User GuideTable of ContentsNortel WLAN-Security Switch 2300 Series Configuration Guide1Contents9How to get help37Introducing the Nortel WLAN 2300 system39Nortel WLAN 2300 system39Documentation40Safety and advisory notices41Nortel manuals use the following text and syntax conventions:41Using the command-line interface43CLI conventions43Command prompts44Syntax notation45Text entry conventions and allowed characters46MAC address notation46IP address and mask notation46User wildcards, MAC address wildcards, and VLAN wildcards47User wildcards47MAC address wildcards47VLAN wildcards48Matching order for wildcards48Port lists49Virtual LAN identification50Command-line editing51Keyboard shortcuts51History buffer51Tabs51Single-asterisk (*) wildcard character52Double-asterisk (**) wildcard characters52Using CLI help52Understanding command descriptions53WSS setup methods55Overview56Quick starts56WLAN Management Software56CLI57Web View57How a WSS gets its configuration58Web Quick Start (2350 and 2360/2361)59Web Quick Start parameters59Web Quick Start requirements59Accessing the Web Quick Start60CLI quickstart command62Quickstart example64Remote WSS configuration66Opening the QuickStart network plan in WLAN Management Software67Configuring Web-based AAA for administrative and local access69Overview of Web-based AAA for administrative and local access69Before you start71About Administrative Access71Access modes71Types of Administrative Access72First-time configuration via the console72Enabling an administrator72Setting the WSS enable password73Setting the WSS enable password for the first time73WMS enable password74Authenticating at the console75Customizing Web-based AAA with “wildcards” and groups76Setting user passwords77Adding and clearing local users for Administrative Access77Configuring accounting for administrative users77Displaying the Web-based AAA configuration78Saving the configuration79Administrative Web-based AAA configuration scenarios79Local authentication80Local 
authentication for console users and RADIUS authentication for Telnet users80Local override and backup local authentication81Authentication when RADIUS servers do not respond82Managing User Passwords83Passwords Overview83Configuring Passwords84Setting passwords for local users84Enabling password restrictions84Setting the maximum number of login attempts85Specifying minimum password length85Configuring password expiration time86Restoring access to a locked-out user86Displaying Password Information87Configuring and managing ports and VLANs89Configuring and managing ports89Setting the port type89Setting a port for a directly connected AP91Configuring for a AP92Setting a port for a wired authentication user92Clearing a port93Clearing a AP94Configuring a port name94Setting a port name94Removing a port name95Configuring media type on a dual-interface gigabit ethernet port (2380 only)95Configuring port operating parameters9610/100 Ports-autonegotiation and port speed96Gigabit Ports-autonegotiation and flow control97Disabling a port97Disabling power over ethernet97Resetting a port98Displaying port information98Displaying port configuration and status98Displaying PoE state99Displaying port statistics99Clearing statistics counters99Monitoring port statistics100Configuring load-sharing port groups101Load sharing101Link redundancy101Configuring a port group101Removing a port group102Displaying port group information102Interoperating with Cisco Systems EtherChannel103Configuring and managing VLANs103Understanding VLANs in Nortel WSS software103VLANs, IP subnets, and IP addressing104Users and VLANs104VLAN names104Roaming and VLANs104Traffic forwarding105802.1Q tagging105Tunnel affinity105Configuring a VLAN106Creating a VLAN106Adding ports to a VLAN106Removing an entire VLAN or a VLAN port107Changing tunneling affinity108Restricting layer 2 forwarding among clients108Displaying VLAN information109Managing the layer 2 forwarding database111Types of forwarding database 
entries111How entries enter the forwarding database111Displaying forwarding database information111Displaying the size of the forwarding database111Displaying forwarding database entries112Adding an entry to the forwarding database113Removing entries from the forwarding database113Configuring the aging timeout period113Displaying the aging timeout period113Changing the aging timeout period114Port and VLAN configuration scenario114Configuring and managing IP interfaces and services121MTU support122Configuring and managing IP interfaces123Adding an IP interface123Statically configuring an IP interface123Enabling the DHCP client123Disabling or reenabling an IP interface125Removing an IP interface125Displaying IP interface information125Configuring the system IP address126Designating the system IP address126Displaying the system IP address126Clearing the system IP address126Configuring and managing IP routes126Displaying IP routes127Adding a static route128Removing a static route129Managing the management services130Managing SSH130Login timeouts130Enabling SSH130Adding an SSH user131Changing the SSH service port number131Managing SSH server sessions132Managing Telnet132Telnet login timers132Enabling Telnet132Adding a Telnet user133Displaying Telnet status133Changing the Telnet service port number133Resetting the Telnet service port number to its default133Managing Telnet server sessions134Managing HTTPS134Enabling HTTPS134Displaying HTTPS information135Changing the idle timeout for CLI management sessions135Configuring and managing DNS136Enabling or disabling the DNS client136Configuring DNS servers136Adding a DNS server136Removing a DNS server136Configuring a default domain name136Adding the default domain name137Removing the default domain name137Displaying DNS server information137Configuring and managing aliases137Adding an alias138Removing an alias138Displaying aliases138Configuring and managing time parameters139Setting the time zone139Displaying the time 
