AOS W 3.1 User Guide 3 1

User Manual: AOS 3-1 User Guide

Open the PDF directly: View PDF .
Page Count: 530

Download
Open PDF In Browser	View PDF

AOS-W
User Guide

AOS-W Version 3.1

Copyright
Copyright © 2007 Alcatel Internetworking, Inc. All rights reserved.
Specifications in this manual are subject to change without notice.
Originated in the USA.

Trademarks
AOS-W, Alcatel 4308, Alcatel 4324, Alcatel 6000, Alcatel 41, Alcatel 60/61/65,
Alcatel 70, and Alcatel 80 are trademarks of Alcatel Internetworking, Inc. in the
United States and certain other countries.
Any other trademarks appearing in this manual are the property of their respective
companies.

Legal Notice
The use of Alcatel Internetworking Inc. switching platforms and software, by all
individuals or corporations, to terminate Cisco or Nortel VPN client devices
constitutes complete acceptance of liability by that individual or corporation for
this action and indemnifies, in full, Alcatel Internetworking Inc. from any and all
legal actions that might be taken against it with respect to infringement of
copyright on behalf of Cisco Systems or Nortel Networks.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Document Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Contacting Alcatel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

17
17
17
18
19

Volume 1
Introducing the Alcatel OmniAccess System
Chapter 1 Overview of the Alcatel OmniAccess System
Alcatel OmniAccess System Components . . . . . . . . . . . . . . . . . . . 24
Alcatel Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Alcatel WLAN Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
AOS-W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Basic WLAN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Wireless Client Access to the WLAN . . . . . . . . . . . . . . . . . . . . . . . . 39
Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Client Mobility and AP Association. . . . . . . . . . . . . . . . . . . . . . . . 41
Configuring and Managing the Alcatel OmniAccess System . . 42
Volume 2
Installing the Alcatel OmniAccess System
Chapter 2 Deploying a Basic OmniAccess System
Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Deployment Scenario #1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Deployment Scenario #2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Deployment Scenario #3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

AOS-W 3.1
User Guide

46
46
47
48

Contents

Configuring the Alcatel WLAN Switch . . . . . . . . . . . . . . . . . . . . . . .
Run the Initial Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configure a VLAN for Network Connection . . . . . . . . . . . . . . . .
Connect the WLAN Switch to the Network . . . . . . . . . . . . . . . .
Configure the Loopback for the WLAN Switch . . . . . . . . . . . . .
Deploying APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Run Alcatel RF Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Enable APs to Connect to the WLAN Switch . . . . . . . . . . . . . .
Install APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Update RF Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Additional Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

50
50
51
53
54
55
55
55
58
59
59

Chapter 3 Configuring Network Parameters
Configuring VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VLAN Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Assigning a Static Address to a VLAN . . . . . . . . . . . . . . . . . . . . .
Configuring a VLAN to Receive a Dynamic Address . . . . . . . .
Configuring Source NAT for VLAN Interfaces . . . . . . . . . . . . . .
Configuring Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring the Loopback IP Address . . . . . . . . . . . . . . . . . . . . . . .

62
62
63
64
64
68
70
71

Chapter 4 RF Plan
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Task Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Planning Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Using RF Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Campus List Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Building List Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Building Specifications Overview Page . . . . . . . . . . . . . . . . . . . . 79
Building Dimension Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
AP Modeling Parameters Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
AM Modeling Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Planning Floors Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
AP Plan Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
AM Plan Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Exporting and Importing Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Locate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
FQLN Mapper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Contents

RF Plan Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Sample Building . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Create a Building . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Model the Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Model the Air Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Add and Edit a Floor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Defining Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Running the AP Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Running the AM Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

103
103
104
105
106
106
107
110
112

Volume 3
Configuring APs
Chapter 5 Configuring Access Points
AP Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
AP Names and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Virtual APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Example Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring the Corpnet WLAN . . . . . . . . . . . . . . . . . . . . . . . . . .
Guest WLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Advanced Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . .
Channel Switch Announcement . . . . . . . . . . . . . . . . . . . . . . . . .

116
116
120
121
126
127
132
135
135

Chapter 6 Configuring Remote APs
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring the Secure Remote Access Point Service . . . . . . .
Configure a Public IP Address for the WLAN Switch . . . . . .
Configure the VPN Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configure the Remote AP User Role . . . . . . . . . . . . . . . . . . . . . .
Configure VPN Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . .
Provision the AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Deploying a Branch Office/Home Office Solution . . . . . . . . . . . .
Troubleshooting the Branch Office Configuration . . . . . . . . .
Double Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

138
140
140
141
142
144
145
146
148
148

Volume 4
Configuring Wireless Encryption and Authentication

AOS-W 3.1
User Guide

Contents

Chapter 7 Configuring Roles and Policies
Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Access Control Lists (ACLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Creating a Firewall Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Creating a User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Assigning User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Default User Role in AAA Profile . . . . . . . . . . . . . . . . . . . . . . . . .
User-Derived Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Default Role for Authentication Method . . . . . . . . . . . . . . . . . .
Server-Derived Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VSA-Derived Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Firewall Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

152
152
153
156
160
160
161
163
164
165
166

Chapter 8 Configuring Authentication Servers
Servers and Server Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring an LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring a TACACS+ Server . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring the Internal Database . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Server Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Server Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Assigning Server Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Authentication Timers . . . . . . . . . . . . . . . . . . . . . . . . .

170
171
171
173
174
175
177
177
180
182

Chapter 9 Configuring 802.1x Authentication
Overview of 802.1x Authentication . . . . . . . . . . . . . . . . . . . . . . . . .
Authentication with a RADIUS Server . . . . . . . . . . . . . . . . . . . .
Authentication Terminated on WLAN Switch . . . . . . . . . . . . .
Configuring 802.1x Authentication . . . . . . . . . . . . . . . . . . . . . . . . .
802.1x Authentication Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring User and Computer Authentication . . . . . . . . . .
Example Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Authentication with an 802.1x RADIUS Server . . . . . . . . . . . .

186
187
188
190
191
193
196
196
Authentication with the WLAN Switch’s Internal Database 211
Advanced Configuration Options for 802.1x . . . . . . . . . . . . . . . . 224
Reauthentication with Unicast Key Rotation . . . . . . . . . . . . . . 224

Chapter 10 Configuring Captive Portal
Overview of Captive Portal Functions . . . . . . . . . . . . . . . . . . . . . .
Policy Enforcement Firewall License . . . . . . . . . . . . . . . . . . . . .
WLAN Switch Server Certificate . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Captive Portal in the Base AOS-W . . . . . . . . . . . . . .

AOS-W 3.1
User Guide

228
228
228
229

032063-00 Rev A
February 2007

Contents

Configuring Captive Portal with the Policy Enforcement Firewall
License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Example Authentication with Captive Portal . . . . . . . . . . . . . . . . 236
Configuring Policies and Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Configuring the Guest VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Configuring Captive Portal Authentication . . . . . . . . . . . . . . . . 246
Modifying the Initial User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Configuring the AAA Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Configuring the WLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
User Account Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Captive Portal Configuration Parameters. . . . . . . . . . . . . . . . . . . . 250
Optional Captive Portal Configurations . . . . . . . . . . . . . . . . . . . . . 253
Per-SSID Captive Portal Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Changing the Protocol to HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Proxy Server Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Redirecting Clients on Different VLANs . . . . . . . . . . . . . . . . . . . 257
Web Client Configuration with Proxy Script . . . . . . . . . . . . . . 257
Personalizing the Captive Portal Page . . . . . . . . . . . . . . . . . . . . . . 259

Chapter 11 Configuring Virtual Private Networks
VPN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring VPN with L2TP IPSec . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring VPN with PPTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Alcatel Dialer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Captive Portal Download of Dialer . . . . . . . . . . . . . . . . . . . . . . .
Configuring Site-to-Site VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Dead Peer Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

262
263
266
267
268
269
271

Chapter 12 Configuring Advanced Security
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Securing Client Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Securing Wireless Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Securing Wired Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Securing Wireless Clients Through Non-Alcatel APs . . . . . .
Securing WLAN Switch-to-WLAN Switch Communication . . .
Configuring the Odyssey Client on Client Machines . . . . . . . . .

274
275
275
278
280
282
284

Chapter 13 Configuring MAC-Based Authentication
Configuring MAC-Based Authentication . . . . . . . . . . . . . . . . . . . . 290
Configuring the MAC Authentication Profile . . . . . . . . . . . . . . 290
Configuring Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

AOS-W 3.1
User Guide

Contents

Volume 5
Configuring Multiple
WLAN Switch Environments
Chapter 14 Adding Local WLAN Switches
Moving to a Multi-WLAN Switch Environment . . . . . . . . . . . . . .
Preshared Key for Inter-WLAN Switch Communication . . . .
Configuring Local WLAN Switches . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring the Local WLAN Switch . . . . . . . . . . . . . . . . . . . . .
Configuring Layer-2/Layer-3 Settings . . . . . . . . . . . . . . . . . . . .
Configuring Trusted Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

296
296
298
298
299
300
300

Chapter 15 Configuring IP Mobility
Alcatel Mobility Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Mobility Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring a Mobility Domain . . . . . . . . . . . . . . . . . . . . . . . . . . .
Joining a Mobility Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Example Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tracking Mobile Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Mobile Client Roaming Status . . . . . . . . . . . . . . . . . . . . . . . . . . .
Mobile Client Roaming Locations . . . . . . . . . . . . . . . . . . . . . . . .
Advanced Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Proxy Mobile IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Proxy DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Revocations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

304
305
306
308
308
311
311
313
313
313
314
314

Chapter 16 Configuring Redundancy
Virtual Router Redundancy Protocol . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Local WLAN Switch Redundancy . . . . . . . . . . . .
Master WLAN Switch Redundancy. . . . . . . . . . . . . . . . . . . . . . .
Master-Local WLAN Switch Redundancy . . . . . . . . . . . . . . . . .

316
317
318
319
321

Volume 6
Configuring Intrusion Protection

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Contents

Chapter 17 Configuring Wireless Intrusion Prevention
IDS Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Unauthorized Device Detection . . . . . . . . . . . . . . . . . . . . . . . . . .
Denial of Service (DoS) Detection . . . . . . . . . . . . . . . . . . . . . . . .
Impersonation Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Signature Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IDS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IDS Profile Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring the IDS General Profile . . . . . . . . . . . . . . . . . . . . . .
Configuring Denial of Service Attack Detection . . . . . . . . . . .
Configuring Impersonation Detection . . . . . . . . . . . . . . . . . . . .
Configuring Signature Detection . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Unauthorized Device Detection . . . . . . . . . . . . . .
Client Blacklisting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Methods of Blacklisting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Blacklist Duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Removing a Client from Blacklisting . . . . . . . . . . . . . . . . . . . . . .

328
328
330
330
331
332
332
333
335
338
341
344
354
354
356
357

Volume 7
Managing the OmniAccess System
Chapter 18 Configuring Management Access
Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
CLI Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Alcatel Mobility Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Managing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
About Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Obtaining a Server Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Obtaining a Client Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Importing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Updating CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Service-Specific Use of Certificates . . . . . . . . . . . . . . . . . . . . . .
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SNMP for the WLAN Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SNMP for Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Creating Guest Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring the Guest Provisioning User . . . . . . . . . . . . . . . . .
Guest-Provisioning User Tasks . . . . . . . . . . . . . . . . . . . . . . . . . .
Optional Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

AOS-W 3.1
User Guide

362
363
367
371
373
373
374
375
375
377
378
381
381
383
385
391
393
393
394
395

Contents

Setting the System Clock . . . . . . . . . . . . . . . . . . . .
Manually Setting the Clock . . . . . . . . . . . . . . . .
Configuring an NTP Server . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . 396
. . . . . . . . . . . . . . 396
. . . . . . . . . . . . . . 397

Chapter 19 Managing Software Feature Licenses
Alcatel Software Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Software License Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The Software Licensing Process . . . . . . . . . . . . . . . . . . . . . . . . . . .
Obtaining a Software License Certificate . . . . . . . . . . . . . . . . .
Software License Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Locating the System Serial Number . . . . . . . . . . . . . . . . . . . . . .
Obtaining a Software License Key . . . . . . . . . . . . . . . . . . . . . . .
Applying the Software License Key . . . . . . . . . . . . . . . . . . . . . .
Additional Software License Information . . . . . . . . . . . . . . . . . . . .
Permanent Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Evaluation Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Deleting a License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Moving Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Resetting the WLAN Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Getting Help with Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

400
400
401
401
402
403
403
404
405
405
405
406
406
406
407

Volume 8
Configuring Advanced Services
Chapter 20 Configuring QoS for Voice
Roles and Policies for Voice Traffic . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring a User Role for SIP Phones . . . . . . . . . . . . . . . . . .
Configuring a User Role for SVP Phones . . . . . . . . . . . . . . . . .
Configuring a User Role for Vocera Badges . . . . . . . . . . . . . . .
Configuring a User Role for SCCP Phones . . . . . . . . . . . . . . . .
Configuring User-Derivation Rules . . . . . . . . . . . . . . . . . . . . . . .
Optional Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Wi-Fi Multimedia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Battery Boost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
WPA Fast Handover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

AOS-W 3.1
User Guide

412
412
415
417
420
422
424
424
425
426

032063-00 Rev A
February 2007

Contents

Voice Services Module Features . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring the VoIP CAC Profile . . . . . . . . . . . . . . . . . . . . . . . .
Dynamic WMM Queue Management . . . . . . . . . . . . . . . . . . . . .
TSPEC Signaling Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . .
WMM Queue Content Enforcement . . . . . . . . . . . . . . . . . . . . . .
Voice-Aware 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SIP Authentication Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SIP Call Setup Keepalive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Mobile IP Home Agent Assignment . . . . . . . . . . . . . . . . . . . . . .

428
428
430
432
433
433
434
435
435

Chapter 21 External Services Interface
Understanding ESI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Understanding the ESI Syslog Parser . . . . . . . . . . . . . . . . . . . . . . .
ESI Parser Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Peer WLAN Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Syslog Parser Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ESI Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Health-Check Method, Groups, and Servers . . . . . . . . . . . . . .
Redirection Policies and User Role . . . . . . . . . . . . . . . . . . . . . . .
ESI Syslog Parser Domains and Rules . . . . . . . . . . . . . . . . . . . .
Monitoring Syslog Parser Statistics . . . . . . . . . . . . . . . . . . . . . .
Example Route-mode ESI Topology . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring the Example Routed ESI Topology . . . . . . . . . . .
Example NAT-mode ESI Topology . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring the Example NAT-mode ESI Topology . . . . . . . .
Basic Regular Expression Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . .
Character-Matching Operators . . . . . . . . . . . . . . . . . . . . . . . . . . .
Regular Expression Repetition Operators . . . . . . . . . . . . . . . . .
Regular Expression Anchors . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

438
440
440
441
442
443
444
448
452
462
463
464
474
475
481
481
482
482
483

Volume 9
Appendices
Appendix A Configuring DHCP with Vendor-Specific
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Windows-Based DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Configuring Option 60. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Configuring Option 43. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Linux DHCP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

AOS-W 3.1
User Guide

Contents

Appendix B External Firewall Configuration . . . . . . . . . . 493
Communication Between Alcatel Devices . . . . . . . . . . . . . . . . . . . 494
Network Management Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Other Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Appendix C Alcatel System Defaults . . . . . . . . . . . . . . . . 497
Basic System Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Firewall Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
System Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Default Open Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Appendix D Windows Client Example Configuration for
802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Window XP Wireless Client Example Configuration . . . . . . . . . 505
Appendix E Internal Captive Portal . . . . . . . . . . . . . . . . . . 511
Creating a New Internal Web Page . . . . . . . . . . . . . . . . . . . . . . . . . 512
Basic HTML Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Installing a New Captive Portal Page . . . . . . . . . . . . . . . . . . . . . . . 514
Displaying Authentication Error Message . . . . . . . . . . . . . . . . . . . 515
Reverting to the Default Captive Portal . . . . . . . . . . . . . . . . . . . . . 516
Language Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Customizing the Welcome Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Customizing the Pop-Up box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Customizing the Logged Out Box . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

List of Tables

Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 1-1 Optional Software Modules . . . . . . . . . . . . . . . . . . . . . . . . .
Table 1-2 Encryption Options by Authentication Method . . . . . . . . . . .
Table 5-3 Default AP Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 5-4 AP Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 5-5 Profiles for Example Configuration . . . . . . . . . . . . . . . . . . . .
Table 7-6 Firewall Policy Rule Parameters . . . . . . . . . . . . . . . . . . . . . . .
Table 7-7 User Role Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 7-8 Conditions for User-Derived Role . . . . . . . . . . . . . . . . . . . . . .
Table 7-9 Conditions for Server-Derived Role . . . . . . . . . . . . . . . . . . . .
Table 7-10 Firewall Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 8-11 RADIUS Server Configuration Parameters . . . . . . . . . . . . . .
Table 8-12 LDAP Server Configuration Parameters . . . . . . . . . . . . . . . .
Table 8-13 TACACS+ Server Configuration Parameters . . . . . . . . . . . . .
Table 8-14 Internal Database Configuration Parameters . . . . . . . . . . . .
Table 8-15 Server Group Configuration Parameters . . . . . . . . . . . . . . .
Table 8-16 Server Rule Configuration Parameters . . . . . . . . . . . . . . . . .
Table 8-17 Server Types and Purposes . . . . . . . . . . . . . . . . . . . . . . . . .
Table 8-18 Authentication Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 9-19 802.1x Authentication Profile Basic WebUI Parameters . . . .
Table 9-20 User and Machine Authentication Scenarios . . . . . . . . . . . .
Table 10-21 Captive Portal Authentication Profile Parameters . . . . . . .
Table 13-22 MAC Authentication Profile Configuration Parameters . . .
Table 16-23 VRRP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 17-24 IDS Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 17-25 IDS General Profile Configuration Parameters . . . . . . . . . .
Table 17-26 IDS Denial of Service Profile Configuration Parameters . . .
Table 17-27 IDS Rate Thresholds Profile Configuration Parameters . . .
Table 17-28 IDS Impersonation Profile Configuration Parameters . . . . .
Table 17-29 Predefined Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 17-30 Signature Rule Attributes . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 17-31 IDS Unauthorized Device Profile Configuration Parameters
Table 17-32 WMS Configuration Parameters . . . . . . . . . . . . . . . . . . . .
Table 17-33 Valid SSIDs with Multi-Tenancy and Misconfigured AP
Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 18-34 WebUI Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 18-35 Configuration Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 18-36 Line Editing Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table 18-37 SNMP Parameters for the WLAN Switch . . . . . . . . . . . . . .

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

. . 18
. . 31
. . 35
. 117
. 121
. 127
. 153
. 156
. 161
. 165
. 166
. 171
. 173
. 174
. 176
. 177
. 178
. 180
. 182
. 192
. 194
. 250
. 290
. 317
. 332
. 333
. 335
. 337
. 339
. 341
. 343
. 344
. 348

.
.
.
.
.

. 352
. 365
. 366
. 369
. 381

AOS-W 3.1
User Guide

List of Tables

Table
Table
Table
Table
Table
Table
Table
Table
Table
Table

18-38 SNMP Profile Configuration Parameters . . . . . . . . . .
18-39 SNMP User Profile Configuration Parameters . . . . . .
18-40 Software Modules . . . . . . . . . . . . . . . . . . . . . . . . . . .
18-41 Logging Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
20-42 WMM Access Category to 802.1D Priority Mapping .
20-43 WMM Access Categories and 802.1d Tags . . . . . . . .
21-44 Character-matching operators in regular expressions
21-45 Regular expression repetition operators . . . . . . . . . . .
21-46 Regular expression anchors . . . . . . . . . . . . . . . . . . . .
C-47 Default (Trusted) Open Ports . . . . . . . . . . . . . . . . . . . .

AOS-W 3.1
User Guide

.
.
.
.
.
.
.
.
.
.

. 383
. 384
. 391
. 392
. 424
. 431
. 481
. 482
. 482
. 501

032063-00 Rev A
February 2007

List of Figures

Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure
Figure

1-1 Connecting APs to the Alcatel WLAN Switch . . . . . . . . . . . .
1-2 Alcatel APs Establish GRE Tunnels to the WLAN Switch . . .
1-3 Client Traffic is Tunneled to the WLAN Switch . . . . . . . . . . .
1-4 Master and Local WLAN Switches . . . . . . . . . . . . . . . . . . . .
1-5 VLANs for Wireless Clients Configured on WLAN Switch . .
2-6 APs Connected to WLAN Switch . . . . . . . . . . . . . . . . . . . . .
3-7 IP Address Assignment to VLAN via DHCP or PPPoE . . . . . .
3-8 Example: Source NAT using WLAN Switch IP Address . . . .
5-9 AP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5-10 Virtual AP Configurations Applied to the Same AP . . . . . . .
5-11 Applying AP Profiles to AP Groups . . . . . . . . . . . . . . . . . .
5-12 Applying WLAN Profiles to AP Groups . . . . . . . . . . . . . . . .
5-13 Excluding a Virtual AP Profile from an AP . . . . . . . . . . . . . .
6-14 Remote AP with a Private Network . . . . . . . . . . . . . . . . . .
6-15 Remote AP with WLAN Switch on Public Network . . . . . .
6-16 Remote AP with WLAN Switch Behind Firewall . . . . . . . . .
6-17 Remote AP in a Multi-WLAN Switch Environment . . . . . . .
8-18 Server Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9-19 802.1x Authentication with RADIUS Server . . . . . . . . . . . .
9-20 802.1x Authentication with Termination on WLAN Switch .
10-21 Captive Portal in Base Operating System Example . . . . . .
11-22 Site-to-Site VPN Configuration Components . . . . . . . . . .
12-23 Wireless xSec Client Example . . . . . . . . . . . . . . . . . . . . . .
12-24 Wired xSec Client Example . . . . . . . . . . . . . . . . . . . . . . . .
12-25 WLAN Switch-to-WLAN Switch xSec Example . . . . . . . . .
12-26 The regedit Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
12-27 Modifying a regedit Policy . . . . . . . . . . . . . . . . . . . . . . . .
12-28 The Funk Odyssey Client Profile . . . . . . . . . . . . . . . . . . . .
12-29 Certificate Information . . . . . . . . . . . . . . . . . . . . . . . . . . .
12-30 Network Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
15-31 Routing of Traffic to Mobile Client within Mobility Domain
15-32 Example Configuration: Campus-Wide Mobility . . . . . . . .
16-33 Redundant Topology: Master-Local Redundancy . . . . . . .
18-34 Creating a Guest Account . . . . . . . . . . . . . . . . . . . . . . . .
18-35 Guest Account Information . . . . . . . . . . . . . . . . . . . . . . .
18-36 Guest Provisioning Page . . . . . . . . . . . . . . . . . . . . . . . . .
21-37 The ESI-Fortinet Topology . . . . . . . . . . . . . . . . . . . . . . . .
21-38 Load Balancing Groups . . . . . . . . . . . . . . . . . . . . . . . . . . .
21-39 ESI Parser Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

AOS-W 3.1
User Guide

. . 25
. . 26
. . 27
. . 30
. . 37
. . 59
. . 65
. . 69
. 118
. 120
. 123
. 124
. 124
. 138
. 139
. 139
. 139
. 170
. 187
. 188
. 230
. 269
. 276
. 278
. 282
. 284
. 285
. 285
. 286
. 287
. 305
. 309
. 322
. 393
. 393
. 394
. 438
. 439
. 440
15

List of Figures

21-40 Peer WLAN Switches . . . . . . . . . . . . . . .
21-41 The External Services View . . . . . . . . . . .
21-42 The User Roles View . . . . . . . . . . . . . . . .
21-43 The Add Role View . . . . . . . . . . . . . . . . .
21-44 Firewall Polices Choices . . . . . . . . . . . . .
21-45 Firewall Policy Attributes . . . . . . . . . . . .
21-46 Setting Firewall Policy Parameters . . . . .
21-47 Selecting Parameters in Drop-down Lists
21-48 The External Services View . . . . . . . . . . .
21-49 The Syslog Parser Domains View . . . . . .
21-50 The Add Domain View . . . . . . . . . . . . . .
21-51 The Edit Domain View . . . . . . . . . . . . . .
21-52 The Syslog Parser Rules View . . . . . . . .
21-53 The New Rule View . . . . . . . . . . . . . . . .
21-54 The Edit Rule View . . . . . . . . . . . . . . . . .
21-55 The Syslog Parser Rule Test View . . . . .
21-56 The Syslog Parser Statistics View . . . . .
21-57 Example Route-Mode Topology . . . . . . .
21-58 The User Roles View . . . . . . . . . . . . . . . .
21-59 The Add Role View . . . . . . . . . . . . . . . . .
21-60 Firewall Polices Choices . . . . . . . . . . . . .
21-61 Firewall Policy Attributes . . . . . . . . . . . .
21-62 Setting Firewall Policy Parameters . . . . .
21-63 Selecting Parameters in Drop-down Lists
21-64 Example NAT-Mode Topology . . . . . . . .
A-65 Scope Options Dialog Box . . . . . . . . . . . .
A-66 DHCP Scope Values . . . . . . . . . . . . . . . . .
D-67 Wireless Networks . . . . . . . . . . . . . . . . . .
D-68 Networks to Access . . . . . . . . . . . . . . . . .
D-69 Wireless Network Association . . . . . . . . .
D-70 Wireless Network Authentication . . . . . . .
D-71 Protected EAP Properties . . . . . . . . . . . . .
D-72 EAP MSCHAPv2 Properties . . . . . . . . . . .

AOS-W 3.1
User Guide

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

. 441
. 444
. 448
. 448
. 449
. 449
. 450
. 450
. 452
. 453
. 454
. 455
. 456
. 457
. 459
. 460
. 462
. 463
. 468
. 468
. 469
. 469
. 470
. 470
. 474
. 490
. 490
. 506
. 506
. 508
. 509
. 510
. 510

032063-00 Rev A
February 2007

Preface

This preface includes the following information:

An overview of the contents of this manual

A list of related documentation for further reading

A key to the various text conventions used throughout this manual

Alcatel support and service information

Document Organization
This user guide includes instructions and examples for commonly-used wireless
LAN (WLAN) Switch configurations such as Virtual Private Networks (VPNs),
authentication, and redundancy.
Volume 1 contains an overview of the Alcatel OmniAccess system. Volume 2
describes how to install the Alcatel OmniAccess system in a wired network.
Volume 3 describes how to configure Alcatel access points (APs), including
remote APs. The remaining volumes of the user guide describe other features of
the Alcatel OmniAccess system.

Related Documents
The following items are part of the complete documentation for the Alcatel
OmniAccess system:

Alcatel WLAN Switch Installation Guides

Alcatel Access Point Installation Guides

Release Notes

AOS-W 3.1
User Guide

Preface

Text Conventions
The following conventions are used throughout this manual to emphasize
important concepts:

TABLE 1

Text Conventions

Type Style

Description

Italics

This style is used to emphasize important terms and to mark
the titles of books.

System items

This fixed-width font depicts the following:

Sample screen output

System prompts

Filenames, software devices, and specific commands
when mentioned in the text

Commands

In the command examples, this bold font depicts text that
you must type exactly as shown.

In the command examples, italicized text within angle
brackets represents items that you should replace with
information appropriate to your specific situation. For
example:
# send
In this example, you would type “send” at the system
prompt exactly as shown, followed by the text of the
message you wish to send. Do not type the angle brackets.

[ Optional ]

In the command examples, items enclosed in brackets are
optional. Do not type the brackets.

{ Item A | Item B }

In the command examples, items within curled braces and
separated by a vertical bar represent the available choices.
Enter only one choice. Do not type the braces or bars.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Preface

Contacting Alcatel
Contact Center Online

Main Site

http://www.alcatel.com/enterprise

Support Site

http://eservice.ind.alcatel.com

support@ind.alcatel.com

Sales & Support Contact Center Telephone

North America

1-800-995-2696

Latin America

1-877-919-9526

Europe

+33 (0) 38 85 56 92 9

Asia Pacific

+65 6586 1555

Worldwide

1-818-880-3500

AOS-W 3.1
User Guide

Preface

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Volume 1
Introducing the
Alcatel
OmniAccess
System
AOS-W Version 3.1

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Overview of the Alcatel
OmniAccess System

Wireless local area networks (WLANs) allow users of personal computers with
wireless network interface adapters to communicate with each other and connect
to existing wired networks. The Alcatel OmniAccess system allows you to
implement WLANs in enterprise environments with lower cost of deployment,
simplified management, and multiple layers of security.
This chapter describes the components and features of the Alcatel OmniAccess
system, in the following topics:

“Alcatel OmniAccess System Components” on page 24

“Basic WLAN Configuration” on page 33

“Wireless Client Access to the WLAN” on page 39

“Configuring and Managing the Alcatel OmniAccess System” on page 42

AOS-W 3.1
User Guide

Overview of the Alcatel OmniAccess System
Chapter 1

Alcatel OmniAccess System Components
The Alcatel OmniAccess system consists of the following components:

Alcatel Access Points

Alcatel WLAN Switches

AOS-W

The following sections describe each of these components.

Alcatel Access Points
Alcatel Access Points (APs) operate exclusively with Alcatel WLAN Switches to
provide network access for wireless clients. Alcatel APs support Institute of
Electrical and Electronics Engineers (IEEE) 802.11a/b/g standards for wireless
systems.
NOTE:

Alcatel offers a range of APs that support various antenna types and
radio specifications. Refer to the Installation Guide for your Alcatel AP for
specific information about supported features.

An AP broadcasts its configured service set identifier (SSID), which corresponds
to a specific wireless local area network (WLAN). Wireless clients discover APs by
listening for broadcast beacons or by sending active probes to search for APs
with a specific SSID.
You can connect an Alcatel AP to an Alcatel WLAN Switch either directly with an
Ethernet cable or remotely through an IP network. Figure 1-1 shows two Alcatel
APs connected to an Alcatel WLAN Switch. One AP is connected to a switch in
the wiring closet that is connected to a router in the data center where the WLAN
Switch is located. The Ethernet port on the other AP is cabled directly to a port on
the WLAN Switch.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Overview of the Alcatel OmniAccess System
Chapter 1

ALCATEL AP CONNECTED
THROUGH AN IP NETWORK
FLOOR

WIRING
CLOSET

INTERNET

ALCATEL AP CONNECTED
WITH AN ETHERNET CABLE

ALCATEL WLAN SWITCH
DATA CENTER

FIGURE 1-1

Connecting APs to the Alcatel WLAN Switch

Alcatel APs are thin APs, which means their primary function is to receive and
transmit electromagnetic signals; other WLAN processing is left to the WLAN
Switch. When powered on, an Alcatel AP locates its host WLAN Switch through
a variety of methods, including the Alcatel Discovery Protocol (ADP), Domain
Name Service (DNS), or Dynamic Host Configuration Protocol (DHCP). When an
Alcatel AP locates its host WLAN Switch, it automatically builds a secure Generic
Routing Encapsulation (GRE) tunnel (Figure 1-2) to the WLAN Switch. The AP
then downloads its software and configuration from the WLAN Switch through
the tunnel.

AOS-W 3.1
User Guide

Overview of the Alcatel OmniAccess System
Chapter 1

ALCATEL AP

FLOOR
GRE TUNNEL

WIRING
CLOSET

INTERNET

GRE TUNNEL

ALCATEL WLAN SWITCH
DATA CENTER

FIGURE 1-2

Alcatel APs Establish GRE Tunnels to the WLAN Switch

Client traffic received by the AP is immediately sent through the tunnel to the host
WLAN Switch (Figure 1-3), which performs packet processing such as encryption
and decryption, authentication, and policy enforcement.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Overview of the Alcatel OmniAccess System
Chapter 1

WIRELESS CLIENTS

ALCATEL AP
FLOOR

WIRING
CLOSET

INTERNET

ALCATEL WLAN SWITCH
DATA CENTER

FIGURE 1-3

Client Traffic is Tunneled to the WLAN Switch

Automatic RF Channel and Power Settings
Adaptive Radio Management (ARM) is a radio frequency (RF) resource allocation
algorithm that you can enable and configure in the Alcatel Mobility Edge system.
When ARM is enabled, each Alcatel AP can determine the optimum channel
selection and transmit power setting to minimize interference and maximize
coverage and throughput. The APs scan for better channels at periodic intervals
and report information to the WLAN Switch. The WLAN Switch analyzes reports
from all APs and coordinates changes, resulting in a higher performing RF
environment.
If an AP fails for any reason, the Alcatel OmniAccess system’s self-healing
mechanism automatically ensures coverage for wireless clients. The WLAN
Switch detects the failed AP and instructs neighboring APs to increase power
levels to compensate.
You can also enable the system to detect coverage holes, or areas where a good
RF signal is not adequately reaching wireless clients.

AOS-W 3.1
User Guide

Overview of the Alcatel OmniAccess System
Chapter 1

RF Monitoring
An Alcatel AP can function as either a dedicated or shared Air Monitor (AM) to
monitor radio frequency (RF) spectrums to detect intrusions, denial of service
(DoS) attacks, and other vulnerabilities. A dedicated AM performs monitoring
functions exclusively and does not service wireless clients or advertise SSIDs. A
shared AM performs monitoring functions in addition to servicing wireless
clients.
Every AP automatically monitors the channel on which it services wireless clients.
You can configure the AP to perform off-channel scanning, where the AP spends
brief time intervals scanning other channels. However, the more clients an AP
services, the less time it has to perform off-channel scanning. If air monitoring
functions are critical to your network, Alcatel recommends that a few APs be
designated as dedicated AMs.
For example, you can configure dedicated AMs to perform the following
functions:

Detect, locate, and disable rogue APs (APs that are not authorized or
sanctioned by network administrators)

Detect and disable ad-hoc networks

Detect and disable honeypot APs

Detect wireless bridges

Capture remote packets

If air monitoring functions are only needed periodically, you can configure APs to
operate temporarily as AMs. You can also configure dedicated AMs to
automatically convert into APs if there is an AP failure or when there is high level
of traffic on the network.

Alcatel WLAN Switches
All Alcatel APs are connected either directly or remotely through an IP network to
an Alcatel WLAN Switch. The WLAN Switch is an enterprise-class switch that
bridges wireless client traffic to and from traditional wired networks and performs
high-speed Layer-2 or Layer-3 packet forwarding between Ethernet ports. While
Alcatel APs provide radio services only, the WLAN Switch performs upper-layer
media access control (MAC) processing, such as encryption and authentication,
as well as centralized configuration and management of SSIDs and RF
characteristics for Alcatel APs. This allows you to deploy APs with little or no
physical change to an existing wired infrastructure.
WLAN Switches provide 10/100 Mbps Fast Ethernet, IEEE 802.3af-compliant
ports that can provide Power over Ethernet (PoE) to directly-connected APs.
When you connect a PoE-capable port on the WLAN Switch to a PoE-compatible
device such as an Alcatel AP, the port automatically detects the device and

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Overview of the Alcatel OmniAccess System
Chapter 1

provides operating power through the connected Ethernet cable. This allows APs
to be installed in areas where electrical outlets are unavailable, undesirable, or not
permitted, such as in the plenum or in air handling spaces.
NOTE:

Alcatel offers a range of WLAN Switches that provide different port types
and traffic capacities. Refer to the Installation Guide for your Alcatel
WLAN Switch for specific information about supported features.

In an Alcatel OmniAccess system, at least one WLAN Switch is the master WLAN
Switch while non-master WLAN Switches are referred to as local WLAN Switches
(Figure 1-4). A master WLAN Switch offers a single point of configuration that is
automatically replicated from the master to local WLAN Switches throughout the
network.
Local WLAN Switches offer local points of traffic aggregation and management
for Alcatel APs and services. A local WLAN Switch can perform any supported
function (for example, WLAN management, policy enforcement, VPN services,
and so on), however these services are always configured on the master WLAN
Switch and are “pushed” to specified local WLAN Switches.
An Alcatel AP obtains its software image and configuration from a master WLAN
Switch; it can also be instructed by a master WLAN Switch to obtain its software
from a local WLAN Switch.

AOS-W 3.1
User Guide

Overview of the Alcatel OmniAccess System
Chapter 1

LOCAL WLAN
SWITCH

MASTER WLAN
SWITCH

LOCAL WLAN
SWITCH

FIGURE 1-4

Master and Local WLAN Switches

A typical OmniAccess system includes one master WLAN Switch, one or more
backup master WLAN Switches and any number of local WLAN Switches. It is
important to note that master WLAN Switches do not share information with
each other. Thus, APs that share roaming tables, security policies, and other
configurations should be managed by the same master WLAN Switch.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Overview of the Alcatel OmniAccess System
Chapter 1

AOS-W
AOS-W is a suite of mobility applications that runs on all Alcatel WLAN Switches
and allows you to configure and manage the wireless and mobile user
environment.
AOS-W consists of a base software package with optional software modules that
you can activate by installing the appropriate license key (Table 1-1). The base
AOS-W software includes the following functions:

Centralized configuration and management of APs

Wireless client authentication to an external authentication server or to the
WLAN Switch’s local database

Encryption

Mobility with fast roaming

RF management and analysis tools

TABLE 1-1

Optional Software Modules

Optional Software Module

Description

Policy Enforcement
Firewall

Provides identity-based security for wired and
wireless clients. Stateful firewall enables
classification based on client identity, device type,
location, and time of day, and provides
differentiated access for different classes of users.

Wireless Intrusion
Protection

Detects, classifies and limits designated wireless
security threats such as rogue APs, DoS attacks,
malicious wireless attacks, impersonations, and
unauthorized intrusions. Eliminates need for
separate system of RF sensors and security
appliances.

VPN Server

Enables WLAN Switches to provide Virtual Private
Networks (VPN) tunnel termination to local and
remote clients. Provides site-to-site VPN tunnels
between Alcatel WLAN Switches and third-party
VPN concentrators.

AOS-W 3.1
User Guide

Overview of the Alcatel OmniAccess System
Chapter 1

TABLE 1-1

Optional Software Modules (Continued)

Optional Software Module

Description

Remote AP

Allows an Alcatel AP to be securely connected
from a remote location to a WLAN Switch across
the Internet. Allows the remote AP to be plugged
directly into an Internet-connected DSL router; a
WLAN Switch does not need to be installed at the
remote location.
There are three Remote AP licenses available that
allow the WLAN Switch to support a maximum of
6, 128, or 256 Remote APs.

xSec

Enables support for xSec, a Federal Information
Processing Standard (FIPS)-certifiable Layer-2
encryption protocol.

Client Integrity

Enables wireless and wired client remediation
services before network access is granted.
Integrates Sygate Technologies Sygate
On-Demand Agent (SODA).

External Services Interface
(ESI)

Supports automatic redirect of clients to external
devices that provide inline network services such
as anti-virus, intrusion detection system (IDS), and
content filtering.

Each optional module has a software license (either permanent or evaluation) that
you must install on an Alcatel WLAN Switch as a software license key. Contact
your sales account manager or authorized reseller to obtain software licenses.
NOTE:

After installing one or more software license keys, you must reboot the
Alcatel WLAN Switch for the new feature to become available.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Overview of the Alcatel OmniAccess System
Chapter 1

Basic WLAN Configuration
You have a wide variety of options for authentication, encryption, access
management, and user rights when you configure a WLAN in the Alcatel
OmniAccess system. However, you must configure the following basic elements:

An SSID that uniquely identifies the WLAN

Layer-2 authentication to protect against unauthorized access to the WLAN

Layer-2 encryption to ensure the privacy and confidentiality of the data
transmitted to and from the network

A user role and virtual local area network (VLAN) for the authenticated client

This section describes authentication, encryption, VLAN, and user role
configuration in the Alcatel OmniAccess system.

Authentication
A wireless client must authenticate to the Alcatel OmniAccess system in order to
access WLAN resources. There are several types of Layer-2 security mechanisms
allowed by the IEEE 802.11 standard that you can employ in the OmniAccess
system, including those that require an external RADIUS authentication server:

Authentication
Method
None

Description
(Also called open system authentication) This is the default
authentication protocol. The client’s identity, in the form of the
Media Access Control (MAC) address of the wireless adapter
in the wireless client, is passed to the WLAN Switch.
Essentially any client requesting access to the WLAN is
authenticated.

AOS-W 3.1
User Guide

Overview of the Alcatel OmniAccess System
Chapter 1

Authentication
Method
IEEE 802.1x

Description
The IEEE 802.1x authentication standard allows for the use of
keys that are dynamically generated on a per-client basic (as
opposed to a static key that is the same on all devices in the
network).
NOTE:

The 802.1x standard requires the use of a RADIUS
authentication server. Most Lightweight Directory
Access Protocol (LDAP) servers do not support
802.1x.

With 802.1x authentication, a supplicant is the wireless client
that wants to gain access to the network and the device that
communicates with both the supplicant and the
authentication server is the authenticator. In the Alcatel
OmniAccess system, the WLAN Switch is the 802.1x
authenticator, relaying authentication requests between the
authentication server and the supplicant.
NOTE:

During the authentication process, the supplicant (the
wireless client) and the RADIUS authentication server
negotiate the type of Extensible Authentication
Protocol (EAP) they will use for the authentication
transaction. The EAP type is completely transparent
to the WLAN Switch and has no impact on its
configuration.

Wi-Fi Protected
Access (WPA)

WPA implements most of the IEEE 802.11i standard. It is
designed for use with an 802.1x authentication server (the
Wi-Fi Alliance refers to this mode as WPA-Enterprise). WPA
uses the Temporal Key Integrity Protocol (TKIP) to dynamically
change keys and RC4 stream cipher to encrypt data.

WPA in
pre-shared key
(PSK) mode
(WPA-PSK)

With WPA-PSK, all clients use the same key (the Wi-Fi Alliance
refers to this mode as WPA-Personal).

WPA2

WPA2 implements the full IEEE 802.11i standard. In addition
to WPA features, WPA2 provides Counter Mode with Cipher
Blocking Chaining Message Authentication Code Protocol
(CCMP) for encryption which uses the Advanced Encryption
Standard (AES) algorithm. (The Wi-Fi Alliance refers to this
mode as WPA2-Enterprise.)

AOS-W 3.1
User Guide

NOTE:

In PSK mode, users must enter a passphrase from
8-63 characters to access the network. PSK is
intended for home and small office networks where
operating an 802.1x authentication server is not
practical.

032063-00 Rev A
February 2007

Overview of the Alcatel OmniAccess System
Chapter 1

Authentication
Method
WPA2-PSK

Description
WPA2-PSK is WPA2 used in PSK mode, where all clients use
the same key. (The Wi-Fi Alliance refers to this mode as
WPA2-Personal.)

Encryption
The Layer-2 encryption option you can select depends upon the authentication
method chosen (Table 1-2).

TABLE 1-2

Encryption Options by Authentication Method

Authentication Method

Encryption Option

None

Null or Static WEP

802.1x

Dynamic WEP

WPA or WPA-PSK only

TKIP

WPA2 or WPA2-PSK only

AES

Combination of WPA or WPA-PSK
and WPA2 or WPA2-PSK

Mixed TKIP/AES

You can configure the following data encryption options for the WLAN:

Encryption Method

Description

Null

Null means that no encryption is used and packets passing
between the wireless client and WLAN Switch are in clear
text.

Wired Equivalent
Protocol (WEP)

Defined by the original IEEE 802.11 standard, WEP uses
the RC4 stream cipher with 40-bit and 128-bit encryption
keys. The management and distribution of WEP keys is
performed outside of the 802.11 protocol. There are two
forms of WEP keys:

Static WEP requires you to manually enter the key for
each client and on the WLAN Switch.

Dynamic WEP allows the keys to be automatically
derived for each client for a specific authentication
method during the authentication process. Dynamic
WEP requires 802.1x authentication.

AOS-W 3.1
User Guide

Overview of the Alcatel OmniAccess System
Chapter 1

Encryption Method

Description

Temporal Key
Integrity Protocol
(TKIP)

TKIP ensures that the encryption key is changed for every
data packet. You specify TKIP encryption for WPA and
WPA-PSK authentication.

Advanced
Encryption
Standard (AES)

AES is an encryption cipher that uses the Counter-mode
CBC-MAC (Cipher Block Chaining-Message Authentication
Code) Protocol (CCMP) mandated by the IEEE 802.11i
standard. AES-CCMP is specifically designed for IEEE
802.11 encryption and encrypts parts of the 802.11 MAC
headers as well as the data payload. You can specify
AES-CCMP encryption with WPA2 or WPA2-PSK
authentication.

Mixed
TKIP/AES-CCM

This option allows the WLAN Switch to use TKIP
encryption with WPA or WPA-PSK clients and use AES
encryption with WPA2 or WPA2-PSK clients. This option
allows you to deploy the Alcatel OmniAccess system in
environments that contain existing WLANs that use
different authentication and encryption.

xSec (Extreme
Security)

xSec is a Federal Information Processing Standard
(FIPS)-certifiable Layer-2 encryption. xSec can encrypt and
tunnel Layer-2 traffic between a WLAN Switch and wired
and wireless clients, or between two Alcatel WLAN
Switches. To use xSec encryption:

You must use 802.1x authentication, which means
that you must use a RADIUS authentication server.

You must install the AOS-W xSec license in the Alcatel
WLAN Switch. If you are using xSec between two
Alcatel WLAN Switches, you must install a license in
each device.

For encryption and tunneling of data between the
client and WLAN Switch, you must install the Funk
Odyssey client that supports xSec in the wired or
wireless client.

VLAN
Each authenticated client is placed into a VLAN, which determines the client’s
DHCP server, IP address, and Layer-2 connection. While you could place all
authenticated wireless clients into a single VLAN, the Alcatel OmniAccess system
allows you to group wireless clients into separate VLANs. This enables you to
differentiate groups of wireless clients and their access to network resources. For
example, you can place authorized employee clients into one VLAN and itinerant
clients, such as contractors or guests, into a separate VLAN.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Overview of the Alcatel OmniAccess System
Chapter 1

NOTE:

You create the VLANs for wireless clients only on the WLAN Switch. You
do not need to create the VLANs anywhere else on your network.
Because wireless clients are tunneled to the WLAN Switch (see
Figure 1-3 on page 27) to the rest of the network it appears as if the
clients were directly connected to the WLAN Switch.

For example, in the topology shown in Figure 1-5, authenticated wireless clients
are placed on VLAN 20. You configure VLAN 20 only on the WLAN Switch; you do
not need to configure VLAN 20 on any other device in the network.
NOTE:

To allow data to be routed to VLAN 20, you need to configure a static
route to VLAN 20 on an upstream router in the wired network.

VLAN 20

FLOOR

WIRING
CLOSET

INTERNET

VLAN 20

DATA CENTER

FIGURE 1-5

VLANs for Wireless Clients Configured on WLAN Switch

A client is assigned to a VLAN by one of several methods and there is an order of
precedence by which VLANs are assigned. For more information about creating
VLANs and how VLANs are assigned, see Chapter 3, “Configuring Network
Parameters.”

AOS-W 3.1
User Guide

Overview of the Alcatel OmniAccess System
Chapter 1

User Role
Every client in an Alcatel OmniAccess system is associated with a user role,
which determines what a client is allowed to do, where and when it can operate,
how often it must re-authenticate, and which bandwidth contracts are applicable.
User roles can be simply defined; for example, you can define an “employee” role
that allows unrestricted access to all network resources at all times of the day
and a “guest” role that allows only HTTP access to the Internet during regular
business hours. Or you can define more granular user roles that are specific to
jobs in an enterprise environment, such as “IT staff” or “payroll”.
NOTE:

User roles and policies require the installation of a Policy Enforcement
Firewall license in the WLAN Switch. See Table 1-1 on page 31 for
descriptions of optional AOS-W software licenses.

In an Alcatel OmniAccess system, a policy identifies a set of rules that applies to
traffic that passes through the WLAN Switch. A policy can consist of firewall
rules that permit or deny traffic, quality of service (QoS) actions such as setting a
data packet to high priority, or administrative actions such as logging.
Whenever you create a user role, you specify one or more policies for the role. You
can apply policies to clients to give different treatment to clients on the same
network. The following example shows policies that might be applied for the user
roles “Employee” and “Guest”:

“Employee” User Role Policy:

“Guest” User Role Policy:

“Permit all traffic from any source to
any destination”

“Permit DHCP traffic from the client to
corporate DHCP server during business
hours”
“Permit DNS traffic from the client to a
public DNS server during business
hours”
“Permit HTTP traffic from the client to
any destination during business hours”
“Permit HTTPS traffic from the client to
any destination during business hours”
“Drop all traffic from the client to the
Internal Corporate network”

NOTE:

In the examples shown above, all clients should be securely
authenticated before network access is granted.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Overview of the Alcatel OmniAccess System
Chapter 1

A client is assigned a user role by one of several methods and there is an order or
precedence by which roles are assigned. For more information about configuring
user roles and how user roles are assigned, see Chapter 7, “Configuring Roles
and Policies.”

Wireless Client Access to the WLAN
Wireless clients communicate with the wired network and other wireless clients
through a WLAN in an Alcatel OmniAccess system. There are two phases to the
process by which a wireless client gains access to a WLAN in an Alcatel
OmniAccess system:
1.

Association of the radio network interface card (NIC) in the PC with an AP, as
described by the IEEE 802.11 standard. This association allows data link
(Layer-2) connectivity.

Authentication of the wireless client before network access is allowed.

Association
APs send out beacons that contain the SSIDs of specific WLANs; the client can
select the network they want to join. Wireless clients can also send out probes to
locate a WLAN within range or to locate a specific SSID; APs within range of the
client respond. Along with the SSID, an AP also sends out the following
information:

Data rates supported by the WLAN. Clients can determine which WLAN to
associate with based on the supported data rate.

WLAN requirements for the client. For example, clients may need to use TKIP
for encrypting data transmitted on the WLAN.

The client determines which AP is best for connecting to the WLAN and attempts
to associate with it. It sends an association request to become a member of the
service set. During the association exchange, the client and WLAN Switch
negotiate the data rate, authentication method, and other options.
NOTE:

Because an Alcatel AP is a “thin” AP, all wireless traffic it receives is
immediately sent through a GRE tunnel to the WLAN Switch. The WLAN
Switch responds to client requests and communicates with an
authentication server on behalf of the client. Therefore, the client
authentication and association processes occur between the wireless
client and the Alcatel WLAN Switch.

AOS-W 3.1
User Guide

Overview of the Alcatel OmniAccess System
Chapter 1

Authentication
Authentication provides a way to identify a client and provide appropriate access
to the network for that client. By default, all wireless clients in an Alcatel
OmniAccess system start in an initial user role and use an authentication method
to move to an identified, authenticated role. One or more authentication methods
may be used, ranging from secure authentication methods such as 802.1x, VPN,
and captive portal to less secure methods such as MAC address authentication.
NOTE:

Client access to the network depends upon whether the Policy
Enforcement Firewall license is installed in the WLAN Switch and what
policies are configured. For example, if the Policy Enforcement Firewall
license is not installed, any authenticated client can connect to the
network. If the Policy Enforcement Firewall license is installed, the
policies associated with the user role that the client is given determine
the network access that the client is allowed. Subsequent chapters in
this manual demonstrate the configuration of user roles and policies.

802.1x Authentication
802.1x is an IEEE standard used for authenticating clients on any IEEE 802
network. It is an open authentication framework, allowing multiple authentication
protocols to operate within the framework. 802.1x operates as a Layer-2 protocol.
Successful 802.1x authentication must complete before any higher-layer
communication with the network, such as a DHCP exchange to obtain an IP
address, is allowed.
802.1x is key-generating, which means that the output of the authentication
process can be used to assign dynamic per-client encryption keys. While the
configuration of 802.1x authentication on the WLAN Switch is fairly simple,
802.1x can require significant work in configuring an external authentication
server and wireless client devices.

VPN
VPN technology has been in use for Internet-based remote access for many years
and client/server components are widely available. Generally, the VPN client is
installed on mobile devices and is used to provide secure communication with a
corporate network across a non-secure network such as the Internet. VPN
technology operates at Layer-3, which means that an IP address is required on
the client device before the VPN client can operate.
With VPN, the MAC and outer IP header information is transmitted cleartext,
while inner IP header and data are encrypted. Because the IP layer is unprotected,
some form of Layer-2 encryption (such as WEP) should be used on a wireless
network.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Overview of the Alcatel OmniAccess System
Chapter 1

Captive Portal
Captive portal allows a wireless client to authenticate using a web-based portal.
Captive portals are typically used in public access wireless hotspots or for hotel
in-room Internet access. After a client associates to the wireless network, their
device is assigned an IP address. The client must start a web browser and pass
an authentication check before access to the network is granted.
Captive portal authentication is the simplest form of authentication to use and
requires no software installation or configuration on the client. The
username/password exchange is encrypted using standard SSL encryption.
However, portal authentication does not provide any form of encryption beyond
the authentication process; to ensure privacy of client data, some form of
link-layer encryption (such as WEP or WPA-PSK) should be used when sensitive
data will be sent over the wireless network.

MAC Address Authentication
MAC address authentication is the process of examining the MAC address of an
associated device, comparing it to an internal or RADIUS database, and changing
the user role to an authenticated state. MAC address authentication is not a
secure form of authentication as the MAC address of a network interface card
(NIC) can be changed in software. MAC address authentication is useful for
devices that cannot support a more secure form of authentication, such as
barcode scanners, voice handsets, or manufacturing instrumentation sensors.
User roles mapped to MAC address authentication should be linked to restrictive
policies to permit only the minimum required communication. Whenever possible,
WEP encryption should also be employed to prevent unauthorized devices from
joining the network.

Client Mobility and AP Association
When a wireless client associates with an AP, it retains the association for as long
as possible. Generally, a wireless client only drops the association if the number
of errors in data transmission is too high or the signal strength is too weak.
When a wireless client roams from one AP to another in an Alcatel OmniAccess
system, the WLAN Switch can automatically maintain the client’s authentication
and state information; the client only changes the radio that it uses. Clients do
not need to reauthenticate or reassociate. When a client roams between APs that
are connected to the same WLAN Switch, the client maintains its original IP
address and existing IP sessions.
You can also enable client mobility on all WLAN Switches in a master WLAN
Switch’s hierarchy. This allows clients to roam between APs that are connected
to different WLAN Switches without needing to reauthenticate or obtain a new IP
address. When a client associates with an AP, the client information is sent to the
master WLAN Switch. The master WLAN Switch pushes out the client

AOS-W 3.1
User Guide

Overview of the Alcatel OmniAccess System
Chapter 1

information to all local WLAN Switches in its hierarchy. When a client roams to an
AP connected to a different WLAN Switch, the new WLAN Switch recognizes the
client and tunnels the client traffic back to the original WLAN Switch.

Configuring and Managing the Alcatel
OmniAccess System
There are several interfaces that you can use to configure and manage
components of the Alcatel OmniAccess system:

The Web User Interface (WebUI) allows you to configure and manage Alcatel
WLAN Switches. The WebUI is accessible through a standard Web browser
from a remote management console or workstation.

The command line interface (CLI) allows you to configure and manage Alcatel
WLAN Switches. The CLI is accessible from a local console connected to the
serial port on the WLAN Switch or through a Telnet or Secure Shell (SSH)
session from a remote management console or workstation.
NOTE:

By default, you can only access the CLI from the serial port or from
an SSH session. To use the CLI in a Telnet session, you must
explicitly enable Telnet on the WLAN Switch.

The Alcatel Mobility Manager System is a suite of applications for monitoring
multiple master WLAN Switches and their related local WLAN Switches and
APs. Each application provides a Web-based user interface. The Alcatel
Mobility Manager System is available as an integrated appliance and as a
software application that runs on a dedicated system. See the Mobility
Manager User Guide for more information.

For more information about using these interfaces, see Chapter 18, “Configuring
Management Access.”

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Volume 2
Installing the
Alcatel
OmniAccess
System

AOS-W Version 3.1

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Deploying a Basic
OmniAccess System

This chapter describes how to connect an Alcatel WLAN Switch and Alcatel APs
to your wired network. After completing the tasks described in this chapter, you
can configure the APs as described in Volume 3.
This chapter describes the following topics:

“Configuration Overview” on page 46

“Configuring the Alcatel WLAN Switch” on page 50

“Deploying APs” on page 55

“Additional Configuration” on page 59

AOS-W 3.1
User Guide

Deploying a Basic OmniAccess System
Chapter 2

Configuration Overview
This section describes typical deployment scenarios and the tasks you must
perform in connecting an Alcatel WLAN Switch and Alcatel APs to your wired
network.

Deployment Scenario #1
ROUTER IS DEFAULT GATEWAY
FOR WLAN SWITCH AND
CLIENTS

In this deployment scenario, the Alcatel APs and WLAN Switch are on the same
subnetwork and will use IP addresses assigned to the subnetwork. There are no
routers between the APs and the WLAN Switch. APs can be physically connected
directly to the WLAN Switch. The uplink port on the WLAN Switch is connected
to a layer-2 switch or router.
You must perform the following tasks:
1.

Run the Initial Setup.
z

Set the IP address of VLAN 1.

Set the default gateway to the IP address of the interface of the upstream
router to which you will connect the WLAN Switch.

Connect the uplink port on the WLAN Switch to the switch or router
interface. By default, all ports on the WLAN Switch are access ports and will
carry traffic for a single VLAN.

Deploy APs. The APs will use the Alcatel Discovery Protocol (ADP) to locate
the WLAN Switch.

Configure the SSID(s) with VLAN 1 as the assigned VLAN for all users.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Deploying a Basic OmniAccess System
Chapter 2

Deployment Scenario #2

FLOOR 3

SUBNET

FLOOR 2

SUBNET

FLOOR 1

SUBNET

WLAN SWITCH

IS
DEFAULT GATEWAY
FOR CLIENTS

DATA CENTER

In this deployment scenario, the Alcatel APs and the WLAN Switch are on
different subnetworks and the APs are on multiple subnetworks. The WLAN
Switch acts as a router for the wireless subnetworks (the WLAN Switch is the
default gateway for the wireless clients). The uplink port on the WLAN Switch is
connected to a layer-2 switch or router; this port is an access port in VLAN 1.
You must perform the following tasks:
1.

Run the Initial Setup.
z

Set the IP address for VLAN 1.

Set the default gateway to the IP address of the interface of the upstream
router to which you will connect the WLAN Switch.

Connect the uplink port on the WLAN Switch to the switch or router
interface.

Deploy APs. The APs will use DNS or DHCP to locate the WLAN Switch.

Configure VLANs for the wireless subnetworks on the WLAN Switch.

Configure SSIDs with the VLANs assigned for each wireless subnetwork.

AOS-W 3.1
User Guide

Deploying a Basic OmniAccess System
Chapter 2

NOTE:

Each wireless client VLAN must be configured on the WLAN Switch with
an IP address. On the uplink switch or router, you must configure static
routes for each client VLAN, with the WLAN Switch’s VLAN 1 IP address
as the next hop.

Deployment Scenario #3

FLOOR 3

SUBNET

FLOOR 2

SUBNET

FLOOR 1

SUBNET

TRUNK

PORT
CARRIES CLIENT
TRAFFIC

ROUTER

IS DEFAULT
GATEWAY FOR WLAN
SWITCH AND CLIENTS

DATA CENTER

In this deployment scenario, the Alcatel APs and the WLAN Switch are on
different subnetworks and the APs are on multiple subnetworks. There are
routers between the APs and the WLAN Switch. The WLAN Switch is connected
to a layer-2 switch or router through a trunk port that carries traffic for all wireless
client VLANs. An upstream router functions as the default gateway for the
wireless users.
NOTE:

This deployment scenario does not use VLAN 1 to connect to the layer-2
switch or router through the trunk port. The Initial Setup prompts you for
the IP address and default gateway for VLAN 1; use the default values. In
later steps, you configure the appropriate VLAN to connect to the switch
or router as well as the default gateway.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Deploying a Basic OmniAccess System
Chapter 2

You must perform the following tasks:
1.

Run the Initial Setup.
z

Use the default IP address for VLAN 1. Since VLAN 1 is not used to
connect to the layer-2 switch or router through the trunk port, you must
configure the appropriate VLAN in a later step.

Do not specify a default gateway (use the default “none”). In a later step,
you configure the default gateway.

Create a VLAN that has the same VLAN ID as the VLAN on the switch or
router to which you will connect the WLAN Switch. Add the uplink port on
the WLAN Switch to this VLAN and configure the port as a trunk port.

Add client VLANs to the trunk port.

Configure the default gateway on the WLAN Switch. This gateway is the IP
address of the router to which you will connect the WLAN Switch.

Configure the loopback interface for the WLAN Switch.

Connect the uplink port on the WLAN Switch to the switch or router
interface.

Deploy APs. The APs will use DNS or DHCP to locate the WLAN Switch.

You would then configure VLANs on the WLAN Switch for the wireless client
subnetworks and configure SSIDs with the VLANs assigned for each wireless
subnetwork .

AOS-W 3.1
User Guide

Deploying a Basic OmniAccess System
Chapter 2

Configuring the Alcatel WLAN Switch
The tasks in deploying a basic Alcatel OmniAccess system fall into two main
areas:

Configuring and connecting the Alcatel WLAN Switch to the wired network
(described in this section)

Deploying Alcatel APs (described later in this section)

To connect the WLAN Switch to the wired network:
1.

Run the Initial Setup to configure administrative information for the WLAN
Switch.

(Deployment #3) Configure a VLAN to connect the WLAN Switch to your
network. You do not need to perform this step if you are using VLAN 1 to
connect the WLAN Switch to the wired network.

Connect the ports on the WLAN Switch to your network.

(Optional) Configure a loopback address for the WLAN Switch. You do not
need to perform this step if you are using the VLAN 1 IP address as the WLAN
Switch’s IP address.

This section describes the steps in detail.

Run the Initial Setup
When you connect to the WLAN Switch for the first time using either a serial
console or a Web browser, the Initial Setup requires you to set the role (master or
local) for the WLAN Switch and passwords for administrator and configuration
access. The Initial Setup also requires that you specify the country code for the
country in which the WLAN Switch will operate; this sets the regulatory domain
for the radio frequencies that the APs use.
The Initial Setup requires that you configure an IP address for the VLAN 1
interface, which you can use to access and configure the WLAN Switch remotely
via an SSH or WebUI session. Configuring an IP address for the VLAN 1 interface
ensures that there is an IP address and default gateway assigned to the WLAN
Switch upon completion of the Initial Setup.
After you complete the Initial Setup, the WLAN Switch reboots using the new
configuration. See the Alcatel Quick Start Guide for information about using the
Initial Setup.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Deploying a Basic OmniAccess System
Chapter 2

You can connect to and configure the WLAN Switch in several ways using the
administrator password you entered during the Initial Setup:

You can continue to use the connection to the serial port on the WLAN
Switch to enter the command line interface (CLI). (Refer to Chapter 18,
“Configuring Management Access,” for information on how to access the CLI
and enter configuration commands.)

You can connect an Ethernet cable from a PC to an Ethernet port on the
WLAN Switch. You can then use one of the following access methods:
z

Use the VLAN 1 IP address to start an SSH session where you can enter
CLI commands.

Enter the VLAN 1 IP address in a browser window to start the WebUI.

Configure a VLAN for Network Connection
You must follow the instructions in this section only if you need to configure a
trunk port between the Alcatel WLAN Switch and another layer-2 switch (shown
in “Deployment Scenario #3” on page 48).
This section shows how to use both the WebUI and CLI for the following
configurations (subsequent steps show how to use the WebUI only):

Create a VLAN on the WLAN Switch and assign it an IP address.

Assign to the VLAN the port(s) that you will use to connect the WLAN Switch
to the network. (For example, the uplink ports that you connect to a router are
usually Gigabit ports.) In the example configurations shown in this section, an
OmniAccess 4324 WLAN Switch is connected to the network through its
Gigabit Ethernet port 1/25.

Configure the port as a trunk port.

Configure a default gateway for the WLAN Switch.

Create the VLAN
The following configurations create VLAN 5 and assign it the IP address
10.3.22.20/24.

Using the WebUI to create the VLAN:
1.

Click the Configuration tab in the menu bar. Under Network, click the VLANs
option.
NOTE:

In the remainder of this manual, the instructions for reaching a
specific WebUI page are shortened to specify the sequence of tab or
page selections; for example, “Navigate to the Configuration >
Network > VLANs page.”

Click Add to create a new VLAN.
AOS-W 3.1
User Guide

Deploying a Basic OmniAccess System
Chapter 2

On the Add New VLAN screen, enter 5 for the VLAN ID and click Apply.

Navigate to the Configuration > Network > IP > IP Interfaces page on the
WebUI. Click Edit for the VLAN you just added. Select Use the following IP
address. Enter the IP address and network mask of the VLAN interface. If
required, you can also configure the address of the DHCP server for the VLAN
by clicking Add.

Click Apply to apply this configuration.

At the top of the page, click Save Configuration.
NOTE:

In the WebUI configuration pages, clicking the Save Configuration
button saves configuration changes so they are retained after the
WLAN Switch is rebooted. Clicking the Apply button saves changes
to the running configuration but the changes are not retained when
the WLAN Switch is rebooted. A good practice is to use the Apply
button to save changes to the running configuration and, after
ensuring that the system operates as desired, click Save
Configuration.

Using the CLI to create the VLAN:

(alcatel)
User: admin
Password: *****
(alcatel) >enable
Password:******
(alcatel) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(alcatel) (config) #vlan 5
(alcatel) (config) #interface vlan 5
(alcatel) (config-subif)#ip address 10.3.22.20 255.255.255.0
(alcatel) (config-subif)#exit
(alcatel) (config) #write memory

Assign and Configure the Trunk Port
The following configuration configures a Gigabit Ethernet port as trunk port.

Using the WebUI to configure the trunk port:

Navigate to the Configuration > Network > Ports page on the WebUI.

In the Port Selection section, click the port that will connect the WLAN
Switch to the network. In this example, click port 25.

For Port Mode, select Trunk.

For Native VLAN, select VLAN 5 from the scrolling list, then click the <-- arrow.

Click Apply.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Deploying a Basic OmniAccess System
Chapter 2

Using the CLI to configure the trunk port:

interface gigabitethernet 1/25
switchport mode trunk
switchport trunk native vlan 5
To confirm the port assignments, use the show vlan command:

(alcatel) (config) #show vlan
VLAN CONFIGURATION
-----------------VLAN
Name
Ports
----------1
Default
Fa1/0-23 Gig1/24
5
VLAN0005
Gig1/25

Configure the Default Gateway
The following configurations assign a default gateway for the WLAN Switch.

Using the WebUI to configure the default gateway:
1.

Navigate to the Configuration > Network > IP > IP Routes page.

In the Default Gateway field, enter 10.3.22.1.

Click Apply.

Using the CLI to configure the default gateway:

ip default-gateway 10.3.22.1

Connect the WLAN Switch to the Network
Connect the ports on the WLAN Switch to the appropriately-configured ports on
an L2 switch or router. Make sure that you have the correct cables and that the
port LEDs indicate proper connections. Refer to the Installation Guide for the
Alcatel WLAN Switch for port LED and cable descriptions.
NOTE:

In many deployment scenarios, an external firewall is situated between
various Alcatel devices. Appendix B, “External Firewall Configuration”
describes the network ports that must be configured on the external
firewall to allow proper operation of the Alcatel network.

To verify that the WLAN Switch is accessible on the network:

If you are using VLAN 1 to connect the WLAN Switch to the network
(“Deployment Scenario #1” and “Deployment Scenario #2”), ping the VLAN 1
IP address from a workstation on the network.

AOS-W 3.1
User Guide

Deploying a Basic OmniAccess System
Chapter 2

If you created and configured a new VLAN (“Deployment Scenario #3”), ping
the IP address of the new VLAN from a workstation on the network.

Configure the Loopback for the WLAN Switch
You must configure a loopback address if you are not using VLAN 1 to connect
the WLAN Switch to the network (see “Deployment Scenario #3” on page 48).
If configured, the loopback address is used as the WLAN Switch’s IP address. If
you do not configure a loopback address for the WLAN Switch, the IP address
assigned to VLAN 1 is used as the WLAN Switch’s IP address.
NOTE:

After you configure or modify a loopback address, you must reboot the
WLAN Switch.

AOS-W allows the loopback address to be part of the IP address space assigned
to a VLAN interface. In the example topology, the VLAN 5 interface on the WLAN
Switch was previously configured with the IP address 10.3.22.20/24. The
loopback IP address in this example will be 10.3.22.220.
NOTE:

You configure the loopback address as a host address with a 32-bit
netmask. The loopback address should be routable from all external
networks.

Using the WebUI to configure the loopback:
1.

Navigate to the Configuration > Network > Switch > System Settings page.

Enter the IP address under Loopback Interface.

Click Apply at the bottom of the page (you might need to scroll down the
page).

At the top of the page, click Save Configuration.
You must reboot the WLAN Switch for the new IP address to take effect.

Navigate to the Maintenance > Switch > Reboot Switch page.

Click Continue.

Using the CLI to configure the loopback:

interface loopback ip address 10.3.22.220
To verify that the WLAN Switch is accessible on the network, ping the loopback
address from a workstation on the network.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Deploying a Basic OmniAccess System
Chapter 2

Deploying APs
Alcatel APs and AMs are designed to require only minimal setup to make them
operational in an Alcatel OmniAccess system. Once APs have established
communication with the WLAN Switch, you can apply advanced configuration to
individual APs or groups of APs in the OmniAccess system using the WebUI on
the WLAN Switch.
You can deploy APs by doing the following steps:
1.

Run the Java-based RF Plan tool to help position APs and import floorplans
for your installation.

Ensure that the APs can locate the WLAN Switch when they are connected to
the network. There are several ways in which APs can locate the WLAN
Switch.

Install the APs by connecting the AP to an Ethernet port. If power over
Ethernet (PoE) is not used, connect the AP to a power source.

On the WLAN Switch, configure the APs.

This section describes the steps.

Run Alcatel RF Plan
The Java-based RF Plan tool is an application that allows you to determine AP
placement based on your specified coverage and capacity requirements without
impacting the live network. For more information about using RF Plan, see the RF
Plan Installation and User Guide.

Enable APs to Connect to the WLAN Switch
Before you install APs in a network environment, you must ensure that the APs
will be able to locate and connect to the WLAN Switch when powered on.
Specifically, you must ensure the following:

When connected to the network, each AP is assigned a valid IP address

APs are able to locate the WLAN Switch

NOTE:

Alcatel APs use Trivial File Transfer Protocol (TFTP) the first time they
boot to obtain their software image and configuration from the WLAN
Switch. After the initial boot, the APs use FTP to obtain software images
and configurations from the WLAN Switch.
In many deployment scenarios, an external firewall is situated between
various Alcatel devices. Appendix B, “External Firewall Configuration”
describes the network ports that must be configured on the external
firewall to allow proper operation of the Alcatel network.

AOS-W 3.1
User Guide

Deploying a Basic OmniAccess System
Chapter 2

Enable APs to Obtain IP Addresses
Each Alcatel AP requires a unique IP address on a subnetwork that has
connectivity to a WLAN Switch. Alcatel recommends using the Dynamic Host
Configuration Protocol (DHCP) to provide IP addresses for APs; the DHCP server
can be an existing network server or an Alcatel WLAN Switch configured as a
DHCP server.
You can use an existing DHCP server in the same subnetwork as the AP to
provide the AP with its IP information. You can also configure a device in the
same subnetwork to act as a relay agent for a DHCP server on a different
subnetwork. Refer to the vendor documentation for the DHCP Server or relay
agent for information.
If an AP is on the same subnetwork as the master WLAN Switch, you can
configure the WLAN Switch as a DHCP server to assign an IP address to the AP.
The WLAN Switch must be the only DHCP server for this subnetwork.

Using the WebUI to enable the DHCP server on the WLAN Switch:
1.

Navigate to the Configuration > Network > IP > DHCP Server page.

Select the Enable DHCP Server checkbox.

In the Pool Configuration section, click Add.

Enter information about the subnetwork for which IP addresses are to be
assigned. Click Done.

If there are addresses that should not be assigned in the subnetwork:

Click Add in the Excluded Address Range section.

Enter the address range in the Add Excluded Address section.

Click Done.

Click Apply at the bottom of the page.

Using the CLI to enable the DHCP server on the WLAN Switch:

ip dhcp excluded-address ipaddr ipaddr2
ip dhcp pool name
default-router ipaddr
dns-server ipaddr
domain-name name
network ipaddr mask

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Deploying a Basic OmniAccess System
Chapter 2

Locate the WLAN Switch
An Alcatel AP can discover the IP address of the WLAN Switch in one of the
following ways:

From a DNS server

From a DHCP server

Using the Alcatel Discovery Protocol (ADP)

From a DNS Server
Alcatel APs are factory-configured to use the host name aruba-master for the
master WLAN Switch. For the DNS server to resolve this host name to the IP
address of the master WLAN Switch, you must configure an entry on the DNS
server for the name aruba-master.
For information on how to configure a host name entry on the DNS server, refer to
the vendor documentation for your server.
NOTE:

Alcatel recommends using a DNS server to provide APs with the IP
address of the master WLAN Switch because it involves minimal changes
to the network and provides the greatest flexibility in the placement of
APs.

From a DHCP Server
You can configure a DHCP server to provide the master WLAN Switch’s IP
address. You must configure the DHCP server to send the WLAN Switch’s IP
address using the DHCP vendor-specific attribute option 43. Alcatel APs identify
themselves with a vendor class identifier set to ArubaAP in their DHCP request.
When the DHCP server responds to the request, it will send the WLAN Switch’s
IP address as the value of option 43.
For more information on how to configure vendor-specific information on a DHCP
server, see Appendix A, “Configuring DHCP with Vendor-Specific Options,” or
refer to the vendor documentation for your server.

Using the Alcatel Discovery Protocol (ADP)
ADP is enabled by default on all Alcatel APs and WLAN Switches. To use ADP, all
Alcatel APs and WLAN Switches must be connected to the same Layer-2
network. If the devices are on different networks, a Layer-3 compatible discovery
mechanism, such as DNS, DHCP, or IGMP forwarding, must be used instead.
With ADP, APs send out periodic multicast and broadcast queries to locate the
master WLAN Switch. You might need to perform additional network
configuration, depending on whether the APs are in the same broadcast domain
as the WLAN Switch:

If the APs are in the same broadcast domain as the master WLAN Switch, the
WLAN Switch automatically responds to the APs’ queries with its IP address.

AOS-W 3.1
User Guide

Deploying a Basic OmniAccess System
Chapter 2

If the APs are not in the same broadcast domain as the master WLAN Switch,
you must enable multicast on the network (ADP multicast queries are sent to
the IP multicast group address 239.0.82.11) for the WLAN Switch to respond
to the APs’ queries. You also must make sure that all routers are configured
to listen for Internet Group Management Protocol (IGMP) join requests from
the WLAN Switch and can route these multicast packets.
To verify that ADP and IGMP join options are enabled on the WLAN Switch,
use the following CLI command:

(WLAN_Switch) #show adp config
ADP Configuration
----------------key
value
------discovery enable
igmp-join enable
If ADP or IGMP join options are not enabled, use the following CLI
commands:

(WLAN_Switch) (config) #adp discovery enable
(WLAN_Switch) (config) #adp igmp-join enable

Install APs
Use the AP placement map generated by RF Plan to install APs. You can either
connect the AP directly to a port on the WLAN Switch, or connect the AP to
another switch or router that has layer-2 or layer-3 connectivity to the WLAN
Switch.
If the Ethernet port on the WLAN Switch is an 802.3af Power over Ethernet (PoE)
port, the AP automatically uses it to power up. If a PoE port is not available, you
must get an AC adapter for the AP from Alcatel. For more information, see the
Installation Guide for the specific AP.
Once an AP is connected to the network and powered up, it attempts to locate
the master WLAN Switch using one of the methods described in “Locate the
WLAN Switch” on page 57.
On the master WLAN Switch, you can view the APs that have connected to the
WLAN Switch in the WebUI. Navigate to the Configuration > Wireless > AP
Installation page. Figure 2-6 shows an example of this page.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Deploying a Basic OmniAccess System
Chapter 2

FIGURE 2-6

APs Connected to WLAN Switch

Update RF Plan
After deploying APs, update the AP placement map in RF Plan. This allows more
accurate reconciliation of location tracking features provided by the Alcatel
OmniAccess system—for example, locating users, intruders, rogue APs and other
security threats, assets, and sources of RF interference—with the physical
environment.

