disabled
L2TP enabled
DNETCLEAR disabled
WIREDNOWIFI disabled
PAP enabled
CHAP enabled
MSCHAP enabled
MSCHAPV2 enabled
CACHE-SECURID disabled
IKESECS 28800
IKEENC 3DES
IKEGROUP TWO
IKEHASH SHA
IKEAUTH PRE-SHARE
IKEPASSWD ********
IPSECSECS 7200
IPSECGROUP GROUP2
IPSECENC ESP-3DES
IPSECAUTH ESP-SHA-HMAC
SECURID_NEWPINMODE disabled
(switch) (config-vpn-dialer)#
(switch) (config-vpn-dialer)#?
auto-dial-wpn Bind the VPN dialer to the wireless link
dialup Configure dialup information for the Dialer.
enable Enable PPTP, L2TP, dnetclear, wirednowifi, or securid_newpinmode for the dialer
ike Configure the IKE
ipsec Configure the IPSEC lifetime in seconds
no Delete Command
ppp Configure PPP
vpngateway Configure the VPN gateway
(switch) (config-vpn-dialer)#
vrrp
(switch) (config) #vrrp ?
<id> <1-255> Virtual Router ID
(switch) (config-vrrp)#no ?
(switch) (config-vrrp)#?
no Delete Command
shutdown Disable VRRP intra-switch
(switch) (config-vrrp)#
web-server
(switch) (config) #web-server ?
<cr>
(switch) (config-webserver)#?
admin-port Configure port for WEB administration
ciphers Configure cipher suite strength. Default is high
no Delete Command
ssl-protocol Configure SSL/TLS protocol. Default is to use SSLv2, SSLv3 and TLSv1
admin-port
(switch) (config-webserver)#admin-port ?
https Specify https port
ciphers
(switch) (config-webserver)#ciphers ?
high Cipher suite with encryption keys larger than 128 bits
low Cipher suite with 56 or 64 bit encryption keys
medium Cipher suite with 128 bit encryption keys
(switch) (config-webserver)#ciphers no ?
no
(switch) (config-webserver)#no ?
admin-port Configure port for WEB administration
ciphers Configure cipher suite strength. Default is high
ssl-protocol Configure SSL/TLS protocol. Default is to use SSLv2, SSLv3 and TLSv1
(switch) (config-webserver)#ssl-protocol ?
sslv2 Use SSLv2
sslv3 Use SSLv3
tlsv1 Use TLSv1
<cr>
ssl-protocol
(switch) (config-webserver)#ssl-protocol tlsv1 ?
sslv2 Use SSLv2
sslv3 Use SSLv3
<cr>
(switch) (config-webserver)#
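The web-server help text above documents two settings an auditor cares about: ssl-protocol, whose default admits SSLv2 and SSLv3 alongside TLSv1, and ciphers, whose levels are low (56/64-bit keys), medium (128-bit) and high (above 128-bit, the default). The Python block below is an added example of auditing a captured web-server configuration block against those facts; it is not AOS-W code. The running-config layout it parses (an indented web-server block) and the sample snippet are assumed and constructed. The remediation lines it emits are the page's own commands, ssl-protocol tlsv1 and ciphers high.

```python
from typing import List, Tuple

# Defaults stated in the CLI help above: ssl-protocol defaults to SSLv2, SSLv3 and TLSv1;
# ciphers defaults to high.
DEFAULT_PROTOCOLS = ["sslv2", "sslv3", "tlsv1"]
DEFAULT_CIPHERS = "high"
DEPRECATED_PROTOCOLS = {"sslv2", "sslv3"}
# Cipher strength levels as described by `ciphers ?`, ordered weakest to strongest.
CIPHER_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed running-config excerpt in the page's command syntax (layout is assumed).
SAMPLE_WEBSERVER_CONFIG = """\
web-server
  ssl-protocol sslv2 sslv3 tlsv1
  ciphers low
"""


def parse_webserver(text: str) -> Tuple[List[str], str]:
    """Pull ssl-protocol and ciphers out of a web-server block. A missing line means the
    setting is at its default, which for ssl-protocol still includes SSLv2 and SSLv3."""
    protocols, ciphers = list(DEFAULT_PROTOCOLS), DEFAULT_CIPHERS
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):          # top-level command: enter or leave the block
            in_block = line == "web-server"
            continue
        if not in_block:
            continue
        words = line.split()
        if words[0] == "ssl-protocol":
            protocols = [w.lower() for w in words[1:]]
        elif words[0] == "ciphers" and len(words) > 1:
            ciphers = words[1].lower()
    return protocols, ciphers


def audit_webserver(text: str, min_ciphers: str = "high") -> Tuple[List[str], List[str]]:
    """Return (findings, remediation commands) for the management web server."""
    protocols, ciphers = parse_webserver(text)
    findings: List[str] = []
    fixes: List[str] = []
    weak = [p for p in protocols if p in DEPRECATED_PROTOCOLS]
    if weak:
        findings.append(f"ssl-protocol allows {', '.join(weak)}")
        fixes.append("ssl-protocol tlsv1")
    if ciphers not in CIPHER_RANK:
        findings.append(f"unknown cipher level {ciphers!r}")
    elif CIPHER_RANK[ciphers] < CIPHER_RANK[min_ciphers]:
        findings.append(f"ciphers {ciphers} is below required level {min_ciphers}")
        fixes.append(f"ciphers {min_ciphers}")
    return findings, fixes
```

A block with no ssl-protocol line is reported too, because on this platform silence means the SSLv2-inclusive default rather than a safe setting; a block configured with ssl-protocol tlsv1 and ciphers high yields no findings.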
web-ui
(switch) (config) # webui ?
user Configure the web ui administrator password
(switch) (config) #
wms
(switch) (config) #wms
(switch) (wms) #?
ap-config Setup Valid AP Configuration
ap-policy Configure ap policies
event-threshold Configure Statistics event thresholds
general Configure general attributes
global-policy Configure global policy applied for AP and STA
ids-policy configure IDS Policy for AP and AM
ids-signature configure a signature for the IDS check
no Delete Command
ap-config
(switch) (wms) #ap-config ?
privacy enable/disable Encryption as valid ap configuration
short-preamble enable/disable short preamble as valid ap configuration
wpa enable/disable WPA support as valid ap configuration
<cr>
ap-policy
(switch) (wms) #ap-policy ?
ap-lb-max-retries max tries to encourage STA to move to a unloaded AP
ap-lb-user-high-wm High WM on max users that triggers enabling ap load balancing
ap-lb-user-low-wm Low WM on max users that triggers disabling ap load balancing
ap-lb-util-high-wm High WM on utilization that triggers enabling ap load balancing
ap-lb-util-low-wm Low WM on utilization that triggers disabling ap load balancing
ap-lb-util-wait-time Time in seconds to wait before enabling or disabling load balancing once threshold is hit
ap-load-balancing enable/disable AP load balancing
beacon-diff-threshold percent increase in beacon rate that should trigger an ap impersonation event. Default 50
beacon-inc-wait-time Amount of time to wait in seconds before generating an ap impersonation event when AP impersonation is suspected. Default 3
classification enable/disable AP Classification.
detect-ap-impersonati.. enable/disable AP Impersonation Detection
detect-misconfigured-.. enable/disable detect misconfigured ap policy
learn-ap enable/disable learn AP.
min-pot-ap-beacon-rate Min beacon rate acceptable from a potential AP. In % of configured beacon interval
min-pot-ap-monitor-ti.. Min time a potential AP has to be up before it is classified as a real AP. In seconds
protect-ap-impersonat.. enable/disable AP Impersonation Protection
protect-ibss enable/disable protect Adhoc Network Policy
protect-misconfigured.. enable/disable protect misconfigured ap policy
protect-mt-channel-sp.. enable/disable protect multi tenancy channel split policy
protect-mt-ssid enable/disable multi tenancy ssid protection policy
protect-unsecure-ap enable/disable protect unsecure ap policy
<cr>
event-threshold
(switch) (wms) #event-threshold ?
bwr-high-wm Bandwidth Rate High Watermark in %
bwr-low-wm Bandwidth Rate Low Watermark in %
fer-high-wm Frame Error Rate High Watermark in %
fer-low-wm Frame Error Rate Low Watermark in %
ffr-high-wm Frame Fragmentation Rate High Watermark in %
ffr-low-wm Frame Fragmentation Rate Low Watermark in %
flsr-high-wm Frame Low Speed Rate High Watermark in %
flsr-low-wm Frame Low Speed Rate Low Watermark in %
fnur-high-wm Frame Non Unicast Rate High Watermark in %
fnur-low-wm Frame Non Unicast Rate Low Watermark in %
frer-high-wm Frame Receive Error Rate High Watermark in %
frer-low-wm Frame Receive Error Rate Low Watermark in %
frr-high-wm Frame Retry Rate High Watermark in %
frr-low-wm Frame Retry Rate Low Watermark in %
<cr>
general
(switch) (wms) #general ?
ap-ageout-interval AP ageout interval in minutes. 0 to disable
ap-inactivity-timeout AP inactivity timeout in scan seconds.
grace-time am & wms comm. latency grace time in milliseconds
laser-beam enable or disable force station deauthentication for policy enforcement
laser-beam-debug enable or disable laser beam debug mode
poll-interval am poll interval in milliseconds
global-policy
(switch) (wms) #global-policy ?
detect-bad-wep enable or disable detect bad/weak WEP policy
detect-interference enable or disable interference detection
interference-inc-thre.. % increase in frame retry rate or frame receiver error rate after with interference is reported
interference-inc-time.. Amount of time FRR or FRER
interference-wait-time Amount of time in seconds air monitor should learn state of link between AP and STA to create FRR and FRER baselines
<cr>
ids-policy
(switch) (wms) #ids-policy ?
adhoc-check IDS Adhoc Network Detection
adhoc-quiet-time Time to wait in seconds after detecting Adhoc activity after which the check can be resumed
ap-flood-check IDS Fake AP Flood Detection
ap-flood-inc-time Number of consecutive seconds over which the AP count is more than the threshold
ap-flood-quiet-time Time to wait in seconds after detecting an AP flood before continuing the check
ap-flood-threshold The number of spurious APs in the system
dsta-check IDS Disconnect Station Analysis
dsta-quiet-time Time to wait in seconds after detecting disconnect station attack after which the check can be resumed
eap-check IDS EAP Handshake Anomaly Detection
eap-rate-quiet-time Time to wait in seconds after detecting an EAP handsh
ids-signature
(switch) (wms) #ids-signature ?
<name> name of signature
(switch) (wms) #
(switch) (wms) #?
ap-config Setup Valid AP Configuration
ap-policy Configure ap policies
event-threshold Configure Statistics event thresholds
general Configure general attributes
global-policy Configure global policy applied for AP and STA
ids-policy configure IDS Policy for AP and AM
ids-signature configure a signature for the IDS check
no Delete Command
reserved-11a-channel enable/disable 80211a channel as multi tenancy protected channel
reserved-11b-channel enable/disable 80211b channel as multi tenancy protected channel
station-policy Configure Station Policy
valid-11a-channel enable/disable 80211a channel as valid
valid-11b-channel enable/disable 80211b channel as valid
valid-oui configure valid OUI for AP
valid-ssid configure valid SSID for AP
wired-mac configure Wired MAC of router or server
no
reserved-11a-channel
reserved-11b-channel
(switch) (wms) #reserved-11b-channel ?
<reserved-11b-channel> enable/disable 80211b channel as multi tenancy protected channel
station-policy
(switch) (wms) #station-policy ?
detect-association-fa.. enable/disable STA association failure detection
detect-sta-impersonat.. enable/disable station impersonation detection
handoff-assist enable/disable AP assisted handoff
ista-detection-interv.. Impersonating station detection interval in milliseconds
ista-max-retries max retries to detect station impersonation
low-rssi-threshold Min RSSI above with deauth should never be sent
protect-valid-sta enable/disable protect valid station policy
rssi-check-frequency How often in seconds to sample RSSI value
rssi-falloff-wait-time Seconds(max 8) to wait with decreasing RSSI before deauth is sent to the client
<cr>
NOTE—The handoff-assist option allows the switch to force a sticky client off of an AP
when the RSSI drops below the defined minimum threshold. This is useful when a client
will not let go of an AP as long as it is getting any Acks (even at 1 Mbps) and will only
look for a new AP after about 10 seconds of not getting Ack responses from the old AP.
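As an added example (not part of the manual or the switch software), this Python model shows how the station-policy parameters low-rssi-threshold, rssi-check-frequency and rssi-falloff-wait-time combine under handoff-assist to decide when a sticky client is deauthenticated. The rule that a falloff streak is a run of non-increasing samples below the threshold is an assumption about the switch's logic, and the RSSI samples are constructed.

```python
# Added example: a model of handoff-assist under the station-policy
# parameters. The streak rule below is an assumption, not the switch's code.
from typing import List, Optional

MAX_RSSI_FALLOFF_WAIT_TIME = 8  # the CLI help caps rssi-falloff-wait-time at 8 s


def handoff_assist_deauth_sample(
    rssi_samples: List[int],
    low_rssi_threshold: int,
    rssi_check_frequency: int,
    rssi_falloff_wait_time: int,
) -> Optional[int]:
    """Return the index of the RSSI sample at which handoff-assist would send
    a deauth to the sticky client, or None if it never would.

    Samples are taken every rssi_check_frequency seconds. A sample extends the
    falloff streak when it is below low_rssi_threshold and not higher than the
    previous sample; a sample at or above the threshold, or an improving
    signal, resets the streak (assumed rule). Deauth is sent once the streak
    has lasted rssi_falloff_wait_time seconds, and never while the RSSI is at
    or above the threshold (the documented meaning of low-rssi-threshold).
    """
    if not 1 <= rssi_falloff_wait_time <= MAX_RSSI_FALLOFF_WAIT_TIME:
        raise ValueError("rssi-falloff-wait-time must be 1..8 seconds")
    if rssi_check_frequency < 1:
        raise ValueError("rssi-check-frequency must be at least 1 second")

    streak = 0          # consecutive samples in the falloff condition
    previous = None
    for index, rssi in enumerate(rssi_samples):
        falling = previous is None or rssi <= previous
        if rssi < low_rssi_threshold and falling:
            streak += 1
            if streak * rssi_check_frequency >= rssi_falloff_wait_time:
                return index
        else:
            streak = 0
        previous = rssi
    return None


if __name__ == "__main__":
    # Constructed sample: a client walking away from its AP, polled every second.
    walking_away = [35, 30, 25, 19, 17, 15, 14, 14]
    print(handoff_assist_deauth_sample(walking_away, 20, 1, 3))  # 5
    # RSSI dips but recovers before the wait time elapses: no deauth.
    recovering = [19, 17, 25, 18, 16]
    print(handoff_assist_deauth_sample(recovering, 20, 1, 3))  # None
```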
valid-11a-channel
(switch) (wms) #valid-11a?
valid-11a-channel enable/disable 80211a channel as valid
valid-11b-channel
(switch) (wms) #valid-11b-channel ?
<valid-11b-channel> enable/disable 80211b channel as valid
valid-oui
(switch) (wms) #valid-oui ?
<valid-oui> configure valid OUI for AP
valid-ssid
(switch) (wms) #valid-ssid ?
<valid-ssid> configure valid SSID for AP
wired-mac
(switch) (wms) #wired-mac ?
<wired-mac> configure Wired MAC of router or server
For more information on the commands, use the CLI help feature
described on page 18.
User mode is entered when you first log in to the Alcatel Wireless
LAN Switch. This mode is indicated by the host> prompt, where
host is the host name of the switch, if defined. From any other
mode or sub-mode, you can return to the user mode using the
global exit command.
enable
Type this command to enter the privileged mode. You will be prompted for the
password.
logout
Close this CLI session. Any configuration changes which have not yet been
saved are lost.
Privileged mode is entered from the user mode through the enable command
(see page 820). This mode provides access to configuration and information
collection commands. Privileged mode is indicated by the host# prompt, where
host is the host name of the switch, if defined. From any privileged mode or
sub-mode, you can exit to the user mode using the global exit command.
boot...
Set the configuration file or software image to be used the next time the
system boots.
Variations:
Parameters:
configure terminal
Enter the configuration mode. This mode provides access to system
configuration commands. The commands available depend on the switch
mode. Local configuration commands (see page 445) are available on any
switch. Master configuration commands (page 797) are only available on the
master switch.
copy...
Copy file or image items from one location to another.
Variations:
Parameters:
• authmgr
• cfgm
• crypto
• errorlog
• fpapps
• ha
• intuser
• l2tp
• localdb
• master
• mmgr
• mobagent
• ppp
• pptp
• sapm
• stm
• user
• wms
destination IP address The IP address of the FTP destination for the type.log file.
user name If required, the name of a valid user account at the destination.
password If required, the password for the user account at the destination.
delete <filename>
Delete the specified file from the system. To view a list of files, use the dir
command.
dir
List the system files.
exit
Exit the current mode or sub-mode and return to the one above it. When entered
from the privileged mode main prompt (#), this command returns you to the
user mode.
Use this command to change the role of the switch from Master to Local or
back to Master. Setting the switch’s IP address to the IP address of another
switch configures the switch as a local switch; returning it to its own IP
address makes the switch a Master Switch. In either case, you will have to
reboot the switch to make the changes effective, and you will be prompted to
reboot after you enter the new IP address.
reload
Reboot the system after prompting the user to verify the command. If there are
any unsaved configuration changes, you will be prompted whether you wish to
save them first.
halt
Shuts down the switch (the switch will not reboot automatically).
show
Enter the Show mode (see page 833). The Show mode is used to display a
variety of system information and statistics.
write...
Variations:
• write erase
Erase the system configuration file. The next time the system boots, the configuration will be reset to factory defaults.
• write file <filename>
Save the current configuration to the specified system file.
• write memory
Save the current configuration to the system configuration file. Any configuration changes made during this session will be made permanent.
• write terminal
Display the current configuration.
pcap...
Variations:
• pcap clear <air monitor IP address> <pcap ID> [bssid <MAC address>]
• pcap interactive <air monitor IP address> <filter> <target IP address> <target UDP port> [bssid <MAC address>] [channel <channel>]
• pcap pause <air monitor IP address> <pcap ID> [bssid <MAC address>]
• raw-start <target IP address>
• raw-start <air monitor IP address>
• pcap resume <air monitor IP address> <pcap ID> [bssid <MAC address>]
• pcap start <air monitor IP address> <filter> [bssid <MAC address>] [channel <channel>] [max-packet-size <size>] [max-packets <number>]
• pcap stop <air monitor IP address> <pcap ID> [bssid <MAC address>]
WMS Commands
wms reinit-db
This command re-initializes the WMS database to the factory defaults. No
automatic backup of the current database is made.
site-survey...
Variations:
Authentication Commands
AAA Commands
The following immediate commands are used for Accounting, Authentication,
& Authorization (AAA). Other AAA commands can be found starting on
page 823.
Parameters:
aaa user...
Variations:
• aaa user add <IP address> [name <user name>] [role <role>] [mac <MAC address>]
• aaa user delete {<IP address>|all}
• aaa user logout <IP address>
local-userdb...
Variations:
Clear Commands
clear arp
This command clears the ARP table.
clear crypto dp
This command displays the last few commands in the debug buffer that were
sent from the control path to the data path, adding or deleting IPSec SAs and
routes.
The buffer is cleared after the stored commands have been displayed.
Debug Commands
debug...
Variations:
Type Sub-type
authmgr [all] [acl] [config] [dot1xcfg] [dot1xeapol] [dot1xkeymgt] [dot1xsapmmsg] [dot1xsm] [messages] [mobility] [user]
Alcatelcert [all]
crypto [ipsec] [isakmp]
fp [cli] [emweb] [nim]
ha [api] [datapath] [dhcp] [flag] [info] [messages] [states] [timers]
l2tp [packets]
localdb [all]
master [api] [datapath] [dhcp] [flag] [info] [messages] [states] [timers]
mmgr [api] [datapath] [dhcp] [flag] [info] [messages] [states] [timers]
mobagent [api] [datapath] [dhcp] [flag] [info] [messages] [states] [timers]
ppp [packets]
pptp [packets]
sapm [all]
stm [all]
wms [all]
Panic Commands
panic clear
This command clears all panic information from NVRAM.
encrypt <enable|disable>
This command enables and disables the on-screen encryption of keys and
passwords. It must be executed from the configuration mode.
(Alcatel) (config) #
page <length>
This command sets the number of lines of text the terminal will display when
paging is turned on. Valid lengths are from 24 to 100 lines.
paging
This command turns paging on. Use the no form of this command to turn
paging off.
show country
This command displays the configured country code for the
switch.
show keys
This command displays the status of features on the Alcatel switch.
show users
This command displays administrative users and their access modes.
show loginsessions
This command displays information about current sessions.
• ID: Session ID
• User Name: The login name of the connected user
• Connection From: IP Address of the connected user
• Idle Time: The time the session has been idle
• Session Time: The total time the session has been running
show memory
This command shows the status of memory on the Alcatel switch.
show mgmt-user
This command displays the management user table.
show startup-config
This command displays a table with all the information about the startup
configuration for the switch.
show station-table
This command displays information about the stations connected to the
switch. Executing this command with no options will display all the stations on
the switch.
Options:
• mac <MACaddr> Show the station with the specified MAC address.
show trunk
This command displays the Trunk Port table.
show version
This command shows the current versions of the boot code, processor, and
assembly. It also displays the switch uptime, processor memory, and
non-volatile configuration memory.
show firewall
This command displays the current status of the firewall.
show inventory
This command shows the physical contents of the switch. It also shows the
status of each power supply and fan.
show processes
This command shows which processes are currently running and their
command paths.
show clock
This command displays the current date and time.
show boot
This command displays the current configuration file name and the boot
partition.
show hostname
This command displays the name of the switch, if one has been specified in the
configuration file.
show switch ip
This command displays the switch’s IP address.
show syslocation
This command displays the physical location of the switch, if it has been
specified in the configuration file.
show roleinfo
This command displays the role of the switch.
show local-switches
This command displays the IP Address and location of each local switch.
show location
This command displays the physical location of the switch.
show switches
This command displays the IP addresses and physical location of all the
switches on the network segment.
All Switches
------------
Ip Address Location
---------- --------
10.3.25.1 Building1.floor1
Layer 2 Commands
show mac-address-table
Displays the MAC addresses that have either been learned or that have been
manually configured for each device.
show spantree
This command displays information about the status of spanning-tree ports.
Execute this command with no options to view the spanning tree configuration
for all the ports on the switch.
Options:
show spanning-tree
This command displays information about the spanning tree topology.
When a slot-port pair is specified, this command displays spanning tree
information for that interface only.
VLAN CONFIGURATION
------------------
VLAN Name Ports
---- ---- -----
213 VLAN0213 Fa2/13,Fa2/15
Fa Fast Ethernet
Pc Port channel
Gig Gigabit Ethernet
Layer 3 Commands
show routerid
This command displays the IP Address of the switch.
Router Id : 10.3.25.1
show arp
(Alcatel) # show arp
DHCP Commands
# 212
subnet 10.2.12.0 netmask 255.255.255.0 {
option domain-name "Alcatelnetworks.com";
option domain-name-servers 10.1.1.2;
option netbios-name-servers 10.1.1.2;
option routers 10.2.12.254;
range 10.2.12.21 10.2.12.253;
}
# 213
subnet 10.2.13.0 netmask 255.255.255.0 {
option domain-name "Alcatelnetworks.com";
option domain-name-servers 10.1.1.2;
option netbios-name-servers 10.1.1.2;
option routers 10.2.13.254;
range 10.2.13.21 10.2.13.253;
}
Interface Commands
Port Status
-----------
Slot-Port PortType adminstate operstate poe Trusted SpanningTree PortMode
--------- -------- ---------- --------- --- ------- ------------ --------
2/0 FE Enabled Up Enabled Yes Forwarding Access
2/1 FE Enabled Down Disabled Yes Disabled Access
2/2 FE Enabled Down Disabled Yes Disabled Access
2/3 FE Enabled Down Disabled No Disabled Access
2/4 FE Enabled Up Enabled No Forwarding Access
2/5 FE Enabled Down Disabled No Disabled Access
2/6 FE Enabled Up Enabled No Forwarding Access
2/7 FE Enabled Down Disabled No Disabled Access
2/8 FE Enabled Down Disabled No Disabled Access
2/9 FE Enabled Down Disabled No Disabled Access
2/10 FE Enabled Down Disabled No Disabled Access
2/11 FE Enabled Down Disabled No Disabled Access
• slot-port
• Port Type
• Administrate
• Operstate
• POE
• Trusted
• SpanningTree
• PortMode
Fa 2/0
Fa 2/1
Fa 2/2
Fa 2/23
Variants of the show interface command invoked with arguments are shown
below.
Name: Fa2/1
Switchport: Enabled
Administrative mode: static access
Operational mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Access Mode VLAN: 1 (Default)
Trunking Native Mode VLAN: 1 (Default)
Trunking Vlans Enabled: NONE
Trunking Vlans Active: NONE
1 (Default)
Port-Channel id 0 is administratively up
Hardware is Port-Channel, address is 00:0B:86:00:15:81 (bia 00:0B:86:00:15:81)
Description: Unit: 0, Slot: 4, Port: 0, Link Aggregate, cardID: 0xff010001
Spanning Tree is disabled
VLAN membership: 1
Member port:
Last clear of "show interface" counters 1 day 12 hr 29 min 14 sec
link status last changed 1 day 12 hr 29 min 14 sec
0 packets input, 0 bytes
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input error bytes, 0 CRC, 0 frame
0 multicast, 0 unicast
0 packets output, 0 bytes
0 output errors bytes, 0 deferred
0 collisions, 0 late collisions, 0 throttles
Port-Channel id 0 is NOT TRUSTED
User Details
------------
Name Password Role E-Mail Enabled
---- -------- ---- ------ -------
mprashant ******** employee Yes
aagarwal ******** employee Yes
rchou ******** employee Yes
kmelkote ******** employee Yes
kent ******** employee Yes
pmanglik ******** employee Yes
jtaylor ******** employee Yes
tfroess ******** employee Yes
ysato ******** employee Yes
dcallisch ******** employee Yes
test1 ******** test1 Yes
khuey ******** employee Yes
kester ******** employee Yes
rbalay ******** employee Yes
partha ******** employee Yes
sdekate ******** employee Yes
ghuber ******** employee Yes
kperedia ******** employee Yes
VPN Commands
IPSec Commands
show crypto dp
This command displays the last few add and delete commands sent from the
control path to the data path.
Policy option
ISAKMP ENABLED
Protection suite priority 10
encryption algorithm: 3DES - Triple Data Encryption Standard (168 bit keys)
hash algorithm: Secure Hash Algorithm
authentication method: Pre-Shared Key
Diffie-Hellman Group: #2 (1024 bit)
lifetime: [300 - 86400] seconds, no volume limit
Key option
L2TP Commands
NOTE—The tunnel id used in the command below is the remote id reported in the display above.
L2TP option
Enabled
Hello timeout: 60 seconds
DNS primary server: 10.1.1.2
DNS secondary server: 0.0.0.0
WINS primary server: 10.1.1.2
WINS secondary server: 0.0.0.0
PPP client authentication methods:
CACHE-SECURID: timeout 1440 minutes
IP LOCAL POOLS:
pool1: 10.2.15.1 - 10.2.15.100
PPTP option
Enabled
Hello timeout: 60 seconds
DNS primary server: 0.0.0.0
DNS secondary server: 0.0.0.0
WINS primary server: 0.0.0.0
WINS secondary server: 0.0.0.0
PPP client authentication methods:
MSCHAPv2
MPPE Configuration
40 bit encryption enabled
128 bit encryption enabled
Encryption REQUIRED
IP LOCAL POOLS:
default-dialer
--------------
Attribute Value
--------- -----
PPTP disabled
L2TP enabled
DNETCLEAR disabled
WIREDNOWIFI disabled
PAP enabled
CHAP enabled
MSCHAP enabled
MSCHAPV2 enabled
CACHE-SECURID enabled
IKESECS 28800
IKEENC 3DES
IKEGROUP TWO
IKEHASH SHA
IKEAUTH PRE-SHARE
IKEPASSWD w3lc0m3
IPSecSECS 7200
IPSecGROUP GROUP2
IPSecENC ESP-3DES
IPSecAUTH ESP-SHA-HMAC
PPTP Commands
Enabled
Hello timeout: 60 seconds
DNS primary server: 0.0.0.0
DNS secondary server: 0.0.0.0
WINS primary server: 0.0.0.0
WINS secondary server: 0.0.0.0
PPP client authentication methods:
MSCHAPv2
MPPE Configuration
40 bit encryption enabled
128 bit encryption enabled
Encryption REQUIRED
IP LOCAL POOLS:
Mobility Commands
Mobile Nodes
------------
Id Mac Ip HomeAgent Vlan Location
-- --- -- --------- ---- --------
1 00:30:f1:71:d5:bd 10.3.25.237 10.3.25.1 1 2/4
2 00:30:f1:71:d5:bf 10.2.12.253 10.3.25.1 212 2/12
3 00:30:f1:71:d6:26 10.3.25.182 10.3.25.1 1 2/6
4 00:80:c8:1f:9f:d3 10.3.25.170 10.3.25.1 1 1.2.2
5 00:30:f1:71:d5:ce 10.2.13.174 10.3.25.1 213 2/13
6 00:09:5b:06:3e:e1 10.1.5.1 10.3.25.1 7 2/22
7 00:0b:86:ff:ff:b6 10.1.5.11 10.3.25.1 7 2/22
8 00:04:e2:38:3f:e8 10.1.5.254 10.3.25.1 7 2/22
9 00:30:48:51:05:d5 10.1.5.10 10.3.25.1 7 2/22
• ID
• Time: The time the m-manager dropped the proxy
• Mac: The MAC address for which the proxy was dropped
• IP: The IP address of the MAC for which the proxy was dropped
• Reason: The reason the proxy was dropped
Datapath Messages
-----------------
Opcode Type Sent Recvd
------ ---- ---- -----
0x4 Session 0 N/A
0x5 Forward 84 N/A
0x2 Bridge 515 N/A
0x15 Mac 12239 10972
0x17 Tunnel 0 0
0x8 Arp 262 8
The message tables displayed by the mobile messages command are listed below;
each table contains the opcode, type of message, number sent, and number
received.
• Datapath Messages
• Master Messages
• Authentication Messages
• Station Management Messages
• Control Messages
Packet Count
------------
Type ARP TCP UDP DHCP ICMP IGMP IPIP GRE OTHERIP MISC TOTAL
---- --- --- --- ---- ---- ---- ---- --- ------- ---- -----
Recvd 295 20 183 348 1 3 0 296 4 47 1197
Sent 301 20 134 347 1 3 0 296 4 47 1144
Packet History
--------------
No. Time Opcode Vlan Slot Port SrcMac DestMac SrcIp DestIp Type Action
--- ---- ------ ---- ---- ---- ------ ------- ----- ------ ---- ------
1 Fri Aug 8 07:26:47 2003 0x2f 1 2 4 00:30:f1:71:d5:bd 00:0b:86:00:15:80 10.3.25.237 10.3.25.1 GRE HANDLED
2 Fri Aug 8 07:26:47 2003 0x2f 1 2 4 00:30:f1:71:d5:bd 00:0b:86:00:15:80 10.3.25.237 10.3.25.1 GRE HANDLED
3 Fri Aug 8 07:26:47 2003 0x2f 1 2 4 00:30:f1:71:d5:bd 00:0b:86:00:15:80 10.3.25.237 10.3.25.1 GRE HANDLED
4 Fri Aug 8 07:26:47 2003 0x2f 1 2 4 00:30:f1:71:d5:bd 00:0b:86:00:15:80 10.3.25.237 10.3.25.1 GRE HANDLED
5 Fri Aug 8 07:26:47 2003 0x2f 1 2 4 00:30:f1:71:d5:bd 00:0b:86:00:15:80 10.3.25.237 10.3.25.1 GRE HANDLED
• No
• Time
• Opcode: manufacturing information.
• Vlan: VLAN on which the packet arrived.
• Slot: Slot on which the packet arrived.
• Port: Port on which the packet arrived.
• SrcMac: Source MAC extracted from the ethernet frame.
• DestMac: Destination MAC extracted from the ethernet frame.
• SrcIP: Source IP address extracted from the ethernet frame.
• DestIP: Destination IP address extracted from the ethernet frame.
• Type: Type of packet.
• Action: What action the Mobility Manager took on the packet. The possible actions are:
Tunnel Users
------------
Id Mac Ip
-- --- --
1 00:05:5d:79:85:fe 10.3.18.251
Sap Tunnels
-----------
No. TunnelId Bssid Essid IP Vlan Location
--- -------- ----- ----- -- ---- --------
1 0x1069 00:0b:86:9d:5e:28 Alcatel-alpha-ap 10.3.25.249 1 1.2.3
2 0x106a 00:0b:86:9d:5e:28 alpha-guest 10.3.25.249 7 1.2.3
3 0x106b 00:0b:86:9d:5e:20 Alcatel-alpha-ap 10.3.25.249 1 1.2.3
4 0x106c 00:0b:86:9d:5e:20 alpha-guest 10.3.25.249 7 1.2.3
5 0x106d 00:0b:86:9d:5b:f0 alpha-guest 10.2.12.252 7 1.1.2
Mobile IP Tunnels
-----------------
No. TunnelId Local Remote
--- -------- ----- ------
1 4217 10.3.25.1 10.3.18.1
Options:
Summary
-------
Id Mac Ip User HomeAgent Role
-- --- -- ---- --------- ----
32 00:30:f1:71:d6:26 10.3.25.182 10.3.25.1 logon
31 00:30:f1:71:d5:bd 10.3.25.237 10.3.25.1 logon
33 00:30:f1:71:d5:bf 10.2.12.253 10.3.25.1 logon
25 00:0b:86:00:0b:00 10.2.15.1 jtaylor employee
44 00:30:f1:71:d5:ce 10.2.13.174 10.3.25.1 logon
45 00:30:48:51:05:d5 10.1.5.10 10.3.25.1 logon
Vlan Configuration
------------------
Vid Subnet Netmask
--- ------ -------
1 10.3.25.0 255.255.255.0
7 10.1.5.0 255.255.255.0
212 10.2.12.0 255.255.255.0
213 10.2.13.0 255.255.255.0
999 64.60.249.192 255.255.255.240
free-memory:1027072 bytes
This command displays the amount of memory available for pcap batch files.
BSSID Scanned
-------------
bssid beacon rssi active-time inactive-time
----- ------ ---- ----------- -------------
00:06:25:0f:6e:1f n 19 0 0
00:0b:86:20:27:19 n 14 0 0
00:00:00:00:00:00 n 50 0 0
00:0b:86:80:04:30 y 3 0 0
00:0b:86:80:20:f0 y 23 0 0
00:0b:86:80:13:60 y 13 0 0
00:0b:86:20:37:30 y 23 0 0
00:0b:86:20:27:1b n 16 0 0
00:0b:86:20:27:a5 y 40 0 0
00:0b:86:20:27:8e y 3 0 0
00:0b:86:80:08:10 y 6 0 0
00:0c:41:13:f9:cd n 49 0 0
00:30:bd:62:4b:48 y 12 0 0
00:0b:86:b0:01:cb y 0 0 0
00:0b:86:b0:02:55 y 17 0 0
00:0b:86:20:27:8f y 6 0 0
00:06:25:b5:6f:0a n 1 0 0
00:80:c8:b0:55:66 n 57 0 0
00:0b:86:20:27:1d y 27 0 0
Options:
Potential AP Table
------------------
bssid channel phy num-beacons tot-beacons mt at
----- ------- --- ----------- ----------- -- --
00:0b:86:a0:01:fc 36 80211a 0 9 27 0
00:0b:86:20:27:8e 1 80211b 0 9 12 0
00:0b:86:a0:04:15 36 80211a 0 9 13 0
00:0b:86:b0:01:47 1 80211b 0 9 5 0
00:0b:86:20:27:7f 1 80211b 0 9 18 0
00:0b:86:20:27:24 6 80211b 0 9 19 0
00:0b:86:20:27:af 1 80211b 0 9 28 0
Num Potential APs:7
Frame rates
-----------
retry low-speed non-unicast recv-error frag bwidth
----- --------- ----------- ---------- ---- ------
0 33 100 0 0 8
RSSI
----
cur-signal low-signal high-signal cur-noise low-noise high-noise
---------- ---------- ----------- --------- --------- ----------
100 100 165 13 9 39
Frame rates
-----------
retry low-speed non-unicast recv-error frag bwidth
----- --------- ----------- ---------- ---- ------
0 9 100 0 0 7
RSSI
----
cur-signal low-signal high-signal cur-noise low-noise high-noise
---------- ---------- ----------- --------- --------- ----------
100 100 165 12 9 39
Raw Stats
---------
tx-pkt tx-byte rx-pkt rx-byte tx-retry-pkt rx-retry-pkt tx-frag-pkt rx+
------ ------- ------ ------- ------------ ------------ ----------- --+
247960 19878186 27075 4577596 18 3559 0 0 +
Tx Frame Type Stats
-------------------
mgmt-pkt mgmt-byte ctrl-pkt ctrl-byte data-pkt data-byte
-------- --------- -------- --------- -------- ---------
247568 19804838 0 0 392 73348
Rx Frame Type Stats
-------------------
mgmt-pkt mgmt-byte ctrl-pkt ctrl-byte data-pkt data-byte
-------- --------- -------- --------- -------- ---------
548 25264 0 0 26527 4552332
Dest Addr Type Stats
--------------------
bcast-pkt bcast-byte mcast-pkt mcast-byte ucast-pkt ucast-byte
--------- ---------- --------- ---------- --------- ----------
247684 19833378 7 975 269 43833
Frame Size Packet Stats
-----------------------
type 0-63 64-127 128-255 256-511 512-1023 1024+
---- ---- ------ ------- ------- -------- -----
tx 96 134 114 42 3 3
rx 10397 9292 4241 1982 66 549
Tx Frame Rate Stats
-------------------
pkt-1m byte-1m pkt-2m byte-2m pkt-5.5m byte-5.5m pkt-11m byte-11m
------ ------- ------ ------- -------- --------- ------- --------
14 518 0 0 0 0 34 2949
Rx Frame Rate Stats
-------------------
pkt-1m byte-1m pkt-2m byte-2m pkt-5.5m byte-5.5m pkt-11m byte-11m
------ ------- ------ ------- -------- --------- ------- --------
1568 135551 5699 768444 5736 924896 14072 2748705
Association Table
-----------------
mac rsta-type auth phy-type
--- --------- ---- --------
00:0b:fd:52:dc:f6 valid yes 80211b
AP Table
--------
bssid essid chan ap-type phy-type dos mt it load-bal
----- ----- ---- ------- -------- --- -- -- -------
00:0b:86:16:b7:9c ethersphere 1 valid 80211b disable 3273 0 disable
00:30:f1:71:94:08 guest-Wireless LAN 36 valid 80211a disable 1073 0 disable
00:0b:86:a0:00:ac Alcatel-test 36 valid 80211a enable 1073 0 disable
STA Table
---------
mac bssid essid sta-type auth phy-type mt it
--- ----- ----- -------- ---- -------- -- --
00:e0:00:d3:47:15 00:0b:86:16:b7:9c ethersphere valid yes 80211b 205 2
00:80:c8:17:14:3e 00:09:5b:2f:37:a8 qa_netgear_wab102b valid no 80211b 295 0
00:0b:fd:52:dc:d4 00:30:f1:70:49:5e smoketest_ap_b interfering no 80211b 1412 5
00:80:c8:18:93:95 00:30:f1:71:93:da ethersphere valid yes 80211a 591 1
00:0c:41:15:1d:be 00:0b:86:16:a7:7b ethersphere valid yes 80211b 96 1
Num STAs:5
Counters
--------
Name Value
---- -----
Remove Event 4
Probe Register 4
Set Mode 3
AP Message 258
Set RAP Type 158
STA Message 278
Set RSTA Type 44
Configuration Update 4
Poll Request 777
Poll Response 387
Probe AP Type 101
Probe Get Mode 3
Probe Wired MAC Update 4
Add Event 39
WMS Commands
WMS commands are privileged commands entered from the WMS sub-mode.
show wms
This command displays information about the wireless management system
and its components.
Options:
AP Info
-------
BSSID SSID Channel Type RAP_Type Status
----- ---- ------- ---- -------- ------
00:0b:86:20:28:13 alpha-guest 1 soft-ap valid up
Probe Info
----------
MAC IP Loc Type Status
--- -- --- ---- ------
00:0b:86:20:27:a0 10.3.25.249 1.2.3 air-monitor up
00:0b:86:20:28:13 10.2.13.252 1.1.1 soft-ap up
00:0b:86:20:27:ac 10.2.12.252 1.1.2 air-monitor up
00:0b:86:20:27:a1 10.1.1.150 1.1.3 sap-monitor up
00:0b:86:20:27:a6 10.3.25.248 1.1.4 air-monitor up
AP Info
-------
BSSID SSID Channel Type RAP_Type Status
----- ---- ------- ---- -------- ------
00:30:f1:71:93:d5 alpha-guest 48 soft-ap valid up
Probe Info
----------
MAC IP Loc Type Status
--- -- --- ---- ------
00:30:f1:71:94:08 10.3.25.249 1.2.3 air-monitor up
00:0b:86:a0:00:5a 10.2.12.252 1.1.2 air-monitor up
00:30:f1:71:93:54 10.3.25.248 1.1.4 air-monitor up
00:30:f1:71:93:d5 10.1.1.150 1.1.3 soft-ap up
Counters
--------
Name Value
---- -----
DB Reads 2266
DB Writes 382945
Remove Event 206
Probe Register 105
AP Message 10196
Set RAP Type 5221
STA Message 14332
Set RSTA Type 2480
Configuration Update 110
Poll Request 19091
Poll Response 19080
Probe AP Type 76
Probe Unsecure AP 1
SAP Down 13
Probe Wired MAC Update 107
Add Event 371
Options:
CONFIG_AP_RESULT
----------------
PARAMETER 802.11b/g 802.11a
--------- --------- -------
Location (Bldg.Flr.Loc) 1.1.2 1.1.2
BSSID N/A N/A
Channel 1 36
ESSID alpha-guest alpha-guest
Encryption staticWep staticWep
Device Type am_mode am_mode
Authentication opensystem opensystem
Short Preamble Enabled N/A
RTS Threshold (Bytes) 2333 2333
Transmit Power (Level) 2 2
.
.
.
Hidden SSID Disabled Disabled
Deny_Broadcast Probes Disabled Disabled
b/g Mode mixed N/A
Country Code US US
WPA Hexkey N/A N/A
WPA Passphrase N/A N/A
LMS IP N/A N/A
Backup LMS 0.0.0.0 0.0.0.0
show ap configs
This command displays the configuration information for all APs.
The BSSID of the access point may be obtained using the show stm connectivity
command.
CONFIG_AP_RESULT
----------------
PARAMETER 802.11b/g
--------- ---------
Location (Bldg.Flr.Loc) 1.1.3
BSSID 00:0b:86:9d:63:e0
Channel 1
ESSID alpha-guest
Encryption staticWep
Device Type ap_mode
Authentication opensystem
Short Preamble Enabled
RTS Threshold (Bytes) 2333
Transmit Power (Level) 2
Retry Limit 8
DTIM Interval (beacon periods) 1
Max Associations 64
Beacon Period (millisecs) 100
Basic Rates 1,2
Transmit Rates 1,2,5,11
AP Radio Enabled
Power Management Enabled
Station Ageout Time (secs) 1000
VLAN ID 7
Hidden SSID Disabled
Deny_Broadcast Probes Disabled
b/g Mode mixed
Country Code US
WPA Hexkey N/A
WPA Passphrase N/A
LMS IP 10.3.25.1
Backup LMS 0.0.0.0
Number Condition
0 AP radio down
1 Unsecure AP found
2 Wireless LAN IDS event
3 Interference detected
4 AP overload
5 OK
6 No AP connected
show ap locations
This command displays a simple table of AP locations. Use this command to
get location information to use in other show ap commands.
AP_REGISTRATIONS_RESULT
-----------------------
LOC SAP_IP LMS_IP .b_MAC .a_MAC STATE
--- ------ ------ ------ ------ -----
1.1.1 10.2.13.194 10.2.13.254 00:30:f1:70:49:93 00:30:f1:71:93:8f 7
1.1.2 10.2.12.253 10.2.12.254 00:30:f1:70:49:4c 00:30:f1:71:93:7d 7
1.1.3 10.1.1.56 10.3.25.1 00:30:f1:70:49:6f 00:30:f1:71:93:d5 7
1.1.4 10.2.12.212 10.2.12.254 00:30:f1:70:49:65 00:30:f1:71:93:54 7
1.2.1 10.3.25.252 10.3.25.1 00:30:f1:70:49:7e 00:30:f1:71:93:53 7
1.2.2 10.3.25.237 10.3.25.1 00:30:f1:70:49:71 00:30:f1:71:93:5c 7
1.2.3 10.3.25.253 10.3.25.1 00:30:f1:70:49:ad 00:30:f1:71:94:08 7
Num APs:7
Authentication Commands
Services
--------
Name Protocol Ports
---- -------- -----
Alcatel1645 udp 1645
Services
--------
Name Destination Inverted
---- ----------- --------
Alcatel 10.1.1.2 No
user 255.255.255.255 0.0.0.0 No
RSA 10.1.1.58 No
mswitch 10.3.25.1 No
Alcatel2 10.1.1.3 No
any 0.0.0.0 0.0.0.0 No
show user
This command displays information about users, including: roles, IP addresses,
MAC addresses, user names, location, associations, and authentication
methods. Executing this command without options displays all users.
Options:
show rights
(Alcatel) (config) #show rights
RoleTable
---------
Name ACL Bandwidth ACL List Type
---- --- --------- -------- ----
ap-role 3 No Limit control ap-acl System
trusted-ap 5 No Limit allowall System
employee 18 No Limit vpnlogon employee User
vpnemployee 19 No Limit vpnemployee User
marketing 20 No Limit marketing User
guest 2 No Limit control cplogout User
stateful-dot1x 4 No Limit System
stateful 21 No Limit control User
logon 1 No Limit control captiveportal vpnlogon User
When the command is executed the system will display a screen similar to the
one below.
Options:
When this command is executed the system returns a screen containing a table
that includes the following information about each of the supplicants.
Options:
Options:
Mode = Enabled
Default Role = 'employee'
Dialer download location = /auth/dialer.html
Auth Server List
----------------
Pri Name Type Status Inservice Applied
--- ---- ---- ------ --------- -------
1 RSA RADIUS Enabled Yes 1
PAPI Messages
-------------
Msg ID Name Since last Read Total
------ ---- --------------- -----
13 mm inter move 13 13
5004 set master ip 1 1
7005 Set switch ip 1 1
16 mm move user 11 11
Sibyte Messages
---------------
Opcode Name Since last Read Total
------ ---- --------------- -----
3 route 24 24
15 acl 19 19
16 ace 77 77
17 user 80 80
29 wkey 78 78
30 station 10 10
42 nat 1 1
43 user tmout 117 117
53 ace log 62 62
56 forw unenc 50 50
64 auth 24 24
Role Derivation:
ACL Hits:
When the command is executed the system will display a screen similar to the
one below.
Mode = 'Enabled'
Default Role = 'guest'
Auth Server List
----------------
Pri Name Type Status Inservice Applied
--- ---- ---- ------ --------- -------
1 Alcatel RADIUS Enabled Yes 1
2 IAS RADIUS Enabled Yes 1
Dialer Commands
show acl
This command displays information from the acl and ace tables.
Options:
show session-access-list
This command displays a list of access control lists.
control
dew
airmon
employee
captiveportal
allowall
vpnlogon
guest
stateful-dot1x
stateful-kerberos
show time-range
This command displays currently configured time ranges.
MUX Commands
show mux
This command displays information about the MUX configured on the switch.
Options:
Depending on the target of the show command, the output is more clearly
formatted in summary or detail tables:
• Summary Tables
The show commands that display information for a general feature or a large set
of items output columns of information in a summary table. For example:
NOTE—You can also force most general show commands to present information in the detail list format by adding the
verbose option to the end of the command (such as show Wireless LAN verbose).
• Detail Lists
The show commands that display information for a specific device, protocol, or
event present detailed information in a list format. For example:
CONFIG_AP_RESULT
----------------
PARAMETER 802.11b/g 802.11a
--------- --------- -------
Location (Bldg.Flr.Loc) 0.0.0 0.0.0
BSSID N/A N/A
Channel 1 36
ESSID ether sphere
Encryption staticWep,dynamicWep TKIP
Device Type ap_mode ap_mode
Authentication opensystem opensystem
Short Preamble Disabled N/A
RTS Threshold (Bytes) 2333 2333
Transmit Power (Level) 2 2
Retry Limit 8 3
DTIM Interval (beacon periods) 1 1
Max Associations 50 50
Beacon Period (millisecs) 100 100
Basic Rates 1,2,5,11 48.54
Transmit Rates 1,2,5,11 48,54
AP Radio Enabled Enabled
Power Management Enabled Enabled
Station Ageout Time (secs) 1000 1000
VLAN ID 0 0
Hidden SSID Disabled Enabled
Deny_Broadcast Probes Disabled Enabled
b/g Mode mixed N/A
Country Code US US
WPA Hexkey N/A N/A
WPA Passphrase N/A N/A
LMS IP N/A N/A
Backup LMS 0.0.0.0 0.0.0.0
Appendices
802.11 standard*
802.11, or IEEE 802.11, is a type of radio technology used for
wireless local area networks (Wireless LANs). It is a standard that
has been developed by the IEEE (Institute of Electrical and
Electronic Engineers), http://standards.ieee.org. The IEEE is an
international organization that develops standards for hundreds
of electronic and electrical technologies. The organization uses a
series of numbers, like the Dewey Decimal system in libraries, to
differentiate between the various technology families.
The 802 subgroup (of the IEEE) develops standards for local and
wide area networks with the 802.11 section reviewing and
creating standards for wireless local area networks.
802.11a*
An IEEE specification for wireless networking that operates in the
5 GHz frequency range (5.725 GHz to 5.850 GHz) with a
maximum 54 Mbps data transfer rate. The 5 GHz frequency band
is not as crowded as the 2.4 GHz frequency, because the 802.11a
specification offers more radio channels than the 802.11b. These
additional channels can help avoid radio and microwave
interference.
Glossary 911
802.11b*
International standard for wireless networking that operates in the 2.4 GHz
frequency range (2.4 GHz to 2.4835 GHz) and provides a throughput of up to
11 Mbps. This is a very commonly used frequency. Microwave ovens, cordless
phones, medical and scientific equipment, as well as Bluetooth devices, all
work within the 2.4 GHz frequency band.
802.11g*
Similar to 802.11b, but this standard provides a throughput of up to 54 Mbps.
It also operates in the 2.4 GHz frequency band but uses a different radio
technology in order to boost overall bandwidth.
Access point*
A wireless LAN transceiver or “base station” that can connect a wired LAN to
one or many wireless devices. Access points can also bridge to each other.
There are various types of access points and base stations used in both
wireless and wired networks. These include bridges, hubs, switches, routers
and gateways. The differences between them are not always precise, because
certain capabilities associated with one can also be added to another. For
example, a router can do bridging, and a hub may also be a switch. But they
are all involved in making sure data is transferred from one location to another.
A bridge connects devices that all use the same kind of protocol. A router can
connect networks that use differing protocols. It also reads the addresses
included in the packets and routes them to the appropriate computer station,
working with any other routers in the network to choose the best path to send
the packets on. A wireless hub or access point adds a few capabilities such as
roaming and provides a network connection to a variety of clients, but it does
not allocate bandwidth. A switch is a hub that has extra intelligence: It can
read the address of a packet and send it to the appropriate computer station. A
wireless gateway is an access point that provides additional capabilities such
as NAT routing, DHCP, firewalls, security, etc.
Air Monitor
A wireless access point used to detect wireless devices within range of itself,
for the purpose of determining which devices exist near the network and
monitoring their activity.
Application software*
A computer program that is designed to do a general task. For example, word
processing, payroll, Internet browsers and graphic design programs would all
be considered applications.
Authenticator
An entity at one end of a point-to-point LAN segment that facilitates
authentication of the entity attached to the other end of that link. Example:
OmniAccess-6000 is an 802.1x Authenticator.
Backbone*
The central part of a large network that links two or more subnetworks and is
the primary path for data transmission for a large business or corporation. A
network can have a wired backbone or a wireless backbone.
Bandwidth*
The amount of transmission capacity that is available on a network at any
point in time. Available bandwidth depends on several variables such as the
rate of data transmission speed between networked devices, network
overhead, number of users, and the type of device used to connect PCs to a
network. It is similar to a pipeline in that capacity is determined by size: the
wider the pipe, the more water can flow through it; the more bandwidth a
network provides, the more data can flow through it. Standard 802.11b
provides a bandwidth of 11 Mbps; 802.11a and 802.11g provide a bandwidth
of 54 Mbps.
Bridge*
A product that connects a local area network (LAN) to another local area
network that uses the same protocol (for example, wireless, Ethernet or token
ring). Wireless bridges are commonly used to link buildings in campuses.
Bus adapter*
A special adapter card that installs in a PC's PCI or ISA slot and enables the
use of PC Card radios in desktop computers. Some companies offer one-piece
PCI or ISA Card radios that install directly into an open PC or ISA slot.
Captive Portal
A secure, dedicated, web connection between a client station and a server.
Certificates
Certificates are digital documents which are commonly used for authenticating
users, computers and for securing information on open networks. Certificates
bind public keys to the entity that possesses the private key and are digitally
signed by the issuing certification authority (CA).
CLI
Command Line Interface
Client*
Any computer connected to a network that requests services (files, print
capability) from another member of the network.
Client devices*
Clients are end users. Wi-Fi client devices include PC Cards that slide into
laptop computers, mini-PCI modules embedded in laptop computers and
mobile computing devices, as well as USB radios and PCI/ISA bus Wi-Fi radios.
Client devices usually communicate with hub devices like access points and
gateways.
Collision avoidance*
A network node characteristic for proactively detecting that it can transmit a
signal without risking a collision.
CSMA/CA*
CSMA/CA is the principal medium access method employed by IEEE 802.11
Wireless LANs. It is a “listen before talk” method of minimizing (but not
eliminating) collisions caused by simultaneous transmission by multiple
radios. IEEE 802.11 specifies that a collision avoidance method, rather than
collision detection, must be used, because the standard employs half-duplex
radios (radios capable of transmission or reception, but not both
simultaneously). Unlike conventional wired Ethernet nodes, a Wireless LAN
station cannot detect a collision while transmitting. If a collision occurs, the
transmitting station will not receive an acknowledgement (ACK) packet from
the intended receiving station. For this reason, ACK packets have a higher
priority than all other network traffic. After completion of a data
transmission, the receiving station will begin transmission of the ACK packet
before any other node can begin transmitting a new data packet. All other
stations must wait a longer, pseudo-randomized period of time before
transmitting. If an ACK packet is not received, the transmitting station will
wait for a subsequent opportunity to retry transmission.
CSMA/CD*
A method of managing traffic and reducing noise on an Ethernet network. A
network device transmits data after detecting that a channel is available.
However, if two devices transmit data simultaneously, the sending devices
detect a collision and retransmit after a random time delay.
DC power module*
Modules that convert AC power to DC. Depending on manufacturer and
product, these modules can range from typical “wall wart” transformers that
plug into a wall socket and provide DC power via a tiny plug to larger,
enterprise-level Power Over Ethernet systems that inject DC power into the
Ethernet cables connecting access points.
DHCP*
A utility that enables a server to dynamically assign IP addresses from a
predefined list and limit their time of use so that they can be reassigned.
Without DHCP, an IT Manager would have to manually enter all the IP
addresses of all the computers on the network. When DHCP is used, whenever
a computer logs onto the network, it automatically gets an IP address assigned
to it.
Diversity antenna*
A type of antenna system that uses two antennas to maximize reception and
transmission quality and reduce interference.
DNS*
A program that translates URLs to IP addresses by accessing a database
maintained on a collection of Internet servers. The program works behind the
scenes to make it possible to surf the Web with alphabetic rather than numeric
addresses. A DNS server converts a name like mywebsite.com to a series of
numbers like 107.22.55.26. Every website has its own specific IP address on
the Internet.
DoS
Denial of Service.
EAP
(Extensible Authentication Protocol) is a general protocol for PPP
authentication which supports multiple authentication mechanisms.
EAP-TLS
(EAP-Transport Level Security) is used in certificate-based security
environments. It provides the strongest authentication and key determination
method. EAP-TLS provides mutual authentication, negotiation of the
encryption method, and encrypted key determination between the client and
the authenticator.
EAP-TTLS
(EAP-Tunnelled TLS Authentication Protocol) is an EAP protocol that extends
EAP-TLS. In EAP-TLS, a TLS handshake is used to mutually authenticate a
client and server. EAP-TTLS extends this authentication negotiation by using
the secure connection established by the TLS handshake to exchange
additional information between client and server. In EAP-TTLS, the TLS
handshake may be mutual; or it may be one-way, in which only the server is
authenticated to the client.
Enterprise*
A term that is often applied to large corporations and businesses. The
enterprise market can incorporate office buildings, manufacturing plants,
warehouses and R&D facilities, as well as large colleges and universities.
ESSID*
The identifying name of an 802.11 wireless network. When you specify your
correct ESSID in your client setup you ensure that you connect to your
wireless network rather than another network in range. (See SSID.) The ESSID
can be called by different terms, such as Network Name, Preferred Network,
SSID or Wireless LAN Service Area.
Ethernet*
International standard networking technology for wired implementations.
Basic 10BaseT networks offer a bandwidth of about 10 Mbps. Fast Ethernet
(100 Mbps) and Gigabit Ethernet (1000 Mbps) are becoming popular.
Firewall*
A system that secures a network and prevents access by unauthorized users.
Firewalls can be software, hardware or a combination of both. Firewalls can
prevent unrestricted access into a network, as well as restrict data from
flowing out of a network.
Gateway*
In the wireless world, a gateway is an access point with additional software
capabilities such as providing NAT and DHCP. Gateways may also provide
VPN support, roaming, firewalls, various levels of security, etc.
Hub*
A multiport device used to connect PCs to a network via Ethernet cabling or
via WiFi. Wired hubs can have numerous ports and can transmit data at
speeds ranging from 10 Mbps to multigigabit speeds. A hub
transmits packets it receives to all the connected ports. A small wired hub may
only connect 4 computers; a large hub can connect 48 or more. Wireless hubs
can connect hundreds.
Hz*
The international unit for measuring frequency, equivalent to the older unit of
cycles per second. One megahertz (MHz) is one million hertz. One gigahertz
(GHz) is one billion hertz. The standard US electrical power frequency is 60 Hz,
the AM broadcast radio frequency band is 535 to 1605 kHz, the FM broadcast
radio frequency band is 88 to 108 MHz, and wireless 802.11b LANs operate at
2.4 GHz.
I/O*
The term used to describe any operation, program or device that transfers data
to or from a computer.
ICSA
IEEE*
Institute of Electrical and Electronics Engineers, New York, www.ieee.org. A
membership organization that includes engineers, scientists and students in
electronics and allied fields. It has more than 300,000 members and is involved
with setting standards for computers and communications.
IEEE 802.11*
A set of specifications for LANs from The Institute of Electrical and Electronics
Engineers (IEEE). Most wired networks conform to 802.3, the specification for
CSMA/CD based Ethernet networks or 802.5, the specification for token ring
networks. 802.11 defines the standard for wireless LANs encompassing three
incompatible (non-interoperable) technologies: Frequency Hopping Spread
Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS) and Infrared.
WECA’s focus is on 802.11b, an 11 Mbps high-rate DSSS standard for
wireless networks.
IP*
A set of rules used to send and receive messages at the Internet address level.
ISA*
A type of internal computer bus that allows the addition of card-based
components like modems and network adapters. ISA has been replaced by
PCI and is not very common anymore.
ISDN*
A type of broadband Internet connection that provides digital service from the
customer's premises to the dial-up telephone network. ISDN uses standard
POTS copper wiring to deliver voice, data or video.
IKE
Internet Key Exchange. The Internet Key Exchange (IKE) protocol is a key
management protocol standard which is used in conjunction with the IPSec
standard.
IPSec
IPSec is an IP security feature that provides robust authentication and
encryption of IP packets.
L2TP
Layer 2 Tunnelling Protocol. L2TP is an extension of Point-to-Point Protocol
(PPP).
LAN*
A system of connecting PCs and other devices within the same physical
proximity for sharing resources such as an Internet connections, printers, files
and drives. When Wi-Fi is used to connect the devices, the system is known as
a wireless LAN or Wireless LAN.
Laser-beam
A stream of de-authorization packets sent from an Air Monitor (AM) to an
Access Point (AP) to enforce security policies, typically when a Rogue AP has
been detected.
MAC*
Every wireless 802.11 device has its own specific MAC address hard-coded
into it. This unique identifier can be used to provide security for wireless
networks. When a network uses a MAC table, only the 802.11 radios that have
had their MAC addresses added to that network's MAC table will be able to
get onto the network.
Mapping*
Assigning a PC to a shared drive or printer port on a network.
Mobile professional*
A salesperson or a “road warrior” who travels frequently and requires the
ability to regularly access his or her corporate networks, via the Internet, to
post and retrieve files and data and to send and receive e-mail.
NAT*
A network capability that enables a houseful of computers to dynamically
share a single incoming IP address from a dial-up, cable or xDSL connection.
NAT takes the single incoming IP address and creates a new IP address for
each client computer on the network.
NIC*
A type of PC adapter card that either works without wires (Wi-Fi) or attaches
to a network cable to provide two-way communication between the computer
and network devices such as a hub or switch. Most office wired NICs operate
at 10 Mbps (Ethernet), 100 Mbps (Fast Ethernet) or 10/100 Mbps dual speed.
High-speed Gigabit and 10 Gigabit NIC cards are also available. See PC Card.
PC card*
A removable, credit-card-sized memory or I/O device that fits into a Type 2
PCMCIA standard slot. PC Cards are used primarily in PCs, portable
computers, PDAs and laptops. PC Card peripherals include Wi-Fi cards,
memory cards, modems, NICs, hard drives, etc.
PCI*
A high-performance I/O computer bus used internally on most computers.
Other bus types include ISA and AGP. PCIs and other computer buses enable
the addition of internal cards that provide services and features not supported
by the motherboard or other connectors.
PEAP
(Protected EAP) is an authentication protocol that uses TLS to enhance the
security of other EAP authentication methods. PEAP for Microsoft 802.1X
Authentication Client provides support for EAP-TLS, which uses certificates
for both server authentication and client authentication, and Microsoft
Challenge Handshake Authentication Protocol version 2 (EAP-MS-CHAP v2),
which uses certificates for server authentication and password-based
credentials for client authentication.
PHY*
The lowest layer within the OSI Network Model. It deals primarily with
transmission of the raw bit stream over the PHYsical transport medium. In the
case of wireless LANs, the transport medium is free space. The PHY defines
parameters such as data rates, modulation method, signalling parameters,
transmitter/receiver synchronization, etc. Within an actual radio
implementation, the PHY corresponds to the radio front end and baseband
signal processing sections.
PPTP
Point-to-Point Tunnelling Protocol. A secure method of transmitting data on a
virtual private network (VPN).
Proxy server*
Used in larger companies and organizations to improve network operations
and security, a proxy server is able to prevent direct communication between
two or more networks. The proxy server forwards allowable data requests to
remote servers and/or responds to data requests directly from stored remote
server data.
RADIUS
(Remote Authentication Dial-In User Service) is a distributed client/server
system that secures networks against unauthorized access.
OmniAccess-6000 can be configured as a RADIUS Client and send
authentication requests to the configured RADIUS servers, which contain all
user authentication and network service access information.
Range*
How far will your wireless network stretch? Most Wi-Fi systems will provide a
range of a hundred feet or more. Depending on the environment and the type
of antenna used, Wi-Fi signals can have a range of up to a mile.
RJ-45*
Standard connectors used in Ethernet networks. Even though they look very
similar to standard RJ-11 telephone connectors, RJ-45 connectors can have
up to eight wires, whereas telephone connectors have only four.
Roaming*
Moving seamlessly from one AP coverage area to another with no loss in
connectivity.
Rogue AP
A Rogue AP is an unauthorized access point attached to a network, and
providing unauthorized access to that network.
Server*
A computer that provides its resources to other computers and devices on a
network. These include print servers, Internet servers and data servers. A
server can also be combined with a hub or router.
Site survey*
The process whereby a wireless network installer inspects a location prior to
putting in a wireless network. Site surveys are used to identify the radio- and
client-use properties of a facility so that access points can be optimally
placed.
SSH
Secure SHell, also known as secure socket shell. A UNIX-based command
interface used to gain secure access to a computer or computer network.
Alcatel implements OpenSSH.
NOTE—It is Alcatel’s policy in supporting OpenSSH to continuously apply security
patches and bug fixes. However, Alcatel does not update the OpenSSH version
string when security patches do not update the version. Changing the version
introduces possible incompatibilities with SSH client v3.2.0b267 and 4.1.3.2.
SSID*
A 32-character unique identifier attached to the header of packets sent over a
Wireless LAN that acts as a password when a mobile device tries to connect
to the BSS. (Also called ESSID.) The SSID differentiates one Wireless LAN
from another, so all access points and all devices attempting to connect to a
specific Wireless LAN must use the same SSID. A device will not be permitted
to join the BSS unless it can provide the unique SSID. Because an SSID can be
sniffed in plain text from a packet, it does not supply any security to the
network. An SSID is also referred to as a Network Name because essentially it
is a name that identifies a wireless network.
SSL*
A commonly used encryption scheme used by many online retail and banking
sites to protect the financial integrity of transactions. When an SSL session
begins, the server sends its public key to the browser. The browser then sends
a randomly generated secret key back to the server in order to have a secret
key exchange for that session.
Subnetwork or Subnet*
Found in larger networks, these smaller networks are used to simplify
addressing between numerous computers. Subnets connect to the central
network through a router, hub or gateway. Each individual wireless LAN will
probably use the same subnet for all the local computers it talks to.
Supplicant
An entity at one end of a point-to-point LAN segment that is being
authenticated by an authenticator attached to the other end of that link.
Example: Win-XP/2K Wireless station is a supplicant.
Switch*
A type of hub that efficiently controls the way multiple devices use the same
network so that each can operate at optimal performance. A switch acts as a
network's traffic cop: rather than transmitting all the packets it receives to all
ports as a hub does, a switch transmits packets to only the receiving port.
TCP*
A protocol used along with the Internet Protocol (IP) to send data in the form of
individual units (called packets) between computers over the Internet. While IP
takes care of handling the actual delivery of the data, TCP takes care of
keeping track of the packets that a message is divided into for efficient routing
through the Internet. For example, when a web page is downloaded from a
web server, the TCP program layer in that server divides the file into packets,
numbers the packets, and then forwards them individually to the IP program
layer. Although each packet has the same destination IP address, it may get
routed differently through the network. At the other end, TCP reassembles the
individual packets and waits until they have all arrived to forward them as a
single file.
TCP/IP*
The underlying technology behind the Internet and communications between
computers in a network. The first part, TCP, is the transport part, which
matches the size of the messages on either end and guarantees that the
correct message has been received. The IP part is the user's computer address.
TLS
(Transport Layer Security) provides privacy and data integrity between two
communicating applications.
Virtual AP
An instance of a unique virtual access point.
VPN*
A type of technology designed to increase the security of information
transferred over the Internet. VPN can work with either wired or wireless
networks, as well as with dial-up connections over POTS. VPN creates a
private encrypted tunnel from the end user's computer, through the local
wireless network, through the Internet, all the way to the corporate servers
and database.
WAN*
A communication system of connecting PCs and other computing devices
across a large local, regional, national or international geographic area. Also
used to distinguish between phone-based data networks and Wi-Fi. Phone
networks are considered WANs and Wi-Fi networks are considered Wireless
Local Area Networks (Wireless LANs).
War Driver
A program or utility used to discover and gain unauthorized access to wireless
access points in order to corrupt or collect information stored on the network.
WEP*
Basic wireless security provided by Wi-Fi. In some instances, WEP may be all
a home or small-business user needs to protect wireless data. WEP is
available in 40-bit (also called 64-bit), or in 108-bit (also called 128-bit)
encryption modes. As 108-bit encryption provides a longer algorithm that
takes longer to decode, it can provide better security than basic 40-bit (64-bit)
encryption.
Wi-Fi*
An interoperability certification for wireless local area network (LAN) products
based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11
standard.
Wireless LAN*
Also referred to as LAN. A type of local-area network that uses high-frequency
radio waves rather than wires to communicate between nodes.
WMS
Wireless LAN Management System
WPA, WPA2
Wireless Protected Access and the update to this standard.