zone140Clearing the time zone140Configuring the summertime period140Displaying the summertime period141Clearing the summertime period141Statically configuring the system time and date141Displaying the time and date142Configuring and managing NTP142Adding an NTP server142Removing an NTP server143Changing the NTP update interval143Resetting the update interval to the default143Enabling the NTP client143Displaying NTP information143Managing the ARP table144Displaying ARP table entries144Adding an ARP entry144Changing the aging timeout145Pinging another device145Logging in to a remote device146Tracing a route147IP interfaces and services configuration scenario148Configuring SNMP151Overview151Configuring SNMP151Setting the system location and contact strings152Enabling SNMP versions153Configuring community strings (SNMPv1 and SNMPv2c only)154Creating a USM user for SNMPv3155Command examples156Setting SNMP security157Configuring a notification profile158Command examples159Configuring a notification target161Command examples162Enabling the SNMP service163Displaying SNMP information163Displaying SNMP version and status information163Displaying the configured SNMP community strings163Displaying USM settings163Displaying notification profiles163Displaying notification targets164Displaying SNMP statistics counters164Configuring and managing Mobility Domain roaming165About the Mobility Domain feature165Configuring a Mobility Domain166Configuring the seed166Configuring member WSSs on the seed166Configuring a member167Configuring mobility domain seed redundancy167Displaying Mobility Domain status169Displaying the Mobility Domain configuration170Clearing a Mobility Domain from a WSS170Clearing a Mobility Domain member from a seed170Configuring secure WSS to WSS communications170Monitoring the VLANs and tunnels in a Mobility Domain173Displaying roaming stations173Displaying roaming VLANs and their affinities174Displaying tunnel information174Understanding the sessions of roaming 
users174Requirements for roaming to succeed175Effects of timers on roaming175Monitoring roaming sessions175Mobility Domain scenario176Configuring network domains179About the network domain feature179Network domain seed affinity182Configuring a network domain183Configuring network domain seeds184Specifying network domain seed peers185Configuring network domain members186Displaying network domain information187Clearing network domain configuration from a WSS188Clearing a network domain seed from a WSS189Clearing a network domain peer from a network domain seed190Clearing network domain seed or member configuration from a WSS191Network domain scenario191Configuring RF load balancing for APs195RF load balancing overview195Configuring RF load balancing195Disabling or re-enabling RF load balancing196Assigning radios to load balancing groups196Specifying band preference for RF load balancing196Setting strictness for RF load balancing197Exempting an SSID from RF load balancing197Displaying RF load balancing information197Configuring APs199AP overview199Country of operation201Directly connected APs and distributed APs201Distributed AP network requirements202Distributed APs and STP202Distributed APs and DHCP option 43203AP parameters204Resiliency and dual-homing options for APs204Boot process for distributed APs208Establishing connectivity on the network209Contacting a WSS209Loading and activating an operational image212Obtaining configuration information from the WSS212AP boot examples213Session load balancing220Service profiles220Public and private SSIDs224Encryption225Radio profiles225Auto-RF227Default radio profile227Radio-specific parameters227Configuring global AP parameters228Specifying the country of operation229Configuring an auto-AP profile for automatic AP configuration230How an unconfigured AP finds a WSS to configure it230Configured APs have precedence over unconfigured APs231Configuring an auto-AP profile232Configuring AP port parameters235Setting the port type 
for a directly connected AP236Configuring an indirectly connected AP237Configuring static IP addresses on distributed APs237Clearing an AP from the configuration239Changing AP names239Changing bias240Configuring a load-balancing group240Disabling or reenabling automatic firmware upgrades240Forcing an AP to download its operational image from the WSS240Enabling LED blink mode241Configuring AP-WSS security241Encryption key fingerprint241Encryption options242Verifying an AP’s fingerprint on a WSS242Setting the AP security requirement on a WSS244Fingerprint log message244Configuring a service profile244Creating a service profile245Removing a service profile245Changing a service profile setting245Disabling or reenabling encryption for an SSID245Disabling or reenabling beaconing of an SSID245Changing the fallthru authentication type246Changing transmit rates246Enforcing the Data Rates248Disabling idle-client probing249Changing the user idle timeout249Changing the short retry threshold250Changing the long retry threshold250Configuring a radio profile250Creating a new profile251Changing radio parameters251Resetting a radio profile parameter to its default value254Removing a radio profile254Configuring radio-specific parameters255Configuring the channel and transmit power255Configuring the external antenna model256External antenna selector guides for the AP-2330, AP-2330A, AP-2330B and Series 2332 APs258Antenna selection decision trees268Specifying the external antenna model270Mapping the radio profile to service profiles270Assigning a radio profile and enabling radios271Disabling or reenabling radios271Enabling or disabling individual radios271Disabling or reenabling all radios using a profile271Resetting a radio to its factory default settings272Restarting an AP272Displaying AP information273Displaying AP configuration information273Displaying connection information for APs274Displaying a list of APs that are not configured274Displaying active connection information for 
APs275Displaying service profile information275Displaying radio profile information276Displaying AP status information276Displaying static IP address information for APs277Displaying AP statistics counters278Configuring WLAN mesh services281WLAN mesh services overview281Configuring WLAN mesh services283Configuring the Mesh AP284Configuring the Service Profile for Mesh Services285Configuring Security286Enabling Link Calibration Packets on the Mesh Portal AP287Deploying the Mesh AP288Configuring Wireless Bridging288Displaying WLAN Mesh Services Information289Configuring user encryption291Configuring WPA294WPA cipher suites295TKIP countermeasures298WPA authentication methods299WPA information element300Client support301Configuring WPA303Creating a service profile for WPA303Enabling WPA303Specifying the WPA cipher suites303Changing the TKIP countermeasures timer value304Enabling PSK authentication304Displaying WPA settings305Assigning the service profile to radios and enabling the radios306Configuring RSN (802.11i)307Creating a service profile for RSN307Enabling RSN307Specifying the RSN cipher suites308Changing the TKIP countermeasures timer value308Enabling PSK authentication308Displaying RSN settings309Assigning the service profile to radios and enabling the radios309Configuring WEP309Setting static WEP key values311Assigning static WEP keys312Encryption configuration scenarios312Enabling WPA with TKIP313Enabling dynamic WEP in a WPA network315Configuring encryption for MAC clients317Configuring Auto-RF321Auto-RF overview321Initial channel and power assignment321How channels are selected322Channel and power tuning322Power tuning322Channel tuning322Tuning the transmit data rate323Auto-RF parameters323Changing Auto-RF settings325Changing channel tuning settings325Disabling or reenabling channel tuning325Changing the channel tuning interval325Changing the channel holddown interval325Changing power tuning settings326Enabling power tuning326Changing the power tuning 