Additional Configuration
After you have installed a basic Alcatel OmniAccess system, the Alcatel APs
advertise the default alcatel-ap SSID. Wireless users can connect to this SSID but
because you have not yet configured authentication, policies, or user roles, they
will not have access to the network. Other volumes in the AOS-W User Guide
describe how to build upon this basic deployment to configure user roles, firewall
policies, authentication, authentication servers, and other wireless features.
Chapter 5, “Configuring Access Points,” in the AOS-W User Guide describes how
to configure APs. The other volumes in the AOS-W User Guide provide more
information about configuring and using features of the Alcatel OmniAccess
system.

AOS-W 3.1
User Guide

Deploying a Basic OmniAccess System
Chapter 2

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Network
Parameters

This chapter describes some basic network configuration on the Alcatel WLAN
Switch. This chapter describes the following topics:

“Configuring VLANs” on page 62

“Configuring Static Routes” on page 70

“Configuring the Loopback IP Address” on page 71

AOS-W 3.1
User Guide

Configuring Network Parameters
Chapter 3

Configuring VLANs
The Alcatel WLAN Switch operates as a layer-2 switch that uses a VLAN as a
broadcast domain. As a layer-2 switch, the WLAN Switch requires an external
router to route traffic between VLANs. The WLAN Switch can also operate as a
layer-3 switch that can route traffic between VLANs defined on the WLAN Switch.
You can configure one or more physical ports on the WLAN Switch to be
members of a VLAN. Additionally, each wireless client association constitutes a
connection to a virtual port on the WLAN Switch, with membership in a specified
VLAN. You can place all authenticated wireless users into a single VLAN or into
different VLANs, depending upon your network. VLANs can exist only inside the
Alcatel WLAN Switch or they can extend outside the WLAN Switch through
802.1q VLAN tagging.
You can optionally configure an IP address and netmask for a VLAN on the Alcatel
WLAN Switch. The IP address is up when at least one physical port in the VLAN is
up. The VLAN IP address can be used as a gateway by external devices; packets
directed to a VLAN IP address that are not destined for the WLAN Switch are
forwarded according to the Alcatel WLAN Switch’s IP routing table.

Using the WebUI to create or edit a VLAN:
1.

Navigate to the Configuration > Network > VLANs page.

Click Add to create a new VLAN. (To edit an existing VLAN click Edit for the
VLAN entry.)

On the Add New VLAN screen, enter the VLAN ID.

To add physical ports to the VLAN, click the port in the Assign this VLAN to
Ports section.

Click Apply.

Using the CLI to create or edit a VLAN:

vlan
interface fastethernet|gigabitethernet /
switchport access vlan

Configuring Ports
By default, a port carries traffic only for the VLAN to which it is assigned. You can
optionally configure a port to operate as a trunk port that can carry traffic for
multiple VLANs. A trunk port uses 802.1q tags to mark frames for specific VLANs.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Network Parameters
Chapter 3

For a trunk port, you specify whether the port will carry traffic for all VLANs
configured on the WLAN Switch or for specific VLANs. You can also specify the
native VLAN for the port (frames on the native VLAN are not tagged).

Using the WebUI to configure ports:
1.

Navigate to the Configuration > Network > Ports page.

In the Port Selection section, click the port you want to configure.

For Port Mode select Trunk.

To specify the native VLAN, select a VLAN from the drop-down list and click
the <-- arrow.

To allow the port to carry traffic for a specific set of VLANs, select Allowed
VLAN list. Select the VLAN(s) from the Allowed VLANs or Disallowed VLANs
drop-down list and click the <-- arrow.

Click Apply.

Using the CLI to configure ports

interface fastethernet|gigabitethernet /
switchport mode trunk
switchport trunk native vlan
switchport trunk allowed vlan ,

VLAN Assignment
A client is assigned to a VLAN by one of several methods. There is an order of
precedence by which VLANs are assigned. The assignment of VLANs are (from
lowest to highest precedence):
1.

The default VLAN is the VLAN configured for the virtual AP profile.

Before client authentication, the VLAN can be derived from rules based on
client attributes (SSID, BSSID, client MAC, location, and encryption type). A
rule that derives a specific VLAN takes precedence over a rule that derives a
user role that may have a VLAN configured for it.

After client authentication, the VLAN can be the VLAN configured for a default
role for an authentication method, such as 802.1x or VPN.

After client authentication, the VLAN can be derived from attributes returned
by the authentication server (server-derived rule). A rule that derives a specific
VLAN takes precedence over a rule that derives a user role that may have a
VLAN configured for it.

AOS-W 3.1
User Guide

Configuring Network Parameters
Chapter 3

After client authentication, the VLAN can be derived from Microsoft Tunnel
attributes (Tunnel-Type, Tunnel Medium Type, and Tunnel Private Group ID).
All three attributes must be present. This does not require any server-derived
rule.

After client authentication, the VLAN can be derived from Vendor Specific
Attributes (VSA) for RADIUS server authentication. This does not require any
server-derived rule.
NOTE:

If a VSA is present, it overrides any previous VLAN assignment.

Assigning a Static Address to a VLAN
You can manually assign a static IP address to a VLAN on the WLAN Switch. At
least one VLAN on the WLAN Switch must be assigned a static IP address.

Using the WebUI to Assign a Static Address to a VLAN:
1.

Navigate to the Configuration > Network > IP > IP Interfaces page on the
WebUI. Click Edit for the VLAN you just added.

Select the Use the following IP address option. Enter the IP address and
network mask of the VLAN interface. If required, you can also configure the
address of the DHCP server for the VLAN by clicking Add.

Click Apply.

Using the CLI to Assign a Static Address to a VLAN:

interface vlan
ip address

Configuring a VLAN to Receive a Dynamic
Address
A VLAN on the Alcatel WLAN Switch obtains its IP address in one of the following
ways:

Manually configured by the network administrator. This is the default method
and is described in “Assigning a Static Address to a VLAN” on page 64. At
least one VLAN on the WLAN Switch must be assigned a static IP address.

Dynamically assigned from a Dynamic Host Configuration Protocol (DHCP) or
Point-to-Point Protocol over Ethernet (PPPoE) server. These methods are
described in the following section.

In a branch office, you can connect an Alcatel WLAN Switch to an uplink switch
or server that dynamically assigns IP addresses to connected devices. For
example, the WLAN Switch can be connected to a DSL or cable modem, or a
broadband remote access server (BRAS). Figure 3-7 shows a branch office where

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Network Parameters
Chapter 3

an Alcatel WLAN Switch connects to a cable modem. VLAN 1 has a static IP
address, while VLAN 2 has a dynamic IP address assigned via DHCP or PPPoE on
the uplink device. The DHCP server on the Alcatel WLAN Switch assigns IP
addresses to users on the local network from a configured pool of IP addresses.

VLAN 1

VLAN 2
TO INTERNET

TO LOCAL
NETWORK
WLAN SWITCH

FIGURE 3-7

CABLE MODEM
OR BRAS

IP Address Assignment to VLAN via DHCP or PPPoE

To allow the WLAN Switch to obtain a dynamic IP address for a VLAN:
Enable the DHCP or PPPoE client on the WLAN Switch for the VLAN.
The following restrictions apply when enabling the DHCP or PPPoE client on the
WLAN Switch:

You can enable the DHCP/PPPoE client on only one VLAN on the WLAN
Switch; this VLAN cannot be VLAN 1.

Only one port in the VLAN can be connected to the modem or uplink switch.

At least one interface in the VLAN must be in the up state before the
DHCP/PPPoE client requests an IP address from the server.

Only one VLAN on the WLAN Switch can obtain its IP address through DHCP
or PPPoE. You cannot enable both the DHCP and PPPoE client on the WLAN
Switch at the same time.

Enabling the DHCP Client
The DHCP server assigns an IP address for a specified amount of time called a
lease. The WLAN Switch automatically renews the lease before it expires. When
you shut down the VLAN, the DHCP lease is released.

Using the WebUI to Enable DHCP on a VLAN:
1.

Navigate to the Configuration > Network > IP > IP Interfaces page.

Click Edit for a previously-created VLAN.

Select Obtain an IP address from DHCP.

Click Apply.

Using the CLI to Enable DHCP on a VLAN:

vlan

AOS-W 3.1
User Guide

Configuring Network Parameters
Chapter 3

interface vlan
ip address dhcp-client

Enabling the PPPoE Client
To authenticate to the BRAS and request a dynamic IP address, the WLAN Switch
must have the following configured:

PPPoE user name and password to connect to the DSL network

PPPoE service name — either an ISP name or a class of service configured on
the PPPoE server

When you shut down the VLAN, the PPPoE session terminates.

Using the WebUI to Enable the PPPoE Client on a VLAN:
1.

Navigate to the Configuration > Network > IP > IP Interfaces page.

Click Edit for a previously-created VLAN.

Select Obtain an IP address with PPPoE.

Enter the service name, username, and password for the PPPoE session.

Click Apply.

Using the CLI to Enable the PPPoE Client on a VLAN:

ip pppoe-service-name
ip pppoe-username
ip pppoe-password
vlan
interface vlan
ip address pppoe

Default Gateway from DHCP/PPPoE
You can specify that the router IP address obtained from the DHCP or PPPoE
server be used as the default gateway for the WLAN Switch.

Using the WebUI to Set a Default Gateway from DHCP/PPPoE:

Navigate to the Configuration > Network > IP > IP Routes page.

For Default Gateway, select (Obtain an IP address automatically).

Select Apply.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Network Parameters
Chapter 3

Using the CLI to Set a Default Gateway from DHCP/PPPoE:

ip default-gateway import

DNS/WINS Server from DHPC/PPPoE
The DHCP or PPPoE server can also provide the IP address of a DNS server or
NetBIOS name server, which can be passed to wireless clients through the WLAN
Switch’s internal DHCP server.
For example, the following configures the DHCP server on the Alcatel WLAN
Switch to assign addresses to authenticated employees; the IP address of the
DNS server obtained by the WLAN Switch via DHCP/PPPoE is provided to clients
along with their IP address.

Using the WebUI to Configure the DNS/WINS Server:
1.

Navigate to the Configuration > Network > IP > DHCP Server page.

Select Enable DCHP Server.

Under Pool Configuration, select Add.

For Pool Name, enter employee-pool.

For Default Router, enter 10.1.1.254.

For DNS Servers, select Import from DHCP/PPPoE.

For WINS Servers, select Import from DHCP/PPPoE.

For Network, enter 10.1.1.0 for IP Address and 255.255.255.0 for Netmask.

Click Done.

Using the CLI to Configure the DNS/WINS Server:

ip dhcp pool employee-pool
default-router 10.1.1.254
dns-server import
netbios-name-server import
network 10.1.1.0 255.255.255.0

Source NAT to Dynamic VLAN Address
When a VLAN interface obtains an IP address through DHCP or PPPoE, a NAT
pool (dynamic-srcnat) and a session ACL (dynamic-session-acl) are automatically
created which reference the dynamically-assigned IP addresses. This allows you
to configure policies that map private local addresses to the public address(es)
provided to the DHCP or PPPoE client. Whenever the IP address on the VLAN
changes, the dynamic NAT pool address also changes to match the new address.

AOS-W 3.1
User Guide

Configuring Network Parameters
Chapter 3

For example, the following rules for a guest policy deny traffic to internal network
addresses. Traffic to other (external) destinations are source NATed to the
IP address of the DHCP/PPPoE client on the WLAN Switch.

Using the WebUI to Configure Source NAT to the Dynamic VLAN:
1.

Navigate to the Configuration > Security > Access Control > Policies page.
Click Add to add the policy guest.

To add a rule, click Add.

For Source, select any.

For Destination, select network and enter 10.1.0.0 for Host IP and
255.255.0.0 for Mask.

For Service, select any.

For Action, select reject.

Click Add.

To add another rule, click Add.
A.

Leave Source, Destination, and Service as any.

For Action, select src-nat.

For NAT Pool, select dynamic-srcnat.

Click Add.

Click Apply.

Using the CLI to Configure Source NAT to the Dynamic VLAN:

ip access-list session guest
any network 10.1.0.0 255.255.0.0 any deny
any any any src-nat pool dynamic-srcnat

Configuring Source NAT for VLAN Interfaces
The example configuration in the previous section illustrates how to configure
source NAT using a policy that is applied to a user role. You can also enable
source NAT for a VLAN interface to cause NAT to be performed on the source
address for all traffic that exits the VLAN.
Packets that exit the VLAN are given a source IP address of the “outside”
interface, which is determined by the following:

If you configure “private” IP addresses for the VLAN, the Alcatel WLAN
Switch is assumed to be the default gateway for the subnetwork. Packets
that exit the VLAN are given the IP address of the WLAN Switch for their
source IP address.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Network Parameters
Chapter 3

If the WLAN Switch is forwarding the packets at Layer-3, packets that exit the
VLAN are given the IP address of the next-hop VLAN for their source IP
address.

Example Configuration
In the following example, the Alcatel WLAN Switch operates within an enterprise
network. VLAN 1 is the outside VLAN. Traffic from VLAN 6 is source NATed using
the IP address of the WLAN Switch. In this example, the IP address assigned to
VLAN 1 is used as the WLAN Switch’s IP address; thus traffic from VLAN 6 would
be source NATed to 66.1.131.5.

PRIVATE IP ADDRESSES:
192.168.2.1/24
VLAN 6

PUBLIC IP ADDRESSES:
66.1.131.5/24

VLAN 1

INSIDE

FIGURE 3-8

OUTSIDE

Example: Source NAT using WLAN Switch IP Address

Using the WebUI to Configure the Source NAT for a VLAN Interface:
1.

Navigate to the Configuration > Network > VLANs page. Click Add to
configure VLAN 6 (VLAN 1 is configured through the Initial Setup).
A.

Enter 6 for the VLAN ID.

Click Apply.

Navigate to the Configuration > Network > IP > IP Interfaces page.

Click Edit for VLAN 6:

Select Use the following IP address.

Enter 192.168.2.1 for the IP Address and 255.255.255.0 for the Net
Mask.

Select the Enable source NAT for this VLAN checkbox.

Click Apply.

Using the CLI to Configure the Source NAT for a VLAN Interface:

interface vlan 1
ip address 66.1.131.5 255.255.255.0

AOS-W 3.1
User Guide

Configuring Network Parameters
Chapter 3

interface vlan 6
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip default-gateway 66.1.131.1

Configuring Static Routes
To configure a static route (such as a default route) on the WLAN Switch, do the
following:

Using the WebUI to Configure a Static Route:
1.

Navigate to the Configuration > Network > IP > IP Routes page.

Click Add to add a static route to a destination network or host. Enter the
destination IP address and network mask (255.255.255.255 for a host route)
and the next hop IP address.

Click Done to add the entry.
NOTE:

The route has not yet been added to the routing table.

Click Apply to add this route to the routing table. The message

Configuration Updated Successfully confirms that the route has been
added.

Using the CLI to Configure a Static Route:

ip route

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Network Parameters
Chapter 3

Configuring the Loopback IP Address
The loopback IP address is a logical IP interface that is used by the WLAN Switch
to communicate with APs. If you do not configure a loopback address for the
WLAN Switch, the IP address of the lowest-numbered VLAN interface (typically
VLAN 1) is used as the WLAN Switch’s IP address.
The loopback address is used as the WLAN Switch’s IP address for terminating
VPN and GRE tunnels, originating requests to RADIUS servers, and accepting
administrative communications. You configure the loopback address as a host
address with a 32-bit netmask. The loopback address is not bound to any specific
interface and is operational at all times. To make use of this interface, ensure that
the IP address is reachable through one of the VLAN interfaces. It should be
routable from all external networks.
You can modify or delete the IP address of the loopback interface on the WLAN
Switch. However, you cannot delete the loopback address if there is no IP
address configured for the VLAN 1 interface. If you delete the loopback address
when there is no IP address configured for the VLAN 1 interface, you are
prompted for a new IP address for the VLAN 1 interface. You also cannot delete
the IP address for the VLAN 1 interface if there is no loopback address
configured; you will be prompted for a new loopback address.
NOTE:

Any change in the WLAN Switch’s IP address requires a reboot.

Using the WebUI to Configure the Loopback IP Address:
1.

Navigate to the Configuration > Network > Switch > System Settings page
on the WebUI.

Modify the loopback IP address in the Loopback Interface section on this
page as required. Click Apply to apply this configuration.
CAUTION:

If you are using the loopback IP address to access the
WebUI, changing the loopback IP address will result in
loss of connectivity. Alcatel recommends that you use one
of the VLAN interface IP addresses to access the WebUI.

Navigate to the Maintenance > Switch > Reboot Switch page to reboot the
WLAN Switch to apply the change of loopback IP address.

Click Continue to save the configuration.

AOS-W 3.1
User Guide

Configuring Network Parameters
Chapter 3

When prompted that the changes were written successfully to flash, click
OK.

The WLAN Switch boots up with the changed loopback IP address.

Using the CLI to Configure the Loopback IP Address:

interface loopback ip address
write memory
Using the WebUI to reboot the WLAN Switch:
1.

Navigate to the Maintenance > Switch > Reboot Switch page.

Click Continue.

After saving the current configuration, the WLAN Switch begins a countdown
before rebooting.

Using the CLI to reboot the WLAN Switch:
Enter the following command in Enable mode:

reload

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan

RF Plan is a wireless deployment modeling tool that enables you to design an
efficient Wireless Local Area Network (WLAN) for your corporate environment,
optimizing coverage and performance, and eliminating complicated WLAN
network setup.
This chapter describes the following topics:

“Overview” on page 74

“Before You Begin” on page 75

“Using RF Plan” on page 76

“RF Plan Example” on page 103

NOTE:

A Java-based version of the RF Plan tool allows you to input the serial
number or MAC address of each AP. For information about using the
Java-based RF Plan tool, see the RF Plan Installation and User Guide.

AOS-W 3.1
User Guide

RF Plan
Chapter 4

Overview
RF Plan provides the following critical functionality:

Defines WLAN coverage.

Defines WLAN environment security coverage.

Assesses equipment requirements.

Optimizes radio resources.

RF Plan provides a view of each floor, allowing you to specify how Wi-Fi coverage
should be provided. RF Plan then provides coverage maps and AP and AM
placement locations.
Unlike other static site survey tools that require administrators to have intricate
knowledge of building materials and other potential radio frequency (RF) hazards,
RF Plan calibrates coverage in real-time through a sophisticated RF calibration
algorithm. This real-time calibration lets you characterize the indoor propagation
of RF signals to determine the best channel and transmission power settings for
each AP. You can program the calibration to occur automatically or you can
manually launch the calibration at any time to quickly adapt to changes in the
wireless environment.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

Before You Begin
Before you use RF Plan, review the following steps to create a building model and
plan the WLAN for the model.

Task Overview
1.

Gather information about your building’s dimensions and floor plan.

Determine the level of coverage you want for your APs and AMs.

Create a new building and add its dimensions.

Enter the parameters of your AP coverage.

Enter the parameters of your AM coverage.

Add floors to your building and import the floor plans.

Define special areas.

Generate suggested AP and AM tables by executing the AP/AM Plan
features.

Planning Requirements
You should collect the following information before using RF Plan. Having this
information readily available will expedite your planning efforts.

Building dimensions

Number of floors

Distance between floors

Number of users and number of users per AP

Radio type(s)

Overlap Factor

Desired data rates for APs

Desired monitoring rates for AMs

Areas of your building(s) that you do not necessarily want coverage

Areas of your building(s) where you do not want or cannot deploy an AP or
AM

Any area where you want to deploy a fixed AP or AM

AOS-W 3.1
User Guide

RF Plan
Chapter 4

Use the following worksheets to collect your information:

Building Dimensions
Height:

Width:

Number of Floors:

User Information
Number of Users:

Users per AP:

Radio Types:
Overlap Factor:

AP Desired Rates
802.11b|g:

802.11a:

AM Desired Rates
802.11b|g:

802.11a:

Don’t Care/Don’t Deploy Areas

Using RF Plan
This section describes how to use RF Plan and how to enter information in RF
Plan pages.
To start RF Plan from the WebUI, click the Plan tab in the WebUI menu bar. When
you start RF Plan, the browser window shows the Campus List page.

Campus List Page
The Campus List is the first page you see when you start RF Plan. This list
contains a default campus and any campus you have defined using the RF Plan
software.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

You may add, edit, and delete campuses using this page. You may also import and
export campus information. This page includes the following buttons:

Campus List Buttons

Description

New Campus

Use this button to create a new campus.

Browse Campus

Use this button to edit existing campuses in the
campus list. To edit a campus, select the checkbox
next to the campus name, then click Browse
Campus. When you edit a campus, you can access
other RF Plan pages.

Rename Campus

Use this button to rename an existing campus in the
list. To rename a campus, select the checkbox next to
the campus name, then click Rename Campus.
A dialog box appears into which you enter the new
name of the campus. Click OK to accept the new
name, or click Cancel to exit this action.

Delete Campuses

Use this button to delete existing campuses in the list.
To delete a campus, select the checkbox next to the
building ID, then click Delete Campuses.
You can only delete empty campuses. If you attempt
to delete a campus that contains one or more
buildings, an error message appears.

Export

Use this button to export a database file with all the
specifications and background images of one or more
selected campuses in the list. See “Exporting and
Importing Files” on page 98.

AOS-W 3.1
User Guide

RF Plan
Chapter 4

Campus List Buttons

Description

Import

Use this button to import database files that define
campuses into the RF Plan list. See “Exporting and
Importing Files” on page 98.

AP FQLN Mapper

In RF Plan, the AP name can be a fully-qualified
location name (FQLN) in the format
APname.floor.building.campus (the APname portion
of the FQLN must be unique).
You can manually set the FQLN for the AP by clicking
the AP FQLN Mapper button. Setting the FQLN
reboots the APs. See “FQLN Mapper” on page 100.

Building List Page
When you edit a campus, the building list page appears.

You may add, edit, and delete buildings using this page. You may also import and
export building information. This page includes the following buttons:

Building List Buttons

Description

New Building

Use this button to create a new building. When you
add or edit a building, you can access other RF Plan
pages.

Edit Building

Use this button to edit existing buildings in the
building list. To edit a building, select the checkbox
next to the building ID, then click Edit Building. When
you add or edit a building, you can access other RF
Plan pages.

Delete Buildings

Use this button to delete existing buildings in the
building list. To delete a building, select the checkbox
next to the building ID, then click Delete Building.

Export

Use this button to export a database file with all the
specifications and background images of one or more
selected buildings in the building list. See “Exporting
and Importing Files” on page 98.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

Building List Buttons

Description

Import

Use this button to import database files that define
buildings into the RF Plan building list. See “Exporting
and Importing Files” on page 98.

Locate

Use this button to locate Wi-Fi devices in a building.
See “Locate” on page 100.

AP FQLN Mapper

Building Specifications Overview Page
The Building Specification Overview page shows the default values for a building
that you are adding or the current values for a building that you are modifying.

The Overview page includes the following:

Building Dimensions: Your building’s name and dimensions

Access Point Modeling Parameters

Air Monitor Modeling Parameters

Building Dimension button (in the upper right-hand portion of the page). Click
on this button to edit the building dimensions settings.

AOS-W 3.1
User Guide

RF Plan
Chapter 4

When you create or edit information for a building, there are several ways you can
navigate through RF Plan pages:

The navigation pane on the left side of the browser window displays RF Plan
pages in the order in which they should be accessed when you are creating a
new building. If you are editing a building, simply click on the page you want
to display or modify.

A button for the next page appears in the upper right-hand portion of the
page. You can click on this button to display the next page. For example, the
Building Dimension button appears in the Building Specifications Overview
page.

Clicking Apply on editable pages sequences you to the next page. For
example, when you click Apply in the Building Dimensions page, the AP
Modeling Parameters page displays.

Building Dimension Page
The Building Dimension page allows you to specify the name and identification for
the building and its dimensions.

Enter the following information:

Parameter

Description

Campus Name

Select a campus for this building from the drop-down
menu.

Building Name

The Building Name is an alphanumeric string up to 64
characters in length.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

Parameter

Description

Width and Length

Enter the rectangular exterior dimensions of the building.
The valid range for this field is any integer from 1 to a value
corresponding to 1x10,000.
If your building has an
irregular shape, the
width and length
should represent the
maximum width and
length of the overall
footprint of the
building as seen from
above. For example:
When width and
length are specified,
RF Plan creates a
rectangular area in
the Planning feature
pages that represent the overall area covered by the
building. You need to import an appropriate background
image (see “Floor Editor Dialog Box” on page 89.) to aid you
in defining areas that do not require coverage or areas in
which you do not wish to deploy APs and AMs (see “Area
Editor Dialog Box” on page 91).

Inter-Floor Height

This is the distance between floor surfaces in the building.
The valid range for this field is any integer from 1 to a value
corresponding to 1x10,000.
RF Plan uses the inter-floor height to allow APs on one floor
to service users on adjacent floors. If you do not want RF
Plan to factor adjacent floors, select a high inter-floor height
value (for example, 300).
NOTE:

This is not the distance from floor to ceiling. Some
buildings have a large space between the interior
ceilings and the floor above.

AOS-W 3.1
User Guide

RF Plan
Chapter 4

Parameter

Description

Floors

Enter the number of floors in your building here.
The valid range for this field is any integer from 1 to 255. A
building can have a maximum of 255 floors.
You can also configure negative floor IDs. Negative floor IDs
let you allocate floors as sub floors, ground floors,
basements or other underground floors, or floors where you
do not need to deploy APs.
NOTE:

In concert, RF Plan 2.0, MMS 2.0, and AOS-W 3.1
or later support the concept of negative floor IDs. If
your WLAN Switch is running AOS-W 2.5 or earlier,
or you are running RF Plan 1.0.x or MMS 1.0.x, you
cannot configure negative floor IDs.

You specify a negative integer when modifying an existing
floor; you do not configure negative floor settings when
adding a building or adding a floor. For more information,
see “Level” on page 89.
Unit

Specify the unit of measurement for the dimensions you
specified on the page. The choices are feet and meters.

AP Modeling Parameters Page
The AP Modeling Parameters page allows you to specify the information
necessary for RF Plan to determine the appropriate placement of your APs. These
settings are on a per-building basis. If you have a mix of APs, choose the most
common one to define the building parameters.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

Controls on this page allow you to select or control the following functions,
which are described in further detail in this section:.
Parameter

Description

Radio Type

Use this pull-down menu to specify the radio type. See
“Radio Type”.

AP Type

Use this drop box to select the Alcatel AP model. The drop
box lists all of the supported AP types.

Design Model

Use the Coverage, Capacity, and Custom radio buttons to
specify a design model to use in the placement of APs. See
“Design Model”.

Overlap Factor

Use this field and pull-down to specify an overlap factor.
See “Overlap Factor”.

Users

Use this field to specify the number of users on your WLAN.
See “Users”.

Rates

Use this pull-down to specify the data rates desired on APs.
See “Rates”

APs

Use this field to enter the fixed number of APs to be used in
this building’s network (Custom model only).

Radio Type
Specify the radio type(s) of your APs using the pull-down Radio Type menu on the
Modeling Parameters page. Available Radio Type choices are:
Parameter

Description

801.11a

5GHz, Orthogonal Frequency Division Multiplexing (OFDM)
with data rates up to 54Mbps.

802.11b

2.4GHz, Direct Spread Spectrum (DSSS) multiplexing with
data rates up to 11Mbps.

802.11g

2.4GHZ, OFDM/CCK (Complementary Code Keying) with
data rates up to 54Mbps.

AOS-W 3.1
User Guide

RF Plan
Chapter 4

Design Model
Three radio buttons on the page allow you to control the kind of model used to
determine the number and type of APs:
Radio
Button
Coverage

Description
Use this option to let RF Plan automatically determine the number
of APs based on desired data rates and the configuration of your
building.
The higher the data rate, the smaller the coverage area, and the
more APs that are required. Coverage is the most common type of
installation.

Capacity

Use this option to let RF Plan determine the number of APs based
on the total number of users, ratio of users to APs, and desired
data rates.
Capacity-based coverage is useful for high capacity conference or
training rooms, where the APs could have a high volume of users.

Custom

Use this option to specify a fixed number of APs.
Custom coverage is useful for deployments with a known number
of APs or if you have a fixed project budget.

The desired rate is selectable from 1 to 54 Mbps in both the Coverage and
Capacity models.

Overlap Factor
The Overlap Factor is the amount of signal area overlap when the APs are
operating. Overlap is important if an AP fails as it allows the network to self-heal
with adjacent APs powering up to assume some of the load from the failed
device. Although there may be no holes in coverage in this scenario, there is likely
to be a loss of throughput. Increasing the overlap allows for higher throughputs
when an AP has failed and allows for future capacity as the number of users
increases.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

You can select a pre-determined value from the pull-down overlap menu or
specify a value in the text box to the left of the pull-down. The following table
describes the available options.
Overlap
Factor

Description

100%
Low

Use this option for buildings that contain open spaces such as
warehouses.

150%
Medium

Use this option for most typical office environments with cubicles
and sheetrock walls that have higher WLAN user density than
warehouses.

200%
High

Use this option for dense deployments such as buildings with poor
RF coverage characteristics including buildings with thick brick or
concrete walls, lots of metal, or excess RF noise (for example, data
centers).

Custom

Use this option to enter a custom rate. For most office spaces,
120% works well.
When specifying the custom rate, the valid range is 1% to 1000%.

Users
NOTE:

The Users text boxes are active only when the Capacity model is
selected.

Enter the number of users you expect to have on your WLAN in the Users text
box. Enter the number of users per AP you expect in the Users/AP text box.
The numbers entered in the these two text boxes must be non-zero integers
between 1-255 inclusive.

Rates
Select the desired data rates from the pull-down menus for 802.11b/g and
802.11a.
High data transmission rates require an increased number of AP to be placed in
your building. You should carefully evaluate your users’ data rate needs.

AM Modeling Page
The AM Modeling page allows you to specify the information necessary for RF
Plan to determine the appropriate placement of your AMs.
NOTE:

AM coverage rates refer to the rate at which an AM captures packets. RF
Plan uses that information to determine the placement of AMs.

AOS-W 3.1
User Guide

RF Plan
Chapter 4

Controls on this page allow you to select the following functions, which are
described in more detail in this section:
Radio Button

Description

Design Model

Use these radio buttons to specify a design model to use in the
placement of AMs. See “Design Models”.

Monitor Rates

Use this pull-down menu to specify the desired monitor rate for
the AMs. See “Monitor Rates”.

AMs

Use this field to manually specify the number of AMs to deploy
(Custom Model only).

Design Models
Two radio buttons on the page allow you to specify the model used to determine
the number and type of APs.
Radio
Button

Description

Coverage

Use this option to let RF Plan automatically determine the number
of AMs based on desired monitor rates and the configuration of
the building.
Desired rate is selectable from 1 to 54 Mbps in the Coverage
model.

Custom

NOTE:

Use this option to specify a fixed number of AMs. When the AM
Plan portion of RF Plan is executed, RF Plan distributes the AMs
evenly.

The monitor rates you select for the AMs should be less than the data
rates you selected for the APs. If you set the rate for the AMs at a value
equal to that specified for the corresponding PHY type AP, RF Plan
allocates one AM per AP. If you specify a monitor rate greater than the
data rate, RF Plan allocates more than one AM per AP.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

Monitor Rates
Use the drop down menus to select the desired monitor rates for 802.11b/g and
802.11a AMs.
NOTE:

This option is available only when the coverage design model is selected.

Planning Floors Pages
The Planning Floors page enables you to see the footprint of your floors.

You can select or adjust the following features, which are described in more detail
in this section:
Feature

Description

Zoom

Use this pull-down menu or type a zoom factor in the
text field to increase or decrease the size of the
displayed floor area. See “Zoom”.

Approximate Coverage
Map (select radio type)

Use this pull-down to select a particular radio type for
which to show estimated coverage. See “Coverage”.

Coverage Rate

Use this pull-down to modify the coverage areas
based on a different data rate. If a map type has not
been selected, this option is not applicable (N/A). See
“Coverage Rate”.

AOS-W 3.1
User Guide

RF Plan
Chapter 4

Feature

Description

Channel

Use this pull-down to select a channel value to apply
to the selected map.
NOTE:

The country code configured on your WLAN
Switch determines the available channel
options.

If a map type has not been selected, this option is not
applicable (N/A). See “Channel”
Edit Floor

Click on this link to launch the Floor Editor dialog box.
See “Floor Editor Dialog Box” on page 89.

New in Areas section

Click on this link to launch the Area Editor dialog box.
See “Area Editor Dialog Box” on page 91.

New in Suggested
Access Points and Air
Monitors section

Click on this link to launch the Suggested Access
Point Editor dialog box. See “Access Point Editor Page”
on page 92.

Zoom
The Zoom control sets the viewing size of the floor image. It is adjustable in finite
views from 10% to 1000%. You may select a value from the pull-down zoom
menu or specify a value in the text box to the left of the pull-down. When you
specify a value, RF Plan adjusts the values in the pull-down to display a set of
values both above and below the value you typed in the text box.

Coverage
Select a radio type from the Coverage pull-down menu to view the approximate
coverage area for each of the APs that RF Plan has deployed in AP Plan or AM
Plan. Adjusting the Coverage values help you to understand how the AP coverage
works in your building.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

NOTE:

You will not see coverage areas displayed here until you have executed
either an AP Plan or an AM Plan.

Coverage Rate
Adjusting the coverage rate also affects the size of the coverage areas for AMs.
Adjusting the rate values help you to understand how the coverage works in your
proposed building.

Channel
Select a channel from the Channel pull-down menu for transmitting and receiving
electromagnetic signals. Changing the country code causes the valid channel lists
to be reset to the defaults for that country.

Floor Editor Dialog Box
The Floor Editor dialog box allows you to modify the floor level, specify the
background image, and name the floor. The Floor Editor is accessible from the
Floors Page by clicking on the Edit Floor link.

Level
When modifying an existing floor, you can configure it with a negative integer to
specify a basement or some other underground floor that you do not need or
want to deploy APs.

AOS-W 3.1
User Guide

RF Plan
Chapter 4

NOTE:

In concert, RF Plan 2.0, MMS 2.0, and AOS-W 3.1 or later support the
concept of negative floor IDs. If your WLAN Switch is running AOS-W 2.5
or earlier, or you are running RF Plan 1.0.x or MMS 1.0.x, you cannot
configure negative floor IDs.

To configure a negative floor, specify a negative integer in the Level field. The valid
range is -100 to 255; however, a building can have a maximum of 255 floors.

Naming
You may name the floor anything you choose as long as the name is an
alphanumeric string with a maximum length of 64 characters. The name you
specify appears to the right of the Floor Number displayed above the background
image in the Planning view.

Background Images
You can import a background image (floor plan image) into RF Plan for each floor.
A background image is extremely helpful when specifying areas where coverage
is not desired or areas where an AP/AM is not to be physically deployed.
Use the guidelines in this section when importing background images. By
becoming familiar with these guidelines, you can ensure that your graphic file is
edited properly for pre- and post-deployment planning.

Edit the image—Use an appropriate graphics editor to edit the file as needed.

Scale the image—If the image is not scaled, proportional triangulation and
heat map displays can be incorrect when the plan is deployed.

Calculate image dimensions—Calculate the image pixels per feet (or meters)
against a known dimension. Use that value to calculate the width and length
of the image.

Leave a border around the image—When creating the image, leave a boarder
around the image to help triangulate Wi-Fi devices outside of the building.

Multiple floors—If your building has multiple floors, make sure there is a
common anchor point for all floors; for example an elevator shaft, a staircase,
and so on.

Larger dimensions—Use larger dimensions only for scaling to more accurately
calculate the full dimensions. For best results, final floor images 2048 X 2048
and smaller perform best.

Select a background image using the Browse button on the Floor Editor dialog
box.

File Type and Size
Background images must be JPEG format and may not exceed 2048 X 2048
pixels in size. Attempting to import a file with a larger pixel footprint than that
specified here results in the image not scaling to fit the image area in the floor
display area.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

NOTE:

Because background images for your floors are embedded in the
XML file that defines your building, you should strongly consider
minimizing the file size of the JPEGs that you use for your
backgrounds. You can minimize the file size by selecting the
maximum compression (lowest quality) in most graphics programs.

Image Scaling
Images are scaled (stretched) to fit the display area. The display area aspect
ratio is determined by the building dimensions specified on the Dimension
page.

Area Editor Dialog Box
The Area Editor dialog box allows you to specify areas on your buildings floors
where you either do not care about coverage, or where you do not want to place
an AP or AM.
Open the Area Editor dialog box by clicking New in the Areas section.
You specify these areas by placing them on top of the background image using
the Area Editor.

Naming
You may name an area using an alphanumeric string of characters with a
maximum length of 64 characters. You should give areas some meaningful name
so that they are easily identified.

Locating and Sizing
You may specify absolute coordinates for the lower left corner and upper right
corner of the box that represents the area you are defining. The datum for
measurement is the lower left corner of the rectangular display area that
represents your building’s footprint. The coordinates of the upper right-hand
corner of the display area are the absolute (no unit of measure) values of the
dimensions you gave your building when you defined it with the dimension
feature.
NOTE:

The location is zero-based. Values range from 0 to (height - 1 and width 1). For example: If you defined your building to be 200 feet wide and 400
feet long, the coordinates of the upper right-hand corner would be (199,
399).

AOS-W 3.1
User Guide

RF Plan
Chapter 4

You may also use the drag and drop feature of the Area Editor to drag your area to
where you want it and resize it by dragging one or more of the handles displayed
in the corners of the area.
Don’t Care areas are displayed as orange rectangles and Don’t Deploy areas are
displayed as yellow

Access Point Editor Page
The Access Point Editor allows you to manually create or modify a suggested AP.
To create an AP, open the Access Point Editor dialog box by clicking New in the
Suggested Access Points and Air Monitors section.
To modify an existing AP, place the cursor over the AP and click it to display the
Suggested Access Point Editor dialog box.

Naming
RF Plan automatically names APs using the default convention ap number, where
number starts at 1 and increments by one for each new AP. When you manually
create an AP, the new AP is assigned the next number and is added to the bottom
of the suggested AP list.
You may name an AP anything you wish. The name must consist of alphanumeric
characters and be 64 characters or less in length.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

Fixed
Fixed APs do not move when RF Plan executes the positioning algorithm.
NOTE:

You might typically set a fixed AP when you have a specific room, such
as a conference room, in which you want saturated coverage. You might
also want to consider using a fixed AP when you have an area that has
an unusually high user density.

Choose Yes or No from the drop-down menu. Choosing Yes locks the position of
the AP as it is shown in the coordinate boxes of the Access Editor. Choosing No
allows RF Plan to move the AP as necessary to achieve best performance.

Radio Types
The Radio drop-down menu allows you to specify what radio mode the AP uses.
You can choose from one of the following:

802.11a/b/g

802.11a

802.1 b/g

X and Y Coordinates
The physical location of the AP is specified by X-Y coordinates that begin at the
lower left corner of the display area. The numbers you specify in the X and Y text
boxes are whole units. The Y-coordinate increases as a point moves up the
display and the X-coordinate increases as they move from left to right across the
display.

802.11 Types
The 802.11 b/g and 802.11a Type drop-down menus allow you to choose the
mode of operation for the AP. You may choose to set the mode of operation to
Access Point or Air Monitor.

AOS-W 3.1
User Guide

RF Plan
Chapter 4

802.11 Channels
The 802.11a and 802.11b/g channel drop-down menus allow you to select from
the available channels.
NOTE:

The available channels vary depending on the regulatory domain (country)
in which the device is being operated.

802.11a channels begin at channel 34 at a frequency of 5.170 MHz and increase
in 20MHz steps through channel 161 at 5.805 Mhz.
802.11b/g channels begin at 1 and are numbered consecutively through 14. The
frequencies begin at 2.412 MHz on channel 1 and increase in 22 MHz steps to
Channel 14 at 2.484 MHz.

802.11 Power Levels
The power level drop-down menus allow you to specify the transmission power
of the AP. Choices are OFF, 0, 1, 2, 3, and 4. A setting of 4 applies the maximum
Effective Isotropic Radiated Power (EIRP) allowed in the regulatory domain
(country) in which you are operating the AP.

Memo
The Memo text field allows you to enter notes regarding the AP. You can enter a
maximum of 256 alphanumeric characters in the Memo field.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

AP Plan Page
The AP Plan page uses the information entered in the modeling pages to locate
APs in the building(s) you described.

Initialize
Initialize the Algorithm by clicking the Initialize button. This makes an initial
placement of the APs and prepares RF Plan for the task of determining the
optimum location for each of the APs. As soon as you click Initialize you see the
AP symbols appear on the floor plan.
Colored circles around the AP symbols on the floor plan indicate the approximate
coverage of the individual AP and the color of the circle represents the channel on
which the AP is operating. The circles appear when you select an approximate
coverage value on one of the Floors pages. You may also click an AP icon and
drag it to manually reposition it.

AOS-W 3.1
User Guide

RF Plan
Chapter 4

Start
Click Start to launch the optimizing algorithm. The AP symbols move on the page
as RF Plan finds the optimum location for each.
The process may take several minutes. You may watch the progress on the status
bar of your browser. The algorithm stops when the movement is less than a
threshold value calculated based on the number of APs. The threshold value may
be seen in the status bar at the bottom of the browser window.

Viewing the Results
The results of optimizing algorithm may be viewed two ways: graphically and in a
table of suggested APs. You may obtain information about a specific AP by
placing the cursor over its symbol. An information box appears that contains
information about the location, radio type, channel, power, and so on.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

The Suggested Access Points and Air Monitors table lists the coordinates, power,
location, power setting, and channel for each of the APs that are shown in the
floor plan.

AM Plan Page
The AM Plan page calculates the optimum placement for the AMs.

Initialize
Initialize the Algorithm by clicking Initialize. This makes an initial placement of the
AMs and prepares RF Plan for the task of determining the optimum location for
each of the AMs. When you click Initialize, the AM symbols appear on the floor
plan.

Start
Click Start to launch the optimizing algorithm. The AM symbols move on the
page as RF Plan finds the optimum location for each.
The process may take several minutes. You may watch the progress on the status
bar of your browser. The algorithm stops when the movement is less than a
threshold value calculated based on the number of AMs. The threshold value may
be seen in the status bar at the bottom of the browser window.

Viewing the Results
Viewing the results of the AM Plan feature is similar to that for the AP Plan
feature.
The results of optimizing algorithm may be viewed two ways: graphically and in a
table of suggested AMs. You may obtain information about a specific AM by
placing the cursor over its symbol. An information box appears that contains
information about the exact location, PHY type, channel, power, and so on.

AOS-W 3.1
User Guide

RF Plan
Chapter 4

The Suggested Access Points and Air Monitors table lists the coordinates, power,
location, power setting, and channel for each of the AMs that are shown in the
floor plan.

Exporting and Importing Files
Both the Campus List page and the Building List page have Export and Import
buttons, which allow you to export and import files that define the parameters of
your campus and buildings. You can export a file so that it may be imported into
and used to automatically configure an Alcatel WLAN Switch. On an Alcatel
WLAN Switch, you can import a file that has been exported from another WLAN
Switch or from the standalone version of RF Plan that runs as a Windows
application.
NOTE:

The WebUI version of RF Plan only supports JPEG file formats for
background images.

The files that you export and import are XML files and, depending on how many
buildings are in your campus, floors are in your buildings, and how many
background images you have for your floors, the XML files may be quite large.
(See “Background Images” on page 90.)

Export Campus
To export a file that defines the parameters of one or more campuses, including all
of its associated buildings, select the campus(es) to be exported in the Campus
List page and then click Export.

AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

After you click the Export button, you are prompted to include the background
images.

When exporting a campus file, Alcatel recommends that you click OK to export
the background images. If you click Cancel, the exported file does not include the
background images. The File Download window appears.
From the File Download window, click Save to save the file. The Save As dialog
box appears. From here, navigate to the location where want to save the file and
enter the name for the exported file. When naming your exported file, be sure to
give the file the .XML file extension, for example, My_Campus.XML.
Exported campus files include detailed information about the campus and the
selected building(s).

Import Campus
You can import only XML files exported from another Alcatel WLAN Switch or
from the standalone version of RF Plan that runs as a Windows application.
NOTE:

Importing any other file, including XML files from other applications, may
result in unpredictable results.

To import a file that defines the building parameters of one or more campuses,
click the Import button in the Campus List page. The Import Buildings page
appears, as described in “Import Buildings Page” on page 100.

Export Buildings Page
To export a file that defines the parameters of one or more buildings, select the
building(s) to be exported in the Building List page and then click Export.
After you click the Export button, you are prompted to include the background
images.

When exporting a building file, Alcatel recommends that you click OK to export
the background images. If you click Cancel, the exported file does not include the
background images. The File Download window appears.

AOS-W 3.1
User Guide

RF Plan
Chapter 4

From the File Download window, click Save to save the file. The Save As dialog
box appears. From here, navigate to the location where want to save the file and
enter the name for the exported file. When naming your exported file, be sure to
give the file the .XML file extension, for example, My_Building.XML.
Exported building files include the name of the campus to which the building
belongs; however, detailed campus parameters are not included.

Import Buildings Page
You can import only XML files exported from another Alcatel WLAN Switch or
from the standalone version of RF Plan that runs as a Windows application.
NOTE:

Importing any other file, including XML files from other applications, may
result in unpredictable results.

To import a file that defines the parameters of one or more buildings, click the
Import button in the Building List page.

In the Import Buildings page, click Browse to select the file to be imported, then
click the Import button.

Locate
The Locate button on the Building List page allows you to search for APs, AMs,
monitored clients, etc. on a building by building basis. To use this feature, select
the building in which you want to search, and click Locate.
The Target Devices table displays information on each of these devices. To add a
device, click Add Device. To delete a device, click Remove Device. To select a device,
click Choose Devices.

FQLN Mapper
Both the Campus List page and the Building List page have the AP FQLN Mapper
button, which allows you to create a fully-qualified location name (FQLN) for the
specified AP/AM in the format APname.Floor.Building.Campus. This format
replaces the AP location ID format used in AOS-W 2.5 and earlier.
NOTE:

If the AP was provisioned with AOS-W 3.1 or later, the FQLN for the AP is
automatically set.

100 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

You can use the FQLN mapper for multiple purposes, including:

Searching for deployed APs/AMs

Configuring the AP name in the form APname.Floor.Building.Campus

Modifying the location of APs

To use this feature, select one or more campuses from the Campus List page, or
one or more buildings from the Building List page, and click AP FQLN Mapper.
The AP FQLN Mapper page appears. From here, you can search for deployed APs
by entering one or more parameters in the Search fields, view the results in the
Search Results table, configure the FQLN, and modify the location of an AP.
To search for deployed APs, enter information in the Search fields and click
Search.

You can perform a search based on one or more of the following AP properties:

Property

Description

AP Name

Logical name of the AP or AM. You can enter a portion of
the name to widen the search.

Wired MAC

MAC address of the AP or AM. You can enter a portion of
the MAC address to widen the search.

IP Address

IP address of the AP or AM. You can enter a portion of
the IP address to widen the search.

FQLN

Fully-qualified location name of the AP, in the form
APname.floor.building.campus. You can enter a portion of
the FQLN to widen the search.

Serial Number

Serial number of the AP. You can enter a portion of the
serial number to widen the search.

Status

Current state of the AP, including Up/Down/Any.

Use the drop-down list to the right of the Number of results per page to specify
the number of APs to display in the search results.

AOS-W 3.1
User Guide

101

RF Plan
Chapter 4

After entering the search criteria, you can either click Reset to clear the entries or
click Search to search for APs. If you click Search, the results are displayed in the
Search Result table, as shown below:

You can view the information in ascending or descending order. By default, the
display is in ascending order, based on the AP name (the white arrow indicates
the row that is being used to sort the information). Left-click on a column head to
view the information in ascending or descending order (you may need to click
multiple times to get the desired display.)
In addition to displaying AP names, wired MAC addresses, serial numbers, IP
addresses, FQLNs, and AP status, the Search Result table also displays the AP
type and when it was last updating.
From here you can modify the attributes that create the FQLN for the selected AP,
using the following drop-down lists:

Campus—Displays the campus where the AP is deployed. To deploy the AP in
a different campus, select a campus form the drop-down list. The Campus
defines the buildings and floors displayed.
NOTE:

Building—Displays the building where the AP is deployed. To deploy the AP in
a different building, select a building from the drop-down list.
NOTE:

This drop-down list only displays the existing campuses that you are
managing. To add a new campus, see “Campus List Page” on
page 76.

This drop-down list only displays the available buildings in the
selected campus. To add a new building, see “Building List Page” on
page 78.

Floor—Displays the floor where the AP is deployed. To deploy the AP on a
different floor, select a floor from the drop-down list.
NOTE:

This drop-down lists only displays the available floors in the selected
building. To add a new floor, see “Planning Floors Pages” on page 87.

To submit your changes, click Set FQLN. Setting the FQLN reboots the APs.

102 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

RF Plan Example
This section guides you through the process of creating a building and populating
it with APs and AMs using RF Plan.
NOTE:

Before you begin, obtain a JPEG file that you can use as a sample
background image. You will use that image when you complete the steps
described in “Add and Edit a Floor” on page 106.

Sample Building
The following planning table shows the information to be used in this example.

Building Dimensions
Height: 100

Width: 100

Number of Floors: 2

User Information
Number of Users:

Users per AP: N/A

Radio Types: a, b, g
Overlap Factor: Medium (150%)

AP Desired Rates
802.11b|g: 48 Mbps

802.11a: 48 Mbps

AM Desired Rates
802.11b|g: 24

802.11a: 24

Don’t Care/Deploy Areas
Shipping & Receiving = Don’t Care
Lobby = Don’t Deploy

AOS-W 3.1
User Guide

103

RF Plan
Chapter 4

Create a Building
In this section you create a building using the information supplied in the planning
table.
1.

In the Campus List, select New Campus. Enter the name My Campus and
click OK.

In the Campus List, select the checkbox next to My Campus, and click
Browse Campus.

Click New Building.
The Overview page appears.

Click Save.
A dialog box appears that indicates the new building was saved successfully.
Click OK to close the dialog box.

Click Building Dimension.
The Specification page appears.

Enter the following information in the text boxes.

Text Box

Information

Campus Name

My Campus
(The name is automatically populated based on
what you entered in step 1.)

Building Name

My Building

Width

100

Length

100

Inter Floor Height

Units

Feet

Floors

104 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

Click Save.
A dialog box appears that indicates the building data was saved successfully.
Click OK to close the dialog box.

Click Apply.
Notice that when you click Apply, RF Plan automatically moves to the next
page in the list. In this case RF Plan moves to the AP Modeling Parameters
page.

Model the Access Points
You now determine how many APs are required to cover your building with a
specified data transfer rate and overlap.
In this example, you use the Coverage Model. The following are assumed about
the performance of the WLAN:

Radio Types: a/b/g

Overlap factor: Medium (150%)

802.11a desired rate: 48 Mbps

802.11b desired rate: 48 Mbps

Select 801.11 a|b|g from the Radio Type drop-down menu.

Select Medium from the Overlap Factor drop-down menu.
Notice that the percentage show at the left of the drop-down menu changes
to 150%.

Select 48 from the 802.11 b|g Desired Rate drop-down menu.

Select 48 from the 801.11 a Desired Rate drop-down menu.
Notice that the number of required APs has changed to 5.

AOS-W 3.1
User Guide

105

RF Plan
Chapter 4

Click Save, then OK.

Click Apply.
RF Plan moves to the AM Modeling Parameters page.

Model the Air Monitors
You now determine how many AMs are required to provide a specified monitoring
rate. In this example you continue to use the Coverage Model and make the
following assumptions:

802.11 b|g monitor rate: 48 Mbps

802.11 a monitor rate: 48 Mbps

Select 24 from the 802.11 b|g Monitor Rate drop-down menu.

Select 24 from the 802.11 a Monitor Rate drop-down menu.
Notice that the number of required AMs is now 2.

Click Save, then OK.

Click Apply.
RF Plan moves to the Planning page.

Add and Edit a Floor
You now add floor plans to your floors. In this section you:

Add a background image floor plan for each floor

Name the floors

NOTE:

The information in this section assumes that you have a JPEG file that
you can use as a sample background image when re-creating the steps.

106 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

To add the background image and name the first floor:
1.

In the Planning page, click the Edit Floor link at the right of the Floor 1
indicator.

Enter Entrance Level in the Name box of the Floor Editor Dialog.

Use the Browse button to locate the background image for the 1st floor.

Click Apply.

To add the background image and name the second floor:
1.

Click the Edit Floor link at the right of the Floor 2 indicator.

Type Second Level in the Name box of the Floor Editor Dialog.

Use the Browse button to locate the background image for the 2nd floor.

Click Apply.

Click Save on the Planning page, then OK.

Defining Areas
Before you advance to the AP and AM Planning pages you want to define special
areas. In this section you define areas where you do not want to physically deploy
an AP, or where you do not care if there is coverage or not.

AOS-W 3.1
User Guide

107

RF Plan
Chapter 4

This step assumes the following:

We do not care if we have coverage in the Shipping and Receiving areas

We do not want to deploy APs or AMs in the Lobby Area

Create a Don’t Care Area
To create a Don’t Care area:
1.

Click on AP Plan in the Feature Tree at the left side of the browser window.
NOTE:

You can zoom in on the floor plan using the Zoom pull-down near the
top of the AP Planning page, or type a zoom value in the text box at
the left of the pull-down and press the enter key on your keyboard.
For example, enter a zoom factor of 400.

In the Planning page, click the New link in the Areas section under Floor 1
(named Entrance Level).
This opens the Area Editor.

Enter Shipping and Receiving in the Name text box in the Area Editor.

Select Don’t Care from the Type pull-down menu box.

Click Apply.
Notice that an orange box appears near the center of the floor plan.

Use your mouse (or other pointing device) to place the cursor over the box.
Notice that the information you typed in the editor appears in the box. You
see the name and type of area, as well as the coordinates of the lower left
corner and upper right corner of the box.
NOTE:

The x = 0 and y = 0 coordinates correspond to the lower left corner of
the layout space.

Using your mouse, left-click and drag the box to the top area of your floor
plan.
In this example, the JPEG file has an area named Shipping and Receiving that
will be used to assist in positioning the Don’t Care box.

To position the Don’t Care box, drag one corner of the box to a corresponding
corner and using one of the corner handles of the box, stretch it to fit.
You can also position the box by entering values in the Left, Bottom, Right,
and Top fields.
NOTE:

108 AOS-W 3.1
User Guide

Whether you stretch the box to fit, or enter values, use the following
dimensions:
Left—11, Bottom—75, Right—90, Top—96

032063-00 Rev A
February 2007

RF Plan
Chapter 4

In this example, the Don’t Care box for Shipping and Receiving has been
stretched to fit exactly over the Shipping and Receiving area as shown:

Click Save, then OK.

Create a Don’t Deploy Area
To create a Don’t Deploy area:
1.

Click the New link in the Areas section under Floor 1 (named Entrance Level)
to open the Area Editor.

Enter Lobby in the Name text box in the Area Editor.

Select Don’t Deploy from the Type pull-down menu box.

Click Apply.
Notice that an yellow box appears near the center of the floor plan.

The x = 0 and y = 0 coordinates correspond to the lower left corner of
the layout space.

Using your mouse, left-click and drag the box to the lower area of your floor
plan.
In this example, the JPEG file has an area named Lobby that will be used to
assist in positioning the Don’t Deploy box.

To position the Don’t Deploy box, drag one corner of the box to a
corresponding corner and using one of the corner handles of the box, stretch
it to fit.

AOS-W 3.1
User Guide

109

RF Plan
Chapter 4

You can also position the box by entering values in the Left, Bottom, Right,
and Top fields.
NOTE:

Whether you stretch the box to fit, or enter values, use the following
dimensions:
Left—39, Bottom—3, Right—60, Top—12

In this example, the Don’t Deploy box for the Lobby has been stretched to fit
exactly over the Lobby area as shown:

Click Save, then OK.

When you are finished defining area in the Floors page, click AP Planning to
advance to the next step in the process (the AP Plan page).

Running the AP Plan
In this section you run the algorithm that searches for the best place to put the
APs.
You might want to zoom in on the floor plan. Zoom using the Zoom pull-down
near the top of the AP Planning page, or type a zoom factor in the text box at the
left of the pull-down and press the enter key on your keyboard.
Try entering a zoom factor of 400.

110 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

RF Plan
Chapter 4

Notice that the number of required APs is 5, the same value that you saw when
you modeled your APs above. Notice also that none of the APs show on the floor
plan yet.
1.

Click Initialize.
You should see a total of five AP symbols appear on the two floor diagrams:
two on Floor 1 and three on Floor 2. Also notice that the Suggested Access
Points tables below each floor diagram have been populated with information
about the suggested APs for each corresponding floor.

Click Start.
After you Initialize the APs you must start the algorithm. The APs move
around on the floor plans as the algorithm is running.
The algorithm stops when the movement is less than a threshold value
calculated based on the number of APs. The threshold value may be seen in
the status bar at the bottom of the browser window.

NOTE:

To see the approximate coverage areas of each of the APs, select an AP
type from the Approx. Coverage pull-down box and select a rate from
the Coverage Rate pull-down box.

Click Save, then OK.

Click AM Planning to advance to the next step in the process (the AM
Planning page).

AOS-W 3.1
User Guide

111

RF Plan
Chapter 4

Running the AM Plan
Running the AM Plan algorithm is similar to running the AP Plan.
1.

Click Initialize then Start.
The algorithm stops when the movement is less than a threshold value
calculated based on the number of AMs. The threshold value may be seen in
the status bar at the bottom of the browser window.

Click Save, then OK.

112 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Volume 3
Configuring APs

AOS-W Version 3.1

114 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Access Points

When an Alcatel AP is powered on, it locates its host WLAN Switch to download
its software and configuration. There are several methods by which APs can
locate the WLAN Switch. Chapter 2, “Deploying a Basic OmniAccess System”
describes how to install and configure the WLAN Switch and ensure that network
resources (for example, a DNS server) are set up so that the deployed APs can
locate their host WLAN Switch.
NOTE:

In a network with a master and local WLAN Switches, an AP will initially
connect to the master WLAN Switch. The AP can be instructed to
download its software and configuration from a local WLAN Switch —
see Chapter 14, “Adding Local WLAN Switches” for more information.

This chapter describes how to configure Alcatel APs on the WLAN Switch. The
APs will download this configuration from the WLAN Switch.
This chapter describes the following topics:

“AP Configuration Overview” on page 116

“Configuring Profiles” on page 121

“Example Configurations” on page 126

“Advanced Configuration Options” on page 135

AOS-W 3.1
User Guide

115

Configuring Access Points
Chapter 5

AP Configuration Overview
You configure APs on the WLAN Switch using either the WebUI or CLI. The AP
configuration can include information for any and all of the following functions:
Wireless LANs

A wireless LAN (WLAN) allows wireless clients to connect
to the network. An AP broadcasts to wireless clients the
SSID that corresponds to a WLAN configured on the WLAN
Switch. (An Alcatel AP can support multiple SSIDs.) The
WLAN configuration includes the authentication method
and authentication servers by which wireless users are
validated for access to the WLAN.

AP operation

An Alcatel AP can function as an air monitor (AM), where it
performs network and radio frequency (RF) monitoring
functions. You can also specify the regulatory domain (the
country) which determines the 802.11 transmission
spectrum in which the AP will operate. Within the regulated
transmission spectrum, you can configure 802.11a or
802.11b/g radio settings.

Quality of Service
(QoS)

You can configure Voice over IP call admission control
options and bandwidth allocation for 802.11a or 802.11b/g
traffic.

RF management

You can configure settings for balancing wireless traffic
across APs, detection of holes in radio coverage, and other
metrics that can indicate interference or potential problems
on the wireless network. Adaptive Radio Management
(ARM) is an RF spectrum management technology that
allows each AP to determine the best 802.11 channel and
transmit power settings; you can enable and configure
various ARM settings.

Intrusion Detection
System (IDS)

You can configure the device to detect and disable rogue
APs, ad-hoc networks, and unauthorized devices, and
prevent attacks on the network. You can also configure
signatures to detect and prevent intrusions and attacks.

AP Names and Groups
In the Alcatel OmniAccess system, each AP has a unique name and belongs to an
AP group.

AP Names
Each Alcatel AP is identified with an automatically-derived name. The default
name depends on whether the AP has been configured with a previous version of
AOS-W, as shown in Table 5-3.
116 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Access Points
Chapter 5

TABLE 5-3

Default AP Names

AP Configuration Status

Default Name

Configured with previous
AOS-W release

Name is in the format building.floor.location

Has not previously been
configured with AOS-W

Name is the AP’s Ethernet MAC address, in
the format xx:xx:xx:xx:xx:xx

You can assign a new name of up to 63 characters to an AP, although the new
name must be unique within your network. For example, you can rename an AP
to reflect its physical location within your network, such as “building3-lobby”.
NOTE:

Renaming an AP requires a reboot of the AP for the new name to take
effect. Therefore, if you need to do this, there should be little or no client
traffic passing through the AP.

In RF Plan or RF Live, the AP name can be part of a fully-qualified location name
(FQLN) in the format APname.floor.building.campus. The APname portion of the
FQLN must be unique.

Using the WebUI to rename an AP:
3.

Navigate to the Configuration > Wireless> AP Installation page. The list of
discovered APs appears in this page.

Select the AP you want to rename, and click Provision.

In the Provisioning page, scroll to the AP list at the bottom of the page and
find the AP you want to rename.

In the AP Name field, enter the new name for the AP, for example,
building3-lobby.
NOTE:

The AP name you enter must be unique within your network.

At the bottom of the page, click Apply and Reboot.

Using the CLI to rename an AP:
NOTE:

You can execute the following enable mode command only on a master
WLAN Switch. Executing the command causes the AP to automatically
reboot.

ap-rename {ap-name |serial-num |wired-mac }

AOS-W 3.1
User Guide

117

Configuring Access Points
Chapter 5

If an AP is recognized by the WLAN Switch but is powered off or not connected
to the network or WLAN Switch when you execute the command, the request is
queued until the AP is powered back on or reconnected.

AP Groups
An AP group is a set of APs to which the same configuration can be applied.
There is an AP group called “default” to which all APs discovered by the WLAN
Switch are assigned. By using the “default” AP group, you can configure features
that are applied globally to all APs at the same time.
You can create additional AP groups to which you assign APs. However, an AP
can belong to only one AP group at a time. For example, you can create an AP
group “Victoria” that consists of the APs that are installed in a company’s
location in British Columbia. You can create another AP group “Toronto” that
consists of the APs in Ontario. You could configure the “Toronto” AP group with
different information than the APs in the “Victoria” AP group.
Figure 5-9 depicts three AP groups.

“DEFAULT” AP GROUP

“VICTORIA” AP GROUP

“TORONTO” AP GROUP

NOTE: AN AP CAN BELONG TO
ONLY ONE AP GROUP AT A TIME.

FIGURE 5-9

AP Groups

While you can use an AP group to apply a feature to a set of APs, you can also
configure a feature or option for a specific AP by referencing the AP name. Any
options or values that you configure for a specific AP override the same options
or values configured for the AP group to which the AP belongs. This is explained
in more detail in a later section.
The following section describes how to create an AP group and, because all
discovered APs initially belong to the “default” AP group, how to reassign an AP
to the newly-created AP group.

118 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Access Points
Chapter 5

NOTE:

Reassigning an AP from an AP group requires a reboot of the AP for the
new group assignment to take effect. Therefore, if you need to do this,
there should be little or no client traffic passing through the AP.

Using the WebUI to create an AP group:
1.

Navigate to the Configuration > Wireless> AP Configuration > AP Group
page.

Click New. Enter the new AP group name and click Add. The new AP group
name appears in the Profile list.

Using the WebUI to assign APs to an AP group:
1.

Navigate to the Configuration > Wireless> AP Installation page. The list of
discovered APs appears in this page. (All discovered APs initially belong to
the “default” AP group.)

Select the AP you want to reassign, and click Provision.

In the Provisioning page, select the AP group from the drop-down menu.

Scroll to the bottom of the page and click Apply and Reboot.

Using the CLI to create an AP group:
Use the following configuration command to create an AP group:

ap-group
When you create an AP group with the CLI, you can specify the virtual AP
definitions and configuration profiles that are applied to the APs in the group.
Enter exit to leave the AP group configuration mode.

Using the CLI to assign an AP to an AP group:
Use the following CLI enable mode command to assign a single AP to an existing
AP group. Use the WebUI to assign multiple APs to an AP group at the same time.
NOTE:

You can execute the following enable mode command only on a master
WLAN Switch. Executing the command causes the AP to automatically
reboot.

ap-regroup {ap-name |serial-num |wired-mac }
If an AP is recognized by the WLAN Switch but is powered off or not connected
to the network or WLAN Switch when you execute the command, the request is
queued until the AP is powered back on or reconnected.

AOS-W 3.1
User Guide

119

Configuring Access Points
Chapter 5

Virtual APs
APs advertise WLANs to wireless clients by sending out beacons and probe
responses that contain the WLAN’s SSID and supported authentication and data
rates. When a wireless client associates to an AP, it sends traffic to the AP’s Basic
Service Set Identifier (BSSID), which is usually the AP’s MAC address.
In the Alcatel OmniAccess system, an AP uses a unique BSSID for each WLAN.
Thus a physical AP can support multiple WLANs. The WLAN configuration applied
to a BSSID on an AP is called a virtual AP. You can configure and apply multiple
virtual APs to an AP group or to an individual AP.
You can configure virtual APs to provide different network access or services to
users on the same physical network. For example, you can configure a WLAN to
provide access to guest users and another WLAN to provide access to employee
users through the same APs. You can also configure a WLAN that offers open
authentication and Captive Portal access with data rates of 1 and 2 Mbps and
another WLAN that requires WPA authentication with data rates of up to 11
Mbps. You can apply both virtual AP configurations to the same AP or AP group,
as shown in Figure 5-10.

VIRTUAL AP
“EMPLOYEE”
SSID WITH
WPA2

VIRTUAL AP
“GUEST”
SSID WITH
OPENSYSTEM
USING CAPTIVE
PORTAL

AUTHENTICATION

FIGURE 5-10

120 AOS-W 3.1
User Guide

Virtual AP Configurations Applied to the Same AP

032063-00 Rev A
February 2007

Configuring Access Points
Chapter 5

Configuring Profiles
In AOS-W, related configuration parameters are grouped into a profile that you
can apply as needed to an AP group or to individual APs. You can apply the
following types of profiles to an AP or AP group:

Wireless LAN profiles configure WLANs in the form of virtual AP profiles. A
virtual AP profile contains an SSID profile which defines the WLAN and an
AAA profile which defines the authentication for the WLAN. Unlike other
profile types, you can configure and apply multiple instances of virtual AP
profiles to an AP group or to an individual AP.

AP profiles configure AP operation parameters, radio settings, port
operations, regulatory domain, and SNMP information.

QoS profiles configure traffic management and VoIP functions.

RF management profiles configure radio tuning and calibration, AP load
balancing, coverage hole detection, and RSSI metrics.

IDS profiles configure IDS functions for APs. There is a top-level IDS profile
that contains other IDS profiles in which you configure detection of denial of
service (DoS) and impersonation attacks, and unauthorized devices on the
wireless network, as well as intrusion signatures.

NOTE:

You can apply multiple virtual AP profiles to an AP group or to an
individual AP; for most other profiles, you can apply only one instance of
the profile to an AP group or AP at a time.

Table 5-4 lists the AP profiles by type that you can configure and apply to an AP
group or to an individual AP. Note that some profiles reference other profiles. For
example, a virtual AP profile references SSID and AAA profiles, while an AAA
profile can reference an 802.1x authentication profile and server group.

TABLE 5-4

AP Profiles

Profile Type

Description

WLAN:
Virtual AP (can be multiple)
SSID

WLAN configuration
SSID configuration

EDCA (station)

Client to AP traffic prioritization

EDCA (AP)

AP to client traffic prioritization

AAA

Initial and default user roles, derivation rules

MAC authentication

MAC address authentication

802.1x authentication

AOS-W 3.1
User Guide

121

Configuring Access Points
Chapter 5

TABLE 5-4

AP Profiles (Continued)

Profile Type
Server group

Description
Authentication/accounting servers

XML API server

External XML API server

RFC 3576 server

RFC 3576 RADIUS server

RF Management:
802.11a radio
ARM
802.11b/g radio
ARM

802.11a radio settings for APs
RF allocation
802.11b/g radio settings for APs
RF allocation

RF optimization

Coverage hole and interference detection

RF event thresholds

Received signal strength indication metrics

AP:
Wired AP

AP 70 second Ethernet port

Ethernet interface 0 link

Duplex/speed of AP’s Ethernet link

Ethernet interface 1 link

Duplex/speed of AP’s Ethernet link

AP system

Administrative options

Regulatory domain

Country code and valid channels

SNMP

SNMP for APs

SNMP user

SNMPv3 users

QoS:
VoIP call admission control

Voice over IP

802.11a traffic management

Bandwidth allocation

802.11b/g traffic management

Bandwidth allocation

IDS:
General

Air monitoring attributes

Signature matching

Intrusion detection signature matching

Signature
Denial of service
Rate thresholds

Predefined or user-defined signatures
Traffic anomalies for DoS attacks
Thresholds for frame types

Impersonation

Anomalies for impersonation attacks

Unauthorized device

Detection of unauthorized devices

122 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Access Points
Chapter 5

Alcatel provides a “default” version of each profile with default values for most
parameters. If you are not using a feature in a profile, you can simply leave the
“default” profile values unchanged. For example, if you are not using any of the
IDS features for an AP group or AP, you do not need to open any of the “default”
IDS profiles.
You can use the “default” version of a profile or create a new instance of a profile
which you can then edit as you need. You can change the values of any parameter
in a profile. You have the flexibility of applying the “default” versions of profiles in
addition to customizing profiles that are necessary for the AP or AP group to
function.
For example, if your wireless network includes a master WLAN Switch in
Edmonton, Alberta and a local WLAN Switch in Toronto, Ontario, you could
segregate the APs into two AP groups: “default” for the APs in Edmonton and
“Toronto” for the APs in Toronto. The primary difference between the APs in
Edmonton and Toronto is the WLAN Switch from which the APs boot: the APs in
Edmonton should boot from the master WLAN Switch, while the APs in Toronto
should boot from the local WLAN Switch. You configure the address of the local
WLAN Switch in the AP system profile. Therefore, you would need to have two
instances of the AP system profile: one for Edmonton and one for Toronto. You
can apply the “default” profiles for other AP profile types to both AP groups, as
shown in Figure 5-11.

AP Profiles

“default” AP Group

“Toronto” AP Group

802.11a

“default”

802.11b/g

“default”

Wired

“default”

Ethernet 0 Link

“default”

Ethernet 1 Link

“default”

AP System

“default”

“Toronto”

Regulatory Domain

“default”

SNMP

“default”

FIGURE 5-11
NOTE:

Applying AP Profiles to AP Groups

Each instance of a profile must have a unique name. In the example
above, there are two different AP system profiles, therefore each
instance should have a unique name.

You can apply the same virtual AP profiles to the AP groups shown in
Figure 5-11. For example, there are users in both Edmonton and Toronto that
access the same “Corpnet” WLAN. Note that if your WLAN requires
authentication to an external server, you may want to have users who associate

AOS-W 3.1
User Guide

123

Configuring Access Points
Chapter 5

with the APs in Toronto authenticate with their local servers. In this case, you can
configure slightly different AAA profiles: one that references authentication
servers in the Edmonton and the other that references servers in Toronto, as
shown in Figure 5-12.

WLAN Profiles

“default” AP Group

Virtual AP

“Toronto” AP Group

“Corpnet-E”

“Corpnet-T”

SSID

“Corpnet”

AAA

“E-Servers”

“T-Servers”

FIGURE 5-12

Applying WLAN Profiles to AP Groups

When you assign a profile to an individual AP, the values in the profile override the
profile assigned to the AP group to which the AP belongs. The exception is the
virtual AP profile — you can apply multiple virtual AP profiles to individual APs, as
well as to AP groups.
You can exclude one or more virtual AP profiles from an individual AP — this
prevents a virtual AP defined at the AP group level from being applied to a specific
AP. For example, you can apply the virtual AP profile that corresponds to the
“Corpnet” SSID to the “default” AP group. If you do not want the “Corpnet” SSID
to be advertised on the AP in the lobby, you can specify that the virtual AP profile
that contains the “Corpnet” SSID configuration be excluded from that AP.

“DEFAULT” AP GROUP
“CORPNET”

VIRTUAL AP
PROFILE APPLIED TO THE AP
GROUP

X
FIGURE 5-13

124 AOS-W 3.1
User Guide

BUT NOT TO THIS

Excluding a Virtual AP Profile from an AP

032063-00 Rev A
February 2007

Configuring Access Points
Chapter 5

Using the WebUI to exclude a virtual AP profile from an AP:
1.

Navigate to the Configuration > Wireless > AP Configuration > AP Specific
page.

Do one of the following:
z

If the AP for which you want to exclude a virtual AP profile appears in the
list, click Edit for the AP.

If the AP does not appear in the list, click New. Either type in the name of
the AP, or select the AP from the drop-down list. Then click Add.

Under the Profiles list, select Wireless LAN, then select Excluded Virtual AP.

Under Profile Details, select the name of the virtual AP profile you want to
exclude from this AP from the drop-down menu, and then click Add. The
profile name appears in the Excluded Virtual APs list. You can add multiple
profile names in the same way.
To remove a profile name from the Excluded Virtual APs list, select the profile
name and click Delete.

Click Apply.

Using the CLI to exclude a virtual AP profile from an AP:

ap-name

AOS-W 3.1
User Guide

125

Configuring Access Points
Chapter 5

Example Configurations
This section shows simple examples of how to configure virtual APs for the
“default” AP group, which includes all APs discovered by the Alcatel WLAN
Switch, and for a specific AP. The example configuration includes the following
WLANs:

An 802.11a/b/g SSID called “Corpnet” that uses WPA2 and is available on all
APs in the network

An 802.11a/b/g SSID called “Guest” that uses open system and is only
available on the AP “building3-lobby” (this AP will support both the “Corpnet”
and “Guest” SSIDs)

Each WLAN requires a different SSID profile that maps into a separate virtual AP
profile. For the SSID “Corpnet”, which will use WPA2, you need to configure an
AAA profile that includes 802.1x authentication and an 802.1x authentication
server group.
Because all APs discovered by the WLAN Switch belong to the AP group called
“default”, you assign the virtual AP profile that contains the SSID profile
“Corpnet” to the “default” AP group. For the “Guest” SSID, you configure a new
virtual AP profile that you assign to the AP named “building3-lobby”.
Table 5-5 describes the profiles that you need to modify or create for these
examples.

126 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Access Points
Chapter 5

TABLE 5-5

Profiles for Example Configuration

AP Group/Name

Virtual AP Profile

SSID Profile

AAA Profile

“default”

“corpnet”

VLAN: 1

SSID: Corpnet

SSID profile:
“corpnet”

WPA2

802.1x authentication
default role: “employee”
802.1x authentication
server group: “corpnet”

AAA profile:
“corpnet”

- Radius1
- Radius2

“building3-lobby”

“guest”

“default-open”

VLAN: 2

SSID: Guest

Deny Time
Range

Open system

(This is a predefined,
read-only AAA profile that
specifies open system
authentication)

SSID profile:
“guest”
AAA profile:
“default-open”

Configuring the Corpnet WLAN
In this WLAN, users are validated against a corporate database on a RADIUS
authentication server before they are allowed access to the network. Once
validated, users are placed into a specified VLAN (VLAN 1 in this example) and
assigned the user role “employee” that permits access to the corporate network.
NOTE:

Alcatel recommends that you assign a unique name to each virtual AP,
SSID, and AAA profile that you modify. In this example, you use the name
“corpnet” to identify each of the profiles.

To configure the Corpnet WLAN, you need to perform the following tasks:
1.

Configure a policy for the user role employee and configure the user role
employee with the specified policy.

Configure RADIUS authentication servers and assign them to the corpnet
802.1x authentication server group.

Configure authentication for the WLAN.
A.

Create the corpnet 802.1x authentication profile.

