AOS W 3.1 User Guide 3 1

User Manual: AOS 3-1 User Guide

Open the PDF directly: View PDF PDF.
Page Count: 530 [warning: Documents this large are best viewed by clicking the View PDF Link!]

AOS-W
User Guide
AOS-W Version 3.1
2 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Copyright
Copyright © 2007 Alcatel Internetworking, Inc. All rights reserved.
Specifications in this manual are subject to change without notice.
Originated in the USA.
Trademarks
AOS-W, Alcatel 4308, Alcatel 4324, Alcatel 6000, Alcatel 41, Alcatel 60/61/65,
Alcatel 70, and Alcatel 80 are trademarks of Alcatel Internetworking, Inc. in the
United States and certain other countries.
Any other trademarks appearing in this manual are the property of their respective
companies.
Legal Notice
The use of Alcatel Internetworking Inc. switching platforms and software, by all
individuals or corporations, to terminate Cisco or Nortel VPN client devices
constitutes complete acceptance of liability by that individual or corporation for
this action and indemnifies, in full, Alcatel Internetworking Inc. from any and all
legal actions that might be taken against it with respect to infringement of
copyright on behalf of Cisco Systems or Nortel Networks.
AOS-W 3.1 3
User Guide
Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Document Organization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Related Documents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Contacting Alcatel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Volume 1
Introducing the Alcatel OmniAccess System
Chapter 1 Overview of the Alcatel OmniAccess System
Alcatel OmniAccess System Components . . . . . . . . . . . . . . . . . . . 24
Alcatel Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Alcatel WLAN Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
AOS-W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Basic WLAN Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
VLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Wireless Client Access to the WLAN . . . . . . . . . . . . . . . . . . . . . . . . 39
Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Client Mobility and AP Association. . . . . . . . . . . . . . . . . . . . . . . . 41
Configuring and Managing the Alcatel OmniAccess System . . 42
Volume 2
Installing the Alcatel OmniAccess System
Chapter 2 Deploying a Basic OmniAccess System
Configuration Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Deployment Scenario #1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Deployment Scenario #2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Deployment Scenario #3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Contents
4 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Configuring the Alcatel WLAN Switch . . . . . . . . . . . . . . . . . . . . . . . 50
Run the Initial Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Configure a VLAN for Network Connection . . . . . . . . . . . . . . . . 51
Connect the WLAN Switch to the Network . . . . . . . . . . . . . . . . 53
Configure the Loopback for the WLAN Switch. . . . . . . . . . . . . 54
Deploying APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Run Alcatel RF Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Enable APs to Connect to the WLAN Switch . . . . . . . . . . . . . . 55
Install APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Update RF Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Additional Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Chapter 3 Configuring Network Parameters
Configuring VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Configuring Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
VLAN Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Assigning a Static Address to a VLAN. . . . . . . . . . . . . . . . . . . . . 64
Configuring a VLAN to Receive a Dynamic Address . . . . . . . . 64
Configuring Source NAT for VLAN Interfaces . . . . . . . . . . . . . . 68
Configuring Static Routes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Configuring the Loopback IP Address . . . . . . . . . . . . . . . . . . . . . . . 71
Chapter 4 RF Plan
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Task Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Planning Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Using RF Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Campus List Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Building List Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Building Specifications Overview Page . . . . . . . . . . . . . . . . . . . . 79
Building Dimension Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
AP Modeling Parameters Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
AM Modeling Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Planning Floors Pages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
AP Plan Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
AM Plan Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Exporting and Importing Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Locate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
FQLN Mapper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
AOS-W 3.1 5
User Guide
Contents
RF Plan Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Sample Building. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Create a Building . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Model the Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Model the Air Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Add and Edit a Floor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Defining Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Running the AP Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Running the AM Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Volume 3
Configuring APs
Chapter 5 Configuring Access Points
AP Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
AP Names and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Virtual APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Configuring Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Example Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Configuring the Corpnet WLAN . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Guest WLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Advanced Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Channel Switch Announcement . . . . . . . . . . . . . . . . . . . . . . . . . 135
Chapter 6 Configuring Remote APs
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Configuring the Secure Remote Access Point Service . . . . . . . 140
Configure a Public IP Address for the WLAN Switch . . . . . . 140
Configure the VPN Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configure the Remote AP User Role. . . . . . . . . . . . . . . . . . . . . . 142
Configure VPN Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Provision the AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Deploying a Branch Office/Home Office Solution . . . . . . . . . . . . 146
Troubleshooting the Branch Office Configuration . . . . . . . . . 148
Double Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Volume 4
Configuring Wireless Encryption and Authentication
Contents
6 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Chapter 7 Configuring Roles and Policies
Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Access Control Lists (ACLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Creating a Firewall Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Creating a User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Assigning User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Default User Role in AAA Profile . . . . . . . . . . . . . . . . . . . . . . . . . 160
User-Derived Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Default Role for Authentication Method . . . . . . . . . . . . . . . . . . 163
Server-Derived Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
VSA-Derived Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Firewall Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Chapter 8 Configuring Authentication Servers
Servers and Server Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Configuring Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Configuring a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Configuring an LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Configuring a TACACS+ Server . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Configuring the Internal Database. . . . . . . . . . . . . . . . . . . . . . . . 175
Configuring Server Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Configuring Server Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Assigning Server Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Configuring Authentication Timers . . . . . . . . . . . . . . . . . . . . . . . . . 182
Chapter 9 Configuring 802.1x Authentication
Overview of 802.1x Authentication. . . . . . . . . . . . . . . . . . . . . . . . . 186
Authentication with a RADIUS Server . . . . . . . . . . . . . . . . . . . . 187
Authentication Terminated on WLAN Switch . . . . . . . . . . . . . 188
Configuring 802.1x Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 190
802.1x Authentication Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Configuring User and Computer Authentication . . . . . . . . . . 193
Example Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Authentication with an 802.1x RADIUS Server. . . . . . . . . . . . 196
Authentication with the WLAN Switch’s Internal Database 211
Advanced Configuration Options for 802.1x . . . . . . . . . . . . . . . . 224
Reauthentication with Unicast Key Rotation . . . . . . . . . . . . . . 224
Chapter 10 Configuring Captive Portal
Overview of Captive Portal Functions . . . . . . . . . . . . . . . . . . . . . . 228
Policy Enforcement Firewall License . . . . . . . . . . . . . . . . . . . . . 228
WLAN Switch Server Certificate . . . . . . . . . . . . . . . . . . . . . . . . . 228
Configuring Captive Portal in the Base AOS-W . . . . . . . . . . . . . . 229
AOS-W 3.1 7
User Guide
Contents
Configuring Captive Portal with the Policy Enforcement Firewall
License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Example Authentication with Captive Portal . . . . . . . . . . . . . . . . 236
Configuring Policies and Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Configuring the Guest VLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Configuring Captive Portal Authentication . . . . . . . . . . . . . . . . 246
Modifying the Initial User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Configuring the AAA Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Configuring the WLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
User Account Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Captive Portal Configuration Parameters. . . . . . . . . . . . . . . . . . . . 250
Optional Captive Portal Configurations . . . . . . . . . . . . . . . . . . . . . 253
Per-SSID Captive Portal Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Changing the Protocol to HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Proxy Server Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Redirecting Clients on Different VLANs . . . . . . . . . . . . . . . . . . . 257
Web Client Configuration with Proxy Script . . . . . . . . . . . . . . 257
Personalizing the Captive Portal Page . . . . . . . . . . . . . . . . . . . . . . 259
Chapter 11 Configuring Virtual Private Networks
VPN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Configuring VPN with L2TP IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Configuring VPN with PPTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Configuring Alcatel Dialer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Captive Portal Download of Dialer . . . . . . . . . . . . . . . . . . . . . . . 268
Configuring Site-to-Site VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Dead Peer Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Chapter 12 Configuring Advanced Security
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Securing Client Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Securing Wireless Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Securing Wired Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Securing Wireless Clients Through Non-Alcatel APs . . . . . . 280
Securing WLAN Switch-to-WLAN Switch Communication . . . 282
Configuring the Odyssey Client on Client Machines . . . . . . . . . 284
Chapter 13 Configuring MAC-Based Authentication
Configuring MAC-Based Authentication . . . . . . . . . . . . . . . . . . . . 290
Configuring the MAC Authentication Profile . . . . . . . . . . . . . . 290
Configuring Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Contents
8 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Volume 5
Configuring Multiple
WLAN Switch Environments
Chapter 14 Adding Local WLAN Switches
Moving to a Multi-WLAN Switch Environment . . . . . . . . . . . . . . 296
Preshared Key for Inter-WLAN Switch Communication. . . . 296
Configuring Local WLAN Switches . . . . . . . . . . . . . . . . . . . . . . . . . 298
Configuring the Local WLAN Switch . . . . . . . . . . . . . . . . . . . . . 298
Configuring Layer-2/Layer-3 Settings . . . . . . . . . . . . . . . . . . . . 299
Configuring Trusted Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Configuring APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Chapter 15 Configuring IP Mobility
Alcatel Mobility Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Configuring Mobility Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Configuring a Mobility Domain. . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Joining a Mobility Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Example Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Tracking Mobile Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Mobile Client Roaming Status . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Mobile Client Roaming Locations . . . . . . . . . . . . . . . . . . . . . . . . 313
Advanced Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Proxy Mobile IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Proxy DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Revocations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Chapter 16 Configuring Redundancy
Virtual Router Redundancy Protocol . . . . . . . . . . . . . . . . . . . . . . . . 316
Configuring Redundancy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Configuring Local WLAN Switch Redundancy . . . . . . . . . . . . 318
Master WLAN Switch Redundancy. . . . . . . . . . . . . . . . . . . . . . . 319
Master-Local WLAN Switch Redundancy . . . . . . . . . . . . . . . . . 321
Volume 6
Configuring Intrusion Protection
AOS-W 3.1 9
User Guide
Contents
Chapter 17 Configuring Wireless Intrusion Prevention
IDS Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Unauthorized Device Detection . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Denial of Service (DoS) Detection . . . . . . . . . . . . . . . . . . . . . . . . 330
Impersonation Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Signature Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
IDS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
IDS Profile Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Configuring the IDS General Profile . . . . . . . . . . . . . . . . . . . . . . 333
Configuring Denial of Service Attack Detection . . . . . . . . . . . 335
Configuring Impersonation Detection . . . . . . . . . . . . . . . . . . . . 338
Configuring Signature Detection . . . . . . . . . . . . . . . . . . . . . . . . . 341
Configuring Unauthorized Device Detection . . . . . . . . . . . . . . 344
Client Blacklisting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Methods of Blacklisting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Blacklist Duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Removing a Client from Blacklisting . . . . . . . . . . . . . . . . . . . . . . 357
Volume 7
Managing the OmniAccess System
Chapter 18 Configuring Management Access
Management Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
CLI Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Alcatel Mobility Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Managing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
About Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Obtaining a Server Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Obtaining a Client Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Importing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Updating CRLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Service-Specific Use of Certificates . . . . . . . . . . . . . . . . . . . . . . 378
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
SNMP for the WLAN Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
SNMP for Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Configuring Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Creating Guest Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Configuring the Guest Provisioning User . . . . . . . . . . . . . . . . . 393
Guest-Provisioning User Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Optional Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Contents
10 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Setting the System Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Manually Setting the Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Configuring an NTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Chapter 19 Managing Software Feature Licenses
Alcatel Software Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Software License Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
The Software Licensing Process . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Obtaining a Software License Certificate . . . . . . . . . . . . . . . . . 401
Software License Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Locating the System Serial Number . . . . . . . . . . . . . . . . . . . . . . 403
Obtaining a Software License Key . . . . . . . . . . . . . . . . . . . . . . . 403
Applying the Software License Key . . . . . . . . . . . . . . . . . . . . . . 404
Additional Software License Information. . . . . . . . . . . . . . . . . . . . 405
Permanent Licenses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Evaluation Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Deleting a License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Moving Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Resetting the WLAN Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Getting Help with Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Volume 8
Configuring Advanced Services
Chapter 20 Configuring QoS for Voice
Roles and Policies for Voice Traffic . . . . . . . . . . . . . . . . . . . . . . . . . 412
Configuring a User Role for SIP Phones . . . . . . . . . . . . . . . . . . 412
Configuring a User Role for SVP Phones . . . . . . . . . . . . . . . . . 415
Configuring a User Role for Vocera Badges . . . . . . . . . . . . . . . 417
Configuring a User Role for SCCP Phones. . . . . . . . . . . . . . . . 420
Configuring User-Derivation Rules . . . . . . . . . . . . . . . . . . . . . . . 422
Optional Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Wi-Fi Multimedia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Battery Boost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
WPA Fast Handover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
AOS-W 3.1 11
User Guide
Contents
Voice Services Module Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Configuring the VoIP CAC Profile . . . . . . . . . . . . . . . . . . . . . . . . 428
Dynamic WMM Queue Management . . . . . . . . . . . . . . . . . . . . . 430
TSPEC Signaling Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
WMM Queue Content Enforcement . . . . . . . . . . . . . . . . . . . . . . 433
Voice-Aware 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
SIP Authentication Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
SIP Call Setup Keepalive. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Mobile IP Home Agent Assignment . . . . . . . . . . . . . . . . . . . . . . 435
Chapter 21 External Services Interface
Understanding ESI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Understanding the ESI Syslog Parser . . . . . . . . . . . . . . . . . . . . . . . 440
ESI Parser Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Peer WLAN Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Syslog Parser Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
ESI Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Health-Check Method, Groups, and Servers . . . . . . . . . . . . . . 444
Redirection Policies and User Role . . . . . . . . . . . . . . . . . . . . . . . 448
ESI Syslog Parser Domains and Rules . . . . . . . . . . . . . . . . . . . . 452
Monitoring Syslog Parser Statistics . . . . . . . . . . . . . . . . . . . . . . 462
Example Route-mode ESI Topology. . . . . . . . . . . . . . . . . . . . . . . . . 463
Configuring the Example Routed ESI Topology . . . . . . . . . . . 464
Example NAT-mode ESI Topology . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Configuring the Example NAT-mode ESI Topology . . . . . . . . 475
Basic Regular Expression Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Character-Matching Operators. . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Regular Expression Repetition Operators . . . . . . . . . . . . . . . . . 482
Regular Expression Anchors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Volume 9
Appendices
Appendix A Configuring DHCP with Vendor-Specific
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Windows-Based DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Configuring Option 60. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Configuring Option 43. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Linux DHCP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Contents
12 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Appendix B External Firewall Configuration . . . . . . . . . . 493
Communication Between Alcatel Devices . . . . . . . . . . . . . . . . . . . 494
Network Management Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Other Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Appendix C Alcatel System Defaults . . . . . . . . . . . . . . . . 497
Basic System Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Firewall Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
System Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Default Open Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Appendix D Windows Client Example Configuration for
802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Window XP Wireless Client Example Configuration . . . . . . . . . 505
Appendix E Internal Captive Portal . . . . . . . . . . . . . . . . . . 511
Creating a New Internal Web Page . . . . . . . . . . . . . . . . . . . . . . . . . 512
Basic HTML Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Installing a New Captive Portal Page . . . . . . . . . . . . . . . . . . . . . . . 514
Displaying Authentication Error Message . . . . . . . . . . . . . . . . . . . 515
Reverting to the Default Captive Portal . . . . . . . . . . . . . . . . . . . . . 516
Language Customization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Customizing the Welcome Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Customizing the Pop-Up box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Customizing the Logged Out Box . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
AOS-W 3.1 13
User Guide
List of Tables
Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Table 1-1 Optional Software Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Table 1-2 Encryption Options by Authentication Method . . . . . . . . . . . . . . 35
Table 5-3 Default AP Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Table 5-4 AP Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Table 5-5 Profiles for Example Configuration . . . . . . . . . . . . . . . . . . . . . . 127
Table 7-6 Firewall Policy Rule Parameters . . . . . . . . . . . . . . . . . . . . . . . . . 153
Table 7-7 User Role Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Table 7-8 Conditions for User-Derived Role . . . . . . . . . . . . . . . . . . . . . . . . 161
Table 7-9 Conditions for Server-Derived Role . . . . . . . . . . . . . . . . . . . . . . 165
Table 7-10 Firewall Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Table 8-11 RADIUS Server Configuration Parameters . . . . . . . . . . . . . . . . 171
Table 8-12 LDAP Server Configuration Parameters . . . . . . . . . . . . . . . . . . 173
Table 8-13 TACACS+ Server Configuration Parameters . . . . . . . . . . . . . . . 174
Table 8-14 Internal Database Configuration Parameters . . . . . . . . . . . . . . 176
Table 8-15 Server Group Configuration Parameters . . . . . . . . . . . . . . . . . 177
Table 8-16 Server Rule Configuration Parameters . . . . . . . . . . . . . . . . . . . 178
Table 8-17 Server Types and Purposes . . . . . . . . . . . . . . . . . . . . . . . . . . .180
Table 8-18 Authentication Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Table 9-19 802.1x Authentication Profile Basic WebUI Parameters . . . . . . 192
Table 9-20 User and Machine Authentication Scenarios . . . . . . . . . . . . . . 194
Table 10-21 Captive Portal Authentication Profile Parameters . . . . . . . . . 250
Table 13-22 MAC Authentication Profile Configuration Parameters . . . . . 290
Table 16-23 VRRP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Table 17-24 IDS Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Table 17-25 IDS General Profile Configuration Parameters . . . . . . . . . . . .333
Table 17-26 IDS Denial of Service Profile Configuration Parameters . . . . . 335
Table 17-27 IDS Rate Thresholds Profile Configuration Parameters . . . . . 337
Table 17-28 IDS Impersonation Profile Configuration Parameters . . . . . . . 339
Table 17-29 Predefined Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Table 17-30 Signature Rule Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Table 17-31 IDS Unauthorized Device Profile Configuration Parameters . . 344
Table 17-32 WMS Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . 348
Table 17-33 Valid SSIDs with Multi-Tenancy and Misconfigured AP
Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Table 18-34 WebUI Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Table 18-35 Configuration Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Table 18-36 Line Editing Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Table 18-37 SNMP Parameters for the WLAN Switch . . . . . . . . . . . . . . . . 381
List of Tables
14 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Table 18-38 SNMP Profile Configuration Parameters . . . . . . . . . . . . . . . . 383
Table 18-39 SNMP User Profile Configuration Parameters . . . . . . . . . . . . 384
Table 18-40 Software Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Table 18-41 Logging Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Table 20-42 WMM Access Category to 802.1D Priority Mapping . . . . . . . 424
Table 20-43 WMM Access Categories and 802.1d Tags . . . . . . . . . . . . . . 431
Table 21-44 Character-matching operators in regular expressions . . . . . . 481
Table 21-45 Regular expression repetition operators . . . . . . . . . . . . . . . . . 482
Table 21-46 Regular expression anchors . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Table C-47 Default (Trusted) Open Ports . . . . . . . . . . . . . . . . . . . . . . . . . . 501
AOS-W 3.1 15
User Guide
List of Figures
Figure 1-1 Connecting APs to the Alcatel WLAN Switch . . . . . . . . . . . . . . . 25
Figure 1-2 Alcatel APs Establish GRE Tunnels to the WLAN Switch . . . . . . 26
Figure 1-3 Client Traffic is Tunneled to the WLAN Switch . . . . . . . . . . . . . . 27
Figure 1-4 Master and Local WLAN Switches . . . . . . . . . . . . . . . . . . . . . . . 30
Figure 1-5 VLANs for Wireless Clients Configured on WLAN Switch . . . . . 37
Figure 2-6 APs Connected to WLAN Switch . . . . . . . . . . . . . . . . . . . . . . . . 59
Figure 3-7 IP Address Assignment to VLAN via DHCP or PPPoE . . . . . . . . . 65
Figure 3-8 Example: Source NAT using WLAN Switch IP Address . . . . . . . 69
Figure 5-9 AP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Figure 5-10 Virtual AP Configurations Applied to the Same AP . . . . . . . . . 120
Figure 5-11 Applying AP Profiles to AP Groups . . . . . . . . . . . . . . . . . . . . 123
Figure 5-12 Applying WLAN Profiles to AP Groups . . . . . . . . . . . . . . . . . . 124
Figure 5-13 Excluding a Virtual AP Profile from an AP . . . . . . . . . . . . . . . . 124
Figure 6-14 Remote AP with a Private Network . . . . . . . . . . . . . . . . . . . . 138
Figure 6-15 Remote AP with WLAN Switch on Public Network . . . . . . . . 139
Figure 6-16 Remote AP with WLAN Switch Behind Firewall . . . . . . . . . . . 139
Figure 6-17 Remote AP in a Multi-WLAN Switch Environment . . . . . . . . . 139
Figure 8-18 Server Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Figure 9-19 802.1x Authentication with RADIUS Server . . . . . . . . . . . . . . 187
Figure 9-20 802.1x Authentication with Termination on WLAN Switch . . . 188
Figure 10-21 Captive Portal in Base Operating System Example . . . . . . . . 230
Figure 11-22 Site-to-Site VPN Configuration Components . . . . . . . . . . . . 269
Figure 12-23 Wireless xSec Client Example . . . . . . . . . . . . . . . . . . . . . . . . 276
Figure 12-24 Wired xSec Client Example . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Figure 12-25 WLAN Switch-to-WLAN Switch xSec Example . . . . . . . . . . . 282
Figure 12-26 The regedit Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Figure 12-27 Modifying a regedit Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Figure 12-28 The Funk Odyssey Client Profile . . . . . . . . . . . . . . . . . . . . . . 285
Figure 12-29 Certificate Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Figure 12-30 Network Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Figure 15-31 Routing of Traffic to Mobile Client within Mobility Domain . 305
Figure 15-32 Example Configuration: Campus-Wide Mobility . . . . . . . . . . 309
Figure 16-33 Redundant Topology: Master-Local Redundancy . . . . . . . . . 322
Figure 18-34 Creating a Guest Account . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Figure 18-35 Guest Account Information . . . . . . . . . . . . . . . . . . . . . . . . . 393
Figure 18-36 Guest Provisioning Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Figure 21-37 The ESI-Fortinet Topology . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Figure 21-38 Load Balancing Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Figure 21-39 ESI Parser Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
List of Figures
16 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Figure 21-40 Peer WLAN Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Figure 21-41 The External Services View . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Figure 21-42 The User Roles View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Figure 21-43 The Add Role View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Figure 21-44 Firewall Polices Choices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Figure 21-45 Firewall Policy Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Figure 21-46 Setting Firewall Policy Parameters . . . . . . . . . . . . . . . . . . . . 450
Figure 21-47 Selecting Parameters in Drop-down Lists . . . . . . . . . . . . . . . 450
Figure 21-48 The External Services View . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Figure 21-49 The Syslog Parser Domains View . . . . . . . . . . . . . . . . . . . . . 453
Figure 21-50 The Add Domain View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Figure 21-51 The Edit Domain View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Figure 21-52 The Syslog Parser Rules View . . . . . . . . . . . . . . . . . . . . . . . 456
Figure 21-53 The New Rule View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Figure 21-54 The Edit Rule View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Figure 21-55 The Syslog Parser Rule Test View . . . . . . . . . . . . . . . . . . . . 460
Figure 21-56 The Syslog Parser Statistics View . . . . . . . . . . . . . . . . . . . . 462
Figure 21-57 Example Route-Mode Topology . . . . . . . . . . . . . . . . . . . . . . 463
Figure 21-58 The User Roles View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Figure 21-59 The Add Role View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Figure 21-60 Firewall Polices Choices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Figure 21-61 Firewall Policy Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Figure 21-62 Setting Firewall Policy Parameters . . . . . . . . . . . . . . . . . . . . 470
Figure 21-63 Selecting Parameters in Drop-down Lists . . . . . . . . . . . . . . . 470
Figure 21-64 Example NAT-Mode Topology . . . . . . . . . . . . . . . . . . . . . . . 474
Figure A-65 Scope Options Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Figure A-66 DHCP Scope Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Figure D-67 Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Figure D-68 Networks to Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Figure D-69 Wireless Network Association . . . . . . . . . . . . . . . . . . . . . . . . 508
Figure D-70 Wireless Network Authentication . . . . . . . . . . . . . . . . . . . . . . 509
Figure D-71 Protected EAP Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Figure D-72 EAP MSCHAPv2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . 510
AOS-W 3.1 17
User Guide
Preface
This preface includes the following information:
An overview of the contents of this manual
A list of related documentation for further reading
A key to the various text conventions used throughout this manual
Alcatel support and service information
Document Organization
This user guide includes instructions and examples for commonly-used wireless
LAN (WLAN) Switch configurations such as Virtual Private Networks (VPNs),
authentication, and redundancy.