interval326Changing the maximum default power allowed on a radio326Locking down tuned settings327Displaying Auto-RF information327Displaying Auto-RF settings327Displaying RF neighbors328Displaying RF attributes329Configuring APs to be AeroScout listeners331Configuring AP radios to listen for AeroScout RFID tags331Locating an RFID tag332Using an AeroScout engine333Using WMS334AirDefense integration with the Nortel WLAN 2300 system335About AirDefense integration335Converting an AP into an AirDefense sensor336Copying the AirDefense sensor software to the WSS338Loading the AirDefense sensor software on the AP339How a converted AP obtains an IP address339Specifying the AirDefense server340Converting an AirDefense sensor back to an AP341Clearing the AirDefense sensor software from the AP’s configuration341Configuring quality of service343About QoS343Summary of QoS features343End-to-End QoS346QoS Mapping346QoS mode347WMM QoS mode348SVP QoS mode356U-APSD support357Call admission control357Broadcast control358Static CoS358Overriding CoS358Changing QoS settings358Changing the QoS mode359Enabling U-APSD support359Configuring call admission control359Enabling CAC359Changing the maximum number of active sessions360Configuring static CoS360Changing CoS mappings360Using the client DSCP value to classify QoS level361Enabling broadcast control361Displaying QoS information361Displaying a radio profile’s QoS settings361Displaying a service profile’s QoS settings362Displaying CoS mappings363Displaying the default CoS mappings363Displaying a DSCP-to-CoS mapping363Displaying a CoS-to-DSCP mapping364Displaying the DSCP table364Displaying AP forwarding queue statistics364Configuring and managing spanning tree protocol367Enabling the spanning tree protocol368Changing standard spanning tree parameters369Changing the bridge priority371Changing STP port parameters372Changing the STP port cost372Resetting the STP port cost to the default value372Changing the STP port priority373Resetting the 
STP port priority to the default value373Changing spanning tree timers374Changing the STP hello interval374Changing the STP forwarding delay374Changing the STP maximum age374Configuring and managing STP fast convergence features375Configuring port fast convergence377Displaying port fast convergence information378Configuring backbone fast convergence379Displaying the backbone fast convergence state380Configuring uplink fast convergence381Displaying uplink fast convergence information382Displaying spanning tree information382Displaying STP bridge and port information383Displaying the STP port cost on a VLAN basis384Displaying blocked STP ports385Displaying spanning tree statistics386Clearing STP statistics388Spanning tree configuration scenario388Configuring and managing IGMP snooping391Disabling or reenabling IGMP snooping391Disabling or reenabling proxy reporting391Enabling the pseudo-querier392Changing IGMP timers392Changing the query interval393Changing the other-querier-present interval394Changing the query response interval395Changing the last member query interval396Changing robustness397Enabling router solicitation397Changing the router solicitation interval398Configuring static multicast ports398Adding or removing a static multicast router port399Adding or removing a static multicast receiver port400Displaying multicast information400Displaying multicast configuration information and statistics401Displaying multicast statistics only402Clearing multicast statistics402Displaying multicast queriers403Displaying multicast routers404Displaying multicast receivers405Configuring and managing security ACLs407About security access control lists407Overview of security ACL commands408Security ACL filters409Order in which ACLs are applied to traffic410Traffic direction410Selection of user ACLs410Creating and committing a security ACL410Setting a source IP ACL411Wildcard masks412Class of Service412Setting an ICMP ACL414Setting TCP and UDP ACLs416Setting a TCP 
ACL416Setting a UDP ACL416Determining the ACE order418Committing a Security ACL419Viewing security ACL information420Viewing the edit buffer420Viewing committed security ACLs420Viewing security ACL details421Displaying security ACL hits421Clearing security ACLs422Mapping security ACLs422Mapping user-based security ACLs423Mapping security ACLs to ports, VLANs, virtual ports, or distributed APs425Displaying ACL maps to ports, VLANs, and virtual ports425Clearing a security ACL map425Modifying a security ACL426Adding another ACE to a security ACL427Placing one ACE before another428Modifying an existing security ACL429Clearing security ACLs from the edit buffer430Using ACLs to change CoS431Filtering based on DSCP values433Using the dscp option433Using the precedence and ToS options433Enabling prioritization for legacy voice over IP434General guidelines435Enabling VoIP support for TeleSym VoIP436Enabling SVP optimization for SpectraLink phones437Known limitations437Configuring a service profile for RSN (WPA2)437Configuring a service profile for WPA438Configuring a radio profile438Configuring a VLAN and AAA for voice clients439Configuring an ACL to prioritize voice traffic439Setting 802.11b/g radios to 802.11b (for Siemens SpectraLink VoIP phones only)440Disabling Auto-RF before upgrading a SpectraLink phone440Restricting client-to-client forwarding among IP-only clients441Security ACL configuration scenario442Managing keys and certificates443Why use keys and certificates?443Wireless security through TLS444PEAP-MS-CHAP-V2 security445About keys and certificates445Public key infrastructures447Public and private keys448Digital certificates449PKCS #7, PKCS #10, and PKCS #12 object files450Certificates automatically generated by WSS software450Creating keys and certificates451Choosing the appropriate certificate installation method for your network452Creating public-private key pairs454Generating self-signed certificates455Installing a key pair and certificate from a PKCS #12 