Create the AAA profile corpnet and specify the previously-configured
employee user role for the 802.1x authentication default role.
AOS-W 3.1
User Guide

127

Configuring Access Points
Chapter 5

C.
4.

Specify the previously-configured corpnet 802.1x authentication server
group.

For the AP group “default”, create and configure the virtual AP corpnet.
A.

Create a new virtual AP profile corpnet.

Select the previously-configured corpnet AAA profile for this virtual AP.

Create a new SSID profile corpnet to configure “Corpnet” for the SSID
name and WPA2 for the authentication.

The following sections describe how to do this using the WebUI and the CLI.

Configure the User Role
In this example, the employee user role allows unrestricted access to network
resources and is granted only to users who have been successfully authenticated
with an external RADIUS server. You can configure a more restrictive user role by
specifying allowed or disallowed source and destination, protocol, and service for
the traffic. For more information about configuring user roles, see Chapter 7,
“Configuring Roles and Policies”.

Using the WebUI to configure the user role:
1.

Navigate to the Configuration > Security > Access Control > Policies page.

Click Add to add a new policy. Enter the name of the policy.
Default settings for a policy rule permit all traffic from any source to any
destination, but you can make a rule more restrictive. You can also configure
multiple rules; the first rule in a policy that matches the traffic is applied. Click
Add to add a rule. When you are done adding rules, click Apply.

Click the User Roles tab. Click Add to add a new user role. Enter the name of
the role. Under Firewall Policies, click Add. In the Choose from Configured
Policies drop-down list, select the policy you previously created. Click Done.

Click Apply.

Using the CLI to configure the user role:

ip access-list session

user-role employee
access-list session

128 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Access Points
Chapter 5

Configure Authentication Servers
This example uses RADIUS servers for the client authentication. You need to
specify the hostname and IP address for each RADIUS server and the shared
secret used to authenticate communication between the server and the WLAN
Switch. After configuring authentication servers, assign them to the corpnet
server group, an ordered list of the servers to be used for 802.1x authentication.
For more information about configuring authentication servers, see Chapter 8,
“Configuring Authentication Servers”.

Using the WebUI to configure authentication servers:
1.

Navigate to the Configuration > Security > Authentication > Servers page.

Select Radius Server to display the Radius Server List.

Enter the name of the server, and click Add. The server name appears in the
list of servers.

Select the server name. Enter the IP address and shared secret for the server.
Select the Mode checkbox to activate the authentication server.

Click Apply to apply the configuration.

Select Server Group on the Servers page.

Enter the name of the group, and click Add. The server group name appears
in the list of server groups.

Select the server group name. Click New to add a server to the group. Under
Server Name, select the server you just configured and click Add.

Click Apply to apply the configuration.

Using the CLI to configure authentication servers:

aaa authentication-server radius Radius1
host
key
enable
aaa server-group corpnet
auth-server Radius1

Configure Authentication
In this example, you create the 802.1x authentication profile corpnet. The AAA
profile configures the authentication for a WLAN. The AAA profile defines the type
of authentication (802.1x in this example), the authentication server group, and
the default user role for authenticated users.

AOS-W 3.1
User Guide

129

Configuring Access Points
Chapter 5

Using the WebUI to configure authentication:
1.

Navigate to the Configuration > Security > Authentication > L2
Authentication page. Select 802.1x Authentication Profile.
A.

In the 802.1x Authentication Profile Instance list, enter corpnet, and click
Add.

Select the corpnet 802.1x authentication profile you just created.

You can configure parameters in the Basic or Advanced tabs. For this
example, you use the default values, so click Apply.

Select the AAA Profiles tab.
A.

In the AAA Profiles Summary list, click Add to create a new profile.

Enter corpnet, then click Add.

Select the corpnet AAA profile you just created.

For 802.1x Authentication Default Role, select the employee role you
previously configured.

Click Apply.

Select the 802.1x Authentication Profile under the corpnet AAA profile.
A.

Select corpnet.

Click Apply.

Select the 802.1x Authentication Server Group under the corpnet AAA profile.
A.

Select the corpnet server group you previously configured.

Click Apply.

Using the CLI to configure authentication:

aaa authentication dot1x corpnet
aaa profile corpnet
authentication-dot1x corpnet
dot1x-default-role employee
dot1x-server-group corpnet

Configure the Virtual AP
In this example, you apply the corpnet virtual AP to the “default” AP group which
consists of all APs.

Using the WebUI to configure the virtual AP:
1.

Navigate to the Configuration > Wireless > AP Configuration > AP Group
page.

130 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Access Points
Chapter 5

Click Edit for the “default” AP group.

Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the “default” virtual AP profile.

Select the “default” SSID profile. Enter anynet for the SSID name. Click Save
As, then enter anynet. Click Apply.
NOTE:

The WebUI prevents you from configuring the same ESSID in more
than one virtual AP for an AP group or name. Whenever you create a
new virtual AP profile, the profile automatically contains the “default”
SSID profile with the default “alcatel-ap” SSID. The step above allows
you to create a new virtual AP that does not have the same ESSID as
the “default” virtual AP profile.

Under Profiles, select Virtual AP to display the Profile Details.
A.

To create a new virtual AP profile, select NEW for Add a profile,.

Enter the profile name corpnet, then click Add.

Click Apply.

Under Profiles, select the corpnet virtual AP profile.
A.

Make sure Virtual AP enable is selected.

Select 1 for the VLAN.

Click Apply.

Under Profiles, select the AAA profile under the corpnet virtual AP profile.
A.

In the Profile Details section, select corpnet for the AAA Profile.

Click Apply.

Under Profiles, select the SSID profile under the corpnet virtual AP profile.
A.

Select NEW from the SSID Profile drop-down menu.

Enter corpnet.

Enter Corpnet for the Network Name.

Under 802.11 Security, select WPA2.

Click Apply.

Using the CLI to configure the virtual AP:

wlan ssid-profile corpnet
essid Corpnet
opmode wpa2-aes
wlan virtual-ap corpnet
vlan 1

AOS-W 3.1
User Guide

131

Configuring Access Points
Chapter 5

aaa-profile corpnet
ssid-profile corpnet
ap-group default
virtual-ap corpnet

Guest WLAN
To configure the Guest WLAN, you need to perform the following tasks:
1.

Configure the VLAN for guest users.

Configure the guest role which only allows HTTP and HTTPS traffic from 9:00
a.m. to 5 p.m. on weekdays.

For the AP named “building3-lobby”, create and configure the virtual AP
profile guest:
A.

Create a new virtual AP profile guest.

Select the predefined AAA profile default-open.

Create a new SSID profile guest to configure “Guest” for the SSID name
and open system for the authentication.

The following sections describe how to do this using the WebUI and the CLI.

Configure the VLAN
In this example, users on the “Corpnet” WLAN are placed into VLAN 1, which is
the default VLAN configured on the WLAN Switch. For guest users, you need to
create another VLAN and assign the VLAN interface an IP address.

Using the WebUI to configure the VLAN:
1.

Navigate to the Configuration > Network > VLANs page.

Click Add to add a VLAN. Enter 2 in the VLAN ID, and click Apply.

To assign an IP address and netmask to the VLAN you just created, navigate
to the Configuration > Network > IP > IP Interfaces page. Click Edit for VLAN
2. Enter an IP address and netmask for the VLAN interface, and then click
Apply.

Using the CLI to configure the VLAN:

vlan 2
interface vlan 2
ip address

132 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Access Points
Chapter 5

Configure the Guest Role
The guest role allows web (HTTP and HTTPS) access only during normal business
hours (9:00 a.m. to 5:00 p.m. Monday through Friday).

Using the WebUI to configure the Guest Role:
1.

Navigate to the Configuration > Security > Access Control > Time Ranges
page.

Click Add. Enter a name, such as “workhours”. Select Periodic. Click Add.
Under Add Periodic Rule, select Weekday. For Start Time, enter 9:00. For End
Time, enter 17:00. Click Done. Click Apply.

Select the Policies tab. Click Add. Enter a policy name, such as “restricted”.
Click Add. Select Service, then select svc-http from the drop-down list. For
Time Range, select the time range you previously configured. Select Add. Add
another rule for svc-https. Click Apply.

Select the User Roles tab. Click Add. Enter guest for Role Name. Under
Firewall Policies, click Add. Select Choose from Configured Policies and
select the policy you previously configured. Click Done.

Click Apply.

Using the CLI to configure the Guest Role:

time-range workhours periodic
weekday 09:00 to 17:00
ip access-list session restricted
any any svc-http permit time-range workhours
any any svc-https permit time-range workhours
user-role guest
session-acl restricted

Configure the Virtual AP
In this example, you apply the guest virtual AP profile to a specific AP.
NOTE:

Alcatel recommends that you assign a unique name to each virtual AP,
SSID, and AAA profile that you modify. In this example, you use the name
guest to identify the virtual AP and SSID profiles.

Using the WebUI to configure the virtual AP:
1.

Navigate to Configuration > Wireless > AP Configuration > AP Specific page.

Click New. Either enter the AP name or select an AP from the list of
discovered APs. Click Add. The AP name appears in the list.

AOS-W 3.1
User Guide

133

Configuring Access Points
Chapter 5

Click Edit for the AP to display the profiles that you can configure for the AP.
NOTE:

Selecting Wireless LAN allows you to exclude certain virtual AP
profiles from being applied to this AP.

Select Virtual AP.
A.

For Add a profile, select NEW.

Enter guest, and click Add.

Click Apply.

Click the guest virtual AP to display profile details.
A.

Make sure Virtual AP Enable is selected.

Select 2 for the VLAN.

Click Apply.

Under Profiles, select the AAA profile under the guest virtual AP profile.
A.

In the Profile Details, select default-open from the AAA Profile
drop-down list.

Click Apply.

Under Profiles, select the SSID profile under the guest virtual AP profile.
A.

Select NEW from the SSID Profile drop-down menu.

Enter guest.

In the Profile Details, enter Guest for the Network Name.

Select None for Network Authentication and Open for Encryption.

Click Apply.

Using the CLI to configure the virtual AP:

wlan ssid-profile guest
opmode opensystem
wlan virtual-ap guest
vap-enable
vlan 2
deny-time-range workhours
ssid-profile guest
aaa-profile default-open
ap-name building3-lobby
virtual-ap guest

134 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Access Points
Chapter 5

Advanced Configuration Options
This section describes advanced options you can configure for APs.

Channel Switch Announcement
When an AP changes its channel, existing wireless clients can time out while
waiting to receive a beacon from the AP and must begin scanning to discover the
new channel on which the AP is operating. If the disruption is long enough, the
client may need to reassociate, reauthenticate, and re-request an IP address.
Channel Switch Announcement (CSA), as defined by IEEE 802.11h, enables an
AP to announce that it is switching to a new channel before it begins transmitting
on that channel. This allows clients that support CSA to transition to the new
channel with minimal downtime. When CSA is enabled, the AP does not change
to a new channel immediately. Instead, it sends a number of beacons (the default
is 4) that contain the CSA announcement before it switches to the new channel.
You can configure the number of announcements sent before the change.
NOTE:

Clients must support CSA in order to track the channel change without
experiencing disruption.

Using the WebUI to configure CSA:
1.

Navigate to the Configuration > Wireless > AP Configuration page.

Select either the AP Group or AP Specific tab. Click Edit for the AP group or
AP name.

In the Profile list, select RF Management.

In the Profiles list, select the 802.11a or 802.11g radio profile.

Select Enable CSA. You can configure a different value for CSA Count.

Click Apply.

Using the CLI to configure CSA:

rf radio-profile
csa
csa-count

AOS-W 3.1
User Guide

135

Configuring Access Points
Chapter 5

136 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Remote APs

The Secure Remote Access Point Service allows users at remote locations that
are equipped with APs to connect to an Alcatel WLAN Switch over the Internet.
Since the Internet is involved, data traffic between the WLAN Switch and the
remote AP is VPN encapsulated, and control traffic between the WLAN Switch
and AP is encrypted. For additional security, you have the choice of encrypting
data as well as control traffic.
This chapter describes the following topics:

“Overview” on page 138

“Configuring the Secure Remote Access Point Service” on page 140

“Deploying a Branch Office/Home Office Solution” on page 146

“Double Encryption” on page 148

NOTE:

The Secure Remote Access Point Service requires that you install one or
more Remote AP licenses in the WLAN Switch on which you terminate
the VPN tunnel that carries traffic from the remote AP. There are several
Remote AP licenses available that support different maximum numbers of
APs. The licenses are cumulative; each additional license installed
increases the maximum number of remote APs supported by the WLAN
Switch.
You must install a Remote AP license on any WLAN Switch that you use
to provision a remote AP. See “Provision the AP” on page 145 for
information.

AOS-W 3.1
User Guide

137

Configuring Remote APs
Chapter 6

Overview
Remote APs connect to a WLAN Switch using Layer-2 Tunneling Protocol and
Internet Protocol Security (L2TP/IPSec). AP control and 802.11 data traffic are
carried through this tunnel. Secure Remote Access Point Service extends the
corporate office to the remote site. Remote users can use the same features as
corporate office users. For example, voice over IP (VoIP) applications can be
extended to remote sites while the servers and the PBX remain secure in the
corporate office.
Secure Remote Access Point Service can also be used to secure control traffic
between an AP and the WLAN Switch in a corporate environment. In this case,
both the AP and WLAN Switch are in the company’s private address space.
The remote AP must be configured with the IPSec VPN tunnel termination point.
Once the VPN tunnel is established, the AP bootstraps and becomes operational.
The tunnel termination point used by the remote AP depends upon the AP
deployment, as shown in the following scenarios:

Deployment Scenario 1: The remote AP and WLAN Switch reside in a private
network which is used to secure AP-to-WLAN Switch communication.
(Alcatel recommends this deployment when AP-to-WLAN Switch
communications on a private network need to be secured.) In this scenario,
the remote AP uses the WLAN Switch’s IP address on the private network to
establish the IPSec VPN tunnel.

INTRANET
CORPORATE NETWORK
WLAN SWITCH’S
IP ADDRESS

FIGURE 6-14

Remote AP with a Private Network

Deployment Scenario 2: The remote AP is on the public network or behind a
NAT device and the WLAN Switch is on the public network. The remote AP
must be configured with the tunnel termination point which must be a
publicly-routable IP address. In this scenario, a routable interface is
configured on the WLAN Switch in the DMZ. The remote AP uses the WLAN
Switch’s IP address on the public network to establish the IPSec VPN tunnel.

138 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Remote APs
Chapter 6

INTERNET
CORPORATE NETWORK
WLAN SWITCH’S
IP ADDRESS

FIGURE 6-15

Remote AP with WLAN Switch on Public Network

Deployment Scenario 3: The remote AP is on the public network or behind a
NAT device and the WLAN Switch is also behind a NAT device. (Alcatel
recommends this deployment for remote access.) The remote AP must be
configured with the tunnel termination point which must be a
publicly-routable IP address. In this scenario, the remote AP uses the public
IP address of the corporate firewall. The firewall forwards traffic to an
existing interface on the WLAN Switch. (The firewall must be configured to
pass NAT-T traffic (UDP port 4500) to the WLAN Switch.)

INTERNET
CORPORATE NETWORK
FIREWALL’S
IP ADDRESS

FIGURE 6-16

Remote AP with WLAN Switch Behind Firewall

In any of the described deployment scenarios, the IPSec VPN tunnel can be
terminated on a local WLAN Switch, with a master WLAN Switch located
elsewhere in the corporate network (Figure 6-17). The remote AP must be able to
communicate with the master WLAN Switch after the IPSec tunnel is established.
Make sure that the L2TP IP pool configured on the local WLAN Switch (from
which the remote AP obtains its address) is reachable in the network by the
master WLAN Switch.

LOCAL WLAN SWITCH

MASTER WLAN SWITCH

INTERNET

CORPORATE NETWORK
FIREWALL’S
IP ADDRESS

FIGURE 6-17

Remote AP in a Multi-WLAN Switch Environment
AOS-W 3.1
User Guide

139

Configuring Remote APs
Chapter 6

Configuring the Secure Remote Access Point
Service
Alcatel Access Points, with the exception of the AP 52 and AP 80, can be
configured for Secure Remote Access Point Service.
Refer to the deployment scenarios described previously. To configure the Secure
Remote Access Point Service:
1.

Configure a public IP address for the WLAN Switch.

NOTE:

You must install one or more Remote AP licenses in the WLAN Switch.
There are several Remote AP licenses available that support different
maximum numbers of APs. The licenses are cumulative; each additional
license installed increases the maximum number of remote APs
supported by the WLAN Switch.

Configure the VPN server on the WLAN Switch. The remote AP will be a VPN
client to the server.

Configure the remote AP role.

Configure the authentication server that will validate the username and
password for the remote AP.

Provision the AP with IPSec settings, including the username and password
for the AP, before you install it at the remote location.

These tasks are described in the following sections.

Configure a Public IP Address for the WLAN
Switch
The remote AP requires an IP address to which it can connect in order to
establish a VPN tunnel to the WLAN Switch. This can be either a routable IP
address that you configure on the WLAN Switch, or the address of an external
router or firewall that forwards traffic to the WLAN Switch.

Configure a Routable IP Address on the WLAN Switch
The following steps describe how to create a DMZ address on the WLAN Switch.

Using the WebUI to create a DMZ address:
1.

Navigate to the Configuration > Network > VLANs page.

Click Add to add a VLAN.

Enter the VLAN ID.

140 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Remote APs
Chapter 6

Select the port that belongs to this VLAN.

Click Apply.

Navigate to the Configuration > Network > IP page.

Click Edit for the VLAN you just created.

Enter the IP Address and Net Mask fields.

Click Apply.

Using the CLI to create a DMZ address:

vlan
interface fastethernet /
switchport access vlan
interface vlan
ip address

Configure the NAT Device
Communication between the AP and secure WLAN Switch uses the UDP 4500
port. When both the WLAN Switch and the AP are behind NAT devices, configure
the AP to use the NAT device’s public address as its master address. On the NAT
device, you must enable NAT-T (UDP port 4500 only) and forward all packets to
the public address of the NAT device on UDP port 4500 to the WLAN Switch to
ensure that the remote AP boots successfully.

Configure the VPN Server
This section describes how to configure the IPSec VPN server on the WLAN
Switch. The remote AP will be a VPN client that connects to the VPN server on
the WLAN Switch.

Using the WebUI to configure VPN server:
1.

Navigate to the Configuration > Advanced Services > VPN Services > IPSec
page.

Select (check) Enable L2TP.

Make sure that only PAP (Password Authentication Protocol) is selected for
Authentication Protocols.

Enter the IP address of the primary DNS server for the remote AP.

To configure the L2TP IP pool, click Add in the Address Pools section.
Configure the L2TP pool from which the APs will be assigned addresses,
then click Done.

AOS-W 3.1
User Guide

141

Configuring Remote APs
Chapter 6

NOTE:

The size of the pool should correspond to the maximum number of
remote APs that the WLAN Switch is licensed to manage.

To configure an Internet Security Association and Key Management Protocol
(ISAKMP) encrypted subnet and preshared key, click Add in the IKE Shared
Secrets section and configure the preshared key. Click Done to return to the
IPSec page.

Click Apply.

For more details, see Chapter 11, “Configuring Virtual Private Networks.”

Using the CLI to configure VPN server:

vpdn group l2tp
ppp authentication PAP
client configuration dns
ip local pool
crypto isakmp key address netmask

Configure the Remote AP User Role
Once the remote AP is authenticated for the VPN and established a IPSec
connection, it is assigned a role. This role is a temporary role assigned to the AP
until it completes the bootstrap process after which it inherits the ap-role. The
appropriate ACLs need to be enabled to permit traffic from the WLAN Switch to
the AP and back to facilitate the bootstrap process.
To configure the user role, you first create a policy that permits the following
traffic:

AP control traffic via the Alcatel PAPI protocol

GRE tunnel traffic

Layer-2 Tunneling Protocol (L2TP) traffic

TFTP traffic from the remote AP to the WLAN Switch

FTP traffic from the remote AP to the WLAN Switch

Then, you create a user role that contains this policy.

Using the WebUI to configure the user role:
1.

Navigate to the Configuration > Security > Access Control > Policies page.

Click Add to create a policy.

Enter the Policy Name (for example, remote-AP-access).

142 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Remote APs
Chapter 6

To create the first rule:
A.

Under Rules, click Add.

For Source, select any.

For Destination, select any.

For Service, select service, then select svc-papi.

Click Add.

To create the next rule:
A.

Under Rules, click Add.

For Source, select any.

For Destination, select any.

For Service, select service, then select svc-gre.

Click Add.

To create the next rule:
A.

Under Rules, click Add.

For Source, select any.

For Destination, select any.

For Service, select service, then select svc-l2tp.

Click Add.

To create the next rule:
A.

Under Rules, click Add.

For Source, select any.

For Destination, select alias, then select mswitch.

For Service, select service, then select svc-tftp.

Click Add.

To create the next rule:
A.

Under Rules, click Add.

For Source, select any.

For Destination, select alias, then select mswitch.

For Service, select service, then select svc-ftp.

Click Add.

Click Apply.

10. Click the User Roles tab.

AOS-W 3.1
User Guide

143

Configuring Remote APs
Chapter 6

Click Add.

Enter the Role Name (for example, RemoteAP).

Click Add under Firewall Policies.

In the Choose from Configured Policies menu, select the policy you just
created.

Click Done.

11. Click Apply.

Using the CLI to configure the user role:

ip access-list session
any any svc-papi permit
any any svc-gre permit
any any svc-l2tp permit
any alias mswitch svc-tftp permit
any alias mswitch svc-ftp permit
user-role
session-acl

Configure VPN Authentication
Before you enable VPN authentication, you must configure the authentication
server(s) and server group that the WLAN Switch will use to validate the remote
AP. When you provision the remote AP, you configure IPSec settings for the AP,
including the username and password. This username and password must be
validated by an authentication server before the remote AP is allowed to establish
a VPN tunnel to the WLAN Switch. The authentication server can be any type of
server supported by the WLAN Switch, including the WLAN Switch’s internal
database.

CAUTION:

For security purposes, Alcatel recommends that you
assign a unique username and password to each remote
AP.

For more information about configuring authentication servers and server groups,
see Chapter 8, “Configuring Authentication Servers”.

144 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Remote APs
Chapter 6

Using the WebUI to configure the VPN authentication profile:
1.

Navigate to the Configuration > Security > Authentication > L3
Authentication page.

In the Profiles list, select VPN Authentication Profile.

For Default Role, enter the user role you created previously (for example,
RemoteAP).

Click Apply.

In the Profile list, under VPN Authentication Profile, select Server Group.

Select the server group from the drop-down menu.

Click Apply.

Using the CLI to configure the VPN authentication profile:

aaa server-group
auth-server
aaa authentication vpn
default-role
server-group

Provision the AP
You need to configure the VPN client settings on the AP to instruct the AP to use
IPSec to connect to the WLAN Switch.
You must provision the AP before you install it at its remote location. To provision
the AP, the AP must be physically connected to the local network or directly
connected to the WLAN Switch. When connected and powered on, the AP must
also be able to obtain an IP address from a DHCP server on the local network or
from the WLAN Switch.
NOTE:

You must install a Remote AP license on any WLAN Switch that you use
to provision a remote AP. For example, if you are provisioning a remote
AP on a master WLAN Switch but the remote AP tunnel will terminate on
a local WLAN Switch, you need to install Remote AP licenses on both the
master and local WLAN Switchs.

The easiest way to provision an AP is to use the Provisioning page in the WebUI,
as described in the following steps:
1.

Navigate to the Configuration > Wireless > AP Installation > Provisioning
page. Select the remote AP and click Provision.

Under Authentication Method, select IPSec Parameters. Enter the Internet Key
Exchange (IKE) Pre-Shared Key (PSK), username, and password.

AOS-W 3.1
User Guide

145

Configuring Remote APs
Chapter 6

NOTE:

The username and password you enter must match the username
and password configured on the authentication server for the remote
AP.

Under Master Discovery, set the Master IP Address as shown below:

Deployment Scenario

Master IP Address Value

Deployment 1

WLAN Switch IP address

Deployment 2

WLAN Switch public IP address

Deployment 3

Public address of the NAT device to which the
WLAN Switch is connected

Under IP Settings, make sure that Obtain IP Address Using DHCP is selected.

Click Apply and Reboot.

NOTE:

Regardless of the deployment type, Alcatel recommends that the LMS IP
in the AP system profile for the AP be set to the WLAN Switch IP address
(either the loopback address of the WLAN Switch or the VLAN 1 IP
address).

Deploying a Branch Office/Home Office
Solution
In a branch office, the AP is deployed in a separate IP network from the corporate
network. Typically, there are one or two NAT devices between the two networks.
Branch office users need access to corporate resources like printers and servers
but traffic to and from these resources must not impact the corporate head office.
The following illustration shows a remote AP in a branch or home office with a
single WLAN Switch providing access to both a corporate WLAN and a branch
office WLAN.

146 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Remote APs
Chapter 6

Branch office users want continued operation of the branch office WLAN even if
the link to the corporate network goes down. The branch office AP solves these
requirements by providing the following capabilities on the branch office WLAN:

Local termination of 802.11 management frames which provides survivability
of the branch office WLAN.

Implementation of an 802.1x authenticator split. All 802.1x authenticator
functionality is implemented in the AP. The WLAN Switch is used as a
RADIUS pass-through when the authenticator has to communicate with a
RADIUS server (which also supports survivability).

802.11 encryption/decryption is in the AP to provide access to local
resources.

Local bridging of client traffic connected to the WLAN or to an AP 70 enet1
port to provide access to local resources.

To configure the branch office AP:

Specify forward mode for the Extended Service Set Identifier (ESSID) in the
virtual AP profile

Set how long the AP stays up after connectivity to WLAN Switch has gone
down in the SSID profile

Set the VLAN ID in the virtual AP profile

Set the native VLAN ID in the AP system profile

Set forward mode for enet1 port

NOTE:

Remote APs support 802.1q VLAN tagging. Data from the remote AP will
be tagged on the wired side.

AOS-W 3.1
User Guide

147

Configuring Remote APs
Chapter 6

Troubleshooting the Branch Office Configuration
To query the STM state in an AP:

show ap bss-table

To see AP counters:

show ap remote counters

To see AP associations:

show ap association

To see AP traffic statistics:

show ap remote debug mgmt-frames

To see AP configuration:

show ap debug bss-config

Double Encryption
The IPSec tunnel between the remote AP and the WLAN Switch carries
management traffic as well as wireless client traffic, which is encrypted
according to the SSID configuration. A device at the branch office that cannot
perform its own encryption may need connection to the corporate WLAN (for
example, a printer or local server). To securely transmit traffic from this device,
enable the double encryption feature. When this feature is enabled, all traffic
placed into the IPSec tunnel is encrypted, including the already-encrypted
wireless client data (hence the term “double encryption”).

Using the WebUI to enable double encryption:
1.

Navigate to the Configuration > Wireless > AP Configuration > AP Specific
page. Click Edit for the remote AP.

Under Profiles, select AP, then select AP system profile.

Under Profile Details, select the AP system profile for this AP from the
drop-down menu. Select Double Encrypt. Click Apply.

Using the CLI to enable double encryption:

ap system-profile
double-encrypt
ap-name
ap-system-profile
NOTE:

Alcatel recommends that double-encryption not be turned on for
inter-device communication over untrusted networks, as doing so is
redundant and adds significant processing overhead for APs.

148 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Volume 4
Configuring
Wireless
Encryption and
Authentication
AOS-W Version 3.1

150 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Roles and
Policies

Every client in an Alcatel OmniAccess system is associated with a user role,
which determines the client’s network privileges, how often it must
re-authenticate, and which bandwidth contracts are applicable. A policy is a set of
rules that applies to traffic that passes through the WLAN Switch. You specify
one or more policies for a user role. Finally, you can assign a user role to clients
before or after they authenticate to the system.
This chapter describes the following topics:

“Policies” on page 152

“Creating a Firewall Policy” on page 153

“Creating a User Role” on page 156

“Assigning User Roles” on page 160

“Firewall Parameters” on page 166

AOS-W 3.1
User Guide

151

Configuring Roles and Policies
Chapter 7

Policies
A firewall policy identifies specific characteristics about a data packet passing
through the WLAN Switch and takes some action based on that identification. In
an Alcatel WLAN Switch, that action can be a firewall-type action such as
permitting or denying the packet, an administrative action such as logging the
packet, or a quality of service (QoS) action such as setting 802.1p bits or placing
the packet into a priority queue. You can apply firewall policies to user roles to
give differential treatment to different users on the same network, or to physical
ports to apply the same policy to all traffic through the port.
Firewall policies differ from access control lists (ACLs) in the following ways:

Firewall policies are stateful, meaning that they recognize flows in a network
and keep track of the state of sessions. For example, if a firewall policy
permits telnet traffic from a client, the policy also recognizes that inbound
traffic associated with that session should be allowed.

Firewall policies are bi-directional, meaning that they keep track of data
connections traveling into or out of the network. ACLs are normally applied to
either traffic inbound to an interface or outbound from an interface.

Firewall policies are dynamic, meaning that address information in the policy
rules can change as the policies are applied to users. For example, the alias
user in a policy automatically applies to the IP address assigned to a particular
user. ACLs typically require static IP addresses in the rule.

Access Control Lists (ACLs)
Access control lists (ACLs) are a common way of restricting certain types of
traffic on a physical port. AOS-W provides the following types of ACLs:

Standard ACLs permit or deny traffic based on the source IP address of the
packet. Standard ACLS can be either named or numbered, with valid numbers
in the range of 1-99 and 1300-1399. Standard ACLs use a bitwise mask to
specify the portion of the source IP address to be matched.

Extended ACLs permit or deny traffic based on source or destination IP
address, source or destination port number, or IP protocol. Extended ACLs
can be named or numbered, with valid numbers in the range 100-199 and
2000-2699.

MAC ACLs are used to filter traffic on a specific source MAC address or
range of MAC addresses. MAC ACLs can be either named or numbered, with
valid numbers in the range of 700-799 and 1200-1299.

Ethertype ACLs are used to filter based on the Ethertype field in the frame
header. Ethertype ACLs can be either named or numbered, with valid
numbers in the range of 200-299.These ACLs can be used to permit IP while
blocking other non-IP protocols, such as IPX or AppleTalk.

152 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Roles and Policies
Chapter 7

AOS-W provides both standard and extended ACLs for compatibility with router
software from popular vendors, however firewall policies provide equivalent and
greater function than standard and extended ACLs and should be used instead.
You can apply MAC and Ethertype ACLs to a user role, however these ACLs only
apply to traffic from the user.

Creating a Firewall Policy
This section describes how to configure the rules that constitute a firewall policy.
A firewall policy can then be applied to a user role (until the policy is applied to a
user role, it does not have any effect).
Table 7-6 describes required and optional parameters for a rule.

TABLE 7-6

Firewall Policy Rule Parameters

Field

Description

Source
(required)

Source of the traffic, which can be one of the following:

Destination
(required)

any: Acts as a wildcard and applies to any source address.

user: This refers to traffic from the wireless client.

host: This refers to traffic from a specific host. When this option is
chosen, you must configure the IP address of the host.

network: This refers to a traffic that has a source IP from a subnet
of IP addresses. When this option is chosen, you must configure
the IP address and network mask of the subnet.

alias: This refers to using an alias for a host or network. You
configure the alias by navigating to the Configuration > Advanced
Services > Stateful Firewall > Destination page.

Destination of the traffic, which can be configured in the same manner
as Source.

AOS-W 3.1
User Guide

153

Configuring Roles and Policies
Chapter 7

TABLE 7-6

Firewall Policy Rule Parameters (Continued)

Field

Description

Service
(required)

Type of traffic, which can be one of the following:

Action
(required)

any: This option specifies that this rule applies to any type of
traffic.

tcp: Using this option, you configure a range of TCP port(s) to
match for the rule to be applied.

udp: Using this option, you configure a range of UDP port(s) to
match for the rule to be applied.

service: Using this option, you use one of the pre-defined services
(common protocols such as HTTPS, HTTP, and others) as the
protocol to match for the rule to be applied. You can also specify a
network service that you configure by navigating to the
Configuration > Advanced Services > Stateful Firewall >
Network Services page.

protocol: Using this option, you specify a different layer 4 protocol
(other than TCP/UDP) by configuring the IP protocol value.

The action that you want the WLAN Switch to perform on a packet
that matches the specified criteria. This can be one of the following:

permit: Permits traffic matching this rule.

drop: Drops packets matching this rule without any notification.

reject: Drops the packet and sends an ICMP notification to the
traffic source.

src-nat: Performs network address translation (NAT) on packets
matching the rule. When this option is selected, you need to select
a NAT pool. (If this pool is not configured, you configure a NAT
pool by navigating to the Configuration > Advanced > Security >
Advanced > NAT Pools.)

dst-nat: This option redirects traffic to the configured IP address
and destination port. An example of this option is to redirect all
HTTP packets to the captive portal port on the Alcatel WLAN
Switch as used in the pre-defined policy called “captiveportal”.

dual-nat: This option performs both source and destination NAT
on packets matching the rule.

redirect to tunnel: This option redirects traffic into a GRE tunnel.
This option is used primarily to redirect all guest traffic into a GRE
tunnel to a DMZ router/switch.

redirect to ESI group: This option redirects traffic to the specified
ESI server group. You also specify the direction of traffic to be
redirected: forward, reverse, or both directions.

154 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Roles and Policies
Chapter 7

TABLE 7-6

Firewall Policy Rule Parameters (Continued)

Field

Description

Log
(optional)

Select this option to log a match to this rule. This is recommended
when a rule indicates a security breach, such as a data packet on a
policy that is meant only to be used for voice calls.

Mirror
(optional)

Mirrors session packets to datapath or remote destination.

Queue
(optional)

The queue in which a packet matching this rule should be placed.
Select High for higher priority data, such as voice, and Low for lower
priority traffic.

Time Range
(optional)

Specifies the time range for this rule. You configure time ranges in the
Configuration > Security > Access Control > Time Ranges page.

Black List
(optional)

Select this option if it is required to automatically blacklist a client that
is the source or destination of traffic matching this rule. This option is
recommended for rules that indicate a security breach where the
blacklisting option can be used to prevent access to clients that are
attempting to breach the security.

TOS
(optional)

Value of type of service (TOS) bits to be marked in the IP header of a
packet matching this rule when it leaves the WLAN Switch.

802.1p
Priority
(optional)

Value of 802.1p priority bits to be marked in the frame of a packet
matching this rule when it leaves the WLAN Switch.

Using the WebUI to create a new firewall policy:
1.

Navigate to the Configuration > Security > Access Control > Policies page on
the WebUI.

Click Add to create a new policy.

Enter the policy name.

To configure a firewall policy, select Session for Policy Type.

Click Add to add a rule to the policy being created. Table 7-6 describes
required and optional fields for a rule.

Click Add to add this rule to the policy being created. If more rules are
needed, follow the same process to create and add more rules to the policy.
NOTE:

Rules can be re-ordered by the using the up and down buttons
provided for each rule.

When all the required rules are created and ordered in the policy, click Apply
to apply this configuration.
NOTE:

The policy is not created until the configuration is applied.
AOS-W 3.1
User Guide

155

Configuring Roles and Policies
Chapter 7

Using the CLI to create a new firewall policy:

ip access-list session
... [position ]

Creating a User Role
This section describes how to create a new user role. When you create a user
role, you specify one or more policies for the role.
Table 7-7 describes the different parameters you can configure for the user role.

TABLE 7-7

User Role Parameters

Field

Description

Firewall Policies
(required)

This consists of the policies that define the privileges of a
wireless client in this role. There are three ways to add a firewall
policy to a user role:

Re-authentication
Interval (optional)

Choose from configured policies (see “Creating a Firewall
Policy” on page 153): Select a policy from the list of
configured policies and click the “Done” button to add the
policy to the list of policies in the user role. If this policy is to
be applied to this user role only for specific AP groups, you
can specify the applicable AP group.

Create a new policy from a configured policy: This option can
be used to create a new policy that is derived from an
existing policy.

Create a new policy: The rules for the policy can be added as
explained in “Creating a User Role” on page 156.

Time, in minutes, after which the client is required to
reauthenticate. Enter a value between 0-4096. 0 disables
reauthentication.
Default: 0 (disabled)

Role VLAN ID
(optional)

156 AOS-W 3.1
User Guide

By default, a client is assigned a VLAN on the basis of the ingress
VLAN for the client to the WLAN Switch. You can override this
assignment and configure the VLAN ID that is to be assigned to
the user role. You configure a VLAN by navigating to the
Configuration > Network > VLANs page.

032063-00 Rev A
February 2007

Configuring Roles and Policies
Chapter 7

TABLE 7-7

User Role Parameters (Continued)

Field

Description

Bandwidth
Contract
(optional)

You can assign a bandwidth contract to provide an upper limit to
the bandwidth utilized by clients in this role. As an example, the
administrator may want to cap the total bandwidth used by the
guest users in a network to 2Mbps.
You can select the Per User option to apply the bandwidth
contracts on a per-user basis instead of to all clients in the role.
To create a new bandwidth contract, select the “Add New” option
from the drop-down menu. Enter the name of the bandwidth
contract and the bandwidth to be allowed (in Kbps or Mbps).
Click Done to add the new contract and assign it to the role. Or,
navigate to the Configuration > Advanced Services > Stateful
Firewall > BW Contracts page.

VPN Dialer
(optional)

This assigns a VPN dialer to a user role. For details about VPN
dialer, see Chapter 11, “Configuring Virtual Private Networks.”
Select a dialer from the drop-down list and assign it to the user
role. This dialer will be available for download when a client logs
in using captive portal and is assigned this role.

L2TP Pool
(optional)

This assigns an L2TP pool to the user role. For more details about
L2TP pools, see Chapter 11, “Configuring Virtual Private
Networks.”
Select the required L2TP pool from the list to assign to the user
role. The inner IP addresses of VPN tunnels using L2TP will be
assigned from this pool of IP addresses for clients in this user
role.

PPTP Pool
(optional)

This assigns a PPTP pool to the user role. For more details about
PPTP pools, see Chapter 11, “Configuring Virtual Private
Networks.”
Select the required PPTP pool from the list to assign to the user
role. The inner IP addresses of VPN tunnels using PPTP will be
assigned from this pool of IP addresses for clients in this user
role.

Captive Portal
Profile (optional)

This assigns a Captive Portal profile to this role. For more details
about Captive Portal profiles, see Chapter 10, “Configuring
Captive Portal.”

AOS-W 3.1
User Guide

157

Configuring Roles and Policies
Chapter 7

TABLE 7-7

User Role Parameters (Continued)

Field

Description

Bandwidth
Contract
(optional)

VPN Dialer
(optional)

L2TP Pool
(optional)

PPTP Pool
(optional)

Captive Portal
Profile (optional)

158 AOS-W 3.1
User Guide

This assigns a Captive Portal profile to this role. For more details
about Captive Portal profiles, see Chapter 10, “Configuring
Captive Portal.”

032063-00 Rev A
February 2007

Configuring Roles and Policies
Chapter 7

Using the WebUI to create a role:
1.

Navigate to the Configuration > Security > Access Control > User Roles
page.

Click Add to create and configure a new user role.

Enter the desired name for the role.

Under Firewall Policies, click Add. Select a previously-configured policy from
the scrolling menu. Or, you can click Create to configure a new policy. Click
Done to add the policy to the user role being created. If more policies are
needed, follow the same process to create and add more policies to the role.
NOTE:

Policies can be re-ordered by the using the up and down buttons
provided for each policy.

You can optionally enter configuration values as described in Table 7-7.

Click Apply to apply this configuration.

NOTE:

The role is not created until the configuration is applied.

Using the CLI to create a role:

user-role
access-list session position
...

AOS-W 3.1
User Guide

159

Configuring Roles and Policies
Chapter 7

Assigning User Roles
A client is assigned a user role by one of several methods. A user role assigned by
one method may take precedence over a user role assigned by a different method.
The methods of assigning user roles are, from lowest to highest precedence:
1.

The initial user role for unauthenticated clients is configured in the AAA
profile for a virtual AP (see Chapter 5, “Configuring Access Points”).

The user role can be derived from user attributes upon the client’s association
with an AP (this is known as a user-derived role). You can configure rules that
assign a user role to clients that match a certain set of criteria. For example,
you can configure a rule to assign the role “VoIP-Phone” to any client that has
a MAC address that starts with bytes xx:yy:zz. User-derivation rules are
executed before client authentication.

The user role can be the default user role configured for an authentication
method, such as 802.1x or VPN. For each authentication method, you can
configure a default role for clients who are successfully authenticated using
that method.

The user role can be derived from attributes returned by the authentication
server and certain client attributes (this is known as a server-derived role). If
the client is authenticated via an authentication server, the user role for the
client can be based on one or more attributes returned by the server during
authentication, or on client attributes such as SSID (even if the attribute is not
returned by the server). Server-derivation rules are executed after client
authentication.

The user role can be derived from Vendor-Specific Attributes (VSA) for
RADIUS server authentication. A role derived from a VSA takes precedence
over any other user roles.

The following sections describe the methods of assigning user roles.

Default User Role in AAA Profile
An AAA profile defines the user role for unauthenticated clients (initial role) as
well as the default user role for MAC and 802.1x authentication.

Using the WebUI to configure user roles in the AAA profile:
1.

Navigate to the Configuration > Security > Authentication > AAA Profiles
page.

Select the “default” profile or a user-defined AAA profile.

Enter the user role for Initial role.

160 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Roles and Policies
Chapter 7

Enter the user role for 802.1x Authentication Default Role and/or MAC
Authentication Default Role.

Click Apply.

Using the CLI to configure user roles in the AAA profile:

aaa profile
initial-role
dot1x-default-role
mac-default-role

User-Derived Role
The user role can be derived from attributes from the client’s association with an
AP. You configure the user role to be derived by specifying condition rules; when a
condition is met, the specified user role is assigned to the client. You can specify
more than one condition rule; the order of rules is important as the first matching
condition is applied.
NOTE:

User-derivation rules are executed before the client is authenticated.

Table 7-8 describes the conditions for which you can specify a user role.

TABLE 7-8

Conditions for User-Derived Role

Rule Type

Condition

Value

BSSID of AP to which
client is associated

One of the following:

MAC address (xx:xx:xx:xx:xx:xx)

User class identifier
(option 77) returned by
DHCP server

contains

ends with

equals

does not equal

starts with

equals

string

AOS-W 3.1
User Guide

161

Configuring Roles and Policies
Chapter 7

TABLE 7-8

Conditions for User-Derived Role (Continued)

Rule Type

Condition

Value

Encryption type used
by client

One of the following:

Open (no encryption)

equals

WPA/WPA2 AES

does not equal

WPA-TKIP (static or
dynamic)

Dynamic WEP

WPA/WPA2 AES PSK

Static WEP

xSec

ESSID to which the
client is associated

One of the following:

contains

ends with

equals

does not equal

starts with

value of (does not
take string;
attribute value is
used as role)

AP name or AP group
which includes the AP
to which the client is
associated

One of the following:

MAC address of the
client

One of the following:

162 AOS-W 3.1
User Guide

equals

does not equal

contains

ends with

equals

does not equal

starts with

string

MAC address (xx:xx:xx:xx:xx:xx)

032063-00 Rev A
February 2007

Configuring Roles and Policies
Chapter 7

Using the WebUI to configure a user-derived role:
1.

Navigate to the Configuration > Security > Authentication > User Rules
page.

Click Add to add a new set of derivation rules. Enter a name for the set of
rules, and click Add. The name appears in the User Rules Summary list.

In the User Rules Summary list, select the name of the rule set to configure
rules.

Click Add to add a rule. For Set Type, select Role from the drop-down menu.
(You can select VLAN to configure derivation rules for setting the VLAN
assigned to a client.)

Configure the condition for the rule by setting the Rule Type, Condition, and
Value parameters. See Table 7-8 for descriptions of these parameters.

Select the role assigned to the client when this condition is met.

Click Add.

You can configure additional rules for this rule set. When you have added
rules to the set, use the up or down arrows in the Actions column to modify
the order of the rules. (The first matching rule is applied.)

Click Apply.

Using the CLI to configure a user-derived role:

aaa derivation-rules user
set role condition set-value position
where condition consists of rule_type condition value parameters. See Table 7-8
for descriptions of these parameters.

Default Role for Authentication Method
For each authentication method, you can configure a default role for clients who
are successfully authenticated using that method.

Using the WebUI to configure a default role for an authentication
method:
1.

Navigate to the Configuration > Security > Authentication page.

To configure the default user role for MAC or 802.1x authentication, select
the AAA Profiles tab. Select the AAA profile. Enter the user role for MAC
Authentication Default Role or 802.1x Authentication Default Role.

AOS-W 3.1
User Guide

163

Configuring Roles and Policies
Chapter 7

To configure the default user role for other authentication methods, select the
L2 Authentication or L3 Authentication tab. Select the authentication type
(Stateful 802.1x for L2 Authentication, Captive Portal or VPN for L3
Authentication), and then select the profile. Enter the user role for Default
Role.

Click Apply.

Using the CLI to configure a default role for an authentication method:
To configure the default user role for MAC or 802.1x authentication:

aaa profile
mac-default-role
dot1x-default-role
To configure the default user role for other authentication methods:

aaa authentication captive-portal
default-role
aaa authentication stateful-dot1x
default-role
aaa authentication vpn
default-role

Server-Derived Role
If the client is authenticated via a RADIUS authentication server, the user role for
the client can be based on one or more attributes returned by the server during
authentication. You can also define server-derived rules based on client attributes
such as ESSID, BSSID, or MAC address, even though these attributes are not
returned by the server.
You configure the user role to be derived by specifying condition rules; when a
condition is met, the specified user role is assigned to the client. You can specify
more than one condition rule; the order of rules is important as the first matching
condition is applied.
Table 7-9 describes the conditions for which you can specify a user role.

164 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Roles and Policies
Chapter 7

TABLE 7-9

Conditions for Server-Derived Role

Attribute

Operation

Operand

Use the CLI command
show aaa
radius-attributes to
see the list of server
attributes that are
supported by the
Alcatel WLAN Switch

One of the following:

string

contains

ends with

equals

does not equal

starts with

value of (does not
take string; attribute
value is used as role)

Using the WebUI to configure a server-derived role:
1.

Navigate to the Configuration > Security > Authentication > Servers page.

Select the Server Group for which you want to define a server-derived role.

Under Server Rules, select New.

Configure the condition for the rule by setting the Attribute, Operation, and
Operand parameters. See Table 7-9 for descriptions of these parameters.

Under Set, select set role. Under Value, select the role assigned to the client
when this condition is met.

Click Add.

Click Apply.

Using the CLI to configure a server-derived role:

aaa server-group
set role condition set-value position
where condition consists of attribute operation operand parameters. See
Table 7-9 for descriptions of these parameters.

VSA-Derived Role
Many Network Address Server (NAS) vendors use VSAs to provide features not
supported in standard RADIUS attributes. For Alcatel systems, VSAs can be
employed to provide the user role and VLAN for RADIUS-authenticated clients,
AOS-W 3.1
User Guide

165

Configuring Roles and Policies
Chapter 7

however the VSAs must be present on your RADIUS server. This involves defining
the vendor and/or the vendor-specific code, vendor-assigned attribute number,
attribute format (such as string or integer), and attribute value in the RADIUS
dictionary file. VSAs supported on WLAN Switches conform to the format
recommended in RFC 2865, “Remote Authentication Dial In User Service
(RADIUS)”.

Firewall Parameters
Table 7-10 describes optional firewall parameters you can set on the WLAN
Switch. To set these options in the WebUI, navigate to the Configuration >
Advanced Services > Stateful Firewall > Global Setting page. To set these
options in the CLI, use the firewall configuration commands.

TABLE 7-10

Firewall Parameters

Parameter

Description

Monitor Ping Attack

Number of ICMP pings per second, which if
exceeded, can indicate a denial of service attack.
Valid range is 1-255 pings per second.
Recommended value is 4.
Default: No default

Monitor TCP SYN Attack
rate

Number of TCP SYN messages per second, which if
exceeded, can indicate a denial of service attack.
Valid range is 1-255 messages per second.
Recommended value is 32.
Default: No default

Monitor IP Session
Attack

Number of TCP or UDP connection requests per
second, which if exceeded, can indicate a denial of
service attack. Valid range is 1-255 requests per
second. Recommended value is 32.
Default: No default

Prevent L2 Bridging
between Wireless users

Prevents the forwarding of Layer-2 traffic between
wired or wireless users. You can configure user role
policies that prevent Layer-3 traffic between users or
networks but this does not block Layer-2 traffic. This
option can be used to prevent traffic, such as
Appletalk or IPX, from being forwarded.
Default: Disabled

166 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Roles and Policies
Chapter 7

TABLE 7-10

Firewall Parameters (Continued)

Parameter

Description

Enforce TCP Handshake
Before Allowing Data

Prevents data from passing between two clients
until the three-way TCP handshake has been
performed. This option should be disabled when you
have mobile clients on the network as enabling this
option will cause mobility to fail. You can enable this
option if there are no mobile clients on the network.
Default: Disabled

Prohibit IP Spoofing

Enables detection of IP spoofing (where an intruder
sends messages using the IP address of a trusted
client). When this option is enabled, IP and MAC
addresses are checked; possible IP spoofing attacks
are logged and an SNMP trap is sent.
Default: Disabled

Prohibit RST Replay
Attack

When enabled, closes a TCP connection in both
directions if a TCP RST is received from either
direction. You should not enable this option unless
instructed to do so by an Alcatel representative.
Default: Disabled

Log ICMP Errors

Enables logging of received ICMP errors. You should
not enable this option unless instructed to do so by
an Alcatel representative.
Default: Disabled

Disable stateful SIP
Processing

Disables monitoring of exchanges between a voice
over IP or voice over WLAN device and a SIP server.
This option should be enabled only when there is no
VoIP or VoWLAN traffic on the network.
Default: Disabled (stateful SIP processing is enabled)

Allow Tri-session with
DNAT

Allows three-way session when performing
destination NAT. This option should be enabled when
the WLAN Switch is not the default gateway for
wireless clients and the default gateway is behind
the WLAN Switch. This option is typically used for
captive portal configuration.
Default: Disabled.

Session Mirror
Destination

Destination to which mirrored session packets are
sent. You can configure IP flows to be mirrored with
the session ACL mirror option. This option is used
only for troubleshooting or debugging.
Default: N/A

AOS-W 3.1
User Guide

167

Configuring Roles and Policies
Chapter 7

TABLE 7-10

Firewall Parameters (Continued)

Parameter

Description

Session Idle Timeout

Set the time, in seconds, that a non-TCP session can
be idle before it is removed from the session table.
Specify a value in the range 16-259 seconds. You
should not set this option unless instructed to do so
by an Alcatel representative.
Default: 30 seconds

Disable FTP Server

Disables the FTP server on the WLAN Switch.
Enabling this option prevents FTP transfers. You
should not enable this option unless instructed to do
so by an Alcatel representative.
Default: Disabled (FTP server is enabled)

GRE Call ID Processing

Creates a unique state for each PPTP tunnel. You
should not enable this option unless instructed to do
so by an Alcatel representative.
Default: Disabled

Per-packet Logging

Enables logging of every packet if logging is enabled
for the corresponding session rule. Normally, one
event is logged per session. If you enable this option,
each packet in the session is logged. You should not
enable this option unless instructed to do so by an
Alcatel representative, as doing so may create
unnecessary overhead on the WLAN Switch.
Default: Disabled (per-session logging is performed)

VoIP Proxy ARP

Reduces the number of broadcast packets sent to
VoIP clients, thereby improving the battery life of
voice handsets. You can enable this option for voice
handsets in conjunction with increasing the DTIM
interval on clients.
Default: Disabled

Enforce WMM Voice
Priority Matches Flow
Content

If traffic to or from the user is inconsistent with the
associated QoS policy for voice, the traffic is
reclassified to best effort and data path counters
incremented.
Default: Disabled

168 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Authentication
Servers

The AOS-W software allows you to use an external authentication server or the
WLAN Switch’s internal user database to authenticate clients who need to access
the wireless network.
NOTE:

In order for an external authentication server to process requests from
the Alcatel WLAN Switch, you must configure the server to recognize the
WLAN Switch. Refer to the vendor documentation for information on
configuring the authentication server.
For example, instructions on how to configure Microsoft’s IAS and Active
Directory can be obtained at http://technet2.microsoft.com/
windowsserver/en/technologies/ias.mspx and
http://technet2.microsoft.com/windowsserver/en/technologies/featured/
ad/default.mspx, respectively.

This chapter describes the following topics:

“Servers and Server Groups” on page 170

“Configuring Servers” on page 171

“Configuring Server Groups” on page 177

“Configuring Authentication Timers” on page 182

AOS-W 3.1
User Guide

169

Configuring Authentication Servers
Chapter 8

Servers and Server Groups
You can configure AOS-W to interface with the following external authentication
servers:

Remote Authentication Dial-In User Service (RADIUS)

Lightweight Directory Access Protocol (LDAP)

Terminal Access Controller Access Control System (TACACS+)

You can also use the WLAN Switch’s internal database to authenticate users. You
create entries in the database for users and their passwords and default role.
You can create groups of servers for specific types of authentication — for
example, you can specify one or more RADIUS servers to be used for 802.1x
authentication. The list of servers in a server group is an ordered list. This means
that the first server in the list is always used unless it is unavailable, in which case
the next server in the list is used. You can configure servers of different types in
one group — for example, you can include the internal database as a backup to a
RADIUS server.
Figure 8-18 shows a server group “Radii” that consists of two RADIUS servers,
Radius-1 and Radius-2. The server group is assigned to the server group for
802.1x authentication.

802.1X
SERVER GROUP

SERVER
GROUP RADII
RADIUS-1

RADIUS-2

FIGURE 8-18

Server Group

Server names are unique and you can add a server to only one server group. You
must configure the server before you can add it to a server group.
NOTE:

If you are using the WLAN Switch’s internal database for user
authentication, use the predefined “Internal” server group.

You can also include conditions for server-derived user roles or VLANs in the
server group configuration. The server derivation rules apply to all servers in the
group.
170 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Authentication Servers
Chapter 8

Configuring Servers
This section describes how to configure RADIUS, LDAP, and TACACS+ external
authentication servers and the internal database on the WLAN Switch.

Configuring a RADIUS Server
Table 8-11 describes the parameters you configure for a RADIUS server.

TABLE 8-11

RADIUS Server Configuration Parameters

Parameter

Description

Host

IP address of the authentication server.
Default: N/A

Key

Shared secret between the WLAN Switch and the
authentication server. The maximum length is 48
bytes.
Default: N/A

Authentication Port

Authentication port on the server.
Default: 1812

Accounting Port

Accounting port on the server
Default: 1813

Retransmits

Maximum number of retries sent to the server by the
WLAN Switch before the server is marked as down.
Default: 3

Timeout

Maximum time, in seconds, that the WLAN Switch
waits before timing out the request and resending it.
Default: 5 seconds

NAS ID

Network Access Server (NAS) identifier to use in
RADIUS packets.
Default: N/A

AOS-W 3.1
User Guide

171

Configuring Authentication Servers
Chapter 8

TABLE 8-11

RADIUS Server Configuration Parameters (Continued)

Parameter

Description

NAS IP

NAS IP address to send in RADIUS packets.
You can configure a “global” NAS IP address that the
WLAN Switch uses for communications with all
RADIUS servers. If you do not configure a
server-specific NAS IP, the global NAS IP is used. To
set the global NAS IP in the WebUI, navigate to the
Configuration > Security > Authentication >
Advanced page. To set the global NAS IP in the CLI,
enter the ip radius nas-ip ipaddr command.
Default: N/A

Use MD5

Use MD5 hash of cleartext password.
Default: disabled

Mode

Enables or disables the server.
Default: enabled

Using the WebUI to configure a RADIUS server:
1.

Navigate to the Configuration > Security > Authentication > Servers page.

Select Radius Server to display the Radius Server List.

To configure a RADIUS server, enter the name for the server and click Add.

Select the name to configure server parameters. Enter parameters as
described in Table 8-11. Select the Mode checkbox to activate the
authentication server.

Click Apply to apply the configuration.
NOTE:

The configuration does not take effect until you perform this step.

Using the CLI to configure a RADIUS server:

aaa authentication-server radius
host
key
enable

172 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Authentication Servers
Chapter 8

Configuring an LDAP Server
Table 8-12 describes the parameters you configure for an LDAP server.

TABLE 8-12

LDAP Server Configuration Parameters

Parameter

Description

Host

IP address of the LDAP server.
Default: N/A

Admin-DN

Distinguished name for the admin user who has
read/search privileges across all the entries in the
LDAP database (the user need not have write
privileges but the user should be able to search the
database, and read attributes of other users in the
database).

Admin Password

Password for the admin user.
Default: N/A

Allow Clear-Text

Allows clear-text (unencrypted) communication with
the LDAP server.
Default: disabled

Authentication Port

Port number used for authentication.
Default: 389

Base-DN

Distinguished Name of the node which contains the
entire user database to use.
Default: N/A

Filter

Filter that should be applied to search of the user in
the LDAP database (default filter string is:
ì(objectclass=*)î ).
Default: N/A

Key Attribute

Attribute that should be used as a key in search for
the LDAP server. For Active Directory, the value is
sAMAccountName.
Default: sAMAccountName

Timeout

Timeout period of a LDAP request, in seconds.
Default: 20 seconds

Mode

Enables or disables the server.
Default: enabled

AOS-W 3.1
User Guide

173

Configuring Authentication Servers
Chapter 8

Using the WebUI to configure an LDAP server:
1.

Navigate to the Configuration > Security > Authentication > Servers page.

Select LDAP Server to display the LDAP Server List.

To configure an LDAP server, enter the name for the server and click Add.

Select the name to configure server parameters. Enter parameters as
described in Table 8-12. Select the Mode checkbox to activate the
authentication server.

Click Apply to apply the configuration.
NOTE:

The configuration does not take effect until you perform this step.

Using the CLI to configure an LDAP server:

aaa authentication-server ldap
host
(enter parameters as described in Table 8-12)
enable

Configuring a TACACS+ Server
Table 8-13 describes the parameters you configure for a TACACS+ server.

TABLE 8-13

TACACS+ Server Configuration Parameters

Parameter

Description

Host

IP address of the server.
Default: N/A

Key

Shared secret to authenticate communication
between the TACACS+ client and server.
Default: N/A

TCP Port

TCP port used by server.
Default: 49

174 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Authentication Servers
Chapter 8

TABLE 8-13

TACACS+ Server Configuration Parameters (Continued)

Parameter

Description

Retransmits

Maximum number of times a request is retried.
Default: 3

Timeout

Timeout period for TACACS+ requests, in seconds.
Default: 20 seconds

Mode

Enables or disables the server.
Default: enabled

Using the WebUI to configure a TACACS+ server:
1.

Navigate to the Configuration > Security > Authentication > Servers page.

Select TACACS Server to display the TACACS Server List.

To configure a TACACS+ server, enter the name for the server and click Add.

Select the name to configure server parameters. Enter parameters as
described in Table 8-13. Select the Mode checkbox to activate the
authentication server.

Click Apply to apply the configuration.
NOTE:

The configuration does not take effect until you perform this step.

Using the CLI to configure a TACACS+ server:

aaa authentication-server tacacs
host
key
enable

Configuring the Internal Database
You can create entries in the WLAN Switch’s internal database that can be used
to authenticate clients. The internal database contains a list of clients along with
the password and default role for each client. When you configure the internal
database as an authentication server, client information in incoming
authentication requests is checked against the internal database.

AOS-W 3.1
User Guide

175

Configuring Authentication Servers
Chapter 8

NOTE:

By default, the internal database in the master WLAN Switch is used for
authentication. You can choose to use the internal database in a local
WLAN Switch by entering the CLI command aaa authenticationserver internal use-local-switch. If you use the internal database in a
local WLAN Switch, you need to add clients on the local WLAN Switch.

Table 8-14 describes the information required for internal database entries.

TABLE 8-14 Internal Database Configuration Parameters
Parameters

Description

User Name

(Required) Enter a user name or select Generate to
automatically generate a user name.

Password

(Required) Enter a password or select Generate to
automatically generate a password string.

Role

Role for the client if not otherwise configured (optional field,
default is guest)

E-mail

(Optional) E-mail address of the client

Entry does not
No expiration on user entry, expiration duration (in minutes),
expire/Expiration or specific time and date of expiration

Using the WebUI to configure users in the internal database:
1.

Navigate to the Configuration > Security > Authentication > Servers > page.

Select Internal DB.

Click Add User in the Users section. The user configuration page displays.

Enter the information for the client.

Click Enabled to activate this entry on creation.

Click Apply to apply the configuration.
NOTE:

The configuration does not take effect until you perform this step.

Using the CLI to configure users in the internal database:
Enter the following command in enable mode:

local-userdb add {generate-username|username }
{generate-password|password }

176 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Authentication Servers
Chapter 8

Configuring Server Groups
You can create groups of servers for specific types of authentication — for
example, you can specify one or more RADIUS servers to be used for 802.1x
authentication. The list of servers in a server group is an ordered list. This means
that the first server in the list is always used unless it is unavailable, in which case
the next server in the list is used. You can configure servers of different types in
one group — for example, you can include the internal database as a backup to a
RADIUS server.
Server names are unique and you can add a server to only one server group. The
server must be configured before you can include it in a server group.
NOTE:

If you installed the ESI license in the Alcatel WLAN Switch, clients can be
authenticated by specific servers based on the fully-qualified domain
name (FQDN) and Extended Service Set Identifier (ESSID) of the client.
See Chapter 21, “External Services Interface” for more information.

Table 8-15 describes the parameters you can configure for a server group.

TABLE 8-15

Server Group Configuration Parameters

Parameter

Description

Name

Name of the server.
Default: N/A

trim-FQDN

Trim the FQDN from the username before sending to
the server.
Default: N/A

match-FQDN

Match the FQDN.
Default: N/A

Position

Position of the server in the group list. 1 is the top.
Default: bottom

Configuring Server Rules
When you configure a server group, you can set the VLAN or role for clients based
on attributes returned for the client by the server during authentication. The
server derivation rules apply to all servers in the group. The user role or VLAN
assigned through server derivation rules take precedence over the default role and
VLAN configured for the authentication method.

AOS-W 3.1
User Guide

177

Configuring Authentication Servers
Chapter 8

NOTE: The authentication servers have to be configured to return the attributes
for the clients during authentication. For instructions on configuring the
authentication attributes in a Windows environment using IAS, refer to the
documentation at http://technet2.microsoft.com/windowsserver/
en/technologies/ias.mspx.
The server rules are applied based on the first match principle. The first rule that is
applicable for the server and the attribute returned is applied to the client and
would be the only rule applied from the server rules. These rules are applied
uniformly across all servers in the server group.
Table 8-16 describes the server rule parameters you can configure.

TABLE 8-16 Server Rule Configuration Parameters
Parameter

Description

Role or VLAN

The server derivation rules can be for either user role or VLAN
assignment. With Role assignment, a client can be assigned a
specific role based on the attributes returned. In case of VLAN
assignment, the client can be placed in a specific VLAN based on
the attributes returned.

Attribute

This is the attribute returned by the authentication server that is
examined for Operation and Operand match.

Operation

This is the match method by which the string in Operand is
matched with the attribute value returned by the authentication
server.

178 AOS-W 3.1
User Guide

contains – The rule is applied if and only if the attribute value
contains the string in parameter Operand.

starts-with – The rule is applied if and only if the attribute
value returned starts with the string in parameter Operand.

ends-with – The rule is applied if and only if the attribute
value returned ends with the string in parameter Operand.

equals - The rule is applied if and only if the attribute value
returned equals the string in parameter Operand.

not-equals - The rule is applied if and only if the attribute
value returned is not equal to the string in parameter
Operand.

value-of – This is a special condition. What this implies is
that the role or VLAN is set to the value of the attribute
returned. For this to be successful, the role and the VLAN ID
returned as the value of the attribute selected must be
already configured on the WLAN Switch when the rule is
applied.

032063-00 Rev A
February 2007

Configuring Authentication Servers
Chapter 8

TABLE 8-16 Server Rule Configuration Parameters (Continued)
Parameter

Description

Operand

This is the string to which the value of the returned attribute is
matched.

Value

The user role or the VLAN applied to the client when the rule is
matched.

Position

Position of the condition rule. Rules are applied based on the first
match principle. 1 is the top.
Default: bottom

Using the WebUI to configure a server group:
1.

Navigate to the Configuration > Security > Authentication > Servers page.

Select Server Group to display the Server Group list.

Enter the name of the new server group and click Add.

Select the name to configure the server group.

Under Servers, click New to add a server to the group.

Select a server from the drop-down menu and click Add.

Repeat the above step to add other servers to the group.

Under Server Rules, click New to add server derivation rules for assigning a
user role or VLAN.
A.

Enter the attribute.

Select the operation from the drop-down menu.

Enter the operand.

Select Set VLAN or Set Role from the drop-down menu.

Enter the value (either user role or VLAN) to be assigned.

Click Add.

Repeat the above steps to add other rules for the server group.

Click Apply.

Using the CLI to configure a server group:

aaa server-group
auth-server
set {role|vlan} condition set-value {|}
[position number]
AOS-W 3.1
User Guide

179

Configuring Authentication Servers
Chapter 8

Assigning Server Groups
You can create server groups for the following purposes:

user authentication

management authentication

accounting

You can configure all types of servers for user and management authentication
(see Table 8-17). Accounting is only supported with RADIUS and TACACS+
servers when RADIUS or TACACS+ is used for authentication.

TABLE 8-17

Server Types and Purposes
RADIUS

TACACS+

LDAP

Internal Database

User authentication

Yes

Management authentication

Yes

Accounting

Yes

User Authentication
For information about assigning a server group for user authentication, see the
configuration chapter for the authentication method.

Management Authentication
Users who need to access the WLAN Switch to monitor, manage, or configure the
Alcatel OmniAccess system can be authenticated with RADIUS, TACACS+, or
LDAP servers or the internal database.

Using the WebUI to assign a server group for management
authentication:
1.

Navigate to the Configuration > Management > Administration page.

Under the Management Authentication Servers section, select the Server
Group.

Click Apply.

Using the CLI to assign a server group for management
authentication:

aaa authentication mgmt
server-group
180 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Authentication Servers
Chapter 8

Accounting
You can configure accounting for RADIUS and TACACS+ server groups.
NOTE:

RADIUS or TACACS+ accounting is only supported when RADIUS or
TACACS+ is used for authentication. You cannot configure accounting
when authenticating users through the internal database.

RADIUS Accounting
RADIUS accounting allows user login and logout times to be reported to RADIUS
servers.

Using the WebUI to assign a server group for RADIUS accounting:
1.

Navigate to the Configuration > Security > Authentication > AAA Profiles
page.

Select AAA Profile, then select the AAA profile instance.

Scroll down and select Radius Accounting Server Group. Select the server
group from the drop-down menu.
You can add additional servers to the group or configure server rules.

Click Apply.

Using the CLI to assign a server group for RADIUS accounting:

aaa profile
radius-accounting

TACACS+ Accounting
TACACS+ accounting allows commands issued on the WLAN Switch to be
reported to TACACS+ servers. You can specify the types of commands that are
reported (action, configuration, or show commands) or have all commands
reported.
You can configure TACACS+ accounting only with the CLI:

aaa tacacs-accounting server-group command
{action|all|configuration|show} mode {enable|disable}

AOS-W 3.1
User Guide

181

Configuring Authentication Servers
Chapter 8

Configuring Authentication Timers
Table 8-18 describes the timers you can configure that apply to all clients and
servers. These timers can be left at their default values for most implementations.

TABLE 8-18

Authentication Timers

Timer

Description

User Idle Timeout

Maximum period, in minutes, after which a client is
considered idle if there are no new sessions started with
the client. The timeout period is reset if there is a new
client session. After this timeout period has elapsed, the
WLAN Switch sends probe packets to the client; if the
client responds to the probe, it is considered active and
the User Idle Timeout is reset (an active client that is not
initiating new sessions is not removed). If the client does
not respond to the probe, it is removed from the system.
To prevent clients from timing out, set the value in the
field to 0.
Default: 5 minutes

Authentication
Server Dead Time

Maximum period, in minutes, that the WLAN Switch
considers an unresponsive authentication server to be
“out of service”.
This timer is only applicable if there are two or more
authentication servers configured on the WLAN Switch. If
there is only one authentication server configured, the
server is never considered out of service and all requests
are sent to the server.
If one or more backup servers are configured and a server
is unresponsive, it is marked as out of service for the
dead time; subsequent requests are sent to the next
server on the priority list for the duration of the dead time.
If the server is responsive after the dead time has elapsed,
it can take over servicing requests from a lower-priority
server; if the server continues to be unresponsive, it is
marked as down for the dead time.
Default: 10 minutes

Logon User Lifetime

Maximum time, in minutes, unauthenticated clients are
allowed to remain logged on.
Default: 5 minutes

182 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Authentication Servers
Chapter 8

Using the WebUI to set an authentication timer:
1.

Navigate to the Configuration > Security > Authentication > Advanced page.

Configure the timers as described above.

Click Apply before moving on to another page or closing the browser
window. Failure to do this results in loss of configuration and you will have to
reconfigure the settings.

Using the CLI to set an authentication timer:

aaa timers {dead-time|idle-timeout|logon-lifetime}

AOS-W 3.1
User Guide

183

Configuring Authentication Servers
Chapter 8

184 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x
Authentication

802.1x is an Institute of Electrical and Electronics Engineers (IEEE) standard that
provides an authentication framework for WLANs. 802.1x uses the Extensible
Authentication Protocol (EAP) to exchange messages during the authentication
process. The authentication protocols that operate inside the 802.1x framework
that are suitable for wireless networks include EAP-Transport Layer Security
(EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS). These
protocols allow the network to authenticate the client while also allowing the
client to authenticate the network.
This chapter describes the following topics:

“Overview of 802.1x Authentication” on page 186

“Configuring 802.1x Authentication” on page 190

“Example Configurations” on page 196

“Advanced Configuration Options for 802.1x” on page 224

AOS-W 3.1
User Guide

185

Configuring 802.1x Authentication
Chapter 9

Overview of 802.1x Authentication
802.1x authentication consists of three components:

The supplicant, or client, is the device attempting to gain access to the
network. You can configure the Alcatel OmniAccess system to support
802.1x authentication for wired users as well as wireless users.

The authenticator is the gatekeeper to the network and permits or denies
access to the supplicants.
The Alcatel WLAN Switch acts as the authenticator, relaying information
between the authentication server and supplicant. The EAP type must be
consistent between the authentication server and supplicant and is
transparent to the WLAN Switch.

The authentication server provides a database of information required for
authentication and informs the authenticator to deny or permit access to the
supplicant.
The 802.1x authentication server is typically an EAP-compliant Remote
Access Dial-In User Service (RADIUS) server which can authenticate either
users (through passwords or certificates) or the client computer.
An example of an 802.1x authentication server is the Internet Authentication
Service (IAS) in Windows (see http://technet2.microsoft.com/
windowsserver/en/technologies/ias.mspx).
In Alcatel OmniAccess systems, you can terminate the 802.1x authentication
on the WLAN Switch. The WLAN Switch passes user authentication to its
internal database or to a “backend” non-802.1x server. This feature, also
called “AAA FastConnect,” is useful for deployments where an 802.1x
EAP-compliant RADIUS server is not available or required for authentication.

186 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

Authentication with a RADIUS Server
Figure 9-19 is an overview of the parameters that you need to configure on
authentication components when the authentication server is an 802.1x
EAP-compliant RADIUS server.

CLIENT
(SUPPLICANT)

WLAN SWITCH
(AUTHENTICATOR)

• EAP TYPE

• EAP TYPE
•
•
•
•

• ESSID
• NETWORK AUTHENTICATION
• DATA ENCRYPTION

FIGURE 9-19

AUTHENTICATION
SERVER

SERVER IP
SHARED SECRET
AUTH PORT
ACCT PORT

• CLIENT IP
• SHARED SECRET

• ESSID
• NETWORK AUTHENTICATION
• DATA ENCRYPTION

802.1x Authentication with RADIUS Server

The supplicant and authentication server must be configured to use the same
EAP type. The WLAN Switch does not need to know the EAP type used between
the supplicant and authentication server.
For the WLAN Switch to communicate with the authentication server, you must
configure the IP address, authentication port, and accounting port of the server
on the WLAN Switch. The authentication server must be configured with the IP
address of the RADIUS client, which is the WLAN Switch in this case. Both the
WLAN Switch and the authentication server must be configured to use the same
shared secret.
Additional information on EAP types supported in a Windows environment,
Microsoft supplicants, and authentication server, is available at
http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/eap.mspx.
As described in Chapter 1, “Overview of the Alcatel OmniAccess System,” the
client communicates with the WLAN Switch through a GRE tunnel in order to
form an association with an AP and to authenticate to the network. Therefore, the
network authentication and encryption configured for an ESSID must be the same
on both the client and the WLAN Switch.

AOS-W 3.1
User Guide

187

Configuring 802.1x Authentication
Chapter 9

“Configuring 802.1x Authentication” on page 190 describes 802.1x configuration
on the WLAN Switch.

Authentication Terminated on WLAN Switch
Figure 9-20 is an overview of the parameters that you need to configure on
802.1x authentication components when 802.1x authentication is terminated on
the WLAN Switch (AAA FastConnect). User authentication is performed either via
the WLAN Switch’s internal database or a non-802.1x server.
USER

AUTHENTICATION
VIA INTERNAL DATABASE
OR NON-802.1X SERVER

CLIENT
(SUPPLICANT)

WLAN SWITCH
(AUTHENTICATOR AND
AUTHENTICATION SERVER)

• EAP TYPE = EAP-TLS
OR EAP-PEAP
• ESSID
• NETWORK AUTHENTICATION
• DATA ENCRYPTION

FIGURE 9-20

802.1x Authentication with Termination on WLAN Switch

In this scenario, the supplicant is configured for EAP-Transport Layer Security
(TLS) or EAP-Protected EAP (PEAP).

EAP-TLS is used with smart card user authentication. A smart card holds a
digital certificate which, with the user-entered personal identification number
(PIN), allows the user to be authenticated on the network. EAP-TLS relies on
digital certificates to verify the identities of both the client and server.
NOTE:

EAP-TLS requires that you import server and certification authority
(CA) certificates, and the certificate revocation list (CRL) on the
WLAN Switch (see Chapter 18, “Configuring Management Access”).
The client certificate is verified on the WLAN Switch (the client
certificate must be signed by a known CA) before the user name is
checked on the authentication server.

EAP-PEAP uses TLS to create an encrypted tunnel. Within the tunnel, one of
the following “inner EAP” methods is used:

188 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method
permits the transfer of unencrypted usernames and passwords from
client to server. The main uses for EAP-GTC are one-time token cards
such as SecureID and the use of an LDAP or RADIUS server as the user
authentication server. You can also enable caching of user credentials on
the WLAN Switch as a backup to an external authentication server.

EAP-Microsoft Challenge Handshake Authentication Protocol version 2
(MS-CHAPv2): Described in RFC 2759, this EAP method is widely
supported by Microsoft clients. A RADIUS server must be used as the
backend authentication server.

If you are using the WLAN Switch’s internal database for user authentication, you
need to add the names and passwords of the users to be authenticated. If you are
using an LDAP server for user authentication, you need to configure the LDAP
server on the WLAN Switch, and configure user IDs and passwords. If you are
using a RADIUS server for user authentication, you need to configure the RADIUS
server on the WLAN Switch.
The following section describes how to configure 802.1x authentication on the
WLAN Switch.
NOTE:

Alcatel WLAN Switches ship with a demonstration digital certificate. Until
you install a customer-specific server certificate in the WLAN Switch, this
demonstration certificate is used by default for all secure HTTP
connections (such as the WebUI and captive portal) and AAA
FastConnect. This certificate is included primarily for the purposes of
feature demonstration and convenience and is not intended for long-term
use in production networks. Users in a production environment are urged
to obtain and install a certificate issued for their site or domain by a
well-known certificate authority (CA). See “Managing Certificates” on
page 373 for more information.