Volume 1 contains an overview of the Alcatel OmniAccess system. Volume 2
describes how to install the Alcatel OmniAccess system in a wired network.
Volume 3 describes how to configure Alcatel access points (APs), including
remote APs. The remaining volumes of the user guide describe other features of
the Alcatel OmniAccess system.
Related Documents
The following items are part of the complete documentation for the Alcatel
OmniAccess system:
Alcatel WLAN Switch Installation Guides
Alcatel Access Point Installation Guides
Release Notes
Preface
18 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Text Conventions
The following conventions are used throughout this manual to emphasize
important concepts:
TABLE 1 Text Conventions
Type Style Description
Italics This style is used to emphasize important terms and to mark
the titles of books.
System items This fixed-width font depicts the following:
Sample screen output
System prompts
Filenames, software devices, and specific commands
when mentioned in the text
Commands In the command examples, this bold font depicts text that
you must type exactly as shown.
<Arguments> In the command examples, italicized text within angle
brackets represents items that you should replace with
information appropriate to your specific situation. For
example:
# send <text message>
In this example, you would type “send” at the system
prompt exactly as shown, followed by the text of the
message you wish to send. Do not type the angle brackets.
[ Optional ] In the command examples, items enclosed in brackets are
optional. Do not type the brackets.
{ Item A | Item B } In the command examples, items within curled braces and
separated by a vertical bar represent the available choices.
Enter only one choice. Do not type the braces or bars.
AOS-W 3.1 19
User Guide
Preface
Contacting Alcatel
Contact Center Online
Main Site http://www.alcatel.com/enterprise
Support Site http://eservice.ind.alcatel.com
Email support@ind.alcatel.com
Sales & Support Contact Center Telephone
North America 1-800-995-2696
Latin America 1-877-919-9526
Europe +33 (0) 38 85 56 92 9
Asia Pacific +65 6586 1555
Worldwide 1-818-880-3500
Preface
20 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Volume 1
Introducing the
Alcatel
OmniAccess
System
AOS-W Version 3.1
22 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 23
User Guide
Overview of the Alcatel
OmniAccess System 1
Wireless local area networks (WLANs) allow users of personal computers with
wireless network interface adapters to communicate with each other and connect
to existing wired networks. The Alcatel OmniAccess system allows you to
implement WLANs in enterprise environments with lower cost of deployment,
simplified management, and multiple layers of security.
This chapter describes the components and features of the Alcatel OmniAccess
system, in the following topics:
Alcatel OmniAccess System Components” on page 24
“Basic WLAN Configuration” on page 33
“Wireless Client Access to the WLAN” on page 39
“Configuring and Managing the Alcatel OmniAccess System” on page 42
Overview of the Alcatel OmniAccess System
Chapter 1
24 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Alcatel OmniAccess System Components
The Alcatel OmniAccess system consists of the following components:
Alcatel Access Points
Alcatel WLAN Switches
AOS-W
The following sections describe each of these components.
Alcatel Access Points
Alcatel Access Points (APs) operate exclusively with Alcatel WLAN Switches to
provide network access for wireless clients. Alcatel APs support Institute of
Electrical and Electronics Engineers (IEEE) 802.11a/b/g standards for wireless
systems.
NOTE:Alcatel offers a range of APs that support various antenna types and
radio specifications. Refer to the Installation Guide for your Alcatel AP for
specific information about supported features.
An AP broadcasts its configured service set identifier (SSID), which corresponds
to a specific wireless local area network (WLAN). Wireless clients discover APs by
listening for broadcast beacons or by sending active probes to search for APs
with a specific SSID.
You can connect an Alcatel AP to an Alcatel WLAN Switch either directly with an
Ethernet cable or remotely through an IP network. Figure 1-1 shows two Alcatel
APs connected to an Alcatel WLAN Switch. One AP is connected to a switch in
the wiring closet that is connected to a router in the data center where the WLAN
Switch is located. The Ethernet port on the other AP is cabled directly to a port on
the WLAN Switch.
AOS-W 3.1 25
User Guide
Overview of the Alcatel OmniAccess System
Chapter 1
FIGURE 1-1 Connecting APs to the Alcatel WLAN Switch
Alcatel APs are thin APs, which means their primary function is to receive and
transmit electromagnetic signals; other WLAN processing is left to the WLAN
Switch. When powered on, an Alcatel AP locates its host WLAN Switch through
a variety of methods, including the Alcatel Discovery Protocol (ADP), Domain
Name Service (DNS), or Dynamic Host Configuration Protocol (DHCP). When an
Alcatel AP locates its host WLAN Switch, it automatically builds a secure Generic
Routing Encapsulation (GRE) tunnel (Figure 1-2) to the WLAN Switch. The AP
then downloads its software and configuration from the WLAN Switch through
the tunnel.
INTERNET
ALCATEL WLAN SWITCH
DATA CENTER
FLOOR
WIRING
CLOSET
ALCATEL AP CONNECTED
THROUGH AN IP NETWORK
ALCATEL AP CONNECTED
WITH AN ETHERNET CABLE
Overview of the Alcatel OmniAccess System
Chapter 1
26 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
FIGURE 1-2 Alcatel APs Establish GRE Tunnels to the WLAN Switch
Client traffic received by the AP is immediately sent through the tunnel to the host
WLAN Switch (Figure 1-3), which performs packet processing such as encryption
and decryption, authentication, and policy enforcement.
INTERNET
ALCATEL WLAN SWITCH
DATA CENTER
FLOOR
WIRING
CLOSET
ALCATEL AP
GRE T
UNNEL
GRE TUNNEL
AOS-W 3.1 27
User Guide
Overview of the Alcatel OmniAccess System
Chapter 1
FIGURE 1-3 Client Traffic is Tunneled to the WLAN Switch
Automatic RF Channel and Power Settings
Adaptive Radio Management (ARM) is a radio frequency (RF) resource allocation
algorithm that you can enable and configure in the Alcatel Mobility Edge system.
When ARM is enabled, each Alcatel AP can determine the optimum channel
selection and transmit power setting to minimize interference and maximize
coverage and throughput. The APs scan for better channels at periodic intervals
and report information to the WLAN Switch. The WLAN Switch analyzes reports
from all APs and coordinates changes, resulting in a higher performing RF
environment.
If an AP fails for any reason, the Alcatel OmniAccess system’s self-healing
mechanism automatically ensures coverage for wireless clients. The WLAN
Switch detects the failed AP and instructs neighboring APs to increase power
levels to compensate.
You can also enable the system to detect coverage holes, or areas where a good
RF signal is not adequately reaching wireless clients.
INTERNET
ALCATEL WLAN SWITCH
DATA CENTER
FLOOR
ALCATEL AP
WIRELESS CLIENTS
WIRING
CLOSET
Overview of the Alcatel OmniAccess System
Chapter 1
28 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
RF Monitoring
An Alcatel AP can function as either a dedicated or shared Air Monitor (AM) to
monitor radio frequency (RF) spectrums to detect intrusions, denial of service
(DoS) attacks, and other vulnerabilities. A dedicated AM performs monitoring
functions exclusively and does not service wireless clients or advertise SSIDs. A
shared AM performs monitoring functions in addition to servicing wireless
clients.
Every AP automatically monitors the channel on which it services wireless clients.
You can configure the AP to perform off-channel scanning, where the AP spends
brief time intervals scanning other channels. However, the more clients an AP
services, the less time it has to perform off-channel scanning. If air monitoring
functions are critical to your network, Alcatel recommends that a few APs be
designated as dedicated AMs.
For example, you can configure dedicated AMs to perform the following
functions:
Detect, locate, and disable rogue APs (APs that are not authorized or
sanctioned by network administrators)
Detect and disable ad-hoc networks
Detect and disable honeypot APs
Detect wireless bridges
Capture remote packets
If air monitoring functions are only needed periodically, you can configure APs to
operate temporarily as AMs. You can also configure dedicated AMs to
automatically convert into APs if there is an AP failure or when there is high level
of traffic on the network.
Alcatel WLAN Switches
All Alcatel APs are connected either directly or remotely through an IP network to
an Alcatel WLAN Switch. The WLAN Switch is an enterprise-class switch that
bridges wireless client traffic to and from traditional wired networks and performs
high-speed Layer-2 or Layer-3 packet forwarding between Ethernet ports. While
Alcatel APs provide radio services only, the WLAN Switch performs upper-layer
media access control (MAC) processing, such as encryption and authentication,
as well as centralized configuration and management of SSIDs and RF
characteristics for Alcatel APs. This allows you to deploy APs with little or no
physical change to an existing wired infrastructure.
WLAN Switches provide 10/100 Mbps Fast Ethernet, IEEE 802.3af-compliant
ports that can provide Power over Ethernet (PoE) to directly-connected APs.
When you connect a PoE-capable port on the WLAN Switch to a PoE-compatible
device such as an Alcatel AP, the port automatically detects the device and
AOS-W 3.1 29
User Guide
Overview of the Alcatel OmniAccess System
Chapter 1
provides operating power through the connected Ethernet cable. This allows APs
to be installed in areas where electrical outlets are unavailable, undesirable, or not
permitted, such as in the plenum or in air handling spaces.
NOTE:Alcatel offers a range of WLAN Switches that provide different port types
and traffic capacities. Refer to the Installation Guide for your Alcatel
WLAN Switch for specific information about supported features.
In an Alcatel OmniAccess system, at least one WLAN Switch is the master WLAN
Switch while non-master WLAN Switches are referred to as local WLAN Switches
(Figure 1-4). A master WLAN Switch offers a single point of configuration that is
automatically replicated from the master to local WLAN Switches throughout the
network.
Local WLAN Switches offer local points of traffic aggregation and management
for Alcatel APs and services. A local WLAN Switch can perform any supported
function (for example, WLAN management, policy enforcement, VPN services,
and so on), however these services are always configured on the master WLAN
Switch and are “pushed” to specified local WLAN Switches.
An Alcatel AP obtains its software image and configuration from a master WLAN
Switch; it can also be instructed by a master WLAN Switch to obtain its software
from a local WLAN Switch.
Overview of the Alcatel OmniAccess System
Chapter 1
30 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
FIGURE 1-4 Master and Local WLAN Switches
A typical OmniAccess system includes one master WLAN Switch, one or more
backup master WLAN Switches and any number of local WLAN Switches. It is
important to note that master WLAN Switches do not share information with
each other. Thus, APs that share roaming tables, security policies, and other
configurations should be managed by the same master WLAN Switch.
MASTER WLAN
SWITCH
LOCAL WLAN
SWITCH
LOCAL WLAN
SWITCH
AOS-W 3.1 31
User Guide
Overview of the Alcatel OmniAccess System
Chapter 1
AOS-W
AOS-W is a suite of mobility applications that runs on all Alcatel WLAN Switches
and allows you to configure and manage the wireless and mobile user
environment.
AOS-W consists of a base software package with optional software modules that
you can activate by installing the appropriate license key (Ta b l e 1 - 1 ). The base
AOS-W software includes the following functions:
Centralized configuration and management of APs
Wireless client authentication to an external authentication server or to the
WLAN Switch’s local database
Encryption
Mobility with fast roaming
RF management and analysis tools
TABLE 1-1 Optional Software Modules
Optional Software Module Description
Policy Enforcement
Firewall
Provides identity-based security for wired and
wireless clients. Stateful firewall enables
classification based on client identity, device type,
location, and time of day, and provides
differentiated access for different classes of users.
Wireless Intrusion
Protection
Detects, classifies and limits designated wireless
security threats such as rogue APs, DoS attacks,
malicious wireless attacks, impersonations, and
unauthorized intrusions. Eliminates need for
separate system of RF sensors and security
appliances.
VPN Server Enables WLAN Switches to provide Virtual Private
Networks (VPN) tunnel termination to local and
remote clients. Provides site-to-site VPN tunnels
between Alcatel WLAN Switches and third-party
VPN concentrators.
Overview of the Alcatel OmniAccess System
Chapter 1
32 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Each optional module has a software license (either permanent or evaluation) that
you must install on an Alcatel WLAN Switch as a software license key. Contact
your sales account manager or authorized reseller to obtain software licenses.
NOTE:After installing one or more software license keys, you must reboot the
Alcatel WLAN Switch for the new feature to become available.
Remote AP Allows an Alcatel AP to be securely connected
from a remote location to a WLAN Switch across
the Internet. Allows the remote AP to be plugged
directly into an Internet-connected DSL router; a
WLAN Switch does not need to be installed at the
remote location.
There are three Remote AP licenses available that
allow the WLAN Switch to support a maximum of
6, 128, or 256 Remote APs.
xSec Enables support for xSec, a Federal Information
Processing Standard (FIPS)-certifiable Layer-2
encryption protocol.
Client Integrity Enables wireless and wired client remediation
services before network access is granted.
Integrates Sygate Technologies Sygate
On-Demand Agent (SODA).
External Services Interface
(ESI)
Supports automatic redirect of clients to external
devices that provide inline network services such
as anti-virus, intrusion detection system (IDS), and
content filtering.