object file456Creating a CSR and installing a certificate from a PKCS #7 object file457Installing a CA’s own certificate458Displaying certificate and key information458Key and certificate configuration scenarios459Creating self-signed certificates460Installing CA-signed certificates from PKCS #12 object files462Installing CA-signed certificates using a PKCS #10 object file (CSR) and a PKCS #7 object file464SSID name “Any”465Last-resort processing465User credential requirements466Configuring AAA for network users467About AAA for network users467Authentication468Authentication types468Authentication algorithm469Accounting474Summary of AAA features475AAA tools for network users475“Wildcards” and groups for network user classification476Wildcard “Any” for SSID matching476AAA methods for IEEE 802.1X and Web network access477AAA rollover process477Local override exception477Remote authentication with local backup478IEEE 802.1X Extensible Authentication Protocol types480Ways a WSS can use EAP481Effects of authentication type on encryption method482Configuring 802.1X authentication482Configuring 802.1X Acceleration484Using pass-through485Authenticating through a local database486Binding user authentication to machine authentication487Authentication rule requirements487Bonded Authentication period488Bonded Authentication configuration example489Displaying Bonded Authentication configuration information489Configuring authentication and authorization by MAC address490Adding and clearing MAC users and user groups locally491Adding MAC users and groups491Clearing MAC users and groups491Configuring MAC authentication and authorization492Changing the MAC authorization password for RADIUS493Configuring Web portal Web-based AAA493How Web portal Web-based AAA works495Display of the login page495Web-based AAA requirements and recommendations497WSS requirements497Network requirements500WSS recommendations500Client NIC recommendations500Client Web browser recommendations500Configuring 
Web portal Web-based AAA501Web portal Web-based AAA configuration example501Displaying session information for Web portal Web-based AAA users503Using a custom login page505Copying and modifying the Web login page506Custom login page scenario506Using dynamic fields in Web-based AAA redirect URLs509Using an ACL other than portalacl511Configuring the Web portal Web-based AAA session timeout period512Configuring the Web Portal Web-based AAA Logout Function513Configuring last-resort access513Configuring last-resort access for wired authentication ports516Configuring AAA for users of third-party APs516Authentication process for users of a third-party AP517Requirements518Third-party AP requirements518WSS requirements518RADIUS server requirements518Configuring authentication for 802.1X users of a third-party AP with tagged SSIDs519Configuring authentication for non-802.1X users of a third-party AP with tagged SSIDs521Configuring access for any users of a non-tagged SSID522Assigning authorization attributes522Assigning attributes to users and groups528Assigning SSID default attributes to a service profile529Assigning a security ACL to a user or a group530Assigning a security ACL locally530Assigning a security ACL on a RADIUS server531Clearing a security ACL from a user or group531Assigning encryption types to wireless users532Assigning and clearing encryption types locally532Assigning and clearing encryption types on a RADIUS server533Keeping users on the same VLAN even after roaming534Overriding or adding attributes locally with a location policy537About the location policy538How the location policy differs from a security ACL539Setting the location policy540Applying security ACLs in a location policy rule540Displaying and positioning location policy rules541Clearing location policy rules and disabling the location policy542Configuring accounting for wireless network users542Configuring periodic accounting update records544Enabling system accounting messages545Viewing 
local accounting records546Viewing roaming accounting records547Displaying the AAA configuration548Avoiding AAA problems in configuration order549Using the wildcard “Any” as the SSID name in authentication rules549Using authentication and accounting rules together551Configuration producing an incorrect processing order551Configuration for a correct processing order551Configuring a Mobility Profile552Network user configuration scenarios553General use of network user commands554Enabling RADIUS pass-through authentication556Enabling PEAP-MS-CHAP-V2 authentication557Enabling PEAP-MS-CHAP-V2 offload558Combining 802.1X Acceleration with pass-through authentication559Overriding AAA-assigned VLANs560SSID name “Any”472Last-resort processing472User credential requirements472Configuring communication with RADIUS561RADIUS overview561Before you begin563Configuring RADIUS servers563Configuring global RADIUS defaults564Setting the system IP address as the source address565Configuring individual RADIUS servers566Deleting RADIUS servers567Configuring RADIUS server groups567Creating server groups568Ordering server groups568Configuring load balancing568Adding members to a server group569Deleting a server group571RADIUS and server group configuration scenario571Managing 802.1X on the WSS573Managing 802.1X on wired authentication ports573Enabling and disabling 802.1X globally574Setting 802.1X port control575Managing 802.1X encryption keys575Enabling 802.1X key transmission576Configuring 802.1X key transmission time intervals577Managing WEP keys578Configuring 802.1X WEP rekeying578Configuring the interval for WEP rekeying578Setting EAP retransmission attempts579Managing 802.1X client reauthentication579Enabling and disabling 802.1X reauthentication580Setting the maximum number of 802.1X reauthentication attempts581Setting the 802.1X reauthentication period582Setting the bonded authentication period583Managing other timers583Setting the 802.1X quiet period584Setting the 802.1X timeout 
for an authorization server585Setting the 802.1X timeout for a client586Displaying 802.1X information586Viewing 802.1X clients587Viewing the 802.1X configuration588Viewing 802.1X statistics589Configuring SODA endpoint security for a WSS591About SODA endpoint security591SODA endpoint security support on WSSs593How SODA functionality works on WSSs594Configuring SODA functionality594Configuring Web Portal Web-based AAA for the service profile596Creating the SODA agent with SODA manager597Copying the SODA agent to the WSS598Installing the SODA agent files on the WSS599Enabling SODA functionality for the service profile600Disabling enforcement of SODA agent checks601Specifying a SODA agent success page602Specifying a SODA agent failure page603Specifying a remediation ACL604Specifying a SODA agent logout page605Specifying an alternate SODA agent directory for a service profile606Uninstalling the SODA agent files from the WSS607Displaying SODA configuration information608Managing sessions609About the session manager609Displaying and clearing administrative sessions609Displaying and clearing all administrative sessions610Displaying and clearing an administrative console session611Displaying and clearing administrative Telnet sessions612Displaying and clearing client Telnet sessions613Displaying and clearing network sessions613Displaying verbose network session information615Displaying and clearing network sessions by username616Displaying and clearing network sessions by MAC address617Displaying and clearing network sessions by VLAN name618Displaying and clearing network sessions by session ID619Displaying and changing network session timers620Disabling keepalive probes622Changing or disabling the user idle timeout623Rogue detection and counter measures625About rogues and RF detection625Rogue access points and clients625Rogue classification626Rogue detection lists626RF detection scans629Dynamic Frequency Selection (DFS)629Countermeasures629Mobility Domain 