AOS-W 3.1
User Guide

189

Configuring 802.1x Authentication
Chapter 9

Configuring 802.1x Authentication
On the WLAN Switch, use the following steps to configure a wireless network
that uses 802.1x authentication:
1.

Configure the VLANs to which the authenticated users will be assigned. See
Chapter 3, “Configuring Network Parameters.”

Configure policies and roles. You can specify a default role for users who are
successfully authenticated using 802.1x. You can also configure server
derivation rules to assign a user role based on attributes returned by the
authentication server; server-derived user roles take precedence over default
roles. For more information about policies and roles, see Chapter 7,
“Configuring Roles and Policies.”
NOTE:

The AOS-W Policy Enforcement Firewall module provides
identity-based security for wired and wireless users and must be
installed on the WLAN Switch. The stateful firewall allows user
classification based on user identity, device type, location and time of
day and provides differentiated access for different classes of users.
For information about obtaining and installing licenses, see Chapter
19, “Managing Software Feature Licenses.”

Configure the authentication server(s) and server group. The server can be an
802.1x RADIUS server or, if you are using AAA FastConnect, a non-802.1x
server or the WLAN Switch’s internal database. If you are using EAP-GTC
within a PEAP tunnel, you can configure an LDAP or RADIUS server as the
authentication server (see Chapter 8, “Configuring Authentication Servers.”) If
you are using EAP-TLS, you need to import server and CA certificates and the
CRL for validating client certificates on the WLAN Switch (see “Managing
Certificates” on page 373).

Configure the AAA profile. Select the 802.1x default user role.

Configure the 802.1x authentication profile. See “802.1x Authentication
Profile” on page 191.

Configure the virtual AP profile for an AP group or for a specific AP:
z

Select the AAA profile you previously configured.

Select the server group you previously configured for the 802.1x
authentication server group.

In the SSID profile, configure the WLAN for 802.1x authentication.

For details on how to complete the above steps, see “Example Configurations” on
page 196.

190 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

802.1x Authentication Profile
This section describes how to create and configure a new instance of an 802.1x
authentication profile in the WebUI or the CLI.

Using the WebUI to configure an 802.1x authentication profile:
1.

Navigate to the Configuration > Security > Authentication > L2
Authentication page.

In the Profiles list, select 802.1x Authentication Profile.

Enter a name for the profile, then click Add.

Click Apply.

In the Profiles list, select the 802.1x authentication profile you just created.

Configure the basic parameters described in Table 9-19.

Click Apply.

Using the CLI to configure an 802.1x authentication profile:

aaa authentication dot1x
Table 9-19 describes the options for the 802.1x authentication profile in the Basic
tab for the WebUI:

AOS-W 3.1
User Guide

191

Configuring 802.1x Authentication
Chapter 9

TABLE 9-19

802.1x Authentication Profile Basic WebUI Parameters

Parameter

Description

Max authentication
failures

Number of times a user can try to login with wrong
credentials after which the user will be blacklisted as
a security threat.
Set to 0 to disable blacklisting, otherwise enter a
non-zero integer to blacklist the user after the
specified number of failures.
Default: 0

Enforce Machine
Authentication

(For Windows environments only) Select this option
to enforce machine authentication before user
authentication. If selected, either the Machine
Authentication Default Role or the User
Authentication Default Role is assigned to the user,
depending on which authentication is successful.
Default: disabled

Machine Authentication:
Default Machine Role

Select the default role to be assigned to the user
after completing only machine authentication.
Default: guest

Machine Authentication:
Default User Role

Select the default role to be assigned to the user
after completing 802.1x authentication.
Default: guest

Reauthentication

Select this option to force the client to do a 802.1x
re-authentication after the expiration of the default
timer for re-authentication. The default value of the
timer (Reauthentication Interval) is 24 hours. If the
user fails to re-authenticate with valid credentials,
the state of the user is cleared.
If derivation rules are used to classify
802.1x-authenticated users, then the
Re-authentication timer per role overrides this
setting.
Default: disabled

192 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

TABLE 9-19

802.1x Authentication Profile Basic WebUI Parameters

Parameter

Description

Termination

Select this option to terminate 802.1x authentication
on the WLAN Switch.
Default: disabled

Termination EAP-Type

The EAP method, either EAP-PEAP or EAP-TLS.
Default: eap-peap

Termination Inner
EAP-Type

Select one of the following:

EAP-Transport Layer Security (TLS): This EAP
method is used with smart card user
authentication.

EAP-Generic Token Card (GTC): Described in
RFC 2284, this EAP method permits the transfer
of unencrypted usernames and passwords from
client to server. The main uses for EAP-GTC are
one-time token cards such as SecureID and the
use of LDAP or RADIUS as the user
authentication server. You can also enable
caching of user credentials on the WLAN Switch
as a backup to an external authentication server.

EAP-Microsoft Challenge Authentication
Protocol version 2 (MS-CHAPv2): Described in
RFC 2759, this EAP method is widely supported
by Microsoft clients.

Default: eap-mschapv2

Configuring User and Computer Authentication
When a Windows computer boots, it logs onto the network domain using a
machine account. Within the domain, the device is authenticated before computer
group policies and software settings can be executed; this process is known as
machine authentication. Machine authentication ensures that only authorized
computers are allowed on the network.
802.1x can be used to perform user and machine authentication (in Table 9-19,
this is the Enforce Machine Authentication option). This tightens the
authentication process further since both computer and user need to be
authenticated.
Enabling machine authentication creates the following scenarios.

Both machine and user authentication fail

AOS-W 3.1
User Guide

193

Configuring 802.1x Authentication
Chapter 9

Machine authentication fails while user authentication passes

Machine authentication passes while user authentication fails

Both machine and user authentication pass

Table 9-20 describes the results of each scenario.

TABLE 9-20

User and Machine Authentication Scenarios

Machine User
Auth
Auth
Status
Status

Description

Role

Typical Access
Policy

Failed

Both machine
authentication and user
authentication failed. L2
authentication failed.

(Not applicable)

No access to
network.

Failed

Passed

If machine authentication
fails (for example, the
machine information is
not present on the server)
and user authentication
succeeds, the user is
assigned the User
Authentication Default
Role. Derivation roles, if
present, do not apply.

User
authentication
default role.

Limited access
depending on
the role.

Passed

Failed

If machine authentication
succeeds and user
authentication has not
been initiated, the role
assigned would be the
Machine Authentication
Default Role. Derivation
rules, if present, do not
apply

Machine
authentication
default role.

Access
depends on
the physical
security of the
device.

194 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

TABLE 9-20

User and Machine Authentication Scenarios (Continued)

Machine User
Auth
Auth
Status
Status
Passed

Passed

Description

Role

In case both machine and
user are successfully
authenticated, the
resultant role is the
802.1x default role. In
case of derivation rules,
the rules assigned to the
user via derivation rules
will take precedence over
the default role. This is the
only case where
derivation rules are
applied.

Default role or
role assigned
by derivation
rules.

Typical Access
Policy
Most secure
since both
authentication
s succeeded.
Permissions
could not
depend purely
on the user
classification
like guest,
employee,
admin, etc.

For example, if the following roles are configured:

Default role:

dot1x_user

Machine Authentication default role:

dot1x_mc

User Authentication default role:

guest

User VLAN:

100 (configured by role)

role assignments would be as follows:

If machine authentication succeeds, the role assigned would be the dot1x_mc
role.

If only user authentication succeeds, the role assigned would be the guest
role.

If both machine and user authentication succeed, the role assigned would be
dot1x_user.

On failure of any type of authentication, the user does not have access to the
network.

NOTE:

When you enable machine authentication, there are three different role
options you configure (as described above) – the User Authentication
Default Role, the Machine Authentication Default Role and the Default
role. While you can select the same role in all three options, you should
define the roles as per the polices that need to be enforced.

AOS-W 3.1
User Guide

195

Configuring 802.1x Authentication
Chapter 9

Example Configurations
The following examples show basic configurations on the WLAN Switch for:

“Authentication with an 802.1x RADIUS Server” on page 196

“Authentication with the WLAN Switch’s Internal Database” on page 211

In the following examples:

Wireless clients associate to the ESSID WLAN-01.

The following roles allow different networks access capabilities:
z

student

faculty

guest

system administrators

The examples show how to configure using the WebUI and CLI commands.

Authentication with an 802.1x RADIUS Server
In the following example:

An EAP-compliant RADIUS server provides the 802.1x authentication.
NOTE:

The RADIUS server administrator must configure the server to
support this authentication. The administrator must also configure
the server to allow communication with the Alcatel WLAN Switch.

The authentication type is WPA. From the 802.1x authentication exchange,
the client and the WLAN Switch derive dynamic keys to encrypt data
transmitted on the wireless network.

802.1x authentication based on PEAP with MS-CHAPv2 provides both
computer and user authentication. If a user attempts to log in without the
computer being authenticated first, the user is placed into a more limited
“guest” user role.
Windows domain credentials are used for computer authentication, and the
user’s Windows login and password are used for user authentication. A
single user sign-on facilitates both authentication to the wireless network
and access to the Windows server resources.

NOTE:

Appendix D, “Windows Client Example Configuration for 802.1x”
provides example configurations for a Windows XP wireless client,
Microsoft Active Directory Server, and Microsoft Internet Authentication
Server that would operate with the WLAN Switch configuration shown in
this section.

196 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

Configuring Policies and Roles
Create the following policies and user roles:

The student policy prevents students from using telnet, POP3, FTP, SMTP,
SNMP, or SSH to the wired portion of the network. The student policy is
mapped to the student user role.

The faculty policy is similar to the student policy, however faculty members
are allowed to use POP3 and SMTP for VPN remote access from home.
(Students are not permitted to use VPN remote access.) The faculty policy is
mapped to the faculty user role.

The guest policy permits only access to the Internet (via HTTP or HTTPS) and
only during daytime working hours. The guest policy is mapped to the guest
user role.

The allowall policy, a predefined policy, allows unrestricted access to the
network. The allowall policy is mapped to both the sysadmin user role and
the computer user role.

Using the Web to create the student policy and role:
1.

Navigate to the Configuration > Security > Access Control > Policies page.
Select Add to add the student policy.

For Policy Name, enter student.

Under Rules, select Add to add rules for the policy.
A.

Under Source, select user.

Under Destination, select alias.
NOTE:

The following steps define an alias representing all internal
network addresses. Once defined, you can use the alias for other
rules and policies.

Under the alias selection, click New.

II.

For Destination Name, enter “Internal Network”.
a.

Click Add to add a rule.

For Rule Type, select network.

For IP Address, enter 10.0.0.0.

For Network Mask/Range, enter 255.0.0.0.

Click Add to add the network range.

Repeat steps a-e to add the network range 172.16.0.0
255.255.0.0.

AOS-W 3.1
User Guide

197

Configuring 802.1x Authentication
Chapter 9

Click Apply. The alias “Internal Network” appears in the
Destination menu

Under Destination, select Internal Network.

Under Service, select service. In the Service scrolling list, select
svc-telnet.

Under Action, select drop.

Click Add.

Under Rules, click Add.
A.

Under Source, select user.

Under Destination, select alias. Then select Internal Network.

Under Service, select service. In the Service scrolling list, select
svc-pop3.

Under Action, select drop.

Click Add.

Repeat steps 4A-E to create rules for the following services: svc-ftp,
svc-smtp, svc-snmp, and svc-ssh.

Click Apply.

Click the User Roles tab. Click Add to create the student role.

For Role Name, enter student.

Under Firewall Policies, click Add. In Choose from Configured Policies, select
the student policy you previously created. Click Done.

10. Click Apply.

Using the WebUI to create the faculty policy and role:
1.

Navigate to the Configuration > Security > Access Control > Policies page.
Click Add to add the faculty policy.

For Policy Name, enter faculty.

Under Rules, click Add to add rules for the policy.
A.

Under Source, select user.

Under Destination, select alias, then select Internal Network.

Under Service, select service. In the Service scrolling list, select
svc-telnet.

Under Action, select drop.

Click Add.

198 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

Repeat steps A-E to create rules for the following services: svc-ftp,
svc-snmp, and svc-ssh.

Click Apply.

Select the User Roles tab. Click Add to create the faculty role.

For Role Name, enter faculty.

Under Firewall Policies, click Add. In Choose from Configured Policies, select
the faculty policy you previously created. Click Done.

Using the WebUI to create the guest policy and role:
1.

Navigate to the Configuration > Security > Access Control > Time Ranges
page to define the time range “working-hours”. Click Add.
A.

For Name, enter working-hours.

For Type, select Periodic.

Click Add.

For Start Day, click Weekday.

For Start Time, enter 07:30.

For End Time, enter 17:00.

Click Done.

Click Apply.

Click the Policies tab. Click Add to add the guest policy.

For Policy Name, enter guest.

Under Rules, click Add to add rules for the policy.
To create rules to permit access to DHCP and DNS servers during working
hours:
A.

Under Source, select user.

Under Destination, select host. In Host IP, enter 10.1.1.25.

Under Service, select service. In the Service scrolling list, select
svc-dhcp.

Under Action, select permit.

Under Time Range, select working-hours.

Click Add.

Repeat steps A-F to create a rule for svc-dns.

AOS-W 3.1
User Guide

199

Configuring 802.1x Authentication
Chapter 9

To create a rule to deny access to the internal network:
A.

Under Source, select user.

Under Destination, select alias. Select Internal Network.

Under Service, select any.

Under Action, select drop.

Click Add.

To create rules to permit HTTP and HTTPS access during working hours:
A.

Under Source, select user.

Under Destination, select any.

Under Service, select service. In the Services scrolling list, select
svc-http.

Under Action, select permit.

Under Time Range, select working-hours.

Click Add.

Repeat steps A-F for the svc-https service.

To create a rule that denies the user access to all destinations and all
services:
A.

Under Source, select user.

Under Destination, select any.

Under Service, select any.

Under Action, select deny.

Click Add.

Click Apply.

Click the User Roles tab. Click Add to create the guest role.

For Role Name, enter guest.

Under Firewall Policies, click Add. In Choose from Configured Policies, select
the guest policy you previously created. Click Done.

Using the WebUI to create the sysadmin role:
1.

Navigate to Configuration > Security > Access Control > User Roles page.
Click Add to create the sysadmin role.

For Role Name, enter sysadmin.

200 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

Under Firewall Policies, click Add. In Choose from Configured Policies, select
the predefined allowall policy. Click Done.

Click Apply.

Using the WebUI to create the computer role:
1.

Navigate to Configuration > Security > Access Control > User Roles page.
Click Add to create the computer role.

For Role Name, enter computer.

Under Firewall Policies, click Add. In Choose from Configured Policies, select
the predefined allowall policy. Click Done.

Click Apply.

Using the CLI to create an alias for the internal network:

netdestination “Internal Network”
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.255.0.0

Using the CLI to create the student role:

ip access-list session student
user alias “Internal Network”
user alias “Internal Network”
user alias “Internal Network”
user alias “Internal Network”
user alias “Internal Network”
user alias “Internal Network”

svc-telnet deny
svc-pop3 deny
svc-ftp deny
svc-smtp deny
svc-snmp deny
svc-ssh deny

user-role student
session-acl student
session acl allowall

Using the CLI to create the faculty role:

ip access-list session faculty
user alias “Internal Network”
user alias “Internal Network”
user alias “Internal Network”
user alias “Internal Network”

svc-telnet deny
svc-ftp deny
svc-snmp deny
svc-ssh deny

AOS-W 3.1
User Guide

201

Configuring 802.1x Authentication
Chapter 9

user-role faculty
session-acl faculty
session acl allowall

Using the CLI to create the guest role:

time-range working-hours periodic
weekday 07:30 to 17:00
ip access-list session guest
user host 10.1.1.25 svc-dhcp permit time-range working-hours
user host 10.1.1.25 svc-dns permit time-range working-hours
user alias “Internal Network” any deny
user any svc-http permit time-range working-hours
user any svc-https permit time-range working-hours
user any any deny
user-role guest
session-acl guest

Using the CLI to create the sysadmin role:

user-role sysadmin
session-acl allowall

Using the CLI to create the computer role:

user-role computer
session-acl allowall

Configuring the RADIUS Authentication Server
Configure the RADIUS server IAS1, with IP address 10.1.1.21 and shared key. The
RADIUS server is configured to sent an attribute called Class to the WLAN
Switch; the value of this attribute is set to either “student,” “faculty,” or
“sysadmin” to identify the user’s group. The WLAN Switch uses the literal value
of this attribute to determine the role name.
On the WLAN Switch, you add the configured server (IAS1) into a server group.
For the server group, you configure the server rule that allows the Class attribute
returned by the server to set the user role.

202 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

Using the WebUI to configure the RADIUS authentication server:
1.

Navigate to the Configuration > Security > Authentication > Servers page.

In the Servers list, select Radius Server. In the RADIUS Server Instance list,
enter IAS1 and click Add.

Select IAS1 to display configuration parameters for the RADIUS server.

For IP Address, enter 10.1.1.21.

For Key, enter |*a^t%183923!.

Click Apply.

In the Servers list, select Server Group. In the Server Group Instance list, enter
IAS and click Add.
A.

Select the server group IAS to display configuration parameters for the
server group.

Under Servers, click New.

From the Server Name drop-down menu, select IAS1. Click Add.

Under Server Rules, click New.
A.

For Condition, enter Class.

For Attribute, select value-of from the drop-down menu.

For Operand, select set role.

Click Add.

Click Apply.

Using the CLI to configure the RADIUS authentication server:

aaa authentication-server radius IAS1
host 10.1.1.21
key |*a^t%183923!
aaa server-group IAS
auth-server IAS1
set role condition Class value-of

Configure 802.1x Authentication
An AAA profile specifies the 802.1x authentication profile and 802.1x server
group to be used for authenticating clients for a WLAN. The AAA profile also
specifies the default user roles for 802.1x and MAC authentication.

AOS-W 3.1
User Guide

203

Configuring 802.1x Authentication
Chapter 9

In the 802.1x authentication profile, configure enforcement of machine
authentication before user authentication. If a user attempts to log in without
machine authentication taking place first, the user is placed in the limited guest
role.

Using the WebUI to configure 802.1x authentication:
1.

Navigate to the Configuration > Security > Authentication > L2
Authentication page.

Select 802.1x Authentication Profile.

In the list of instances, enter dot1x, then click Add.

Select the profile name you just added.

Select Enforce Machine Authentication.

For the Machine Authentication: Default Machine Role, select computer.

For the Machine Authentication: Default User Role, select guest.

Click Apply.

Select the AAA Profiles tab.
A.

In the AAA Profiles Summary, click Add to add a new profile.

Enter aaa_dot1x, then click Add.

Select the profile name you just added.

For MAC Auth Default Role, select computer.

For 802.1x Authentication Default Role, select student.

Click Apply.

In the Profiles list (under the aaa_dot1x profile), select 802.1x Authentication
Profile.
A.

From the drop-down menu, select the dot1x 802.1x authentication
profile you configured previously.

Click Apply.

In the Profiles list (under the aaa_dot1x profile), select 802.1x Authentication
Server Group.
A.

From the drop-down menu, select the IAS server group you created
previously.

Click Apply.

204 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

Using the CLI to configure 802.1x authentication:

aaa authentication dot1x dot1x
machine-authentication enable
machine-authentication machine-default-role computer
machine-authentication user-default-role guest
aaa profile aaa_dot1x
dot1x-default-role student
mac-default-role guest
authentication-dot1x dot1x
dot1x-server-group IAS

Configure VLANs
In this example, wireless clients are assigned to either VLAN 60 or 61 while guest
users are assigned to VLAN 63. VLANs 60 and 61 split users into smaller IP
subnetworks, improving performance by decreasing broadcast traffic. The VLANs
are internal to the Alcatel WLAN Switch only and do not extend into other parts of
the wired network. The clients’ default gateway is the Alcatel WLAN Switch,
which routes traffic out to the 10.1.1.0 subnetwork.
You configure the VLANs, assign IP addresses to each VLAN, and establish the
“helper address” to which client DHCP requests are forwarded.

Using the WebUI to configure VLANs:
1.

Navigate to the Configuration > Network > VLANs page. Click Add to add
VLAN 60.
A.

For VLAN ID, enter 60.

Click Apply.

Repeat steps A and B to add VLANs 61 and 63.

To configure IP parameters for the VLANs, navigate to the Configuration >
Network > IP > IP Interfaces page.
A.

Click Edit for VLAN 60.

For IP Address, enter 10.1.60.1.

For Net Mask, enter 255.255.255.0.

Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.

Click Apply.

In the IP Interfaces page, click Edit for VLAN 61.
A.

For IP Address, enter 10.1.61.1.

AOS-W 3.1
User Guide

205

Configuring 802.1x Authentication
Chapter 9

For Net Mask, enter 255.255.255.0.

Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.

Click Apply.

In the IP Interfaces page, click Edit for VLAN 63.
A.

For IP Address, enter 10.1.63.1.

For Net Mask, enter 255.255.255.0.

Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.

Click Apply.

Select the IP Routes tab.
A.

For Default Gateway, enter 10.1.1.254.

Click Apply.

Using the CLI to Configure VLANs
vlan 60
interface vlan 60
ip address 10.1.60.1 255.255.255.0
ip helper-address 10.1.1.25
vlan 61
interface vlan 61
ip address 10.1.61.1 255.255.255.0
ip helper-address 10.1.1.25
vlan 63
interface vlan 63
ip address 10.1.63.1 255.255.255.0
ip helper-address 10.1.1.25
ip default-gateway 10.1.1.254

Configure the WLANs
In this example, default AP parameters for the entire network are as follows: the
default ESSID is WLAN-01 and the encryption mode is TKIP. A second ESSID
called “guest” has the encryption mode set to static WEP with a configured WEP
key.
In this example, the non-guest clients that associate to an AP are mapped into
one of two different user VLANs. The initial AP to which the client associates
determines the VLAN: clients that associate to APs in the first floor of the building
are mapped to VLAN 60 and clients that associate to APs in the second floor of
the building are mapped to VLAN 61. Therefore, the APs in the network are
206 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

segregated into two AP groups, named “first-floor” and “second-floor”. (See
Chapter 5, “Configuring Access Points” for information about creating AP
groups.)

Guest WLAN
You create and configure the virtual AP profile “guest” and apply the profile to
each AP group. The “guest” virtual AP profile contains the SSID profile “guest”
which configures static WEP with a WEP key.

Using the WebUI to configure the WLAN:
1.

Navigate to the Configuration > Wireless > AP Configuration page.

In the AP Group list, select first-floor.

In the Profiles list, select Wireless LAN, then select Virtual AP.

To configure the guest virtual AP:

Under Profile Details, select NEW. Enter guest, and click Add.

Click Apply.

Select the guest virtual AP that you just created.

For VLAN, enter 63.

Click Apply.

To configure the guest SSID:
A.

Select SSID Profile (under the guest virtual AP).

From the drop-down menu for SSID Profile, select NEW. Enter guest.

For Network Name, enter guest.

For Network Authentication, select None.

For Encryption, select WEP.

Enter the WEP Key.

Click Apply.

Navigate to the Configuration > Wireless > AP Configuration page.

In the AP Group list, select second-floor.

In the Profiles list, select Wireless LAN then select Virtual AP.

Under Add a profile, select guest from the drop-down menu. Click Add.

10. Click Apply.

AOS-W 3.1
User Guide

207

Configuring 802.1x Authentication
Chapter 9

Using the CLI to configure the guest WLAN:

wlan ssid-profile guest
essid guest
wepkey1 aaaaaaaaaa
opmode static-wep
wlan virtual-ap guest
vlan 63
ssid-profile guest
ap-group first-floor
virtual-ap guest
ap-group second-floor
virtual-ap guest

Non-Guest WLANs
You create and configure the SSID profile “WLAN-01” with the ESSID “WLAN-01”
and WPA TKIP encryption. You need to create and configure two virtual AP
profiles: one with VLAN 60 for the first-floor AP group and the other with VLAN
61 for the second-floor AP group. Each virtual AP profile references the SSID
profile “WLAN-01” and the previously-configured AAA profile “aaa_dot1x”.

Using the WebUI to configure the non-guest WLANs:
1.

Navigate to the Configuration > Wireless > AP Configuration page.

In the AP Group list, select first-floor.

In the Profiles list, select Wireless LAN, then select Virtual AP.

To configure the WLAN-01_first-floor virtual AP:

Under Profile Details, elect NEW. Enter WLAN-01_first-floor, and click
Add.

Click Apply.

Select the virtual AP you just created.

For VLAN, enter 60.

Click Apply.

To configure the aaa_dot1x AAA profile:
A.

In the Profiles list, select AAA Profile (under WLAN-01_first-floor virtual
AP):

Select aaa_dot1x from the AAA Profile drop-down menu.

Click Apply.

208 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

To configure the WLAN-01 SSID profile:
A.

In the Profiles list, select SSID Profile (under WLAN-01_first-floor virtual
AP):

Select NEW. Enter WLAN-01, then click Apply.

For Network Name, enter WLAN-01.

For Network Authentication, select WPA.

Click Apply.

Navigate to the Configuration > Wireless > AP Configuration page.

In the AP Group list, select second-floor.

In the Profiles list, select Wireless LAN, then select Virtual AP.

10. To configure the WLAN-01_second-floor virtual AP:
A.

Under Profile Details, elect NEW. Enter WLAN-01_second-floor, and click
Add.

Click Apply.

Select the virtual AP you just created.

For VLAN, enter 61.

Click Apply.

11. To configure the aaa_dot1x AAA profile:
A.

In the Profiles list, select AAA Profile (under WLAN-01_second-floor
virtual AP).

Select aaa_dot1x from the AAA Profile drop-down menu.

Click Apply.

12. To configure the WLAN-01 SSID profile:
A.

In the Profiles list, select SSID Profile (under WLAN-01_second-floor
virtual AP).

Select WLAN-01 from the SSID Profile drop-down menu.

Click Apply.

Using the CLI to configure the non-guest WLANs:

wlan ssid-profile WLAN-01
essid WLAN-01
opmode wpa-tkip
wlan virtual-ap WLAN-01_first-floor

AOS-W 3.1
User Guide

209

Configuring 802.1x Authentication
Chapter 9

vlan 60
ssid-profile WLAN-01
aaa-profile aaa_dot1x

wlan virtual-ap WLAN-01_second-floor
vlan 61
ssid-profile WLAN-01
aaa-profile aaa_dot1x
ap-group first-floor
virtual-ap WLAN-01_first-floor
ap-group second-floor
virtual-ap WLAN-01_second-floor

210 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

Authentication with the WLAN Switch’s Internal
Database
In the following example:

The WLAN Switch’s internal database provides user authentication.

The authentication type is WPA. From the 802.1x authentication exchange,
the client and the WLAN Switch derive dynamic keys to encrypt data
transmitted on the wireless network.

Configuring Policies and Roles
Create the following policies and user roles:

The student policy prevents students from using telnet, POP3, FTP, SMTP,
SNMP, or SSH to the wired portion of the network. The student policy is
mapped to the student user role.

The guest policy permits only access to the Internet (via HTTP or HTTPS) and
only during daytime working hours. The guest policy is mapped to the guest
user role.

The allowall policy, a predefined policy, allows unrestricted access to the
network. The allowall policy is mapped to both the sysadmin user role and
the computer user role.

Using the Web to create the student policy and role:
1.

Navigate to the Configuration > Security > Access Control > Policies page.
Select Add to add the student policy.

For Policy Name, enter student.

Under Rules, select Add to add rules for the policy.
A.

Under Source, select user.

Under Destination, select alias.
NOTE:

The following steps define an alias representing all internal
network addresses. Once defined, you can use the alias for other
rules and policies.

Under the alias selection, click New.

II.

For Destination Name, enter “Internal Network”.
a.

Click Add to add a rule.

AOS-W 3.1
User Guide

211

Configuring 802.1x Authentication
Chapter 9

For Rule Type, select network.

For IP Address, enter 10.0.0.0.

For Network Mask/Range, enter 255.0.0.0.

Click Add to add the network range.

Repeat steps a-e to add the network range 172.16.0.0
255.255.0.0.

Click Apply. The alias “Internal Network” appears in the
Destination menu

Under Destination, select Internal Network.

Under Service, select service. In the Service scrolling list, select
svc-telnet.

Under Action, select drop.

Click Add.

Under Rules, click Add.
A.

Under Source, select user.

Under Destination, select alias. Then select Internal Network.

Under Service, select service. In the Service scrolling list, select
svc-pop3.

Under Action, select drop.

Click Add.

Repeat steps 4A-E to create rules for the following services: svc-ftp,
svc-smtp, svc-snmp, and svc-ssh.

Click Apply.

Click the User Roles tab. Click Add to create the student role.

For Role Name, enter student.

Under Firewall Policies, click Add. In Choose from Configured Policies, select
the student policy you previously created. Click Done.

10. Click Apply.

Using the WebUI to create the faculty policy and role:
1.

Navigate to the Configuration > Security > Access Control > Policies page.
Click Add to add the faculty policy.

For Policy Name, enter faculty.

Under Rules, click Add to add rules for the policy.

212 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

Under Source, select user.

Under Destination, select alias, then select Internal Network.

Under Service, select service. In the Service scrolling list, select
svc-telnet.

Under Action, select drop.

Click Add.

Repeat steps A-E to create rules for the following services: svc-ftp,
svc-snmp, and svc-ssh.

Click Apply.

Select the User Roles tab. Click Add to create the faculty role.

For Role Name, enter faculty.

Under Firewall Policies, click Add. In Choose from Configured Policies, select
the faculty policy you previously created. Click Done.

Using the WebUI to create the guest policy and role:
1.

Navigate to the Configuration > Security > Access Control > Time Ranges
page to define the time range “working-hours”. Click Add.
A.

For Name, enter working-hours.

For Type, select Periodic.

Click Add.

For Start Day, click Weekday.

For Start Time, enter 07:30.

For End Time, enter 17:00.

Click Done.

Click Apply.

Click the Policies tab. Click Add to add the guest policy.

For Policy Name, enter guest.

Under Rules, click Add to add rules for the policy.
To create rules to permit access to DHCP and DNS servers during working
hours:
A.

Under Source, select user.

Under Destination, select host. In Host IP, enter 10.1.1.25.

Under Service, select service. In the Service scrolling list, select
svc-dhcp.

AOS-W 3.1
User Guide

213

Configuring 802.1x Authentication
Chapter 9

Under Action, select permit.

Under Time Range, select working-hours.

Click Add.

Repeat steps A-F to create a rule for svc-dns.

To create a rule to deny access to the internal network:
A.

Under Source, select user.

Under Destination, select alias. Select Internal Network.

Under Service, select any.

Under Action, select drop.

Click Add.

To create rules to permit HTTP and HTTPS access during working hours:
A.

Under Source, select user.

Under Destination, select any.

Under Service, select service. In the Services scrolling list, select
svc-http.

Under Action, select permit.

Under Time Range, select working-hours.

Click Add.

Repeat steps A-F for the svc-https service.

To create a rule that denies the user access to all destinations and all
services:
A.

Under Source, select user.

Under Destination, select any.

Under Service, select any.

Under Action, select deny.

Click Add.

Click Apply.

Click the User Roles tab. Click Add to create the guest role.

For Role Name, enter guest.

Under Firewall Policies, click Add. In Choose from Configured Policies, select
the guest policy you previously created. Click Done.

214 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

Using the WebUI to create the sysadmin role:
1.

Navigate to Configuration > Security > Access Control > User Roles page.
Click Add to create the sysadmin role.

For Role Name, enter sysadmin.

Under Firewall Policies, click Add. In Choose from Configured Policies, select
the predefined allowall policy. Click Done.

Click Apply.

Using the WebUI to create the computer role:
1.

Navigate to Configuration > Security > Access Control > User Roles page.
Click Add to create the computer role.

For Role Name, enter computer.

Under Firewall Policies, click Add. In Choose from Configured Policies, select
the predefined allowall policy. Click Done.

Click Apply.

Using the CLI to create an alias for the internal network:

netdestination “Internal Network”
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.255.0.0

Using the CLI to create the student role:

svc-telnet deny
svc-pop3 deny
svc-ftp deny
svc-smtp deny
svc-snmp deny
svc-ssh deny

user-role student
session-acl student
session acl allowall

AOS-W 3.1
User Guide

215

Configuring 802.1x Authentication
Chapter 9

Using the CLI to create the faculty role:

ip access-list session faculty
user alias “Internal Network”
user alias “Internal Network”
user alias “Internal Network”
user alias “Internal Network”

svc-telnet deny
svc-ftp deny
svc-snmp deny
svc-ssh deny

user-role faculty
session-acl faculty
session acl allowall

Using the CLI to create the guest role:

Using the CLI to create the sysadmin role:

user-role sysadmin
session-acl allowall

Using the CLI to create the computer role:

user-role computer
session-acl allowall

Configuring the Internal Database
Configure the internal database with the username, password, and role (student,
faculty, or sysadmin) for each user.

216 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

Using the WebUI to configure the internal database:
1.

Navigate to the Configuration > Security > Authentication > Servers page.

In the Servers list, select Internal DB.

Under Users, click Add User to add users.

For each user, enter a username and password.

Select the Role for each user (if a role is not specified, the default role is
guest).

Select the expiration time for the user account in the internal database.

Click Apply.

In the Servers list, select Server Group. In the Server Group Instance list, enter
Internal and click Add.

Select Internal to display configuration parameters for the server group.

Under Servers, click New.

From the Server Name drop-down menu, select Internal. Click Add.

Click Apply.

Using the CLI to configure the internal database:

aaa server-group Internal
auth-server internal
NOTE:

Use the privileged mode in the CLI to configure users in the WLAN
Switch’s internal database.

local-userdb add username password role

Using the WebUI to configure 802.1x authentication:
1.

Navigate to the Configuration > Security > Authentication > L2
Authentication page. In the profiles list, select 802.1x Authentication Profile.
A.

In the Instance list, enter dot1x, then click Add.

AOS-W 3.1
User Guide

217

Configuring 802.1x Authentication
Chapter 9

Select the dot1x profile you just created.

Select Termination.
NOTE:

D.
2.

The defaults for EAP Method and Inner EAP Method are
EAP-PEAP and EAP-MSCHAPv2, respectively.

Click Apply.

Select the AAA Profiles tab.
A.

In the AAA Profiles Summary, click Add to add a new profile.

Enter aaa_dot1x, then click Add.

Select the aaa_dot1x profile you just created.

For 802.1x Authentication Default Role, select student.

Click Apply.

In the Profiles list (under the aaa_dot1x profile you just created), select 802.1x
Authentication Profile.
A.

Select the dot1x profile from the 802.1x Authentication Profile
drop-down menu.

Click Apply.

In the Profiles list (under the aaa_dot1x profile you just created), select 802.1x
Authentication Server Group.
A.

Select the Internal server group you created previously from the
drop-down menu.

Click Apply.

Using the CLI to configure 802.1x authentication:

aaa authentication dot1x dot1x
termination enable
aaa profile aaa_dot1x
dot1x-default-role student
authentication-dot1x dot1x
dot1x-server-group internal

218 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

are internal to the Alcatel WLAN Switch only and do not extend into other parts of
the wired network. The clients’ default gateway is the Alcatel WLAN Switch,
which routes traffic out to the 10.1.1.0 subnetwork.
You configure the VLANs, assign IP addresses to each VLAN, and establish the
“helper address” to which client DHCP requests are forwarded.

Using the WebUI to configure VLANs:
1.

Navigate to the Configuration > Network > VLAN page. Click Add to add
VLAN 60.
A.

For VLAN ID, enter 60.

Click Apply.

Repeat steps A and B to add VLANs 61 and 63.

To configure IP parameters for the VLANs, navigate to the Configuration >
Network > IP > IP Interfaces page.
A.

Click Edit for VLAN 60.

For IP Address, enter 10.1.60.1.

For Net Mask, enter 255.255.255.0.

Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.

Click Apply.

In the IP Interfaces page, click Edit for VLAN 61.
A.

For IP Address, enter 10.1.61.1.

For Net Mask, enter 255.255.255.0.

Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.

Click Apply.

In the IP Interfaces page, click Edit for VLAN 63.
A.

For IP Address, enter 10.1.63.1.

For Net Mask, enter 255.255.255.0.

Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.

Click Apply.

Select the IP Routes tab.
A.

For Default Gateway, enter 10.1.1.254.

Click Apply.

AOS-W 3.1
User Guide

219

Configuring 802.1x Authentication
Chapter 9

Using the WebUI to configure the WLAN:
1.

Navigate to the Configuration > Wireless > AP Configuration page.

In the AP Group list, select first-floor.

In the Profiles list, select Wireless LAN then select Virtual AP.

220 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

To configure the guest virtual AP:
A.

Under Profile Details, select NEW. Enter guest, and click Add.

Click Apply.

Select the guest virtual AP profile you just created.

For VLAN, select 63.

Click Apply.

To create the guest SSID:
A.

Select SSID Profile (under the guest virtual AP profile).

Under Profile Details, select NEW from the SSID Profile drop-down menu.
Enter guest.

For Network Name, enter guest.

For Network Authentication, select None.

For Encryption, select WEP.

Enter the WEP key.

Click Apply.

Navigate to the Configuration > Wireless > AP Configuration page.

In the AP Group list, select second-floor.

In the Profiles list, select Wireless LAN then select Virtual AP.

Under Add a profile, select guest from the drop-down menu. Click Add.

10. Click Apply.

Using the CLI to configure the guest WLAN:

wlan ssid-profile guest
essid guest
wepkey1 aaaaaaaaaa
opmode static-wep
wlan virtual-ap guest
vlan 63
ssid-profile guest
ap-group first-floor
virtual-ap guest
ap-group second-floor
virtual-ap guest

AOS-W 3.1
User Guide

221

Configuring 802.1x Authentication
Chapter 9

Using the WebUI to configure the non-guest WLANs:
1.

Navigate to the Configuration > Wireless > AP Configuration page.

In the AP Group list, select first-floor.

In the Profiles list, select Wireless LAN, then select Virtual AP.

To configure the WLAN-01_first-floor virtual AP:

Under Profile Details, select NEW. Enter WLAN-01_first-floor, and click
Add.

Click Apply.

Select the WLAN-01_first-floor virtual AP profile you just created.

For VLAN, enter 60.

Click Apply.

To configure the aaa_dot1x AAA profile:
A.

Select AAA Profile (under the WLAN-01_first-floor virtual AP profile).

Under Profile Details, select aaa_dot1x from the AAA Profile drop-down
list.

Click Apply.

To configure the WLAN-01 SSID profile:
A.

Select SSID Profile (under the WLAN-01_first-floor virtual AP profile).

Under Profile Details, select NEW from the SSID Profile drop-down menu.
Enter WLAN-01.

For Network Name, enter WLAN-01.

For Network Authentication, select WPA.

Click Apply.

Navigate to the Configuration > Wireless > AP Configuration page.

In the AP Group list, select second-floor.

In the Profiles list, select Wireless LAN then select Virtual AP.

222 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

10. To create the WLAN-01_second-floor virtual AP:
A.

Under Profile Details, select NEW from the Add a profile drop-down
menu. Enter WLAN-01_second-floor, and click Add.

Click Apply.

Select the WLAN-01_second-floor virtual AP profile.

For VLAN, enter 61.

Click Apply.

11. To configure the aaa_dot1x AAA profile:
A.

In the Profiles list, select AAA Profile (under the WLAN-01_second-floor
virtual AP profile).

Select aaa_dot1x from the AAA Profile drop-down menu.

Click Apply.

12. To configure the WLAN-01 SSID profile:
A.

In the Profiles list, select SSID Profile (under the WLAN-01_second-floor
virtual AP profile).

Select WLAN-01 from the SSID Profile drop-down menu.

Click Apply.

Using the CLI to configure the non-guest WLANs:

wlan ssid-profile WLAN-01
essid WLAN-01
opmode wpa-tkip
wlan virtual-ap WLAN-01_first-floor
vlan 60
ssid-profile WLAN-01
aaa-profile aaa_dot1x

wlan virtual-ap WLAN-01_second-floor
vlan 61
ssid-profile WLAN-01
aaa-profile aaa_dot1x
ap-group first-floor
virtual-ap WLAN-01_first-floor
ap-group second-floor
virtual-ap WLAN-01_second-floor
AOS-W 3.1
User Guide

223

Configuring 802.1x Authentication
Chapter 9

Advanced Configuration Options for 802.1x
This section describes advanced configuration options for 802.1x authentication.

Reauthentication with Unicast Key Rotation
When enabled, unicast and multicast keys are updated after each reauthorization.
It is a best practice to configure the time intervals for reauthentication, multicast
key rotation, and unicast key rotation to be at least 15 minutes. Make sure these
intervals are mutually prime, and the factor of the unicast key rotation interval and
the multicast key rotation interval is less than the reauthentication interval.
NOTE:

Unicast key rotation depends upon both the AP/WLAN Switch and
wireless client behavior. It is known that some wireless NICs have issues
with unicast key rotation.

The following is an example of the parameters you can configure for
reauthentication with unicast and multicast key rotation:
Reauthentication:

Enabled

Reauthentication Time Interval:

6011 Seconds

Multicast Key Rotation:

Enabled

Multicast Key Rotation Time Interval:

1867 Seconds

Unicast Key Rotation:

Enabled

Unicast Key Rotation Time Interval:

1021 Seconds

Using the WebUI to configure reauthentication with unicast key
rotation:
1.

Navigate to the Configuration > Security > Authentication > L2
Authentication page.

Select 802.1x Authentication Profile, then select the name of the profile you
want to configure.

Select the Advanced tab. Enter the following values:
z

Reauthentication Interval: 6011

Multicast Key Rotation Time Interval: 1867

Unicast Key Rotation Time Interval: 1021

Multicast Key Rotation: (select)

Unicast Key Rotation: (select)

Reauthentication: (select)

224 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring 802.1x Authentication
Chapter 9

Click Apply.

Using the CLI to configure reauthentication with unicast key rotation:

aaa authentication dot1x profile
reauthentication
timer reauth-period 6011
unicast-keyrotation
timer ukey-rotation-period 1021
multicast-keyrotation
timer mkey-rotation-period 1867

AOS-W 3.1
User Guide

225

Configuring 802.1x Authentication
Chapter 9

226 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal

Captive portal is one of the methods of authentication supported by AOS-W. A
captive portal presents a web page which requires action on the part of the user
before network access is granted. The required action can be simply viewing and
agreeing to an acceptable use policy, or entering a user ID and password which
must be validated against a database of authorized users.
You can also configure captive portal to allow clients to download the Alcatel VPN
dialer for Microsoft VPN clients if the VPN is to be terminated on the Alcatel
WLAN Switch. For more information about the VPN dialer, see Chapter 11,
“Configuring Virtual Private Networks.”
This chapter describes the following topics:

“Overview of Captive Portal Functions” on page 228

“Configuring Captive Portal in the Base AOS-W” on page 229

“Configuring Captive Portal with the Policy Enforcement Firewall License” on
page 233

“Example Authentication with Captive Portal” on page 236

“Captive Portal Configuration Parameters” on page 250

“Optional Captive Portal Configurations” on page 253

“Personalizing the Captive Portal Page” on page 259

AOS-W 3.1
User Guide

227

Configuring Captive Portal
Chapter 10

Overview of Captive Portal Functions
You can configure captive portal for guest users, where no authentication is
required, or for registered users who must be authenticated against an external
server or the WLAN Switch’s internal database.
NOTE:

While you can use captive portal to authenticate users, it does not
provide for encryption of user data and should not be used in networks
where data security is required. Captive portal is most often used for
guest access, access to open systems (such as public hot spots), or as a
way to connect to a VPN.

You can use captive portal for guest and registered users at the same time. The
default captive portal web page provided with AOS-W displays login prompts for
both registered users and guests. (You can customize the default captive portal
page, as described in “Personalizing the Captive Portal Page” on page 259.)
You can also load up to 16 different customized login pages into the WLAN
Switch. The login page displayed is based on the SSID to which the client
associates.

Policy Enforcement Firewall License
You can use captive portal with or without the Policy Enforcement Firewall license
installed in the WLAN Switch. The Policy Enforcement Firewall license provides
identity-based security to wired and wireless clients through user roles and
firewall rules. You must purchase and install the Policy Enforcement Firewall
license on the WLAN Switch to use identity-based security features.
There are differences in how captive portal functions work and how you
configure captive portal, depending on whether the license is installed. Later
sections in this chapter describe how to configure captive portal in the base
operating system (without the Policy Enforcement Firewall license) and with the
license installed.

WLAN Switch Server Certificate
The Alcatel WLAN Switch is designed to provide secure services through the use
of digital certificates. Alcatel WLAN Switches ship with a demonstration digital
certificate. Until you install a customer-specific server certificate in the WLAN
Switch, this demonstration certificate is used by default for all secure HTTP
connections (such as the WebUI and captive portal) and AAA FastConnect. This
certificate is included primarily for the purposes of feature demonstration and
convenience and is not intended for long-term use in production networks. Users
in a production environment are urged to obtain and install a certificate issued for
their site or domain by a well-known certificate authority (CA).

228 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

You can generate a Certificate Signing Request (CSR) on the WLAN Switch to
submit to a CA. For information on how to do this, see “Managing Certificates”
on page 373 in Chapter 18, “Configuring Management Access”.
Once you have received a signed server certificate from the CA, use the following
instructions to import the certificate into the WLAN Switch.

Using the WebUI to import captive portal server certificates:
1.

Navigate to the Configuration > Management > Certificates > Captive Portal
Certificates page.

Click Browse to navigate to the appropriate file on your computer.

Click Upload to install the certificate in the WLAN Switch.

Configuring Captive Portal in the Base AOS-W
The base operating system allows full network access to all users who connect
to an ESSID, whether guest or registered user. In the base operating system, you
cannot configure or customize user roles; this function is only available by
installing the Policy Enforcement Firewall license. Captive portal allows you to
control or identify who has access to network resources.
When you create a captive portal profile in the base operating system, an implicit
user role is automatically created with same name as the captive portal profile.
This implicit user role allows only DNS and DHCP traffic between the client and
network and directs all HTTP or HTTPS requests to the captive portal. You cannot
directly modify the implicit user role or its rules. Upon authentication, captive
portal clients are allowed full access to their assigned VLAN.
Figure 10-21 illustrates the basic tasks for configuring captive portal in the base
operating system; example server group and profile names are in quotation
marks.

AOS-W 3.1
User Guide

229

Configuring Captive Portal
Chapter 10

Create Server Group “cp-srv”

Create Captive Portal Authentication Profile
“c-portal”

Create AAA Profile “aaa_c-portal”

IMPLICIT

USER ROLE “C-PORTAL”
IS CREATED AUTOMATICALLY

Set the initial role to “c-portal”

Create SSID Profile “ssid_c-portal”

Create Virtual AP Profile “vp_c-portal”

FIGURE 10-21 Captive Portal in Base Operating System Example
The following describes the tasks shown in Figure 10-21.
1.

If you are configuring captive portal for registered users, configure the
server(s) and create the server group. In Figure 10-21, the server group is
called “cp-srv”. (See Chapter 8, “Configuring Authentication Servers” for
more information about configuring authentication servers and server
groups.)

Create and configure an instance of the captive portal authentication profile.
Creating the captive portal profile automatically creates an implicit user role
and ACL with the same name. In Figure 10-21, creating the profile “c-portal”
creates an implicit user role called “c-portal” that allows only DNS and DHCP
traffic between the client and network and directs all HTTP or HTTPS
requests to the captive portal.

Create and configure an instance of the AAA profile. For the initial role, enter
the implicit user role that was created when you created the captive portal
profile. In Figure 10-21, the initial role in the profile “aaa_c-portal” must be set
to “c-portal”.

Create and configure an instance of the virtual AP profile that you apply to an
AP group or AP name. Specify the AAA profile you just created.

Create and configure an instance of the SSID profile for the virtual AP.

The following sections describe how to use the WebUI or CLI to configure the
captive portal authentication profile, the AAA profile, and the virtual AP profile.
Other chapters in this manual describe the configuration of the VLAN and
authentication servers and server group.

230 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

NOTE:

In AOS-W 2.5.2 and later 2.5.x releases, captive portal users in the base
operating system are placed into the predefined cpbase initial user role
before authentication. The cpbase role is not supported in AOS-W 3.x.
You need to create new captive portal profiles in the base operating
system, as described in this section, which automatically generates the
required policies and roles.

Using the WebUI to configure captive portal in the base operating
system:
1.

To configure the captive portal authentication profile, navigate to the
Configuration > Security > Authentication > L3 Authentication page. Select
Captive Portal Authentication Profile.
A.

In the Captive Portal Authentication Profile Instance list, enter the name
of the profile (for example, c-portal), then click Add.

Select the captive portal authentication profile you just created.

You can enable user login and/or guest login, and configure other
parameters described in Table 10-21.

Click Apply.

To specify authentication servers, select Server Group under the captive
portal authentication profile you just configured.
A.

Select the server group (for example, cp-srv) from the drop-down menu.

Click Apply.

Select the AAA Profiles tab.
A.

In the AAA Profiles Summary, click Add to add a new profile. Enter the
name of the profile (for example, aaa_c-portal), then click Add.

Select the AAA profile you just created.

For Initial Role, select the captive portal authentication profile (for
example, c-portal) you created previously.
NOTE:

The Initial Role must be exactly the same as the name of the
captive portal authentication profile you created.

Click Apply.

To configure the virtual AP profile, navigate to the Configuration > Wireless >
AP Configuration page. Select either the AP Group or AP Specific tab. Click
Edit for the applicable AP group name or AP name.

Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the “default” virtual AP profile. Select the “default” SSID profile.
Enter anynet for the SSID name. Click Save As, then enter anynet. Click
Apply.

AOS-W 3.1
User Guide

231

Configuring Captive Portal
Chapter 10

NOTE:

The WebUI prevents you from configuring the same ESSID in more
than one virtual AP for an AP group or name. Whenever you create a
new virtual AP profile, the profile automatically contains the “default”
SSID profile with the default “alcatel-ap” SSID. The above step allows
you to create a new virtual AP that does not have the same ESSID as
the “default” virtual AP profile.

Under Profiles, select Virtual AP to display the Profile Details.
A.

To create a new virtual AP profile, select NEW for Add a profile.

Enter the profile name (for example, vp_c-portal), then click Add.

Click Apply.

Under Profiles, select the virtual AP profile you just created.
A.

Make sure Virtual AP enable is selected.

For VLAN, select the VLAN to which users are assigned (for example, 20).

Click Apply.

Under Profiles, select the AAA profile under the virtual AP profile you just
configured.
A.

From the AAA Profile drop-down menu, select aaa_c-portal for the AAA
Profile.

Click Apply.

Under Profiles, select the SSID profile under the virtual AP profile you just
configured.
A.

From the SSID Profile drop-down menu, select NEW. Enter ssid_c-portal.

Enter c-portal-ap for the Network Name.

Click Apply.

Using the CLI to configure captive portal in the base operating system:

aaa authentication captive-portal c-portal
server-group cp-srv
aaa profile aaa_c-portal
initial-role c-portal
wlan ssid-profile ssid_c-portal
essid c-portal-ap
vlan 20
wlan virtual-ap vp_c-portal
ssid-profile ssid_c-portal
aaa-profile aaa_c-portal

232 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

Configuring Captive Portal with the Policy
Enforcement Firewall License
The Policy Enforcement Firewall license provides identity-based security for wired
and wireless users. There are two user roles that are important for captive portal:

Default user role, which you specify in the captive portal authentication
profile, is the role granted to clients upon captive portal authentication. This
can be the predefined guest system role.

Initial user role, which you specify in the AAA profile, directs clients who
associate to the SSID to captive portal whenever the user initiates a Web
browser connection. This can be the predefined logon system role.
The captive portal authentication profile specifies the captive portal login
page and other configurable parameters. The initial user role configuration
must include the applicable captive portal authentication profile instance.

NOTE:

MAC-based authentication, if enabled on the WLAN Switch, takes
precedence over captive portal authentication. If you use captive portal,
do not enable MAC-based authentication.

This section describes how to configure captive portal using role-based access
provided by the Policy Enforcement Firewall software module. You must install
the Policy Enforcement Firewall license, as described in Chapter 19, “Managing
Software Feature Licenses”.
The following are the basic tasks for configuring captive portal using role-based
access:
1.

Create and configure user roles and policies for guest or registered captive
portal users. (See Chapter 7, “Configuring Roles and Policies” for more
information about configuring policies and user roles.)

If you are configuring captive portal for registered users, configure the
server(s) and create the server group. (See Chapter 8, “Configuring
Authentication Servers” for more information about configuring
authentication servers and server groups.)
NOTE:

If you are using the WLAN Switch’s internal database for user
authentication, use the predefined “Internal” server group. You need
to configure entries in the internal database, as described in Chapter
8, “Configuring Authentication Servers”.

Create and configure an instance of the captive portal authentication profile.
Specify the default user role for captive portal users.

Create and configure the initial user role for captive portal. You need to
include the predefined captiveportal policy, which directs clients to the
captive portal, in the initial user role configuration.

AOS-W 3.1
User Guide

233

Configuring Captive Portal
Chapter 10

You also need to specify the captive portal authentication profile instance in
the initial user role configuration. For example, if you are using the predefined
logon system role for the initial role, you need to edit the role to specify the
captive portal authentication profile instance.
5.

Create and configure an instance of the AAA profile. Specify the initial user
role.

Create and configure an instance of the virtual AP profile that you apply to an
AP group or AP name. Specify the AAA profile you just created.

Create and configure an instance of the SSID profile for the virtual AP.

The following sections describe how to use the WebUI or CLI to configure the
captive portal authentication profile, initial user role, the AAA profile, and the
virtual AP profile. Other chapters in this manual describe the configuration of the
user roles and policies and authentication servers and server group.

Using the WebUI to configure captive portal with PEF license:
1.

To configure the captive portal authentication profile, navigate to the
Configuration > Security > Authentication > L3 Authentication page. Select
Captive Portal Authentication Profile.
A.

In the Captive Portal Authentication Profile Instance list, enter the name
of the profile (for example, c-portal), then click Add.

Select the captive portal authentication profile you just created.

Select the default role (for example, employee) for captive portal users.

You can enable guest login and/or user login, as well as other parameters
described in Table 10-21.

Click Apply.

To specify the authentication servers, select Server Group under the captive
portal authentication profile you just configured.
A.

Select the server group (for example, cp-srv) from the drop-down menu.

Click Apply.

Select the AAA Profiles tab.
A.

In the AAA Profiles Summary, click Add to add a new profile. Enter the
name of the profile (for example, aaa_c-portal), then click Add..

Set the Initial role to a role that you will configure with the captive portal
authentication profile.

Click Apply.

To configure the initial user role to use captive portal authentication, navigate
to the Configuration > Security > Access Control page.

234 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

To edit the predefined logon role, select the System Roles tab, then click
Edit for the logon role.

To configure a new role, first configure policy rules in the Policies tab,
then select the User Roles tab to add a new user role and assign policies.

To specify the captive portal authentication profile, scroll down to the
bottom of the page. Select the profile from the Captive Portal Profile
drop-down menu, and click Change.

Click Apply.

The WebUI prevents you from configuring the same ESSID in more
than one virtual AP for an AP group or name. Whenever you create a
new virtual AP profile, the profile automatically contains the “default”
SSID profile with the default “alcatel-ap” SSID. The above step allows
you to create a new virtual AP that does not have the same ESSID as
the “default” virtual AP profile.

Under Profiles, select Virtual AP to display the Profile Details.
A.

To create a new virtual AP profile, select NEW for Add a profile.

Enter the profile name (for example, vp_c-portal), then click Add.

Click Apply.

Under Profiles, select the virtual AP profile you just created.
A.

Make sure Virtual AP enable is selected.

For VLAN, select the VLAN to which users are assigned (for example, 20).

Click Apply.

Under Profiles, select the AAA profile under the virtual AP profile you just
configured.
A.

From the AAA Profile drop-down menu, select aaa_c-portal for the AAA
Profile.

Click Apply.

10. Under Profiles, select the SSID profile under the virtual AP profile you just
configured.
A.

From the SSID Profile drop-down menu, select NEW. Enter ssid_c-portal.

AOS-W 3.1
User Guide

235

Configuring Captive Portal
Chapter 10

Enter c-portal-ap for the Network Name.

Click Apply.

Using the CLI to configure captive portal with PEF license:

aaa authentication captive-portal c-portal
default-role employee
server-group cp-srv
user-role logon
captive-portal c-portal
aaa profile aaa_c-portal
initial-role logon
wlan ssid-profile ssid_c-portal
essid c-portal-ap
vlan 20
wlan virtual-ap vp_c-portal
ssid-profile ssid_c-portal
aaa-profile aaa_c-portal

Example Authentication with Captive Portal
In the following example:

Guest clients associate to the guestnet SSID which is an open wireless LAN.
Guest clients are placed into VLAN 900 and assigned IP addresses by the
WLAN Switch’s internal DHCP server. The user has no access to network
resources beyond DHCP and DNS until they open a web browser and log in
with a guest account using captive portal.

Guest users are given a login and password from guest accounts created in
the WLAN Switch’s internal database. The temporary guest accounts are
created and administered by the site receptionist.

Guest users must enter their assigned login and password into the captive
portal login before they are given access to use web browsers (HTTP and
HTTPS), POP3 email clients, and VPN clients (IPSEC, PPTP, and L2TP) on the
Internet and only during specified working hours. Guest users are prohibited
from accessing internal networks and resources. All traffic to the Internet is
source-NATed.

NOTE:

This example assumes a Policy Enforcement Firewall license is installed in
the WLAN Switch.

236 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

Configuring Policies and Roles
In this example, you create two user roles:

guest-logon is a user role assigned to any client who associates to the
guestnet SSID. Normally, any client that associates to an SSID will be placed
into the logon system role. The guest-logon user role is more restrictive than
the logon role.

auth-guest is a user role granted to clients who successfully authenticate via
the captive portal.

guest-logon User Role
The guest-logon user role consists of the following ordered policies:
1.

captiveportal is a predefined policy that allows captive portal authentication.

guest-logon-access is a policy that you create with the following rules:

Allows DHCP exchanges between the user and the DHCP server during
business hours while blocking other users from responding to DHCP
requests.

Allows ICMP exchanges between the user and the WLAN Switch during
business hours.

block-internal-access is a policy that you create that denies user access to
the internal networks.

NOTE:

The guest-logon user role configuration needs to include the name of the
captive portal authentication profile instance. You can modify the user
role configuration after you create the captive portal authentication profile
instance.

auth-guest User Role
The auth-guest user role consists of the following ordered policies:
1.

cplogout is a predefined policy that allows captive portal logout.

guest-logon-access is a policy that you create with the following rules:

Allows DHCP exchanges between the user and the DHCP server during
business hours while blocking other users from responding to DHCP
requests.

Allows DNS exchanges between the user and the public DNS server
during business hours. Traffic is source-NATed using the IP interface of
the WLAN Switch for the VLAN.

block-internal-access is a policy that you create that denies user access to
the internal networks.

AOS-W 3.1
User Guide

237

Configuring Captive Portal
Chapter 10

auth-guest-access is a policy that you create with the following rules:
z

Allows DHCP exchanges between the user and the DHCP server during
business hours while blocking other users from responding to DHCP
requests.

Allows DNS exchanges between the user and the public DNS server
during business hours. Traffic is source-NATed using the IP interface of
the WLAN Switch for the VLAN.

Allows HTTP/S traffic from the user during business hours. Traffic is
source-NATed using the I interface of the WLAN Switch for the VLAN.

drop-and-log is a policy that you create that denies all traffic and logs the
attempted network access.

Using the WebUI to create a time range:
1.

Navigate to the Configuration > Security > Access Control > Time Ranges
page to define the time range “working-hours”. Click Add.
A.

For Name, enter working-hours.

For Type, select Periodic.

Click Add.

For Start Day, click Weekday.

For Start Time, enter 07:30.

For End Time, enter 17:00.

Click Done.

Click Apply.

Using the WebUI to create the guest-logon-access policy:
1.

Navigate to the Configuration > Security > Access Control > Policies page.
Select Add to add the guest-logon-access policy.

For Policy Name, enter guest-logon-access.

Under Rules, select Add to add rules for the policy.

Under Source, select user.

Under Destination, select any.

Under Service, select udp. Enter 68.

Under Action, select drop.

Click Add.

Under Rules, click Add.

238 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

Under Source, select user.

Under Destination, select any.

Under Service, select service. Select svc-dhcp.

Under Action, select permit.

Under Time Range, select working-hours.

Click Add.

Under Rules, click Add.
A.

Under Source, select user.

Under Destination, select alias.
NOTE:

The following steps define an alias representing the public DNS
server addresses. Once defined, you can use the alias for other
rules and policies.

Under the alias selection, click New.

II.

For Destination Name, enter “Public DNS”.
a.

Click Add to add a rule.

For Rule Type, select host.

For IP Address, enter 64.151.103.120.

Click Add.

For Rule Type, select host.

For IP Address, enter 216.87.84.209.

Click Add.

Click Apply. The alias “Public DNS” appears in the Destination
menu

Under Destination, select Public DNS.

Under Service, select svc-dns.

Under Action, select src-nat.

Under Time Range, select working-hours.

Click Add.

Click Apply.

Using the WebUI to configure the auth-guest-access policy:
1.

Navigate to the Configuration > Security > Access Control > Policies page.
Select Add to add the guest-logon-access policy.

AOS-W 3.1
User Guide

239

Configuring Captive Portal
Chapter 10

For Policy Name, enter auth-guest-access.

Under Rules, select Add to add rules for the policy.

Under Source, select user.

Under Destination, select any.

Under Service, select udp. Enter 68.

Under Action, select drop.

Click Add.

Under Rules, click Add.
A.

Under Source, select user.

Under Destination, select any.

Under Service, select service. Select svc-dhcp.

Under Action, select permit.

Under Time Range, select working-hours.

Click Add.

Under Rules, click Add.
A.

Under Source, select user.

Under Destination, select alias. Select Public DNS from the drop-down
menu.

Under Service, select service. Select svc-dns.

Under Action, select src-nat.

Under Time Range, select working-hours.

Click Add.

Under Rules, click Add.
A.

Under Source, select user.

Under Destination, select any.

Under Service, select service. Select svc-http.

Under Action, select src-nat.

Under Time Range, select working-hours.

Click Add.

Under Rules, click Add.
A.

Under Source, select user.

Under Destination, select any.

240 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

Under Service, select service. Select svc-https.

Under Action, select src-nat.

Under Time Range, select working-hours.

Click Add.

Click Apply.

Using the WebUI to create the block-internal-access policy:
1.

Navigate to the Configuration > Security > Access Control > Policies page.
Select Add to add the block-internal-access policy.

For Policy Name, enter block-internal-access.

Under Rules, select Add to add rules for the policy.
A.

Under Source, select user.

Under Destination, select alias.
NOTE:

The following steps define an alias representing all internal
network addresses. Once defined, you can use the alias for other
rules and policies.

Under the alias selection, click New.

II.

For Destination Name, enter “Internal Network”.
a.

Click Add to add a rule.

For Rule Type, select network.

For IP Address, enter 10.0.0.0.

For Network Mask/Range, enter 255.0.0.0.

Click Add to add the network range.

Repeat steps a-e to add the network ranges 172.16.0.0
255.255.0.0 and 192.168.0.0 255.255.0.0.

Click Apply. The alias “Internal Network” appears in the
Destination menu

Under Destination, select Internal Network.

Under Service, select any.

Under Action, select drop.

Click Add.

Click Apply.

AOS-W 3.1
User Guide

241

Configuring Captive Portal
Chapter 10

Using the WebUI to create the drop-and-log policy:
1.

Navigate to the Configuration > Security > Access Control > Policies page.
Select Add to add the drop-and-log policy.

For Policy Name, enter drop-and-log.

Under Rules, select Add to add rules for the policy.

Under Source, select user.

Under Destination, select any.

Under Service, select any.

Under Action, select drop.

Select Log.

Click Add.

Click Apply.

Using the WebUI to create the guest-logon role:
1.

Navigate to the Configuration > Security > Access Control > User Roles
page.

Click Add.

For Role Name, enter guest-logon.

Under Firewall Policies, click Add.

For Choose from Configured Policies, select captiveportal from the
drop-down menu.

Click Done.

Under Firewall Policies, click Add.

For Choose from Configured Policies, select guest-logon-access from the
drop-down menu.

Click Done.

10. Under Firewall Policies, click Add.
11. For Choose from Configured Policies, select block-internal-access from the
drop-down menu.
12. Click Done.
13. Click Apply.

242 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

Using the WebUI to create the auth-guest role:
1.

Navigate to the Configuration > Security > Access Control > User Roles
page.

Click Add.

For Role Name, enter auth-guest.

Under Firewall Policies, click Add.

For Choose from Configured Policies, select cplogout from the drop-down
menu.

Click Done.

Under Firewall Policies, click Add.

For Choose from Configured Policies, select guest-logon-access from the
drop-down menu.

Click Done.

10. Under Firewall Policies, click Add.
11. For Choose from Configured Policies, select block-internal-access from the
drop-down menu.
12. Click Done.
13. Under Firewall Policies, click Add.
14. For Choose from Configured Policies, select auth-guest-access from the
drop-down menu.
15. Click Done.
16. Under Firewall Policies, click Add.
17. For Choose from Configured Policies, select drop-and-log from the
drop-down menu.
18. Click Done.
19. Click Apply.

Using the CLI to create a time range:

time-range working-hours periodic
weekday 07:30 to 17:00

AOS-W 3.1
User Guide

243

Configuring Captive Portal
Chapter 10

Using the CLI to create aliases:

netdestination “Internal Network”
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.255.0.0
network 192.168.0.0 255.255.0.0
netdestination “Public DNS”
host 64.151.103.120
host 216.87.84.209

Using the CLI to create the guest-logon-access policy:

ip access-list session guest-logon-access
user any udp 68 deny
user any svc-dhcp permit time-range working-hours
user alias “Public DNS” svc-dns src-nat time-range working-hours

Using the CLI to create the auth-guest-access policy:

ip access-list session auth-guest-access
user any udp 68 deny
user any svc-dhcp permit time-range working-hours
user alias “Public DNS” svc-dns src-nat time-range working-hours
user any svc-http src-nat time-range working-hours
user any svc-https src-nat time-range working-hours

Using the CLI to create the block-internal-access policy:

ip access-list session block-internal-access
user alias “Internal Network” any deny

Using the CLI to create the drop-and-log policy:

ip access-list session drop-and-log
user any any deny log

Using the CLI to create the guest-logon role:

user-role guest-logon
session-acl captiveportal position 1
session-acl guest-logon-access position 2
session-acl block-internal-access position 3

244 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

Using the CLI to create the auth-guest role:

user-role auth-guest
session-acl cplogout position 1
session-acl guest-logon-access position 2
session-acl block-internal-access position 3
session-acl auth-guest-access position 4
session-acl drop-and-log position 5

Configuring the Guest VLAN
Guests using the WLAN are assigned to VLAN 900 and are given IP addresses via
DHCP from the WLAN Switch.

Using the WebUI to configure the guest VLAN:
1.

Navigate to the Configuration > Network > VLANs page.
A.

Click Add.

For VLAN ID, enter 900.

Click Apply.

Navigate to the Configuration > Network > IP > IP Interfaces page.
A.

Click Edit for VLAN 900.

For IP Address, enter 192.168.200.20.

For Net Mask, enter 255.255.255.0.

Click Apply.

Click the DHCP Server tab.
A.

Select Enable DHCP Server.

Click Add under Pool Configuration.

For Pool Name, enter guestpool.

For Default Router, enter 192.168.200.20.

For DNS Server, enter 64.151.103.120.

For Lease, enter 4 hours.

For Network, enter 192.168.200.0. For Netmask, enter 255.255.255.0.

Click Done.

Click Apply.

AOS-W 3.1
User Guide

245

Configuring Captive Portal
Chapter 10

Using the CLI to configure the guest VLAN:

vlan 900
interface vlan 900
ip address 192.168.200.20 255.255.255.0
ip dhcp pool "guestpool"
default-router 192.168.200.20
dns-server 64.151.103.120
lease 0 4 0
network 192.168.200.0 255.255.255.0

Configuring Captive Portal Authentication
In this section, you create an instance of the captive portal authentication profile
and the AAA profile. For the captive portal authentication profile, you specify the
previously-created auth-guest user role as the default user role for authenticated
captive portal clients and the authentication server group (“Internal”).

Using the WebUI to configure captive portal authentication:
1.

Navigate to the Configuration > Security > Authentication > L3
Authentication page. In the Profiles list, select Captive Portal Authentication
Profile.
A.

In the Captive Portal Authentication Profile Instance list, enter guestnet
for the name of the profile, then click Add.

Select the captive portal authentication profile you just created.

For Default Role, select auth-guest.

Select User Login.

Deselect (uncheck) Guest Login.

Click Apply.

Select Server Group under the guestnet captive portal authentication profile
you just created.
A.

Select internal from the Server Group drop-down menu.

Click Apply.

Using the CLI to configure captive portal authentication:

aaa authentication captive-portal guestnet
default-role auth-guest
user-logon
no guest-logon
246 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

server-group internal

Modifying the Initial User Role
The captive portal authentication profile specifies the captive portal login page
and other configurable parameters. The initial user role configuration must include
the applicable captive portal authentication profile instance. Therefore, you need
to modify the guest-logon user role configuration to include the guestnet captive
portal authentication profile.

Using the WebUI to modify the guest-logon role:
1.

Navigate to the Configuration > Security > Access Control > User Roles
page.

Select Edit for the guest-logon role.

Scroll down to the bottom of the page.

Select the captive portal authentication profile you just created from the
Captive Portal Profile drop-down menu, and click Change.

Click Apply.

Using the CLI to modify the guest-logon role:

user-role guest-logon
captive-portal guestnet

Configuring the AAA Profile
In this section, you configure the guestnet AAA profile, which specifies the
previously-created guest-logon role as the initial role for clients who associate to
the WLAN.

Using the WebUI to configure the AAA profile:
1.

Navigate to the Configuration > Security > Authentication > AAA Profiles
page.

In the AAA Profiles Summary, click Add to add a new profile. Enter guestnet
for the name of the profile, then click Add.

For Initial role, select guest-logon.

Click Apply.

AOS-W 3.1
User Guide

247

Configuring Captive Portal
Chapter 10

Using the CLI to configure the AAA profile:

aaa profile guestnet
initial-role guest-logon

Configuring the WLAN
In this section, you create the guestnet virtual AP profile for the WLAN. The
guestnet virtual AP profile contains the SSID profile guestnet (which configures
opensystem for the SSID) and the AAA profile guestnet.

Using the WebUI to configure the guest WLAN:
1.

Navigate to the Configuration > Wireless > AP Configuration page.

Select either AP Group or AP Specific tab. Click Edit for the AP group or AP
name.

Under Profiles, select Virtual AP to display the Profile Details.
A.

To create a new virtual AP profile, select NEW for Add a profile.

Enter the profile name guestnet, then click Add.

Click Apply.

Under Profiles, select the guestnet virtual AP profile you just created.
A.

Make sure Virtual AP enable is selected.

For VLAN, select VLAN 900.

Click Apply.

Under Profiles, select the AAA profile under the guestnet virtual AP profile.

248 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

From the AAA Profile drop-down menu, select guestnet for the AAA
Profile.

Click Apply.

Under Profiles, select the SSID profile under the guestnet virtual AP profile.
A.

From the SSID Profile drop-down menu, select NEW. Enter guestnet.

For Network Name, enter guestnet.

For Network Authentication, select None.

For Encryption, select Open.

Click Apply.

Using the CLI to configure the guest WLAN:

wlan ssid-profile guestnet
essid guestnet
opmode opensystem
aaa profile guestnet
initial-role guest-logon
wlan virtual-ap guestnet
vlan 900
ssid-profile guestnet
aaa-profile guestnet

User Account Administration
Temporary user accounts are created in the internal database on the WLAN
Switch. You can create a user role which will allow a receptionist to create
temporary user accounts. Guests can use the accounts to log into a captive portal
login page to gain Internet access.
See “Creating Guest Accounts” on page 393 for more information about
configuring guest provisioning users and administering guest accounts.

AOS-W 3.1
User Guide

249

Configuring Captive Portal
Chapter 10

Captive Portal Configuration Parameters
Table 10-21 describes configuration parameters on the WebUI Captive Portal
Authentication profile page.
NOTE:

In the CLI, you configure these options with the aaa authentication
captive-portal commands.

TABLE 10-21 Captive Portal Authentication Profile Parameters
Parameter

Description

Default role

Role assigned to the Captive Portal user upon login.
When both user and guest logon are enabled, the
default role applies to the user logon; users logging in
using the guest interface are assigned the guest role.
NOTE:

The Policy Enforcement Firewall license must
be installed.

Default: guest
Redirect Pause

Time, in seconds, that the system remains in the initial
welcome page before redirecting the user to the final
web URL. If set to 0, the welcome page displays until
the user clicks on the indicated link.
Default: 10 seconds.

User Login

Enables Captive Portal with authentication of user
credentials.
Default: enabled

Guest Login

Enables Captive Portal logon without authentication.
Default: disabled

Logout popup window

Enables a pop-up window with the Logout link for the
user to logout after logon. If this is disabled, the user
remains logged in until the user timeout period has
elapsed or the station reloads.
Default: enabled

Use HTTP for
authentication

Use HTTP protocol on redirection to the Captive Portal
page. If you use this option, modify the captiveportal
policy to allow HTTP traffic.
Default: Disabled (HTTPS is used)

250 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

TABLE 10-21 Captive Portal Authentication Profile Parameters (Continued)
Parameter

Description

Logon wait minimum
wait

Minimum time, in seconds, the user will have to wait
for the logon page to pop up if the CPU load is high.
This works in conjunction with the Logon wait CPU
utilization threshold parameter.
Default: 5 seconds.

Logon wait maximum
wait

Maximum time, in seconds, the user will have to wait
for the logon page to pop up if the CPU load is high.
This works in conjunction with the Logon wait CPU
utilization threshold parameter.
Default: 10 seconds.

Logon wait CPU
utilization threshold

CPU utilization percentage above which the Logon
wait interval is applied when presenting the user with
the logon page.
Default: 60%

Max authentication
failures

Maximum number of authentication failures before the
user is blacklisted.
Default: 0

Show FQDN

Allows the user to see and select the fully-qualified
domain name (FQDN) on the login page.
Default: disabled

Use CHAP

Use CHAP protocol.
Default: PAP

Sygate-on-demandagent

Enables client remediation with
Sygate-on-demand-agent (SODA).
Default: disabled

URL of the page that appears for the user logon. This
can be set to any URL.
Default: /auth/index.html

AOS-W 3.1
User Guide

251

Configuring Captive Portal
Chapter 10

TABLE 10-21 Captive Portal Authentication Profile Parameters (Continued)
Parameter

Description

Welcome page

URL of the page that appears after logon and before
redirection to the web URL. This can be set to any
URL.
Default: /auth/welcome.html

Show Welcome Page

Enables the display of the welcome page. If this option
is disabled, redirection to the web URL happens
immediately after logon.
Default: Enabled

Proxy Server
Configuration

Configures IP address and port number for proxy
server.
Default: N/A

252 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

Optional Captive Portal Configurations
This section describes the following optional captive portal configurations:

“Per-SSID Captive Portal Page” on page 253

“Changing the Protocol to HTTP” on page 254

“Proxy Server Redirect” on page 255

“Redirecting Clients on Different VLANs” on page 257

“Web Client Configuration with Proxy Script” on page 257

Per-SSID Captive Portal Page
You can upload custom login pages for captive portal into the WLAN Switch
through the WebUI (see Appendix E, “Internal Captive Portal”). The SSID to which
the client associates determines the captive portal login page displayed.
You specify the captive portal login page in the captive portal authentication
profile, along with other configurable parameters. The initial user role
configuration must include the applicable captive portal authentication profile
instance. (In the case of captive portal in the base operating system, the initial
user role is automatically created when you create the captive portal
authentication profile instance.) You then specify the initial user role for captive
portal in the AAA profile for the WLAN.
When you have multiple captive portal login pages loaded in the WLAN Switch,
you must configure a unique initial user role and user role, and captive portal
authentication profile, AAA profile, SSID profile, and virtual AP profile for each
WLAN that will use captive portal. For example, if you want to have different
captive portal login pages for the following departments:

Engineering

Business

Faculty

AOS-W 3.1
User Guide

253

Configuring Captive Portal
Chapter 10

you need to create and configure the following:

Engineering

Business

Faculty

Captive portal
login page

/auth/eng-login.html

/auth/bus-login.html

/auth/fac-login.html

Captive portal
user role

eng-user

bus-user

fac-user

Captive portal eng-cp
authentication
(Specify
profile
/auth/eng-login.html
and eng-user)

bus-cp

fac-cp

(Specify
/auth/bus-login.html
and bus-user)

(Specify
/auth/bus-login.html
and fac-user)

Initial user role eng-logon

bus-logon

fac-logon

(Specify the eng-cp
profile)

(Specify the bus-cp
profile)

(Specify the
fac-logon profile)

eng-aaa

bus-aaa

fac-aaa

(Specify the
eng-logon user role)

(Specify the
bus-logon user role)

(Specify the
fac-logon user role)

AAA profile

SSID profile

eng-ssid

bus-ssid

fac-ssid

Virtual AP
profile

eng-vap

bus-vap

fac-vap

Changing the Protocol to HTTP
By default, the HTTPS protocol is used on redirection to the Captive Portal page. If
you need to use HTTP instead, you need to do the following:
1.