TABLE 1-1 Optional Software Modules (Continued)
Optional Software Module Description
AOS-W 3.1 33
User Guide
Overview of the Alcatel OmniAccess System
Chapter 1
Basic WLAN Configuration
You have a wide variety of options for authentication, encryption, access
management, and user rights when you configure a WLAN in the Alcatel
OmniAccess system. However, you must configure the following basic elements:
An SSID that uniquely identifies the WLAN
Layer-2 authentication to protect against unauthorized access to the WLAN
Layer-2 encryption to ensure the privacy and confidentiality of the data
transmitted to and from the network
A user role and virtual local area network (VLAN) for the authenticated client
This section describes authentication, encryption, VLAN, and user role
configuration in the Alcatel OmniAccess system.
Authentication
A wireless client must authenticate to the Alcatel OmniAccess system in order to
access WLAN resources. There are several types of Layer-2 security mechanisms
allowed by the IEEE 802.11 standard that you can employ in the OmniAccess
system, including those that require an external RADIUS authentication server:
Authentication
Method Description
None (Also called open system authentication) This is the default
authentication protocol. The client’s identity, in the form of the
Media Access Control (MAC) address of the wireless adapter
in the wireless client, is passed to the WLAN Switch.
Essentially any client requesting access to the WLAN is
authenticated.
Overview of the Alcatel OmniAccess System
Chapter 1
34 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
IEEE 802.1x The IEEE 802.1x authentication standard allows for the use of
keys that are dynamically generated on a per-client basic (as
opposed to a static key that is the same on all devices in the
network).
NOTE:The 802.1x standard requires the use of a RADIUS
authentication server. Most Lightweight Directory
Access Protocol (LDAP) servers do not support
802.1x.
With 802.1x authentication, a supplicant is the wireless client
that wants to gain access to the network and the device that
communicates with both the supplicant and the
authentication server is the authenticator. In the Alcatel
OmniAccess system, the WLAN Switch is the 802.1x
authenticator, relaying authentication requests between the
authentication server and the supplicant.
NOTE:During the authentication process, the supplicant (the
wireless client) and the RADIUS authentication server
negotiate the type of Extensible Authentication
Protocol (EAP) they will use for the authentication
transaction. The EAP type is completely transparent
to the WLAN Switch and has no impact on its
configuration.
Wi-Fi Protected
Access (WPA)
WPA implements most of the IEEE 802.11i standard. It is
designed for use with an 802.1x authentication server (the
Wi-Fi Alliance refers to this mode as WPA-Enterprise). WPA
uses the Temporal Key Integrity Protocol (TKIP) to dynamically
change keys and RC4 stream cipher to encrypt data.
WPA in
pre-shared key
(PSK) mode
(WPA-PSK)
With WPA-PSK, all clients use the same key (the Wi-Fi Alliance
refers to this mode as WPA-Personal).
NOTE:In PSK mode, users must enter a passphrase from
8-63 characters to access the network. PSK is
intended for home and small office networks where
operating an 802.1x authentication server is not
practical.
WPA2 WPA2 implements the full IEEE 802.11i standard. In addition
to WPA features, WPA2 provides Counter Mode with Cipher
Blocking Chaining Message Authentication Code Protocol
(CCMP) for encryption which uses the Advanced Encryption
Standard (AES) algorithm. (The Wi-Fi Alliance refers to this
mode as WPA2-Enterprise.)
Authentication
Method Description
AOS-W 3.1 35
User Guide
Overview of the Alcatel OmniAccess System
Chapter 1
Encryption
The Layer-2 encryption option you can select depends upon the authentication
method chosen (Tab l e 1 - 2 ).
You can configure the following data encryption options for the WLAN:
WPA2-PSK WPA2-PSK is WPA2 used in PSK mode, where all clients use
the same key. (The Wi-Fi Alliance refers to this mode as
WPA2-Personal.)
Authentication
Method Description
TABLE 1-2 Encryption Options by Authentication Method
Authentication Method Encryption Option
None Null or Static WEP
802.1x Dynamic WEP
WPA or WPA-PSK only TKIP
WPA2 or WPA2-PSK only AES
Combination of WPA or WPA-PSK
and WPA2 or WPA2-PSK
Mixed TKIP/AES
Encryption Method Description
Null Null means that no encryption is used and packets passing
between the wireless client and WLAN Switch are in clear
text.
Wired Equivalent
Protocol (WEP)
Defined by the original IEEE 802.11 standard, WEP uses
the RC4 stream cipher with 40-bit and 128-bit encryption
keys. The management and distribution of WEP keys is
performed outside of the 802.11 protocol. There are two
forms of WEP keys:
Static WEP requires you to manually enter the key for
each client and on the WLAN Switch.
Dynamic WEP allows the keys to be automatically
derived for each client for a specific authentication
method during the authentication process. Dynamic
WEP requires 802.1x authentication.
Overview of the Alcatel OmniAccess System
Chapter 1
36 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
VLAN
Each authenticated client is placed into a VLAN, which determines the client’s
DHCP server, IP address, and Layer-2 connection. While you could place all
authenticated wireless clients into a single VLAN, the Alcatel OmniAccess system
allows you to group wireless clients into separate VLANs. This enables you to
differentiate groups of wireless clients and their access to network resources. For
example, you can place authorized employee clients into one VLAN and itinerant
clients, such as contractors or guests, into a separate VLAN.
Temporal Key
Integrity Protocol
(TKIP)
TKIP ensures that the encryption key is changed for every
data packet. You specify TKIP encryption for WPA and
WPA-PSK authentication.
Advanced
Encryption
Standard (AES)
AES is an encryption cipher that uses the Counter-mode
CBC-MAC (Cipher Block Chaining-Message Authentication
Code) Protocol (CCMP) mandated by the IEEE 802.11i
standard. AES-CCMP is specifically designed for IEEE
802.11 encryption and encrypts parts of the 802.11 MAC
headers as well as the data payload. You can specify
AES-CCMP encryption with WPA2 or WPA2-PSK
authentication.
Mixed
TKIP/AES-CCM
This option allows the WLAN Switch to use TKIP
encryption with WPA or WPA-PSK clients and use AES
encryption with WPA2 or WPA2-PSK clients. This option
allows you to deploy the Alcatel OmniAccess system in
environments that contain existing WLANs that use
different authentication and encryption.
xSec (Extreme
Security)
xSec is a Federal Information Processing Standard
(FIPS)-certifiable Layer-2 encryption. xSec can encrypt and
tunnel Layer-2 traffic between a WLAN Switch and wired
and wireless clients, or between two Alcatel WLAN
Switches. To use xSec encryption:
You must use 802.1x authentication, which means
that you must use a RADIUS authentication server.
You must install the AOS-W xSec license in the Alcatel
WLAN Switch. If you are using xSec between two
Alcatel WLAN Switches, you must install a license in
each device.
For encryption and tunneling of data between the
client and WLAN Switch, you must install the Funk
Odyssey client that supports xSec in the wired or
wireless client.
Encryption Method Description
AOS-W 3.1 37
User Guide
Overview of the Alcatel OmniAccess System
Chapter 1
NOTE:You create the VLANs for wireless clients only on the WLAN Switch. You
do not need to create the VLANs anywhere else on your network.
Because wireless clients are tunneled to the WLAN Switch (see
Figure 1-3 on page 27) to the rest of the network it appears as if the
clients were directly connected to the WLAN Switch.
For example, in the topology shown in Figure 1-5, authenticated wireless clients
are placed on VLAN 20. You configure VLAN 20 only on the WLAN Switch; you do
not need to configure VLAN 20 on any other device in the network.
NOTE:To allow data to be routed to VLAN 20, you need to configure a static
route to VLAN 20 on an upstream router in the wired network.
FIGURE 1-5 VLANs for Wireless Clients Configured on WLAN Switch
A client is assigned to a VLAN by one of several methods and there is an order of
precedence by which VLANs are assigned. For more information about creating
VLANs and how VLANs are assigned, see Chapter 3, “Configuring Network
Parameters.
VLAN 20
VLAN 20
INTERNET
DATA CENTER
FLOOR
WIRING
CLOSET
Overview of the Alcatel OmniAccess System
Chapter 1
38 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
User Role
Every client in an Alcatel OmniAccess system is associated with a user role,
which determines what a client is allowed to do, where and when it can operate,
how often it must re-authenticate, and which bandwidth contracts are applicable.
User roles can be simply defined; for example, you can define an “employee” role
that allows unrestricted access to all network resources at all times of the day
and a “guest” role that allows only HTTP access to the Internet during regular
business hours. Or you can define more granular user roles that are specific to
jobs in an enterprise environment, such as “IT staff” or “payroll”.
NOTE:User roles and policies require the installation of a Policy Enforcement
Firewall license in the WLAN Switch. See Table 1-1 on page 31 for
descriptions of optional AOS-W software licenses.
In an Alcatel OmniAccess system, a policy identifies a set of rules that applies to
traffic that passes through the WLAN Switch. A policy can consist of firewall
rules that permit or deny traffic, quality of service (QoS) actions such as setting a
data packet to high priority, or administrative actions such as logging.
Whenever you create a user role, you specify one or more policies for the role. You
can apply policies to clients to give different treatment to clients on the same
network. The following example shows policies that might be applied for the user
roles “Employee” and “Guest”:
NOTE:In the examples shown above, all clients should be securely
authenticated before network access is granted.
“Employee” User Role Policy: “Guest” User Role Policy:
“Permit all traffic from any source to
any destination”
“Permit DHCP traffic from the client to
corporate DHCP server during business
hours”
“Permit DNS traffic from the client to a
public DNS server during business
hours”
“Permit HTTP traffic from the client to
any destination during business hours”
“Permit HTTPS traffic from the client to
any destination during business hours”
“Drop all traffic from the client to the
Internal Corporate network”
AOS-W 3.1 39
User Guide
Overview of the Alcatel OmniAccess System
Chapter 1
A client is assigned a user role by one of several methods and there is an order or
precedence by which roles are assigned. For more information about configuring
user roles and how user roles are assigned, see Chapter 7, “Configuring Roles
and Policies.
Wireless Client Access to the WLAN
Wireless clients communicate with the wired network and other wireless clients
through a WLAN in an Alcatel OmniAccess system. There are two phases to the
process by which a wireless client gains access to a WLAN in an Alcatel
OmniAccess system:
1. Association of the radio network interface card (NIC) in the PC with an AP, as
described by the IEEE 802.11 standard. This association allows data link
(Layer-2) connectivity.
2. Authentication of the wireless client before network access is allowed.
Association
APs send out beacons that contain the SSIDs of specific WLANs; the client can
select the network they want to join. Wireless clients can also send out probes to
locate a WLAN within range or to locate a specific SSID; APs within range of the
client respond. Along with the SSID, an AP also sends out the following
information:
Data rates supported by the WLAN. Clients can determine which WLAN to
associate with based on the supported data rate.
WLAN requirements for the client. For example, clients may need to use TKIP
for encrypting data transmitted on the WLAN.
The client determines which AP is best for connecting to the WLAN and attempts
to associate with it. It sends an association request to become a member of the
service set. During the association exchange, the client and WLAN Switch
negotiate the data rate, authentication method, and other options.
NOTE:Because an Alcatel AP is a “thin” AP, all wireless traffic it receives is
immediately sent through a GRE tunnel to the WLAN Switch. The WLAN
Switch responds to client requests and communicates with an
authentication server on behalf of the client. Therefore, the client
authentication and association processes occur between the wireless
client and the Alcatel WLAN Switch.
Overview of the Alcatel OmniAccess System
Chapter 1
40 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Authentication
Authentication provides a way to identify a client and provide appropriate access
to the network for that client. By default, all wireless clients in an Alcatel
OmniAccess system start in an initial user role and use an authentication method
to move to an identified, authenticated role. One or more authentication methods
may be used, ranging from secure authentication methods such as 802.1x, VPN,
and captive portal to less secure methods such as MAC address authentication.
NOTE:Client access to the network depends upon whether the Policy
Enforcement Firewall license is installed in the WLAN Switch and what
policies are configured. For example, if the Policy Enforcement Firewall
license is not installed, any authenticated client can connect to the
network. If the Policy Enforcement Firewall license is installed, the
policies associated with the user role that the client is given determine
the network access that the client is allowed. Subsequent chapters in
this manual demonstrate the configuration of user roles and policies.
802.1x Authentication
802.1x is an IEEE standard used for authenticating clients on any IEEE 802
network. It is an open authentication framework, allowing multiple authentication
protocols to operate within the framework. 802.1x operates as a Layer-2 protocol.
Successful 802.1x authentication must complete before any higher-layer
communication with the network, such as a DHCP exchange to obtain an IP
address, is allowed.
802.1x is key-generating, which means that the output of the authentication
process can be used to assign dynamic per-client encryption keys. While the
configuration of 802.1x authentication on the WLAN Switch is fairly simple,
802.1x can require significant work in configuring an external authentication
server and wireless client devices.
VPN
VPN technology has been in use for Internet-based remote access for many years
and client/server components are widely available. Generally, the VPN client is
installed on mobile devices and is used to provide secure communication with a
corporate network across a non-secure network such as the Internet. VPN
technology operates at Layer-3, which means that an IP address is required on
the client device before the VPN client can operate.
With VPN, the MAC and outer IP header information is transmitted cleartext,
while inner IP header and data are encrypted. Because the IP layer is unprotected,
some form of Layer-2 encryption (such as WEP) should be used on a wireless
network.
AOS-W 3.1 41
User Guide
Overview of the Alcatel OmniAccess System
Chapter 1
Captive Portal
Captive portal allows a wireless client to authenticate using a web-based portal.
Captive portals are typically used in public access wireless hotspots or for hotel
in-room Internet access. After a client associates to the wireless network, their
device is assigned an IP address. The client must start a web browser and pass
an authentication check before access to the network is granted.
Captive portal authentication is the simplest form of authentication to use and
requires no software installation or configuration on the client. The
username/password exchange is encrypted using standard SSL encryption.
However, portal authentication does not provide any form of encryption beyond
the authentication process; to ensure privacy of client data, some form of
link-layer encryption (such as WEP or WPA-PSK) should be used when sensitive
data will be sent over the wireless network.
MAC Address Authentication
MAC address authentication is the process of examining the MAC address of an
associated device, comparing it to an internal or RADIUS database, and changing
the user role to an authenticated state. MAC address authentication is not a
secure form of authentication as the MAC address of a network interface card
(NIC) can be changed in software. MAC address authentication is useful for
devices that cannot support a more secure form of authentication, such as
barcode scanners, voice handsets, or manufacturing instrumentation sensors.
User roles mapped to MAC address authentication should be linked to restrictive
policies to permit only the minimum required communication. Whenever possible,
WEP encryption should also be employed to prevent unauthorized devices from
joining the network.
Client Mobility and AP Association
When a wireless client associates with an AP, it retains the association for as long
as possible. Generally, a wireless client only drops the association if the number
of errors in data transmission is too high or the signal strength is too weak.
When a wireless client roams from one AP to another in an Alcatel OmniAccess
system, the WLAN Switch can automatically maintain the client’s authentication
and state information; the client only changes the radio that it uses. Clients do
not need to reauthenticate or reassociate. When a client roams between APs that
are connected to the same WLAN Switch, the client maintains its original IP
address and existing IP sessions.
You can also enable client mobility on all WLAN Switches in a master WLAN
Switch’s hierarchy. This allows clients to roam between APs that are connected
to different WLAN Switches without needing to reauthenticate or obtain a new IP
address. When a client associates with an AP, the client information is sent to the
master WLAN Switch. The master WLAN Switch pushes out the client
Overview of the Alcatel OmniAccess System
Chapter 1
42 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
information to all local WLAN Switches in its hierarchy. When a client roams to an
AP connected to a different WLAN Switch, the new WLAN Switch recognizes the
client and tunnels the client traffic back to the original WLAN Switch.
Configuring and Managing the Alcatel
OmniAccess System
There are several interfaces that you can use to configure and manage
components of the Alcatel OmniAccess system:
The Web User Interface (WebUI) allows you to configure and manage Alcatel
WLAN Switches. The WebUI is accessible through a standard Web browser
from a remote management console or workstation.
The command line interface (CLI) allows you to configure and manage Alcatel
WLAN Switches. The CLI is accessible from a local console connected to the
serial port on the WLAN Switch or through a Telnet or Secure Shell (SSH)
session from a remote management console or workstation.
NOTE:By default, you can only access the CLI from the serial port or from
an SSH session. To use the CLI in a Telnet session, you must
explicitly enable Telnet on the WLAN Switch.
The Alcatel Mobility Manager System is a suite of applications for monitoring
multiple master WLAN Switches and their related local WLAN Switches and
APs. Each application provides a Web-based user interface. The Alcatel
Mobility Manager System is available as an integrated appliance and as a
software application that runs on a dedicated system. See the Mobility
Manager User Guide for more information.
For more information about using these interfaces, see Chapter 18, “Configuring
Management Access.
Volume 2
Installing the
Alcatel
OmniAccess
System
AOS-W Version 3.1
44 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 45
User Guide
Deploying a Basic
OmniAccess System 2
This chapter describes how to connect an Alcatel WLAN Switch and Alcatel APs
to your wired network. After completing the tasks described in this chapter, you
can configure the APs as described in Volume 3.
This chapter describes the following topics:
“Configuration Overview” on page 46
“Configuring the Alcatel WLAN Switch” on page 50
“Deploying APs” on page 55
Additional Configuration” on page 59
Deploying a Basic OmniAccess System
Chapter 2
46 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Configuration Overview
This section describes typical deployment scenarios and the tasks you must
perform in connecting an Alcatel WLAN Switch and Alcatel APs to your wired
network.
Deployment Scenario #1
In this deployment scenario, the Alcatel APs and WLAN Switch are on the same
subnetwork and will use IP addresses assigned to the subnetwork. There are no
routers between the APs and the WLAN Switch. APs can be physically connected
directly to the WLAN Switch. The uplink port on the WLAN Switch is connected
to a layer-2 switch or router.
You must perform the following tasks:
1. Run the Initial Setup.
zSet the IP address of VLAN 1.
zSet the default gateway to the IP address of the interface of the upstream
router to which you will connect the WLAN Switch.
2. Connect the uplink port on the WLAN Switch to the switch or router
interface. By default, all ports on the WLAN Switch are access ports and will
carry traffic for a single VLAN.
3. Deploy APs. The APs will use the Alcatel Discovery Protocol (ADP) to locate
the WLAN Switch.
Configure the SSID(s) with VLAN 1 as the assigned VLAN for all users.
ROUTER IS DEFAULT GATEWAY
FOR WLAN SWITCH AND
CLIENTS
AOS-W 3.1 47
User Guide
Deploying a Basic OmniAccess System
Chapter 2
Deployment Scenario #2
In this deployment scenario, the Alcatel APs and the WLAN Switch are on
different subnetworks and the APs are on multiple subnetworks. The WLAN
Switch acts as a router for the wireless subnetworks (the WLAN Switch is the
default gateway for the wireless clients). The uplink port on the WLAN Switch is
connected to a layer-2 switch or router; this port is an access port in VLAN 1.