requirement630Summary of rogue detection features630Configuring rogue detection lists631Configuring a permitted vendor list631Configuring a permitted SSID list632Configuring a client black list633Configuring an attack list634Configuring an ignore list635Enabling countermeasures636Using on-demand countermeasures in a Mobility Domain637Disabling or reenabling Scheduled RF Scanning637Enabling AP signatures637Disabling or reenabling logging of rogues638Enabling rogue and countermeasures notifications638IDS and DoS alerts638Flood attacks638DoS attacks639Netstumbler and Wellenreiter applications639Wireless bridge640Ad-Hoc network640Weak WEP key used by client640Disallowed devices or SSIDs640Displaying statistics counters640IDS log message examples641Displaying RF detection information643Displaying rogue clients644Displaying rogue detection counters645Displaying SSID or BSSID information for a Mobility Domain646Displaying RF detect data647Displaying the APs detected by an AP radio647Displaying countermeasures information648Testing the RFPing649Managing system files651About system files651Displaying software version information652Displaying boot information653Working with files653Displaying a list of files653Copying a file655Using an image file’s MD5 checksum to verify its integrity657Deleting a file657Creating a subdirectory658Removing a subdirectory659Managing configuration files659Displaying the running configuration659Saving configuration changes660Specifying the configuration file to use after the next reboot661Loading a configuration file661Specifying a backup configuration file662Resetting to the factory default configuration662Backing up and restoring the system663Managing configuration changes664Backup and restore examples664Upgrading the system image665Preparing the WSS for the upgrade665Upgrading an individual switch using the CLI666Upgrade scenario666Command changes during upgrade667Appendix A: Troubleshooting a WSS669Fixing common WSS setup 
problems670Recovering the system when the enable password is lost6712382, 2380 or 2360/2361671Configuring and managing the system log672Log message components673Logging destinations and levels673Using log commands674Logging to the log buffer675Logging to the console676Logging messages to a syslog server676Setting Telnet session defaults677Changing the current Telnet session defaults677Logging to the trace buffer677Enabling mark messages677Saving trace messages in a file678Displaying the log configuration678Running traces679Using the trace command679Tracing authentication activity679Tracing session manager activity679Tracing authorization activity679Tracing 802.1X sessions680Displaying a trace680Stopping a trace680About trace results680Displaying trace results681Copying trace results to a server681Clearing the trace log682List of trace areas682Using show commands682Viewing VLAN interfaces682Viewing AAA session statistics682Viewing FDB information683Viewing ARP information683Port mirroring684Configuration requirements684Configuring port mirroring684Displaying the port mirroring configuration684Clearing the port mirroring configuration684Remotely monitoring traffic685How remote traffic monitoring works685All snooped traffic is sent in the clear685Best practices for remote traffic monitoring685Configuring a snoop filter686Displaying configured snoop filters687Editing a snoop filter687Deleting a snoop filter687Mapping a snoop filter to a radio688Displaying the snoop filters mapped to a radio688Displaying the snoop filter mappings for all radios688Removing snoop filter mappings688Enabling or disabling a snoop filter689Displaying remote traffic monitoring statistics689Preparing an observer and capturing traffic689Capturing system information and sending it to technical support690The show tech-support command691Core files691Debug messages692Sending information to NETS693Appendix A: Enabling and logging onto Web View695System requirements695Browser requirements695WSS 
requirements695Logging onto Web View696Appendix A: Supported RADIUS attributes697Supported standard and extended attributes697Nortel vendor-specific attributes701Appendix A: Traffic ports used by WSS software703Appendix A: DHCP server705How the WSS software DHCP server works706Configuring the DHCP server706Displaying DHCP server information707Appendix A: Glossary709Index731Command Index751
Size: 6.08 MB
Pages: 758
Language: English
Quick Setup Guide
Table of Contents
Nortel WLAN - Security Switch 2300 Series Quick Start Guide
Copyright © 2007 Nortel Networks. All rights reserved.
Trademarks
International Regulatory Statements of Conformity for the WSSs
National Electromagnetic Compliance (EMC) Statements of Compliance
FCC statement (USA only)
ICES statement (Canada only)
CE marking statement (Europe only)
European Union and European Free Trade Association (EFTA) notice
VCCI statement (Japan/Nippon only)
BSMI statement for Nortel WLAN Security Switch 2300 Series switches (Taiwan only)
MIC notice (Republic of Korea only)
National Safety Statements of Compliance
EN 60950 statement
NOM statement (Mexico only)
Información NOM (unicamente para México)
Denan Statement (Japan/Nippon only)
Contents
Introduction
Audience
How to get help
Finding the latest updates on the Nortel web site
Getting help over the phone from a Nortel Solutions Center
Getting help from a specialist by using an Express Routing Code
Getting help through a Nortel distributor or reseller
Precautions
Protecting cables and connectors
Preventing electrostatic discharge damage
Preventing electrostatic damage in new cable installations
Before you begin
Planning a WLAN installation
Gathering required information
Quick Start - Physical Installation
Installing the Nortel WLAN Security Switch
Tabletop Installation