Modify the captive portal authentication profile to enable the HTTP protocol.

(For captive portal with role-based access only) Modify the captiveportal
policy to permit HTTP traffic instead of HTTPS traffic.
NOTE:

In the base operating system, the implicit ACL captive-portal-profile is
automatically modified.

The following sections describe how use the WebUI and CLI to do this.

Using the WebUI to change the protocol to HTTP:
1.

Edit the captive portal authentication profile by navigating to the
Configuration > Security > Authentication > L3 Authentication page.

254 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

Enable (select) “Use HTTP for authentication”.

Click Apply.

(For captive portal with role-based access only) Edit the captiveportal policy
by navigating to the Configuration > Security > Access Control > Policies
page.
A.

Delete the rule for “user mswitch svc-https permit”.

Add a new rule with the following values and move this rule to the top of
the rules list:

–

source is user

–

destination is the mswitch alias

–

service is svc-http

–

action is permit

Click Apply.

Using the CLI to change the protocol to HTTP:

aaa authentication captive-portal profile
protocol-http
(For captive portal with role-based access only)

ip access-list session captiveportal
no user alias mswitch svc-https permit
user alias mswitch svc-http permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081

Proxy Server Redirect
You can configure captive portal to work with proxy Web servers. End users have
their browser proxy server settings configured for the proxy server’s IP address
and TCP port. When the user opens a Web browser, the HTTP/S connection
request must be redirected from the proxy server to the captive portal on the
WLAN Switch.
To configure captive portal to work with a proxy server:
1.

Modify the captive portal authentication profile to specify the proxy server’s
IP address and TCP port.

(For captive portal with role-based access only) Modify the captiveportal
policy to have traffic for the proxy server’s port destination NATed to port
8088 on the WLAN Switch.

AOS-W 3.1
User Guide

255

Configuring Captive Portal
Chapter 10

NOTE:

In the base operating system, the implicit ACL captive-portal-profile is
automatically modified.

The following sections describe how use the WebUI and CLI to do this.
NOTE:

When HTTPS traffic is redirected from a proxy server to the WLAN
Switch, the user’s browser will display a warning that the subject name
on the certificate does not match the hostname to which the user is
connecting.

Using the WebUI to redirect proxy server traffic:
1.

Edit the captive portal authentication profile by navigating to the
Configuration > Security > Authentication > L3 Authentication page.
A.

For Proxy Server, enter the IP address and port for the proxy server.

Click Apply.

(For captive portal with role-based access only) Edit the captiveportal policy
by navigating to the Configuration > Security > Access Control > Policies
page.
A.

Add a new rule with the following values:
–

Source is user

–

Destination is any

–

Service is TCP

–

Port is the TCP port on the proxy server

–

Action is dst-nat

–

IP address is the IP address of the proxy port

–

Port is the port on the proxy server

Click Add to add the rule. Use the up arrows to move this rule just below
the rule that allows HTTP(S) traffic.

Click Apply.

Using the CLI to redirect proxy server traffic:

aaa authentication captive-portal profile
proxy host ipaddr port port
(For captive portal with role-based access only)

ip access-list session captiveportal
user alias mswitch svc-https permit
user any tcp port dst-nat 8088
256 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

user any svc-http dst-nat 8080
user any svc-https dst-nat 8081

Redirecting Clients on Different VLANs
You can redirect wireless clients that are on different VLANs (from the WLAN
Switch’s IP address) to the captive portal on the WLAN Switch. To do this:
1.

Specify the redirect address for the captive portal.

(For captive portal with Policy Enforcement Firewall license only) Modify the
captiveportal policy to permit HTTP/S traffic to the destination cp-redirect
instead of mswitch.
NOTE:

In the base operating system, the implicit ACL captive-portal-profile is
automatically modified.

The following section describes how to use the CLI to do this.

Using the CLI:

ip cp-redirect-address ipaddr
(For captive portal with Policy Enforcement Firewall license)

ip access-list session captiveportal
user cp-redirect svc-https permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081

Web Client Configuration with Proxy Script
If the web client proxy configuration is distributed through a proxy script (a .pac
file), you need to configure the captiveportal policy to allow the client to
download the file.
NOTE:

To modify the captiveportal policy, you must have the Policy
Enforcement Firewall license installed in the WLAN Switch.

Using the WebUI to allow clients to download proxy script:
1.

Edit the captiveportal policy by navigating to the Configuration > Security >
Access Control > Policies page.

Add a new rule with the following values:
z

Source is user

AOS-W 3.1
User Guide

257

Configuring Captive Portal
Chapter 10

Destination is host

Host IP is the IP address of the proxy server

Service is svc-https or svc-http

Action is permit

Click Add to add the rule. Use the up arrows to move this rule above the rules
that perform destination NAT.

Click Apply.

Using the CLI to allow clients to download proxy script:

ip access-list session captiveportal
user alias mswitch svc-https permit
user any tcp port dst-nat 8088
user host ipaddr svc-https permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081

258 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Captive Portal
Chapter 10

Personalizing the Captive Portal Page
The following can be personalized on the default captive portal page:

Captive portal background

Page text

Acceptance Use Policy

NOTE:

You can create your own web pages and install them in the WLAN Switch
for use with captive portal. See Appendix E, “Internal Captive Portal.”

Navigate to the Maintenance > Captive Portal > Customize Login Page
page.

You can choose one of three page designs. To select an existing design, click
the first or the second page design present.
2.

To customize the page background:
A.

Select the YOUR CUSTOM BACKGROUND page.

Under Additional options, enter the location of the JPEG image in the
Upload your own custom background field.

You can also set the background color in the Custom page background
color field. The color code must a hexadecimal value in the format
#hhhhhh.

AOS-W 3.1
User Guide

259

Configuring Captive Portal
Chapter 10

You can view the background setting by first clicking Submit on the
bottom on the page, then clicking the View CaptivePortal link. This
displays the Captive Portal page as it will be seen by users.

To customize the captive portal background text:
A.

Enter the text that needs to be displayed in the Page Text (in HTML
format) message box.

To view the changes, click Submit at the bottom on the page and then
click the View CaptivePortal link. This displays the Captive Portal page
as it will be seen by users.

To customize the text under the Acceptable Use Policy:
A.

Enter the policy information in the Policy Text text box. This appears only
in case of guest logon.

To view the changes, click Submit at the bottom on the page and then
click the View CaptivePortal link. This displays the Captive Portal page
as it will be seen by users.

The text you entered appears in a text box when the user clicks the
Acceptable Use Policy on the Captive Portal web page.
To upload a customized login page, use the Maintenance > Captive Portal >
Upload Custom Login Pages page in the WebUI.

260 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Virtual Private
Networks

For wireless networks, virtual private network (VPN) connections can be used to
further secure the wireless data from attackers. The Alcatel WLAN Switch can be
used as a VPN concentrator that terminates all VPN connections from both wired
and wireless clients.
NOTE:

VPN is an optional AOS-W software module. You must purchase and
install the license for the VPN software module on the WLAN Switch.

This chapter describes the following topics:

“VPN Configuration” on page 262

“Configuring VPN with L2TP IPSec” on page 263

“Configuring VPN with PPTP” on page 266

“Configuring Alcatel Dialer” on page 267

“Configuring Site-to-Site VPN” on page 269

AOS-W 3.1
User Guide

261

Configuring Virtual Private Networks
Chapter 11

VPN Configuration
Before enabling VPN authentication, you must configure the following:

The default user role for authenticated VPN clients. See Chapter 7,
“Configuring Roles and Policies” for information about configuring user roles.

The authentication server group the WLAN Switch will use to validate the
clients. See Chapter 8, “Configuring Authentication Servers” for configuration
details.

NOTE:

A server-derived role, if present, takes precedence over the default user
role.

You then specify the default user role and authentication server group in the VPN
authentication profile.

Using the WebUI to configure VPN authentication:
1.

Navigate to the Configuration > Security > Authentication > L3
Authentication page.

In the Profiles list, select VPN Authentication Profile.

Select the Default Role from the drop-down menu.

(Optional) Set Max Authentication failures to an integer value (the default
value is 0, which disables this feature). This number indicates the number of
contiguous authentication failures before the station is blacklisted.

Click Apply.

In the Profiles list, select Server Group.

From the drop-down menu, select the server group to be used for VPN
authentication.

Click Apply.

Using the CLI to configure VPN authentication:

aaa authentication vpn
default-role
max-authentication-failure
server-group

262 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Virtual Private Networks
Chapter 11

Configuring VPN with L2TP IPSec
The combination of Layer-2 Tunneling Protocol and Internet Protocol Security
(L2TP/IPSec) is a highly-secure technology that enables VPN connections across
public networks such as the Internet.
L2TP/IPSec provides a logical transport mechanism to send PPP frames as well
as tunneling or encapsulation so that the PPP frames can be sent across an IP
network. L2TP/IPSec relies on the PPP connection process to perform user
authentication and protocol configuration.
With L2TP/IPSec, the user authentication process is encrypted. L2TP/IPSec
connections use the Data Encryption Standard (DES) algorithm or Triple DES
(3DES). L2TP/IPSec requires two levels of authentication:
1.

Computer-level authentication with a certificate or a preshared key to create
the IPSec security associations (SAs) to protect the L2TP-encapsulated data.

User-level authentication through a PPP-based authentication protocol after
the SAs are successfully created.

Complete the steps in “VPN Configuration” on page 262.

Using the WebUI to configure VPN with L2TP IPSec:
1.

Navigate to the Configuration > Advanced Services > VPN Services > IPSEC
page.

Authentication Method and Server Addresses
2.

To enable L2TP, select Enable L2TP.

Select the authentication method. Currently supported methods are
Password Authentication Protocol (PAP), Challenge Handshake
Authentication Protocol (CHAP), Microsoft Challenge Handshake
Authentication Protocol (MSCHAP) and MSCHAP version 2 (MSCHAPv2).

Configure the IP addresses of the primary and secondary Domain Name
System (DNS) servers and primary and secondary Windows Internet Naming
Service (WINS) Server that will be pushed to the VPN client.

Address Pools
This is the pool from which the clients are assigned addresses.
1.

Under Address Pools, click Add to open the Add Address Pool page.

Specify the start address, the end address and the pool name.

Click Done to apply the configuration.

AOS-W 3.1
User Guide

263

Configuring Virtual Private Networks
Chapter 11

Source NAT
Use this option if the IP addresses of clients need to be translated to access the
network. To use this option, you must have created a NAT pool by navigating to
the Configuration > IP > NAT Pools page.

IKE Shared Secrets
You can configure a global IKE key or configure an IKE key for each subnet. Make
sure that this key matches the key on the client.
1.

Under IKE Shared Secrets, click Add to open the Add IKE Secret page.

Enter the subnet and subnet mask. To make the IKE key global, specify
0.0.0.0 and 0.0.0.0 for both values.

Enter the IKE Shared Secret and Verify IKE Shared Secret.

Click Done to apply the configurations.

IKE Policies
1.

Under IKE Policies, click Add to open the IPSEC Add Policy configuration
page.

Set the Priority to 1 for this configuration to take priority over the Default
setting.

Set the Encryption type from the drop-down menu.

Set the HASH Algorithm to SHA or MD5.

Set the Authentication to Pre-Share or RSA.

Set the Diffie Hellman Group to Group 1 or Group 2.
The configurations from 1 through 5 along with the pre-share key need to be
reflected in the VPN client configuration. When using a 3rd party VPN client,
set the VPN configuration on clients to match the choices made above. In
case the Alcatel dialer is used, these configuration need to be made on the
dialer prior to downloading the dialer onto the local client.

Click Done to activate the changes.

Click Apply to apply the changes made before navigating to other pages.

Using the CLI to configure VPN with L2TP IPSec:

Authentication Method and Server Addresses
vpdn group l2tp
enable
ppp authentication {cache-securid|chap|mschap|mschapv2|pap}

264 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Virtual Private Networks
Chapter 11

client configuration {dns|wins} []

Address Pools
ip local pool

Source NAT
ip access-list session srcnat
user any any src-nat pool position 1
user-role guest
session-acl srcnat position 1

IKE Shared Secrets
crypto isakmp key address netmask

IKE Policies
crypto isakmp policy
encryption {3des|aes128|aes192|aes256|des}
authentication {pre-share|rsa-sig}
group {1|2}
hash {md5|sha}
lifetime

AOS-W 3.1
User Guide

265

Configuring Virtual Private Networks
Chapter 11

Configuring VPN with PPTP
Point-to-Point Tunneling Protocol (PPTP) is an alternative to L2TP/IPSec. Like
L2TP/IPSec, PPTP provides a logical transport mechanism to send PPP frames as
well as tunneling or encapsulation so that the PPP frames can be sent across an
IP network. PPTP relies on the PPP connection process to perform user
authentication and protocol configuration.
With PPTP, data encryption begins after PPP authentication and connection
process is completed. PPTP connections use Microsoft Point-to-Point Encryption
(MPPE), which uses the Rivest-Shamir-Aldeman (RSA) RC-4 encryption algorithm.
PPTP connections require user-level authentication through a PPP-based
authentication protocol (MSCHAPv2 is the currently-supported method).
Complete the steps in “VPN Configuration” on page 262.

Using the WebUI to configure VPN with PPTP:
1.

Navigate to the Configuration > Advanced Services > VPN Services > PPTP
page.

To enable PPTP, select Enable PPTP.

Select the authentication protocol. The currently-supported method is
MSCHAPv2.

Configure the primary and secondary DNS servers and primary and secondary
WINS Server that will be pushed to the VPN Dialer.

Configure the VPN Address Pool.

Click Add. The Add Address Pool page displays.

Specify the pool name, start address, and end address.

Click Done on completion to apply the configuration.

Click Apply to apply the changes made before navigating to other pages.

Using the CLI to configure VPN with PPTP:

vpdn group pptp
enable
client configuration {dns|wins} []
ppp authentication {mschapv2}
pptp ip local pool

266 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Virtual Private Networks
Chapter 11

Configuring Alcatel Dialer
For Windows clients, a dialer can be downloaded from the WLAN Switch to
auto-configure tunnel settings on the dialer.

Using the WebUI to configure the Alcatel dialer:
1.

Navigate to the Configuration > Advanced Services > VPN Services >
Dialers page. Click Add to add a new dialer or click the Edit tab to edit an
existing dialer.

Enter the Dialer Name that will be used to identify this setting.

Configure the dialer to work with PPTP or L2TP by selecting the Enable PPTP
or the Enable L2TP checkbox.

Select the authentication protocol. This should match the L2TP protocol list
selected if Enable L2TP is checked or the PPTP list configured if Enable PPTP
is checked.

For L2TP:

Set the IKE Hash Algorithm to SHA or MD5 as in the IKE policy on the
Advanced Services > VPN Services > IPSEC page.

If a preshared key is configured for IKE Shared Secrets in the VPN
Services > IPSEC page, enter the key.

The key you enter in the Dialers page must match the preshared key
configured on the IPSEC page.

Select the IPSEC Mode Group that matches the Diffie Hellman Group
configured for the IPSEC policy.

Select the IPSEC Encryption that matches the Encryption configured for
the IPSEC policy.

Select the IPSEC Hash Algorithm that matches the Hash Algorithm
configured for the IPSEC policy.

Click Done to apply the changes made prior to navigating to another page.

Using the CLI to configure the Alcatel dialer:

vpn-dialer
enable {dnctclear|l2tp|pptp|secureid_newpinmode|wirednowifi}
ike authentication {pre-share |rsa-sig}
ike encryption {3des|des}
ike group {1|2}
ike hash {md5|sha}
ipsec encryption {esp-3des|esp-des}
AOS-W 3.1
User Guide

267

Configuring Virtual Private Networks
Chapter 11

ipsec hash {esp-md5-hmac|esp-sha-hmac}
ppp authentication {cache-securid|chap|mschap|mschapv2|pap}

Captive Portal Download of Dialer
The VPN dialer can be downloaded using Captive Portal. For the user role
assigned through Captive Portal, configure the dialer by the name used to identify
the dialer.
For example, if the captive portal client is assigned the guest role after logging on
through captive portal and the dialer is called mydialer, configure mydialer as the
dialer to be used in the guest role.

Using the WebUI to configure the captive portal dialer:
1.

Navigate to the Configuration > Security > Access Control > User Roles
page.

Click Edit for the user role.

Under VPN Dialer, select the dialer you configured and click Change.

Click Apply.

Using the CLI to configure the captive portal dialer:

user-role
dialer

268 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Virtual Private Networks
Chapter 11

Configuring Site-to-Site VPN
Site-to-site VPN allows sites at different physical locations to securely
communicate with each other over a Layer-3 network such as the Internet. You
can use Alcatel WLAN Switches instead of VPN concentrators to connect the
sites. Or, you can use a VPN concentrator at one site and a WLAN Switch at the
other site.
NOTE:

VPN is an optional AOS-W software module. For site-to-site VPN
between two WLAN Switches, you must purchase and install licenses for
the VPN software module on both WLAN Switches.

You must configure VPN settings on the WLAN Switches at both the local and
remote sites. In the following figure, a VPN tunnel connects Network A to
Network B across the Internet.
VLAN
(SOURCE IP
WLAN SWITCH A
NETWORK A
SOURCE NETWORK

FOR

IKE)

PEER GATEWAY
WLAN SWITCH B

LAYER 3
NETWORK

INTERFACE A

INTERFACE B

NETWORK B
DESTINATION NETWORK

FIGURE 11-22 Site-to-Site VPN Configuration Components
To configure the VPN tunnel on WLAN Switch A, you need to configure the
following:

The source network (Network A)

The destination network (Network B)

The VLAN on which the WLAN Switch A’s interface to the Layer-3 network is
located (Interface A in the figure)

The peer gateway, which is the IP address of WLAN Switch B’s interface to
the Layer-3 network (Interface B in the figure)

To configure a site-to-site VPN on the WLAN Switch:
NOTE:

You must configure VPN settings on the WLAN Switches at both the
local and remote sites.

AOS-W 3.1
User Guide

269

Configuring Virtual Private Networks
Chapter 11

Using the WebUI to configure site-to-site VPN:
1.

Navigate to the Configuration > Advanced Services > VPN Services >
Site-to-Site page.

Under IPSec Maps, click Add to open the Add IPSec Map page.

Enter a name for this VPN connection in the Name field.

Enter the IP address and netmask for the source (the local network connected
to the WLAN Switch) in the Source Network and Source Subnet Mask
fields, respectively. (See WLAN Switch A in Figure 11-22.)

Enter the IP address and netmask for the destination (the remote network to
which the local network will communicate) in the Destination Network and
Destination Subnet Mask fields, respectively. (See WLAN Switch B in
Figure 11-22.)

In the Peer Gateway field, enter the IP address of the interface on the remote
WLAN Switch that connects to the Layer-3 network. (See Interface B in
Figure 11-22.)

Select the VLAN that contains the interface of the local WLAN Switch which
connects to the Layer-3 network. (See Interface A in Figure 11-22.)
This determines the source IP address used to initiate IKE. If you select 0 or
None, the default is the VLAN of the WLAN Switch’s IP address (either the
VLAN where the loopback IP is configured or VLAN 1 if no loopback IP is
configured).

Select Pre-Connect to have the VPN connection established even if there is
no traffic being sent from the local network. If this is not selected, the VPN
connection is only established when traffic is sent from the local network to
the remote network.

Select Trusted Tunnel if traffic between the networks is trusted. If this is not
selected, traffic between the networks is untrusted.

10. Enter the IKE shared secret.
11. Click Done to apply the configuration.

Using the CLI to configure site-to-site VPN:

crypto-local ipsec-map
src-net
dst-net
peer-ip
vlan
preconnect enable|disable
trusted enable
crypto-local isakmp key address netmask

270 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Virtual Private Networks
Chapter 11

Dead Peer Detection
Dead Peer Detection (DPD) is enabled by default on the WLAN Switch for
site-to-site VPNs. DPD, as described in RFC 3706, “A Traffic-Based Method of
Detecting Dead Internet Key Exchange (IKE) Peers,” uses IPSec traffic patterns to
minimize the number of IKE messages required to determine the liveness of an IKE
peers. You can configure DPD parameters.

Using the CLI to configure DPD for site-to-site VPN:

crypto-local isakmp dpd idle-timeout retry-timeout
retry-attempts

AOS-W 3.1
User Guide

271

Configuring Virtual Private Networks
Chapter 11

272 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Advanced
Security

xSec (or Extreme Security) is a cryptographically secure, Layer-2 tunneling
network protocol implemented over the 802.1x protocol. The xSec protocol can
be used to secure Layer-2 traffic between the WLAN Switch and wired and
wireless clients, or between Alcatel WLAN Switches.
NOTE:

xSec is an optional AOS-W software module. You must purchase and
install the license for the xSec software module on the WLAN Switch.

This chapter describes the following topics:

“Overview” on page 274

“Securing Client Traffic” on page 275

“Securing WLAN Switch-to-WLAN Switch Communication” on page 282

“Configuring the Odyssey Client on Client Machines” on page 284

AOS-W 3.1
User Guide

273

Configuring Advanced Security
Chapter 12

Overview
xSec encrypts an original Layer-2 data frame inside a Layer-2 xSec frame, the
contents of which are defined by the protocol. xSec relies on 256-bit Advanced
Encryption Standard (AES) encryption.
Upon 802.1x client authentication, xSec creates a tunnel between the client and
the WLAN Switch. The xSec frame sent over the air or wire between the user and
the WLAN Switch contains user and WLAN Switch information, as well as
original IP and MAC addresses, in encrypted form. The only visible address is the
MAC address assigned by the xSec protocol for the tunnel endpoints. All user
information is secured using xSec. This concept is also extended to secure
management information and data between two WLAN Switches on the same
VLAN.
For xSec tunneling between a client and WLAN Switch to work, a version of the
Funk Odyssey client1 software that supports xSec needs to be installed on the
client. It is possible to secure clients running Windows 2000 and XP operating
systems using xSec and the Odyssey client software.
NOTE:

xSec is an optional licensed feature for Alcatel WLAN Switches. xSec is
automatically enabled on the WLAN Switch when you install the license.

xSec provides the following advantages:

Advanced security as Layer-2 frames are encrypted and tunneled.

Ease of implementation of advanced encryption in a heterogeneous
environment. xSec is designed to support multiple operating systems and a
wide range of network interface cards (NICs). All encryption and decryption
on the client machine is performed by the Odyssey client while the NICs are
configured with NULL encryption. This ensures that even older operating
systems that cannot be upgraded to support WPA or WPA2 authentication
can be secured using xSec and the Odyssey client.

Compatible with TLS, TTLS and PEAP.

Advanced authentication extended to wired clients allowing network
managers to secure wired ports.

1. For information about the currently supported release, please contact Juniper Networks.

274 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Advanced Security
Chapter 12

Securing Client Traffic
You can secure wireless or wired client traffic with xSec. On the client, install the
Odyssey Client software. The xSec client must complete 802.1x authentication.
to connect to the network. The client indicates the use of the xSec protocol
during 802.1x exchanges with the WLAN Switch. (Alcatel WLAN Switches
support 802.1x for both wired and wireless clients.) Upon successful client
authentication, an xSec tunnel is established between the WLAN Switch and the
client.
The authenticated client is placed into a configured VLAN, which determines the
client’s DHCP server, IP address, and Layer-2 connection. For wireless xSec
clients, the VLAN is the user VLAN configured for the WLAN. For wired xSec
clients and wireless xSec clients that connect to the WLAN Switch through a
non-Alcatel AP, the VLAN is a designated xSec VLAN. The VLAN can also be
derived from configured RADIUS server-derivation rules or from Vendor-Specific
Attributes (VSAs). Once an xSec tunnel is established, a DHCP server assigns the
xSec client an IP address from the address pool on the VLAN to which the client
is assigned. All traffic between the client and the WLAN Switch is then encrypted.
The following sections describe how to configure xSec on the WLAN Switch for
wireless and wired clients.

Securing Wireless Clients
The following are the basic steps for configuring the WLAN Switch for xSec
wireless clients:
1.

Configure the user VLAN to which the authenticated clients will be assigned.
See Chapter 3, “Configuring Network Parameters” for more information.

Configure the user role for the authenticated xSec clients. See Chapter 7,
“Configuring Roles and Policies” for information.

Configure the server group that will be used to authenticate clients using
802.1x. See Chapter 8, “Configuring Authentication Servers” for more
information

Configure the AAA profile to specify the 802.1x default user role. Specify the
802.1x authentication server group.
NOTE:

You can configure the 802.1x authentication profile if necessary. See
Chapter 9, “Configuring 802.1x Authentication” for more
information.

Configure the virtual AP profile for the WLAN. Specify the
previously-configured user VLAN.
A.

Specify the previously-configured AAA profile.

Configure the SSID profile with xSec as the authentication.

AOS-W 3.1
User Guide

275

Configuring Advanced Security
Chapter 12

NOTE:
6.

Only xSec clients will be allowed to connect to the WLAN and
non-xSec connections are dropped.

Install and set up the Odyssey Client on the wireless client. See “Configuring
the Odyssey Client on Client Machines” on page 284.

Figure 12-23 is an example network where a wireless xSec client is assigned to
the user VLAN 20 and the user role “employee” upon successful 802.1x
authentication. VLAN 1 includes the port on the WLAN Switch that connects to
the wired network on which the AP is installed. (APs can connect to the WLAN
Switch across either a Layer-2 or Layer-3 network.)

VLAN 1
VLAN 20
WLAN SWITCH

VLAN 20
ALCATEL AP

XSEC

CLIENT

FIGURE 12-23 Wireless xSec Client Example
The following sections describe how to use the WebUI or CLI to configure the
AAA profile and virtual AP profile for this example. Other chapters in this manual
describe the configuration of the user role, VLAN, authentication servers and
server group, and 802.1x authentication profile.

Using the WebUI to configure xSec for wireless clients:
1.

Navigate to the Configuration > Security > Authentication > AAA Profiles
page.
A.

To create a new AAA profile, click Add in the AAA Profiles Summary.

Enter a name for the profile (for example, xsec-wireless), and click Add.

To configure the AAA profile, click on the newly-created profile name.

For 802.1x Authentication Default Role, select a configured user role (for
example, employee).

Click Apply.

In the AAA Profile list, select 802.1x Authentication Server Group under
the AAA profile you configured.

Select the applicable server group (for example, xsec-svrs).

Click Apply.

Navigate to the Configuration > Wireless > AP Configuration page. Select
either the AP Group or AP Specific tab. Click Edit for the applicable AP group
name or AP name.

276 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Advanced Security
Chapter 12

Under Profiles, select Wireless LAN, then select Virtual AP.

In the Virtual AP list, select the “default” virtual AP profile. Select the
“default” SSID profile. Enter anynet for the SSID name. Click Save As, then
enter anynet. Click Apply.
NOTE:

The WebUI prvents you from configuring the same ESSID in more
than one virtual AP for an AP group or name. Whenever you create a
new virtual AP profile, the profile automatically contains the “default”
SSID profile with the default “alcatel-ap” SSID. The step above allows
you to create a new virtual AP profile that does not have the same
ESSID as the “default” virtual AP profile.

To create a new virtual AP profile, select NEW from the Add a profile
drop-down menu. Enter the name for the virtual AP profile (for example,
xsec-wireless), and click Add. Click Apply.
A.

Click on the new virtual AP name in the Profiles list or the Profile Details
to display configuration parameters. For VLAN, enter the ID of the VLAN
in which authenticated xSec clients are placed (for example, 20).

Click Apply.

Select AAA Profile under the virtual AP profile you just configured.
A.

From the AAA Profile list, select the AAA profile you previously
configured.

Click Apply.

Create and configure the SSID profile.
A.

In the Profiles list, select SSID Profile. In the SSID Profile drop-down
menu, select NEW and enter the name for the SSID profile (for example,
xsec-wireless). Click Apply.

In the Profile Details section, enter the Network Name for the SSID (for
example, xsec-ap).

For Network Authentication, select xSec.

Click Apply.

Using the CLI to configure xSec for wireless clients:

wlan ssid-profile xsec-wireless
essid xsec-ap
opmode xSec
aaa profile xsec-wireless
dot1x-default-role employee
dot1x-server-group xsec-svrs
wlan virtual-ap xsec-wireless
vlan 20
AOS-W 3.1
User Guide

277

Configuring Advanced Security
Chapter 12

ssid-profile xsec-wireless
aaa-profile xsec-wireless

Securing Wired Clients
The following are the basic steps for configuring the WLAN Switch for xSec wired
clients:
1.

Configure the VLAN to which the authenticated clients will be assigned. See
Chapter 3, “Configuring Network Parameters” for information.
NOTE:

This VLAN must have an IP interface, and is a different VLAN from
the port’s “native” VLAN that provides connectivity to the network.

Configure the user role for the authenticated xSec clients. See Chapter 7,
“Configuring Roles and Policies” for information.

Configure the server group that will be used to authenticate clients using
802.1x. See Chapter 8, “Configuring Authentication Servers” for information.

Configure the WLAN Switch port to which the wired client(s) are connected.
Specify the VLAN to which the authenticated xSec clients are assigned.
NOTE:

For firewall rules to be enforced after client authentication, the port
must be configured as untrusted.

Configure the AAA profile to specify the 802.1x default user role and the
802.1x authentication server group.

Configure the wired authentication profile to use the AAA profile.

Install and set up the Odyssey Client on the wireless client. See “Configuring
the Odyssey Client on Client Machines” on page 284.

Figure 12-24 is an example network where a wired xSec client is assigned to the
VLAN 20 and the user role “employee” upon successful 802.1x authentication.
Traffic between the WLAN Switch and the xSec client is encrypted.

VLAN 1
VLAN 20
WLAN SWITCH

VLAN 20
XSEC

CLIENT

FIGURE 12-24 Wired xSec Client Example
NOTE:

The VLAN to which you assign an xSec client must be a different VLAN
from the VLAN that contains the WLAN Switch port to which the wired
xSec client or AP is connected.

278 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Advanced Security
Chapter 12

The following sections describe how to use the WebUI or CLI to configure the
WLAN Switch port to which the wired client is connected, the AAA profile, and
the wired authentication profile for this example. Other chapters in this manual
describe the configuration of the user role, VLAN, authentication servers and
server group, and 802.1x authentication profile.

Using the WebUI to configure xSec for wired clients:
1.

Navigate to the Configuration > Networks > Ports page to configure the port
to which the wired client(s) are connected.
A.

Click the port that you want to configure.

Make sure the Enable Port checkbox is selected.

For Enter VLAN(s), select the native VLAN on the port to ensure Layer-2
connectivity to the network. In Figure 12-24, this is VLAN 1.

For xSec VLAN, select the VLAN to which authenticated users are
assigned from the drop-down menu. In Figure 12-24, this is VLAN 20.

Click Apply.

Navigate to the Configuration > Security > Authentication > AAA Profiles
page to configure the AAA profile.
A.

To create a new AAA profile, click Add.

Enter a name for the profile (for example, xsec-wired), and click Add.

To configure the AAA profile, click on the newly-created profile name.

For 802.1x Authentication Default Role, select a configured user role (for
example, employee).

Click Apply.

In the AAA Profile list, select 802.1x Authentication Server Group under
the AAA profile you configured.

Select the applicable server group (for example, xsec-svrs).

Click Apply.

Navigate to the Configuration > Advanced Services > Wired Access page.
A.

Under Wired Access AAA Profile, select the AAA profile you just
configured.

Click Apply.

Using the CLI to configure xSec for wired clients:

interface fastethernet|gigabitethernet slot/port
switchport access vlan 1
AOS-W 3.1
User Guide

279

Configuring Advanced Security
Chapter 12

xsec vlan 20
aaa profile xsec-wired
dot1x-default-role employee
dot1x-server-group xsec-svrs
aaa authentication wired
profile xsec-wired

Securing Wireless Clients Through Non-Alcatel
APs
If xSec clients are connecting through a non-Alcatel AP, you need to configure the
WLAN Switch port to which the AP is connected. The AP must be configured for
no (opensystem) authentication.
The following are the basic steps for configuring the WLAN Switch for xSec
wireless clients connecting through a non-Alcatel AP:
1.

Configure the VLAN to which the authenticated clients will be assigned. See
Chapter 3, “Configuring Network Parameters” for information.
NOTE:

This VLAN must have an IP interface, and is a different VLAN from
the port’s “native” VLAN that provides connectivity to the network.

Configure the user role for the authenticated xSec clients. See Chapter 7,
“Configuring Roles and Policies” for information.

Configure the server group that will be used to authenticate clients using
802.1x. See Chapter 8, “Configuring Authentication Servers” for information.

Configure the WLAN Switch port that connects to the wired network on
which the non-Alcatel AP is installed. Specify the VLAN to which the
authenticated xSec clients are assigned.
NOTE:

The ingress and egress ports for xSec client traffic must be different
physical ports on the WLAN Switch.

Configure the AAA profile to specify the 802.1x default user role and the
802.1x authentication server group.

Configure the wired authentication profile to use the AAA profile.

Install and set up the Odyssey Client on the wireless client. See “Configuring
the Odyssey Client on Client Machines” on page 284.

The following sections describe how to use the WebUI or CLI to configure the
WLAN Switch port and AAA and wired authentication profiles for wireless clients
connecting with non-Alcatel APs. Other chapters in this manual describe the
configuration of the user role, VLAN, authentication servers and server group, and
802.1x authentication profile.

280 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Advanced Security
Chapter 12

Using the WebUI to configure xSec for non-Alcatel AP wireless clients:
1.

Navigate to the Configuration > Networks > Ports page to configure the port
to which the wireless xSec client(s) are connected.
A.

Click the port that you want to configure.

Make sure the Enable Port checkbox is selected.

For Enter VLAN(s), select the native VLAN (for example, VLAN 1) on the
port to ensure Layer-2 connectivity to the network.

For xSec VLAN, select the VLAN to which authenticated users are
assigned from the drop-down menu (for example, VLAN 20)

Click Apply.

Navigate to the Configuration > Security > Authentication > AAA Profiles
page to configure the AAA profile.
A.

To create a new AAA profile, click Add.

Enter a name for the profile (for example, xsec-3party), and click Add.

To configure the AAA profile, click on the newly-created profile name.

For 802.1x Authentication Default Role, select a configured user role (for
example, employee).

Click Apply.

In the AAA Profile list, select 802.1x Authentication Server Group under
the AAA profile you configured.

Select the applicable server group (for example, xsec-svrs).

Click Apply.

Navigate to the Configuration > Advanced Services > Wired Access page.
A.

Under Wired Access AAA Profile, select the AAA profile you just
configured.

Click Apply.

Using the CLI to configure xSec for non-Alcatel AP wireless clients:

interface fastethernet|gigabitethernet slot/port
switchport access vlan 1
xsec vlan 20
aaa profile xsec-wired
dot1x-default-role employee
dot1x-server-group xsec-svrs
aaa authentication wired
profile xsec-wired

AOS-W 3.1
User Guide

281

Configuring Advanced Security
Chapter 12

Securing WLAN Switch-to-WLAN Switch
Communication
xSec can be used to secure data and control traffic passed between two WLAN
Switches. The only requirement is that both WLAN Switches be members of the
same VLAN. To establish a point-to-point tunnel between the two WLAN
Switches, you need to configure the following for the connecting ports on each
WLAN Switch:

The MAC address of the xSec tunnel termination point. This would be the
MAC address of the “other” WLAN Switch.

A 16-byte shared key used to authenticate the WLAN Switches to each other.
You must configure the same shared key on both WLAN Switches.

The VLAN IDs for the VLANs that will extend across both the WLAN Switches
via the xSec tunnel.

Figure 12-25 is an example network where two WLAN Switches are connected to
the same VLAN, VLAN 1. On WLAN Switch 1, you configure the MAC address of
WLAN Switch 2 for the xSec tunnel termination point. On WLAN Switch 2, you
configure the MAC address of WLAN Switch 1 for the xSec tunnel termination
point. On both WLAN Switches, you configure the same 16-byte shared key and
the IDs for the VLANs which are allowed to pass through the xSec tunnel.

101

101
VLAN 1
200

200

250

250
WLAN SWITCH 1
MAC: 01:02:03:04:05:06

WLAN SWITCH 2
MAC: 10:11:12:13:14:15

FIGURE 12-25 WLAN Switch-to-WLAN Switch xSec Example
The following sections describe how to use the WebUI or CLI to configure the
port that connects to the wired network on which the other WLAN Switch is
installed. Other chapters in this manual describe the configuration of VLANs.

Using the WebUI to configure WLAN Switches for xSec:
1.

On each WLAN Switch, navigate to the Configuration > Network > Port
page.

Click on the port to be configured.

282 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Advanced Security
Chapter 12

Select the VLAN from the drop-down list.

Configure the xSec point-to-point settings:

Enter the MAC address of the tunnel termination point (the “other” WLAN
Switch’s MAC address).

Enter the key (for example, 1234567898765432) used by xSec to
establish the tunnel between the WLAN Switches.

Select the VLANs that would be allowed across the point-to-point
connection from the Allowed VLANs drop-down menu, and click the <-button.

Click Apply.

Using the CLI to configure WLAN Switches for xSec:
For WLAN Switch 1:

interface gigabitethernet|fastethernet slot/port
vlan 1
xsec point-to-point 10:11:12:13:14:15 1234567898765432 allowed vlan
101,200,250
For WLAN Switch 2:

interface gigabitethernet|fastethernet slot/port
vlan 1
xsec point-to-point 01:02:03:04:05:06 1234567898765432 allowed vlan
101,200,250

AOS-W 3.1
User Guide

283

Configuring Advanced Security
Chapter 12

Configuring the Odyssey Client on Client
Machines
You can obtain the Odyssey Client from Juniper Networks. For information on
Odyssey Client versions, contact Alcatel or Juniper Networks support.

To install the Odyssey Client:
1.

Unzip and install the Odyssey client on the client laptop.

For wired xSec, to use the Odyssey client to control the wired port, modify
the registry:
A.

On the windows machine, click Start and select Run.

Type regedit in the dialog box and click OK.

Navigate down the tree to HKEY_LOCAL_MACHINE\SOFTWARE\Funk Software,
Inc.\odyssey\client\configuration\options\wiredxsec.

FIGURE 12-26 The regedit Screen

284 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Advanced Security
Chapter 12

Select “policy” from the registry values and right click on it. Select
Modify to modify the contents of policy. Set the value in the resulting
window to required.

FIGURE 12-27 Modifying a regedit Policy
3.

Open the Funk Odyssey Client. Click the Profile tab in the client window. This
allows the user to create the user profile for 802.1x authentication.

FIGURE 12-28 The Funk Odyssey Client Profile

AOS-W 3.1
User Guide

285

Configuring Advanced Security
Chapter 12

In the login name dialog box, enter the login name used for 802.1x
authentication. For the password, the client could use the WINDOWS
password or use the configured password based on the selection made.

Click the certificate tab and enter the certificate information required. This
example shows the PEAP settings.

FIGURE 12-29 Certificate Information
C.

Click the Authentication tab. In the resultant window, click the Add tab
and select EAP/PEAP. Move this option to the top of the list if PEAP is
the method chosen. If certification validation not required, uncheck the
Validate server certificates setting.

Click the PEAP Settings tab and select the EAP protocol supported.

Click OK.

To modify an existing profile, select the profile and then click the
Properties tab.

286 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Advanced Security
Chapter 12

Select the Network tab to configure the network for wireless client. For
wired clients, skip this step.

FIGURE 12-30 Network Profile

Click the Add tab. Enter the SSID to which the client connects.

Set the Network type to Infrastructure.

Set the Association mode to xSec, AES encryption is automatically
selected.

Under Authentication, select the Authenticate using profile checkbox.

From the pull down menu, select the profile used for 802.1x
authentication. This would be one of the profiles configured in step 2.

Select the keys that will be generated automatically for data privacy.

Apply the configuration changes made by clicking on the OK tab.

To modify an existing profile, select the profile and then click the
Properties tab.

Click the Adapters tab if the adapter used is not seen under the list of
adapters pull down menu under connections.
A.

When using a wireless client, click the Wireless tab.

Select the Wireless adapters only radio button. From the resulting list,
select the adapter required from the list and click OK.

AOS-W 3.1
User Guide

287

Configuring Advanced Security
Chapter 12

For wired 802.1x clients, select the Wired 802.1x tab and select the
Wired adapters only radio button. From the resulting list, select the
adapter required from the list and click OK.

Establish the connection.
A.

Click the Connection tab.

From the pull down menu, select the adapter required. If the adapter in
use is not visible, add the adapter as explained in Step 5.

Select the Connect to network checkbox and select the Network option
from the pull down menu. To configure a new network, follow the
instructions in Step 4.

This will automatically start the connection process. To reconnect to the
network, click Reconnect.

Click Scan to display the SSIDs seen by the NIC after a site survey.

288 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring MAC-Based
Authentication

This chapter describes how to configure MAC-based authentication on the
Alcatel WLAN Switch using the WebUI.
Use MAC-based authentication to authenticate devices based on their physical
media access control (MAC) address. While not the most secure and scalable
method, MAC-based authentication implicitly provides an addition layer of
security authentication devices. MAC-based authentication is often used to
authenticate and allow network access through certain devices while denying
access to the rest. For example, if clients are allowed access to the network via
station A, then one method of authenticating station A is MAC-based. Clients
may be required to authenticate themselves using other methods depending on
the network privileges required.
MAC-based authentication can also be used to authenticate WiFi phones as an
additional layer of security to prevent other devices from accessing the voice
network using what is normally an insecure SSID.
This chapter describes the following topics:

“Configuring MAC-Based Authentication” on page 290

“Configuring Clients” on page 292

AOS-W 3.1
User Guide

289

Configuring MAC-Based Authentication
Chapter 13

Configuring MAC-Based Authentication
Before configuring MAC-based authentication, you must configure:

The user role that will be assigned as the default role for the MAC-based
authenticated clients. (See Chapter 7, “Configuring Roles and Policies” for
information on firewall policies to configure roles).
You configure the default user role for MAC-based authentication in the AAA
profile. If derivation rules exist or if the client configuration in the internal
database has a role assignment, these values take precedence over the
default user role.

Authentication server group that the WLAN Switch uses to validate the
clients. The internal database can be used to configure the clients for
MAC-based authentication. See “Configuring Clients” on page 292 for
information on configuring the clients on the local database. For information
on configuring authentication servers and server groups, see Chapter 8,
“Configuring Authentication Servers.”

Configuring the MAC Authentication Profile
Table 13-22 describes the parameters you can configure for MAC-based
authentication.

TABLE 13-22 MAC Authentication Profile Configuration Parameters
Parameter

Description

Delimiter

Delimiter used in the MAC string:

colon specifies the format xx:xx:xx:xx:xx:xx

dash specifies the format xx-xx-xx-xx-xx-xx

none specifies the format xxxxxxxxxxxx

Default: none
Case

The case (upper or lower) used in the MAC string.
Default: lower

Max Authentication
failures

Number of times a station can fail to authenticate
before it is blacklisted. A value of 0 disables
blacklisting.
Default: 0

290 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring MAC-Based Authentication
Chapter 13

Using the WebUI to configure a MAC authentication profile:
1.

Navigate to the Configuration > Security > Authentication > L2
Authentication page.

Select MAC Authentication Profile.

Enter a profile name and click Add.

Select the profile name to display configurable parameters.

Configure the parameters, as described in Table 13-22.

Click Apply.

Using the CLI to configure a MAC authentication profile:

aaa authentication mac
case {lower|upper}
delimiter {colon|dash|none}
max-authentication-failures

AOS-W 3.1
User Guide

291

Configuring MAC-Based Authentication
Chapter 13

Configuring Clients
You can create entries in the WLAN Switch’s internal database that can be used
to authenticate client MAC addresses. The internal database contains a list of
clients along with the password and default role for each client. To configure
entries in the internal database for MAC authentication, you enter the MAC
address for both the user name and password for each client.
NOTE:

You must enter the MAC address using the delimiter format configured in
the MAC authentication profile. The default delimiter is none, which
means that MAC addresses should be in the format xxxxxxxxxxxx. If you
specify colons for the delimiter, you can enter MAC addresses in the
format xx:xx:xx:xx:xx:xx.

For each entry in the internal database, you can assign a role to the client that is
different from the MAC authentication default role; this server-derived role takes
precedence over the default role.

Using the WebUI to configure clients in the internal database:
1.

Navigate to the Configuration > Security > Authentication > Servers > page.

Select Internal DB.

Click Add User in the Users section. The user configuration page displays.

For User Name and Password, enter the MAC address for the client. Use the
format specified by the Delimiter parameter in the MAC Authentication profile.
For example, if the MAC Authentication profile specifies the default delimiter
(none), enter MAC addresses in the format xxxxxxxxxxxx.

Click Enabled to activate this entry on creation.

Click Apply to apply the configuration.
NOTE:

The configuration does not take effect until you perform this step.

Using the CLI to configure clients in the internal database:
Enter the following command in enable mode:

local-userdb add username password ...

292 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Volume 5
Configuring
Multiple
WLAN Switch
Environments
AOS-W Version 3.1

294 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Adding Local WLAN
Switches

This chapter explains how to expand your network by adding a local WLAN
Switch to a master WLAN Switch configuration. Typically, this is the first
expansion of a network with just one WLAN Switch (which is a master WLAN
Switch). This chapter is a basic discussion of creating master-local WLAN Switch
configurations. More complicated multi-WLAN Switch configurations are
discussed in other chapters.
This chapter describes the following topics:

“Moving to a Multi-WLAN Switch Environment” on page 296

“Configuring Local WLAN Switches” on page 298

AOS-W 3.1
User Guide

295

Adding Local WLAN Switches
Chapter 14

Moving to a Multi-WLAN Switch Environment
For a single WLAN configuration, the master WLAN Switch is the WLAN Switch
which controls the RF and security settings of the WLAN. Additional WLAN
Switches to the same WLAN serve as local switches to the master WLAN Switch.
The local WLAN Switch operates independently of the master WLAN Switch and
depends on the master WLAN Switch only for its security and RF settings. You
configure the layer-2 and layer-3 settings on the local WLAN Switch independent
of the master WLAN Switch. The local WLAN Switch needs to have connectivity
to the master WLAN Switch at all times to ensure that any changes on the master
are propagated to the local WLAN Switch.
Some of the common reasons to move from a single to a multi-WLAN
Switch-environment include:

Scaling to include a larger coverage area

Setting up remote Access Points (APs)

Network setup requires APs to be redistributed from a single WLAN Switch
to multiple WLAN Switches

Preshared Key for Inter-WLAN Switch
Communication
A preshared key (PSK) is used to create IPSec tunnels between a master and
backup master WLAN Switches and between master and local WLAN Switches.
These inter-WLAN Switch IPSec tunnels carry management traffic such as
mobility, configuration, and master-local information.
NOTE

An inter-WLAN Switch IPSec tunnel can be used to route data between
networks attached to the WLAN Switches if you have installed VPN
licenses in the WLAN Switches. To route traffic, configure a static route
on each WLAN Switch specifying the destination network and the name
of the IPSec tunnel.

There is a default PSK to allow inter-WLAN Switch communications, however, for
security you should configure a a unique PSK for each WLAN Switch pair (see
“Best Security Practices for the Preshared Key” on page 297). You can use either
the WebUI or CLI to configure a 6-64 character PSK on master and local WLAN
Switches.
To configure a unique PSK for each WLAN Switch pair, you must configure the
master WLAN Switch with the IP address of the local and the PSK, and configure
the local WLAN Switch with the IP address of the master and the PSK.

296 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Adding Local WLAN Switches
Chapter 14

You can configure a global PSK for all master-local communications, although this
is not recommended for networks with more than two WLAN Switches (see
“Best Security Practices for the Preshared Key” on page 297). On the master
WLAN Switch, use 0.0.0.0 for the IP address of the local. On the local WLAN
Switch, configure the IP address of the master and the PSK.
The local WLAN Switch can be located behind a NAT device or over the Internet.
On the local WLAN Switch, when you specify the IP address of the master WLAN
Switch, use the public IP address for the master. On the master WLAN Switch,
when you specify the IP address of the local WLAN Switch, specify the IP address
for the local and not its public IP address (or use 0.0.0.0).

Best Security Practices for the Preshared Key
Leaving the PSK set to the default value exposes the IPSec channel to serious
risk, therefore you should always configure a unique PSK for each WLAN Switch
pair.
Sharing the same PSK between more than two WLAN Switches increases the
likelihood of compromise. If one WLAN Switch is compromised, all WLAN
Switches are compromised. Therefore, best security practices include configuring
a unique PSK for each WLAN Switch pair.
Weak keys are susceptible to offline dictionary attacks, meaning that a hostile
eavesdropper can capture a few packets during connection setup and derive the
PSK, thus compromising the connection. Therefore the PSK selection process
should be the same process as selecting a strong passphrase:

the PSK should be at least ten characters in length

the PSK should not be a dictionary word

the PSK should combine characters from at least three of the following four
groups:
z

lowercase characters

uppercase characters

numbers

punctuation or special characters, such as ~‘@#$%^&*()_-+=\|//.[]{}

Configuring the Preshared Key
The following sections describe how to configure a PSK using the WebUI or CLI.

Using the WebUI to configure the PSK:
1.

Navigate to the Configuration > Network > Switch > System Settings page:
z

On the local WLAN Switch, enter the IPSec key under the Master IP
Address.

AOS-W 3.1
User Guide

297

Adding Local WLAN Switches
Chapter 14

On the master WLAN Switch, click New under Local Switch IPSec Keys,
then enter the IP address for the local WLAN Switch and the IPSec key.
Click Add.

Click Apply.

Using the CLI to configure the PSK:
On the master WLAN Switch:

localip ipsec
On the local WLAN Switch:

masterip ipsec

Configuring Local WLAN Switches
A single master WLAN Switch configuration can be one WLAN Switch or a
master redundant configuration with one master WLAN Switch and the VRRP
redundant backup WLAN Switch. This section highlights the difference in
configuration for both of these scenarios.
The steps involved in migrating from a single to a multi-WLAN Switch
environment are:
1.

Configure the role of the local WLAN Switch to local and specify the IP
address of the master.

Configure the layer-2 / layer-3 settings on the local WLAN Switch (VLANs, IP
subnets, IP routes).

Configure as trusted ports the ports the master and local WLAN Switch use
to communicate with each other.

For those APs that need to boot off the local WLAN Switch, configure the
LMS IP address to point to the new local WLAN Switch.

Reboot the APs that are already on the network, so that they now connect to
the local WLAN Switch.

These steps are explained below.

Configuring the Local WLAN Switch
You configure the role of a WLAN Switch by running the Initial Setup on an
unconfigured WLAN Switch, or by using the WebUI or CLI on a
previously-configured WLAN Switch.

298 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Adding Local WLAN Switches
Chapter 14

Using the Initial Setup
The Initial Setup allows you to configure the IP address of the WLAN Switch and
its role, in addition to other operating parameters. You can run the Initial Setup
through a Web browser connection to a line port on the WLAN Switch or through
a connection to the serial port on the WLAN Switch. (See the Alcatel Quick Start
Guide for more information.) You perform the Initial Setup the first time you
conect to and log into the WLAN Switch or whenever the WLAN Switch is reset
to its factory default configuration (after executing a write erase, reload
sequence).
When prompted to enter the WLAN Switch role in the Initial Setup, select or enter
local to set the WLAN Switch operational mode to be a local WLAN Switch. You
are then prompted for the master WLAN Switch IP address. Enter the IP address
of the master WLAN Switch for the WLAN network. Enter the preshared key
(PSK) that is used to authenticate communications between WLAN Switches.
NOTE:

You need to enter the same PSK on the master WLAN Switch and on the
local WLAN Switches that are managed by the master.

Using the Web UI
For a WLAN Switch that is up and operating with layer-3 connectivity, configure
the following to set the WLAN Switch as local:
1.

Navigate to the Configuration > Network > Switch > System Settings page.

Set the Switch Role to Local.

Enter the IP address of the master WLAN Switch. If master redundancy is
enabled on the master, this address should be the VRRP address for the
VLAN instance corresponding to the IP address of the WLAN Switch.

Enter the preshared key (PSK) that is used to authenticate communications
between WLAN Switches.

NOTE:

You need to enter the same PSK on the master WLAN Switch and on the
local WLAN Switches that are managed by the master.

Using the CLI
For a WLAN Switch that is up and operating with layer-3 connectivity, configure
the following to set the WLAN Switch as local:

masterip ipsec

Configuring Layer-2/Layer-3 Settings
Configure the VLANs, subnets, and IP address on the local WLAN Switch for IP
connectivity.

AOS-W 3.1
User Guide

299

Adding Local WLAN Switches
Chapter 14

Verify connectivity to the master WLAN Switch by pinging the master WLAN
Switch from the local WLAN Switch.
Ensure that the master WLAN Switch recognizes the new WLAN Switch as its
local WLAN Switch. The local WLAN Switch should be listed with type local in the
Monitoring > Network > All WLAN Switches page on the master. It takes about 4
– 5 minutes for the master and local WLAN Switches to synchronize
configurations.

Configuring Trusted Ports
On the local WLAN Switch, navigate to the Configuration > Network > Ports
page and make sure that the port on the local WLAN Switch connecting to the
master is trusted. On the master WLAN Switch, check this for the port on the
master WLAN Switch that connects to the local WLAN Switch.

Configuring APs
APs download their configurations from a master WLAN Switch. However, an AP
or AP group can tunnel client traffic to a local WLAN Switch. To specify the WLAN
Switch to which an AP or AP group tunnels client traffic, you configure the LMS
IP in the AP system profile on the master WLAN Switch.
Configuration changes take effect only after you reboot the affected APs; this
allows them to reassociate with the local WLAN Switch. After rebooting, these
APs appear to the new local WLAN Switch as local APs.

Using the WebUI to configure the LMS IP:
1.

Navigate to the Configuration > Wireless > AP Configuration page.
z

If you select AP Group, click Edit for the AP group name for which you
want to configure the LMS IP.

If you select AP Specific, select the name of the AP for which you want
to configure the LMS IP.

Under the Profiles section, select AP to display the AP profiles.

Select the AP system profile you want to modify.

Enter the WLAN Switch IP address in the LMS IP field.

Click Apply.

Using the CLI to configure the LMS IP:

ap system-profile
lms-ip

300 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Adding Local WLAN Switches
Chapter 14

ap-group
ap-system-profile
ap-name
ap-system-profile

AOS-W 3.1
User Guide

301

Adding Local WLAN Switches
Chapter 14

302 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring IP Mobility

A mobility domain is a group of Alcatel WLAN Switches among which a wireless
user can roam without losing their IP address. Mobility domains are not tied with
the master WLAN Switch, thus it is possible for a user to roam between WLAN
Switches managed by different master WLAN Switches as long as all of the
WLAN Switches belong to the same mobility domain.
You enable and configure mobility domains only on Alcatel WLAN Switches. No
additional software or configuration is required on wireless clients to allow
roaming within the domain.
This chapter describes the following topics:

“Alcatel Mobility Architecture”

“Configuring Mobility Domains”

“Tracking Mobile Users”

“Advanced Configuration”

AOS-W 3.1
User Guide

303

Configuring IP Mobility
Chapter 15

Alcatel Mobility Architecture
Alcatel’s layer-3 mobility solution is based on the Mobile IP protocol standard, as
described in RFC 3344, “IP Mobility Support for IPv4”. This standard addresses
users who need both network connectivity and mobility within the work
environment.
Unlike other layer-3 mobility solutions, an Alcatel mobility solution does not
require that you install mobility software or perform additional configuration on
wireless clients. The Alcatel WLAN Switches perform all functions that enable
clients to roam within the mobility domain.
In a mobility domain, a mobile client is a wireless client that can change its point
of attachment from one network to another within the domain. A mobile client
receives an IP address (a home address) on a home network.
A mobile client can detach at any time from its home network and reconnect to a
foreign network (any network other than the mobile client’s home network) within
the mobility domain. When a mobile client is connected to a foreign network, it is
bound to a care-of address that reflects its current point of attachment. A care-of
address is the IP address of the Alcatel WLAN Switch in the foreign network with
which the mobile client is associated.
The home agent for the client is the WLAN Switch where the client appears for
the first time when it joins the mobility domain. The home agent is the single
point of contact for the client when the client roams. The foreign agent for the
client is the WLAN Switch which handles all Mobile IP communication with the
home agent on behalf of the client. Traffic sent to a client’s home address is
intercepted by the home agent and tunneled for delivery to the client on the
foreign network. On the foreign network, the foreign agent delivers the tunneled
data to the mobile client.
Figure 15-31 shows the routing of traffic from Host A to Mobile Client B when the
client is away from its home network. The client’s care-of address is the IP
address of the Alcatel WLAN Switch in the foreign network. The numbers in the
figure correspond to the following descriptions:
1.

Traffic to Mobile Client B arrives at the client’s home network via standard IP
routing mechanisms.

The traffic is intercepted by the home agent in the client’s home network and
tunneled to the care-of address in the foreign network.

The foreign agent delivers traffic to the mobile client.

Traffic sent by Mobile Client B is also tunneled back to the home agent.

304 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring IP Mobility
Chapter 15

MOBILE CLIENT B
CLIENT’S HOME NETWORK

3
2
HOME AGENT

FOREIGN AGENT

1
FOREIGN NETWORK
HOST A

FIGURE 15-31 Routing of Traffic to Mobile Client within Mobility Domain

Configuring Mobility Domains
NOTE:

Alcatel mobility domains are supported only on Alcatel WLAN Switches.

Before configuring a mobility domain, you should determine the user VLAN(s) for
which mobility is required. For example, you may want to allow employees to be
able to roam from one subnetwork to another. All WLAN Switches that support
the VLANs into which employee users can be placed should be part of the same
mobility domain.
A WLAN Switch can be part of multiple mobility domains, although Alcatel
recommends that a WLAN Switch belong to only one domain. The WLAN
Switches in a mobility domain do not need to be managed by the same master
WLAN Switch.
You configure a mobility domain on a master WLAN Switch; the mobility domain
information is pushed to all local WLAN Switches that are managed by the same
master WLAN Switch. On each WLAN Switch, you must specify the active
domain (the domain to which the WLAN Switch belongs).
NOTE:

Although you configure a mobility domain on a master WLAN Switch, the
master WLAN Switch does not need to be a member of the mobility
domain. For example, you could set up a mobility domain that contains
only local WLAN Switches; you still need to configure the mobility
domain on the master WLAN Switch that manages the local WLAN
Switches. You can also configure a mobility domain that contains
multiple master WLAN Switches; you need to configure the mobility
domain on each master WLAN Switch.

AOS-W 3.1
User Guide

305

Configuring IP Mobility
Chapter 15

The basic tasks you need to perform to configure a mobility domain are listed
below. The sections following describe each task in further detail. A sample
mobility domain configuration is provided in “Example Configuration” on
page 308,

On a master WLAN Switch:

On all WLAN Switches in the mobility
domain:

Enable mobility (disabled by
default)

Join a specified mobility domain
(not required for “default” mobility
domain)

Configure the mobility domain,
including the entries in the home
agent table (HAT)

NOTE:

You can enable or disable IP mobility in a virtual AP profile (IP mobility is
enabled by default). When IP mobility is enabled in a virtual AP profile, the
ESSID that is configured for the virtual AP supports layer-3 mobility. If
you disable IP mobility for a virtual AP, any clients that associate to the
virtual AP will not have mobility service.

Configuring a Mobility Domain
You configure mobility domains on master WLAN Switches. All local WLAN
Switches managed by the master WLAN Switch share the list of mobility domains
configured on the master.
NOTE:

Mobility is disabled by default and must be explicitly enabled on all WLAN
Switches that will support client mobility. Disabling mobility does not
delete any mobility-related configuration.

The home agent table (HAT) provides mapping between a subnetwork or VLAN
and a home agent address. The WLAN Switch looks up information in the HAT to
obtain the IP address of a home agent for a mobile client. The home agent
address is typically the IP address of the WLAN Switch. Because there can be
multiple home agents on a subnetwork, the HAT can contain more than one entry
for the same subnetwork.
You configure the HAT with a list of every subnetwork, mask, VLAN ID, and home
agent IP address in the mobility domain. There must be an entry for every home
agent and user VLAN to which an IP subnetwork maps. If there is more than one
WLAN Switch in the mobility domain providing service for the same user VLAN,
you must configure an entry for the VLAN for each WLAN Switch.
There is a predefined mobility domain called “default”. All WLAN Switches, by
default, belong to this active domain. However, you have the flexibility to define
user-defined domains as well. Once you assign a WLAN Switch to a user-defined
domain, it automatically leaves the “default” mobility domain. For a WLAN Switch

306 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring IP Mobility
Chapter 15

to belong to both the “default” and user-defined mobility domain at the same
time, you must explicitly configure the “default” domain as an active domain for
the WLAN Switch.
The “default” mobility domain is the active domain for all WLAN Switches. If you
need only one mobility domain, you can use the default domain.

Using the WebUI to configure a mobility domain (on the master WLAN
Switch):
1.

Navigate to the Configuration > Advanced Services > IP Mobility page.

Select the Enable IP Mobility checkbox.

To configure the default mobility domain, select the “default” domain in the
Mobility Domain list.
To create a new mobility domain, enter the name of the domain in Mobility
Domain Name and click Add; the new domain name appears in the Mobility
Domain list. Select the newly-created domain name.

Click Add under the Subnet column. Enter the subnetwork, mask, VLAN ID,
and home agent IP address and click Add.
Repeat this step for each HAT entry.

Click Apply.

Using the CLI to configure a mobility domain (on the master WLAN
Switch):

router mobile
ip mobile domain
hat
The VLAN ID must be the VLAN number on the home agent WLAN Switch.
To view currently-configured mobility domains in the CLI, use the show ip mobile
domain command.
NOTE:

Make sure that the ESSID to which the mobile client will connect
supports IP mobility. You can disable IP mobility for an ESSID in the
virtual AP profile (IP mobility is enabled by default). If you disable IP
mobility for a virtual AP, any client that associates to the virtual AP will
not have mobility service.

AOS-W 3.1
User Guide

307

Configuring IP Mobility
Chapter 15

Joining a Mobility Domain
Assigning a WLAN Switch to a specific mobility domain is the key to defining the
roaming area for mobile clients. You should take extra care in planning your
mobility domains, including surveying the user VLANs and WLAN Switches to
which clients can roam, to ensure that there are no roaming holes.
NOTE:

All WLAN Switches are initially part of the “default” mobility domain. If
you are using the default mobility domain, you do not need to specify this
domain as the active domain on a WLAN Switch. However, once you
assign a WLAN Switch to a user-defined domain, the “default” mobility
domain is no longer an active domain on the WLAN Switch.

Using the WebUI to join a mobility domain:
1.

Navigate to the Configuration > Advanced Services > IP Mobility page.

In the Mobility Domain list, select the mobility domain.

Select the Active checkbox for the domain.

Click Apply.

Using the CLI to join a mobility domain:

ip mobile active-domain
To view the active domains in the CLI, use the show ip mobile active-domains
command on the WLAN Switch.

Example Configuration
The following example is a campus with three buildings. An Alcatel WLAN Switch
in each building provides network connections for wireless users on several
different user VLANs. To allow wireless users to roam from building to building
without interrupting ongoing sessions, you configure a mobility domain that
includes all user VLANs on the three WLAN Switches. You configure the HAT on
the master WLAN Switch only (WLAN Switch A in this example). On the local
WLAN Switches (WLAN Switches B and C), you only need to enable mobility.

308 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring IP Mobility
Chapter 15

BUILDING 1

BUILDING 2
SWITCH A
10.1.1.245
(MASTER)
VLAN 1 10.1.1.0/24
VLAN 2 10.1.2.0/24
VLAN 3 10.1.3.0/24

SWITCH B
10.2.1.245
VLAN
VLAN
VLAN
VLAN

1
4
5
6

10.1.1.0/24
10.2.1.0/24
10.2.1.0/24
10.2.3.0/24

BUILDING 3

SWITCH C
10.3.1.245

VLAN 7 10.3.1.0/24
VLAN 8 10.3.2.0/24
VLAN 9 10.3.3.0/24

FIGURE 15-32 Example Configuration: Campus-Wide Mobility
NOTE:

This example uses the “default” mobility domain for the campus-wide
roaming area. Since all WLAN Switches are initially included in the default
mobility domain, you do not need to explicitly configure “default” as the
active domain on each WLAN Switch.

Using the WebUI:
On WLAN Switch A (the master WLAN Switch):
1.

Navigate to the Configuration > Advanced Services > IP Mobility page.

Select the Enable IP Mobility checkbox.

Select the “default” domain in the Mobility Domain list.

Click Add under the Subnet column. Enter the subnetwork, mask, VLAN ID,
and home agent IP address for the first entry shown below and click Add.

AOS-W 3.1
User Guide

309

Configuring IP Mobility
Chapter 15

Repeat this step for each HAT entry.

Subnetwork

Mask

VLAN ID

Home Agent Address

10.1.1.0

255.255.255.0

10.1.1.245

10.1.1.0

255.255.255.0

10.2.1.245

10.1.2.0

255.255.255.0

10.1.1.245

10.1.3.0

255.255.255.0

10.1.1.245

10.2.1.0

255.255.255.0

10.2.1.245

10.2.2.0

255.255.255.0

10.2.1.245

10.2.3.0

255.255.255.0

10.2.1.245

10.3.1.0

255.255.255.0

10.3.1.245

10.3.2.0

255.255.255.0

10.3.1.245

10.3.3.0

255.255.255.0

10.3.1.245

Click Apply.

On WLAN Switches B and C:
1.

Navigate to the Configuration > Advanced Services > IP Mobility page.

Select the Enable IP Mobility checkbox.

Click Apply.

Using the CLI:
On WLAN Switch A (the master WLAN Switch):

ip mobile domain default
hat 10.1.1.0 255.255.255.0
hat 10.1.1.0 255.255.255.0
hat 10.1.2.0 255.255.255.0
hat 10.1.3.0 255.255.255.0
hat 10.2.1.0 255.255.255.0
hat 10.2.2.0 255.255.255.0
hat 10.2.3.0 255.255.255.0
hat 10.3.1.0 255.255.255.0
hat 10.3.2.0 255.255.255.0
hat 10.3.3.0 255.255.255.0
router mobile

1
1
2
3
4
5
6
7
8
9

10.1.1.245
10.2.1.245
10.1.1.245
10.1.1.245
10.2.1.245
10.2.1.245
10.2.1.245
10.3.1.245
10.3.1.245
10.3.1.245

On WLAN Switches B and C:

router mobile

310 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring IP Mobility
Chapter 15

Tracking Mobile Users
This section describes the ways in which you can view information about the
status of mobile clients in the mobility domain.
Location-related information for users, such as roaming status, AP name, ESSID,
BSSID, and physical type are consistent in both the home agent and foreign
agent. The user name, role, and authentication can be different on the home
agent and foreign agent, as explained by the following: Whenever a client
connects to a WLAN Switch in a mobility domain, layer-2 authentication is
performed and the station obtains the layer-2 (logon) role. When the client roams
to other networks, layer-2 authentication is performed and the client obtains the
layer-2 role. If layer-3 authentication is required, this authentication is performed
on the client’s home agent only. The home agent obtains a new role for the client
after layer-3 authentication; this new role appears in the user status on the home
agent only. Even if re-authentication occurs after the station moves to a foreign
agent, the display on the foreign agent still shows the layer-2 role for the user.

Mobile Client Roaming Status
You can view the list of mobile clients and their roaming status on any WLAN
Switch in the mobility domain:

Using the WebUI to view mobile client status:
Navigate to the Monitoring > Switch > Clients page.

Using the CLI to view mobile client status:

show ip mobile host
Roaming status can be one of the following:
Home
Switch/Home
VLAN

This WLAN Switch is the home agent for a station and the
client is on the VLAN on which it has an IP address.

Mobile IP Visitor

This WLAN Switch is not the home agent for a client.

Mobile IP Binding
(away)

This WLAN Switch is the home agent for a client that is
currently away.

Home
Switch/Foreign
VLAN

This WLAN Switch is the home agent for a client but the
client is currently on a different VLAN than its home VLAN
(the VLAN from which it acquired its IP address).

AOS-W 3.1
User Guide

311

Configuring IP Mobility
Chapter 15

Stale

The client does not have connectivity in the mobility
domain. Either the WLAN Switch has received a
disassociation message for a client but has not received an
association or registration request for the client from
another WLAN Switch, or a home agent binding for the
station has expired before being refreshed by a foreign
agent.

No Mobility Service The WLAN Switch cannot provide mobility service to this
client. The mobile client may lose its IP address if it obtains
the address via DHCP and has limited connectivity. The
mobile client may be using an IP address that cannot be
served, or there may be a roaming hole due to improper
configuration.
You can view the roaming status of users on any WLAN Switch in the mobility
domain:

Using the CLI to view user roaming status:

show user
Roaming status can be one of the following:
Associated

This client is on its home agent WLAN Switch and the client
is on the VLAN on which it has an IP address.

Visitor

This client is visiting this WLAN Switch and the WLAN
Switch is not its home agent.

Away

This client is currently away from its home agent WLAN
Switch.

Foreign VLAN

This client is on its home agent WLAN Switch but the client
is currently on a different VLAN than the one on which it
has an IP address.

Stale

This should be a temporary state as the client will either
recover connectivity or the client’s entry is deleted when
the stale timer expires.

You can use the following CLI command to view the home agent, foreign agent,
and roaming status for a specific mobile client.

Using the CLI to view specific client information:

show ip mobile trace { | }

312 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring IP Mobility
Chapter 15

Mobile Client Roaming Locations
You can view information about where a mobile user has been in the mobility
domain. This information can only be viewed on the client’s home agent.

Using the WebUI to view client roaming locations:
1.

Navigate to the Monitoring > Switch > Clients page.

Click Status. The mobility state section contains information about the user
locations.

Using the CLI to view client roaming locations:

show ip mobile trail { ip-address | MAC-address }

Advanced Configuration
You can configure various parameters that pertain to mobility functions on a
WLAN Switch in a mobility domain using either the WebUI or the CLI.

Using the WebUI to configure advanced mobility functions:
1.

Navigate to the Configuration > Advanced Services > IP Mobility page.

Select the Global Parameters tab.

Click Apply after setting the parameter.

Using the CLI to configure mobility functions:

ip
ip
ip
ip

mobile
mobile
mobile
mobile

foreign-agent ...
home-agent ...
proxy ...
revocation ...

Proxy Mobile IP
The proxy mobile IP module in a mobility-enabled WLAN Switch detects when a
mobile client has moved to a foreign network and determines the home agent for
a roaming client. The proxy mobile IP module performs the following functions:

AOS-W 3.1
User Guide

313

Configuring IP Mobility
Chapter 15

Derives the address of the home agent for a mobile client from the HAT using
the mobile client’s IP address. If there is more than one possible home agent
for a mobile client in the HAT, the proxy mobile IP module uses a discovery
mechanism to find the current home agent for the client.

Detects when a mobile client has moved. Client moves are detected based on
ingress port and VLAN changes and mobility is triggered accordingly. For
faster roaming convergence between AP(s) on the same WLAN Switch, it is
recommended that you keep the “on-association” option enabled. This helps
trigger mobility as soon as 802.11 association packets are received from the
mobile client.

Proxy DHCP
When a mobile client first associates with a WLAN Switch, it sends a DHCP
discover request with no requested IP. The WLAN Switch allows DHCP packets
for the client onto the configured VLAN where, presumably, it will receive an IP
address. The incoming VLAN becomes the client’s home VLAN.
If a mobile client moves to another AP on the same WLAN Switch that places the
client on a different VLAN than its initial (home) VLAN, the proxy DHCP module
redirects packets from the client’s current/visited VLAN to the home VLAN. The
proxy DHCP module also redirects DHCP packets for the client from the home
VLAN to the visited VLAN.
If the mobile client moves to another WLAN Switch, the proxy DHCP module
attempts to discover if the client has an ongoing session on a different WLAN
Switch. When a remote WLAN Switch is identified, all DHCP packets from the
client are sent to the home agent where they are replayed on the home VLAN. The
proxy DHCP module also redirects DHCP packets for the client from the home
VLAN to the visited network. In either situation, operations of the proxy DHCP
module do not replace DHCP relay functions which can still operate on the client’s
home VLAN, either in the WLAN Switch or in another device.

Revocations
A home agent or foreign agent can send a registration revocation message, which
revokes registration service for the mobile client. For example, when a mobile
client roams from one foreign agent to another, the home agent can send a
registration revocation message to the first foreign agent so that the foreign
agent can free any resources held for the client.

314 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Redundancy

This chapter describes the following topics:

“Virtual Router Redundancy Protocol” on page 316

“Configuring Redundancy” on page 317

AOS-W 3.1
User Guide

315

Configuring Redundancy
Chapter 16

Virtual Router Redundancy Protocol
The underlying mechanism for the Alcatel redundancy solutions is the Virtual
Router Redundancy Protocol (VRRP). This mechanism can be used to create
various redundancy solutions, including the following:

Pairs of local Alcatel WLAN Switches acting in an active-active mode or a
hot-standby mode

A master WLAN Switch backing up a set of local WLAN Switches

A pair of WLAN Switches acting as a redundant pair of master WLAN
Switches in a hot standby mode

Each of these modes is explained in greater detail with the required configuration.
VRRP is designed to eliminate a single point of failure by providing an election
mechanism amongst WLAN Switches to elect a “master” WLAN Switch. This
master WLAN Switch is the owner of the configured virtual IP address for the
VRRP instance. When the master becomes unavailable, one of the backup WLAN
Switches takes the place of the master and owns the virtual IP address. All
network elements (such as the APs and other WLAN Switches) can be configured
to access the virtual IP address, thereby providing a transparent redundant
solution to the rest of the network.

316 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Redundancy
Chapter 16

Configuring Redundancy
In an Alcatel network, the APs are controlled by a WLAN Switch. The APs tunnel
all data to the WLAN Switch which processes the data, including
encryption/decryption, bridging/forwarding, etc.
Local WLAN Switch redundancy refers to providing redundancy for a WLAN
Switch such that the APs “fail over” to a backup WLAN Switch if a WLAN Switch
becomes unavailable. Local WLAN Switch redundancy is provided by running
VRRP between a pair of WLAN Switches.
NOTE:

The two WLAN Switches need to be connected on the same broadcast
domain (or Layer-2 connected) for VRRP operation. The two WLAN
Switches should be of the same class (for example, A800 to A800 or
higher), and both WLAN Switches should be running the same version of
AOS-W.

The APs are then configured to connect to the “virtual-IP” configured for the
VRRP instance.
You configure the parameters described in Table 16-23 on the local WLAN
Switches.

TABLE 16-23 VRRP Parameters
Parameter

Description

Virtual Router
ID

This is the virtual router ID that uniquely identifies this VRRP
instance. For ease in administration, you should configure this
with the same value as the VLAN ID.