You must perform the following tasks:
1. Run the Initial Setup.
zSet the IP address for VLAN 1.
zSet the default gateway to the IP address of the interface of the upstream
router to which you will connect the WLAN Switch.
2. Connect the uplink port on the WLAN Switch to the switch or router
interface.
3. Deploy APs. The APs will use DNS or DHCP to locate the WLAN Switch.
4. Configure VLANs for the wireless subnetworks on the WLAN Switch.
5. Configure SSIDs with the VLANs assigned for each wireless subnetwork.
WLAN SWITCH IS
DEFAULT GATEWAY
FOR CLIENTS
FLOOR 3 SUBNET
FLOOR 2 SUBNET
FLOOR 1 SUBNET
DATA CENTER
Deploying a Basic OmniAccess System
Chapter 2
48 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
NOTE:Each wireless client VLAN must be configured on the WLAN Switch with
an IP address. On the uplink switch or router, you must configure static
routes for each client VLAN, with the WLAN Switch’s VLAN 1 IP address
as the next hop.
Deployment Scenario #3
In this deployment scenario, the Alcatel APs and the WLAN Switch are on
different subnetworks and the APs are on multiple subnetworks. There are
routers between the APs and the WLAN Switch. The WLAN Switch is connected
to a layer-2 switch or router through a trunk port that carries traffic for all wireless
client VLANs. An upstream router functions as the default gateway for the
wireless users.
NOTE:This deployment scenario does not use VLAN 1 to connect to the layer-2
switch or router through the trunk port. The Initial Setup prompts you for
the IP address and default gateway for VLAN 1; use the default values. In
later steps, you configure the appropriate VLAN to connect to the switch
or router as well as the default gateway.
TRUNK PORT
CARRIES CLIENT
TRAFFIC
FLOOR 3 SUBNET
FLOOR 2 SUBNET
FLOOR 1 SUBNET
DATA CENTER
ROUTER IS DEFAULT
GATEWAY FOR WLAN
SWITCH AND CLIENTS
AOS-W 3.1 49
User Guide
Deploying a Basic OmniAccess System
Chapter 2
You must perform the following tasks:
1. Run the Initial Setup.
zUse the default IP address for VLAN 1. Since VLAN 1 is not used to
connect to the layer-2 switch or router through the trunk port, you must
configure the appropriate VLAN in a later step.
zDo not specify a default gateway (use the default “none”). In a later step,
you configure the default gateway.
2. Create a VLAN that has the same VLAN ID as the VLAN on the switch or
router to which you will connect the WLAN Switch. Add the uplink port on
the WLAN Switch to this VLAN and configure the port as a trunk port.
3. Add client VLANs to the trunk port.
4. Configure the default gateway on the WLAN Switch. This gateway is the IP
address of the router to which you will connect the WLAN Switch.
5. Configure the loopback interface for the WLAN Switch.
6. Connect the uplink port on the WLAN Switch to the switch or router
interface.
7. Deploy APs. The APs will use DNS or DHCP to locate the WLAN Switch.
You would then configure VLANs on the WLAN Switch for the wireless client
subnetworks and configure SSIDs with the VLANs assigned for each wireless
subnetwork .
Deploying a Basic OmniAccess System
Chapter 2
50 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Configuring the Alcatel WLAN Switch
The tasks in deploying a basic Alcatel OmniAccess system fall into two main
areas:
Configuring and connecting the Alcatel WLAN Switch to the wired network
(described in this section)
Deploying Alcatel APs (described later in this section)
To connect the WLAN Switch to the wired network:
1. Run the Initial Setup to configure administrative information for the WLAN
Switch.
2. (Deployment #3) Configure a VLAN to connect the WLAN Switch to your
network. You do not need to perform this step if you are using VLAN 1 to
connect the WLAN Switch to the wired network.
3. Connect the ports on the WLAN Switch to your network.
4. (Optional) Configure a loopback address for the WLAN Switch. You do not
need to perform this step if you are using the VLAN 1 IP address as the WLAN
Switch’s IP address.
This section describes the steps in detail.
Run the Initial Setup
When you connect to the WLAN Switch for the first time using either a serial
console or a Web browser, the Initial Setup requires you to set the role (master or
local) for the WLAN Switch and passwords for administrator and configuration
access. The Initial Setup also requires that you specify the country code for the
country in which the WLAN Switch will operate; this sets the regulatory domain
for the radio frequencies that the APs use.
The Initial Setup requires that you configure an IP address for the VLAN 1
interface, which you can use to access and configure the WLAN Switch remotely
via an SSH or WebUI session. Configuring an IP address for the VLAN 1 interface
ensures that there is an IP address and default gateway assigned to the WLAN
Switch upon completion of the Initial Setup.
After you complete the Initial Setup, the WLAN Switch reboots using the new
configuration. See the Alcatel Quick Start Guide for information about using the
Initial Setup.
AOS-W 3.1 51
User Guide
Deploying a Basic OmniAccess System
Chapter 2
You can connect to and configure the WLAN Switch in several ways using the
administrator password you entered during the Initial Setup:
You can continue to use the connection to the serial port on the WLAN
Switch to enter the command line interface (CLI). (Refer to Chapter 18,
“Configuring Management Access,” for information on how to access the CLI
and enter configuration commands.)
You can connect an Ethernet cable from a PC to an Ethernet port on the
WLAN Switch. You can then use one of the following access methods:
zUse the VLAN 1 IP address to start an SSH session where you can enter
CLI commands.
zEnter the VLAN 1 IP address in a browser window to start the WebUI.
Configure a VLAN for Network Connection
You must follow the instructions in this section only if you need to configure a
trunk port between the Alcatel WLAN Switch and another layer-2 switch (shown
in “Deployment Scenario #3” on page 48).
This section shows how to use both the WebUI and CLI for the following
configurations (subsequent steps show how to use the WebUI only):
Create a VLAN on the WLAN Switch and assign it an IP address.
Assign to the VLAN the port(s) that you will use to connect the WLAN Switch
to the network. (For example, the uplink ports that you connect to a router are
usually Gigabit ports.) In the example configurations shown in this section, an
OmniAccess 4324 WLAN Switch is connected to the network through its
Gigabit Ethernet port 1/25.
Configure the port as a trunk port.
Configure a default gateway for the WLAN Switch.
Create the VLAN
The following configurations create VLAN 5 and assign it the IP address
10.3.22.20/24.
Using the WebUI to create the VLAN:
1. Click the Configuration tab in the menu bar. Under Network, click the VLANs
option.
NOTE:In the remainder of this manual, the instructions for reaching a
specific WebUI page are shortened to specify the sequence of tab or
page selections; for example, “Navigate to the Configuration >
Network > VLANs page.
2. Click Add to create a new VLAN.
Deploying a Basic OmniAccess System
Chapter 2
52 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
3. On the Add New VLAN screen, enter 5 for the VLAN ID and click Apply.
4. Navigate to the Configuration > Network > IP > IP Interfaces page on the
WebUI. Click Edit for the VLAN you just added. Select Use the following IP
address. Enter the IP address and network mask of the VLAN interface. If
required, you can also configure the address of the DHCP server for the VLAN
by clicking Add.
5. Click Apply to apply this configuration.
6. At the top of the page, click Save Configuration.
NOTE:In the WebUI configuration pages, clicking the Save Configuration
button saves configuration changes so they are retained after the
WLAN Switch is rebooted. Clicking the Apply button saves changes
to the running configuration but the changes are not retained when
the WLAN Switch is rebooted. A good practice is to use the Apply
button to save changes to the running configuration and, after
ensuring that the system operates as desired, click Save
Configuration.
Using the CLI to create the VLAN:
(alcatel)
User: admin
Password: *****
(alcatel) >enable
Password:******
(alcatel) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(alcatel) (config) #vlan 5
(alcatel) (config) #interface vlan 5
(alcatel) (config-subif)#ip address 10.3.22.20 255.255.255.0
(alcatel) (config-subif)#exit
(alcatel) (config) #write memory
Assign and Configure the Trunk Port
The following configuration configures a Gigabit Ethernet port as trunk port.
Using the WebUI to configure the trunk port:
1. Navigate to the Configuration > Network > Ports page on the WebUI.
2. In the Port Selection section, click the port that will connect the WLAN
Switch to the network. In this example, click port 25.
3. For Port Mode, select Trunk.
4. For Native VLAN, select VLAN 5 from the scrolling list, then click the <-- arrow.
5. Click Apply.
AOS-W 3.1 53
User Guide
Deploying a Basic OmniAccess System
Chapter 2
Using the CLI to configure the trunk port:
interface gigabitethernet 1/25
switchport mode trunk
switchport trunk native vlan 5
To confirm the port assignments, use the show vlan command:
(alcatel) (config) #show vlan
VLAN CONFIGURATION
------------------
VLAN Name Ports
---- ---- -----
1 Default Fa1/0-23 Gig1/24
5 VLAN0005 Gig1/25
Configure the Default Gateway
The following configurations assign a default gateway for the WLAN Switch.
Using the WebUI to configure the default gateway:
1. Navigate to the Configuration > Network > IP > IP Routes page.
2. In the Default Gateway field, enter 10.3.22.1.
3. Click Apply.
Using the CLI to configure the default gateway:
ip default-gateway 10.3.22.1
Connect the WLAN Switch to the Network
Connect the ports on the WLAN Switch to the appropriately-configured ports on
an L2 switch or router. Make sure that you have the correct cables and that the
port LEDs indicate proper connections. Refer to the Installation Guide for the
Alcatel WLAN Switch for port LED and cable descriptions.
NOTE:In many deployment scenarios, an external firewall is situated between
various Alcatel devices. Appendix B, “External Firewall Configuration”
describes the network ports that must be configured on the external
firewall to allow proper operation of the Alcatel network.
To verify that the WLAN Switch is accessible on the network:
If you are using VLAN 1 to connect the WLAN Switch to the network
(“Deployment Scenario #1” and “Deployment Scenario #2”), ping the VLAN 1
IP address from a workstation on the network.
Deploying a Basic OmniAccess System
Chapter 2
54 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
If you created and configured a new VLAN (“Deployment Scenario #3”), ping
the IP address of the new VLAN from a workstation on the network.
Configure the Loopback for the WLAN Switch
You must configure a loopback address if you are not using VLAN 1 to connect
the WLAN Switch to the network (see “Deployment Scenario #3” on page 48).
If configured, the loopback address is used as the WLAN Switch’s IP address. If
you do not configure a loopback address for the WLAN Switch, the IP address
assigned to VLAN 1 is used as the WLAN Switch’s IP address.
NOTE:After you configure or modify a loopback address, you must reboot the
WLAN Switch.
AOS-W allows the loopback address to be part of the IP address space assigned
to a VLAN interface. In the example topology, the VLAN 5 interface on the WLAN
Switch was previously configured with the IP address 10.3.22.20/24. The
loopback IP address in this example will be 10.3.22.220.
NOTE:You configure the loopback address as a host address with a 32-bit
netmask. The loopback address should be routable from all external
networks.
Using the WebUI to configure the loopback:
1. Navigate to the Configuration > Network > Switch > System Settings page.
2. Enter the IP address under Loopback Interface.
3. Click Apply at the bottom of the page (you might need to scroll down the
page).
4. At the top of the page, click Save Configuration.
You must reboot the WLAN Switch for the new IP address to take effect.
5. Navigate to the Maintenance > Switch > Reboot Switch page.
6. Click Continue.
Using the CLI to configure the loopback:
interface loopback ip address 10.3.22.220
To verify that the WLAN Switch is accessible on the network, ping the loopback
address from a workstation on the network.
AOS-W 3.1 55
User Guide
Deploying a Basic OmniAccess System
Chapter 2
Deploying APs
Alcatel APs and AMs are designed to require only minimal setup to make them
operational in an Alcatel OmniAccess system. Once APs have established
communication with the WLAN Switch, you can apply advanced configuration to
individual APs or groups of APs in the OmniAccess system using the WebUI on
the WLAN Switch.
You can deploy APs by doing the following steps:
1. Run the Java-based RF Plan tool to help position APs and import floorplans
for your installation.
2. Ensure that the APs can locate the WLAN Switch when they are connected to
the network. There are several ways in which APs can locate the WLAN
Switch.
3. Install the APs by connecting the AP to an Ethernet port. If power over
Ethernet (PoE) is not used, connect the AP to a power source.
4. On the WLAN Switch, configure the APs.
This section describes the steps.
Run Alcatel RF Plan
The Java-based RF Plan tool is an application that allows you to determine AP
placement based on your specified coverage and capacity requirements without
impacting the live network. For more information about using RF Plan, see the RF
Plan Installation and User Guide.
Enable APs to Connect to the WLAN Switch
Before you install APs in a network environment, you must ensure that the APs
will be able to locate and connect to the WLAN Switch when powered on.
Specifically, you must ensure the following:
When connected to the network, each AP is assigned a valid IP address
APs are able to locate the WLAN Switch
NOTE:Alcatel APs use Trivial File Transfer Protocol (TFTP) the first time they
boot to obtain their software image and configuration from the WLAN
Switch. After the initial boot, the APs use FTP to obtain software images
and configurations from the WLAN Switch.
In many deployment scenarios, an external firewall is situated between
various Alcatel devices. Appendix B, “External Firewall Configuration”
describes the network ports that must be configured on the external
firewall to allow proper operation of the Alcatel network.
Deploying a Basic OmniAccess System
Chapter 2
56 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Enable APs to Obtain IP Addresses
Each Alcatel AP requires a unique IP address on a subnetwork that has
connectivity to a WLAN Switch. Alcatel recommends using the Dynamic Host
Configuration Protocol (DHCP) to provide IP addresses for APs; the DHCP server
can be an existing network server or an Alcatel WLAN Switch configured as a
DHCP server.
You can use an existing DHCP server in the same subnetwork as the AP to
provide the AP with its IP information. You can also configure a device in the
same subnetwork to act as a relay agent for a DHCP server on a different
subnetwork. Refer to the vendor documentation for the DHCP Server or relay
agent for information.
If an AP is on the same subnetwork as the master WLAN Switch, you can
configure the WLAN Switch as a DHCP server to assign an IP address to the AP.
The WLAN Switch must be the only DHCP server for this subnetwork.
Using the WebUI to enable the DHCP server on the WLAN Switch:
1. Navigate to the Configuration > Network > IP > DHCP Server page.
2. Select the Enable DHCP Server checkbox.
3. In the Pool Configuration section, click Add.
4. Enter information about the subnetwork for which IP addresses are to be
assigned. Click Done.
5. If there are addresses that should not be assigned in the subnetwork:
A. Click Add in the Excluded Address Range section.
B. Enter the address range in the Add Excluded Address section.
C. Click Done.
6. Click Apply at the bottom of the page.
Using the CLI to enable the DHCP server on the WLAN Switch:
ip dhcp excluded-address ipaddr ipaddr2
ip dhcp pool name
default-router ipaddr
dns-server ipaddr
domain-name name
network ipaddr mask
AOS-W 3.1 57
User Guide
Deploying a Basic OmniAccess System
Chapter 2
Locate the WLAN Switch
An Alcatel AP can discover the IP address of the WLAN Switch in one of the
following ways:
From a DNS server
From a DHCP server
Using the Alcatel Discovery Protocol (ADP)
From a DNS Server
Alcatel APs are factory-configured to use the host name aruba-master for the
master WLAN Switch. For the DNS server to resolve this host name to the IP
address of the master WLAN Switch, you must configure an entry on the DNS
server for the name aruba-master.
For information on how to configure a host name entry on the DNS server, refer to
the vendor documentation for your server.
NOTE:Alcatel recommends using a DNS server to provide APs with the IP
address of the master WLAN Switch because it involves minimal changes
to the network and provides the greatest flexibility in the placement of
APs.
From a DHCP Server
You can configure a DHCP server to provide the master WLAN Switch’s IP
address. You must configure the DHCP server to send the WLAN Switch’s IP
address using the DHCP vendor-specific attribute option 43. Alcatel APs identify
themselves with a vendor class identifier set to ArubaAP in their DHCP request.
When the DHCP server responds to the request, it will send the WLAN Switch’s
IP address as the value of option 43.
For more information on how to configure vendor-specific information on a DHCP
server, see Appendix A, “Configuring DHCP with Vendor-Specific Options,” or
refer to the vendor documentation for your server.
Using the Alcatel Discovery Protocol (ADP)
ADP is enabled by default on all Alcatel APs and WLAN Switches. To use ADP, all
Alcatel APs and WLAN Switches must be connected to the same Layer-2
network. If the devices are on different networks, a Layer-3 compatible discovery
mechanism, such as DNS, DHCP, or IGMP forwarding, must be used instead.
With ADP, APs send out periodic multicast and broadcast queries to locate the
master WLAN Switch. You might need to perform additional network
configuration, depending on whether the APs are in the same broadcast domain
as the WLAN Switch:
If the APs are in the same broadcast domain as the master WLAN Switch, the
WLAN Switch automatically responds to the APs’ queries with its IP address.
Deploying a Basic OmniAccess System
Chapter 2
58 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
If the APs are not in the same broadcast domain as the master WLAN Switch,
you must enable multicast on the network (ADP multicast queries are sent to
the IP multicast group address 239.0.82.11) for the WLAN Switch to respond
to the APs’ queries. You also must make sure that all routers are configured
to listen for Internet Group Management Protocol (IGMP) join requests from
the WLAN Switch and can route these multicast packets.
To verify that ADP and IGMP join options are enabled on the WLAN Switch,
use the following CLI command:
(WLAN_Switch) #show adp config
ADP Configuration
-----------------
key value
--- -----
discovery enable
igmp-join enable
If ADP or IGMP join options are not enabled, use the following CLI
commands:
(WLAN_Switch) (config) #adp discovery enable
(WLAN_Switch) (config) #adp igmp-join enable
Install APs
Use the AP placement map generated by RF Plan to install APs. You can either
connect the AP directly to a port on the WLAN Switch, or connect the AP to
another switch or router that has layer-2 or layer-3 connectivity to the WLAN
Switch.
If the Ethernet port on the WLAN Switch is an 802.3af Power over Ethernet (PoE)
port, the AP automatically uses it to power up. If a PoE port is not available, you
must get an AC adapter for the AP from Alcatel. For more information, see the
Installation Guide for the specific AP.
Once an AP is connected to the network and powered up, it attempts to locate
the master WLAN Switch using one of the methods described in “Locate the
WLAN Switch” on page 57.
On the master WLAN Switch, you can view the APs that have connected to the
WLAN Switch in the WebUI. Navigate to the Configuration > Wireless > AP
Installation page. Figure 2-6 shows an example of this page.
AOS-W 3.1 59
User Guide
Deploying a Basic OmniAccess System
Chapter 2
FIGURE 2-6 APs Connected to WLAN Switch
Update RF Plan
After deploying APs, update the AP placement map in RF Plan. This allows more
accurate reconciliation of location tracking features provided by the Alcatel
OmniAccess system—for example, locating users, intruders, rogue APs and other
security threats, assets, and sources of RF interference—with the physical
environment.
