Alcatel-Lucent omniaccess User Manual

OmniAccess RN: User Guide
22
Part 031650-00
May 2005
The role created for the Secure Remote Access Point Service in Step 3 must also be set as the default role for VPN authentication (aaa vpn-authentication), so that a Remote AP whose IPSec tunnel authenticates successfully is placed in that role. Enter:
(Alcatel6000) #configure terminal
(Alcatel6000) (config) #aaa vpn-authentication default-role remote-ap
(Alcatel6000) (config) #
For more information on configuring IPSec and VPNs, see "Configuring Virtual Private Networks" on page 143, and see "Configuring AAA Servers" on page 81 for more information on configuring the AAA server.
5. Configuring the NAT device that is connected to the Alcatel Mobility Controller.
The AP and the switch communicate over UDP port 4500, the IPSec NAT-Traversal (NAT-T) port. When both the switch and the AP are behind NAT devices, the AP is configured with the public address of the NAT device in front of the switch as its master address. On that NAT device, enable NAT-T (UDP port 4500 only) and forward every packet that arrives at the NAT device's public address on UDP port 4500 to the Alcatel Mobility Controller's address on UDP port 4500; without this forward the Remote AP cannot bootstrap.
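To check that the forward is working, capture UDP/4500 on the controller side of the NAT device and look at what actually arrives: an AP that is bootstrapping first sends IKE messages (UDP-encapsulated with a 4-byte zero "non-ESP marker"), then UDP-encapsulated ESP, plus one-byte 0xFF NAT keepalives. The following added example (not Alcatel code) classifies such datagrams according to RFC 3948 and summarises a capture; the capture tuples, addresses, SPIs, and the helper names are constructed for illustration, and the capture point is assumed to be the controller-side interface, so a UDP/4500 datagram still addressed to anything other than the controller indicates the forward rule did not rewrite it.

```python
"""Classify IPsec NAT-T datagrams (UDP 4500) from a capture and judge whether the
NAT device is forwarding them to the controller.  Added example, not Alcatel code.

Framing per RFC 3948 (UDP encapsulation of IPsec ESP):
  * a single 0xFF byte                           -> NAT-keepalive
  * 4 zero bytes ("non-ESP marker") + IKE header -> IKE carried over UDP 4500
  * otherwise the first 4 bytes are a non-zero SPI -> UDP-encapsulated ESP
"""
from __future__ import annotations

import struct
from collections import Counter
from dataclasses import dataclass

NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
# ISAKMP/IKE header: iSPI, rSPI, next payload, version, exchange type, flags, message ID, length
IKE_HEADER = struct.Struct("!8s8sBBBBII")

# Exchange types from RFC 2408/2409 (IKEv1) and RFC 7296 (IKEv2) worth naming.
EXCHANGE_NAMES = {
    (1, 2): "ikev1-main-mode",
    (1, 4): "ikev1-aggressive",
    (1, 5): "ikev1-informational",
    (1, 32): "ikev1-quick-mode",
    (2, 34): "ikev2-sa-init",
    (2, 35): "ikev2-auth",
    (2, 36): "ikev2-create-child-sa",
    (2, 37): "ikev2-informational",
}


@dataclass(frozen=True)
class Datagram:
    """One UDP datagram as a capture tool might hand it over (hypothetical shape)."""
    src: str
    dst: str
    dport: int
    payload: bytes


def classify_natt_payload(payload: bytes) -> str:
    """Return 'nat-keepalive', 'esp', 'ike:<exchange>' or 'malformed' for a UDP/4500 payload."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        body = payload[len(NON_ESP_MARKER):]
        if len(body) < IKE_HEADER.size:
            return "malformed"
        _ispi, _rspi, _nxt, version, exch, _flags, _msgid, length = IKE_HEADER.unpack_from(body)
        major = version >> 4  # major version lives in the high nibble
        if length < IKE_HEADER.size or length > len(body):  # length covers the whole IKE message
            return "malformed"
        return "ike:" + EXCHANGE_NAMES.get((major, exch), f"unknown-v{major}-type{exch}")
    if len(payload) < 8:  # ESP carries at least SPI + sequence number
        return "malformed"
    return "esp"


def summarize_capture(datagrams, controller_ip: str) -> dict[str, int]:
    """Count inbound UDP/4500 datagram types seen on the controller side of the NAT device.

    Replies sourced by the controller are skipped; an inbound UDP/4500 datagram whose
    destination is not the controller was not rewritten by the forward rule.
    """
    counts: Counter[str] = Counter()
    for d in datagrams:
        if d.dport != NATT_PORT or d.src == controller_ip:
            continue
        if d.dst != controller_ip:
            counts["not-forwarded"] += 1
            continue
        counts[classify_natt_payload(d.payload)] += 1
    return dict(counts)


def bootstrap_looks_healthy(summary: dict[str, int]) -> bool:
    """An AP that bootstrapped negotiated IKE and then sent ESP; unforwarded datagrams
    or keepalives alone mean it is stuck before the tunnel came up."""
    saw_ike = any(k.startswith("ike:") for k in summary)
    return saw_ike and summary.get("esp", 0) > 0 and summary.get("not-forwarded", 0) == 0


def build_ike(major: int, exch: int, body: bytes = b"") -> bytes:
    """Constructed IKE-over-4500 datagram: non-ESP marker + header (+ optional payload bytes)."""
    hdr = IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 1, major << 4, exch, 0, 0, IKE_HEADER.size + len(body))
    return NON_ESP_MARKER + hdr + body


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Constructed UDP-encapsulated ESP datagram: SPI, sequence number, opaque ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext


# Constructed sample capture (addresses from the documentation ranges): a Remote AP at
# 192.0.2.10 reaching the controller 10.0.0.5 via the NAT device's public address 203.0.113.1.
CONTROLLER = "10.0.0.5"
NAT_PUBLIC = "203.0.113.1"
SAMPLE = [
    Datagram("192.0.2.10", CONTROLLER, 4500, build_ike(1, 4)),                          # IKEv1 aggressive mode
    Datagram(CONTROLLER, "192.0.2.10", 4500, build_ike(1, 4)),                          # controller reply, ignored
    Datagram("192.0.2.10", CONTROLLER, 4500, build_ike(1, 32)),                         # IKEv1 quick mode
    Datagram("192.0.2.10", CONTROLLER, 4500, build_esp(0xC0FFEE01, 1, b"\xaa" * 32)),   # tunnelled data
    Datagram("192.0.2.10", CONTROLLER, 4500, NAT_KEEPALIVE),
    Datagram("192.0.2.10", NAT_PUBLIC, 4500, build_esp(0xC0FFEE01, 2, b"\xbb" * 32)),   # forward rule missed this
    Datagram("192.0.2.10", CONTROLLER, 500, build_ike(1, 2)),                           # plain IKE on 500, out of scope
]

if __name__ == "__main__":
    report = summarize_capture(SAMPLE, CONTROLLER)
    print(report, "healthy:", bootstrap_looks_healthy(report))
```

In practice the tuples come from a packet capture taken on the controller-side interface; the point of the "not-forwarded" counter is that an ESP or IKE datagram still addressed to the NAT device's public address on that side is the signature of a missing or mis-scoped UDP 4500 forward, which shows up as an AP that never finishes bootstrapping.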
Double Encryption
The Remote AP sends its control traffic to the switch over an IPSec tunnel. User traffic, by contrast, is protected only by the authentication and encryption settings configured for the AP and the user. If the administrator wants user traffic to be encrypted a second time, inside IPSec, enable double encryption:
(Alcatel4324) (config)# ap location 10.0.0
(Alcatel4324) (sap-config location 10.0.0)# double-encrypt enable
(Alcatel4324) (sap-config location 10.0.0)# exit
(Alcatel4324) (config)#
NOTE
Alcatel recommends that double-encryption not be turned on for 
inter-device communication over untrusted networks in AOS-W 2.4 or 
higher, as doing so is redundant and adds significant processing overhead 
for APs.