Advertisement
Interval

This is the interval, in seconds, between successive VRRP
advertisements sent by the current master.
Recommended to use the default (1 second).

Authentication
Password

This is an optional password of up to eight characters that can
be used to authenticate VRRP peers in their advertisements. If
this is not configured, there is no authentication password set.

Description

This is an optional text description to describe the VRRP
instance.

IP Address

This is the virtual IP address that will be owned by the elected
VRRP master.

Enable Router
Pre-emption

Selecting this option means that a WLAN Switch can take over
the role of master if it detects a lower priority WLAN Switch
currently acting as master.

Priority

Priority level of the VRRP instance for the WLAN Switch. This
value is used in the election mechanism for the master.

AOS-W 3.1
User Guide

317

Configuring Redundancy
Chapter 16

TABLE 16-23 VRRP Parameters (Continued)
Parameter

Description

Tracking

Configures a tracking mechanism that adds a specified value to
the priority after a WLAN Switch has been the master for the
VRRP instance. This mechanism is used to avoid failing over to
a backup Master for transient failures.
Tracking can be based on one of the following:

Master Up Time: how long the WLAN Switch has been the
master. The value of duration is the length of time that the
administrator expects will be long enough that the
database gathered in the time is too important to be lost.
This will obviously vary from instance to instance.

VRRP Master State Priority: the master state of another
VRRP.

Admin State

Administrative state of the VRRP instance. To start the VRRP
instance, change the admin state to UP in the WebUI.

VLAN

VLAN on which the VRRP protocol will run.

Configuring Local WLAN Switch Redundancy
Collect the following information needed to configure local WLAN Switch
redundancy:

VLAN ID on the two local WLAN Switches that are on the same Layer-2
network and is used to configure VRRP.

Virtual IP address to be used for the VRRP instance.

Configure VRRP
You can use either the WebUI or CLI to configure VRRP on the local WLAN
Switches. For this topology, it is recommended to use the default priority value.

Using the WebUI to configure redundancy for a local WLAN Switch:
1.

Navigate to the Configuration > Advanced Services > Redundancy page on
the WebUI for each of the local WLAN Switches.

Under Virtual Router Table, click Add to create a VRRP instance.

Enter the IP Address for the virtual router. Select the VLAN on which VRRP
will run. Set the Admin State to Up.

Click Done to apply the configuration and add the VRRP instance.

Using the CLI to configure redundancy for a local WLAN Switch:
318 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Redundancy
Chapter 16

vrrp
ip address
vlan
no shutdown

Configure the LMS IP
Configure the APs to terminate their tunnels on the virtual-IP address. To specify
the WLAN Switch to which an AP or AP group tunnels client traffic, you configure
the LMS IP in the AP system profile on the master WLAN Switch. For information
on how to configure the LMS IP in the AP system profile, see “Configuring APs”
on page 300.
NOTE:

This configuration needs to be executed on the master WLAN Switch as
the APs obtain their configuration from the master WLAN Switch.

Master WLAN Switch Redundancy
The master WLAN Switch in the Alcatel solution acts as a single point of
configuration for global policies such as firewall policies, authentication
parameters, RF configuration to ease the configuration and maintenance of a
wireless network. It also maintains a database related to the wireless network
that is used to make any adjustments (automated as well as manual) in reaction
to events that cause a change in the environment (such as an AP becoming
unavailable). The master WLAN Switch is also responsible for providing the
configuration for any AP to complete its boot process. If the master WLAN
Switch becomes unavailable, the network continues to run without any
interruption. However any change in the network topology or configuration will
require the availability of the master WLAN Switch.
To maintain a highly redundant network, the administrator can use a WLAN
Switch to act as a hot standby for the master WLAN Switch. The underlying
protocol used is the same as in local redundancy, that is, VRRP.
1.

Collect the following data before configuring master WLAN Switch
redundancy.
z

VLAN ID on the two WLAN Switches that are on the same layer 2
network and will be used to configure VRRP.

Virtual IP address that has been reserved to be used for the VRRP
instance

You can use either the WebUI or CLI to configure VRRP on the master WLAN
Switches (see Table 16-23). For this topology, the following are
recommended values:
z

For priority: Set the master to 110; set the backup to 100 (the default
value)

Enable pre-emption

AOS-W 3.1
User Guide

319

Configuring Redundancy
Chapter 16

Configure master up time or master state tracking with an add value of
20.

The following shows an example of the configuration on the “initially-preferred
master”.

vrrp 22
vlan 22
ip address 10.200.22.254
priority 110
preempt
authentication password
description Preferred-Master
tracking master-up-time 30 add 20
no shutdown
The following shows the corresponding VRRP configuration for the peer WLAN
Switch.

vrrp 22
vlan 22
ip address 10.200.22.254
priority 100
preempt
authentication password
description Backup-Master
tracking master-up-time 30 add 20
no shutdown
Use the following commands to associate the VRRP instance with master WLAN
Switch redundancy.
Command

Explanation

master-redundancy

Enter the master-redundancy context.

master-vrrp

Associates a VRRP instance with master
redundancy. Enter the virtual router ID of the
VRRP instance.

peer-ip-address

Loopback IP address of the peer WLAN Switch
for master redundancy.

320 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Redundancy
Chapter 16

NOTE:

All the APs and local WLAN Switches in the network should be
configured with the virtual IP address as the master IP address. The
master IP address can be configured for local WLAN Switches during
the Initial Setup (refer to the Alcatel Quick Start Guide). You can also
use the following commands to change the master IP of the local
WLAN Switch. The WLAN Switch will require a reboot after changing
the master IP on the WLAN Switch.

Command

Explanation

masterip

Configures the master IP address for a local WLAN
Switch.
Configure this to be the virtual IP address of the VRRP
instance used for master redundancy.

If DNS resolution is the chosen mechanism for the APs to discover their master
WLAN Switch, ensure that the name “aruba-master” resolves to the same virtual
IP address configured as a part of the master redundancy.

Master-Local WLAN Switch Redundancy
This section outlines the concepts behind a redundancy solution where a master
can act as a backup for one or more local WLAN Switches and shows how to
configure the Alcatel WLAN Switches for such a redundant solution. In this
solution, the local WLAN Switches act as the WLAN Switch for the APs. When
any one of the local WLAN Switches becomes unavailable, the master takes over
the APs controlled by that local WLAN Switch for the time that the local WLAN
Switch remains unavailable. It is configured such that when the local WLAN
Switch comes back again, it can take control over the APs once more.
This type of redundant solution is illustrated by the following topology diagram.
NOTE:

This solution requires that the master WLAN Switch have Layer-2
connectivity to all the local WLAN Switches.

AOS-W 3.1
User Guide

321

Configuring Redundancy
Chapter 16

FIGURE 16-33 Redundant Topology: Master-Local Redundancy
In the network shown above, the master WLAN Switch is connected to the local
WLAN Switches on VLANs 1 through n through a Layer-2 network. To configure
redundancy as described in the conceptual overview for master-local redundancy,
configure VRRP instances on each of the VLANs between the master and the
respective local WLAN Switch. The VRRP instance on the local WLAN Switch is
configured with a higher priority to ensure that when available, the APs always
choose the local WLAN Switch to terminate their tunnels.

To configure the master and local WLAN Switches for redundant
topology:
1.

Configure the interface on the master WLAN Switch to be a trunk port with 1,
2… n being member VLANs.

Collect the following data before configuring master WLAN Switch
redundancy.

VLAN IDs on the WLAN Switches corresponding to the VLANs 1, 2…n
shown in the topology above.

Virtual IP addresses that has been reserved to be used for the VRRP
instances.

You can use either the WebUI or CLI to configure VRRP on the master WLAN
Switches (see Table 16-23). For this topology, the following are
recommended values:
z

For priority: Set the local to 110; set the master to 100 (the default value)

Enable pre-emption

322 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Redundancy
Chapter 16

NOTE:

The master WLAN Switch will be configured for a number of VRRP
instances (equal to the number of local WLAN Switches the master is
backing up).

The following shows an example configuration of the Master WLAN Switch in
such a topology for one of the VLANs (in this case VLAN 22).

vrrp 22
vlan 22
ip address 10.200.22.254
priority 100
preempt
authentication password
description Master-acting-as-backup-to-local
tracking master-up-time 30 add 20
no shutdown
The following shows the configuration on the corresponding local WLAN Switch.

vrrp 22
vlan 22
ip address 10.200.22.254
priority 110
preempt
authentication password
description local-backed-by-master
no shutdown
To configure APs, you configure the appropriate virtual IP address (depending on
which WLAN Switch is expected to control the APs) for the LMS IP address
parameter in the AP system profile for an AP group or specified AP.
As an example, the administrator can configure APs in the AP group “floor1” to
be controlled by local WLAN Switch 1, APs in the AP group “floor2” to be
controlled by local WLAN Switch 2 and so on. All the local WLAN Switches are
backed up by the master WLAN Switch. In the AP system profile for the AP group
“floor1”, enter the virtual IP address (10.200.22.154 in the example configuration)
for the LMS IP address on the master WLAN Switch.
NOTE:

You configure APs on the master WLAN Switch.

Configuration changes take effect only after you reboot the affected APs; this
allows them to reassociate with the local WLAN Switch. After rebooting, these
APs appear to the new local WLAN Switch as local APs.

Using the WebUI to configure the LMS IP:
1.

Navigate to the Configuration > Wireless > AP Configuration page on the
master WLAN Switch.

AOS-W 3.1
User Guide

323

Configuring Redundancy
Chapter 16

If you select AP Group, click Edit for the AP group name for which you
want to configure the LMS IP.

If you select AP Specific, select the name of the AP for which you want
to configure the LMS IP.

Under the Profiles section, select AP to display the AP profiles.

Select the AP system profile you want to modify.

Enter the WLAN Switch IP address in the LMS IP field.

Click Apply.

Using the CLI to configure the LMS IP:
On the master WLAN Switch:

ap system-profile
lms-ip
ap-group
ap-system-profile
ap-name
ap-system-profile

324 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Volume 6
Configuring
Intrusion
Protection
AOS-W Version 3.1

326 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless
Intrusion Prevention

This chapter describes how to configure various intrusion detection system (IDS)
capabilities of the Alcatel OmniAccess system. The Alcatel system offers a variety
of IDS/intrusion prevention system (IPS) features that you can configure and
deploy as required. Like most other security-related features of the Alcatel
system, the IDS configuration is done completely on the master WLAN Switch in
the network.
NOTE:

To use the IDS features described in this chapter, you must install a
Wireless Intrusion Protection license in the WLAN Switch.

This chapter describes the following topics:

“IDS Features” on page 328

“IDS Configuration” on page 332

“Client Blacklisting” on page 354

AOS-W 3.1
User Guide

327

Configuring Wireless Intrusion Prevention
Chapter 17

IDS Features
This section describes IDS features provided by the Alcatel system.

Unauthorized Device Detection
Unauthorized device detection includes the ability to detect and disable rogue APs
and other devices that can potentially disrupt network operations.

Rogue/Interfering AP Detection
The most important IDS functionality offered in the Alcatel system is the ability to
classify an AP as either a rogue AP or an interfering AP. An AP is considered to be
a rogue AP if it is both unauthorized and plugged into the wired side of the
network. An AP is considered to be an interfering AP if it is seen in the RF
environment but is not connected to the wired network. While the interfering AP
can potentially cause RF interference, it is not considered a direct security threat
since it is not connected to the wired network. However, an interfering AP may be
reclassified as a rogue AP.
You can enable a policy to automatically disable APs that are classified as a rogue
APs by the Alcatel system. When a rogue AP is disabled, no wireless stations are
allowed to associate to that AP. Refer to “Configuring Unauthorized Device
Detection” on page 344 for details on how to configure rogue AP detection,
classification, and containment.
You can manually reclassify an interfering AP. Refer to “Classifying APs” on
page 350 for details on how to change the classification of an AP.

Adhoc Network Detection and Containment
As far as network administrators are concerned, ad-hoc wireless networks are
uncontrolled. If they do not use encryption, they may expose sensitive data to
outside eavesdroppers. If a device is connected to a wired network and has
bridging enabled, an ad-hoc network may also function like a rogue AP.
Additionally, ad-hoc networks can expose client devices to viruses and other
security vulnerabilities. For these reasons, many administrators choose to prohibit
ad-hoc networks. The Alcatel system can perform both ad-hoc network detection
and also disable ad-hoc networks when they are found.

Wireless Bridge Detection
Wireless bridges are normally used to connect multiple buildings together.
However, an attacker could place (or have an authorized person place) a wireless
bridge inside the network that would extend the corporate network somewhere
outside the building. Wireless bridges are somewhat different from rogue APs in

328 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless Intrusion Prevention
Chapter 17

that they do not use beacons and have no concept of association. Most networks
do not use bridges – in these networks, the presence of a bridge is a signal that a
security problem exists.

Misconfigured AP Detection
If desired, a list of parameters can be configured that defines the characteristics
of a valid AP. This is primarily used when non-Alcatel APs are being used in the
network since the Alcatel WLAN Switch cannot configure the third-party APs.
These parameters can include preamble type, WEP configuration, OUI of valid
MAC addresses, valid channels, DCF/PCF configuration, and ESSID. The system
can also be configured to detect an AP using a weak WEP key. If a valid AP is
detected as misconfigured, the system will deny access to the misconfigured AP
if protection is enabled. In cases where someone gains configuration access to a
third-party AP and changes the configuration, this policy is useful in blocking
access to that AP until the configuration can be fixed.

Weak WEP Detection
The primary means of cracking WEP keys is by capturing 802.11 frames over an
extended period of time and searching for patterns of WEP initialization vectors
(IVs) that are known to be weak. The Alcatel system will monitor for devices
using weak WEP implementations and generate reports for the administrator of
which devices require upgrades.

Multi Tenancy Protection
The Alcatel system provides the ability to configure SSID lists, and disable
unrecognized APs using these reserved resources. This feature can be used in a
multi-tenant building where different enterprises must share the RF environment.
This feature can also be used to defend against “honeypot” APs. A “honeypot”
AP is an attacker’s AP that is set up in close proximity to an enterprise,
advertising the ESSID of the enterprise. The goal of such an attack is to lure valid
clients to associate to the honeypot AP. From that point, a man in the middle
(MITM) attack can be mounted, or an attempt can be made to learn the client’s
authentication credentials. Most client devices have no way of distinguishing
between a valid AP and an invalid one – the devices only look for a particular
ESSID and will associate to the nearest AP advertising that ESSID.

MAC OUI Checking
The Alcatel system provides the ability to match MAC addresses seen in the air
with known manufacturers. The first three bytes of a MAC address are known as
the MAC OUI (Organizationally Unique Identifier) and are assigned by the IEEE.
Often, clients using a spoofed MAC address will not use a valid OUI, and instead
use a randomly generated MAC address. By enabling MAC OUI checking,
administrators will be notified if an unrecognized MAC address is in use.

AOS-W 3.1
User Guide

329

Configuring Wireless Intrusion Prevention
Chapter 17

Denial of Service (DoS) Detection
DoS attacks are designed to prevent or inhibit legitimate clients from accessing
the network. This includes blocking network access completely, degrading
network service, and increasing processing load on clients and network
equipment. Denial of Service attack detection encompasses both rate analysis
and the detection of a specific DoS attack known as Fake AP.

Rate Analysis
Many DoS attacks flood an AP or multiple APs with 802.11 management frames.
These can include authenticate/associate frames which are designed to fill up the
association table of an AP. Other management frame floods, such as probe
request floods, can consume excess processing power on the AP. The Alcatel
WLAN Switch can be configured with the thresholds that indicate a DoS attack
and can detect the same. Refer to “Configuring Denial of Service Attack
Detection” on page 335 for more details.

Fake AP
Fake AP is a tool that was originally created to thwart wardrivers by flooding
beacon frames containing hundreds of different addresses. This would appear to
a wardriver as though there were hundreds of different APs in the area, thus
concealing the real AP. While the tool is still effective for this purpose, a newer
purpose is to flood public hotspots or enterprises with fake AP beacons to
confuse legitimate clients and to increase the amount of processing client
operating systems must do. Refer to “Configuring Denial of Service Attack
Detection” on page 335 for more details.

Impersonation Detection
A successful man-in-the-middle attack will insert an attacker into the data path
between the client and the AP. In such a position, the attacker can delete, add, or
modify data, provided he has access to the encryption keys. Such an attack also
enables other attacks that can learn a client’s authentication credentials.
Man-in-the-middle attacks often rely on a number of different vulnerabilities.

Station Disconnection
Spoofed deauthenticate frames form the basis for most denial of service attacks,
as well as the basis for many other attacks such as man-in-the-middle. In a
station disconnection attack, an attacker spoofs the MAC address of either an
active client or an active AP. The attacker then sends deauthenticate frames to the
target device, causing it to lose its active association. In addition to a
deauthentication frame, Reassociate, Authenticate, and Disassociate frames can
also cause the target device to lose its active association.

330 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless Intrusion Prevention
Chapter 17

EAP Handshake Analysis
EAP (Extensible Authentication Protocol) is a component of 802.1x used for
authentication. Some attacks, such as “ASLEAP” (used to attack Cisco LEAP)
send spoofed deauthenticate messages to clients in order to force the client to
re-authenticate multiple times. These attacks then capture the authentication
frames for offline analysis. EAP Handshake Analysis detects a client performing
an abnormal number of authentication procedures and generates an alarm when
this condition is detected.

Sequence Number Analysis
During an impersonation attack, the attacker will generally spoof the MAC
address of a client or AP. If two devices are active on the network with the same
MAC address, their 802.11 sequence numbers will not match – since the
sequence number is usually generated by the NIC firmware, even a custom driver
will not generally be able to modify these numbers. Sequence number analysis
will detect possible impersonation attacks by looking for anomalies between
sequence numbers seen in frames in the air.

AP Impersonation
AP impersonation attacks can be done for several purposes, including as a
Man-In-the-Middle attack, as a rogue AP attempting to bypass detection, and as a
possible honeypot attack. In such an attack, the attacker sets up an AP that
assumes the BSSID and ESSID of a valid AP.

Signature Detection
Many WLAN intrusion and attack tools generate characteristic signatures that can
be detected by the Alcatel network. The system is pre-configured with several
known signatures, and also includes the ability for you to create new signatures.
For more details on how to configure and create new signatures refer to
“Configuring Signature Detection” on page 341.

AOS-W 3.1
User Guide

331

Configuring Wireless Intrusion Prevention
Chapter 17

IDS Configuration
This section describes how to configure IDS features using the IDS profiles. You
apply the top-level IDS profile to an AP group or specific AP.

IDS Profile Hierarchy
The top-level IDS profile, assigned to an AP group or AP name, refers to the
following IDS profiles:

TABLE 17-24 IDS Profiles
Profile

Description

IDS General profile

Configures AM attributes.

IDS Signature Matching

Configures signatures for intrusion detection. This
profile can include predefined signatures or
signatures that you configure.

IDS DoS profile

Configures traffic anomalies for Denial of Service
attacks.

IDS Impersonation profile

Configures anomalies for impersonation attacks.

IDS Unauthorized Device
profile

Configures detection for unauthorized devices. Also
configures rogue AP detection and containment.

Alcatel provides a set of predefined profiles that provide different levels of
sensitivity. The following are predefined IDS profiles:

ids-disabled

ids-high-setting

ids-low-setting

ids-medium-setting (the default setting)

NOTE:

A predefined IDS profile refers to specific instances of the other IDS
profiles. You cannot create new instances of a profile within a predefined
IDS profile. You can modify parameters within the other IDS profiles.

Using the WebUI to configure IDS:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
z

If you select AP Group, click Edit for the AP group name for which you
want to configure IDS.

332 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless Intrusion Prevention
Chapter 17

If you select AP Specific, select the name of the AP for which you want
to configure IDS.

In the Profiles list, select IDS. Select IDS profile to display the IDS profiles that
are contained in the top-level profile. You can select a predefined IDS profile
or create a new profile.

Click Apply.

Using the CLI to configure IDS:

ap-group
ids-profile

Configuring the IDS General Profile
Table 17-25 describes the parameters you can configure in the IDS general profile.

TABLE 17-25 IDS General Profile Configuration Parameters
Parameter

Description

Stats Update Interval

Time interval, in seconds, for the AP to update the
WLAN Switch with statistics.
NOTE:

This setting takes effect only if the Alcatel
Mobility Manager is configured. Otherwise,
statistics update to the WLAN Switch is
disabled.

Default: 60 seconds
AP Inactivity Timeout

Time, in seconds, after which an AP is aged out.
Default: 5 seconds

STA Inactivity Timeout

Time, in seconds, after which a STA is aged out.
Default: 60 seconds

Min Potential AP Beacon
Rate

Minimum beacon rate acceptable from a potential
AP, in percentage of the advertised beacon interval.
Default: 25%

Min Potential AP Monitor
Time

Minimum time, in seconds, a potential AP has to be
up before it is classified as a real AP.
Default: 2 seconds

AOS-W 3.1
User Guide

333

Configuring Wireless Intrusion Prevention
Chapter 17

TABLE 17-25 IDS General Profile Configuration Parameters (Continued)
Parameter

Description

Signature Quiet Time

Time to wait, in seconds, after detecting a signature
match after which the check can be resumed.
Default: 900 seconds

Wireless Containment

Enable/disable containment from the wireless side.
Default: disabled

Debug Wireless
Containment

Enable/disable debugging of containment from the
wireless side.
Default: disabled

Wired Containment

Enable/disable containment from the wired side.
Default: disabled

Using the WebUI to configure the IDS general profile:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
z

If you select AP Group, click Edit for the AP group name for which you
want to configure IDS.

If you select AP Specific, select the name of the AP for which you want
to configure IDS.

Select IDS. Select IDS profile to display the IDS profiles that are contained in
the top-level profile.

Select IDS General profile.

You can select a predefined IDS general profile from the drop-down menu. Or
you can modify parameters and click Save As to create an IDS general profile
instance.
NOTE:

If you selected a predefined IDS profile, you cannot select or create a
different IDS general profile instance. You can modify parameters
within the IDS general profile instance.

Click Apply.

Using the CLI to configure the IDS general profile:

ids general-profile

334 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless Intrusion Prevention
Chapter 17

Configuring Denial of Service Attack Detection
Table 17-26 describes the parameters you can configure in the IDS DoS profile.

TABLE 17-26 IDS Denial of Service Profile Configuration Parameters
Parameter

Description

Detect Disconnect
Station Attack

Enables or disables detection of station
disconnection attacks.
Default: disabled

Disconnect STA
Detection Quiet Time

After a station disconnection attack is detected, the
time (in seconds) that must elapse before another
identical alarm can be generated.
Default: 900 seconds

Detect AP Flood Attack

Enables or disables the detection of flooding with
fake AP beacons to confuse legitimate users and to
increase the amount of processing need on client
operating systems.
Default: disabled

AP Flood Threshold

Number of Fake AP beacons that must be received
within the Flood Increase Time to trigger an alarm.
Default: 50

AP Flood Increase Time

Time, in seconds, during which a configured number
of Fake AP beacons must be received to trigger an
alarm.
Default: 3 seconds

AP Flood Detection Quiet
Time

After an alarm has been triggered by a Fake AP
flood, the time (in seconds) that must elapse before
an identical alarm may be triggered.
Default: 900 seconds

Detect EAP Rate
Anomaly

Enables or disables Extensible Authentication
Protocol (EAP) handshake analysis to detect an
abnormal number of authentication procedures on a
channel and generates an alarm when this condition
is detected.
Default: disabled

AOS-W 3.1
User Guide

335

Configuring Wireless Intrusion Prevention
Chapter 17

TABLE 17-26 IDS Denial of Service Profile Configuration Parameters
Parameter

Description

EAP Rate Threshold

Number of EAP handshakes that must be received
within the EAP Rate Time Interval to trigger an alarm.
Default: 60

EAP Rate Time Interval

Time, in seconds, during which the configured
number of EAP handshakes must be received to
trigger an alarm.
Default: 3 seconds

EAP Rate Quiet Time

After an alarm has been triggered, the time (in
seconds) that must elapse before another identical
alarm may be triggered.
Default: 900 seconds

Detect Rate Anomalies

Enables or disables detection of rate anomalies.
Default: disabled

Using the WebUI to configure the IDS DoS profile:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
z

If you select AP Group, click Edit for the AP group name for which you
want to configure IDS.

If you select AP Specific, select the name of the AP for which you want
to configure IDS.

Select IDS. Select IDS profile to display the IDS profiles that are contained in
the top-level profile.

Select IDS DoS profile.

You can select a predefined profile from the drop-down menu. Or you can
modify parameters and click Save As to create an IDS DoS profile instance.
NOTE:

If you selected a predefined IDS profile, you cannot select or create a
different IDS DoS profile instance. You can modify parameters within
the IDS DoS profile instance.

Click Apply.

Using the CLI to configure the IDS DoS profile:

ids dos-profile
336 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless Intrusion Prevention
Chapter 17

IDS Rate Thresholds Profile
IDS rate threshold profile defines thresholds assigned to the different frame types
for rate anomaly checking. A profile of this type is attached to each of the
following 802.11 frame types in the IDS Denial of Service profile:

Association frames

Disassociation frames

Deauthentication frames

Probe Request frames

Probe Response frames

Authentication frames

A channel threshold applies to an entire channel, while a node threshold applies
to a particular client MAC address. Alcatel provides predefined default IDS rate
thresholds profiles for each of these types of frames. Default values depend upon
the frame type.
Table 17-27 describes the parameters you can configure for the IDS rate threshold
profile.

TABLE 17-27 IDS Rate Thresholds Profile Configuration Parameters
Parameter

Description

Channel Increase Time

Time, in seconds, in which the threshold must be
exceeded in order to trigger an alarm.

Channel Quiet Time

After an alarm has been triggered, the time that must
elapse before another identical alarm may be
triggered. This option prevents excessive messages
in the log file.

Channel Threshold

Specifies the number of a specific type of frame that
must be exceeded within a specific interval in an
entire channel to trigger an alarm.

AOS-W 3.1
User Guide

337

Configuring Wireless Intrusion Prevention
Chapter 17

TABLE 17-27 IDS Rate Thresholds Profile Configuration Parameters
Parameter

Description

Node Quiet Time

After an alarm has been triggered, the time that must
elapse before another identical alarm may be
triggered. This option prevents excessive messages
in the log file.

Node Threshold

Specifies the number of a specific type of frame that
must be exceeded within a specific interval for a
particular client MAC address to trigger an alarm.

Node Time Interval

Time, in seconds, in which the threshold must be
exceeded in order to trigger an alarm.

Using the WebUI to configure an IDS rate thresholds profile:
1.

In the Profiles list, under the IDS DoS profile, select the threshold profile you
want to configure.

You can select a predefined profile from the drop-down menu. Or you can
modify parameters and click Save As to create a threshold profile instance.

Click Apply.

Using the CLI to configure an IDS rate thresholds profile:

ids rate-thresholds-profile

ids dos-profile

Configuring Impersonation Detection
Table 17-28 describes the parameters you can configure in the IDS DoS profile.

338 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless Intrusion Prevention
Chapter 17

TABLE 17-28 IDS Impersonation Profile Configuration Parameters
Parameter

Description

Detect AP Impersonation

Enables or disables detection of AP impersonation.
In AP impersonation attacks, the attacker sets up an
AP that assumes the BSSID and ESSID of a valid AP.
AP impersonation attacks can be done for
man-in-the-middle attacks, a rogue AP attempting to
bypass detection, or a honeypot attack.
Default: disabled

Protect from AP
Impersonation

When AP impersonation is detected, both the
legitimate and impersonating AP are disabled using a
denial of service attack.
Default: disabled

Beacon Diff Threshold

Percentage increase in beacon rate that triggers an
AP impersonation event.
Default: 50%

Beacon Increase Wait
Time

Time, in seconds, after the Beacon Diff Threshold is
crossed before an AP impersonation event is
generated.
Default: 3 seconds

Detect Sequence
Anomaly

Enables or disables detection of anomalies between
sequence numbers seen in 802.11 frames. During an
impersonation attack, the attacker may spoof the
MAC address of a client or AP — if two devices are
active on the network with the same MAC address,
the sequence numbers in the frames will not match
since the sequence number is generated by NIC
firmware.
Default: disabled

Sequence Number
Difference

Maximum allowable tolerance between sequence
numbers within the Sequence Number Time
Tolerance period.
Default: 300

AOS-W 3.1
User Guide

339

Configuring Wireless Intrusion Prevention
Chapter 17

TABLE 17-28 IDS Impersonation Profile Configuration Parameters
Parameter

Description

Sequence Number Time
Tolerance

Time, in seconds, during which sequence numbers
must exceed the Sequence Number Difference value
for an alarm to be triggered.
Default: 300 seconds

Sequence Number Quiet
Time

After an alarm has been triggered, the time (in
seconds) that must elapse before another identical
alarm may be triggered.
Default: 900 seconds

Using the WebUI to configure the IDS impersonation profile:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
z

If you select AP Group, click Edit for the AP group name for which you
want to configure IDS.

If you select AP Specific, select the name of the AP for which you want
to configure IDS.

Select IDS. Select IDS profile to display the IDS profiles that are contained in
the top-level profile.

Select IDS Impersonation profile.

You can select a predefined profile from the drop-down menu. Or you can
modify parameters and click Save As to create an IDS impersonation profile
instance.
NOTE:

If you selected a predefined IDS profile, you cannot select or create a
different IDS impersonation profile instance. You can modify
parameters within the IDS impersonation profile instance.

Click Apply.

Using the CLI to configure the IDS impersonation profile:

ids impersonation-profile

340 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless Intrusion Prevention
Chapter 17

Configuring Signature Detection
The IDS signature matching profile contains signatures for intrusion detection.
This profile can include predefined signatures or signatures that you configure.
Table 17-29 describes the predefined signatures that you can add to the profile.
.

TABLE 17-29 Predefined Signatures
Signature

Description

ASLEAP

A tool created for Linux systems that has
been used to attack Cisco LEAP
authentication protocol.

Null-Probe-Response

An attack with the potential to crash or lock
up the firmware of many 802.11 NICs. In this
attack, a client probe-request frame will be
answered by a probe response containing a
null SSID. A number of popular NIC cards will
lock up upon receiving such a probe
response.

AirJack

Originally a suite of device drivers for
802.11(a/b/g) raw frame injection and
reception. It was intended to be used as a
development tool for all 802.11 applications
that need to access the raw protocol,
however one of the tools included allowed
users to force off all users on an Access
Point.

NetStumbler Generic

NetStumbler is a popular wardriving
application used to locate 802.11 networks.
When used with certain NICs (such as
Orinoco), NetStumbler generates a
characteristic frame that can be detected.

NetStumbler Version 3.3.0x

Version 3.3.0 of NetStumbler changed the
characteristic frame slightly. This signature
detects the updated frame.

Deauth-Broadcast

A deauth broadcast attempts to disconnect
all stations in range – rather than sending a
spoofed deauth to a specific MAC address,
this attack sends the frame to a broadcast
address.

AOS-W 3.1
User Guide

341

Configuring Wireless Intrusion Prevention
Chapter 17

Using the WebUI to configure the IDS signature-matching profile:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
z

If you select AP Group, click Edit for the AP group name for which you
want to configure IDS.

If you select AP Specific, select the name of the AP for which you want
to configure IDS.

Select IDS. Select IDS profile to display the IDS profiles that are contained in
the top-level profile.

Select IDS Signature Matching profile.

You can select a predefined profile from the drop-down menu. Or you can
modify parameters and click Save As to create an IDS signature-matching
profile instance.
NOTE:

If you selected a predefined IDS profile, you cannot select or create a
different IDS signature-matching profile instance. You can modify
parameters within the IDS signature-matching profile instance.

Click Apply.

Using the CLI to configure the IDS signature-matching profile:

ids signature-matching-profile

Creating a New Signature
Signature rules match an attribute to a value. For example, you can add a rule that
matches the BSSID to the value 00:00:00:00:00:0a. Table 17-30 describes the
attributes and values you can configure for a signature rule.

342 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless Intrusion Prevention
Chapter 17

TABLE 17-30 Signature Rule Attributes
Attribute

Description

BSSID

BSSID field in the 802.11 frame header.

Destination MAC address

Destination MAC address in 802.11 frame header.

Frame Type

Type of 802.11 frame. For each type of frame
further details can be specified to filter and detect
only the required frames. It can be one of the
following:

association

auth

beacon

control (all control frames)

data (all data frames)

deauth

deassoc

management (all management frames)

probe-request

probe-response

SSID

For beacon, probe-request, and probe-response
frame types, specify the SSID as either a string or
hex pattern.

SSID-length

For beacon, probe-request, and probe-response
frame types, specify the SSID length. Maximum
length is 32 bytes.

Payload

Pattern at a fixed offset in the payload of a 802.11
frame. Specify the pattern to be matched as a
sgring or hex pattern. Maximum length is 32
bytes.

Offset

When a payload pattern is configured, specify the
offset in the payload where the pattern is expected
to be found in the frame.

Sequence Number

Sequence number of the frame.

Source MAC address

Source MAC address of the 802.11 frame.

AOS-W 3.1
User Guide

343

Configuring Wireless Intrusion Prevention
Chapter 17

Using the WebUI to create a new signature:
1.

Navigate to the Configuration > Advanced Services > All Profiles page.

Scroll the list of profiles to select IDS Signature Profile. Enter the name of the
new signature profile and click Add.

Select the new signature profile name to display profile details.

Click New to add a rule to the profile.

After completing configuring the rule to be added, click Add to add the rule.

Click Apply.

Using the CLI to add a new signature:

ids signature-profile

Configuring Unauthorized Device Detection
Table 17-31 describes the parameters you can configure in the IDS unauthorized
device detection profile.

TABLE 17-31 IDS Unauthorized Device Profile Configuration Parameters
Parameter

Description

Detect Adhoc Networks

Enable or disable detection of adhoc networks.
Default: disabled

Protect from Adhoc
Networks

Enable or disable protection from adhoc networks.
When adhoc networks are detected, they are
disabled using a denial of service attack.
Default: disabled

Detect Windows Bridge

Enable or disable detection of Windows station
bridging.
Default: disabled

Detect Wireless Bridge

Enable or disable detection of wireless bridging.
Default: disabled

344 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless Intrusion Prevention
Chapter 17

TABLE 17-31 IDS Unauthorized Device Profile Configuration Parameters
Parameter

Description

Detect Devices with an
Invalid MAC OUI

Enables or disables the checking of the first three
bytes of a MAC address, known as the MAC
organizationally unique identifier (OUI), assigned by
the IEEE to known manufacturers. Often clients
using a spoofed MAC address do not use a valid OUI
and instead use a randomly generated MAC address.
Enabling MAC OUI checking causes an alarm to be
triggered if an unrecognized MAC address is in use.
Default: disabled

MAC OUI detection Quiet
Time

The time, in seconds, that must elapse after an
invalid MAC OUI alarm has been triggered before
another identical alarm may be triggered.
Default: 900 seconds

Adhoc Network detection
Quiet Time

The time, in seconds, that must elapse after an
adhoc network detection alarm has been triggered
before another identical alarm may be triggered.
Default: 900 seconds

Wireless Bridge detection
Quiet Time

The time, in seconds, that must elapse after a
wireless bridging alarm has been triggered before
another identical alarm may be triggered.
Default: 900 seconds

Rogue AP Classification

Enable or disable rogue AP classification. A rogue
AP is one that is unauthorized and plugged into the
wired side of the network. Any other AP seen in the
RF environment that is not part of the valid
enterprise network is considered to be “interfering”
— it has the potential to cause RF interference but it
is not connected to the wired network and thus does
not represent a direct threat.
Default: disabled

Overlay Rogue
Classification

This option is useful when Alcatel APs are used for
monitoring a non-Alcatel wireless network, as it
allows APs that are plugged into the wired side of
the network to be classified as “suspected rogue”
instead of “rogue”. Suspected rogue APs are not
subject to rogue containment.
Default: enabled

AOS-W 3.1
User Guide

345

Configuring Wireless Intrusion Prevention
Chapter 17

TABLE 17-31 IDS Unauthorized Device Profile Configuration Parameters
Parameter

Description

Valid Wired Macs

List of MAC addresses of wired devices in the
network, typically gateways or servers.
Default: N/A

Rogue Containment

By default, rogue APs are only detected but are not
automatically disabled. This option automatically
shuts down rogue APs. When this option is enabled,
clients attempting to associate to a rogue AP will be
disconnected from the rogue AP through a denial of
service attack.
Default: disabled

Protect Valid Stations

Does not allow valid stations to connect to a
non-valid AP (see “Classifying APs” on page 350).

Detect Bad WEP

Enables or disables detection of WEP initialization
vectors that are known to be weak. A primary means
of cracking WEP keys is to capture 802.11 frames
over an extended period of time and searching for
such weak implementations that are still used by
many legacy devices.

Default: disabled

Default: disabled
Detect Misconfigured AP

Enables or disables detection of misconfigured APs.
An AP is classified as misconfigured if it does not
meet any of the following configurable parameters:

Valid channels

Encryption type

Short preamble

List of valid AP MAC OUIs

Valid SSID list

Default: disabled
Protect Misconfigured
AP

Enables or disables protection of misconfigured APs.
Default: disabled

Protect SSID

Enables or disables use of SSID by only valid APs.
Default: disabled

346 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless Intrusion Prevention
Chapter 17

TABLE 17-31 IDS Unauthorized Device Profile Configuration Parameters
Parameter

Description

Privacy

Enable or disables encryption as valid AP
configuration.
Default: disabled

Require WPA

When enabled, any valid AP that is not using WPA
encryption is flagged as misconfigured.
Default: disabled

Valid 802.11a channel for
policy enforcement
(multi-valued)

List of valid 802.11a channels that third-party APs
are allowed to use.

Valid 802.11g channel for
policy enforcement
(multi-valued)

List of valid 802.11g channels that third-party APs
are allowed to use.

Valid MAC OUIs
(multi-valued)

List of valid MAC organizationally unique identifiers
(OUIs).

Default: 36, 44, 52, 60, 40, 48, 56, 64

Default: 1, 6, 11

Default: N/A
Valid and Protected
SSIDs (multi-valued)

List of valid and protected SSIDs.
Default: N/A

Using the WebUI to configure the IDS unauthorized device profile:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
z

If you select AP Group, click Edit for the AP group name for which you
want to configure IDS.

If you select AP Specific, select the name of the AP for which you want
to configure IDS.

Select IDS. Select IDS profile to display the IDS profiles that are contained in
the top-level profile.

Select IDS Unauthorized Device profile.

You can select a predefined profile from the drop-down menu. Or you can
modify parameters and click Save As to create an IDS unauthorized device
profile instance.
NOTE:

If you selected a predefined IDS profile, you cannot select or create a
different IDS unauthorized device profile instance. You can modify
parameters within the IDS unauthorized device profile instance.

AOS-W 3.1
User Guide

347

Configuring Wireless Intrusion Prevention
Chapter 17

Click Apply.

Using the CLI to configure the IDS unauthorized device profile:

ids unauthorized-device-profile

Configuring WMS Parameters
The WLAN management system (WMS) on the WLAN Switch monitors wireless
traffic to detect any new AP or wireless client station that tries to connect to the
network. When an AP or wireless client is detected, it is classified and its
classification is used to determine the security policies which should be enforced
on the AP or client.
Table 17-32 lists the parameters you can configure for WMS.

TABLE 17-32 WMS Configuration Parameters
Parameter

Description

AP Ageout Interval

The amount of time, in minutes, that an AP
is unseen by any probes before it is deleted
from the database. Enter 0 to disable ageout.
Default: 30 minutes

AM Poll Interval

Interval, in milliseconds, for communication
between the WLAN Switch and Alcatel AMs.
The WLAN Switch contacts the AM at this
interval to download AP to STA associations,
update policy configuration changes, and
download AP and STA statistics.
Default: 60000 milliseconds (1 minute)

Number of AM Poll Retries

Maximum number of failed polling attempts
before the polled AM is considered to be
down.
Default: 2

Station Ageout Interval

The amount of time, in minutes, that a client
is unseen by any probes before it is deleted
from the database. Enter 0 to disable ageout.
Default: 30 minutes

348 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless Intrusion Prevention
Chapter 17

TABLE 17-32 WMS Configuration Parameters (Continued)
Parameter

Description

Enable Statistics Update in DB

Enables or disables statistics update in the
database.
Default: Enabled

Mark Known Interfering APs as
Enables or disables APs that are marked as
Persistent Known Interfering APs known interfering from being aged out.
Default: Disabled
Learn APs

Enables or disables AP learning. Learning
affects the way APs are classified (see
“Enabling AP Learning” on page 349).
Default: Disabled

Using the WebUI to configure WMS parameters:
1.

Navigate to the Configuration > Advanced Services > Wireless page.

Configure the parameters, as described in Table 17-32.

Click Apply.

Using the CLI to configure WMS parameters:

wms general (parameters described in Table 17-32)

Enabling AP Learning
AP learning is typically used where there are non-Alcatel APs connected on the
same wired network as Alcatel APs. By default, AP learning is not enabled and
any non-Alcatel APs that are connected on the same networks as Alcatel APs are
classified as rogue APs. Enabling AP learning marks the non-Alcatel APs as valid
APs instead of as rogue APs. You can enable or disable AP learning from the CLI.
NOTE:

Enabling AP learning is useful when you install the Alcatel WLAN Switch
in an environment with an existing third-party wireless network,
especially if there are a large number of installed APs. Leave AP learning
enabled until all APs in the network have been detected and classified as
valid. Then disable AP learning and reclassify any unknown APs as
interfering.

Using the WebUI to enable or disable AP learning:
1.

Navigate to the Configuration > Advanced Services > Wireless page.

Select (or deselect) the Learn APs checkbox.

AOS-W 3.1
User Guide

349

Configuring Wireless Intrusion Prevention
Chapter 17

Click Apply.

Using the CLI to enable or disable AP learning:

wms general learn-ap {enable|disable}

Classifying APs
If AP learning is enabled, non-Alcatel APs connected on the same wired network
as Alcatel APs are classified as valid APs. If AP learning is disabled, a non-Alcatel
AP is classified as a rogue AP. You can also manually classify an AP. For example,
if you know about an interfering AP, you can manually reclassify it as a known
interfering AP. You can manually classify an AP into one of the following
categories:
Valid AP

An AP that is part of the enterprise providing WLAN service.
Alcatel APs that successfully connect to the WLAN Switch
and load software and configuration should be classified as
valid APs.
NOTE:

Any client that successfully authenticates with a
valid AP and passes encrypted traffic is classified
as a valid client. (Encrypted traffic includes
encrypted 802.11 frames and unencrypted 802.11
frames which are VPN encrypted.)

Interfering AP

An AP that is seen in the RF environment but is not
connected to the wired network. An interfering AP is not
considered a direct security threat since it is not connected
to the wired network. For example, an interfering AP can be
an AP that belongs to a neighboring office’s WLAN and is
not part of your WLAN network.

Known Interfering
AP

An interfering AP where the BSSIDs are known. Once
classified, a known interfering AP does not change its
state.

Unsecure AP
(rogue AP)

A rogue AP is an unauthorized AP that is plugged into the
wired side of the network. You can configure automatic
shutdown of rogue APs in the IDS unauthorized device
detection profile.

Suspected
Unsecure AP

A suspected rogue AP is plugged into the wired side of the
network, but may not be an unauthorized device. Automatic
rogue containment does not apply to suspected rogue APs.

DoS AP

An AP for which denial of service is enabled. Any clients
connected to this AP are disconnected.

350 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless Intrusion Prevention
Chapter 17

Using the WebUI to Manually Classify APs
1.

Navigate to the Reports > AP Reports> All Interfering APs page on the
master WLAN Switch.

Select the checkbox for the AP(s) you want to classify.

Click the appropriate “Set as” button on the page.

Click Apply.

Using the CLI to Manually Classify APs
Enter the following command in privilege mode:

wms ap mode {dos|interfering|known-interfering|unsecure|valid}

Configuring Misconfigured AP Detection and Protection
An AP is classified as misconfigured if it does not meet any of the following
following configurable parameters:

Valid channels

Encryption type

Short preamble

List of valid AP MAC OUIs

Valid SSID list (exceptions are described in “Use of the Valid Enterprise SSID
List” on page 352)

This classification is primarily for enforcing security policies on non-Alcatel APs,
although the classification and protection mechanism also applies to all valid
Alcatel APs.

Updating the Valid Enterprise SSID List
SSIDs added to the Valid Enterprise SSID list are known as “Valid SSIDs” or
“Reserved SSIDs.” The list is empty by default and does not contain any SSIDs
configured on the WLAN Switch. You can add SSIDs to the list using the WebUI
or CLI.

Using the WebUI to add an SSID to the Valid Enterprise SSID list:
1.

Navigate to the Configuration > Advanced > WLAN Intrusion Prevention >
Policies > Multi Tenancy page.

Click the Add button.

Enter the name of the SSID, then click Add.

AOS-W 3.1
User Guide

351

Configuring Wireless Intrusion Prevention
Chapter 17

Using the CLI to add an SSID to the Valid Enterprise SSID list:

wms valid-ssid

Use of the Valid Enterprise SSID List
This section describes the use of the Valid Enterprise SSID list with both
Multi-Tenancy protection and Misconfigured AP protection.
As part of its function, Multi-Tenancy protection prevents an interfering AP from
advertising an SSID that is added to the Valid Enterprise SSID list. This feature
protects against honeypot attacks.
Misconfigured AP protection also uses the Valid Enterprise SSID list to classify an
AP as misconfigured.
Whether a client can connect to an SSID depends on whether Multi-Tenancy
protection or Misconfigured AP protection are enabled or disabled, whether the
AP is valid or interfering, and whether the SSID is in the Valid Enterprise SSID list.
Table 17-33 describes client connections to valid and non-valid SSIDs when
Multi-Tenancy protection and Misconfigured AP protection are enabled or
disabled.

TABLE 17-33 Valid SSIDs with Multi-Tenancy and Misconfigured AP
Protection
Multi-Tenancy
Protection

Misconfigured
AP Protection

Client Connections

Enabled

Disabled

If there are entries in the valid SSID list:

Clients can connect to valid SSIDs on valid
APs.

Clients cannot connect to valid SSIDs on
interfering APs (including known
interfering APs).

Clients can connect to SSIDs not in the
valid SSID list on valid APs.

Clients can connect to SSIDs not in the
valid SSID list on interfering APs (including
known interfering APs).

If the valid SSID list is empty, it is ignored and
clients can connect to all SSIDs on both valid
APs and interfering APs (including known
interfering APs). Not adding an SSID to the
valid SSID list exposes that SSID to honeypot
attacks.

352 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless Intrusion Prevention
Chapter 17

TABLE 17-33 Valid SSIDs with Multi-Tenancy and Misconfigured AP
Protection
Multi-Tenancy
Protection

Misconfigured
AP Protection

Client Connections

Enabled

If there are entries in the valid SSID list:

Clients can connect to valid SSIDs on valid
APs.

Clients cannot connect to valid SSIDs on
interfering APs (including known
interfering APs).

Clients cannot connect to SSIDs not in the
valid SSID list on valid APs.

Clients can connect to SSIDs not in the
valid SSID list on interfering APs.

Enabled

If there are entries in the valid SSID list:

Clients can connect to valid SSIDs on valid
APs.

Clients can connect to valid SSIDs on
interfering APs (including known
interfering APs).

Clients cannot connect to SSIDs not in the
valid SSID list on valid APs.

Clients can connect to SSIDs not in the
valid SSID list on interfering APs.

If the valid SSID list is empty, it is ignored and
clients can connect to all SSIDs on both valid
APs and interfering APs (including known
interfering APs). When Multi-Tenancy
protection is disabled, the network is
susceptible to honeypot attacks.

AOS-W 3.1
User Guide

353

Configuring Wireless Intrusion Prevention
Chapter 17

Client Blacklisting
When a client is blacklisted in the Alcatel system, the client is not allowed to
associate with any AP in the network for a specified amount of time. If a client is
connected to the network when it is blacklisted, a deauthentication message is
sent to force the client to disconnect. While blacklisted, the client cannot
associate with another SSID in the network.

Methods of Blacklisting
There are several ways in which a client can be blacklisted in the Alcatel system:

You can manually blacklist a specific client. See “Manual Blacklisting” on
page 354 for more information.

A client fails to successfully authenticate for a configured number of times for
a specified authentication method. The client is automatically blacklisted. See
“Authentication Failure Blacklisting” on page 355 for more information.

A denial of service or man in the middle (MITM) attack has been launched in
the network. Detection of these attacks can cause the immediate blacklisting
of a client. See “Attack Blacklisting” on page 355 for more information.

An external application or appliance that provides network services, such as
virus protection or intrusion detection, can blacklist a client and send the
blacklisting information to the WLAN Switch via an XML API server. When the
WLAN Switch receives the client blacklist request from the server, it blacklists
the client, logs an event, and sends an SNMP trap.
NOTE:

This requires that the External Services Interface (ESI) license be
installed in the WLAN Switch.

See Chapter 21, “External Services Interface” for more information.

Manual Blacklisting
There are several reasons why you may choose to blacklist a client. For example,
you can enable different Alcatel intrusion detection system (IDS) features that
detect suspicious activities, such as MAC address spoofing or denial of service
attacks. When these activities are detected, an event is logged and an SNMP trap
is sent with the client information.
To blacklist a client, you need to know its MAC address.

Using the WebUI to manually blacklist a client:
1.

Navigate to the Monitoring > Switch > Clients page.

Select the client to be blacklisted and click the Blacklist button.

354 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless Intrusion Prevention
Chapter 17

Using the CLI to manually blacklist a client:

stm add-blacklist-client

Authentication Failure Blacklisting
You can configure a maximum authentication failure threshold for each of the
following authentication methods:

802.1x

MAC

Captive portal

VPN

When a client exceeds the configured threshold for one of the above methods,
the client is automatically blacklisted by the WLAN Switch, an event is logged,
and an SNMP trap is sent. By default, the maximum authentication failure
threshold is set to 0 for the above authentication methods, which means that
there is no limit to the number of times a client can attempt to authenticate.
With 802.1x authentication, you can also configure blacklisting of clients who fail
machine authentication.
NOTE:

When clients are blacklisted because they exceed the authentication
failure threshold, they are blacklisted indefinitely by default. You can
configure the duration of the blacklisting; see “Blacklist Duration” on
page 356.

Using the WebUI to set the authentication failure threshold:
1.

Navigate to the Configuration > Security > Authentication > Profiles page.

In the Profiles list, select the appropriate authentication profile, then select
the profile instance.

Enter a value in the Max Authentication failures field.

Click Apply.

Using the CLI to set the authentication failure threshold:

aaa authentication {captive-portal|dot1x|mac|vpn}
max-authentication-failures

Attack Blacklisting
There are two type of automatic client blacklisting that can be enabled:
blacklisting due to spoofed deauthentication, or blacklisting due to other types of
denial of service (DoS) attacks.

AOS-W 3.1
User Guide

355

Configuring Wireless Intrusion Prevention
Chapter 17

Automatic blacklisting for DoS attacks other than spoofed deauthentication is
enabled by default. You can disable this blacklisting on a per-SSID basis in the
virtual AP profile.
Man in the middle (MITM) attacks begin with an intruder impersonating a valid
enterprise AP. If an AP needs to reboot, it sends deauthentication packets to
connected clients to enable them to disconnect and reassociate with another AP.
An intruder or attacker can spoof deauthentication packets, forcing clients to
disconnect from the network and reassociate with the attacker’s AP. A valid
enterprise client associates to the intruder’s AP, while the intruder then associates
to the enterprise AP. Communication between the network and the client flows
through the intruder (the man in the middle), thus allowing the intruder the ability
to add, delete, or modify data. When this type of attack is identified by the Alcatel
system, the client can be blacklisted, blocking the MITM attack. You enable this
blacklisting ability in the IDS DoS profile (this is disabled by default).

Using the WebUI to enable spoofed deauth detection and blacklisting:
1.

Navigate to the Configuration > Wireless > AP Configuration page.

Select either AP Group or AP Specific tab. Click Edit for the AP group or AP
name.

In the Profiles list, select IDS, then select IDS profile.

Select the IDS DOS profile instance.

Select (check) Spoofed Deauth Blacklist.

Click Apply.

Using the CLI to enable spoofed deauth detection and blacklisting:

ids dos-profile
spoofed-deauth-blacklist

Blacklist Duration
You can configure the duration that clients are blacklisted on a per-SSID basis.
There are two different blacklist duration settings:

For clients that are blacklisted due to authentication failure. By default, this is
set to 0 (the client is blacklisted indefinitely).

For clients that are blacklisted due to other reasons, including manual
blacklisting. By default, this is set to 3600 seconds (one hour). You can set
this to 0 to blacklist clients indefinitely.

You configure these settings in the virtual AP profile.

356 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Wireless Intrusion Prevention
Chapter 17

Using the WebUI to configure the blacklist duration:
1.

Navigate to the Configuration > Wireless > AP Configuration page.

Select either AP Group or AP Specific tab. Click Edit for the AP group or AP
name.

In the Profiles list, select Wireless LAN, then Virtual AP. Select the virtual AP
instance.

To set a blacklist duration for authentication failure, enter a value for
Authentication Failure Blacklist Time.

To set a blacklist duration for other reasons, enter a value for Blacklist
Time.

Click Apply.

Using the CLI to configure the blacklist duration:

wlan virtual-ap
auth-failure-blacklist-time
blacklist-time

Removing a Client from Blacklisting
You can manually remove a client from blacklisting using either the WebUI or CLI:

Using the WebUI to remove a client from blacklisting:
1.

Navigate to the Monitoring > Switch > Blacklist Clients page.

Select the client that you want to remove from the blacklist, then click
Remove from Blacklist.

Using the CLI to remove a client from blacklisting:
Enter the following in enable mode:

stm remove-blacklist-client

AOS-W 3.1
User Guide

357

Configuring Wireless Intrusion Prevention
Chapter 17

358 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Volume 7
Managing the
OmniAccess
System
AOS-W Version 3.1

360 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management
Access

This chapter describes management access for an Alcatel wireless network.
This chapter describes the following topics:

“Management Interfaces” on page 362

“Managing Certificates” on page 373

“Configuring SNMP” on page 381

“Configuring Logging” on page 391

“Creating Guest Accounts” on page 393

“Setting the System Clock” on page 396

AOS-W 3.1
User Guide

361

Configuring Management Access
Chapter 18

Management Interfaces
There are several interfaces that you can use to configure and manage
components of the Alcatel OmniAccess system:

The Web User Interface (WebUI) allows you to configure and manage Alcatel
WLAN Switches. The WebUI is accessible through a standard Web browser
from a remote management console or workstation.

By default, you can only access the CLI from the serial port or from
an SSH session. To use the CLI in a Telnet session, you must
explicitly enable Telnet on the WLAN Switch by issuing the telnet cli
command.

NOTE:

Before you can use the management interface from a remote console or
workstation you must configure the WLAN Switch with an IP address
and default gateway and connect it to your network. See “Deploying a
Basic OmniAccess System” on page 45 for more information.

All Alcatel WLAN Switches have a serial port for connecting to a local console.
The OAW 6000 WLAN Switch contains a 10/100 Mbps Fast Ethernet port for
out-of-band management (see the Installation Guide for your WLAN Switch for
more information).
By default, management sessions through the serial port, SSH, Telnet, or the
WebUI time out after 15 minutes. You can change or disable the timeout with the
CLI loginsession timeout command.
NOTE:

In many deployment scenarios, an external firewall is situated between
various Alcatel devices. Appendix B, “External Firewall Configuration”
describes the network ports that need to be configured on the external
firewall to allow proper operation of the Alcatel network.

362 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

Web Access
NOTE:

To use the WebUI, enter the IP address of the WLAN Switch in the URL of a
browser window.
NOTE:

The WebUI requires Internet Explorer 6.0. Other browsers may work but
with limited functionality and are therefore not supported.

When you connect to the WLAN Switch using the WebUI, the system displays the
login page. Log in using the administrator user account (the password does not
display). For example:

When you are logged in, the browser window shows the default Monitor
Summary page. For example:

AOS-W 3.1
User Guide

363

Configuring Management Access
Chapter 18

TOOL TABS

LOGOUT
BUTTON

CURRENT
TOOL
CURRENT
PAGE

NAVIGATION
PANE FOR
SELECTED
TOOL

The following describes the elements in all WebUI pages:

The tabs at the top of the page allow you to select tools available in the Web
UI software. Click on a tab to select the tool.

When you select a tab, the tool and its available pages appear in the
navigation pane. You can navigate to any of the listed pages by clicking on
the page name.
NOTE:

Some of the items in the listed pages are merely headings for their
sub-pages and cannot be selected. Selectable pages become
highlighted when you place the cursor over them. Non-selectable
items do not react.

The name of the currently-selected page is highlighted in the page tree.

The main page display area displays all the information and/or input fields
relevant to the current page of the current tool.

The Logout button at the top right corner of the page allows you to end your
WebUI session.

Tools
The tool bar at the top of the WebUI browser window contains tabs for the
various tools available. Click on the tab to select the tool. Table 18-34 lists the
tools that are available in the WebUI.

364 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

TABLE 18-34 WebUI Tools
Menu

Description

Monitoring

This tool allows you to view the status of the Alcatel
components and clients in the Alcatel OmniAccess
system, the connections on the local WLAN Switch,
WLANs, and custom logs.

Configuration

This tool allows you to configure the Alcatel OmniAccess
system.

Diagnostics

This tool allows you to run ping and traceroute, store and
view output files for technical support, and view AP
configuration and statistics.

Maintenance

This tool allows you to upgrade the image file, load
licenses, copy files to/from flash, configure and reboot
APs, and configure the captive portal feature.

Plan

This tools allows you to specify how Wi-Fi coverage
should be provided for your floor plans. RF Plan then
provides coverage maps and AP and AM placement
locations. See Chapter 4, “RF Plan.”

Events

This tool allows you to view events in the Alcatel system.

Reports

This tool allows you to view reports on APs and clients as
well as create custom reports.

Configuration Tool
Table 18-35 describes the Configuration pages.

AOS-W 3.1
User Guide

365

Configuring Management Access
Chapter 18

TABLE 18-35 Configuration Pages
Page

Description

Network

These pages allow you to configure:

Security

Switch role, IP address, and preshared key, licenses,
and certificates

VLANs

Ports

Interface addresses

These pages allow you to configure:

Authentication servers and profiles

User roles and policies

Wireless

The pages allow you to configure profiles, including SSID
and related WLAN options, for AP groups and for specific
APs.

Management

These pages allow you to configure:

Advanced Services

Users, roles, and authentication servers for
administering the Alcatel system

SNMP-related information

Logging

System clock

These pages allow you to configure various Alcatel
OmniAccess features. Some of these features require that
you install an optional license.

The following buttons are available on the Configuration pages:
Apply

Accepts all configuration changes made on the current
page and places them in the running configuration.

Save
Configuration

(Appears in top right corner of the WebUI when the
Configuration tool is selected) Saves all applied
configuration changes made during the current
configuration session. Saved settings are retained when
the WLAN Switch is rebooted or powered off while
unsaved configuration changes are lost. Clicking this
button performs the same function as issuing the CLI write
memory command.

Clear

Resets options on current page to the last-applied or saved
settings.

366 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

Add

Adds a new item to the current page. Typically a set of
relevant configuration fields for the item to be added is
displayed.

Edit

Allows you to edit the configuration of the selected item.

Delete

Removes the selected item from the page configuration.

View Commands

Displays the equivalent CLI command(s) for the WebUI
configuration.

CLI Access
The CLI is available through the serial console connection or from a Telnet or SSH
session.
NOTE:

Telnet access is disabled by default on Alcatel WLAN Switches. To enable
Telnet access, enter the telnet cli command from a serial connection or
from an SSH session.

When you connect to the WLAN Switch using the CLI, the system displays its
host name followed by the login prompt. Log in using the administrator user
account (the password displays as asterisks). For example:

(alcatel)
user: admin
password: *****
When you are logged in, the user mode CLI prompt displays. For example:

(alcatel) >
User mode provides only limited access for basic operational testing such as
running ping and traceroute.
All configuration and management functions are available in privileged mode. To
move from user mode to privileged mode requires you to enter an additional
password. For example:

(alcatel) > enable
Password: ******
When you are in privileged mode, the > prompt changes to a pound sign (#):

(alcatel) #

Saving Configuration Changes
Configuration changes made using the CLI affect only the current state of the
WLAN Switch. Unless saved, the changes are lost when the WLAN Switch is
rebooted. To save your changes so that they are retained after a reboot, use the
following privileged mode CLI command:
AOS-W 3.1
User Guide

367

Configuring Management Access
Chapter 18

(alcatel) # write memory
Saving Configuration...
Saved Configuration

Command Completion
To make command input easier, you can usually abbreviate each key word in the
command. You need type only enough of each keyword to distinguish it from
similar commands. For example:

(alcatel) # configure terminal
could also be entered as:

(alcatel) # con t
Three characters (con) represent the shortest abbreviation allowed for configure.
Typing only c or co would not work because there are other commands (like copy)
which also begin with those letters. The configure command is the only one that
begins with con.
As you type, you can press the spacebar or tab to move to the next keyword. The
system then attempts to expand the abbreviation for you. If there is only one
command keyword that matches the abbreviation, it is filled in for you
automatically. If the abbreviation is too vague (too few characters), the cursor
does not advance and you must type more characters or use the help feature to
list the matching commands.

Command Help
You can use the question mark (?) to view various types of command help.
When typed at the beginning of a line, the question mark lists all the commands
available in your current mode or sub-mode. A brief explanation follows each
command. For example:

(alcatel) > ?
enable
logout
ping
traceroute

Turn on Privileged commands
Exit this session. Any unsaved changes are lost.
Send ICMP echo packets to a specified IP address.
Trace route to specified IP address.

When typed at the end of a possible command or abbreviation, the question mark
lists the commands that match (if any). For example:

(alcatel) > c?

368 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

clear
clock
configure
copy

Clear configuration
Configure the system clock
Configuration Commands
Copy Files

If more than one item is shown, type more of the keyword characters to
distinguish your choice. However, if only one item is listed, the keyword or
abbreviation is valid and you can press tab or the spacebar to advance to the next
keyword.
When typed in place of a parameter, the question mark lists the available options.
For example:

(alcatel) # write ?
erase
file
memory
terminal

Erase
Write
Write
Write

and start from scratch
to a file in the file system
to memory
to terminal

The indicates that the command can be entered without additional
parameters. Any other parameters are optional.

Command Line Editing
The command line editing feature allows you to make corrections or changes to a
command without retyping. Table 18-36 lists the editing controls:

TABLE 18-36 Line Editing Keys
Key

Effect

Description

Home

Move the cursor to the beginning of the line.

Back

Move the cursor one character left.

Delete
Right

Delete the character to the right of the cursor.

End

Move the cursor to the end of the line.

Forward

Move the cursor one character right.

Kill Right

Delete all characters to the right of the cursor.

Display the next command in the command
history.

AOS-W 3.1
User Guide

369

Configuring Management Access
Chapter 18

TABLE 18-36 Line Editing Keys (Continued)
Key

Effect

Description

Display the previous command in the command
history.

Transpose

Swap the character to the left of the cursor with
the character to the right of the cursor.

Clear

Clear the line.

Delete
Word

Delete the characters from the cursor up to and
including the first space encountered.

Kill Left

Delete all characters to the left of the cursor.

Alphanumeric characters are always inserted into the line at the cursor position.

Command History
The system records your most recently entered commands. You can review the
history of your actions, or reissue a recent command easily, without having to
retype it.
To view items in the command history, use the to move back through
the list and key to forward. To reissue a specific command, press
when it appears. You can even use the command line editing feature to
make changes to the command prior to entering it.

Viewing the Configuration
You can view two configuration images from the CLI:

startup-config holds the configuration options which will be used the next
time the WLAN Switch is rebooted. It contains all the options last saved using
the write memory command. Presently unsaved changes are not included.
To view the startup-config, use the following command:

(alcatel) # show startup-config

running-config holds the current switch configuration, including all pending
changes which have yet to be saved.
To view the running-config, use the following command:

(alcatel) # show running-config
Both configurations can also be saved to a file or sent to a TFTP server for backup
or transfer to another system using the copy command.

370 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

Alcatel Mobility Manager
The Alcatel Mobility Manager System (MMS) is an element management system
(EMS) application that enables you to manage Alcatel APs and WLAN Switches
from a single platform. The MMS software is embedded on the Alcatel OmniVista
Mobility Manager Appliance. You can also install the MMS software on a
dedicated server platform. Multiple Windows, Linux, or MacOS clients can access
the MMS interface simultaneously. Each client must have the compatible Java
Runtime Environment (JRE) installed; you can download the appropriate JRE from
the Mobility Manager application.
The 1.x version of MMS allows you to scope, plan, filter, and monitor the wireless
network. The 2.0 version of MMS adds the capability to centrally configure
settings on the WLAN Switches. When a configuration change is made on the
MMS server, the configuration is synchronized with the master WLAN Switch
before being applied.
To configure MMS on AOS-W:
1.

On the master WLAN Switch, configure the IP address of the MMS server
and an SNMP username and password for the MMS server to use to
communicate with the WLAN Switch. You can configure up to two MMS
servers.
Once you configure the MMS server on the Mobility Manager, the Plan,
Events, and Reports tabs no longer appear in the WebUI and the functions
previously provided by these tabs are handled by MMS.

To support configuration by the MMS server, you must enable the master
WLAN Switch to receive, apply, and communicate the status of configuration
changes with the MMS server (this is disabled by default in AOS-W).
NOTE:

You must be running MMS version 2.0 or later on the MMS server to
configure WLAN Switches.

On the MMS server, you must configure the IP address of the master WLAN
Switch and specify the SNMP username and password you configured on the
WLAN Switch.

Configuring an MMS Server
Before the WLAN Switch can communicate with an MMS server, you need to
configure the IP address and username and password for the MMS server on the
master WLAN Switch. This configuration creates an SNMP version 3 user profile
with the configured username and password that allows SNMP SETs from the
MMS server to be received by the WLAN Switch. This configuration also allows
SNMP traps and notifications to be sent to the MMS server.

Using the WebUI to configure an MMS server on the WLAN Switch:
1.

Navigate to the Configuration > Management > General page.

AOS-W 3.1
User Guide

371

Configuring Management Access
Chapter 18

In the Mobility Manager Servers section, click New.

Enter the IP address for the MMS server in the Mobility Manager Server IP
Address field.

Enter an SNMP username and password for the MMS server.

Click Apply.

Using the CLI to configure an MMS server on the WLAN Switch:

mobility-manager user

Enabling Configuration Updates from MMS
When a configuration change is made on the MMS server, the changes are
synchronized with the master WLAN Switch before being applied. On the master
WLAN Switch, you must enable the WLAN Switch to receive, apply, and
communicate the status of the configuration change with the MMS server.
NOTE:

MMS configuration updates only apply to global configurations that are
shared by all WLAN Switches in the network. Local configurations, such
as hostname or VLANs, apply only to the WLAN Switch on which they
are configured and are not updated by MMS.

Using the WebUI to enable MMS configuration on the WLAN Switch:
1.

Navigate to the Configuration > Management > General page.

Select the Update of Global Configuration from MMS checkbox.

Click Apply.

Using the CLI to enable MMS configuration on the WLAN Switch:

cfgm mms config enable
On the MMS server, you must configure the IP address of the master WLAN
Switch and specify the SNMP username and password you configured on the
WLAN Switch. For more information about the Alcatel Mobility Manager, see the
Mobility Manager User Guide.

372 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

Managing Certificates
The Alcatel WLAN Switch is designed to provide secure services through the use
of digital certificates. Certificates provide security when authenticating users and
computers and eliminate the need for less secure password-based
authentication.
There is a default server certificate installed in the WLAN Switch, however this
certificate does not guarantee security for production networks. Alcatel strongly
recommends that you replace the default certificate with a custom certificate
issued for your site or domain by a trusted Certificate Authority (CA). This section
describes how to generate a Certificate Signing Request (CSR) to submit to a CA
and how to import the signed certificate received from the CA into the WLAN
Switch.
The WLAN Switch supports client authentication using digital certificates for
specific OmniAccess services, such as AAA FastConnect (see Chapter 9,
“Configuring 802.1x Authentication”) and WebUI and SSH management access.
Each service can employ different sets of client and server certificates.
During certificate-based authentication, the WLAN Switch provides its server
certificate to the client for authentication. After validating the WLAN Switch’s
server certificate, the client presents its own certificate to the WLAN Switch for
authentication. To validate the client certificate, the WLAN Switch checks the
certificate revocation list (CRL) maintained by the CA that issued the client
certificate. After validating the client’s certificate, the WLAN Switch can check the
user name in the certificate with the configured authentication server (this action
is optional and configurable).

About Digital Certificates
Clients and the servers to which they connect may hold authentication
certificates that validate their identities. When a client connects to a server for the
first time, or the first time since its previous certificate has expired or been
revoked, the server requests that the client transmit its authentication certificate.
The client’s certificate is then verified against the CA which issued it. Clients can
also request and verify the server’s authentication certificate. For some
applications, such as 802.1x authentication, clients do not need to validate the
server certificate for the authentication to function.
Digital certificates are issued by a CA which can be either a commercial,
third-party company or a private CA controlled by your organization. The CA is
trusted to authenticate the owner of the certificate before issuing a certificate. A
CA-signed certificate guarantees the identity of the certificate holder. This is done
by comparing the digital signature on a client or server certificate to the signature
on the certificate for the CA. When CA-signed certificates are used to
authenticate clients, the WLAN Switch checks the validity of client certificates
using certificate revocation lists (CRLs) maintained by the CA that issued the
certificate.
AOS-W 3.1
User Guide

373

Configuring Management Access
Chapter 18

Digital certificates employ public key infrastructure (PKI), which requires a
private-public key pair. A digital certificate is associated with a private key, known
only to the certificate owner, and a public key. A certificate encrypted with a
private key is decrypted with its public key. For example, party A encrypts its
certificate with its private key and sends it to party B. Party B decrypts the
certificate with party A’s public key.

Obtaining a Server Certificate
Alcatel strongly recommends that you replace the default server certificate in the
WLAN Switch with a custom certificate issued for your site or domain by a
trusted CA. To obtain a security certificate for the WLAN Switch from a CA:
1.

Generate a Certificate Signing Request (CSR) on the WLAN Switch using
either the WebUI or CLI.

Submit the CSR to a CA. Copy and paste the output of the CSR into an email
and send it to the CA of your choice.

The CA returns a signed server certificate and the CA’s certificate and public
key.

Install the server certificate, as described in “Importing Certificates” on
page 375.

NOTE:

There can be only one outstanding CSR at a time in the WLAN Switch.
Once you generate a CSR, you need to import the CA-signed certificate
into the WLAN Switch before you can generate another CSR.

Using the WebUI to generate a CSR:
1.

Navigate to the Configuration > Management > Certificates > CSR page.

Click Generate New.

Enter the following information:

Parameter

Description

Range

Default

key

Length of private/public key.

1024/2048/
4096

—

common_name

Typically, this is the host and domain name, as in
www.yourcompany.com.

—

country

Two-letter ISO country code for the country in which
your organization is located.

—

state_or_pro
vince

State, province, region, or territory in which your
organization is located.

—

city

City in which your organization is located.

—

organization

Name of your organization.

—

374 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

unit

Optional field to distinguish a department or other
unit within your organization.

—

Email address referenced in the CSR.

—

Click View Current to display the generated CSR. Select and copy the CSR
output between the BEGIN CERTIFICATE REQUEST and END CERTIFICATE
REQUEST lines, paste it into an email and send it to the CA of your choice.

Using the CLI to generate a CSR:
1.

Run the following command:

crypto pki csr key {1024|2048|4096} common-name country
state_or_province city organization unit
email
2.

Display the CSR output with the following command:

show crypto pki csr
3.

Copy the CSR output between the BEGIN CERTIFICATE REQUEST and END
CERTIFICATE REQUEST lines, paste it into an email and send it to the CA of
your choice.

Obtaining a Client Certificate
You can use the CSR generated on the WLAN Switch to obtain a certificate for a
client. However, since there may be a large number of clients in a network, you
typically obtain client certificates from a corporate CA server. For example, in a
browser window, enter http:///crtserv, where is the IP address
of the CA server.

Importing Certificates
NOTE:

The following information does not apply to server certificates used for
captive portal services. For information about importing server
certificates into the WLAN Switch for captive portal, see Chapter 10,
“Configuring Captive Portal”.

You must use the WebUI to import certificates into the WLAN Switch. You cannot
use a CLI command to import certificates, although a ‘crypto-local pki’ command
is saved to the configuration file when you import a certificate from the WebUI.
NOTE:

You cannot export certificates from the WLAN Switch.

You can import the following types of certificates into the WLAN Switch using the
WebUI:

AOS-W 3.1
User Guide

375

Configuring Management Access
Chapter 18

Server certificate signed by a trusted CA. This includes a public and private
key pair.

CA certificate used to validate other server or client certificates. This includes
only the public key for the certificate.

Client certificate and client’s public key. (The public key is used for
applications such as SSH which does not support X509 certificates and
requires the public key to verify an allowed certificate.)

Certificates can be in the following formats:

X509 PEM unencrypted

X509 PEM encrypted with a key

DER

PKCS12 encrypted

NOTE:

You can import a certificate only through the WebUI.

Using the WebUI to import certificates:
1.

Navigate to the Configuration > Management > Certificates > Upload page.

For Certificate Name, enter a user-defined name.

For Certificate Filename, click Browse to navigate to the appropriate file on
your computer.

If the certificate is encrypted, enter the passphrase.

Select the Certificate Format from the drop-down menu.

Select the Certificate Type from the drop-down menu.

Click Upload to install the certificate in the WLAN Switch.

The Certificate Lists section of the page lists the certificates that are currently
installed in the WLAN Switch.
Imported certificates and keys and CRLs are stored in the following locations in
flash on the WLAN Switch:

Location

Description

/flash/certmgr/trustedCAs

Trusted CA certificates, either for root or
intermediate CAs. Alcatel recommends that if you
import the certificate for an intermediate CA, you
also import the certificate for the signing CA.

376 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

Location

Description

/flash/certmgr/serverCerts

Server certificates. These certificates must contain
both a public and private key (the public and
private key must match). You can import
certificates in PKCS12 and X509 PEM formats, but
they are stored in X509 PEM DES encrypted
format.

/flash/certmgr/CSR

Temporary certificate signing requests (CSRs) that
have been generated on the WLAN Switch and are
awaiting a CA to sign them.

/flash/certmgr/publiccert

Public key of certificates. This allows a service on
the WLAN Switch to identify a certificate as an
allowed certificate.

/flash/certmgr/CRLs

CRLs of expired client certificates.

To view the contents of a certificate, use the following CLI commands:

Command

Description

show crypto-local pki
trustedCAs []
<[attribute>]

Displays the contents of a trusted CA certificate. If a
name is not specified, all CA certificates imported
into the WLAN Switch are displayed. If name and
attribute are specified, then only the attribute in the
certificate are displayed. Attributes can be CN,
validity, serial-number, issuer, subject, public-key.

show crypto-local pki
serverCerts []
[]

Displays the contents of a server certificate. If a
name is not specified,all server certificates imported
into the WLAN Switch are displayed.

show crypto-local pki
publiccert []
[]

Displays the contents of a public certificate. If a
name is not specified, all public certificates
imported into the WLAN Switch are displayed.

Updating CRLs
A CA maintains a CRL that contains a list of certificates that have been revoked
before their expiration date. Expired client certificates are not accepted for any
OmniAccess service. Certificates may be revoked because certificate key has
been compromised or the user specified in the certificate is no longer authorized
to use the key.

AOS-W 3.1
User Guide

377

Configuring Management Access
Chapter 18

When a client certificate is being authenticated for a OmniAccess service, the
WLAN Switch checks the appropriate CRL to make sure that the certificate has
not been revoked. The WLAN Switch automatically downloads CRLs once a day
(you can change the download interval up to 365 days). If the CRL server is not
reachable, an SNMP trap is sent and a critical error is logged.