Additional Configuration
After you have installed a basic Alcatel OmniAccess system, the Alcatel APs
advertise the default alcatel-ap SSID. Wireless users can connect to this SSID but
because you have not yet configured authentication, policies, or user roles, they
will not have access to the network. Other volumes in the AOS-W User Guide
describe how to build upon this basic deployment to configure user roles, firewall
policies, authentication, authentication servers, and other wireless features.
Chapter 5, “Configuring Access Points,” in the AOS-W User Guide describes how
to configure APs. The other volumes in the AOS-W User Guide provide more
information about configuring and using features of the Alcatel OmniAccess
system.
Deploying a Basic OmniAccess System
Chapter 2
60 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 61
User Guide
Configuring Network
Parameters 3
This chapter describes some basic network configuration on the Alcatel WLAN
Switch. This chapter describes the following topics:
“Configuring VLANs” on page 62
“Configuring Static Routes” on page 70
“Configuring the Loopback IP Address” on page 71
Configuring Network Parameters
Chapter 3
62 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Configuring VLANs
The Alcatel WLAN Switch operates as a layer-2 switch that uses a VLAN as a
broadcast domain. As a layer-2 switch, the WLAN Switch requires an external
router to route traffic between VLANs. The WLAN Switch can also operate as a
layer-3 switch that can route traffic between VLANs defined on the WLAN Switch.
You can configure one or more physical ports on the WLAN Switch to be
members of a VLAN. Additionally, each wireless client association constitutes a
connection to a virtual port on the WLAN Switch, with membership in a specified
VLAN. You can place all authenticated wireless users into a single VLAN or into
different VLANs, depending upon your network. VLANs can exist only inside the
Alcatel WLAN Switch or they can extend outside the WLAN Switch through
802.1q VLAN tagging.
You can optionally configure an IP address and netmask for a VLAN on the Alcatel
WLAN Switch. The IP address is up when at least one physical port in the VLAN is
up. The VLAN IP address can be used as a gateway by external devices; packets
directed to a VLAN IP address that are not destined for the WLAN Switch are
forwarded according to the Alcatel WLAN Switch’s IP routing table.
Using the WebUI to create or edit a VLAN:
1. Navigate to the Configuration > Network > VLANs page.
2. Click Add to create a new VLAN. (To edit an existing VLAN click Edit for the
VLAN entry.)
3. On the Add New VLAN screen, enter the VLAN ID.
4. To add physical ports to the VLAN, click the port in the Assign this VLAN to
Ports section.
5. Click Apply.
Using the CLI to create or edit a VLAN:
vlan <id>
interface fastethernet|gigabitethernet <slot>/<port>
switchport access vlan <id>
Configuring Ports
By default, a port carries traffic only for the VLAN to which it is assigned. You can
optionally configure a port to operate as a trunk port that can carry traffic for
multiple VLANs. A trunk port uses 802.1q tags to mark frames for specific VLANs.
AOS-W 3.1 63
User Guide
Configuring Network Parameters
Chapter 3
For a trunk port, you specify whether the port will carry traffic for all VLANs
configured on the WLAN Switch or for specific VLANs. You can also specify the
native VLAN for the port (frames on the native VLAN are not tagged).
Using the WebUI to configure ports:
1. Navigate to the Configuration > Network > Ports page.
2. In the Port Selection section, click the port you want to configure.
3. For Port Mode select Trunk.
4. To specify the native VLAN, select a VLAN from the drop-down list and click
the <-- arrow.
5. To allow the port to carry traffic for a specific set of VLANs, select Allowed
VLAN list. Select the VLAN(s) from the Allowed VLANs or Disallowed VLANs
drop-down list and click the <-- arrow.
6. Click Apply.
Using the CLI to configure ports
interface fastethernet|gigabitethernet <slot>/<port>
switchport mode trunk
switchport trunk native vlan <id>
switchport trunk allowed vlan <id>,<id>
VLAN Assignment
A client is assigned to a VLAN by one of several methods. There is an order of
precedence by which VLANs are assigned. The assignment of VLANs are (from
lowest to highest precedence):
1. The default VLAN is the VLAN configured for the virtual AP profile.
2. Before client authentication, the VLAN can be derived from rules based on
client attributes (SSID, BSSID, client MAC, location, and encryption type). A
rule that derives a specific VLAN takes precedence over a rule that derives a
user role that may have a VLAN configured for it.
3. After client authentication, the VLAN can be the VLAN configured for a default
role for an authentication method, such as 802.1x or VPN.
4. After client authentication, the VLAN can be derived from attributes returned
by the authentication server (server-derived rule). A rule that derives a specific
VLAN takes precedence over a rule that derives a user role that may have a
VLAN configured for it.
Configuring Network Parameters
Chapter 3
64 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
5. After client authentication, the VLAN can be derived from Microsoft Tunnel
attributes (Tunnel-Type, Tunnel Medium Type, and Tunnel Private Group ID).
All three attributes must be present. This does not require any server-derived
rule.
6. After client authentication, the VLAN can be derived from Vendor Specific
Attributes (VSA) for RADIUS server authentication. This does not require any
server-derived rule.
NOTE:If a VSA is present, it overrides any previous VLAN assignment.
Assigning a Static Address to a VLAN
You can manually assign a static IP address to a VLAN on the WLAN Switch. At
least one VLAN on the WLAN Switch must be assigned a static IP address.
Using the WebUI to Assign a Static Address to a VLAN:
1. Navigate to the Configuration > Network > IP > IP Interfaces page on the
WebUI. Click Edit for the VLAN you just added.
2. Select the Use the following IP address option. Enter the IP address and
network mask of the VLAN interface. If required, you can also configure the
address of the DHCP server for the VLAN by clicking Add.
3. Click Apply.
Using the CLI to Assign a Static Address to a VLAN:
interface vlan <id>
ip address <address> <netmask>
Configuring a VLAN to Receive a Dynamic
Address
A VLAN on the Alcatel WLAN Switch obtains its IP address in one of the following
ways:
Manually configured by the network administrator. This is the default method
and is described in Assigning a Static Address to a VLAN” on page 64. At
least one VLAN on the WLAN Switch must be assigned a static IP address.
Dynamically assigned from a Dynamic Host Configuration Protocol (DHCP) or
Point-to-Point Protocol over Ethernet (PPPoE) server. These methods are
described in the following section.
In a branch office, you can connect an Alcatel WLAN Switch to an uplink switch
or server that dynamically assigns IP addresses to connected devices. For
example, the WLAN Switch can be connected to a DSL or cable modem, or a
broadband remote access server (BRAS). Figure 3-7 shows a branch office where
AOS-W 3.1 65
User Guide
Configuring Network Parameters
Chapter 3
an Alcatel WLAN Switch connects to a cable modem. VLAN 1 has a static IP
address, while VLAN 2 has a dynamic IP address assigned via DHCP or PPPoE on
the uplink device. The DHCP server on the Alcatel WLAN Switch assigns IP
addresses to users on the local network from a configured pool of IP addresses.
FIGURE 3-7 IP Address Assignment to VLAN via DHCP or PPPoE
To allow the WLAN Switch to obtain a dynamic IP address for a VLAN:
Enable the DHCP or PPPoE client on the WLAN Switch for the VLAN.
The following restrictions apply when enabling the DHCP or PPPoE client on the
WLAN Switch:
You can enable the DHCP/PPPoE client on only one VLAN on the WLAN
Switch; this VLAN cannot be VLAN 1.
Only one port in the VLAN can be connected to the modem or uplink switch.
At least one interface in the VLAN must be in the up state before the
DHCP/PPPoE client requests an IP address from the server.
Only one VLAN on the WLAN Switch can obtain its IP address through DHCP
or PPPoE. You cannot enable both the DHCP and PPPoE client on the WLAN
Switch at the same time.
Enabling the DHCP Client
The DHCP server assigns an IP address for a specified amount of time called a
lease. The WLAN Switch automatically renews the lease before it expires. When
you shut down the VLAN, the DHCP lease is released.
Using the WebUI to Enable DHCP on a VLAN:
1. Navigate to the Configuration > Network > IP > IP Interfaces page.
2. Click Edit for a previously-created VLAN.
3. Select Obtain an IP address from DHCP.
4. Click Apply.
Using the CLI to Enable DHCP on a VLAN:
vlan <id>
VLAN 1 VLAN 2
T
O INTERNET
TO LOCAL
NETWORK
CABLE MODEM
OR BRAS
WLAN SWITCH
Configuring Network Parameters
Chapter 3
66 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
interface vlan <id>
ip address dhcp-client
Enabling the PPPoE Client
To authenticate to the BRAS and request a dynamic IP address, the WLAN Switch
must have the following configured:
PPPoE user name and password to connect to the DSL network
PPPoE service name — either an ISP name or a class of service configured on
the PPPoE server
When you shut down the VLAN, the PPPoE session terminates.
Using the WebUI to Enable the PPPoE Client on a VLAN:
1. Navigate to the Configuration > Network > IP > IP Interfaces page.
2. Click Edit for a previously-created VLAN.
3. Select Obtain an IP address with PPPoE.
4. Enter the service name, username, and password for the PPPoE session.
5. Click Apply.
Using the CLI to Enable the PPPoE Client on a VLAN:
ip pppoe-service-name <service-name>
ip pppoe-username <name>
ip pppoe-password <password>
vlan <vlan>
interface vlan <vlan>
ip address pppoe
Default Gateway from DHCP/PPPoE
You can specify that the router IP address obtained from the DHCP or PPPoE
server be used as the default gateway for the WLAN Switch.
Using the WebUI to Set a Default Gateway from DHCP/PPPoE:
1. Navigate to the Configuration > Network > IP > IP Routes page.
2. For Default Gateway, select (Obtain an IP address automatically).
3. Select Apply.
AOS-W 3.1 67
User Guide
Configuring Network Parameters
Chapter 3
Using the CLI to Set a Default Gateway from DHCP/PPPoE:
ip default-gateway import
DNS/WINS Server from DHPC/PPPoE
The DHCP or PPPoE server can also provide the IP address of a DNS server or
NetBIOS name server, which can be passed to wireless clients through the WLAN
Switch’s internal DHCP server.
For example, the following configures the DHCP server on the Alcatel WLAN
Switch to assign addresses to authenticated employees; the IP address of the
DNS server obtained by the WLAN Switch via DHCP/PPPoE is provided to clients
along with their IP address.
Using the WebUI to Configure the DNS/WINS Server:
1. Navigate to the Configuration > Network > IP > DHCP Server page.
2. Select Enable DCHP Server.
3. Under Pool Configuration, select Add.
4. For Pool Name, enter employee-pool.
5. For Default Router, enter 10.1.1.254.
6. For DNS Servers, select Import from DHCP/PPPoE.
7. For WINS Servers, select Import from DHCP/PPPoE.
8. For Network, enter 10.1.1.0 for IP Address and 255.255.255.0 for Netmask.
9. Click Done.
Using the CLI to Configure the DNS/WINS Server:
ip dhcp pool employee-pool
default-router 10.1.1.254
dns-server import
netbios-name-server import
network 10.1.1.0 255.255.255.0
Source NAT to Dynamic VLAN Address
When a VLAN interface obtains an IP address through DHCP or PPPoE, a NAT
pool (dynamic-srcnat) and a session ACL (dynamic-session-acl) are automatically
created which reference the dynamically-assigned IP addresses. This allows you
to configure policies that map private local addresses to the public address(es)
provided to the DHCP or PPPoE client. Whenever the IP address on the VLAN
changes, the dynamic NAT pool address also changes to match the new address.
Configuring Network Parameters
Chapter 3
68 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
For example, the following rules for a guest policy deny traffic to internal network
addresses. Traffic to other (external) destinations are source NATed to the
IP address of the DHCP/PPPoE client on the WLAN Switch.
Using the WebUI to Configure Source NAT to the Dynamic VLAN:
1. Navigate to the Configuration > Security > Access Control > Policies page.
Click Add to add the policy guest.
2. To add a rule, click Add.
A. For Source, select any.
B. For Destination, select network and enter 10.1.0.0 for Host IP and
255.255.0.0 for Mask.
C. For Service, select any.
D. For Action, select reject.
E. Click Add.
3. To add another rule, click Add.
A. Leave Source, Destination, and Service as any.
B. For Action, select src-nat.
C. For NAT Pool, select dynamic-srcnat.
D. Click Add.
4. Click Apply.
Using the CLI to Configure Source NAT to the Dynamic VLAN:
ip access-list session guest
any network 10.1.0.0 255.255.0.0 any deny
any any any src-nat pool dynamic-srcnat
Configuring Source NAT for VLAN Interfaces
The example configuration in the previous section illustrates how to configure
source NAT using a policy that is applied to a user role. You can also enable
source NAT for a VLAN interface to cause NAT to be performed on the source
address for all traffic that exits the VLAN.
Packets that exit the VLAN are given a source IP address of the “outside”
interface, which is determined by the following:
If you configure “private” IP addresses for the VLAN, the Alcatel WLAN
Switch is assumed to be the default gateway for the subnetwork. Packets
that exit the VLAN are given the IP address of the WLAN Switch for their
source IP address.
AOS-W 3.1 69
User Guide
Configuring Network Parameters
Chapter 3
If the WLAN Switch is forwarding the packets at Layer-3, packets that exit the
VLAN are given the IP address of the next-hop VLAN for their source IP
address.
Example Configuration
In the following example, the Alcatel WLAN Switch operates within an enterprise
network. VLAN 1 is the outside VLAN. Traffic from VLAN 6 is source NATed using
the IP address of the WLAN Switch. In this example, the IP address assigned to
VLAN 1 is used as the WLAN Switch’s IP address; thus traffic from VLAN 6 would
be source NATed to 66.1.131.5.
FIGURE 3-8 Example: Source NAT using WLAN Switch IP Address
Using the WebUI to Configure the Source NAT for a VLAN Interface:
1. Navigate to the Configuration > Network > VLANs page. Click Add to
configure VLAN 6 (VLAN 1 is configured through the Initial Setup).
A. Enter 6 for the VLAN ID.
B. Click Apply.
2. Navigate to the Configuration > Network > IP > IP Interfaces page.
3. Click Edit for VLAN 6:
A. Select Use the following IP address.
B. Enter 192.168.2.1 for the IP Address and 255.255.255.0 for the Net
Mask.
C. Select the Enable source NAT for this VLAN checkbox.
4. Click Apply.
Using the CLI to Configure the Source NAT for a VLAN Interface:
interface vlan 1
ip address 66.1.131.5 255.255.255.0
VLAN 1
VLAN 6
INSIDE OUTSIDE
PRIVATE IP ADDRESSES:
192.168.2.1/24
PUBLIC IP ADDRESSES:
66.1.131.5/24
Configuring Network Parameters
Chapter 3
70 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
interface vlan 6
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip default-gateway 66.1.131.1
Configuring Static Routes
To configure a static route (such as a default route) on the WLAN Switch, do the
following:
Using the WebUI to Configure a Static Route:
1. Navigate to the Configuration > Network > IP > IP Routes page.
2. Click Add to add a static route to a destination network or host. Enter the
destination IP address and network mask (255.255.255.255 for a host route)
and the next hop IP address.
3. Click Done to add the entry.
NOTE: The route has not yet been added to the routing table.
4. Click Apply to add this route to the routing table. The message
Configuration Updated Successfully confirms that the route has been
added.
Using the CLI to Configure a Static Route:
ip route <address> <netmask> <next_hop>
AOS-W 3.1 71
User Guide
Configuring Network Parameters
Chapter 3
Configuring the Loopback IP Address
The loopback IP address is a logical IP interface that is used by the WLAN Switch
to communicate with APs. If you do not configure a loopback address for the
WLAN Switch, the IP address of the lowest-numbered VLAN interface (typically
VLAN 1) is used as the WLAN Switch’s IP address.
The loopback address is used as the WLAN Switch’s IP address for terminating
VPN and GRE tunnels, originating requests to RADIUS servers, and accepting
administrative communications. You configure the loopback address as a host
address with a 32-bit netmask. The loopback address is not bound to any specific
interface and is operational at all times. To make use of this interface, ensure that
the IP address is reachable through one of the VLAN interfaces. It should be
routable from all external networks.
You can modify or delete the IP address of the loopback interface on the WLAN
Switch. However, you cannot delete the loopback address if there is no IP
address configured for the VLAN 1 interface. If you delete the loopback address
when there is no IP address configured for the VLAN 1 interface, you are
prompted for a new IP address for the VLAN 1 interface. You also cannot delete
the IP address for the VLAN 1 interface if there is no loopback address
configured; you will be prompted for a new loopback address.
NOTE:Any change in the WLAN Switch’s IP address requires a reboot.
Using the WebUI to Configure the Loopback IP Address:
1. Navigate to the Configuration > Network > Switch > System Settings page
on the WebUI.
2. Modify the loopback IP address in the Loopback Interface section on this
page as required. Click Apply to apply this configuration.
3. Navigate to the Maintenance > Switch > Reboot Switch page to reboot the
WLAN Switch to apply the change of loopback IP address.
4. Click Continue to save the configuration.
CAUTION:If you are using the loopback IP address to access the
WebUI, changing the loopback IP address will result in
loss of connectivity. Alcatel recommends that you use one
of the VLAN interface IP addresses to access the WebUI.
Configuring Network Parameters
Chapter 3
72 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
5. When prompted that the changes were written successfully to flash, click
OK.
6. The WLAN Switch boots up with the changed loopback IP address.
Using the CLI to Configure the Loopback IP Address:
interface loopback ip address <address>
write memory
Using the WebUI to reboot the WLAN Switch:
1. Navigate to the Maintenance > Switch > Reboot Switch page.
2. Click Continue.
3. After saving the current configuration, the WLAN Switch begins a countdown
before rebooting.
Using the CLI to reboot the WLAN Switch:
Enter the following command in Enable mode:
reload
AOS-W 3.1 73
User Guide
RF Plan 4
RF Plan is a wireless deployment modeling tool that enables you to design an
efficient Wireless Local Area Network (WLAN) for your corporate environment,
optimizing coverage and performance, and eliminating complicated WLAN
network setup.
This chapter describes the following topics:
“Overview” on page 74
“Before You Begin” on page 75
“Using RF Plan” on page 76
“RF Plan Example” on page 103
NOTE:A Java-based version of the RF Plan tool allows you to input the serial
number or MAC address of each AP. For information about using the
Java-based RF Plan tool, see the RF Plan Installation and User Guide.
RF Plan
Chapter 4
74 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Overview
RF Plan provides the following critical functionality:
Defines WLAN coverage.
Defines WLAN environment security coverage.
Assesses equipment requirements.
Optimizes radio resources.
RF Plan provides a view of each floor, allowing you to specify how Wi-Fi coverage
should be provided. RF Plan then provides coverage maps and AP and AM
placement locations.