Equipment Rack Installation
Installing a new power supply
Powering on the Nortel WLAN Security Switch
Powering on a 2350
Powering on a 2360/2361
Powering on a 2380
Powering on a 2382
Connecting to a Serial Management Console
Connecting to the network
Connecting Access Points
Connecting other ethernet network devices
Connecting to fiber gigabit devices (WSS 2380 and WSS 2382 only)
Connecting to copper gigabit devices (WSS 2380 and WSS 2382 only)
Quick Start - Basic Configuration
WSS startup algorithm
WSS sample network configuration
Configuring the Nortel WLAN Security Switch
Creating a scope on the DHCP server
Configuring DHCP for APs
Accessing the WSS CLI quickstart wizard
Installing and using WMS
Installing WMS
Opening WMS
Configuring WMS users
Configuring WSS using WMS
Creating a new network plan
Uploading the WSS configuration
Creating a Service Profile
Add the last resort user
Adding and enabling Access Points
Deploying the configuration
Test the solution
Where to go next
Translated caution statements, warning conventions and warning messages
Caution statements
Lithium Battery Caution
Radio safety advisories for Access Points
Warning conventions
Qualified service personnel warning
Laser warning
Earth ground warning
Overcurrent warning
Size: 725 KB, Pages: 44, Language: English

Reference Guide
Table of Contents
Nortel WLAN- Management Software 2300 Series Reference Guide
Contents
How to get help
Introducing the Nortel WLAN 2300 System
Nortel WLAN 2300 System
Documentation
Safety and Advisory Notices
Text and Syntax Conventions
Installing WLAN Management Software
Hardware Requirements
Hardware Requirements for WLAN Management Software Client
Hardware Requirements for WLAN Management Software Monitoring Service
Software Requirements
Preparing for Installation
Serial Number and License Key
Installation Task Overview
Unpacking Files
Using the Installation Wizard
Installation Log File
Upgrading WLAN Management Software
Uninstalling WLAN Management Software on Windows Systems
Uninstalling WLAN Management Software on Linux Systems
Working with the WLAN Management Software User Interface
Display Panels
Organizer Panel
Alerts Panel
Content Panel
Task List Panel
Resizing a Display Panel
Menu Bar Options
Tool Bar Options
Status Counters
Copying, Pasting, and Deleting Objects
Copy and Paste in the Organizer Panel
Copy and Paste Replace in the Organizer Panel
Copy and Paste in the Content Panel
Enabling Keyboard Shortcut Mnemonics (Windows XP Only)
Getting Started
Starting WLAN Management Software
Restricting Access to WLAN Management Software
Creating an Administrator Account
Creating Provision or Monitor Accounts
Deleting WLAN Management Software User Accounts
Disabling Access Control
Working with Network Plans
Creating a Network Plan
Managing Network Plans
Saving a Network Plan
Opening a Network Plan
Importing a Network Plan
Closing a Network Plan
Deleting a Network Plan
Sharing a Network Plan
Defining a Mobility Domain
Roaming Behavior
Traffic Ports Used by WSS Software
Creating a Mobility Domain
Enabling Secure WSS to WSS communications
Creating a WSS
Creating a Third-Party AP
Changing the Country Code
Applying the Network’s Auto-RF Settings to the Network Plan
Configuring AirDefense
Configuring WLAN Management Software to Receive Traps from an AirDefense Server
Launching the AirDefense Server User Interface
Converting DAPs to AirDefense Sensors
Specifying the AirDefense Server as a Trap Receiver on WSSs
Uploading a WSS into the Network Plan
Converting Auto DAPs into Statically Configured APs
Creating a Network Domain
Planning the Nortel WLAN 2300 System
RF Planning Overview
Accessing the RF Planning Tools
Creating or Modifying a Site
Creating or Modifying Buildings in a Site
Creating or Modifying Floors
Importing or Drawing Floor Details
Importing a Drawing of a Floor
Cropping the Paper Space
Adjusting the Scale of a Drawing
Adjusting the Origin Point
Working with Layers
Cleaning Up a Drawing
Drawing Floor Objects Manually
Specifying the RF Characteristics of a Floor
Recommendations
Converting Objects into RF Obstacles
Drawing RF Obstacles
Importing RF Obstacle Data from a Site Survey
Defining Wireless Coverage Areas
Creating a Wiring Closet
Defining a Coverage Area
Editing Coverage Areas
Placing Third-Party Access Points
Moving a Third-Party AP Icon to its Floor Location
Creating and Placing an Icon for a Third-Party Access Point
Placing Installed and Auto-Configured APs
Computing AP Placement
Computing and Placing APs for a Coverage Area
Assigning AP Channels
Computing Optimal Power
Verifying the Wireless Network
Showing RF Coverage
Placing RF Measurement Points
Using RF Interactive Measurement Mode
Reading the RF Measurement Table
Generating RF Network Design Information
Configuring WSS System Parameters
WSS Configuration Objects
Adding a WSS to the Network Plan
Creating a WSS as Part of RF Planning
Creating a WSS Using the Create WLAN-Security Switch Wizard
Creating a New WSS Based on a Configured Switch in the Network Plan
Adding a Switch by Uploading its Configuration from the Network
Adding a Switch by Importing a Configuration File
Configuring Basic and Advanced Settings
Reviewing and Deploying Changes
Reviewing Changes
Deploying Changes
Using the Create WLAN-Security Switch Wizard
Setting Up a Switch
Modifying Basic Switch Parameters
Changing the WSS Software Version
Changing the WSS Model
Changing Time zone Properties
Changing System Information
Converting Auto DAPs into Statically Configured DAPs
Deleting Auto DAPs
Launching a Telnet Management Session with the Switch
Launching a Web View Management Session with the Switch
Viewing and Changing Port Settings
Viewing Port Settings
Changing Port Settings
Configuring a Port for a Directly Connected AP
Configure a Port for Wired Authentication
Viewing and Changing Port Groups
Viewing Port Groups
Creating a Port Group
Changing a Port Group
Viewing and Changing Management Settings
Viewing Management Service Settings
Changing Management Service Settings
Configuring SNMP
Viewing and Setting Log and Trace Settings
Viewing Log Settings
Changing Log Settings
Viewing and Configuring IP Services Settings
Viewing IP Services Setting
Creating a Static Route
Create an IP Alias
Configuring DNS
Configuring NTP
Configuring ARP
Viewing and Configuring VLANs
Viewing VLANs
Creating a VLAN
Changing VLAN Membership
Changing VLAN Spanning Tree Settings
Changing VLAN IGMP Settings
Restricting Layer 2 Traffic Among Clients in a VLAN
Restricting Layer 3 Traffic Among Clients in a VLAN
Changing a VLAN’s Tunnel Affinity
Configuring the WSS Software DHCP Server
Changing the Aging Time for FDB Entries
Viewing and Configuring ACLs
Viewing ACLs
Creating an ACL
Configuring Advanced ACL Settings