Using the CLI to modify the CRL update interval:

crypto pki update-crl period

Service-Specific Use of Certificates
The WLAN Switch supports client authentication using digital certificates for
specific OmniAccess services, such as AAA FastConnect (see Chapter 9,
“Configuring 802.1x Authentication”) and WebUI and SSH management access.
The WLAN Switch’s server certificate must be associated with a OmniAccess
service. You can have a different server certificate for each service (for example, a
server certificate for WebUI management access and a server certificate for AAA
FastConnect).

AAA FastConnect
To use certificate authentication for AAA FastConnect, you need to configure the
following in the 802.1x authentication profile:

WLAN Switch’s server certificate

CA certificate

Using the WebUI to configure AAA FastConnect certificate
authentication:
1.

Navigate to the Configuration > Security > Authentication > L2
Authentication page.

In the Profiles list, select 802.1x Authentication Profile.

Select the “default” 802.1x authentication profile from the drop-down menu
to display configuration parameters.

In the Basic tab, select Termination.

Select the Advanced Tab.

In the Server-Certificate field, select the server certificate imported into the
WLAN Switch.

In the CA-Certificate field, select the CA certificate imported into the WLAN
Switch.

Click Save As. Enter a name for the 802.1x authentication profile.

378 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

Click Apply.

Using the CLI to configure AAA FastConnect certificate
authentication:

aaa authentication dot1x
termination enable
server-cert
ca-cert

WebUI Management Access
The WLAN Switch allows certificate authentication for WebUI management users.
(The default is for management users to login with username and password only.)
To use this authentication, you must do the following:
1.

Configure WebUI management for certificate authentication.

Configure the management username, role and client certificate.

Using the WebUI to configure certificate authentication for WebUI
access:
1.

Navigate to the Configuration > Management > General page.

Under WebUI Management Authentication Method, select Client Certificate.
You can select Username and Password as well; in this case, the user is
prompted to manually enter the username and password only if the client
certificate is invalid.

Select the server certificate to be used for this service.

Click Apply.

To configure the management user, navigate to the Configuration >
Management > Administration page.
A.

Under Management Users, click Add.

Select Certificate Management.

Select WebUI Certificate.

Enter the username.

Select the user role assigned to the user upon validation of the client
certificate

Enter the serial number for the client certificate.

Select the name of the CA that issued the client certificate.

Click Apply.

AOS-W 3.1
User Guide

379

Configuring Management Access
Chapter 18

Using the CLI to configure certificate authentication for WebUI access:

web-server
mgmt-auth [username/password] [certificate]
switch-cert
mgmt-user webui-cacert serial < role>

SSH
The WLAN Switch allows public key authentication of management users
accessing the WLAN Switch using SSH. (The default is for management users to
login with username and password only.) To use this authentication, you must do
the following:
1.

Import the X.509 client certificate into the WLAN Switch using the WebUI, as
described in “Importing Certificates”.

Configure SSH for certificate authentication.

Configure the management username, role and client certificate.

Using the WebUI to configure certificate authentication for SSH
access:
1.

Navigate to the Configuration > Management > General page.

Under SSH (Secure Shell) Authentication Method, select Client Public Key.

Click Apply.

To configure the management user, navigate to the Configuration >
Management > Administration page.
A.

Under Management Users, click Add.

Select Certificate Management.

Select SSH Public Key.

Enter the username.

Select the user role assigned to the user upon validation of the client
certificate.

Select the client certificate.

Click Apply.

Using the CLI to configure certificate authentication for SSH access:

ssh mgmt-auth [username/password] [public-key]
mgmt-user ssh-pubkey client-cert

380 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

Configuring SNMP
Alcatel WLAN Switches and APs support versions 1, 2c, and 3 of SNMP for
reporting purposes only. In other words, SNMP cannot be used for setting values
in an Alcatel system in the current version.
There are separate SNMP configurations for the WLAN Switch and for APs,
described in the following sections.

SNMP for the WLAN Switch
You can configure the following SNMP parameters for the WLAN Switch.

TABLE 18-37 SNMP Parameters for the WLAN Switch
Field

Description

Host Name

Host name of the WLAN Switch.

System Contact

Name of the person who acts as the System Contact or
administrator for the WLAN Switch.

System Location

String to describe the location of the WLAN Switch.

Read Community
Strings

Community strings used to authenticate requests for SNMP
versions before version 3.
NOTE:

This is needed only if using SNMP v2c and is not
needed if using version 3.

Enable Trap
Generation

Enables generation of SNMP traps to configured SNMP trap
receivers. Refer to the list of traps in the “SNMP traps”
section below for a list of traps that are generated by the
Alcatel WLAN Switch.

Trap receivers

Host information about a trap receiver. This host needs to
be running a trap receiver to receive and interpret the traps
sent by the Alcatel WLAN Switch. Configure the following
for each host/trap receiver:

IP address

SNMP version: can be 1 or 2c.

Community string

UDP port on which the trap receiver is listening for
traps. The default is the UDP port number 162. This is
optional, and will use the default port number if not
modified by the user.

AOS-W 3.1
User Guide

381

Configuring Management Access
Chapter 18

TABLE 18-37 SNMP Parameters for the WLAN Switch (Continued)
Field

Description

If you are using SNMPv3 to obtain values from the Alcatel WLAN Switch, you
can configure the following parameters:
User name

A string representing the name of the user.

Authentication
protocol

An indication of whether messages sent on behalf of this
user can be authenticated, and if so, the type of
authentication protocol used. This can take one of the two
values:

MD5: HMAC-MD5-96 Digest Authentication Protocol

SHA: HMAC-SHA-96 Digest Authentication Protocol

Authentication
If messages sent on behalf of this user can be
protocol password authenticated, the (private) authentication key for use with
the authentication protocol. This is a string password for
MD5 or SHA depending on the choice above.
Privacy protocol

An indication of whether messages sent on behalf of this
user can be protected from disclosure, and if so, the type of
privacy protocol which is used. This takes the value DES
(CBC-DES Symmetric Encryption Protocol).

Privacy protocol
password

If messages sent on behalf of this user can be
encrypted/decrypted with DES, the (private) privacy key for
use with the privacy protocol.

Follow the steps below to configure a WLAN Switch’s basic SNMP parameters.

Using the WebUI to configure SNMP on the WLAN Switch:
1.

Navigate to the Configuration > Management > SNMP page.

If the WLAN Switch will be sending SNMP traps, click Add in the Trap
Receivers section to add a trap receiver.

If you are using SNMPv3 to obtain values from the Alcatel WLAN Switch,
click Add in the SNMPv3 Users section to add a new SNMPv3 user.

Click Apply.

Using the CLI to configure SNMP on the WLAN Switch:

hostname name
syscontact name
syslocation string

382 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

snmp-server
snmp-server
snmp-server
snmp-server
snmp-server

community string
enable trap
host ipaddr version {1|2c|3} string [udp-port number]
trap source ipaddr
user name [auth-prot {md5|sha} password priv-prot DES password]

SNMP for Access Points
Alcatel APs also support SNMP and you can configure all or some of the APs for
SNMP user access. The APs can be acting as Air Monitors.
For APs, you configure SNMP-related configuration in an SNMP profile, which
you apply to an AP group or to a specific AP. The SNMP profile references one or
more more instances of SNMPv3 user profiles.
NOTE:

You always configure APs on the master WLAN Switch.

You can configure the following SNMP parameters for an AP or AP group:

TABLE 18-38 SNMP Profile Configuration Parameters
Parameter

Description

SNMP enable

Enables or disables SNMP reporting by the Alcatel
AP.
Default: enabled

Community

One or more community strings used to authenticate
requests for data from the AP.
NOTE:

This is required for SNMP v2c but is not
needed for SNMP version 3.

Default: N/A
SNMP user

One or more SNMP user profiles.
Default: N/A

SNMP User Profile
The SNMP User profile configures SNMPv3 users.

AOS-W 3.1
User Guide

383

Configuring Management Access
Chapter 18

TABLE 18-39 SNMP User Profile Configuration Parameters
Parameter

Description

User name

String that represents the name of the user.
Default: N/A

Authentication protocol

If messages sent on behalf of this user can be
authenticated, the type of authentication protocol
used:

md5: HMAC-MD5-96 Digest Authentication
Protocol

sha: HMAC-SHA-96 Digest Authentication
Protocol

Default: sha
Authentication password

Authentication key for use with the authentication
protocol.
Default: N/A

Privacy password

Privacy key for use with the cipher block chaining data encryption standard (CBC-DES) Symmetric
Encryption Protocol.
Default: N/A

Follow the steps below to configure SNMP parameters for APs in the network.

Using the WebUI to configure SNMP:
1.

Navigate to the Configuration > Wireless > AP Configuration page on the
Master WLAN Switch.

Click Edit for the AP group.

Under the Profiles section, select AP to display the AP profiles. Select SNMP
profile.

Under the Profile Details section, enable SNMP and add community strings.
Click Apply.

To configure an SNMPv3 user:
A.

Under the Profiles section, select SNMP user.

Select NEW from the Add a profile drop-down menu.

384 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

Enter a profile name, and click Add.

Click Apply. The new user profile appears in the Profiles list.

Select the user profile in the Profiles list to enter information in the Profile
Details section.

Enter the SNMP user information, and click Apply.

Using the CLI to configure SNMP:

ap snmp-user-profile profile
user-name name
auth-passwd password
auth-prot protocol
priv-passwd password
ap snmp-profile profile
snmp-enable
community string
snmp-user profile

SNMP Traps
The following is a list of key traps generated by the Alcatel WLAN Switch.
1.

WLAN Switch IP changed.
Description: This indicates the WLAN Switch IP has been changed. The
WLAN Switch IP is either the loopback IP address or the IP address of the
VLAN 1 interface (if no loopback IP address is configured).
Priority Level: Critical

WLAN Switch role changed
Description: This indicates that the WLAN Switch has transitioned from
being a Master WLAN Switch to a Local WLAN Switch or vice versa.
Priority Level: Critical

User entry created/deleted/authenticated/de-authenticated/authentication
failed.
Description: Each of these traps are triggered by an event related to a user
event. The event can be a new user entry being created in the user table,
deletion of a user entry, a user getting authenticated successfully, a user
getting de-authenticated, or a failed authentication attempt. Each of these
traps will be generated by the WLAN Switch on which the user event occurs.
In other words this is a local event to the WLAN Switch where the user is
visible.

AOS-W 3.1
User Guide

385

Configuring Management Access
Chapter 18

Priority Level: Medium.
4.

Authentication server request timed out.
Description: This trap indicates that a request to a authentication server did
not receive a response from the server within a specified amount of time and
therefore the request timed out. This usually indicates a connectivity problem
from the Alcatel WLAN Switch to the authentication server or some other
problem related to the authentication server.
Priority Level: High.

Authentication server timed out
Description: This trap indicates that an authentication server has been taken
out of service. This is almost always same as AuthServerReqTimedOut except
when there is only one authentication server in which case the server will
never be taken out of service. In that case the AuthServerReqTimedOut will
continue to be raised but not then AuthServerTimedOut.
Priority level: High

Authentication server up.
Description: This trap indicates that an authentication server that was
previously not responding has started responding to authentication requests.
This will be triggered by a user event that causes the WLAN Switch to send
an authentication request to the authentication server.
Priority Level: Low.

Authentication user table full.
Description: This trap indicates that the authentication user table has reached
its limit with the number of user entries it can hold. This event is local to the
WLAN Switch that generates the traps. The maximum number of user entries
that can be present at the same time in the user table is 4096.
Priority Level: Critical.

Authentication Bandwidth contracts table full
Description: This trap indicates that the maximum number of configured
bandwidth contracts on the WLAN Switch has been exceeded. The threshold
for this is 4096
Priority Level: High

Authentication ACL table full.
Description: This trap indicates that the maximum number of ACL entries in
the ACL table has been exceeded. The limit for this is 2048 entries on a WLAN
Switch.
Priority Level: High

386 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

10. Power supply failure
Description: As the name indicates, this trap indicates the failure of one of
the two possible power supplies in the WLAN Switch.
Priority Level: Critical
11. Fan failure
Description: As the name indicates, this trap indicates a failure of the fan in
the WLAN Switch.
Priority Level: Critical
12. Out of Range Voltage
Description: This trap indicates an out of range voltage being supplied to the
WLAN Switch.
Priority Level: Critical
13. Out of Range temperature.
Description: This trap indicates an out of range operating temperature being
supplied to the WLAN Switch.
Priority Level: Critical
14. Line card inserted/removed.
Description: These traps indicate that a Line Card has been inserted or
removed from the WLAN Switch.
Priority Level: Critical.
15. Supervisor card inserted/removed.
Description: These traps indicate that a Supervisor card has been inserted or
removed from the WLAN Switch
Priority Level: Critical
16. Power supply missing
Description: This trap indicates that one of the power supplies is missing.
Priority Level:. Critical.

Access Point/Air Monitor Traps
The following are the key traps that can be generated by the Alcatel Access Point
or an Air Monitor:1
1.

Unsecure AP detected.
Description: This trap indicates that an Air Monitor has detected and
classified an Access Point as unsecure. It will indicate the location of the Air
Monitor that has detected the unsecure AP, the channel on which the AP was
detected as well as the BSSID and SSID of the detected AP.

AOS-W 3.1
User Guide

387

Configuring Management Access
Chapter 18

Priority Level: Critical.
2.

Station impersonation.
Description: This trap indicates an Air Monitor has detected a Station
impersonation event. The trap will provide the location of the Air Monitor that
has detected the event and the MAC address of the Station.
Priority level: Critical

Reserved channel impersonation.
Description: This trap indicates an Access Point is being detected is violating
the Reserved Channels. The location of the AP/AM that detects the event is
provided in the trap. In addition to this, the BSSID and SSID of the detected
AP is also included.
Priority Level: High

Valid SSID violation
Description: This indicates a configuration in the configuration of the SSID of
the AP. The AP generates the trap and includes its BSSID, the configured SSID
and the location of the AP in the trap.
Priority Level: High

Channel misconfiguration
Description: This trap indicates an error in channel configuration of an AP.
The AP generates the trap and includes its BSSID, the configured SSID and
the location of the AP in the trap
Priority Level: High

OUI misconfiguration.
Description: This trap indicates an error in the OUI configuration of an Access
Point. The AP generates the trap and includes its BSSID, the configured SSID
and the location of the AP in the trap
Priority: High

SSID misconfiguration.
Description: This trap indicates an error in the SSID configuration of an
Access Point. The AP generates the trap and includes its BSSID, the
configured SSID and the location of the AP in the trap
Priority level: High

Short Preamble misconfiguration.

1. For a complete list of traps, refer to the Alcatel MIB Reference.

388 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

Description: This trap indicates an error in the Short Preamble configuration
of an Access Point. The AP generates the trap and includes its BSSID, the
configured SSID and the location of the AP in the trap. This check will be
done only if the short-preamble option is selected for the AP from the CLI or
the WebUI.
Priority level: High
9.

AM misconfiguration.
Description: This trap indicates an error in the Short Preamble configuration
of an Access Point. The AP generates the trap and includes its BSSID, the
configured SSID and the location of the AP in the trap
Priority Level: High

10. Repeat WEP-IV violation.
Description: This trap indicates that the Air Monitor has detected a valid
station or a valid AP sending consecutive frames that has the same IV
(Initialization vector). This usually means that entity has a “flawed” WEP
implementation and is therefore a potential security risk.
Priority Level: High
11. Weak WEP-IV violation.
Description: This trap indicates that the Air Monitor has detected a valid
station or a valid AP sending frames with an IV that is in the range of IV that
are known to be cryptographically weak and therefore are a potential security
risk.
Priority Level: High.
12. Adhoc networks detected.
Description: This trap indicates that the Air Monitor has detected Adhoc
networks.
Priority Level: High.
13. Valid station policy violation.
Description: This trap indicates that a valid Station policy is being violated.
Priority Level: High.
14. AP interference.
Description: This trap indicates that the indicated Air Monitor (identified by
the BSSID/ SSID) is detecting AP interference on the indicated channel.
Priority Level: Medium
15. Frame Retry rate exceeded.

AOS-W 3.1
User Guide

389

Configuring Management Access
Chapter 18

Description: This trap refers to the event when the percentage of received
and transmitted frames with the retry bit crosses the High watermark. This
event can be triggered for an AP, a station or a channel. The two values that
should be configured related to this event are Frame Retry Rate – High
Watermark and Frame Retry Rate –Low watermark. The High Watermark
refers to the percentage threshold which if surpassed triggers the event that
causes the trap to be sent. The Low Watermark refers to the percentage
threshold such that if the retry rate reaches a value lower than this value the
event is reset. What this means is that the trap will be triggered the first time
the Frame Retry rate crosses the High Watermark and then will only be
triggered if the Frame Retry Rate goes under the Low Watermark and then
crosses the High Watermark again. This holds true for all the thresholds
explained below as well.
Priority level: Medium.
16. Frame Bandwidth rate exceeded.
Description: This trap refers to the event of the bandwidth rate for a station
exceeding a configured threshold (High watermark). The terms High
Watermark and Low Watermark hold the same meaning as explained above.
Priority Level: Medium
17. Frame low speed rate exceeded.
Description: This trap refers to the event when the percentage of received
and transmitted frames at low speed (less that 5.5Mbps for 802.11b and less
that 24 Mbps for 802.11a) exceeds the configured High Watermark. The
terms High Watermark and Low Watermark hold the same meaning as
explained above.
Priority level: Medium

390 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

Configuring Logging
This section outlines the steps required to configure logging on an Alcatel WLAN
Switch. The logging level can be set for each of the modules in the software
system. Table 18-40 summarizes these modules:

TABLE 18-40 Software Modules
Module

Description

Management AAA

The module responsible for authentication of
management users (telnet/ssh/WebUI).

Authentication

The module responsible for authentication of wireless
clients.

Configuration Manager

The module responsible for configuration changes in
the Alcatel network and configuration synchronization
amongst all Alcatel WLAN Switches.

VPN server

The module responsible for all VPN connections.

DHCP server

The DHCP server in the WLAN Switch.

Switching

The module responsible for all layer 2/3 switching
functionality.

Mobility

The module responsible for inter- and intra-WLAN
Switch mobility for wireless clients.

User

The module responsible for user state maintenance.

Access Point Manager

The module responsible for managing the Access
Points in the network.

Station Manager

The module responsible for all wireless stations at a
802.11 level.

Traffic

A logical module to track traffic patterns to help
troubleshooting.

RF Director

The monitor responsible for monitoring the wireless
network for any rogues/intrusions etc.

AOS-W 3.1
User Guide

391

Configuring Management Access
Chapter 18

For each module, you can configure a logging level, as described in Table 18-41:

TABLE 18-41 Logging Levels
Logging Level

Description

Emergency

Panic conditions that occur when the system becomes
unusable.

Alert

Any condition requiring immediate attention and
correction.

Critical

Any critical conditions such as a hard drive error.

Errors

Error conditions.

Warning

Warning messages.

Notice

Significant events of a non-critical and normal nature.

Informational

Messages of general interest to system users.

Debug

Messages containing information useful for
debugging.

You can configure IP address of a syslog server to which the WLAN Switch can
direct these logs.

Using the WebUI to configure logging:
1.

Navigate to the Configuration > Management > Logging > Servers page.

To add a logging server, click Add in the Logging Servers section.

Click Add to add the logging server to the list of logging servers. Ensure that
the syslog server is enabled and configured on this host. Click Apply.

To select the module(s) you want to log, select the Levels tab.

Select the category or subcategory to be logged. Scroll to the bottom of the
page and select the appropriate logging level. Click Done.

Click Apply to apply the configuration.

Using the CLI to configure logging:

logging ipaddr
logging level level module

392 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

Creating Guest Accounts
You can assign the predefined guest-provisioning role to a user, such as a front
desk receptionist, that allows the user to create and manage temporary guest
accounts. When the guest-provisioning user logs in to the WLAN Switch using
the username and password you configured, a special page allows them to create
guest accounts in the WLAN Switch’s internal database and configure the
expiration for the accounts (see Figure 18-34). The guest-provisioning user can
also disable, delete, or modify guest accounts as needed.

FIGURE 18-34 Creating a Guest Account
After creating a guest account, the guest-provisioning user can print the account
information from the browser to give to the guest account user (see
Figure 18-35). You can customize the window on which the account information
appears.

FIGURE 18-35 Guest Account Information

Configuring the Guest Provisioning User
You can use the WebUI or CLI to create the guest provisioning user.

AOS-W 3.1
User Guide

393

Configuring Management Access
Chapter 18

Using the WebUI to create the guest-provisioning user:
1.

Navigate to the Configuration > Management > Administration page.

In the Management Users section, click Add.

In the Add User page, make sure that Conventional User Accounts is
selected. Enter the name that the user will log in with to access the guest
account page.

Enter the password for the user login.

For Role, select guest-provisioning from the drop-down list.

Click Apply.

Using the CLI to create the guest-provisioning user:

mgmt-user guest-provisioning
After you press Enter, you are prompted for the for this user.

Guest-Provisioning User Tasks
To log into the WLAN Switch, the guest-provisioning user enters the IP address of
the WLAN Switch in the URL of a browser window. (In a multi-WLAN Switch
network, this must be the IP address of the master WLAN Switch.) In the login
window, the guest-provisioning user enters the previously-configured user name
and password. This is similar to the login for WebUI management access, except
that once the user has logged in, the displayed window is limited to the Guest
Provisioning page (see Figure 18-36).

FIGURE 18-36 Guest Provisioning Page
The guest-provisioning user clicks Add User to create a new guest account. The
guest-provisioning user can either enter a user name and password or accept the
automatically-generated user name and password (clicking Generate creates a
new user name or password), and configure the expiration for the account.
Clicking Apply adds the guest account to the database. Clicking Apply and Print
Preview adds the guest account to the database and displays the account
information in a pop-up window which can be printed from browser.

394 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

Optional Configurations
This section describes guest provisioning options that you, the administrator, can
configure.
NOTE:

These options are not configurable by the guest-provisioning user.

Setting the Maximum Time for Guest Accounts
You can set the maximum expiration time (in minutes) for guest accounts. If the
guest-provisioning user attempt to add a guest account that expires beyond this
time period, an error message is displayed and the guest account is created with
the maximum time you configured.

Using the WebUI to set the maximum time for guest accounts:
1.

Navigate to the Configuration > Authentication > Servers page.

Select Internal DB.

Under Internal DB Maintenance, enter a value in Maximum Expiration.

Click Apply.

Using the CLI to set the maximum time for guest accounts:
local-userdb maximum-expiration

Customizing the Account Information Window
In the WebUI, you can customize the pop-up window that displays the guest
account information.
1.

Navigate to the Configuration > Security > Access Control > Guest Access
page.

Click Browse to insert a logo or other banner information on the window.

You can enter text for the Terms and Conditions portion of the window.

Click Submit to save your changes. Click Preview Pass to preview the
window.

AOS-W 3.1
User Guide

395

Configuring Management Access
Chapter 18

Setting the System Clock
You can set the clock on a WLAN Switch manually or by configuring the WLAN
Switch to use a Network Time Protocol (NTP) server to synchronize its system
clock with a central time source.

Manually Setting the Clock
You can use either the WebUI or CLI to manually set the time on the WLAN
Switch’s clock.

Using the WebUI to set the system clock:
1.

Navigate to the Configuration > Management > Clock page.

Under Switch Date/Time, set the date and time for the clock.

Under Time Zone, enter the name of the time zone and the offset from
Greenwich Mean Time (GMT).

To adjust the clock for daylight savings time, click Enabled under Summer
Time. Additional fields appear that allow you to set the offset from UTC, and
the start and end recurrences.

Click Apply.

Using the CLI to set the system clock:
To set the date and time, enter the following command in privileged mode:

clock set
To set the time zone and daylight savings time adjustment, enter the following
commands in configure mode:

clock timezone <-23 - 23>

396 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring Management Access
Chapter 18

clock summer-time [recurring]
<1-4>
first
last
<1-4>
first
last
[<-23 - 23>]

Configuring an NTP Server
You can use NTP to synchronize the WLAN Switch to a central time source.
Configure the WLAN Switch to set its system clock using NTP by configuring one
or more NTP servers.
For each NTP server, you can optionally specify the NTP iburst mode for faster
clock synchronization. The iburst mode sends up ten queries within the first
minute to the NTP server. (When iburst mode is not enabled, only one query is
sent within the first minute to the NTP server.) After the first minute, the iburst
mode typically synchronizes the clock so that queries need to be sent at intervals
of 64 seconds or more.
NOTE:

The iburst mode is a configurable option and not the default behavior for
the WLAN Switch, as this option is considered “aggressive” by some
public NTP servers. If an NTP server is unresponsive, the iburst mode
continues to send frequent queries until the server responds and time
synchronization starts.

Using the WebUI to configure an NTP server:
1.

Navigate to the Configuration > Management > Clock page.

Under NTP Servers, click Add.

Enter the IP address of the NTP server.

Select (check) the iburst mode, if desired.

Click Add.

Using the CLI to configure an NTP server:

ntp server ipaddr [iburst]

AOS-W 3.1
User Guide

397

Configuring Management Access
Chapter 18

398 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Managing Software
Feature Licenses

AOS-W consists of a base software package with optional software modules that
you can activate by installing one or more license keys. This chapter describes
license types and how to install the licenses on your Alcatel WLAN Switch.
This chapter describes the following topics:

“Alcatel Software Licenses” on page 400

“The Software Licensing Process” on page 401

“Additional Software License Information” on page 405

“Getting Help with Licenses” on page 407

AOS-W 3.1
User Guide

399

Managing Software Feature Licenses
Chapter 19

Alcatel Software Licenses
Alcatel product licenses enable the following software modules:

Policy Enforcement Firewall (PEF)

Wireless Intrusion Protection (WIP)

VPN Server (VPN)

Remote Access Point (RAP)

xSEC (XSC)

Client Integrity (CIM)

External Services Interface (ESI)

Voice Services

Software License Types
For all licensed software modules, two categories of licenses are available:

Permanent license - This type of license permanently enables the desired
software module on a specific Alcatel WLAN Switch. You obtain permanent
licenses through the sales order process only. Permanent software license
certificates are printed documents that are physically mailed to you; you will
also receive the license information in an e-mail confirmation.

Evaluation license - This type of license allows you to evaluate the
unrestricted functionality of a software module on a specific WLAN Switch
for 90 days (in three 30-day increments) without requiring you to purchase a
permanent software license.

At the end of the 90-day period, you must apply a permanent license to re-enable
this software module on the WLAN Switch. Evaluation software license
certificates are only available in electronic form and are e-mailed to you.

400 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Managing Software Feature Licenses
Chapter 19

The Software Licensing Process
A software license (permanent or evaluation) is unlocked individually by module
type and is applied to each WLAN Switch as a software license key. A software
license key is a unique alphanumerical string created for an individual WLAN
Switch and is only valid for the designated WLAN Switch.
Software license keys can be installed in the WLAN Switch in two ways:

Pre-installed at the factory. In this case, the licensed features are available
upon initial setup of the WLAN Switch.

Installed by you using the instructions provided in this chapter.

NOTE:

Alcatel recommends that you obtain a user account on the Alcatel
Software License Management web site even if software license keys are
pre-installed in your WLAN Switch. You should also be familiar with the
software license installation process as described in this chapter.

To enable a software license feature on your WLAN Switch:
1.

Obtain a valid Alcatel software license certificate for the feature from your
sales account manager or authorized reseller.

Locate the system serial number (or Supervisor Card serial number) of the
WLAN Switch to which you wish to apply the software license.

Use the software license certificate ID and the system serial number to obtain
a software license key from the Alcatel Software License Management web
site at https://licensing.alcateloaw.com/login.php.

Apply the software license key by using the WebUI to the WLAN Switch on
which you wish to apply the license. Log in to the WebUI and navigate to the
Configuration > Network > Switch > Licenses page. Enter the software
license key, and click Apply.

You must now reboot your WLAN Switch in order for the new feature to
become available.

See the following sections for details on each step.

Obtaining a Software License Certificate
To obtain either a permanent or evaluation software license, contact your sales
account manager or authorized reseller. They will process your order for a
permanent license certificate or email an evaluation license certificate to you as
desired.

AOS-W 3.1
User Guide

401

Managing Software Feature Licenses
Chapter 19

Software License Certificates
The software license certificate is a software-module and WLAN Switch-class
specific document that states:

The orderable part number for the license

A description of the software module type and Alcatel WLAN Switch for
which it is valid

A unique, 32-character alphanumerical string that can be used to access the
license management Web site and which, in conjunction with the serial
number of an Alcatel WLAN Switch or Supervisor Card, generates a unique
software license key

In addition to the printed software license certificate, you will also receive an
e-mail confirmation with the certificate ID.

402 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Managing Software Feature Licenses
Chapter 19

Locating the System Serial Number
The serial number of a WLAN Switch is unique. You can find it as follows:
z

System serial number that is specified on the rear of an Alcatel WLAN Switch
chassis

System serial number of the Supervisor Card (not the chassis) for an
OmniAccess 6000 WLAN Switch

You can obtain system serial numbers by physically inspecting the chassis or card
or by using the WebUI (by navigating to the Switch > Inventory page).
NOTE:

To physically inspect the system serial number on a Supervisor Card, you
need to remove the card from the WLAN Switch chassis, which can
result in network down time.

Obtaining a Software License Key
To obtain a software license key, you must log in to the Alcatel License
Management Web site at https://licensing.alcateloaw.com/login.php.
If you are a first time user of the licensing site, you can use the software license
certificate ID number to log in initially and request a user account. If you already
have a user account, log in to the site.
Once logged in, you are presented with several options:

Activate a certificate: Activate a new certificate and create the software
license key that you will apply to your WLAN Switch.

Transfer a certificate: Transfer a software license certificate ID from one
WLAN Switch to another (for example, transferring licenses to a spare
system).

Import preloaded certificates: For WLAN Switches on which licenses are
pre-installed at the factory. transfer all software license certificate IDs used on
the sales order to this user account.

List your certificates: View all currently available and active software license
certificates for your account.

To create a software license key:
1.

Select Activate a Certificate.

Enter the certificate ID number and the system serial number of the WLAN
Switch to which you wish to apply the license.

Review the license agreement and select Yes to accept the agreement.

Click Activate it. A copy of the transaction and the software license key will
be emailed to you at the e-mail address you entered for your user account.
AOS-W 3.1
User Guide

403

Managing Software Feature Licenses
Chapter 19

NOTE:

The software license key is only valid for the system serial number for
which you activated the certificate.

Applying the Software License Key
To enable the software module and functionality, you must now apply the
software license key to your Alcatel WLAN Switch:
1.

Using the WebUI, log into your WLAN Switch with Administrative access
rights.

Navigate to the Configuration > Network > Switch > Licenses page to display
system license information and the License Table.

Copy the software license key that was emailed to you, and paste it into the
Add New License Key field. Click Add to apply the license key.

You must now reboot your WLAN Switch for the new feature to become
available.

CAUTION:

404 AOS-W 3.1
User Guide

When license keys are applied on an Alcatel WLAN Switch,
abnormal tampering of the device’s system clock (setting the
system clock back by 2 hours or more) results in the disabling
of software licensed modules and their supported features.
This can affect network services.

032063-00 Rev A
February 2007

Managing Software Feature Licenses
Chapter 19

Additional Software License Information
This section includes other information about software licenses.

Permanent Licenses
Once installed, permanent software licenses report the software module as
Enabled in the WebUI for the WLAN Switch. These license types never expire,
even when you upgrade the AOS-W software to a newer version.

Evaluation Licenses
Evaluation licenses support the following behavior:

Evaluation licenses are limited to three 30-day periods. Evaluation licenses
time individually; evaluation licenses for various software modules will expire
at different times.

During evaluation, full functionality relating to a specific software module is
available to the user.

During evaluation, the WebUI for the WLAN Switch reports that software
licenses are expiring.

When you log in through the CLI, the time remaining on the licensing term
displays as shown below:

(host)
User: admin
Password: *****
NOTICE
NOTICE -- This switch has active licenses that will expire in 29 days
NOTICE
NOTICE -- See 'show license' for details.
NOTICE
(host) >
NOTE:

If multiple evaluation licenses are running concurrently on the same
WLAN Switch, the reported expiration time is for the licensed feature
with the least amount of time remaining.

The time remaining on an evaluation license is also logged every day.
When an evaluation period expires, the following occurs:
z

The WLAN Switch automatically backs up the startup configuration and
reboots itself at midnight (according to the system clock).

AOS-W 3.1
User Guide

405

Managing Software Feature Licenses
Chapter 19

All permanent licenses are unaffected. The expired evaluation licensed feature
is no longer available and is shown as Expired in the WebUI.

You can reapply a software license key to the WLAN Switch only if the 90-day
evaluation time for the feature has not been reached. If the maximum time for the
evaluation license has been reached, the startup configuration is backed up,
however, you can only re-enable the feature by installing a permanent license key.

Deleting a License Key
To remove a license from a system:
1.

Navigate to the Configuration > Network > Switch > Licenses page.

Click Delete to the right of the entry in the License Table.
If a feature is a fully-licensed feature, deleting the feature results in the
feature key being displayed. If a feature is under the trial period of an
evaluation license, no key is generated when the feature is deleted.

NOTE:

If you are unable to delete a license key on a disabled or damaged system
that is subsequently returned to the factory, you can reinstall the license
key on another machine. The factory will take the necessary steps to
remove the license key from the returned system.

Moving Licenses
It may become necessary to move licenses from one chassis to another or simply
delete the license for future use. To move licenses, delete the license from the
chassis as described in “Deleting a License Key” on page 406. Then install the
license key on the new WLAN Switch as described in “Applying the Software
License Key” on page 404.

CAUTION:

The ability to move a license from one WLAN Switch to
another is provided to allow customers maximum flexibility in
managing their organization’s network and to minimize the
need to contact Alcatel customer support. License fraud
detection is monitored and enforced by Alcatel. Abnormally
high volumes of license transfers for the same license
certificate to multiple WLAN Switches can indicate breach of
the Alcatel end user software license agreement and will be
investigated.

Resetting the WLAN Switch
The following sections describe the effects of rebooting a WLAN Switch or
resetting the configuration on software licenses.
406 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Managing Software Feature Licenses
Chapter 19

Rebooting a WLAN Switch
Rebooting or resetting a WLAN Switch has no effect on either permanent or
evaluation licenses.

Resetting the WLAN Switch Configuration
Issuing the write erase command on a WLAN Switch running software licenses
does not affect the license key management database on the WLAN Switch.
Issuing the write erase all command resets the WLAN Switch to factory
defaults, and deletes all databases on the WLAN Switch including the license key
management database. You must reinstall all previously-installed license keys.

Getting Help with Licenses
For information or support with licensing issues, contact your Alcatel sales
representative or log onto the Alcatel support website at:
http://eservice.ind.alcatel.com.

AOS-W 3.1
User Guide

407

Managing Software Feature Licenses
Chapter 19

408 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Volume 8
Configuring
Advanced Services

AOS-W Version 3.1

410 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring QoS for Voice

This chapter outlines the steps required to configure QoS on an Alcatel WLAN
Switch for Voice over IP (VoIP) devices, including Session Initiation Protocol (SIP)
and Spectralink Voice Priority (SVP) phones. Since voice applications are more
vulnerable to delay and jitter, the network infrastructure must be able to prioritize
voice traffic over data traffic.
This chapter describes the following topics:

“Roles and Policies for Voice Traffic” on page 412

“Optional Configurations” on page 424

“Voice Services Module Features” on page 428

NOTE:

To use the features described in this chapter, you must install the Policy
Enforcement Firewall license in the WLAN Switch. Certain voice features
require that the Voice Services Module also be installed in the WLAN
Switch.

AOS-W 3.1
User Guide

411

Configuring QoS for Voice
Chapter 20

Roles and Policies for Voice Traffic
In the Alcatel OmniAccess system, the user role of a wireless client determines its
privileges, including the priority that every type of traffic to or from the client
receives in the wireless network. Thus, QoS for voice applications is configured
when you configure firewall roles and policies.
In an Alcatel system, you can configure roles for clients that use mostly data
traffic, such as laptops, and roles for clients that use mostly voice traffic, such as
VoIP phones. Although there are different ways for a client to derive a user role, in
most cases the clients using data traffic will be assigned a role after they are
authenticated through a method such as 802.1x, VPN, or captive portal. The user
role for VoIP phones can be derived from the OUI of their MAC addresses or the
SSID to which they associate. This user role will typically be configured to have
access allowed only for the voice protocol being used (for example, SIP or SVP).
The following sections describe how to configure user roles with the required
privileges and priorities assigned to different types of traffic. You must install the
Policy Enforcement Firewall license in the WLAN Switch. Refer to Chapter 7,
“Configuring Roles and Policies,” for details on how to create and configure a
user role.
NOTE:

Assigning voice traffic to the high priority queue is recommended when
deploying voice over WLAN networks. If the Voice Services Module
license is installed in the WLAN Switch, VoIP traffic is automatically
assigned to the high priority queue.

Configuring a User Role for SIP Phones
This section describes how to configure the user role “sip-phones” for SIP traffic.
The user role consists of the predefined policy “control”, which permits basic IP
connection, and a user-defined policy “sip-policy” which permits SIP traffic and
assigns the traffic to the high priority queue. The “sip-policy” includes rules that
permit SIP traffic over both TCP and UDP ports and traffic to DHCP and TFTP
servers. All traffic is set to high priority.
NOTE:

The “sip-policy” configuration shown is an example; you can configure
more restrictive rules for a policy if additional security is required.

Using the WebUI to configure a SIP user role:
1.

Navigate to the Configuration > Security > Access Control page.

Select the Policies tab. Click Add to create a new policy.

For Policy Name, enter sip-policy.

Under Rules, click Add.

412 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring QoS for Voice
Chapter 20

For Source, select any.

For Destination, select any.

For Service, select service, then select svc-sip-tcp.

For Action, select permit.

For Queue, select High.

Click Add.

Under Rules, click Add.
A.

For Source, select any.

For Destination, select any.

For Service, select service, then select svc-sip-udp.

For Action, select permit.

For Queue, select High.

Click Add.

Under Rules, click Add.
A.

For Source, select any.

For Destination, select any.

For Service, select service, then select svc-tftp.

For Action, select permit.

For Queue, select High.

Click Add.

Under Rules, click Add.
A.

For Source, select any.

For Destination, select alias, then click New.
I.

For Destination Name, enter dhcp-server.

II.

Under Type, click Add.

III. Enter the IP address(es) of the DHCP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V.

Select this alias from the Destination drop-down menu.

For Service, select service, then select svc-dhcp.

For Action, select permit.

For Queue, select High.

AOS-W 3.1
User Guide

413

Configuring QoS for Voice
Chapter 20

F.
8.

Click Add.

Under Rules, click Add.
A.

For Source, select any.

For Destination, select alias, then click New.
I.

For Destination Name, enter tftp-server.

II.

Under Type, click Add.

III. Enter the IP address(es) of the TFTP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V.

Select this alias from the Destination drop-down menu.

For Service, select service, then select svc-tftp.

For Action, select permit.

For Queue, select High.

Click Add.

Click Apply.

10. Select the User Roles tab. Click Add to add a user role.
A.

For Role Name, enter sip-phones.

Under Firewall Policies, click Add.

For Choose from Configured Policies, select the previously-configured
sip-policy from the drop-down menu.

Click Done.

Under Firewall Policies, click Add.

For Choose from Configured Policies, select control from the drop-down
menu.

Click Done.

11. Click Apply.

Using the CLI to configure a SIP user role:

netdestination dhcp-server
host ipaddr
netdestination tftp-server
host ipaddr
ip access-list session sip-policy

414 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring QoS for Voice
Chapter 20

any
any
any
any
any

any svc-sip-tcp permit queue high
any svc-sip-udp permit queue high
any svc-tftp permit queue high
alias dhcp-server svc-dhcp permit queue high
alias tftp-server svc-tftp permit queue high

user-role sip-phones
session-acl sip-policy
session-acl control

Configuring a User Role for SVP Phones
This section describes how to configure the user role “svp-phones” for SVP
traffic. The user role consists of the predefined policy “control”, which permits
basic IP connection, and a user-defined policy “svp-policy”. The “svp-policy”
policy includes rules that permit SVP traffic and traffic to DHCP and TFTP servers.
All traffic is set to high priority.
NOTE:

The “svp-policy” configuration shown is an example; you can configure
more restrictive rules for a policy if additional security is required.

Using the WebUI to configure an SVP user role:
1.

Navigate to the Configuration > Security > Access Control page.

Select the Policies tab. Click Add to create a new policy.

For Policy Name, enter svp-policy.

Under Rules, click Add.

For Source, select any.

For Destination, select any.

For Service, select service, then select svc-svp.

For Action, select permit.

For Queue, select High.

Click Add.

Under Rules, click Add.
A.

For Source, select any.

For Destination, select any.

For Service, select service, then select svc-tftp.

For Action, select permit.
AOS-W 3.1
User Guide

415

Configuring QoS for Voice
Chapter 20

For Queue, select High.

Click Add.

Under Rules, click Add.
A.

For Source, select any.

For Destination, select alias, then click New.
I.

For Destination Name, enter dhcp-server.

II.

Under Type, click Add.

III. Enter the IP address(es) of the DHCP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V.

Select this alias from the Destination drop-down menu.

For Service, select service, then select svc-dhcp.

For Action, select permit.

For Queue, select High.

Click Add.

Under Rules, click Add.
A.

For Source, select any.

For Destination, select alias, then click New.
I.

For Destination Name, enter tftp-server.

II.

Under Type, click Add.

III. Enter the IP address(es) of the TFTP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V.

Select this alias from the Destination drop-down menu.

For Service, select service, then select svc-tftp.

For Action, select permit.

For Queue, select High.

Click Add.

Click Apply.

Select the User Roles tab. Click Add to add a user role.
A.

For Role Name, enter svp-phones.

Under Firewall Policies, click Add.

416 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring QoS for Voice
Chapter 20

For Choose from Configured Policies, select the previously-configured
svp-policy from the drop-down menu.

Click Done.

Under Firewall Policies, click Add.

For Choose from Configured Policies, select control from the drop-down
menu.

Click Done.

10. Click Apply.

Using the CLI to configure an SVP user role:

netdestination dhcp-server
host ipaddr
netdestination tftp-server
host ipaddr
ip access-list session svp-policy
any any svc-svp permit queue high
any any svc-tftp permit queue high
any alias dhcp-server svc-dhcp permit queue high
any alias tftp-server svc-tftp permit queue high
user-role svp-phones
session-acl svp-policy
session-acl control

Configuring a User Role for Vocera Badges
This section describes how to configure the user role “vocera” for traffic using
the Vocera Communications System. The user role consists of the predefined
policy “control”, which permits basic IP connection, and a user-defined policy
“vocera-policy”. The “vocera-policy” policy includes rules that permit Vocera
traffic (UDP port 5002) and traffic to DHCP and TFTP servers. All traffic is set to
high priority.
NOTE:

The “vocera-policy” configuration shown is an example; you can
configure more restrictive rules for a policy if additional security is
required.

Using the WebUI to configure a vocera user role:
1.

Navigate to the Configuration > Security > Access Control page.

AOS-W 3.1
User Guide

417

Configuring QoS for Voice
Chapter 20

Select the Policies tab. Click Add to create a new policy.

For Policy Name, enter vocera-policy.

Under Rules, click Add.

For Source, select any.

For Destination, select any.

For Service, select service, then select svc-vocera.

For Action, select permit.

For Queue, select High.

Click Add.

Under Rules, click Add.
A.

For Source, select any.

For Destination, select any.

For Service, select service, then select svc-tftp.

For Action, select permit.

For Queue, select High.

Click Add.

Under Rules, click Add.
A.

For Source, select any.

For Destination, select alias, then click New.
I.

For Destination Name, enter dhcp-server.

II.

Under Type, click Add.

III. Enter the IP address(es) of the DHCP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V.

Select this alias from the Destination drop-down menu.

For Service, select service, then select svc-dhcp.

For Action, select permit.

For Queue, select High.

Click Add.

Under Rules, click Add.
A.

For Source, select any.

For Destination, select alias, then click New.

418 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring QoS for Voice
Chapter 20

For Destination Name, enter tftp-server.

II.

Under Type, click Add.

III. Enter the IP address(es) of the TFTP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V.

Select this alias from the Destination drop-down menu.

For Service, select service, then select svc-tftp.

For Action, select permit.

For Queue, select High.

Click Add.

Click Apply.

Select the User Roles tab. Click Add to add a user role.
A.

For Role Name, enter vocera.

Under Firewall Policies, click Add.

For Choose from Configured Policies, select the previously-configured
vocera-policy from the drop-down menu.

Click Done.

Under Firewall Policies, click Add.

For Choose from Configured Policies, select control from the drop-down
menu.

Click Done.

10. Click Apply.

Using the CLI to configure a vocera user role:

netdestination dhcp-server
host ipaddr
netdestination tftp-server
host ipaddr
ip access-list session vocera-policy
any any svc-vocera permit queue high
any any svc-tftp permit queue high
any alias dhcp-server svc-dhcp permit queue high
any alias tftp-server svc-tftp permit queue high
user-role vocera
AOS-W 3.1
User Guide

419

Configuring QoS for Voice
Chapter 20

session-acl vocera-policy
session-acl control

Configuring a User Role for SCCP Phones
This section describes how to configure the user role “sccp-phones” for SCCP
traffic. The user role consists of the predefined policy “control”, which permits
basic IP connection, and a user-defined policy “sccp-policy”. The “sccp-policy”
policy includes rules that permit SCCP traffic (TCP port 2000) and traffic to DHCP
and TFTP servers. All traffic is set to high priority.
NOTE:

The “sccp-policy” configuration shown is an example; you can configure
more restrictive rules for a policy if additional security is required.

Using the WebUI to configure an SCCP user role:
1.

Navigate to the Configuration > Security > Access Control page.

Select the Policies tab. Click Add to create a new policy.

For Policy Name, enter sccp-policy.

Under Rules, click Add.

For Source, select any.

For Destination, select any.

For Service, select service, then select svc-sccp.

For Action, select permit.

For Queue, select High.

Click Add.

Under Rules, click Add.
A.

For Source, select any.

For Destination, select any.

For Service, select service, then select svc-tftp.

For Action, select permit.

For Queue, select High.

Click Add.

Under Rules, click Add.
A.

For Source, select any.

For Destination, select alias, then click New.

420 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring QoS for Voice
Chapter 20

For Destination Name, enter dhcp-server.

II.

Under Type, click Add.

III. Enter the IP address(es) of the DHCP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V.

Select this alias from the Destination drop-down menu.

For Service, select service, then select svc-dhcp.

For Action, select permit.

For Queue, select High.

Click Add.

Under Rules, click Add.
A.

For Source, select any.

For Destination, select alias, then click New.
I.

For Destination Name, enter tftp-server.

II.

Under Type, click Add.

III. Enter the IP address(es) of the TFTP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V.

Select this alias from the Destination drop-down menu.

For Service, select service, then select svc-tftp.

For Action, select permit.

For Queue, select High.

Click Add.

Click Apply.

Select the User Roles tab. Click Add to add a user role.
A.

For Role Name, enter sccp-phones.

Under Firewall Policies, click Add.

For Choose from Configured Policies, select the previously-configured
sccp-policy from the drop-down menu.

Click Done.

Under Firewall Policies, click Add.

For Choose from Configured Policies, select control from the drop-down
menu.

AOS-W 3.1
User Guide

421

Configuring QoS for Voice
Chapter 20

Click Done.

10. Click Apply.

Using the CLI to configure an SCCP user role:

netdestination dhcp-server
host ipaddr
netdestination tftp-server
host ipaddr
ip access-list session sccp-policy
any any svc-sccp permit queue high
any any svc-tftp permit queue high
any alias dhcp-server svc-dhcp permit queue high
any alias tftp-server svc-tftp permit queue high
user-role sccp-phones
session-acl sccp-policy
session-acl control

Configuring User-Derivation Rules
The user role can be derived from attributes from the client’s association with an
AP. For VoIP phones, you can configure the devices to be placed in their user role
based on the SSID or the Organizational Unit Identifier (OUI) of the client’s MAC
address.
NOTE:

User-derivation rules are executed before the client is authenticated.

Using the WebUI to derive the role based on SSID:
1.

Navigate to the Configuration > Security > Authentication > User Rules
page.

Click Add to add a new set of derivation rules. Enter a name for the set of
rules, and click Add. The name appears in the User Rules Summary list.

In the User Rules Summary list, select the name of the rule set to configure
rules.

Click Add to add a rule. For Set Type, select Role from the drop-down menu.

For Rule Type, select ESSID.

For Condition, select equals.

For Value, enter the SSID used for the phones.

422 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring QoS for Voice
Chapter 20

For Roles, select the user role you previously created.

Click Add.

10. Click Apply.

Using the CLI to derive the role based on SSID:

aaa derivation-rules user name
set role condition essid equals ssid set-value role

Using the WebUI to derive the role based on MAC OUI:
1.

Navigate to the Configuration > Security > Authentication > User Rules
page.

Click Add to add a new set of derivation rules. Enter a name for the set of
rules, and click Add. The name appears in the User Rules Summary list.

In the User Rules Summary list, select the name of the rule set to configure
rules.

Click Add to add a rule. For Set Type, select Role from the drop-down menu.

For Rule Type, select MAC Address.

For Condition, select contains.

For Value, enter the first three octets (the OUI) of the MAC address of the
phones (for example, the Spectralink OUI is 00:09:7a).

For Roles, select the user role you previously created.

Click Add.

10. Click Apply.

Using the CLI to derive the role based on MAC OUI:

aaa derivation-rules user name
set role condition macaddr contains xx:xx:xx set-value role

AOS-W 3.1
User Guide

423

Configuring QoS for Voice
Chapter 20

Optional Configurations
This section describes other voice-related features that you can configure in the
base AOS-W.

Wi-Fi Multimedia
Wi-Fi Multimedia (WMM), is a Wi-Fi Alliance specification based on the IEEE
802.11e wireless Quality of Service (QoS) standard. WMM works with 802.11a,
b, and g physical layer standards.
WMM supports four access categories: voice, video, best effort, and background.
Table 20-42 shows the mapping of the WMM access categories to 802.1D
priority values. The 802.1D priority value is contained in a two-byte QoS control
field in the WMM data frame.

TABLE 20-42 WMM Access Category to 802.1D Priority Mapping
Priority

802.1D Priority

lowest

1
2

WMM Access Category
Background

0
3

Best effort

4
5

Video

6
highest

Voice

Unscheduled Automatic Power Save Delivery (U-APSD) is a component of the
IEEE 802.11e standard that extends the battery life on voice over WLAN devices.
When enabled, clients trigger the delivery of buffered data from the AP by
sending a data frame.
For those environments in which the wireless clients support WMM, you can
enable both WMM and U-APSD in the SSID profile.
NOTE:

Installing the Voice Services Module license in the WLAN Switch allows
you to utilize other WMM-related features described in “Voice Services
Module Features” on page 428.

424 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring QoS for Voice
Chapter 20

Using the WebUI to enable WMM:
1.

Navigate to the Configuration > Wireless > AP Configuration page.

Select either the AP Group or AP Specific tab. Click Edit for the AP group or
AP name.

In the Profiles list, select Wireless LAN. Select Virtual AP, then select the
applicable virtual AP profile. Select the SSID profile.

In the Profile Details, select the Advanced tab.

Scroll down to the Wireless Multimedia (WMM) option. Select (check) this
option.

Click Apply.

Using the CLI to enable WMM:

wlan ssid-profile profile
wmm

Battery Boost
Battery boost converts all multicast traffic to unicast before delivery to the client.
This feature is disabled by default. Enabling this feature on an SSID allows you to
set the DTIM interval from 10 - 100 (the previous allowed values were 1 or 2),
equating to 1,000 - 10,000 milliseconds. This longer interval keeps associated
wireless clients from activating their radios for multicast indication and delivery,
leaving them in power-save mode longer, and thus lengthening battery life. The
DTIM configuration is performed on the WLAN, so no configuration is necessary
on the client.
NOTE:

Although you can enable battery boost on a per-virtual AP basis, it must
be enabled for any SSIDs that support voice traffic.

Although the multicast to unicast conversion generates more traffic, but that
traffic is buffered by the AP and delivered to the client when the client emerges
from power-save mode.
An associated parameter available on some clients is the Listening Interval (LI).
This defines the interval (in number of beacons) after which the client must wake
to read the Traffic Indication Map (TIM). The TIM indicates whether there is
buffered unicast traffic for each sleeping client. With battery boost enabled, the
DTIM is increased but multicast traffic is buffered and delivered as unicast.
Increasing the LI can further increase battery life, but can also decrease client
responsiveness.
You enable the battery boost feature and set the DTIM interval in the SSID profile.

AOS-W 3.1
User Guide

425

Configuring QoS for Voice
Chapter 20

Using the WebUI to enable battery boost:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
z

If you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.

If you select AP Specific, select the name of the AP for which you want
to enable battery boost.

Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the appropriate virtual AP instance.

Select the SSID profile instance to display in the Profile Details section.

Click the Advanced tab.

Scroll down the Advanced options and select the Battery Boost check box.

Scroll up to change the DTIM Interval.

Click Apply.

Using the CLI to enable battery boost:

wlan ssid-profile
battery-boost
dtim-period

WPA Fast Handover
In the 802.1x Authentication profile, the WPA fast handover feature allows certain
WPA clients to use a pre-authorized PMK, significantly reducing handover
interruption. Check with the manufacturer of your handset to see if this feature is
supported. This feature is disabled by default.
NOTE:

This feature supports WPA clients, while opportunistic key caching (also
configured in the 802.1x Authentication profile) supports WPA2 clients.

Using the WebUI to enable WPA fast handover:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
z

If you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.

If you select AP Specific, select the name of the AP for which you want
to enable battery boost.

Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the appropriate virtual AP instance.

426 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring QoS for Voice
Chapter 20

Select AAA profile. Select the 802.1x Authentication Profile to display in the
Profile Details section.

Scroll down to select the WPA-Fast-Handover check box.

Click Apply.

Using the CLI to enable WPA fast handover:
aaa authentication dot1x
wpa-fast-handover

For deployments where there are expected to be considerable delays between the
WLAN Switch and APs (for example, in a remote location where an AP is not in
range of another Alcatel AP), Alcatel recommends that you enable the “local
probe response” option in the SSID profile. (Generating probe responses on the
Alcatel WLAN Switch is an optimization that allows AOS-W to make better
decisions.) This option is enabled by default in the SSID profile. You can also
increase the value for the bootstrap threshold in the AP System profile to
minimize the chance of the AP rebooting due to temporary loss of connectivity
with the Alcatel WLAN Switch.

AOS-W 3.1
User Guide

427

Configuring QoS for Voice
Chapter 20

Voice Services Module Features
This section describes features that require installation of the Voice Services
Module license in the WLAN Switch. For information about obtaining and
installing licenses, see Chapter 19, “Managing Software Feature Licenses”.

Configuring the VoIP CAC Profile
VoIP call admission control prevents any single AP from becoming congested
with voice calls. You configure call admission control options in the VoIP CAC
profile which you apply to an AP group or a specific AP.

Using the WebUI to configure the VoIP CAC profile:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
z

If you select AP Group, click Edit for the AP group name for which you
want to configure VoIP CAC.

If you select AP Specific, select the name of the AP for which you want
to configure VoIP CAC.

In the Profiles list, select QoS.

Select VoIP Call Admission Control profile.

You can select a profile instance from the drop-down menu. Or you can
modify parameters and click Save As to create a new VoIP CAC profile
instance.

To enable CAC options, select VoIP Call Admission Control (this option is
disabled by default).

Click Apply.

Using the CLI to configure the VoIP CAC profile:

wlan voip-cac-profile profile
call-admission-control
parameter value

Disconnecting Excess Calls on a Radio
In the VoIP Call Admission Control (CAC) profile, you can limit the number of
active voice calls allowed on a radio. This feature is disabled by default. When the
disconnect extra call feature is enabled, the system monitors the number of active
voice calls, and if the defined threshold is reached, any new calls are
disconnected. The AP denies association requests from a device that is on call.

428 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring QoS for Voice
Chapter 20

You enable this feature in the VoIP CAC profile. You also need to enable call
admission control, which is disabled by default, in this profile.

Using the WebUI to disconnect excess calls:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
z

If you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.

If you select AP Specific, select the name of the AP for which you want
to enable battery boost.

In the Profiles list, select QoS.

Select the VoIP Call Admission Control profile.

Select the VoIP Call Admission Control check box.

Scroll down to select the VoIP Disconnect Extra Call check box.

You can optionally change the VoIP High-capacity Threshold value.

Click Apply.

Using the CLI to disconnect excess calls:

wlan voip-cac-profile
call-admission-control
disconnect-extra-call
high-capacity-threshold

Enabling VoIP-Aware Scanning in ARM
When you enable CAC options, you should also enable VoIP-aware scanning in
the Adaptive Radio Management (ARM) profile.

Using the WebUI to enable VoIP aware scanning in the ARM profile:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
z

If you select AP Group, click Edit for the AP group name for which you
want to configure IDS.

If you select AP Specific, select the name of the AP for which you want
to configure IDS.

In the Profiles list, select RF Management.

Select Adaptive Radio Management (ARM) Profile.

AOS-W 3.1
User Guide

429

Configuring QoS for Voice
Chapter 20

You can select a profile instance from the drop-down menu. Or you can
modify parameters and click Save As to create a new VoIP CAC profile
instance.

Select (check) the VoIP Aware Scan option.

Click Apply.

Using the CLI to enable VoIP aware scanning in the ARM profile:

rf arm-profile profile
voip-aware-scan

Dynamic WMM Queue Management
Traditional wireless networks provide all clients with equal bandwidth access.
However, delays or reductions in throughput can adversely affect voice and video
applications, resulting in disrupted VoIP conversations or dropped frames in a
streamed video. Thus, data streams that require strict latency and throughput
need to be assigned higher traffic priority than other traffic types.
The Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM) standard in response to
industry requirements for Quality of Service (QoS) support for multimedia
applications for wireless networks. WMM anticipates the ratification of the IEEE
802.11e standard that is currently in development.
WMM requires:

the access point is Wi-Fi Certified and has WMM enabled

the client device is Wi-Fi Certified

the application supports WMM

Enhanced Distributed Channel Access
WMM provides media access prioritization through Enhanced Distributed Channel
Access (EDCA). EDCA defines four access categories (ACs) to prioritize traffic:
voice, video, best effort, and background. These ACs correspond to 802.1d
priority tags, as shown in Table 20-43.

430 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring QoS for Voice
Chapter 20

TABLE 20-43 WMM Access Categories and 802.1d Tags
WMM Access
Category

Description

802.1d Tag

Voice

Highest priority

7, 6

Video

Prioritize video traffic above other data traffic

5, 4

Best Effort

Traffic from legacy devices or traffic from
0, 3
applications or devices that do not support QoS

Background

Low priority traffic (file downloads, print jobs)

2, 1

While the WMM ACs designate specific types of traffic, you can determine the
priority of the ACs. For example, you can choose to give video traffic the highest
priority. With WMM, applications assign data packets to an AC. In the client, the
data packets are then added to one of the transmit queues for voice, video, best
effort, or background.
WMM is an extension to the Carrier Sense Multiple Access with Collision
Avoidance (CSMA/CA) protocol’s Distributed Coordination Function (DCF). The
collision resolution algorithm responsible for traffic prioritization depends on the
following configurable parameters for each AC:

arbitrary inter-frame space number (AIFSN)

minimum and maximum contention window (CW) size

For each AC, the backoff time is the sum of the AIFSN and a random value
between 0 and the CW value. The AC with the lowest backoff time is granted the
opportunity to transmit (TXOP). Frames with the highest-priority AC are more
likely to get TXOP as they tend to have the lowest backoff times (a result of
having smaller AIFSN and CW parameter values). The value of the CW varies
through time as the CW doubles after each collision up to the maximum CW. The
CW is reset to the minimum value after successful transmission. In addition, you
can configure the TXOP duration for each AC.
On the WLAN Switch, you configure the AC priorities in the WLAN EDCA
parameters profile. There are two sets of EDCA profiles you can configure:

AP parameters affect traffic from the AP to the client

STA parameters affect traffic from the client to the AP

Using the WebUI to configure EDCA parameters:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
z

If you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.

AOS-W 3.1
User Guide

431

Configuring QoS for Voice
Chapter 20

If you select AP Specific, select the name of the AP for which you want
to enable battery boost.

Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the appropriate virtual AP instance.

Select the SSID profile. Select the EDCA Parameters Station or EDCA
Parameters AP profile.

You can select a profile instance from the drop-down menu. Or you can
modify parameters and click Save As to create a new EDCA Parameters
profile instance.

Click Apply.

Using the CLI to configure EDCA parameters:

wlan edca-parameters-profile {ap|sta}
To specify the EDCA profile instance in the SSID profile:

wlan ssid-profile
edca-parameters-profile {ap|sta}

TSPEC Signaling Enforcement
A WMM client can send a Traffic Specification (TSPEC) signaling request to the
AP before sending traffic of a specific AC type, such as voice. You can configure
the WLAN Switch so that the TSPEC signaling request from a client is ignored if
the underlying voice call is not active; this feature is disabled by default. If you
enable this feature, you can also configure the number of seconds that a client
must wait to start the call after sending the TSPEC request (the default is one
second).
You enable TSPEC signaling enforcement in the VoIP Call Admission Control
profile.

Using the WebUI to configure TSPEC signaling enforcement:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
z

If you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.

If you select AP Specific, select the name of the AP for which you want
to enable battery boost.

In the Profiles list, select QoS.

Select the VoIP Call Admission Control profile.

432 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring QoS for Voice
Chapter 20

Scroll down to select the VoIP TSPEC Enforcement check box.

You can optionally change the VoIP TSPEC Enforcement Period value.

Click Apply.

Using the CLI to configure TSPEC signaling enforcement:

wlan voip-cac-profile
wmm-tspec-enforcement
wmm-tspec-enforcement-period

WMM Queue Content Enforcement
WMM queue content enforcement is a firewall setting that you can enable to
ensure that the voice priority is used for voice traffic. When this feature is
enabled, if traffic to or from the user is inconsistent with the associated QoS
policy for voice, the traffic is reclassified to best effort and data path counters
incremented. If TSPEC admission were used to reserve bandwidth, then TSPEC
signaling is used to inform the client that the reservation is terminated.

Using the WebUI to enable WMM queue content enforcement:
1.

Navigate to the Configuration > Advanced Services > Stateful Firewall page.

Select Enforce WMM Voice Priority Matches Flow Content.

Click Apply.

Using the CLI to enable WMM queue content enforcement:

firewall wmm-voip-content-enforcement

Voice-Aware 802.1x
Although reauthentication and rekey timers are configurable on a per-SSID basis,
an 802.1x transaction during a call can affect voice quality. If a client is on a call,
802.1x reauthentication and rekey are disabled by default until the call is
completed. You disable or re-enable the “voice aware” feature in the 802.1x
authentication profile.

Using the WebUI to disable voice awareness for 802.1x:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.

AOS-W 3.1
User Guide

433

Configuring QoS for Voice
Chapter 20

If you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.

If you select AP Specific, select the name of the AP for which you want
to enable battery boost.

Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the appropriate virtual AP instance.

Select AAA profile. Select the 802.1x Authentication Profile to display in the
Profile Details section.

Scroll down to deselect the Disable rekey and reauthentication for clients on
call check box.

Click Apply.

Using the CLI to disable voice awareness for 802.1x:

aaa authentication dot1x
no voice-aware

SIP Authentication Tracking
The WLAN Switch supports the stateful tracking of session initiation protocol
(SIP) authentication between a SIP client and a SIP registry server. Upon
successful registration, a user role is assigned to the SIP client (the default role is
guest). You specify a configured user role for the SIP client in the AAA profile.

Using the WebUI to configure the SIP client user role:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
z

If you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.

If you select AP Specific, select the name of the AP for which you want
to enable battery boost.

Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the appropriate virtual AP instance.

Select the AAA profile. Enter the configured user role for SIP authentication
role.

Click Apply.

Using the CLI to configure the SIP client user role:

aaa profile

434 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring QoS for Voice
Chapter 20

sip-authentication-role
Use the show voice sip client-status command to view the state of the client
registration.

SIP Call Setup Keepalive
The SIP invite call setup message is time-sensitive, as the originator retries the
call as quickly as possible if it does not proceed. You can direct the WLAN Switch
to immediately reply to the call originator with a “SIP 100 - trying” message to
indicate that the call is proceeding and to avoid a possible timeout. This is useful
in conditions where the SIP invite may be redirected through a number of servers
before reaching the WLAN Switch/
You enable SIP call setup keepalive in the VoIP Call Admission Control profile.

Using the WebUI to enable SIP call setup keepalive:
1.

Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
z

If you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.

If you select AP Specific, select the name of the AP for which you want
to enable battery boost.

In the Profiles list, select QoS.

Select the VoIP Call Admission Control profile.

Scroll down to select the VoIP Send SIP 100 Trying check box.

Click Apply.

Using the CLI to enable SIP call setup keepalive:

wlan voip-cac-profile
send-sip-100-trying

Mobile IP Home Agent Assignment
When you enable IP mobility in a mobility domain, the proxy mobile IP module
determines the home agent for a roaming client. (See Chapter 15, “Configuring IP
Mobility”.) An option related to voice clients that you can enable allows on-hook
phones to be assigned a new home agent to load balance voice client home
agents across WLAN Switches in the mobility domain.

AOS-W 3.1
User Guide

435

Configuring QoS for Voice
Chapter 20

Using the CLI to enable mobile IP home agent assignment:

ip mobile proxy re-home

436 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface

The Alcatel External Services Interface (ESI) provides an open interface that can
be used to integrate security solutions that solve interior network problems such
as viruses, worms, spyware, and corporate compliance. ESI allows selective
redirection of traffic to external service appliances such as anti-virus gateways,
content filters, and intrusion detection systems. When “interesting” traffic is
detected by these external devices, it can be dropped, logged, modified, or
transformed according to the rules of the device. ESI also permits configuration of
different server groups— with each group potentially performing a different action
on the traffic.
The Alcatel ESI can be configured to do one or more of the following for each
group:

Redirect specified types of traffic to the server

Perform health checks on each of the servers in the group

Perform per-session load balancing between the servers in each group

Provide an interface for the server to return information about the client that
can place the client in special roles such as “quarantine”

ESI also provides the ESI syslog parser, which is a mechanism for interpreting
syslog messages from third-party appliances such as anti-virus gateways,
content filters, and intrusion detection systems. The ESI syslog parser is a generic
syslog parser that accepts syslog messages from external devices, processes
them according to user-defined rules, and then takes configurable actions on
system users.
This chapter describes the following topics:

“Understanding ESI” on page 438

“Understanding the ESI Syslog Parser” on page 440

“ESI Configuration Overview” on page 443

“Example Route-mode ESI Topology” on page 463

“Example NAT-mode ESI Topology” on page 474

“Basic Regular Expression Syntax” on page 481

NOTE:

To use the features described in this chapter, you must install an ESI
software license in the WLAN Switch.

AOS-W 3.1
User Guide

437

External Services Interface
Chapter 21

Understanding ESI
In the example shown in this section, ESI is used to provide an interface to the
AntiVirusFirewall (AVF) server device for providing virus inspection services. An
AVF server device is one of many different types of services supported in the ESI.
Wireless
Users

Untrusted
Interface

AntiVirus
Firewall
Server

Mobility
Controller
Corporate
Network

DMZ/
Internet

Wired Users

Trusted
Interface

arun_007

FIGURE 21-37 The ESI-Fortinet Topology
In the topology shown in Figure 21-37, the clients connect to access points (both
wireless and wired). The wired access points tunnel all traffic back to the WLAN
Switch over the existing network.
The WLAN Switch receives the traffic and redirects relevant traffic (including but
not limited to all HTTP/HTTPS and email protocols such as SMTP and POP3) to
the AVF server device to provide services such as anti-virus scanning, email
scanning, web content inspection, etc. This traffic is redirected on the
“untrusted” interface between the WLAN Switch and the AVF server device. The
WLAN Switch also redirects the traffic intended for the clients—coming from
either the Internet or the internal network. This traffic is redirected on the
“trusted” interface between the WLAN Switch and the AVF server device. The
WLAN Switch forwards all other traffic (for which the AVF server does not
perform any of the required operations such as AV scanning). An example of such
traffic would be database traffic running from a client to an internal server.

438 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

The WLAN Switch can also be configured to redirect traffic only from clients in a
particular role such as “guest” or “non-remediated client” to the AVF server
device. This might be done to reduce the load on the AVF server device if there is
a different mechanism such as the Alcatel-Sygate integrated solution to enforce
client policies on the clients that are under the control of the IT department. These
policies can be used to ensure that an anti-virus agent runs on the clients and the
client can get access to the network only if this agent reports a “healthy” status
for the client. Refer to the paper (available from Sygate) on Sygate integrated
solutions for more details on this solution.
The WLAN Switch is also capable of load balancing between multiple external
server appliances. This provides more scalability as well as redundancy by using
multiple external server appliances. Also, the WLAN Switch can be configured to
have multiple groups of external server devices and different kinds of traffic can
be redirected to different groups of devices—with load balancing occurring within
each group (see Figure 21-38 for an example).

Email Group

Wireless
Users

Load
Balancing

HTTP
Group

Corporate
Network

DMZ/
Internet

Wired Users

arun_003

FIGURE 21-38 Load Balancing Groups

AOS-W 3.1
User Guide

439

External Services Interface
Chapter 21

Understanding the ESI Syslog Parser
The ESI syslog parser adds a UNIX-style regular expression engine for parsing
relevant fields in messages from third-party appliances such as anti-virus
gateways, content filters, and intrusion detection systems.
The user creates a list of rules that identify the type of message, the username to
which this message pertains, and the action to be taken when there is a match on
the condition.

ESI Parser Domains
The ESI servers are configured into ESI parser domains (see Figure 21-39) to
which the rules will be applied. This condition ensures that only messages
coming from configured ESI parser domains are accepted, and reduces the
number of rules that must be examined before a match is detected (see “Syslog
Parser Rules” on page 442).

Domain Fortinet

Domain Acme

Fortinet 1
10.1.1.1

Acme 1
10.2.2.1
Mobility
Controller

Fortinet 2
10.1.1.2

Fortinet 3
10.1.1.3

Acme 2
10.2.2.2

Access
Point

Acme 3
10.2.2.3
arun_006

FIGURE 21-39 ESI Parser Domains
The ESI syslog parser begins with a list of configured IP interfaces to which it
listens for ESI messages. When a syslog message is received, it is checked
against the list of defined ESI servers. If a server match is found, the message is
then tested against the list of predefined rules.

440 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

Within the rule-checking process, the incoming message is checked against the
list of rules to search first for a condition match (see “Syslog Parser Rules” on
page 442). If a condition match is made, and the user name can be extracted from
the syslog message, the resulting user action is processed by first attempting to
look up the user in the local user table. If the user is found, the appropriate action
is taken on the user. The default behavior is to look for users only on the local
WLAN Switch. If the user is not found, the event is meaningless and is ignored.
This is the typical situation when a single WLAN Switch is connected to a
dedicated ESI server.

Peer WLAN Switches
As an alternative, consider a topology where multiple WLAN Switches share one
or more ESI servers (see Figure 21-40).

ESI Server Group
Fortinet Server
30.0.0.1

Fortinet Server
30.0.0.2

Fortinet Server
30.0.0.3

Peer Controllers

Master Mobility Controller
10.0.0.1

Wireless Client
Jack

Local Mobility Controller
20.0.0.1

Wireless Client
Joe
arun_002

FIGURE 21-40 Peer WLAN Switches
In this scenario, several WLAN Switches (master and local) are defined in the
same syslog parser domain and are also configured to act as peers. From the
standpoint of the ESI servers—because there is no good way of determining from
which WLAN Switch a given user came—the event is flooded out to all WLAN
Switches defined as peers within this ESI parser domain. The corresponding
WLAN Switch holding the user entry acts on the event, while other WLAN
Switches ignore the event.

AOS-W 3.1
User Guide

441

External Services Interface
Chapter 21

Syslog Parser Rules
The user creates an ESI rule by using characters and special operators to specify a
pattern (regular expression) that uniquely identifies a certain amount of text
within a syslog message. (Regular expression syntax is described in “Basic
Regular Expression Syntax” on page 481.) This “condition” defines the type of
message and the ESI domain to which this message pertains. The rule contains
three major fields:

Condition: The pattern that uniquely identifies the syslog message type.

User: The username identifier. It can be in the form of a name, MAC address,
or IP address.

Action: The action to take when a rule match occurs.

Once a condition match has been made, no further rule-matching will be made.
For the rule that matched, only one action can be defined.
After a condition match has been made, the message is parsed for the user
information. This is done by specifying the target region with the regular
expression (REGEX) regex() block syntax. This syntax generates two blocks: The
first block is the matched expression; the second block contains the value inside
the parentheses. For username matching, the focus is on the second block, as it
contains the username.

Condition Pattern Matching
The following description uses the Fortigate virus syslog message format as an
example to describe condition pattern matching. The Fortigate virus syslog
message takes the form:
< Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 >

This message example contains the Fortigate virus log ID number 0100030101
(“log_id=0100030101”), which can be used as the condition—the pattern that
uniquely identifies this syslog message.
The parser expression that matches this condition is “log_id=0100030101,” which
is a narrow match on the specific log ID number shown in the message, or
“log_id=[0–9]{10}[ ],” which is a regular expression that matches any Fortigate log
entry with a ten-digit log ID followed by a space.

User Pattern Matching
To extract the user identifier in the example Fortigate virus message shown above
(“src=1.2.3.4”), use the following expression, src=(.*)[ ], to parse the user
information contained between the parentheses. The () block specifies where the
username will be extracted. Only the first block will be processed.

442 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

More examples:
Given a message wherein the username is a MAC address:
< Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected mac 00:aa:bb:cc:dd:00 >

The expression “mac[ ](.{17})” will match “mac 00:aa:bb:cc:dd:00” in the example
message.
Given a message wherein the username is a user name:
< Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected user >

The expression “user<(.*)>” will match “user” in the example message.

ESI Configuration Overview
You can use the following interfaces to configure and manage ESI and ESI syslog
parser behavior:

The Web user interface (WebUI), which is accessible through a standard Web
browser from a remote management console or workstation.

The command line interface (CLI), which is accessible from a local console
device connected to the serial port on the WLAN Switch or through a Telnet
or Secure Shell (SSH) connection from a remote management console or
workstation.
NOTE:

By default, you can access the CLI only from the serial port or from
an SSH session. To use the CLI in a Telnet session, you must
explicitly enable Telnet on the WLAN Switch.

The Alcatel Mobility Manager System, which is a suite of applications for
monitoring multiple master WLAN Switches and their related local WLAN
Switches and APs. Each application provides a Web-based user interface.
The Alcatel Mobility Manager System is available as an integrated appliance
and as a software application that runs on a dedicated system. See the
Mobility Manager User Guide for more information.

For more information about using these interfaces, see Chapter 18, “Configuring
Management Access”.
NOTE:

The general configuration descriptions in the following sections include
both the WebUI pages and the CLI configuration commands. The
configuration overview section is followed by several examples that
show specific configuration procedures.

AOS-W 3.1
User Guide

443

External Services Interface
Chapter 21

In general, there are three ESI configuration “phases” on the WLAN Switch as a
part of the solution:

The first phase configures the ESI ping health-check method, servers, and
server groups.The term server here refers to external server devices—for
example, an AVF.

The second phase configures the redirection policies instructing the WLAN
Switch how to redirect the different types of traffic to different server groups.

The final phase configures the ESI syslog parser domains and the rules that
interpret and act on syslog message contents.

NOTE:

The procedures shown in the following sections are general descriptions.
Your application might be broader or narrower than this example, but the
same general operations apply.

Health-Check Method, Groups, and Servers
To configure the ESI health-check method, servers, and server groups, navigate to
the Configuration > Advanced Services > External Services view on the WebUI
(see Figure 21-41).

FIGURE 21-41 The External Services View

444 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

Defining the Ping Health-Check Method
Using the WebUI to Configure a Health-Check Method
To configure a health check profile:
1.