Unlike other static site survey tools that require administrators to have intricate
knowledge of building materials and other potential radio frequency (RF) hazards,
RF Plan calibrates coverage in real-time through a sophisticated RF calibration
algorithm. This real-time calibration lets you characterize the indoor propagation
of RF signals to determine the best channel and transmission power settings for
each AP. You can program the calibration to occur automatically or you can
manually launch the calibration at any time to quickly adapt to changes in the
wireless environment.
AOS-W 3.1 75
User Guide
RF Plan
Chapter 4
Before You Begin
Before you use RF Plan, review the following steps to create a building model and
plan the WLAN for the model.
Task Overview
1. Gather information about your building’s dimensions and floor plan.
2. Determine the level of coverage you want for your APs and AMs.
3. Create a new building and add its dimensions.
4. Enter the parameters of your AP coverage.
5. Enter the parameters of your AM coverage.
6. Add floors to your building and import the floor plans.
7. Define special areas.
8. Generate suggested AP and AM tables by executing the AP/AM Plan
features.
Planning Requirements
You should collect the following information before using RF Plan. Having this
information readily available will expedite your planning efforts.
Building dimensions
Number of floors
Distance between floors
Number of users and number of users per AP
Radio type(s)
Overlap Factor
Desired data rates for APs
Desired monitoring rates for AMs
Areas of your building(s) that you do not necessarily want coverage
Areas of your building(s) where you do not want or cannot deploy an AP or
AM
Any area where you want to deploy a fixed AP or AM
RF Plan
Chapter 4
76 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Use the following worksheets to collect your information:
Using RF Plan
This section describes how to use RF Plan and how to enter information in RF
Plan pages.
To start RF Plan from the WebUI, click the Plan tab in the WebUI menu bar. When
you start RF Plan, the browser window shows the Campus List page.
Campus List Page
The Campus List is the first page you see when you start RF Plan. This list
contains a default campus and any campus you have defined using the RF Plan
software.
Building Dimensions
Height: Width:
Number of Floors:
User Information
Number of Users: Users per AP:
Radio Types:
Overlap Factor:
AP Desired Rates
802.11b|g: 802.11a:
AM Desired Rates
802.11b|g: 802.11a:
Don’t Care/Don’t Deploy Areas
AOS-W 3.1 77
User Guide
RF Plan
Chapter 4
You may add, edit, and delete campuses using this page. You may also import and
export campus information. This page includes the following buttons:
Campus List Buttons Description
New Campus Use this button to create a new campus.
Browse Campus Use this button to edit existing campuses in the
campus list. To edit a campus, select the checkbox
next to the campus name, then click Browse
Campus. When you edit a campus, you can access
other RF Plan pages.
Rename Campus Use this button to rename an existing campus in the
list. To rename a campus, select the checkbox next to
the campus name, then click Rename Campus.
A dialog box appears into which you enter the new
name of the campus. Click OK to accept the new
name, or click Cancel to exit this action.
Delete Campuses Use this button to delete existing campuses in the list.
To delete a campus, select the checkbox next to the
building ID, then click Delete Campuses.
You can only delete empty campuses. If you attempt
to delete a campus that contains one or more
buildings, an error message appears.
Export Use this button to export a database file with all the
specifications and background images of one or more
selected campuses in the list. See “Exporting and
Importing Files” on page 98.
RF Plan
Chapter 4
78 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Building List Page
When you edit a campus, the building list page appears.
You may add, edit, and delete buildings using this page. You may also import and
export building information. This page includes the following buttons:
Import Use this button to import database files that define
campuses into the RF Plan list. See “Exporting and
Importing Files” on page 98.
AP FQLN Mapper In RF Plan, the AP name can be a fully-qualified
location name (FQLN) in the format
APname.floor.building.campus (the APname portion
of the FQLN must be unique).
You can manually set the FQLN for the AP by clicking
the AP FQLN Mapper button. Setting the FQLN
reboots the APs. See “FQLN Mapper” on page 100.
Campus List Buttons Description
Building List Buttons Description
New Building Use this button to create a new building. When you
add or edit a building, you can access other RF Plan
pages.
Edit Building Use this button to edit existing buildings in the
building list. To edit a building, select the checkbox
next to the building ID, then click Edit Building. When
you add or edit a building, you can access other RF
Plan pages.
Delete Buildings Use this button to delete existing buildings in the
building list. To delete a building, select the checkbox
next to the building ID, then click Delete Building.
Export Use this button to export a database file with all the
specifications and background images of one or more
selected buildings in the building list. See “Exporting
and Importing Files” on page 98.
AOS-W 3.1 79
User Guide
RF Plan
Chapter 4
Building Specifications Overview Page
The Building Specification Overview page shows the default values for a building
that you are adding or the current values for a building that you are modifying.
The Overview page includes the following:
Building Dimensions: Your building’s name and dimensions
Access Point Modeling Parameters
Air Monitor Modeling Parameters
Building Dimension button (in the upper right-hand portion of the page). Click
on this button to edit the building dimensions settings.
Import Use this button to import database files that define
buildings into the RF Plan building list. See “Exporting
and Importing Files” on page 98.
Locate Use this button to locate Wi-Fi devices in a building.
See “Locate” on page 100.
AP FQLN Mapper In RF Plan, the AP name can be a fully-qualified
location name (FQLN) in the format
APname.floor.building.campus (the APname portion
of the FQLN must be unique).
You can manually set the FQLN for the AP by clicking
the AP FQLN Mapper button. Setting the FQLN
reboots the APs. See “FQLN Mapper” on page 100.
Building List Buttons Description
RF Plan
Chapter 4
80 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
When you create or edit information for a building, there are several ways you can
navigate through RF Plan pages:
The navigation pane on the left side of the browser window displays RF Plan
pages in the order in which they should be accessed when you are creating a
new building. If you are editing a building, simply click on the page you want
to display or modify.
A button for the next page appears in the upper right-hand portion of the
page. You can click on this button to display the next page. For example, the
Building Dimension button appears in the Building Specifications Overview
page.
Clicking Apply on editable pages sequences you to the next page. For
example, when you click Apply in the Building Dimensions page, the AP
Modeling Parameters page displays.
Building Dimension Page
The Building Dimension page allows you to specify the name and identification for
the building and its dimensions.
Enter the following information:
Parameter Description
Campus Name Select a campus for this building from the drop-down
menu.
Building Name The Building Name is an alphanumeric string up to 64
characters in length.
AOS-W 3.1 81
User Guide
RF Plan
Chapter 4
Width and Length Enter the rectangular exterior dimensions of the building.
The valid range for this field is any integer from 1 to a value
corresponding to 1x10,000.
If your building has an
irregular shape, the
width and length
should represent the
maximum width and
length of the overall
footprint of the
building as seen from
above. For example:
When width and
length are specified,
RF Plan creates a
rectangular area in
the Planning feature
pages that represent the overall area covered by the
building. You need to import an appropriate background
image (see “Floor Editor Dialog Box” on page 89.) to aid you
in defining areas that do not require coverage or areas in
which you do not wish to deploy APs and AMs (see “A r e a
Editor Dialog Box” on page 91).
Inter-Floor Height This is the distance between floor surfaces in the building.
The valid range for this field is any integer from 1 to a value
corresponding to 1x10,000.
RF Plan uses the inter-floor height to allow APs on one floor
to service users on adjacent floors. If you do not want RF
Plan to factor adjacent floors, select a high inter-floor height
value (for example, 300).
NOTE:This is not the distance from floor to ceiling. Some
buildings have a large space between the interior
ceilings and the floor above.
Parameter Description
RF Plan
Chapter 4
82 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AP Modeling Parameters Page
The AP Modeling Parameters page allows you to specify the information
necessary for RF Plan to determine the appropriate placement of your APs. These
settings are on a per-building basis. If you have a mix of APs, choose the most
common one to define the building parameters.
Floors Enter the number of floors in your building here.
The valid range for this field is any integer from 1 to 255. A
building can have a maximum of 255 floors.
You can also configure negative floor IDs. Negative floor IDs
let you allocate floors as sub floors, ground floors,
basements or other underground floors, or floors where you
do not need to deploy APs.
NOTE:In concert, RF Plan 2.0, MMS 2.0, and AOS-W 3.1
or later support the concept of negative floor IDs. If
your WLAN Switch is running AOS-W 2.5 or earlier,
or you are running RF Plan 1.0.x or MMS 1.0.x, you
cannot configure negative floor IDs.
You specify a negative integer when modifying an existing
floor; you do not configure negative floor settings when
adding a building or adding a floor. For more information,
see “Level” on page 89.
Unit Specify the unit of measurement for the dimensions you
specified on the page. The choices are feet and meters.
Parameter Description
AOS-W 3.1 83
User Guide
RF Plan
Chapter 4
Controls on this page allow you to select or control the following functions,
which are described in further detail in this section:.
Radio Type
Specify the radio type(s) of your APs using the pull-down Radio Type menu on the
Modeling Parameters page. Available Radio Type choices are:
Parameter Description
Radio Type Use this pull-down menu to specify the radio type. See
“Radio Type”.
AP Type Use this drop box to select the Alcatel AP model. The drop
box lists all of the supported AP types.
Design Model Use the Coverage, Capacity, and Custom radio buttons to
specify a design model to use in the placement of APs. See
“Design Model”.
Overlap Factor Use this field and pull-down to specify an overlap factor.
See “Overlap Factor”.
Users Use this field to specify the number of users on your WLAN.
See “Users”.
Rates Use this pull-down to specify the data rates desired on APs.
See “Rates”
APs Use this field to enter the fixed number of APs to be used in
this building’s network (Custom model only).
Parameter Description
801.11a 5GHz, Orthogonal Frequency Division Multiplexing (OFDM)
with data rates up to 54Mbps.
802.11b 2.4GHz, Direct Spread Spectrum (DSSS) multiplexing with
data rates up to 11Mbps.
802.11g 2.4GHZ, OFDM/CCK (Complementary Code Keying) with
data rates up to 54Mbps.
RF Plan
Chapter 4
84 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Design Model
Three radio buttons on the page allow you to control the kind of model used to
determine the number and type of APs:
The desired rate is selectable from 1 to 54 Mbps in both the Coverage and
Capacity models.
Overlap Factor
The Overlap Factor is the amount of signal area overlap when the APs are
operating. Overlap is important if an AP fails as it allows the network to self-heal
with adjacent APs powering up to assume some of the load from the failed
device. Although there may be no holes in coverage in this scenario, there is likely
to be a loss of throughput. Increasing the overlap allows for higher throughputs
when an AP has failed and allows for future capacity as the number of users
increases.
Radio
Button Description
Coverage Use this option to let RF Plan automatically determine the number
of APs based on desired data rates and the configuration of your
building.
The higher the data rate, the smaller the coverage area, and the
more APs that are required. Coverage is the most common type of
installation.
Capacity Use this option to let RF Plan determine the number of APs based
on the total number of users, ratio of users to APs, and desired
data rates.
Capacity-based coverage is useful for high capacity conference or
training rooms, where the APs could have a high volume of users.
Custom Use this option to specify a fixed number of APs.
Custom coverage is useful for deployments with a known number
of APs or if you have a fixed project budget.
AOS-W 3.1 85
User Guide
RF Plan
Chapter 4
You can select a pre-determined value from the pull-down overlap menu or
specify a value in the text box to the left of the pull-down. The following table
describes the available options.
Users
NOTE:The Users text boxes are active only when the Capacity model is
selected.
Enter the number of users you expect to have on your WLAN in the Users text
box. Enter the number of users per AP you expect in the Users/AP text box.
The numbers entered in the these two text boxes must be non-zero integers
between 1-255 inclusive.
Rates
Select the desired data rates from the pull-down menus for 802.11b/g and
802.11a.
High data transmission rates require an increased number of AP to be placed in
your building. You should carefully evaluate your users’ data rate needs.
AM Modeling Page
The AM Modeling page allows you to specify the information necessary for RF
Plan to determine the appropriate placement of your AMs.
NOTE:AM coverage rates refer to the rate at which an AM captures packets. RF
Plan uses that information to determine the placement of AMs.
Overlap
Factor Description
100%
Low
Use this option for buildings that contain open spaces such as
warehouses.
150%
Medium
Use this option for most typical office environments with cubicles
and sheetrock walls that have higher WLAN user density than
warehouses.
200%
High
Use this option for dense deployments such as buildings with poor
RF coverage characteristics including buildings with thick brick or
concrete walls, lots of metal, or excess RF noise (for example, data
centers).
Custom Use this option to enter a custom rate. For most office spaces,
120% works well.
When specifying the custom rate, the valid range is 1% to 1000%.
RF Plan
Chapter 4
86 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Controls on this page allow you to select the following functions, which are
described in more detail in this section:
Design Models
Two radio buttons on the page allow you to specify the model used to determine
the number and type of APs.
NOTE:The monitor rates you select for the AMs should be less than the data
rates you selected for the APs. If you set the rate for the AMs at a value
equal to that specified for the corresponding PHY type AP, RF Plan
allocates one AM per AP. If you specify a monitor rate greater than the
data rate, RF Plan allocates more than one AM per AP.
Radio Button Description
Design Model Use these radio buttons to specify a design model to use in the
placement of AMs. See “Design Models”.
Monitor Rates Use this pull-down menu to specify the desired monitor rate for
the AMs. See “Monitor Rates”.
AMs Use this field to manually specify the number of AMs to deploy
(Custom Model only).
Radio
Button Description
Coverage Use this option to let RF Plan automatically determine the number
of AMs based on desired monitor rates and the configuration of
the building.
Desired rate is selectable from 1 to 54 Mbps in the Coverage
model.
Custom Use this option to specify a fixed number of AMs. When the AM
Plan portion of RF Plan is executed, RF Plan distributes the AMs
evenly.
AOS-W 3.1 87
User Guide
RF Plan
Chapter 4
Monitor Rates
Use the drop down menus to select the desired monitor rates for 802.11b/g and
802.11a AMs.
NOTE:This option is available only when the coverage design model is selected.
Planning Floors Pages
The Planning Floors page enables you to see the footprint of your floors.
You can select or adjust the following features, which are described in more detail
in this section:
Feature Description
Zoom Use this pull-down menu or type a zoom factor in the
text field to increase or decrease the size of the
displayed floor area. See “Zoom”.
Approximate Coverage
Map (select radio type)
Use this pull-down to select a particular radio type for
which to show estimated coverage. See “Coverage”.
Coverage Rate Use this pull-down to modify the coverage areas
based on a different data rate. If a map type has not
been selected, this option is not applicable (N/A). See
“Coverage Rate.
RF Plan
Chapter 4
88 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Zoom
The Zoom control sets the viewing size of the floor image. It is adjustable in finite
views from 10% to 1000%. You may select a value from the pull-down zoom
menu or specify a value in the text box to the left of the pull-down. When you
specify a value, RF Plan adjusts the values in the pull-down to display a set of
values both above and below the value you typed in the text box.
Coverage
Select a radio type from the Coverage pull-down menu to view the approximate
coverage area for each of the APs that RF Plan has deployed in AP Plan or AM
Plan. Adjusting the Coverage values help you to understand how the AP coverage
works in your building.
Channel Use this pull-down to select a channel value to apply
to the selected map.
NOTE:The country code configured on your WLAN
Switch determines the available channel
options.
If a map type has not been selected, this option is not
applicable (N/A). See “Channel”
Edit Floor Click on this link to launch the Floor Editor dialog box.
See “Floor Editor Dialog Box” on page 89.
New in Areas section Click on this link to launch the Area Editor dialog box.
See Area Editor Dialog Box” on page 91.
New in Suggested
Access Points and Air
Monitors section
Click on this link to launch the Suggested Access
Point Editor dialog box. See Access Point Editor Page”
on page 92.
Feature Description
AOS-W 3.1 89
User Guide
RF Plan
Chapter 4
NOTE:You will not see coverage areas displayed here until you have executed
either an AP Plan or an AM Plan.
Coverage Rate
Adjusting the coverage rate also affects the size of the coverage areas for AMs.
Adjusting the rate values help you to understand how the coverage works in your
proposed building.
Channel
Select a channel from the Channel pull-down menu for transmitting and receiving
electromagnetic signals. Changing the country code causes the valid channel lists
to be reset to the defaults for that country.
Floor Editor Dialog Box
The Floor Editor dialog box allows you to modify the floor level, specify the
background image, and name the floor. The Floor Editor is accessible from the
Floors Page by clicking on the Edit Floor link.
Level
When modifying an existing floor, you can configure it with a negative integer to
specify a basement or some other underground floor that you do not need or
want to deploy APs.
RF Plan
Chapter 4
90 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
NOTE:In concert, RF Plan 2.0, MMS 2.0, and AOS-W 3.1 or later support the
concept of negative floor IDs. If your WLAN Switch is running AOS-W 2.5
or earlier, or you are running RF Plan 1.0.x or MMS 1.0.x, you cannot
configure negative floor IDs.
To configure a negative floor, specify a negative integer in the Level field. The valid
range is -100 to 255; however, a building can have a maximum of 255 floors.
Naming
You may name the floor anything you choose as long as the name is an
alphanumeric string with a maximum length of 64 characters. The name you
specify appears to the right of the Floor Number displayed above the background
image in the Planning view.
Background Images
You can import a background image (floor plan image) into RF Plan for each floor.
A background image is extremely helpful when specifying areas where coverage
is not desired or areas where an AP/AM is not to be physically deployed.
Use the guidelines in this section when importing background images. By
becoming familiar with these guidelines, you can ensure that your graphic file is
edited properly for pre- and post-deployment planning.
Edit the image—Use an appropriate graphics editor to edit the file as needed.
Scale the image—If the image is not scaled, proportional triangulation and
heat map displays can be incorrect when the plan is deployed.
Calculate image dimensions—Calculate the image pixels per feet (or meters)
against a known dimension. Use that value to calculate the width and length
of the image.
Leave a border around the image—When creating the image, leave a boarder
around the image to help triangulate Wi-Fi devices outside of the building.
Multiple floors—If your building has multiple floors, make sure there is a
common anchor point for all floors; for example an elevator shaft, a staircase,
and so on.
Larger dimensions—Use larger dimensions only for scaling to more accurately
calculate the full dimensions. For best results, final floor images 2048 X 2048
and smaller perform best.
Select a background image using the Browse button on the Floor Editor dialog
box.
File Type and Size
Background images must be JPEG format and may not exceed 2048 X 2048
pixels in size. Attempting to import a file with a larger pixel footprint than that
specified here results in the image not scaling to fit the image area in the floor
display area.
AOS-W 3.1 91
User Guide
RF Plan
Chapter 4
NOTE:Because background images for your floors are embedded in the
XML file that defines your building, you should strongly consider
minimizing the file size of the JPEGs that you use for your
backgrounds. You can minimize the file size by selecting the
maximum compression (lowest quality) in most graphics programs.