Adding a New ACE to a Configured ACL
Mapping an ACL
Deleting an ACL
Deleting an Individual ACE from an ACL
Viewing and Changing CoS Mappings
Viewing CoS Mappings
Changing a DSCP-to-CoS Mapping
Changing a CoS-to-DSCP Mapping
Setting a Range of DSCP Values to a Single CoS Value
Resetting CoS Mapping to their Default Values
Configuring Wireless Parameters
Viewing and Configuring Wireless Services
Wireless Service Parameters
Viewing Wireless Services
Configuring an 802.1X Wireless Service
Configuring a Voice over Wireless Service
Configuring a Web-Portal (Web-based AAA) Service
Configuring an Open Access Service
Configuring a Mesh Services Profile
Configuring a Custom Service
Modifying Service Profile Settings
Viewing SSID Encryption Settings and Access Rules
Modifying SSID Encryption Settings and Access Rules
Viewing and Configuring Radio Profiles
Viewing Radio Profile Settings
Creating a Radio Profile
Moving Radios Back to the Default Radio Profile
Configuring Advanced Radio Profile Settings
Viewing and Changing the Auto-DAP Profile
Viewing Auto-DAP Profile Settings
Changing Auto-DAP Profile Settings
Converting Auto DAPs into Statically Configured DAPs
Deleting Auto DAPs
Viewing and Configuring APs
Viewing the Configured APs
Creating a Distributed AP
Configuring a Directly Connected AP
Setting Up AP Redundancy
Changing the AP Model
Changing the Radio Type for an AP
Changing the AP-WSS Security Mode
Configuring Advanced AP Settings
External antenna selector guides for AP-2330, AP-2330A, AP-2330B and Series 2332 APs
Viewing and Changing Radio Settings
Viewing Radio Settings
Changing Radio Settings
Viewing and Changing RF Detection Settings
Viewing RF Detection Settings
Adding an Entry to the Permitted Vendor OUI List
Adding an Entry to the Permitted SSID List
Adding an Entry to the Ignore List
Adding an Entry to the Rogue List
Adding an Entry to the Client Black List
Enabling Countermeasures
Enabling AP Signatures
Configuring Authentication, Authorization, and Accounting Parameters
Viewing and Configuring Users in the Local Database
Viewing Users and Groups in the Local Database
Creating a Named User
Creating a User Group and Assigning Users To It
Creating a MAC User
Creating a MAC User Group and Assigning Users To It
Authorization Attributes
Viewing and Configuring RADIUS Settings
Viewing RADIUS Settings, Servers, and Server Groups
Creating a RADIUS Server
Modifying a RADIUS Server
Creating a RADIUS Server Group
Changing Default RADIUS Settings
Configuring RADIUS System Accounting
Viewing and Configuring Global 802.1X Settings
Viewing Global 802.1X Settings
Changing Global 802.1X Settings
Viewing and Configuring 802.1X Network Access Rules
Viewing 802.1X Network Access Rules
Creating an 802.1X Network Access Rule
Viewing and Configuring MAC Network Access Rules
Viewing MAC Network Access Rules
Creating a MAC Network Access Rule
Viewing and Configuring Web-based AAA Network Access Rules
Viewing Web-based AAA Network Access Rules
Creating a Web-based AAA Network Access Rule
Viewing and Configuring WSS Administrator Access Rules
Viewing WSS Administrator Access Rules
Creating an Access Rule for Console Access
Creating an Access Rule for Telnet or SSH Access
Viewing and Configuring AAA Support for Third-Party AP Users
Viewing Settings for Third-Party AP AAA Support
Creating a Proxy Access Rule
Configuring a RADIUS Proxy for a Client
Specifying the WSS Port Connected to the Third-Party AP
Viewing and Changing Location Policy Rules
Viewing Location Policy Rules
Creating a Location Policy Rule
Viewing and Changing Mobility Profiles
Viewing Mobility Profiles
Creating a Mobility Profile
Configuring WSSs Remotely
How Remote WSS Configuration Works
Drop Ship (2350 Only)
Staged WSS
WLAN Management Software Requirements
Staging a WSS for Configuration by WLAN Management Software
Example 1: Deployment Site has DHCP and Local DNS
Example 2: Deployment Site has no DHCP and no DNS
Example 3: Deployment Site has DNS but no DHCP
Example 4: Deployment Site has DHCP but Local DNS Domain differs from Corporate DNS Domain
Preconfiguring a switch in WLAN Management Software
Uploading a Partially Configured Switch and Completing its Configuration with WLAN Management Software
Replacing a switch and reusing its configuration
Requirements
How Switch Replacement Works
Enabling Replacement of Remote Switches
Replacing a Switch
Managing WSS System Images and Configurations
WSS File Management Options
Devices Tab
Task List Options
Toolbar Options
Synchronizing Local and Network Changes
Reviewing Switch Configuration Changes
Accepting Network Changes
Undoing Local or Network Changes
Deploying Switch Configuration Changes
Synchronizing when the Network and WLAN Management Software have Nonmatching Changes
Distributing System Images
Using the Image Repository
Distributing System Images
Rebooting WSSs or APs
Enabling or Disabling Management of a Switch by WLAN Management Software
Viewing the Operation Log
Canceling a Scheduled Operation
Importing and Exporting Switch Configuration Files
Modifying Configuration Change Polling Options
Verifying Configuration Changes
Verification Panel
Toolbar Options
Filtering the Message List
Resolving an Error or Warning
Disabling a Rule from the Message List
Changing Verification Options
Disabling and Reenabling Rules
Managing Certificates
Processing Certificates
Managing Certificates
Reviewing Certificate Details
Deleting Certificates
Distributing Certificates to WSSs
Configuring and Applying Policies
How Changes Are Managed
Viewing Policies
Creating a Policy
Configuring Feature Settings in a Policy
Applying Policy Changes to Switches
Managing Alarms
Setting Up the Fault Management System
Classifying and Organizing Alarms
Search Capabilities
Fault States
Managing Faults
Alarm Summary
Top 5 Sources of Alarms
Intrusion Detection System (IDS) Alarms
Denial of Service (DoS) Alarms
Storing Faults and Retrieving Fault History
Reporting Faults
Alarm Summary Report
Alarm History Report
Using the Event Log
Displaying the Event Log
Toolbar Options
Refreshing Event Data
Reviewing Event Details
Filtering Event Messages
Using Predefined Event Filters
Filtering Events by Content
Filtering Events by Severity
Filtering Events by Facility
Creating and Saving Filters
Deleting Filters
Exporting Filtered Data
Generating Reports
Scheduling and E-mailing Reports
Configuration Requirements
Generating an Inventory Report
Generating a Mobility Domain Configuration Report
Generating a WSS Configuration Report
Generating a Client Summary Report
Generating a Client Details Report
Generating a Client Errors Report
Generating a Network Usage Report (Port Traffic)
Generating a Network Usage Report (Radio Traffic)
Generating an RF Summary Report