Navigate to the Configuration > Advanced Services > External Services
page on the WebUI.

Click Add in the Health Check Configuration section.
(To change an existing profile, click Edit.)

Provide the following details:
A.

Enter a Profile Name.

Frequency (secs)—Indicates how often the WLAN Switch checks to see
if the server is up and running. Default: 5 seconds.

Timeout (secs)—Indicates the number of seconds the WLAN Switch
waits for a response to its health check query before marking the health
check as failed. Default: 2 seconds.

Retry count—Is the number of failed health checks after which the WLAN
Switch marks the server as being down. Default: 2.

Click Done when you are finished.

To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)

Using the CLI to Configure a Health-Check Method
Use these CLI commands to configure a health-check method:

esi ping profile_name
frequency seconds
retry-count count
timeout seconds
For example:

esi ping default
frequency 5
retry-count 2

AOS-W 3.1
User Guide

445

External Services Interface
Chapter 21

Defining the ESI Server
The following sections describe how to configure an ESI server using the WebUI
and CLI.

Using the WebUI to Configure an ESI Server
To configure an ESI server:
1.

Navigate to the Configuration > Advanced Services > External Services
page on the WebUI.

Click Add in the External Servers section.

Provide the following details:
A.

Server Name.

Server Group. Use the drop-down list to assign this server to a group
from the existing configured groups.

Server Mode. Use the drop-down list to choose the mode (bridge, nat, or
route) your topology requires. Refer to the description above to
understand the differences between these modes.
–

For routed mode, enter the Trusted IP Address (the IP address of the
trusted interface on the external server device) and the Untrusted IP
Address (the IP address of the untrusted interface on the external
server device). (You can also choose to enable a health check on
either or both of these interfaces.)

–

For bridged mode, enter the Trusted Port number (the port
connected to the trusted side of the ESI server) and the Untrusted
Port number (the port connected to the untrusted side of the ESI
server).

–

For NAT mode, enter the Trusted IP Address (the trusted interface
on the external server) and the NAT Destination Port number (the
port a packet is redirected to rather than the original destination port
in the packet). (You can also choose to enable a health check on the
trusted IP address interface.)

Click Done when you are finished.

To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)

Using the CLI to Configure an ESI Server
Use these CLI commands to configure an ESI server and identify its associated
attributes:

esi server server_identity
dport destination_tcp/udp_port
mode {bridge | nat | route}
446 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

trusted-ip-addr ip-addr [health-check]
trusted-port slot/port
untrusted-ip-addr ip-addr [health-check]
untrusted-port slot/port
For example:

esi server forti_1
mode route
trusted-ip-addr 10.168.172.3
untrusted-ip-addr 10.168.171.3

Defining the ESI Server Group
The following sections describe how to configure an ESI server group using the
WebUI and CLI.

Using the WebUI to Configure an ESI Server Group
To configure an ESI server group on the WLAN Switch:
1.

Navigate to the Configuration > Advanced Services > External Services
page.

Click Add in the Server Groups section.
(To change an existing group, click Edit.)

Provide the following details:
A.

Enter a Group Name.

In the drop-down list, select a health check profile.

Click Done when you are finished.

To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)

Using the CLI to Configure an ESI Server Group
Use these CLI commands to configure an ESI server group, identify its associated
ping health-check method, and associate a server with this group:

esi group name
ping profile_name
server server_identity
For example:

esi group fortinet
ping default
server forti_1

AOS-W 3.1
User Guide

447

External Services Interface
Chapter 21

Redirection Policies and User Role
The following sections describe how to configure the redirection policies and user
role using the WebUI and CLI.

Using the WebUI to Configure the User Role
To configure user roles to redirect the required traffic to the server(s), navigate to
the Configuration > Access Control > User Roles view (see Figure 21-42).

FIGURE 21-42 The User Roles View
1.

To add a new role, click Add.
(To change an existing role, click Edit for the firewall policy to be changed.)
The WebUI displays the User Roles tab on top (see Figure 21-43).

FIGURE 21-43 The Add Role View

448 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

Role Name. Enter the name for the role.

To add a policy for the new role, click Add in the Firewall Policies section.
The WebUI expands the Firewall Policies section (see Figure 21-44).

FIGURE 21-44 Firewall Polices Choices
Choose from existing configured policies, create a new policy based on
existing policies, or create a new policy.
A.

If you elect to create a new policy, click on the radio button for Create
New Policy and then click Create.
The WebUI displays the Policies tab (see Figure 21-45).

FIGURE 21-45 Firewall Policy Attributes
B.

In the Policies tab:
a.

Policy Name. Provide the policy name and select the policy type
from the drop-down list.

AOS-W 3.1
User Guide

449

External Services Interface
Chapter 21

The WebUI expands the Policies tab (see Figure 21-46).

FIGURE 21-46 Setting Firewall Policy Parameters
b.

In the drop-down lists, choose parameters such as source,
destination, service in the same way as other firewall policy
rules.
For certain choices, the WebUI expands and adds drop-down
lists (see Figure 21-47).

FIGURE 21-47 Selecting Parameters in Drop-down Lists

In the Action drop-down menu, select the redirect to ESI group
option.

In the Action drop-down menu, select the appropriate ESI group.

Select the traffic direction. Forward refers to the direction of
traffic from the (untrusted) client or user to the (trusted) server
(such as the HTTP server or email server).

To add this rule to the policy, click Add.

Repeat the steps to configure additional rules.

450 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

Click Done to return to the User Roles tab.
The WebUI returns to the User Roles tab (see Figure 21-42 on page 448).

To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)

Refer to Chapter 7, “Configuring Roles and Policies,” for directions on how to
apply a policy to a user role.

Using the CLI to Configure Redirection and User Role
Use these commands to define the redirection filter for sending traffic to the ESI
server and apply the firewall policy to a user role.

ip access-list session policy
any any any redirect esi-group group direction both blacklist
//For any incoming traffic, going to any destination,
//redirect the traffic to servers in the specified ESI group.
any any any permit
//For everything else, allow the traffic to flow normally.
user-role role
access-list {eth | mac | session}
bandwidth-contract name
captive-portal name
dialer name
pool {l2tp | pptp}
reauthentication-interval minutes
session-acl name
vlan vlan_id
For example:

ip access-list session fortinet
any any svc-http redirect esi-group fortinet direction both blacklist
any any any permit
user-role guest
access-list session fortinet

AOS-W 3.1
User Guide

451

External Services Interface
Chapter 21

ESI Syslog Parser Domains and Rules
To configure the ESI syslog parser, navigate to the Configuration > Advanced
Services > External Services view on the WebUI (see Figure 21-48).

FIGURE 21-48 The External Services View

Managing Syslog Parser Domains
The following sections describe how to manage syslog parser domains using the
WebUI and CLI.

452 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

Using the WebUI to Manage Syslog Parser Domains
Click on the Syslog Parser Domains tab to display the Syslog Parser Domains
view (see Figure 21-49).

FIGURE 21-49 The Syslog Parser Domains View
This view lists all the domains by domain name and server IP address, and
includes a list of peer WLAN Switches (when peer WLAN Switches have been
configured—as described in “Peer WLAN Switches” on page 441).

Adding a New Syslog Parser Domain
To add a new syslog parser domain:
1.

Click Add in the Syslog Parser Domains section.

AOS-W 3.1
User Guide

453

External Services Interface
Chapter 21

The system displays the add domain view (see Figure 21-50).

FIGURE 21-50 The Add Domain View
2.

In the Domain Name text box, type the name of the domain to be added.

In the Server (IP Address) text box, type a valid IP address.
NOTE:

You must ensure that you type a valid IP address, because the IP
address you type is not automatically validated against the list of
external servers that has been configured.

Click << Add.

Click Apply.

Deleting an Existing Syslog Parser Domain
To delete an existing parser domain:
1.

Identify the target parser domain in the list shown in the Domain section of
the Syslog Parser Domains view.

Click Delete on the same row in the Actions column.

Editing an Existing Syslog Parser Domain
To change an existing syslog parser domain:
1.

Identify the target parser domain in the list shown in the Syslog Parser
Domains view (see Figure 21-49 on page 453).

454 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

Click Edit on the same row in the Actions column.
The system displays the edit domain view (see Figure 21-51).

FIGURE 21-51 The Edit Domain View
NOTE:

You cannot modify the domain name when editing a parser domain.

To delete a server from the selected domain, highlight the server IP address
and click >> Delete, then click Apply to commit the change.

To add a server or a peer WLAN Switch to the selected domain, type the
server IP address into the text box next to the << Add button, click << Add,
then click Apply to commit the change, or click Cancel to discard the
changes you made and exit the parser domain editing process.

When you make a change in the domain, you can click the View Commands link
in the lower right corner of the window to see the CLI command that corresponds
to the edit action you performed.

Using the CLI to Manage Syslog Parser Domains
Use these CLI commands to manage syslog parser domains.

Adding a New Syslog Parser Domain

esi parser domain name
peer peer-ip
server ipaddr
Showing ESI Syslog Parser Domain Information

show esi parser domains
AOS-W 3.1
User Guide

455

External Services Interface
Chapter 21

Deleting an Existing Syslog Parser Domain

no esi parser domain name
Editing an Existing Syslog Parser Domain

esi parser domain name
no
peer peer-ip
server ipaddr
For example (based on the example shown in Figure 21-40 on page 441):

esi parser domain forti_domain
server 30.0.0.1
server 30.0.0.2
server 30.0.0.3
peer 20.0.0.1

Managing Syslog Parser Rules
The following sections describe how to manage syslog parser domains using the
WebUI and CLI.

Using the WebUI to Manage Syslog Parser Rules
Click on the Syslog Parser Rules tab to display the Syslog Parser Rules view
(see Figure 21-52).

FIGURE 21-52 The Syslog Parser Rules View

456 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

This view displays a table of rules with the following columns:

Rule name

Ena—where “y” indicates the rule is enabled and “n” indicates the rule is
disabled (not enabled)

Condition—Match condition (a regular expression)

Match—Match type (IP address, MAC address, or user)

User—Match pattern (a regular expression)

Set—Set type (blacklist or role)

Value—Set value (role name)

Domain—Parser domain to which this rule is to be applied

Actions—The actions that can be performed on each rule.

Adding a New Parser Rule
To add a new syslog parser rule:
1.

Click Add in the Syslog Parser Rules view.
The system displays the new rule view (see Figure 21-53).

FIGURE 21-53 The New Rule View
2.

In the Rule Name text box, type the name of the rule to be added.

Click the Enable checkbox to enable the rule.

In the Condition Pattern text box, type the regular expression to be used as
the condition pattern.

AOS-W 3.1
User Guide

457

External Services Interface
Chapter 21

For example, “log_id=[0–9]{10}[ ]” to search for and match a 10-digit string
preceded by “log_id=” and followed by one space.
5.

In the drop-down Match list, use the drop-down menu to select the match
type (ipaddr, mac, or user).

In the Match Pattern text box, type the regular expression to be used as the
match pattern.
For example, if you selected “mac” as the match type, type the regular
expression to be used as the match pattern. You could use “mac[ ](.{17})” to
search for and match a 17-character MAC address preceded by the word
“mac” plus one space.

In the drop-down Set list, select the set type (blacklist or role).
When you select role as the Set type, the system displays a second
drop-down list. Click the list to display the possible choices and select the
appropriate role value. Validation on the entered value will be based on the
Set selection.

In the drop-down Parser Group list, select one of the configured parser
domain names.

Deleting a Syslog Parser Rule
To delete an existing syslog parser rule:
1.

Identify the target parser rule in the list shown in the Syslog Parser Rules
view.

Click Delete on the same row in the Actions column.

Editing an Existing Syslog Parser Rule
To change an existing syslog parser rule:
1.

Identify the target parser rule in the list shown in the Syslog Parser Rules
view (see Figure 21-52).

Click Edit on the same row in the Actions column.

458 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

The system displays the attributes for the selected rule (see Figure 21-54).

FIGURE 21-54 The Edit Rule View
NOTE:
3.

You cannot modify the rule name when editing a parser rule.

Change the other rule attributes as required:
A.

Click the Enable checkbox to enable the rule.

In the Condition Pattern text box, type the regular expression to be used
as the condition pattern.

In the drop-down Match list, select the match type (ipaddr, mac, or user).

In the Match Pattern text box, type the regular expression to be used as
the match pattern.

In the drop-down Set list, select the set type (blacklist or role).
When you select role as the Set type, the system displays a second
drop-down list. Click the list to display the possible choices and select
the appropriate role value. Validation on the entered value will be based
on the Set selection.

NOTE:

In the drop-down Parser Group list, select one of the configured parser
domain names.
At this point, you can test the rule you just edited by using the Test
section of the edit rule view. You can also test rules outside the add or
edit processes by using the rule test in the Syslog Parser Test view
(accessed from the External Services page by clicking the
Syslog Parser Test tab, described in “Testing a Parser Rule” on
page 460.

Click Apply to commit the change, or click Cancel to discard the changes you
made and exit the rule editing process.

AOS-W 3.1
User Guide

459

External Services Interface
Chapter 21

Testing a Parser Rule
You can test or validate enabled Syslog Parser rules against a sample syslog
message, or against a syslog message file containing multiple syslog messages.
Access the parser rules test from the External Services page by clicking the
Syslog Parser Test tab, which displays the Syslog Parser Rule Test view
(see Figure 21-55).

FIGURE 21-55 The Syslog Parser Rule Test View

To test against a sample syslog message:
A.

In the drop-down Test Type list, select Syslog message as the test
source type.

In the Message text box, type the syslog message text.

Click Test to start the test.

The test results are displayed in a box in the area below the Test button. The
test results contain information about the matching rule and match pattern.

To test against a syslog message file:
A.

In the drop-down Test Type list, select Syslog file as the test type.

In the Filename text box, type the syslog file name.

Click Test to start the test.

The test results are displayed in a box in the area below the Test button. The
test results contain information about the matching rule and match pattern.

460 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

Using the CLI to Manage Syslog Parser Rules
Use these CLI commands to manage syslog parser rules.

Adding a New Parser Rule

esi parser rule rule-name
condition expression
domain name
enable
match {ipaddr expression | mac expression | user expression}
position position
set {blacklist | role role}
For example:

esi parser rule forti_virus
condition “log_id=[0-9]{10}[ ]”
match “src=(.*)[ ]”
set blacklist
enable
Showing ESI Syslog Parser Rule Information

show esi parser rules
Deleting a Syslog Parser Rule

no esi parser rule rule-name
Editing an Existing Syslog Parser Rule

esi parser rule rule-name
condition expression
domain name
enable
match {ipaddr expression | mac expression | user expression}
no
position position
set {blacklist | role role}
Testing a Parser Rule

esi parser rule rule-name
test {file filename | msg message}

AOS-W 3.1
User Guide

461

External Services Interface
Chapter 21

Monitoring Syslog Parser Statistics
The following sections describe how to monitor syslog parser statistics using the
WebUI and CLI.

Using the WebUI to Monitor Syslog Parser Statistics
You can monitor syslog parser statistics in the External Servers monitoring page
(see Figure 21-56), accessed by selecting Monitoring > Switch >
External Services Interface > Syslog Parser Statistics.

FIGURE 21-56 The Syslog Parser Statistics View
The Syslog Parser Statistics view displays statistics such as the number of
matches and number of users per rule, as well as the number of respective
actions fired by the syslog parser.
NOTE:

The Syslog Parser Statistics view also displays the last refresh time
stamp and includes a Refresh Now button, to allow the statistics
information to be refreshed manually. There is no automatic refresh on
this page.

Using the CLI to Monitor Syslog Parser Statistics
show esi parser stats

462 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

Example Route-mode ESI Topology
This section introduces the configuration for a sample route-mode topology using
the WLAN Switch and Fortinet Anti-Virus gateways. In route mode, the trusted
and untrusted interfaces between the WLAN Switch and the Fortinet gateways
are on different subnets. Figure 21-57 shows an example route-mode topology.
NOTE:

ESI with Fortinet Anti-Virus gateways is supported only in route mode.

Core Router (default gateway)
= 10.168.172.1/24

Trusted interface IP
address = 10.168.172.1/24

Trusted interface IP
address = 10.168.172.3/24

Fortinet Gateway

Mobility Controller
Untrusted interface IP
address = 10.168.171.1/24

Untrusted interface IP
address = 10.168.171.3/24

Wireless User Subnet
= 10.168.173.0/24

arun_004

FIGURE 21-57 Example Route-Mode Topology
In the topology shown, the following configurations are entered on the WLAN
Switch and Fortinet gateway:

ESI Server configuration on WLAN Switch:

Trusted IP address = 10.168.172.3 (syslog source)

Untrusted IP address = 10.168.171.3

Mode = route

AOS-W 3.1
User Guide

463

External Services Interface
Chapter 21

IP routing configuration on Fortinet Gateway:

Default gateway (core router) = 10.168.172.1

Static route for wireless user subnet (10.168.173.0/24) through the WLAN
Switch (10.168.171.2)

Configuring the Example Routed ESI Topology
This section describes how to implement the example routed ESI topology shown
in Figure 21-57 on page 463. The description includes the relevant configuration—
both the WebUI and the CLI configuration processes are described—required on
the WLAN Switch to integrate with a AVF server appliance.
The ESI configuration process will redirect all HTTP user traffic to the Fortinet
server for examination, and any infected user will be blacklisted. The
configuration process consists of these general tasks:

Defining the ESI server.

Defining the default ping health check method.

Defining the ESI group.

Defining the HTTP redirect filter for sending HTTP traffic to the ESI server.

Applying the firewall policy to the guest role.

Defining ESI parser domains and rules.

There are three configuration “phases” on the WLAN Switch as a part of the
solution.

The first phase configures the ESI ping health-check method, servers, and
server groups.The term server here refers to external AVF server devices.

In the second phase of the configuration task, the user roles are configured
with the redirection policies (session ACL definition) instructing the WLAN
Switch to redirect the different types of traffic to different server groups.

In the final phase, the ESI parser domains and rules are configured.

NOTE:

The procedures shown in the following sections are based on the
requirements in the example routed ESI topology. Your application might
be broader or narrower than this example, but the same general
operations apply.

464 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

Defining the Ping Health-Check Method
Using the WebUI to Configure a Health-Check Method
To configure a health check profile:
1.

Navigate to the Configuration > Advanced Services > External Services
page on the WebUI.

Click Add in the Health Check Configuration section.
(To change an existing profile, click Edit.)

Provide the following details:
A.

Enter enter the name default for the Profile Name.

Frequency (secs)—Enter 5.)

Timeout (secs)—Indicates the number of seconds the WLAN Switch
waits for a response to its health check query before marking the health
check as failed. Default: 2 seconds. (In this example, enter 3.)

Retry count—Is the number of failed health checks after which the WLAN
Switch marks the server as being down. Default: 2. (In this example,
enter 3.)

Click Done when you are finished.

To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)

Using the CLI to Configure a Health-Check Method
Use these CLI commands to configure a health-check method:

esi ping profile_name
frequency seconds
retry-count count
timeout seconds
For example:

esi ping default
frequency 5
retry-count 3
timeout 3

AOS-W 3.1
User Guide

465

External Services Interface
Chapter 21

Defining the ESI Server
The following sections describe how to configure an ESI server using the WebUI
and CLI.

Using the WebUI to Configure an ESI Server
To configure an ESI server:
1.

Navigate to the Configuration > Advanced Services > External Services
page on the WebUI.

Click Add in the External Servers section.

Provide the following details:
A.

Server Name. (This example uses the name forti_1.)

Server Group. Use the drop-down list to assign this server to a group
from the existing configured groups. (This example uses fortinet.)

Server Mode. Use the drop-down list to choose the mode (bridge, nat, or
route) your topology requires. Refer to the description above to
understand the differences between the modes. (This example uses
route mode.)

Trusted IP Address. Enter 10.168.172.3.)

Untrusted IP Address. Enter 10.168.171.3.)

Click Done when you are finished.

To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)

Using the CLI to Configure an ESI Server
Use these CLI commands to configure an ESI server and identify its associated
attributes:

esi server server_identity
dport destination_tcp/udp_port
mode {bridge | nat | route}
trusted-ip-addr ip-addr [health-check]
trusted-port slot/port
untrusted-ip-addr ip-addr [health-check]
untrusted-port slot/port
For example:

esi server forti_1
mode route
trusted-ip-addr 10.168.172.3
untrusted-ip-addr 10.168.171.3
466 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

Defining the ESI Server Group
The following sections describe how to configure an ESI server group using the
WebUI and CLI.

Using the WebUI to Configure an ESI Server Group
To configure an ESI server group on the WLAN Switch:
1.

Navigate to the Configuration > Advanced Services > External Services
page.

Click Add in the Server Groups section.

Provide the following details:
A.

Enter a Group Name. Enter fortinet.)

In the drop-down list, select default as the health check profile.

Click Done when you are finished.

To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)

Using the CLI to Configure an ESI Server Group
Use these CLI commands to configure an ESI server group, identify its associated
ping health-check method, and associate a server with this group:

esi group name
ping profile_name
server server_identity
For example:

esi group fortinet
ping default
server forti_1

AOS-W 3.1
User Guide

467

External Services Interface
Chapter 21

Redirection Policies and User Role
The following sections describe how to configure the redirection policies and user
role using the WebUI and CLI.

FIGURE 21-58 The User Roles View
1.

To add a new role, click Add.
The WebUI displays the Add Role view (see Figure 21-59).

FIGURE 21-59 The Add Role View
2.

Role Name. Enter “guest” as the name for the role.

468 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

To add a policy for the new role, click Add in the Firewall Policies section.
The WebUI expands the Firewall Policies section (see Figure 21-60).

FIGURE 21-60 Firewall Polices Choices
Choose from existing configured policies, create a new policy based on
existing policies, or create a new policy.
A.

If you elect to create a new policy, click on the radio button for Create
New Policy and then click Create.
The WebUI displays the Policies tab (see Figure 21-61).

FIGURE 21-61 Firewall Policy Attributes
B.

In the Policies tab:
a.

Policy Name. Enter the policy name fortinet and the session
type.) Click Add to proceed.

AOS-W 3.1
User Guide

469

External Services Interface
Chapter 21

The WebUI expands the Policies tab (see Figure 21-62).

FIGURE 21-62 Setting Firewall Policy Parameters
b.

In the drop-down lists, choose parameters such as source,
destination, service in the same way as other firewall policy
rules. (This example uses any source, any destination, service
type svc-http (tcp 80),
For certain choices, the WebUI expands and adds drop-down
lists (see Figure 21-63).

FIGURE 21-63 Selecting Parameters in Drop-down Lists
c.

In the Action drop-down menu, select the redirect to ESI group
option.

Select fortinet as the appropriate ESI group.
The three steps above translate to “for any incoming HTTP
traffic, going to any destination, redirect the traffic to servers in
the ESI group named fortinet.”)

470 AOS-W 3.1
User Guide

Select both as the traffic direction. Forward refers to the
direction of traffic from the (untrusted) client or user to the
(trusted) server (such as the HTTP server or email server).
032063-00 Rev A
February 2007

External Services Interface
Chapter 21

To add this rule to the policy, click Add.

Repeat the steps to configure additional rules. (This example adds a rule
that specifies any, any, any, permit.)

Click Done to return to the User Roles tab.

To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)

Refer to Chapter 7, “Configuring Roles and Policies,” for directions on how to
apply a policy to a user role.

Using the CLI to Configure the User Role
Use these commands to define the redirection filter for sending traffic to the ESI
server and apply the firewall policy to a user role in the route-mode ESI topology
example.

ip access-list session fortinet
any any svc-http redirect esi-group fortinet direction both blacklist
any any any permit
user-role guest
access-list session fortinet

AOS-W 3.1
User Guide

471

External Services Interface
Chapter 21

Syslog Parser Domain and Rules
The following sections describe how to configure the syslog parser domain and
rules for the route-mode example using the WebUI and CLI.

Using the WebUI to Add a New Syslog Parser Domain
To add a new syslog parser domain for the routed example:
1.

Click Add in the Syslog Parser Domains tab (Advanced Services > External
Services > Syslog Parser Domain).
The system displays the new domain view (see Figure 21-50 on page 454).

In the Domain Name text box, type the name of the domain to be added.

In the Server (IP Address) text box, type a valid IP address.
NOTE:

You must ensure that you type a valid IP address, because the IP
address you type is not automatically validated against the list of
external servers that has been configured.

Click << Add.

Click Apply.

Using the WebUI to Add a New Parser Rule
To add a new syslog parser rule for the route-mode example:
1.

Click Add in the Syslog Parser Rules tab (Advanced Services > External
Services > Syslog Parser Rule).
The system displays the new rule view (see Figure 21-53 on page 457).

In the Rule Name text box, type the name of the rule to be added (in this
example, “forti_virus”).

Click the Enable checkbox to enable the rule.

In the Condition Pattern text box, type the regular expression to be used as
the condition pattern. (In this example, the expression “log_id=[0–9]{10}[ ]”
searches for and matches a 10-digit string preceded by “log_id=” and
followed by one space.)

In the drop-down Match list, use the drop-down menu to select the match
type (in this example, ipaddr).

In the Match Pattern text box, type the regular expression to be used as the
match pattern (in this example, “src=(.*)[ ]”).

In the drop-down Set list, select the set type (in this example, blacklist).

In the drop-down Parser Group list, select one of the configured parser
domain names (in this example, “forti_domain”).

472 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

Click Apply.

Using the CLI to Define a New Syslog Parser Domain and Rules
Use these CLI commands to define a syslog parser domain and the rule to be
applied in the route-mode example shown in Figure 21-57 on page 463.

esi parser domain name
peer peer-ip
server ipaddr
esi parser rule rule-name
condition expression
domain name
enable
match {ipaddr expression | mac expression | user expression }
position position
set {blacklist | role role}
For example:

esi parser domain forti_domain
server 10.168.172.3
esi parser rule forti_virus
condition “log_id=[0-9]{10}[ ]”
match ipaddr “src=(.*)[ ]”
set blacklist
enable

AOS-W 3.1
User Guide

473

External Services Interface
Chapter 21

Example NAT-mode ESI Topology
This section describes the configuration for a sample NAT-mode topology using
the WLAN Switch and three external captive-portal servers. NAT mode uses a
trusted interface for each external captive-portal server and a different destination
port to redirect a packet to a port other than the original destination port in the
packet. An example topology is shown below in Figure 21-64.

External Captive
Portal Servers
10.1.1.1
Access Points

10.1.1.2

10.1.1.3

Mobility Controller
arun_001

FIGURE 21-64 Example NAT-Mode Topology
In this example, all HTTP traffic received by the WLAN Switch is redirected to the
external captive portal server group and load-balanced across the captive portal
servers. All wireless client traffic with destination port 80 is redirected to the
captive portal server group, with the new destination port 8080.
NOTE:

The external servers do not necessarily have to be on the subnet as the
WLAN Switch. The policy that redirects traffic to the external servers for
load balancing is routed to the external servers if they are on a different
subnet.

474 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

In the topology shown, the following configurations are entered on the WLAN
Switch and external captive-portal servers:

ESI Server configuration on the WLAN Switch:

External captive-portal server 1:
z

Name = external_cp1

Mode = NAT

Trusted IP address = 10.1.1.1

Alternate destination port = 8080

External captive-portal server 2:
z

Name = external_cp2

Mode = NAT

Trusted IP address = 10.1.1.2

External captive-portal server 3:
z

Name = external_cp3

Mode = NAT

Trusted IP address = 10.1.1.3

Health-check ping:
z

Name = externalcp_ping

Frequency = 30 seconds

Retry-count = 2 attempts

Timeout = 2 seconds (2 seconds is the default)

ESI group = external_cps

Session access control list (ACL)
z

Name = cp_redirect_acl

Session policy = user any svc-http redirect esi-group external_cps
direction both

Configuring the Example NAT-mode ESI Topology
This section describes how to implement the example NAT-mode ESI topology
shown in Figure 21-64 on page 474 using both the WebUI, then the CLI.
The configuration process consists of these general tasks:

Configuring captive portal (see the “Configuring Captive Portal” chapter).

Configuring the health-check ping method.

AOS-W 3.1
User Guide

475

External Services Interface
Chapter 21

Configuring the ESI servers.

Configuring the ESI group.

Defining the redirect filter for sending traffic to the ESI server.

Using the WebUI to Configure the NAT-mode ESI Example
Navigate to the Configuration > Advanced Services > External Services view on
the WebUI (see Figure 21-41 on page 444).

Using the WebUI to configure the Health-Check Ping Method
1.

Click Add in the Health-Check Configuration section External Services view
on the WebUI.

Provide the following details:
A.

Profile Name. (This example uses externalcp_ping.)

Frequency (seconds). (This example uses 30.)

Retry Count. (This example uses 3.)

NOTE:

If you do not specify a value for a parameter, the WebUI assumes the
default value. In this example, the desired timeout value is two seconds;
therefore, not specifying the timeout causes the WebUI to use the default
value of two seconds.

Click Done when you are finished.

NOTE:

To apply the configuration (changes), you must click Apply in the
External Services view on the WebUI. In this example, you can wait until
you finish configuring the servers and groups, or you can apply after each
configuration portion.

Using the WebUI to Configure the ESI Group
1.

Click Add in the Server Groups section External Services view on the
WebUI.

Provide the following details:

Group Name. (This example uses external_cps.)

Health-Check Profile. Select the health-check ping from the drop-down
list. (This example uses externalcp_ping.)

Click Done when you are finished.

NOTE:

476 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

Using the WebUI to Configure the ESI Servers
1.

Click Add in the External Servers section External Services view on the
WebUI.

Provide the following details:
A.

Server Name.

Server Group. Use the drop-down list to assign this server to a group
from the existing configured groups.

Server Mode. Use the drop-down list to choose NAT mode.)

Trusted IP Address. For nat mode, enter the IP address of the trusted
interface on the external captive portal server.

NAT Destination Port. Enter the port number (to redirect a packet to a
port other than the original destination port in the packet).

Click Done when you are finished.

Repeat step 1 through step 3 for the remaining external captive portal
servers.

To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)

Using the WebUI to Configure the Redirection Filter
To redirect the required traffic to the server(s) using the WebUI, navigate to the
Configuration > Access Control > User Roles view on the WebUI (see
Figure 21-42 on page 448).
1.

Click the Policies tab.

Click Add in the Policies section of the Policies view on the WebUI.

Provide the following details:

Policy Name. (This example uses cp_redirect_acl.)

Policy Type. Select Session from the drop-down list.

Click Add in the Rules section of the Policies view.
A.

Source. Select user from the drop-down list.

Destination. Accept any.

Service. Select service from the drop-down list; select svc-http (tcp 80)
from the secondary drop-down list.

Action. Select redirect to ESI group from the drop-down list; select
external_cps from the secondary drop-down list; click <-- to add that
group.

Click Add.

AOS-W 3.1
User Guide

477

External Services Interface
Chapter 21

Click Done when you are finished.

To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)

Using the CLI to Configure the Example NAT-mode Topology
The CLI configuration process consists of these general tasks:

Configuring captive portal (see Chapter 10, “Configuring Captive Portal”).

Configuring the health-check ping method.

Configuring the ESI servers.

Configuring the ESI group.

Defining the redirect filter for sending traffic to the ESI server.

Configure a Health-Check Ping
The health-check ping will be associated with an ESI group, along with servers,
so that WLAN Switch will send ICMP echo requests to each server in the group
and mark the server down if the WLAN Switch does not hear from the server. The
health-check parameters used in this example are:

Frequency—30 seconds. (The default is 5 seconds.)

Retry-count—3. (The default is 2.)

Timeout—2 seconds. (The default is 2 seconds.)

Use these CLI commands to configure a health-check ping method:

esi ping profile_name
frequency seconds
retry-count count
timeout seconds
Configuring ESI Servers
Here are the ESI server CLI configuration tasks:

Configure server mode to be NAT.

Configure the trusted IP address (the server IP address to which packets
should be redirected).

To redirect to a different port than the original destination port in the packet,
configure an alternate destination port.

478 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

Use these CLI commands to configure an ESI server and identify its associated
attributes:

esi server server_identity
dport destination_tcp/udp_port
mode {bridge | nat | route}
trusted-ip-addr ip-addr [health-check]
Configure an ESI Group, Add the Health-Check Ping and ESI Servers
Use these CLI commands to configure an ESI server group, identify its associated
ping health-check method, and associate a server with this group:

esi group name
ping profile_name
server server_identity
Use This ESI Group in a Session Access Control List
Use these CLI commands to define the redirection filter for sending traffic to the
ESI server.

ip access-list session policy
user any svc-http redirect esi-group group direction both
CLI Configuration Example 1

esi ping externalcp_ping
frequency 30
retry-count 3
esi server external_cp1
dport 8080
mode nat
trusted-ip-addr 10.1.1.1
esi server external_cp2
dport 8080
mode nat
trusted-ip-addr 10.1.1.2
esi server external_cp3
dport 8080
mode nat
trusted-ip-addr 10.1.1.3

AOS-W 3.1
User Guide

479

External Services Interface
Chapter 21

esi group external_cps
ping externalcp_ping
server external_cp1
server external_cp2
server external_cp3
ip access-list session cp_redirect_acl
user any svc-http redirect esi-group external_cps direction both
CLI Configuration Example 2

esi server https-proxy1
dport 44300
mode nat
trusted-ip-addr 1.2.3.4
esi server https-proxy2
dport 44300
mode nat
trusted-ip-addr 1.2.3.5
esi group https-proxies
ping default
server https-proxy1
server https-proxy2
ip access-list session https-proxy
user any svc-https redirect esi-group https-proxies direction both
any any permit

480 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Services Interface
Chapter 21

Basic Regular Expression Syntax
The ESI syslog parser supports regular expressions created using the Basic
Regular Expression (BRE) syntax described in this section. BRE syntax consists of
instructions—character-matching operators (described in Table 21-44), repetition
operators (described in Table 21-45), or expression anchors (described in
Table 21-46)—used to defined the search or match target.
This section contains the following topics:

“Character-Matching Operators” on page 481

“Regular Expression Repetition Operators” on page 482

“Regular Expression Anchors” on page 482

“References” on page 483

Character-Matching Operators
Character-matching operators define what the search will match.

TABLE 21-44 Character-matching operators in regular expressions
Operator Description

Sample

Result

Match any one character.

grep .ord
sample.txt

Matches ford, lord, 2ord,
etc. in the file sample.txt.

[]

Match any one character
listed between the
brackets

grep [cng]ord
sample.txt

Matches only cord, nord,
and gord

[^]

Match any one character
not listed between the
brackets

grep [^cn]ord
sample.txt

Matches lord, 2ord, etc.,
but not cord or nord

grep
[a-zA-Z]ord
sample.txt

Matches aord, bord, Aord,
Bord, etc.

grep [^0-9]ord Matches Aord, aord, etc.,
sample.txt
but not 2ord, etc.

AOS-W 3.1
User Guide

481

External Services Interface
Chapter 21

Regular Expression Repetition Operators
Repetition operators are quantifiers that describe how many times to search for
a specified string. Use them in conjunction with the character-matching operators
in Table 21-45 to search for multiple characters.

TABLE 21-45 Regular expression repetition operators
Operator Description

Sample

Result

Match any character one
time if it exists

egrep “?erd”
sample text

Matches berd, herd, etc.,
erd

Match declared element
multiple times if it exists

egrep “n.*rd”
sample.txt

Matches nerd, nrd, neard,
etc.

Match declared element
one or more times

egrep
“[n]+erd”
sample.txt

Matches nerd, nnerd, etc.,
but not erd

{n}

Match declared element
exactly n times

egrep
“[a-z]{2}erd”
sample.txt

Matches cherd, blerd, etc.,
but not nerd, erd, buzzerd,
etc.

{n,}

Match declared element at egrep
least n times
“.{2,}erd”
sample.txt

Matches cherd and
buzzerd, but not nerd

{n,N}

Match declared element at egrep
least n times, but not
“n[e]{1,2}rd”
more than N times
sample.txt

Matches nerd and neerd

Regular Expression Anchors
Anchors describe where to match the pattern, and are a handy tool for searching
for common string combinations. Some of the anchor examples use the vi line
editor command :s, which stands for substitute. That command uses the syntax:
s/pattern_to_match/pattern_to_substitute.

TABLE 21-46 Regular expression anchors
Operator Description

Sample

Result

Match at the beginning of
a line

s/^/blah /

Inserts “blah” at the
beginning of the line

Match at the end of a line

s/$/ blah/

Inserts “ blah” at the end
of the line

Match at the beginning of
a word

s/\

Match at the end of a
word

s/\>/blah/

Inserts “blah” at the end of
the word

egrep “\>blah” Matches soupblah, etc.
sample.txt
\b

Match at the beginning or
end of a word

egrep
“\bblah”
sample.txt

Matches blahcake and
countblah

Match in the middle of a
word

egrep
“\Bblah”
sample.txt

Matches sublahper, etc.

References
This implementation is based, in part, on the following resources:

Lonvick, C., “The BSD syslog Protocol”, RFC 3164, August 2001

Regular expression (regex) reference:
http://en.wikipedia.org/wiki/Regular_expression

Regex syntax summary:
http://www.greenend.org.uk/rjk/2002/06/regexp.html

Basic regular expression (BRE) syntax:
http://builder.com.com/5100-6372-1050915.html

AOS-W 3.1
User Guide

483

External Services Interface
Chapter 21

484 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Volume 9
Appendices

AOS-W Version 3.1

486 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring DHCP with
Vendor-Specific Options

A standards-compliant DHCP server can be configured to return the host Alcatel
WLAN Switch’s IP address through the Vendor-Specific Option Code (option 43)
in the DHCP reply. In the Alcatel OmniAccess system, this information can allow
an Alcatel AP to automatically discover the IP address of a master WLAN Switch
for its configuration and management. This appendix describes how to configure
vendor-specific option 43 on various DHCP servers.
This appendix contains the following topics:

“Overview” on page 488

“Windows-Based DHCP Server” on page 488

“Linux DHCP Servers” on page 491

AOS-W 3.1
User Guide

487

Configuring DHCP with Vendor-Specific Options
Chapter A

Overview
DHCP servers are a popular way of configuring clients with basic networking
information such as an IP address, a default gateway, network mask, DNS server,
and so on. Most DHCP servers have the ability to also send a variety of optional
information, including the Vendor-Specific Option Code, also called option 43.
Here is how option 43 works:
1.

The DHCP client on an Alcatel AP adds an optional piece of information called
the Vendor Class Identifier Code (option 60) to its DHCP request. The value of
this code is ArubaAP.

The DHCP server sees the Vendor Class Identifier Code in the request and
checks to see if it has option 43 configured. If it does, it sends the
Vendor-Specific Option Code (option 43) to the client. The value of this option
is the loopback address of the Alcatel master WLAN Switch.

The AP receives a response from the DHCP server and checks if option 43 is
returned. If it is, the AP contacts the master WLAN Switch using the supplied
IP address.

Windows-Based DHCP Server
Configuring a Microsoft Windows-based DHCP server to send option 43 to the
DHCP client on an Alcatel AP consists of the following two tasks:

Configuring Option 60

Configuring Option 43

Configuring Option 60
This section describes how to configure the Vendor Class Identifier Code (option
60) on a Microsoft Windows-based DHCP server.
As mentioned in the overview section, option 60 identifies and associates a
DHCP client with a particular vendor. Any DHCP server configured to take action
based on a client’s vendor ID should also have this option configured.
Since option 60 is not a predefined option on a Windows DHCP server, you must
add it to the option list for the server.

488 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Configuring DHCP with Vendor-Specific Options

To configure option 60 on the Windows DHCP server:
1.

On the DHCP server, open the DHCP server administration tool by clicking
Start > Administration Tools > DHCP.

Find your server and right-click on the scope to be configured under the
server name. Select Set Predefined Options.

In the Predefined Options and Values dialog box, click the Add button.

In the Option Type dialog box, enter the following information:
Name

Alcatel Access Point

Data Type

String

Code

Description

Alcatel AP vendor class identifier

Click the OK button to save this information.

In the Predefined Options and Values dialog box, make sure 060 Alcatel
Access Point is selected from the Option Name drop-down list.

In the Value field, enter the following information:
String

Alcatel Access Point

Click the OK button to save this information.

Configuring Option 43
Option 43 returns the IP address of the Alcatel master WLAN Switch to an Alcatel
DHCP client. This information allows Alcatel APs to auto-discover the master
WLAN Switch and obtain their configuration.

To configure option 43 on the Windows DHCP server:
1.

On the DHCP server, open the DHCP server administration tool by clicking
Start > Administration Tools > DHCP.

Find your server and right-click on the scope to be configured under the
server name. Click on the Scope Options entry and select Configure Options.

AOS-W 3.1
User Guide

489

Configuring DHCP with Vendor-Specific Options
Chapter A

In the Scope Options dialog box, scroll down and select 043 Vendor Specific
Info.

FIGURE A-65
4.

In the Data Entry field, click anywhere in the area under the ASCII heading and
enter the following information:
ASCII

Scope Options Dialog Box

Loopback address of the master WLAN Switch

Click the OK button to save the configuration.
Option 43 is configured for this DHCP scope. Note that even though you
entered the IP address in ASCII text, it displays in binary form.

FIGURE A-66

490 AOS-W 3.1
User Guide

DHCP Scope Values

032063-00 Rev A
February 2007

Configuring DHCP with Vendor-Specific Options

Linux DHCP Servers
The following is an example configuration for the Linux dhcpd.conf file:
NOTE:

After you enter the configuration, you must restart the DHCP service.

option serverip code 43 = ip-address;
class "vendor-class" {
match option vendor-class-identifier;
}
.
.
.
subnet 10.200.10.0 netmask 255.255.255.0 {
default-lease-time 200;
max-lease-time 200;
option subnet-mask 255.255.255.0;
option routers 10.200.10.1;
option domain-name-servers 10.4.0.12;
option domain-name "vlan10.aa.arubanetworks.com";
subclass "vendor-class" "ArubaAP" {
option vendor-class-identifier "ArubaAP";
option serverip 10.200.10.10;
}
range 10.200.10.200 10.200.10.252;
}

AOS-W 3.1
User Guide

491

Configuring DHCP with Vendor-Specific Options
Chapter A

492 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

External Firewall
Configuration

In many deployment scenarios, an external firewall is situated between various
Alcatel devices. This appendix describes the network ports that need to be
configured on the external firewall to allow proper operation of the Alcatel
network. You can also use this information to configure session ACLs to apply to
physical ports on the WLAN Switch for enhanced security. This appendix does
not describe requirements for allowing specific types of user traffic on the
network.
NOTE:

A WLAN Switch uses both its loopback address and VLAN addresses for
communications with other network elements. If host-specific ACLS are
used on the firewall, specify all IP addresses used on the WLAN Switch.

This appendix contains the following topics:

“Communication Between Alcatel Devices” on page 494

“Network Management Access” on page 495

“Other Communications” on page 496

AOS-W 3.1
User Guide

493

External Firewall Configuration
Chapter B

Communication Between Alcatel Devices
This section describes the network ports that need to be configured on the
firewall to allow proper operation of the Alcatel network.

Between any two WLAN Switches:
z

IPSec (UDP ports 500 and 4500) and ESP (protocol 50)
NOTE:

IP-IP (protocol 4) and UDP port 443 if Layer-3 mobility is enabled

GRE (protocol 47) if tunneling guest traffic over GRE to DMZ WLAN
Switch

Between an AP and the master WLAN Switch:
z

PAPI (UDP port 8211) If DNS is used for the AP to discover the LMS
WLAN Switch, the AP first attempts to connect to the master WLAN
Switch.
NOTE:

PAPI between a master and a local WLAN Switch is encapsulated
in IPSec in AOS-W 3.x.

Also allow DNS (UDP port 53) traffic from the AP to the DNS
server.

PAPI (UDP port 8211) All APs running as Air Monitors (AM) require a
permanent PAPI connection to the master WLAN Switch.

Between an AP and the LMS WLAN Switch
z

FTP (TCP port 20 and TCP port 21)

TFTP (UDP port 69) for AP-52. For all other APs, if there is no local image
on the AP (for example, a brand new AP) the AP will use TFTP to retrieve
the initial image.

NTP (UDP port 123)

SYSLOG (UDP port 514)

PAPI (UDP port 8211)

GRE (protocol 47)

Between a Remote AP (IPSec) and a WLAN Switch
z

NAT-T (UDP port 4500)

TFTP (UDP port 69)
NOTE:

494 AOS-W 3.1
User Guide

TFTP is not needed for normal operation. If the remote AP loses
its local image for any reason, TFTP is used to download the
latest image.

032063-00 Rev A
February 2007

External Firewall Configuration
Chapter B

Network Management Access
This section describes the network ports that need to be configured on the
firewall to allow management of the Alcatel network.

For WebUI access between the network administrator’s computer (running a
Web browser) and a WLAN Switch:
z

HTTP (TCP ports 80 and 8888) or HTTPS (TCP ports 443 and 4343)

SSH (TCP port 22) or TELNET (TCP port 23)

For Alcatel Mobility Manager System (MMS) access between the network
administrator's computer (running a Web browser) and the MMS Server
(either the MM-100 appliance or a server running MMS software):
z

HTTPS (TCP port 443)

HTTP (TCP port 80)1

SSH (TCP port 22) for troubleshooting

For MMS access between the MMS Server and WLAN Switches:
z

SNMP (UDP ports 161 and 162)

PAPI (UDP port 8211 and TCP port 8211)

1. Check the MMS release documentation for requirements, as this network port may not
be required for future releases.

AOS-W 3.1
User Guide

495

External Firewall Configuration
Chapter B

Other Communications
This section describes the network ports that need to be configured on the
firewall to allow other types of traffic in the Alcatel network. You should only
allow traffic as needed from these ports.

For logging: SYSLOG (UDP port 514) between the WLAN Switch and syslog
servers.

For software upgrade or retrieving system logs: TFTP (UDP port 69) or FTP
(TCP ports 20 and 21) between the WLAN Switch and a software distribution
server.

If the WLAN Switch is a PPTP VPN server, allow PPTP (UDP port 1723) and
GRE (protocol 47) to the WLAN Switch.

If the WLAN Switch is an L2TP VPN server, allow NAT-T (UDP port 4500),
ISAKMP (UDP port 500) and ESP (protocol 50) to the WLAN Switch.

If a third-party network management system is used, allow SNMP (UDP ports
161 and 162) between the network management system and all WLAN
Switches. If the AOS-W version is earlier than 2.5, allow SNMP traffic
between the network management system and APs.

For authentication with a RADIUS server: RADIUS (typically, UDP ports 1812
and 813, or 1645 and 1646) between the WLAN Switch and the RADIUS
server.

For authentication with an LDAP server: LDAP (UDP port 389) or LDAPS (UDP
port 636) between the WLAN Switch and the LDAP server.

For authentication with a TACACS+ server: TACACS (TCP port 49) between
the WLAN Switch and the TACACS+ server.

For NTP clock setting: NTP (UDP port 123) between all WLAN Switches and
the MMS server and the NTP server.

For packet captures: UDP port 5555 from an AP to an Ethereal packet-capture
station; UDP port 5000 from an AP to a Wildpackets packet-capture station.

For telnet access: Telnet (TCP port 23) from the network administrator's
computer to any AP if "telnet enable" is present in the "ap location 0.0.0"
section of the WLAN Switch configuration.

For External Services Interface (ESI): ICMP (protocol 1) and syslog (UDP port
514) between a WLAN Switch and any ESI servers,

For XML API: HTTP (TCP port 80) or HTTPS (TCP port 443) between a WLAN
Switch and an XML-API client.

496 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Alcatel System Defaults

This appendix contains the following topics:

“Basic System Defaults” on page 498

“Firewall Defaults” on page 498

“Default Open Ports” on page 501

AOS-W 3.1
User Guide

497

Alcatel System Defaults
Chapter C

Basic System Defaults
The default administrator user name is admin, and the default password is also
admin.

Firewall Defaults
The AOS-W software includes prdefined network services, firewall policies, and
roles.

Network Services
The following lists the predefined network services and their protocols and ports.

svc-snmp-trap
svc-dhcp
svc-smb-tcp
svc-https
svc-ike
svc-l2tp
svc-syslog
svc-pptp
svc-telnet
svc-sccp
svc-tftp
svc-sip-tcp
svc-kerberos
svc-pop3
svc-adp
svc-dns
svc-msrpc-tcp
svc-rtsp
svc-http
svc-vocera
svc-nterm
svc-sip-udp
svc-papi
svc-ftp
svc-natt
svc-svp
svc-gre
svc-smtp
498 AOS-W 3.1
User Guide

udp
udp
tcp
tcp
udp
udp
udp
tcp
tcp
tcp
udp
tcp
udp
tcp
udp
udp
tcp
tcp
tcp
udp
tcp
udp
udp
tcp
udp
119
gre
tcp

162
67 68
445
443
500
1701
514
1723
23
2000
69
5060
88
110
8200
53
135 139
554
80
5002
1026 1028
5060
8211
21
4500
0
0
25
032063-00 Rev A
February 2007

Alcatel System Defaults
Chapter C

svc-smb-udp
svc-esp
svc-bootp
svc-snmp
svc-icmp
svc-ntp
svc-msrpc-udp
svc-ssh

udp
esp
udp
udp
icmp
udp
udp
tcp

445
0
67 69
161
0
123
135 139
22

Policies
The following are predefined policies.

ip access-list session allowall
any any any permit
!
ip access-list session control
any any svc-icmp permit
any any svc-dns permit
any any svc-papi permit
any any svc-adp permit
any any svc-tftp permit
any any svc-dhcp permit
any any svc-natt permit
!
ip access-list session captiveportal
user alias mswitch svc-https permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
!
ip access-list session cplogout
user alias mswitch svc-https permit
!
ip access-list session vpnlogon
any any svc-ike permit
any any svc-esp permit
any any svc-l2tp permit
any any svc-pptp permit
any any svc-gre permit
!
ip access-list session ap-acl
any any svc-gre permit
any any svc-syslog permit

AOS-W 3.1
User Guide

499

Alcatel System Defaults
Chapter C

any user svc-snmp permit
user any svc-snmp-trap permit
user any svc-ntp permit

System Roles
The following are predefined system roles.

user-role ap-role
session-acl control
session-acl ap-acl
!
user-role trusted-ap
session-acl allowall
!
user-role guest
session-acl control
session-acl cplogout
!
user-role logon
session-acl control
session-acl captiveportal
session-acl vpnlogon

500 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Alcatel System Defaults
Chapter C

Default Open Ports
By default, Alcatel WLAN Switches and Access Points treat ports as untrusted.
However, certain ports are open by default only on the trusted side of the
network. These open ports are listed in Table C-47 below.

TABLE C-47 Default (Trusted) Open Ports
Port
Number

Protocol

Where Used

Description

TCP

WLAN
Switch

This is use for certain types of VPN
clients that accept a banner (QOTD).
During normal operation, this port will
only accept a connection and
immediately close it.

TCP

WLAN
Switch

FTP server for AP6X software
download.

TCP

WLAN
Switch

SSH

TCP

AP and
WLAN
Switch

Telnet is disabled by default but the port
is still open

UDP

WLAN
Switch

Internal domain

UDP

AP (and
WLAN
Switch if
DHCP server
is
configured)

DHCP server

UDP

AP (and
WLAN
Switch if
DHCP server
is
configured)

DHCP client

UDP

WLAN
Switch

TFTP

TCP

AP and
WLAN
Switch

HTTP Used for remote packet capture
where the capture is saved on the
Access Point. Provides access to the
WebUI on the WLAN Switch.

AOS-W 3.1
User Guide

501

Alcatel System Defaults
Chapter C

TABLE C-47 Default (Trusted) Open Ports (Continued)
Port
Number

Protocol

Where Used

Description

123

UDP

WLAN
Switch

NTP

161

UDP

AP and
WLAN
Switch

SNMP. Disabled by default.

443

TCP

WLAN
Switch

Used internally for captive portal
authentication (HTTPS) and is exposed
to wireless users. A default self-signed
certificate is installed in the WLAN
Switch. Users in a production
environment are urged to install a
certificate from a well known CA such
as Verisign. Self-signed certs are open
to man-in-the-middle attacks and should
only be used for testing.

500

UDP

WLAN
Switch

ISAKMP

514

UDP

WLAN
Switch

Syslog

1701

UDP

WLAN
Switch

L2TP

1723

TCP

WLAN
Switch

PPTP

2300

TCP

WLAN
Switch

Internal terminal server opened by telnet
soe command.

3306

TCP

WLAN
Switch

Remote wired MAC lookup.

4343

TCP

WLAN
Switch

HTTPS. A different port is used from
443 in order to not conflict with captive
portal. A default self-signed certificate is
installed in the WLAN Switch. Users in a
production environment are urged to
install a certificate from a well known
CA such as Verisign. Self-signed certs
are open to man-in-the-middle attacks
and should only be used for testing

4500

UDP

WLAN
Switch

sae-urn

502 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Alcatel System Defaults
Chapter C

TABLE C-47 Default (Trusted) Open Ports (Continued)
Port
Number

Protocol

Where Used

Description

8080

TCP

WLAN
Switch

Used internally for captive portal
authentication (HTTP-proxy). Not
exposed to wireless users.

8081

TCP

WLAN
Switch

Used internally for captive portal
authentication (HTTPS). Not exposed to
wireless users. A default self-signed
certificate is installed in the WLAN
Switch. Users in a production
environment are urged to install a
certificate from a well known CA such
as Verisign. Self-signed certs are open
to man-in-the-middle attacks and should
only be used for testing.

8082

TCP

WLAN
Switch

Used internally for single sign-on
authentication (HTTP). Not exposed to
wireless users.

8083

TCP

WLAN
Switch

Used internally for single sign-on
authentication (HTTPS). Not exposed to
wireless users.

8088

TCP

WLAN
Switch

Internal

8200

UDP

WLAN
Switch

Alcatel Discovery Protocol (ADP)

8211

UDP

WLAN
Switch

Internal

8888

TCP

WLAN
Switch

Used for HTTP access.

AOS-W 3.1
User Guide

503

Alcatel System Defaults
Chapter C

504 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Windows Client Example
Configuration for 802.1x

This appendix provides an example configuration for a wireless client (the 802.1x
supplicant) in a Windows environment.
For detailed information about configuring computers in a Windows environment
for PEAP-MS-CHAPv2 and EAP-TLS authentication, see the Microsoft document
Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab, available
from Microsoft’s Download Center (at www.microsoft.com/downloads).
Additional information on client configuration is available at
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wificomp.ms
px#EQGAC.

Window XP Wireless Client Example
Configuration
This section shows an example of how to configure a Windows XP wireless
client using Windows XP’s Wireless Zero Configuration service.
NOTE:

The following steps apply to a computer running Windows XP
Professional Version 2002 with Service Pack 2. To configure a wireless
client on other Windows platforms, see your Microsoft Windows
documentation.

On the desktop, right-click My Network Places and select Properties.

In the Network Connections window, right-click on Wireless Network
Connection and select Properties.

Select the Wireless Networks tab.
This screen displays the available wireless networks and the list of preferred
networks. Windows connects to the preferred networks in the order in which
they appear in the list.

AOS-W 3.1
User Guide

505

Windows Client Example Configuration for 802.1x
Chapter D

FIGURE D-67
4.

Wireless Networks

Click the Advanced button to display the Networks to access window.

FIGURE D-68

Networks to Access

This window determines what types of wireless networks the client can
access. By default, Windows connects to any type of wireless network.
Make sure that the option Computer-to-computer (ad hoc) networks only is
not selected. Click Close.
5.

In the Wireless Networks tab, click Add to add a wireless network.

Click the Association tab to enter the network properties for the SSID.

506 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Windows Client Example Configuration for
802.1x

NOTE:

This tab configures the authentication and encryption used between
the wireless client and the Alcatel Mobile Edge system. Therefore,
the settings for the SSID that you configure on the client must match
the configuration for the SSID on the WLAN Switch.

For an SSID using dynamic WEP, enter the following:
–

Network Authentication: Open

–

Data Encryption: WEP

–

Select the option “The key is provided for me automatically”. Each
client will use a dynamically-generated WEP key that is automatically
derived during the 802.1x process.

For an SSID using WPA, enter the following:
–

Network Authentication: WPA

–

Data Encryption: TKIP

For an SSID using WPA-PSK, enter the following:
–

Network Authentication: WPA-PSK

–

Data Encryption: TKIP

–

Enter the preshared key.

For an SSID using WPA2, enter the following:
–

Network Authentication: WPA2

–

Data Encryption: AES

For an SSID using WPA2-PSK, enter the following:
–

Network Authentication: WPA2-PSK

–

Data Encryption: AES

–

Enter the preshared key

Do not select the option “This is a computer-to-computer (ad hoc)
network; wireless access points are not used”.

Figure D-69 shows the configuration for the SSID WLAN-01 which uses WPA
network authentication with TKIP data encryption.

AOS-W 3.1
User Guide

507

Windows Client Example Configuration for 802.1x
Chapter D

FIGURE D-69
7.

Wireless Network Association

Click the Authentication tab to enter the 802.1x authentication parameters for
the SSID.
NOTE:

This tab configures the EAP type used between the wireless client
and the authentication server.

Configure the following, as shown in Figure D-70:
z

Select Enable IEEE 802.1x authentication for this network.

Select Protected EAP (PEAP) for the EAP type.

Select Authenticate as computer when computer information is available.
The client will perform computer authentication when a user is not
logged in.

Do not select Authenticate as guest when user or computer information
is unavailable. The client will not attempt to authenticate as a guest.

508 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Windows Client Example Configuration for
802.1x

FIGURE D-70
8.

Wireless Network Authentication

Under EAP type, select Properties to display the Protected EAP Properties
window. Configure the client PEAP properties, as shown in Figure D-71:
z

Select Validate server certificate. This instructs the client to check the
validity of the server certificate from an expiration, identity, and trust
perspective.

Select the trusted Certification Authority (CA) that can issue server
certificates for the network.

Select Secured password (EAP-MSCHAP v2) — the PEAP “inner
authentication” mechanism will be an MS-CHAPv2 password.

Select Enable Fast Reconnect to speed up authentication in some cases.

AOS-W 3.1
User Guide

509

Windows Client Example Configuration for 802.1x
Chapter D

FIGURE D-71
9.

Protected EAP Properties

Under Select Authentication Method, click Configure to display the
EAP-MSCHAPv2 Properties window. Select the option Automatically use my
Windows logon name and password (and domain if any). This option
specifies that the user’s Windows logon information is used for
authentication to the wireless network. This option allows the same logon
credentials to be used for access to the Windows domain as well as the
wireless network.

FIGURE D-72
510 AOS-W 3.1
User Guide

EAP MSCHAPv2 Properties
032063-00 Rev A
February 2007

Internal Captive Portal

You can customize the default captive portal page through the WebUI, as
described in Chapter 10, “Configuring Captive Portal.” This appendix discusses
creating and installing a new internal captive portal page and other customization.

“Creating a New Internal Web Page” on page 512

“Installing a New Captive Portal Page” on page 514

“Displaying Authentication Error Message” on page 515

“Reverting to the Default Captive Portal” on page 516

“Language Customization” on page 516

“Customizing the Welcome Page” on page 522

“Customizing the Pop-Up box” on page 524

“Customizing the Logged Out Box” on page 525

AOS-W 3.1
User Guide

511

Internal Captive Portal
Chapter E

Creating a New Internal Web Page
You can also create your own web page to display.
A custom web page must include an authentication form to authenticate a user.
The authentication form can include any of the following variables:
user

(Required)

password

(Required)

FQDN

The fully-qualified domain name (this is dependent on the
setting of the WLAN Switch and is supported only in Global
Catalog Servers software

The form can use either the "get" or the "post" methods, but the "post" method
is recommended. The form's action must absolutely or relatively reference
"https:///auth/index.html/u".
You can construct an authentication form using the following HTML:

...

A recommended option for the element is:
autocomplete="off" - this tells Internet Explorer. not to cache form inputs
The form variables can be input using any form control method available such as
INPUT, SELECT, TEXTAREA and BUTTON. Example HTML code follows.
Username:
Minimal:

Recommended Options:

accesskey="u" Sets the keyboard shortcut to 'u'
SIZE="25"Sets the size of the input box to 25
VALUE= ""Ensures no default value
Password:
Minimal:

Recommended Options:

accesskey="p" Sets the keyboard shortcut to 'p'
512 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Internal Captive Portal
Chapter E

SIZE="25"Sets the size of the input box to 25
VALUE= ""Ensures no default value
FQDN:
Minimal:

Recommended Options:
None.
Finally, an HTML also requires an input button:

Basic HTML Example

Username:

Password:

You can find a more advanced example simply by using your browser’s
"view-source" function while viewing the default captive portal page.

AOS-W 3.1
User Guide

513

Internal Captive Portal
Chapter E

Installing a New Captive Portal Page
You can install the captive portal page by using the Maintenance function of the
WebUI.
Log into the WebUI and navigate to Maintenance > Captive Portal > Upload
Custom Login Pages.
This page lets you upload your own files to the WLAN Switch. There are different
page types that you can choose:

Captive Portal Login (top level): This type uploads the file into the WLAN
Switch and sets the captive portal page to reference the file that you are
uploading. Use with caution on a production WLAN Switch as this takes
effect immediately.

Captive Portal Welcome Page: This type uploads the file that appears after
logon and before redirection to the web URL. The display of the welcome
page can be disabled or enabled in the captive portal profile.

Content: The content page type allows you to upload all miscellaneous files
that you need to reference from your main captive portal login page. This can
be used for images, CSS files, scripts or any other file that you need to
reference. These files are uploaded into the same directory as the top level
captive portal page and thus all files can be referenced relatively.

Sygate Remediation Failure: This is used as part of the Alcatel Client Integrity
Module and is outside the scope of this appendix.

All uploaded files can also be referenced from your top-level captive portal page
using any of the following:

https:///upload/
/upload/

514 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Internal Captive Portal
Chapter E

Displaying Authentication Error Message
This section contains a script that performs the following tasks:

When the user is redirected to the main captive portal login when there is
authentication failure, the redirect URL includes a query parameter "errmsg"
which java script can extract and display.

Store the originally requested URL in a cookie so that once the user has
authenticated, they are automatically redirected to its original page. Note that
for this feature to work, you need AOS-W release 2.4.2.0 or later. If you don't
want this feature, delete the part of the script shown in red.

Reverting to the Default Captive Portal
You can reassign the default captive portal site using the "Revert to factory
default settings" check box in the "Upload Custom Login Pages" section of the
Maintenance tab in the WebUI.

Language Customization
The ability to customize the internal captive portal provides you with a very
flexible interface to the Alcatel captive portal system. However, other than posting
site-specific messages onto the captive portal website, the most common type of
customization is likely to be language localization. This section describes a simple
method for creating a native language captive portal implementation using the
Alcatel internal captive portal system.
1.

Customize the configurable parts of the captive portal settings to your liking.
To do this, navigate to the Maintenance > Customize Captive Portal in the
WebUI:
For example, choose a page design, upload a custom logo and/or a custom
background. Also include any page text and acceptable use policy that you
would like to include. Put this in your target language or else you will need to
translate this at a later time.
Also ensure that Guest login is enabled or disabled as you prefer. Navigate to
Configuration > Authentication Methods > Captive Portal and select or
deselect "Enable Guest Login".

Click Submit and then click on View Captive Portal. Check that your
customization and text/html is correct, with the default interface still in
English and the character set still autodetects to ISO-8859-1.
Repeat steps 1 and 2 until you are satisfied with your page.

Once you have a page you find acceptable, click on View Captive Portal one
more time to display your login page. From your browser, choose
"View->Source" or its equivalent. Your system will display the HTML source
for the captive portal page. Save this source as a file on your local system.

516 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Internal Captive Portal
Chapter E

Open the file that you saved in step 3 above using a standard text editor.to
make the following changes:
A.

Fix the character set. The default ... section of the file
will look similar to the following:

Portal Login

In order to control the character set that the browser will use to show the
text with, you will need to insert the following line inside the
... element:

Replace the "Shift_JIS" part of the above line with the character set that
is used by your system. In theory, any character encoding that has been
registered with IANA can be used, but you must ensure that any text you
enter uses this character set and that your target browsers support the
required character set encoding.

The final ... portion of the document should look similar
to this:

Portal Login

Fix references: If you have used the built-in preferences, you will need to
update the reference for the logo image and the CSS style sheet.
To update the CSS reference, search the text for "

This should be replaced with a link like the following:

The easiest way to update the image reference is to search for "src"
using your text editor and updating the reference to include "/auth/" in
front of the image file. The original link should look similar to the
following:

This should be replaced with a link like this:

Insert javascript to handle error cases:
When the WLAN Switch detects an error situation, it will pass the user's
page a variable called "errmsg" with a value of what the error is in
English. Currently, only "Authentication Failed" is supported as a valid
error message.
To localize the authentication failure message, replace the following text
(it is just a few lines below the tag):

518 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Internal Captive Portal
Chapter E

with the script below.
You will need to translate the "Authentication Failed" error message into
your local language and add it into the script below where it states:
localized_msg="...":

Translate the web page text. Once you have made the changes as above,
you only need to translate the rest of the text that appears on the page.
The exact text that appears will depend on the WLAN Switch settings
when you originally viewed the captive portal. You will need to translate
all relevant text such as "REGISTERED USER", "USERNAME",
"PASSWORD", the value="" part of the INPUT type="submit" button and
all other text. Ensure that the character set you use to translate into is the
same as you have selected in part i) above.

AOS-W 3.1
User Guide

519

Internal Captive Portal
Chapter E

Feel free to edit the HTML as you go if you are familiar with HTML.
5.

After saving the changes made in step 4 above, upload the file to the WLAN
Switch using the Maintenance > Upload Custom Login Pages section of the
WebUI. Choose "Captive Portal Login (top level)" and browse your local
computer for the file you saved above.
Ensure that the "Revert to factory default settings" box is NOT checked and
click Apply. This will upload the file to the WLAN Switch and set the captive
portal system to use this page as the redirection page.
In order to check that your site is operating correctly, go back to the
"Customize Login Page" and click on "View Captive Portal" button to view
the page you have uploaded. Check that your browser has automatically
detected the character set and that your text is not garbled.
To make any adjustments to your page, edit your file locally and simply
re-upload to the WLAN Switch in order to view the page again.

Finally, it is possible to customize the welcome page on the WLAN Switch,
however for language localization it is recommended to use an "external
welcome page" instead. This can be a web site on an external server, or it can
be a static page that is uploaded to a WLAN Switch.
You set the welcome page using the CLI command "aaa captive-portal
welcome-page ". This is the page that the user will be redirected to
after a success authentication.
If this is required to be a page on the WLAN Switch, the user needs to
create their own web page (using the charset meta attribute in step 4i
above) and upload this page to the designated WLAN Switch in the same
manner as uploading the captive portal page, except using "content" as
opposed to "Captive Portal Login" under "Maintenance > Captive Portal >
Upload Login Pages". Any required CSS, Client side Script files and media
files can also be uploaded using content, however file space is limited
(check using "show memory" under "flash free" and remember to leave
ample room for system files).

NOTE:

- The "Registered User" and "Guest User" sections of the login page are
implemented as graphics files, referenced by the default CSS styles. In
order to change these, you will need to create new graphic files,
download the CSS file, edit the reference to the graphics files, change the
style reference in your index file and then upload all files as "content" to
the WLAN Switch.

A sample of a translated page is show below.

520 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Internal Captive Portal
Chapter E

AOS-W 3.1
User Guide

521

Internal Captive Portal
Chapter E

Customizing the Welcome Page
Once a user has authenticated to the WLAN Switch, they are presented with the
Welcome page. The default welcome page will depend slightly on your
configuration, but will look similar to this:

You can customize this welcome page by building your own HTML page and
uploading it to the WLAN Switch. You upload it to the WLAN Switch using the
GUI under Maintenance > Captive Portal > Upload custom pages and choose
"content as the page type. This file is stored in a directory called "/upload/" in the
WLAN Switch in the file's original name.
In order to actually use this file, you will need to configure the welcome page on
the WLAN Switch. To do this use the CLI command: "aaa captive-portal
welcome-page /upload/welc.html" where "welc.html" is the name of the file that
you uploaded, or you can change this via the GUI under
Configuration->Authentication Methods->Captive-Portal->Welcome Page Login
A simple example that will create the same page as above is shown below:

User Authenticated
In 2 seconds you will be automatically redirected to your original web
page
Press control-d to bookmark this page.

NOTE:

If you customize the Welcome Page, then you must also customize the
Pop-Up box if you want to have one.

The part in red will redirect the user to the web page they originally requested. For
this to work, please follow the procedure described above in this document.

AOS-W 3.1
User Guide

523

Internal Captive Portal
Chapter E

Customizing the Pop-Up box
In order to customize the Pop-Up box, you must first customize your Welcome
page. Once you have customized your welcome page, then you can configure
your custom page to make a pop-up box so as to enable your users to log
themselves out.
The first step is to generate the HTML that will be displayed within the pop-up
box. The default HTML is as shown:

Logout

Click to Logout

If you wish your users to be able to logout using this pop-up box, then you must
include a reference to /auth/logout.html Once a user accesses this URL then the
WLAN Switch will log them out. It is easiest to simply edit the above HTML to suit
your users and then upload the resulting file to the WLAN Switch using the GUI
under Maintenance > Captive Portal > Upload custom pages and choose
"content” as the page type.
Once you have completed your HTML, then you must get the clients to create the
pop-up box once they have logged into the WLAN Switch. This is done by
inserting the following code into your welcome page text and re-uploading the
welcome page text to your WLAN Switch.
Common things to change:

URL: set the URL to be the name of the pop-up HTML file that you created
and uploaded. This should be preceded by "/upload/"

Width: set w to be the required width of the pop-up box

Height: set h to be the required height of the pop-up box

Title: set the second parameter in the window.open command to be the title
of the pop-up box. Be sure to include quotes

This will let you customize your pop-up window.

Customizing the Logged Out Box
In order to customize the Logged Out box, you must first customize your
Welcome page and also your Pop-Up box. To customize the message that occurs
after you have logged out then you need to replace the URL that the pop-up box
will access in order to log out with your own HTML file.
Firstly you must write the HTML web page that will actually log out the user and
will also display page that you wish. An example page is shown below. The key
part that must be included is the .. section. This is the part of
the HTML that actually does the user logging out. The logout is always performed
by the client accessing the /auth/logout.html file on the WLAN Switch and so it is
hidden in the html page here in order to get the client to access this page and for
the WLAN Switch to update its authentication status. If a client does not support
the iframe tag, then the text between the and the is used. This
is simply a 0 pixel sized image file that references /auth/logout.html. Either
method should allow the client to logout from the WLAN Switch.
Everything else can be customized.

You have now logged out.

AOS-W 3.1
User Guide

525

Internal Captive Portal
Chapter E

After writing your own HTML, then you need to ensure that your customized
pop-up box will access your new logged out file. In the pop-up box example
above, you simply replace the "/auth/logout.html" with your own file that you
upload to the WLAN Switch. For example, if your customized logout HTML is
stored in a file called "loggedout.html" then your "pop-up.html" file should
reference it like this:

Logout

Click to Logout

526 AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Index

Numerics

802.1x authentication
configuring 185

captive portal
changing to HTTP protocol 254
configuring 227
default page customization 259
different VLAN clients 257
per-SSID configuration 253
proxy Web server configuration 255
web client proxy script 257
captive portal page
customizing 259
care-of address 304
certificates 373
AAA FastConnect 378
importing 375
obtaining server certificate 374
SSH access 380
WebUI management 379
channel switch announcement 135
client association 39
client blacklisting 354
client mobiliity 41
Command Line Interface 42, 362
connecting switch to network 53
coverage holes 27

A
access control lists 152
Access Points 24
connecting to switch 24
deploying 55
IP addresses 56
locating switches 57
thin 25
accounting
configuring 181
Adaptive Radio Management 27
adding WLAN Switches 295
Air Monitors
functions 28
shared or dedicated 28
Alcatel Discovery Protocol 25
AOS-W
functions 31
licenses 32
software modules 31
AP
configuring 115
AP groups 118
AP names 116
authentication 33
authentication server
configuring timers 182
authentication server group
configuring 170

B
basic deployment 45
blacklisting clients 354

D
dead peer detection
configuring 271
DHCP client 65
DHCP with option 43 487
dialer
configuring 267
Domain Name Service 25
double encryption 148
Dynamic Host Configuration Protocol 25

AOS-W 3.1 IX-527
User Guide

Index

E
encryption 35
example configuration
802.1x 196
captive portal 236
example configurations
WLANs 126
external firewall configuration 493
External Services Interface
configuring 437
syslog parser 440

F
firewall parameters 166
foreign agent 304
foreign network 304

G
Generic Routing Encapsulation tunnel 25
guest account
creating 393

H
home agent 304
home agent table 306
home network 304

I
IDS
configuring 327
initial setup 50
internal database
configuring 175
IP mobility 303

K
keys, line editing 369

L
L2TP
configuring 263
LDAP server
configuring 173

IX-528AOS-W 3.1
User Guide

licenses 32, 399
line editing keys 369
local switch 29
local WLAN Switch
configuring 298
logging
configuring 391
loopback address
configuring 71

M
MAC-based authentication
configuring 289
management authentication
configuring 180
master switch 29
mobile client 304
mobility domain 303
configuring 305
example configuration 308
Mobility Manager 42, 362, 371

N
network ports on external firewall 493
NTP
configuring 397

O
option 43 on DHCP server 487

P
policies 152
configuring 153
port
configuring 63
Power over Ethernet 28
PPPoE client 66
PPTP
configuring 266
preshared key 296
profiles
configuring 121
PSK 296

032063-00 Rev A
February 2007

Index

Q
QoS for voice
configuring 411

static route
configuring 70

T
R
RADIUS server
configuring 171
remote AP
configuring 137
RF Plan 55, 73
add background image, name first floor 107
add background image, name second floor 107
add/edit floors 106
create a building 104
create area
don’t care 108
don’t deploy 109
image guidelines 90
model access points 105
model air monitors 106
run RF Plan 110
run the AM plan 112
role
assigning 160
configuring 156

S
self-healing 27
server derivation rules
configuring 164
server group
assigning 180
configuring 170, 177
server rules
configuring 177
server-derived role 160
site-to-site VPN
configuring 269
SNMP
configuring 381
traps 385
software licenses 399
software modules 31
source NAT 68
source NAT and dynamic VLAN 68

TACACS+ server
configuring 174
timers
authentication 182

U
user derivation rules
configuring 161
user role 38
and firewall policies 38
assigning 160
configuring 156
user-derived role 160

V
virtual APs 120
VLAN 36
assignment 63
configuring 62
dynamic address 64
static address 64
Voice Services Module
features 428
VoIP
configuring for 411
VPN
configuring 261
VRRP
configuring 316
VSA-derived role 166

W
WebUI 42, 362
WLAN policy configuration 344
WLAN Switches
adding 295
connecting to network 53
initial setup 50
master and local 29
Power over Ethernet 28

AOS-W 3.1 IX-529
User Guide

Index

X
xSec
configuring 273
configuring for wired clients 278
configuring for wireless clients 275
configuring wireless clients 280
switch-switch communication 282

IX-530AOS-W 3.1
User Guide

032063-00 Rev A
February 2007

Source Exif Data:

File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Mode                       : UseOutlines
XMP Toolkit                     : 3.1-702
Producer                        : Acrobat Distiller 7.0.5 (Windows)
Creator Tool                    : FrameMaker 7.0
Modify Date                     : 2007:02:26 14:47:53-08:00
Create Date                     : 2007:02:26 11:14:06Z
Metadata Date                   : 2007:02:26 14:47:53-08:00
Format                          : application/pdf
Title                           : AOS-W 3.1 User Guide
Creator                         : Alcatel
Document ID                     : uuid:d2876fab-939c-4644-af9d-d277a4e5c20a
Instance ID                     : uuid:b463c517-6dd6-4e93-bcc0-a1387d743890
Page Count                      : 530
Page Layout                     : SinglePage
Author                          : Alcatel
Warning                         : [Minor] Ignored duplicate Info dictionary

EXIF Metadata provided by EXIF.tools

AOS W 3.1 User Guide 3 1

Navigation menu

Versions of this User Manual:

Views

Navigation