Image Scaling
Images are scaled (stretched) to fit the display area. The display area aspect
ratio is determined by the building dimensions specified on the Dimension
page.
Area Editor Dialog Box
The Area Editor dialog box allows you to specify areas on your buildings floors
where you either do not care about coverage, or where you do not want to place
an AP or AM.
Open the Area Editor dialog box by clicking New in the Areas section.
You specify these areas by placing them on top of the background image using
the Area Editor.
Naming
You may name an area using an alphanumeric string of characters with a
maximum length of 64 characters. You should give areas some meaningful name
so that they are easily identified.
Locating and Sizing
You may specify absolute coordinates for the lower left corner and upper right
corner of the box that represents the area you are defining. The datum for
measurement is the lower left corner of the rectangular display area that
represents your building’s footprint. The coordinates of the upper right-hand
corner of the display area are the absolute (no unit of measure) values of the
dimensions you gave your building when you defined it with the dimension
feature.
NOTE:The location is zero-based. Values range from 0 to (height - 1 and width -
1). For example: If you defined your building to be 200 feet wide and 400
feet long, the coordinates of the upper right-hand corner would be (199,
399).
RF Plan
Chapter 4
92 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
You may also use the drag and drop feature of the Area Editor to drag your area to
where you want it and resize it by dragging one or more of the handles displayed
in the corners of the area.
Don’t Care areas are displayed as orange rectangles and Don’t Deploy areas are
displayed as yellow
Access Point Editor Page
The Access Point Editor allows you to manually create or modify a suggested AP.
To create an AP, open the Access Point Editor dialog box by clicking New in the
Suggested Access Points and Air Monitors section.
To modify an existing AP, place the cursor over the AP and click it to display the
Suggested Access Point Editor dialog box.
Naming
RF Plan automatically names APs using the default convention ap number, where
number starts at 1 and increments by one for each new AP. When you manually
create an AP, the new AP is assigned the next number and is added to the bottom
of the suggested AP list.
You may name an AP anything you wish. The name must consist of alphanumeric
characters and be 64 characters or less in length.
AOS-W 3.1 93
User Guide
RF Plan
Chapter 4
Fixed
Fixed APs do not move when RF Plan executes the positioning algorithm.
NOTE:You might typically set a fixed AP when you have a specific room, such
as a conference room, in which you want saturated coverage. You might
also want to consider using a fixed AP when you have an area that has
an unusually high user density.
Choose Yes or No from the drop-down menu. Choosing Yes locks the position of
the AP as it is shown in the coordinate boxes of the Access Editor. Choosing No
allows RF Plan to move the AP as necessary to achieve best performance.
Radio Types
The Radio drop-down menu allows you to specify what radio mode the AP uses.
You can choose from one of the following:
802.11a/b/g
802.11a
802.1 b/g
X and Y Coordinates
The physical location of the AP is specified by X-Y coordinates that begin at the
lower left corner of the display area. The numbers you specify in the X and Y text
boxes are whole units. The Y-coordinate increases as a point moves up the
display and the X-coordinate increases as they move from left to right across the
display.
802.11 Types
The 802.11 b/g and 802.11a Type drop-down menus allow you to choose the
mode of operation for the AP. You may choose to set the mode of operation to
Access Point or Air Monitor.
RF Plan
Chapter 4
94 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
802.11 Channels
The 802.11a and 802.11b/g channel drop-down menus allow you to select from
the available channels.
NOTE:The available channels vary depending on the regulatory domain (country)
in which the device is being operated.
802.11a channels begin at channel 34 at a frequency of 5.170 MHz and increase
in 20MHz steps through channel 161 at 5.805 Mhz.
802.11b/g channels begin at 1 and are numbered consecutively through 14. The
frequencies begin at 2.412 MHz on channel 1 and increase in 22 MHz steps to
Channel 14 at 2.484 MHz.
802.11 Power Levels
The power level drop-down menus allow you to specify the transmission power
of the AP. Choices are OFF, 0, 1, 2, 3, and 4. A setting of 4 applies the maximum
Effective Isotropic Radiated Power (EIRP) allowed in the regulatory domain
(country) in which you are operating the AP.
Memo
The Memo text field allows you to enter notes regarding the AP. You can enter a
maximum of 256 alphanumeric characters in the Memo field.
AOS-W 3.1 95
User Guide
RF Plan
Chapter 4
AP Plan Page
The AP Plan page uses the information entered in the modeling pages to locate
APs in the building(s) you described.
Initialize
Initialize the Algorithm by clicking the Initialize button. This makes an initial
placement of the APs and prepares RF Plan for the task of determining the
optimum location for each of the APs. As soon as you click Initialize you see the
AP symbols appear on the floor plan.
Colored circles around the AP symbols on the floor plan indicate the approximate
coverage of the individual AP and the color of the circle represents the channel on
which the AP is operating. The circles appear when you select an approximate
coverage value on one of the Floors pages. You may also click an AP icon and
drag it to manually reposition it.
RF Plan
Chapter 4
96 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Start
Click Start to launch the optimizing algorithm. The AP symbols move on the page
as RF Plan finds the optimum location for each.
The process may take several minutes. You may watch the progress on the status
bar of your browser. The algorithm stops when the movement is less than a
threshold value calculated based on the number of APs. The threshold value may
be seen in the status bar at the bottom of the browser window.
Viewing the Results
The results of optimizing algorithm may be viewed two ways: graphically and in a
table of suggested APs. You may obtain information about a specific AP by
placing the cursor over its symbol. An information box appears that contains
information about the location, radio type, channel, power, and so on.
AOS-W 3.1 97
User Guide
RF Plan
Chapter 4
The Suggested Access Points and Air Monitors table lists the coordinates, power,
location, power setting, and channel for each of the APs that are shown in the
floor plan.
AM Plan Page
The AM Plan page calculates the optimum placement for the AMs.
Initialize
Initialize the Algorithm by clicking Initialize. This makes an initial placement of the
AMs and prepares RF Plan for the task of determining the optimum location for
each of the AMs. When you click Initialize, the AM symbols appear on the floor
plan.
Start
Click Start to launch the optimizing algorithm. The AM symbols move on the
page as RF Plan finds the optimum location for each.
The process may take several minutes. You may watch the progress on the status
bar of your browser. The algorithm stops when the movement is less than a
threshold value calculated based on the number of AMs. The threshold value may
be seen in the status bar at the bottom of the browser window.
Viewing the Results
Viewing the results of the AM Plan feature is similar to that for the AP Plan
feature.
The results of optimizing algorithm may be viewed two ways: graphically and in a
table of suggested AMs. You may obtain information about a specific AM by
placing the cursor over its symbol. An information box appears that contains
information about the exact location, PHY type, channel, power, and so on.
RF Plan
Chapter 4
98 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
The Suggested Access Points and Air Monitors table lists the coordinates, power,
location, power setting, and channel for each of the AMs that are shown in the
floor plan.
Exporting and Importing Files
Both the Campus List page and the Building List page have Export and Import
buttons, which allow you to export and import files that define the parameters of
your campus and buildings. You can export a file so that it may be imported into
and used to automatically configure an Alcatel WLAN Switch. On an Alcatel
WLAN Switch, you can import a file that has been exported from another WLAN
Switch or from the standalone version of RF Plan that runs as a Windows
application.
NOTE:The WebUI version of RF Plan only supports JPEG file formats for
background images.
The files that you export and import are XML files and, depending on how many
buildings are in your campus, floors are in your buildings, and how many
background images you have for your floors, the XML files may be quite large.
(See “Background Images” on page 90.)
Export Campus
To export a file that defines the parameters of one or more campuses, including all
of its associated buildings, select the campus(es) to be exported in the Campus
List page and then click Export.
AOS-W 3.1 99
User Guide
RF Plan
Chapter 4
After you click the Export button, you are prompted to include the background
images.
When exporting a campus file, Alcatel recommends that you click OK to export
the background images. If you click Cancel, the exported file does not include the
background images. The File Download window appears.
From the File Download window, click Save to save the file. The Save As dialog
box appears. From here, navigate to the location where want to save the file and
enter the name for the exported file. When naming your exported file, be sure to
give the file the .XML file extension, for example, My_Campus.XML.
Exported campus files include detailed information about the campus and the
selected building(s).
Import Campus
You can import only XML files exported from another Alcatel WLAN Switch or
from the standalone version of RF Plan that runs as a Windows application.
NOTE:Importing any other file, including XML files from other applications, may
result in unpredictable results.
To import a file that defines the building parameters of one or more campuses,
click the Import button in the Campus List page. The Import Buildings page
appears, as described in “Import Buildings Page” on page 100.
Export Buildings Page
To export a file that defines the parameters of one or more buildings, select the
building(s) to be exported in the Building List page and then click Export.
After you click the Export button, you are prompted to include the background
images.
When exporting a building file, Alcatel recommends that you click OK to export
the background images. If you click Cancel, the exported file does not include the
background images. The File Download window appears.
RF Plan
Chapter 4
100 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
From the File Download window, click Save to save the file. The Save As dialog
box appears. From here, navigate to the location where want to save the file and
enter the name for the exported file. When naming your exported file, be sure to
give the file the .XML file extension, for example, My_Building.XML.
Exported building files include the name of the campus to which the building
belongs; however, detailed campus parameters are not included.
Import Buildings Page
You can import only XML files exported from another Alcatel WLAN Switch or
from the standalone version of RF Plan that runs as a Windows application.
NOTE:Importing any other file, including XML files from other applications, may
result in unpredictable results.
To import a file that defines the parameters of one or more buildings, click the
Import button in the Building List page.
In the Import Buildings page, click Browse to select the file to be imported, then
click the Import button.
Locate
The Locate button on the Building List page allows you to search for APs, AMs,
monitored clients, etc. on a building by building basis. To use this feature, select
the building in which you want to search, and click Locate.
The Target Devices table displays information on each of these devices. To add a
device, click Add Device. To delete a device, click Remove Device. To select a device,
click Choose Devices.
FQLN Mapper
Both the Campus List page and the Building List page have the AP FQLN Mapper
button, which allows you to create a fully-qualified location name (FQLN) for the
specified AP/AM in the format APname.Floor.Building.Campus. This format
replaces the AP location ID format used in AOS-W 2.5 and earlier.
NOTE:If the AP was provisioned with AOS-W 3.1 or later, the FQLN for the AP is
automatically set.
AOS-W 3.1 101
User Guide
RF Plan
Chapter 4
You can use the FQLN mapper for multiple purposes, including:
Searching for deployed APs/AMs
Configuring the AP name in the form APname.Floor.Building.Campus
Modifying the location of APs
To use this feature, select one or more campuses from the Campus List page, or
one or more buildings from the Building List page, and click AP FQLN Mapper.
The AP FQLN Mapper page appears. From here, you can search for deployed APs
by entering one or more parameters in the Search fields, view the results in the
Search Results table, configure the FQLN, and modify the location of an AP.
To search for deployed APs, enter information in the Search fields and click
Search.
You can perform a search based on one or more of the following AP properties:
Use the drop-down list to the right of the Number of results per page to specify
the number of APs to display in the search results.
Property Description
AP Name Logical name of the AP or AM. You can enter a portion of
the name to widen the search.
Wired MAC MAC address of the AP or AM. You can enter a portion of
the MAC address to widen the search.
IP Address IP address of the AP or AM. You can enter a portion of
the IP address to widen the search.
FQLN Fully-qualified location name of the AP, in the form
APname.floor.building.campus. You can enter a portion of
the FQLN to widen the search.
Serial Number Serial number of the AP. You can enter a portion of the
serial number to widen the search.
Status Current state of the AP, including Up/Down/Any.
RF Plan
Chapter 4
102 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
After entering the search criteria, you can either click Reset to clear the entries or
click Search to search for APs. If you click Search, the results are displayed in the
Search Result table, as shown below:
You can view the information in ascending or descending order. By default, the
display is in ascending order, based on the AP name (the white arrow indicates
the row that is being used to sort the information). Left-click on a column head to
view the information in ascending or descending order (you may need to click
multiple times to get the desired display.)
In addition to displaying AP names, wired MAC addresses, serial numbers, IP
addresses, FQLNs, and AP status, the Search Result table also displays the AP
type and when it was last updating.
From here you can modify the attributes that create the FQLN for the selected AP,
using the following drop-down lists:
Campus—Displays the campus where the AP is deployed. To deploy the AP in
a different campus, select a campus form the drop-down list. The Campus
defines the buildings and floors displayed.
NOTE:This drop-down list only displays the existing campuses that you are
managing. To add a new campus, see “Campus List Page” on
page 76.
Building—Displays the building where the AP is deployed. To deploy the AP in
a different building, select a building from the drop-down list.
NOTE:This drop-down list only displays the available buildings in the
selected campus. To add a new building, see “Building List Page” on
page 78.
Floor—Displays the floor where the AP is deployed. To deploy the AP on a
different floor, select a floor from the drop-down list.
NOTE:This drop-down lists only displays the available floors in the selected
building. To add a new floor, see “Planning Floors Pages” on page 87.
To submit your changes, click Set FQLN. Setting the FQLN reboots the APs.
AOS-W 3.1 103
User Guide
RF Plan
Chapter 4
RF Plan Example
This section guides you through the process of creating a building and populating
it with APs and AMs using RF Plan.
NOTE:Before you begin, obtain a JPEG file that you can use as a sample
background image. You will use that image when you complete the steps
described in Add and Edit a Floor” on page 106.
Sample Building
The following planning table shows the information to be used in this example.
Building Dimensions
Height: 100 Width: 100
Number of Floors: 2
User Information
Number of Users: Users per AP: N/A
Radio Types: a, b, g
Overlap Factor: Medium (150%)
AP Desired Rates
802.11b|g: 48 Mbps 802.11a: 48 Mbps
AM Desired Rates
802.11b|g: 24 802.11a: 24
Don’t Care/Deploy Areas
Shipping & Receiving = Don’t Care
Lobby = Don’t Deploy
RF Plan
Chapter 4
104 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Create a Building
In this section you create a building using the information supplied in the planning
table.
1. In the Campus List, select New Campus. Enter the name My Campus and
click OK.
2. In the Campus List, select the checkbox next to My Campus, and click
Browse Campus.
3. Click New Building.
The Overview page appears.
4. Click Save.
A dialog box appears that indicates the new building was saved successfully.
Click OK to close the dialog box.
5. Click Building Dimension.
The Specification page appears.
6. Enter the following information in the text boxes.
Text Box Information
Campus Name My Campus
(The name is automatically populated based on
what you entered in step 1.)
Building Name My Building
Width 100
Length 100
Inter Floor Height 20
Units Feet
Floors 2
AOS-W 3.1 105
User Guide
RF Plan
Chapter 4
7. Click Save.
A dialog box appears that indicates the building data was saved successfully.
Click OK to close the dialog box.
8. Click Apply.
Notice that when you click Apply, RF Plan automatically moves to the next
page in the list. In this case RF Plan moves to the AP Modeling Parameters
page.
Model the Access Points
You now determine how many APs are required to cover your building with a
specified data transfer rate and overlap.
In this example, you use the Coverage Model. The following are assumed about
the performance of the WLAN:
Radio Types: a/b/g
Overlap factor: Medium (150%)
802.11a desired rate: 48 Mbps
802.11b desired rate: 48 Mbps
1. Select 801.11 a|b|g from the Radio Type drop-down menu.
2. Select Medium from the Overlap Factor drop-down menu.
Notice that the percentage show at the left of the drop-down menu changes
to 150%.
3. Select 48 from the 802.11 b|g Desired Rate drop-down menu.
4. Select 48 from the 801.11 a Desired Rate drop-down menu.
Notice that the number of required APs has changed to 5.
RF Plan
Chapter 4
106 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
5. Click Save, then OK.
6. Click Apply.
RF Plan moves to the AM Modeling Parameters page.
Model the Air Monitors
You now determine how many AMs are required to provide a specified monitoring
rate. In this example you continue to use the Coverage Model and make the
following assumptions:
802.11 b|g monitor rate: 48 Mbps
802.11 a monitor rate: 48 Mbps
1. Select 24 from the 802.11 b|g Monitor Rate drop-down menu.
2. Select 24 from the 802.11 a Monitor Rate drop-down menu.
Notice that the number of required AMs is now 2.
3. Click Save, then OK.
4. Click Apply.
RF Plan moves to the Planning page.
Add and Edit a Floor
You now add floor plans to your floors. In this section you:
Add a background image floor plan for each floor
Name the floors
NOTE:The information in this section assumes that you have a JPEG file that
you can use as a sample background image when re-creating the steps.
AOS-W 3.1 107
User Guide
RF Plan
Chapter 4
To add the background image and name the first floor:
1. In the Planning page, click the Edit Floor link at the right of the Floor 1
indicator.
2. Enter Entrance Level in the Name box of the Floor Editor Dialog.
3. Use the Browse button to locate the background image for the 1st floor.
4. Click Apply.
To add the background image and name the second floor:
1. Click the Edit Floor link at the right of the Floor 2 indicator.
2. Ty p e Second Level in the Name box of the Floor Editor Dialog.
3. Use the Browse button to locate the background image for the 2nd floor.
4. Click Apply.
5. Click Save on the Planning page, then OK.
Defining Areas
Before you advance to the AP and AM Planning pages you want to define special
areas. In this section you define areas where you do not want to physically deploy
an AP, or where you do not care if there is coverage or not.
RF Plan
Chapter 4
108 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
This step assumes the following:
We do not care if we have coverage in the Shipping and Receiving areas
We do not want to deploy APs or AMs in the Lobby Area
Create a Don’t Care Area
To create a Don’t Care area:
1. Click on AP Plan in the Feature Tree at the left side of the browser window.
NOTE:You can zoom in on the floor plan using the Zoom pull-down near the
top of the AP Planning page, or type a zoom value in the text box at
the left of the pull-down and press the enter key on your keyboard.
For example, enter a zoom factor of 400.
2. In the Planning page, click the New link in the Areas section under Floor 1
(named Entrance Level).
This opens the Area Editor.
3. Enter Shipping and Receiving in the Name text box in the Area Editor.
4. Select Don’t Care from the Type pull-down menu box.
5. Click Apply.
Notice that an orange box appears near the center of the floor plan.
6. Use your mouse (or other pointing device) to place the cursor over the box.
Notice that the information you typed in the editor appears in the box. You
see the name and type of area, as well as the coordinates of the lower left
corner and upper right corner of the box.
NOTE:The x = 0 and y = 0 coordinates correspond to the lower left corner of
the layout space.
7. Using your mouse, left-click and drag the box to the top area of your floor
plan.
In this example, the JPEG file has an area named Shipping and Receiving that
will be used to assist in positioning the Don’t Care box.
8. To position the Don’t Care box, drag one corner of the box to a corresponding
corner and using one of the corner handles of the box, stretch it to fit.