Generating a Radio Details Report
Generating a Rogue Details Report
Generating a Rogue Summary Report
Generating an Alarm Summary
Generating an Alarm History
Generating a Security Alarm Report
Generating an Alarm Report for Client OUIs
Generating a Site Survey Order
Generating a Work Order
Monitoring the Network
Requirements for Monitoring
Network Types
Accessing Monitored Data
Using the Monitor View
Status Summary
Alarm Summary
Client Summary
Traffic Summary
Using the Status Summary View
Status Monitor or Status Summary Details
Using the Alarm Summary View
Alarm Summary Details
Additional Alarm Options
Using the Client Summary View
Client Details
Additional Client Options
Finding a Client
Refreshing Client Data
To perform an RF Link Test
Using the Traffic Summary View
Traffic Details
Additional Traffic Options
Voice Monitoring with Traffic Views
Using the floor view monitor
On-Demand Statistics Monitoring
Viewing Performance Data
Creating and Viewing Reports
Detecting and Combatting Rogue Devices
Rogue Detection Requirements
Mobility Domain Requirement
Rogue Detection Lists
Displaying Rogue Information
Displaying Rogue Details
Toolbar Options
Filtering the Rogue List
Displaying a Rogue’s Geographical Location
Ignoring Friendly Third-Party Devices
Adding a Device to the Rogue List
Converting a Rogue into a Third Party AP
Adding a Rogue’s Clients to the Black List
Configuring RF Detection Options from the Organizer Panel
Optimizing a Network Plan
Importing RF Measurements
Importing the Measurements
Applying the RF Measurements to the Floor Plan
Locating and Fixing Coverage Holes
Locating a Coverage Hole
Fixing a Coverage Hole
Computing and Placing New APs
Adding New APs that Are Already Installed to the Network Plan
Changing WLAN Management Software Preferences
Resetting Preferences Values
Changing Network Synchronization Options
Changing User Interface Options
Changing Persistence Options
Changing Tools Options
Changing Certificate Management Options
Changing Options for RF Planning
Configuring the Typical Client’s Transmit Power
Changing Colors
Changing WLAN Management Software Logging Options
Changing WLAN Management Software Services Preferences
Starting or Stopping WMS Services
Starting or Stopping WLAN Management Software Services on Windows Systems
Starting or Stopping WLAN Management Software Services on Linux Systems
Connecting to WMS Services
Certificate Check
Verifying that the WLAN Management Software Client is Receiving Service Data
Changing Service Settings
Changing WSS Connection Settings
Changing Monitoring Settings
Accessing WMS Services Log
Managing Network Plans
Backing Up a Plan
Changing Backup Settings
Restoring a Plan from a Backup
Copying a Plan Backup from One Server to Another
Deleting a Plan Backup
Index
Size: 5.35 MB, Pages: 480, Language: English

User Guide
Table of Contents
Nortel WLAN Management Software 2300 Series User Guide
Contents
How to get help
Introducing the Nortel WLAN 2300 Series System
Nortel WLAN 2300 System
Documentation
Safety and Advisory Notices
Text and Syntax Conventions
Getting Started
Hardware Requirements for WLAN Management Software Client
Hardware Requirements for WMS Services
Software Requirements
Preparing for Installation
User Privileges
Serial Number and License Key
HP OpenView Network Node Manager
Resource Allocation
WMS Services Options
Installing WLAN Management Software
Unpacking Files
Using the Installation Wizard
WLAN Management Software Access Control
WLAN Management Software Interface
Displaying the Main Window
Using the Toolbar and Menu Bar
Setting Preferences
Easy Configuration Using Wizards
Getting Help
Planning and Managing Your Wireless Network with WMS
Which Services to Provide?
Network Plan
RF Coverage Area
Auto-RF
Auto-RF with Modelling
RF Planning
Which Planning Method Should I Use?
Configuration
Wireless Configuration
AAA Security Configuration
System and Administration Configuration
Equipment Installation
Deployment
Management and Monitoring
Network Status
RF Monitoring
Client Monitoring
Fault Management
Rogue Detection
Verification
RF Plan Optimization
Configuring Wireless Services
What Are Services?
Configure Employee Access Services
Task Table
Step Summary
Example: Configure Employee Access
What’s Next?
Configure Guest Access Services
Task Table
Step Summary
Optional: Configure Mobility Profiles
What’s Next?
Configure Voice over Wireless IP Service
Task Table
Step Summary
Create a Radio Profile for Voice
Create a Service Profile for Voice
What’s Next?
Using Auto-RF
What Is Auto-RF?
Place the Equipment
Configure Initial WSS Connectivity
Upload the WSS Configuration into a WMS Network Plan
Create a Service Profile
Create a Radio Profile and Map the Service Profile to It
Create Your APs
Apply a Radio Profile to Each Radio
What’s Next?
Using Auto-RF with Modelling
What Is Auto-RF with Modelling?
Add Site Information
Insert RF Obstacles
Create Your RF Coverage Area
Create a Wiring Closet
Create Your RF Coverage Area
Add APs
Associate APs to the Coverage Area
What’s Next?
Using RF Planning
What Is RF Planning?
Prepare the Floor Drawings
Define Site Information
Import a Floor Plan
Set the Scale
Clean Layout
Model RF Obstacles
Import a Site Survey
Plan RF Coverage
Add Wiring Closets
Create Coverage Areas
Compute and Place APs
Assign Channel Settings
Calculate Optimal Power
Display Coverage
Generate a Work Order
Install the Equipment
What’s Next?
Managing and Monitoring Your Network
What Is Network Management?
What Is Network Monitoring?
Deploy Your Configuration
Perform Basic Administrative Tasks
Configuring WSS Management Services
Distribute System Images
Using the Image Repository
Distributing System Images
Saving Versions of Network Plans
Import and Export Switch Configuration Files
Monitoring Examples
Monitor an Individual User
Monitor a Group of Users
What’s Next?
Managing Alarms
What Is Fault Management?
Set Up the Fault Management System
Classify and Organize Faults
Search Capabilities
Manage Faults
Alarm Summary
Top 5 Sources of Alarms
Intrusion Detection System (IDS) Alarms
Denial of Service (DoS) Alarms
Store Faults and Retrieve Fault History
Generate Alarm Reports
Alarm Summary Report
Alarm History Report
Security and Client OUI Reports
Use the Fault Management System to Locate a Rogue
What’s Next?
Optimizing a Network Plan
Using RF Measurements from APs
Using RF Measurements from an Ekahau Site Survey
Generating an Ekahau Site Survey Work Order
Importing RF Measurements from the Ekahau Site Survey
Optimizing the RF Coverage Model
Locating and Fixing Coverage Holes
Displaying the RF Coverage Area
Locking Down APs
Fixing a Coverage Hole
Computing and Placing New APs
Replanning Your Network
What’s Next?
Index
Size: 3.28 MB, Pages: 218, Language: English