You can also position the box by entering values in the Left, Bottom, Right,
and To p fields.
NOTE:Whether you stretch the box to fit, or enter values, use the following
dimensions:
Left—11, Bottom—75, Right—90, Top—96
AOS-W 3.1 109
User Guide
RF Plan
Chapter 4
In this example, the Don’t Care box for Shipping and Receiving has been
stretched to fit exactly over the Shipping and Receiving area as shown:
9. Click Save, then OK.
Create a Don’t Deploy Area
To create a Don’t Deploy area:
1. Click the New link in the Areas section under Floor 1 (named Entrance Level)
to open the Area Editor.
2. Enter Lobby in the Name text box in the Area Editor.
3. Select Don’t Deploy from the Type pull-down menu box.
4. Click Apply.
Notice that an yellow box appears near the center of the floor plan.
5. Use your mouse (or other pointing device) to place the cursor over the box.
Notice that the information you typed in the editor appears in the box. You
see the name and type of area, as well as the coordinates of the lower left
corner and upper right corner of the box.
NOTE:The x = 0 and y = 0 coordinates correspond to the lower left corner of
the layout space.
6. Using your mouse, left-click and drag the box to the lower area of your floor
plan.
In this example, the JPEG file has an area named Lobby that will be used to
assist in positioning the Don’t Deploy box.
7. To position the Don’t Deploy box, drag one corner of the box to a
corresponding corner and using one of the corner handles of the box, stretch
it to fit.
RF Plan
Chapter 4
110 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
You can also position the box by entering values in the Left, Bottom, Right,
and To p fields.
NOTE:Whether you stretch the box to fit, or enter values, use the following
dimensions:
Left—39, Bottom—3, Right—60, Top—12
In this example, the Don’t Deploy box for the Lobby has been stretched to fit
exactly over the Lobby area as shown:
8. Click Save, then OK.
9. When you are finished defining area in the Floors page, click AP Planning to
advance to the next step in the process (the AP Plan page).
Running the AP Plan
In this section you run the algorithm that searches for the best place to put the
APs.
You might want to zoom in on the floor plan. Zoom using the Zoom pull-down
near the top of the AP Planning page, or type a zoom factor in the text box at the
left of the pull-down and press the enter key on your keyboard.
Try entering a zoom factor of 400.
AOS-W 3.1 111
User Guide
RF Plan
Chapter 4
Notice that the number of required APs is 5, the same value that you saw when
you modeled your APs above. Notice also that none of the APs show on the floor
plan yet.
1. Click Initialize.
You should see a total of five AP symbols appear on the two floor diagrams:
two on Floor 1 and three on Floor 2. Also notice that the Suggested Access
Points tables below each floor diagram have been populated with information
about the suggested APs for each corresponding floor.
2. Click Start.
After you Initialize the APs you must start the algorithm. The APs move
around on the floor plans as the algorithm is running.
The algorithm stops when the movement is less than a threshold value
calculated based on the number of APs. The threshold value may be seen in
the status bar at the bottom of the browser window.
NOTE:To see the approximate coverage areas of each of the APs, select an AP
type from the Approx. Coverage pull-down box and select a rate from
the Coverage Rate pull-down box.
3. Click Save, then OK.
4. Click AM Planning to advance to the next step in the process (the AM
Planning page).
RF Plan
Chapter 4
112 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Running the AM Plan
Running the AM Plan algorithm is similar to running the AP Plan.
1. Click Initialize then Start.
The algorithm stops when the movement is less than a threshold value
calculated based on the number of AMs. The threshold value may be seen in
the status bar at the bottom of the browser window.
2. Click Save, then OK.
Volume 3
Configuring APs
AOS-W Version 3.1
114 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 115
User Guide
Configuring Access Points 5
When an Alcatel AP is powered on, it locates its host WLAN Switch to download
its software and configuration. There are several methods by which APs can
locate the WLAN Switch. Chapter 2, “Deploying a Basic OmniAccess System”
describes how to install and configure the WLAN Switch and ensure that network
resources (for example, a DNS server) are set up so that the deployed APs can
locate their host WLAN Switch.
NOTE:In a network with a master and local WLAN Switches, an AP will initially
connect to the master WLAN Switch. The AP can be instructed to
download its software and configuration from a local WLAN Switch
see Chapter 14, “Adding Local WLAN Switches” for more information.
This chapter describes how to configure Alcatel APs on the WLAN Switch. The
APs will download this configuration from the WLAN Switch.
This chapter describes the following topics:
AP Configuration Overview” on page 116
“Configuring Profiles” on page 121
“Example Configurations” on page 126
Advanced Configuration Options” on page 135
Configuring Access Points
Chapter 5
116 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AP Configuration Overview
You configure APs on the WLAN Switch using either the WebUI or CLI. The AP
configuration can include information for any and all of the following functions:
AP Names and Groups
In the Alcatel OmniAccess system, each AP has a unique name and belongs to an
AP group.
AP Names
Each Alcatel AP is identified with an automatically-derived name. The default
name depends on whether the AP has been configured with a previous version of
AOS-W, as shown in Ta b l e 5 - 3 .
Wireless LANs A wireless LAN (WLAN) allows wireless clients to connect
to the network. An AP broadcasts to wireless clients the
SSID that corresponds to a WLAN configured on the WLAN
Switch. (An Alcatel AP can support multiple SSIDs.) The
WLAN configuration includes the authentication method
and authentication servers by which wireless users are
validated for access to the WLAN.
AP operation An Alcatel AP can function as an air monitor (AM), where it
performs network and radio frequency (RF) monitoring
functions. You can also specify the regulatory domain (the
country) which determines the 802.11 transmission
spectrum in which the AP will operate. Within the regulated
transmission spectrum, you can configure 802.11a or
802.11b/g radio settings.
Quality of Service
(QoS)
You can configure Voice over IP call admission control
options and bandwidth allocation for 802.11a or 802.11b/g
traffic.
RF management You can configure settings for balancing wireless traffic
across APs, detection of holes in radio coverage, and other
metrics that can indicate interference or potential problems
on the wireless network. Adaptive Radio Management
(ARM) is an RF spectrum management technology that
allows each AP to determine the best 802.11 channel and
transmit power settings; you can enable and configure
various ARM settings.
Intrusion Detection
System (IDS)
You can configure the device to detect and disable rogue
APs, ad-hoc networks, and unauthorized devices, and
prevent attacks on the network. You can also configure
signatures to detect and prevent intrusions and attacks.
AOS-W 3.1 117
User Guide
Configuring Access Points
Chapter 5
You can assign a new name of up to 63 characters to an AP, although the new
name must be unique within your network. For example, you can rename an AP
to reflect its physical location within your network, such as “building3-lobby”.
NOTE:Renaming an AP requires a reboot of the AP for the new name to take
effect. Therefore, if you need to do this, there should be little or no client
traffic passing through the AP.
In RF Plan or RF Live, the AP name can be part of a fully-qualified location name
(FQLN) in the format APname.floor.building.campus. The APname portion of the
FQLN must be unique.
Using the WebUI to rename an AP:
3. Navigate to the Configuration > Wireless> AP Installation page. The list of
discovered APs appears in this page.
4. Select the AP you want to rename, and click Provision.
5. In the Provisioning page, scroll to the AP list at the bottom of the page and
find the AP you want to rename.
6. In the AP Name field, enter the new name for the AP, for example,
building3-lobby.
NOTE:The AP name you enter must be unique within your network.
7. At the bottom of the page, click Apply and Reboot.
Using the CLI to rename an AP:
NOTE:You can execute the following enable mode command only on a master
WLAN Switch. Executing the command causes the AP to automatically
reboot.
ap-rename {ap-name <name>|serial-num <number>|wired-mac <macaddr>}
<new-name>
TABLE 5-3 Default AP Names
AP Configuration Status Default Name
Configured with previous
AOS-W release
Name is in the format building.floor.location
Has not previously been
configured with AOS-W
Name is the AP’s Ethernet MAC address, in
the format xx:xx:xx:xx:xx:xx
Configuring Access Points
Chapter 5
118 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
If an AP is recognized by the WLAN Switch but is powered off or not connected
to the network or WLAN Switch when you execute the command, the request is
queued until the AP is powered back on or reconnected.
AP Groups
An AP group is a set of APs to which the same configuration can be applied.
There is an AP group called “default” to which all APs discovered by the WLAN
Switch are assigned. By using the “default” AP group, you can configure features
that are applied globally to all APs at the same time.
You can create additional AP groups to which you assign APs. However, an AP
can belong to only one AP group at a time. For example, you can create an AP
group “Victoria” that consists of the APs that are installed in a company’s
location in British Columbia. You can create another AP group “Toronto” that
consists of the APs in Ontario. You could configure the “Toronto” AP group with
different information than the APs in the “Victoria” AP group.
Figure 5-9 depicts three AP groups.
FIGURE 5-9 AP Groups
While you can use an AP group to apply a feature to a set of APs, you can also
configure a feature or option for a specific AP by referencing the AP name. Any
options or values that you configure for a specific AP override the same options
or values configured for the AP group to which the AP belongs. This is explained
in more detail in a later section.
The following section describes how to create an AP group and, because all
discovered APs initially belong to the “default” AP group, how to reassign an AP
to the newly-created AP group.
DEFAULT” AP GROUP “TORONTO” AP GROUP“VICTORIA” AP GROUP
NOTE: AN AP CAN BELONG TO
ONLY ONE AP GROUP AT A TIME.
AOS-W 3.1 119
User Guide
Configuring Access Points
Chapter 5
NOTE:Reassigning an AP from an AP group requires a reboot of the AP for the
new group assignment to take effect. Therefore, if you need to do this,
there should be little or no client traffic passing through the AP.
Using the WebUI to create an AP group:
1. Navigate to the Configuration > Wireless> AP Configuration > AP Group
page.
2. Click New. Enter the new AP group name and click Add. The new AP group
name appears in the Profile list.
Using the WebUI to assign APs to an AP group:
1. Navigate to the Configuration > Wireless> AP Installation page. The list of
discovered APs appears in this page. (All discovered APs initially belong to
the “default” AP group.)
2. Select the AP you want to reassign, and click Provision.
3. In the Provisioning page, select the AP group from the drop-down menu.
4. Scroll to the bottom of the page and click Apply and Reboot.
Using the CLI to create an AP group:
Use the following configuration command to create an AP group:
ap-group <group>
When you create an AP group with the CLI, you can specify the virtual AP
definitions and configuration profiles that are applied to the APs in the group.
Enter exit to leave the AP group configuration mode.
Using the CLI to assign an AP to an AP group:
Use the following CLI enable mode command to assign a single AP to an existing
AP group. Use the WebUI to assign multiple APs to an AP group at the same time.
NOTE:You can execute the following enable mode command only on a master
WLAN Switch. Executing the command causes the AP to automatically
reboot.
ap-regroup {ap-name <name>|serial-num <number>|wired-mac <macaddr>} <group>
If an AP is recognized by the WLAN Switch but is powered off or not connected
to the network or WLAN Switch when you execute the command, the request is
queued until the AP is powered back on or reconnected.
Configuring Access Points
Chapter 5
120 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Virtual APs
APs advertise WLANs to wireless clients by sending out beacons and probe
responses that contain the WLAN’s SSID and supported authentication and data
rates. When a wireless client associates to an AP, it sends traffic to the AP’s Basic
Service Set Identifier (BSSID), which is usually the AP’s MAC address.
In the Alcatel OmniAccess system, an AP uses a unique BSSID for each WLAN.
Thus a physical AP can support multiple WLANs. The WLAN configuration applied
to a BSSID on an AP is called a virtual AP. You can configure and apply multiple
virtual APs to an AP group or to an individual AP.
You can configure virtual APs to provide different network access or services to
users on the same physical network. For example, you can configure a WLAN to
provide access to guest users and another WLAN to provide access to employee
users through the same APs. You can also configure a WLAN that offers open
authentication and Captive Portal access with data rates of 1 and 2 Mbps and
another WLAN that requires WPA authentication with data rates of up to 11
Mbps. You can apply both virtual AP configurations to the same AP or AP group,
as shown in Figure 5-10.
FIGURE 5-10 Virtual AP Configurations Applied to the Same AP
AP
VIRTUAL AP
EMPLOYEE
SSID WITH
WPA2
AUTHENTICATION
VIRTUAL AP
GUEST
SSID WITH
OPENSYSTEM
USING CAPTIVE
PORTAL
AOS-W 3.1 121
User Guide
Configuring Access Points
Chapter 5
Configuring Profiles
In AOS-W, related configuration parameters are grouped into a profile that you
can apply as needed to an AP group or to individual APs. You can apply the
following types of profiles to an AP or AP group:
Wireless LAN profiles configure WLANs in the form of virtual AP profiles. A
virtual AP profile contains an SSID profile which defines the WLAN and an
AAA profile which defines the authentication for the WLAN. Unlike other
profile types, you can configure and apply multiple instances of virtual AP
profiles to an AP group or to an individual AP.
AP profiles configure AP operation parameters, radio settings, port
operations, regulatory domain, and SNMP information.
QoS profiles configure traffic management and VoIP functions.
RF management profiles configure radio tuning and calibration, AP load
balancing, coverage hole detection, and RSSI metrics.
IDS profiles configure IDS functions for APs. There is a top-level IDS profile
that contains other IDS profiles in which you configure detection of denial of
service (DoS) and impersonation attacks, and unauthorized devices on the
wireless network, as well as intrusion signatures.
NOTE:You can apply multiple virtual AP profiles to an AP group or to an
individual AP; for most other profiles, you can apply only one instance of
the profile to an AP group or AP at a time.
Ta b l e 5 - 4 lists the AP profiles by type that you can configure and apply to an AP
group or to an individual AP. Note that some profiles reference other profiles. For
example, a virtual AP profile references SSID and AAA profiles, while an AAA
profile can reference an 802.1x authentication profile and server group.
TABLE 5-4 AP Profiles
Profile Type Description
WLAN:
Virtual AP (can be multiple) WLAN configuration
SSID SSID configuration
EDCA (station) Client to AP traffic prioritization
EDCA (AP) AP to client traffic prioritization
AAA Initial and default user roles, derivation rules
MAC authentication MAC address authentication
802.1x authentication 802.1x authentication
Configuring Access Points
Chapter 5
122 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Server group Authentication/accounting servers
XML API server External XML API server
RFC 3576 server RFC 3576 RADIUS server
RF Management:
802.11a radio 802.11a radio settings for APs
ARM RF allocation
802.11b/g radio 802.11b/g radio settings for APs
ARM RF allocation
RF optimization Coverage hole and interference detection
RF event thresholds Received signal strength indication metrics
AP:
Wired AP AP 70 second Ethernet port
Ethernet interface 0 link Duplex/speed of AP’s Ethernet link
Ethernet interface 1 link Duplex/speed of AP’s Ethernet link
AP system Administrative options
Regulatory domain Country code and valid channels
SNMP SNMP for APs
SNMP user SNMPv3 users
QoS:
VoIP call admission control Voice over IP
802.11a traffic management Bandwidth allocation
802.11b/g traffic management Bandwidth allocation
IDS:
General Air monitoring attributes
Signature matching Intrusion detection signature matching
Signature Predefined or user-defined signatures
Denial of service Traffic anomalies for DoS attacks
Rate thresholds Thresholds for frame types
Impersonation Anomalies for impersonation attacks
Unauthorized device Detection of unauthorized devices
TABLE 5-4 AP Profiles (Continued)
Profile Type Description
AOS-W 3.1 123
User Guide
Configuring Access Points
Chapter 5
Alcatel provides a “default” version of each profile with default values for most
parameters. If you are not using a feature in a profile, you can simply leave the
“default” profile values unchanged. For example, if you are not using any of the
IDS features for an AP group or AP, you do not need to open any of the “default”
IDS profiles.
You can use the “default” version of a profile or create a new instance of a profile
which you can then edit as you need. You can change the values of any parameter
in a profile. You have the flexibility of applying the “default” versions of profiles in
addition to customizing profiles that are necessary for the AP or AP group to
function.
For example, if your wireless network includes a master WLAN Switch in
Edmonton, Alberta and a local WLAN Switch in Toronto, Ontario, you could
segregate the APs into two AP groups: “default” for the APs in Edmonton and
“Toronto” for the APs in Toronto. The primary difference between the APs in
Edmonton and Toronto is the WLAN Switch from which the APs boot: the APs in
Edmonton should boot from the master WLAN Switch, while the APs in Toronto
should boot from the local WLAN Switch. You configure the address of the local
WLAN Switch in the AP system profile. Therefore, you would need to have two
instances of the AP system profile: one for Edmonton and one for Toronto. You
can apply the “default” profiles for other AP profile types to both AP groups, as
shown in Figure 5-11.
FIGURE 5-11 Applying AP Profiles to AP Groups
NOTE:Each instance of a profile must have a unique name. In the example
above, there are two different AP system profiles, therefore each
instance should have a unique name.
You can apply the same virtual AP profiles to the AP groups shown in
Figure 5-11. For example, there are users in both Edmonton and Toronto that
access the same “Corpnet” WLAN. Note that if your WLAN requires
authentication to an external server, you may want to have users who associate
AP Profiles “default” AP Group “Toronto” AP Group
802.11a “default” “default”
802.11b/g “default” “default”
Wired “default” “default”
Ethernet 0 Link “default” “default”
Ethernet 1 Link “default” “default”
AP System “default” “Toronto”
Regulatory Domain “default” “default”
SNMP “default” “default”
Configuring Access Points
Chapter 5
124 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
with the APs in Toronto authenticate with their local servers. In this case, you can
configure slightly different AAA profiles: one that references authentication
servers in the Edmonton and the other that references servers in Toronto, as
shown in Figure 5-12.
FIGURE 5-12 Applying WLAN Profiles to AP Groups
When you assign a profile to an individual AP, the values in the profile override the
profile assigned to the AP group to which the AP belongs. The exception is the
virtual AP profile — you can apply multiple virtual AP profiles to individual APs, as
well as to AP groups.
You can exclude one or more virtual AP profiles from an individual AP — this
prevents a virtual AP defined at the AP group level from being applied to a specific
AP. For example, you can apply the virtual AP profile that corresponds to the
“Corpnet” SSID to the “default” AP group. If you do not want the “Corpnet” SSID
to be advertised on the AP in the lobby, you can specify that the virtual AP profile
that contains the “Corpnet” SSID configuration be excluded from that AP.
FIGURE 5-13 Excluding a Virtual AP Profile from an AP
WLAN Profiles “default” AP Group “Toronto” AP Group
Virtual AP “Corpnet-E” “Corpnet-T”
SSID “Corpnet” “Corpnet”
AAA “E-Servers” “T-Servers”
DEFAULT” AP GROUP
“CORPNETVIRTUAL AP
PROFILE APPLIED TO THE AP
GROUP
BUT NOT TO THIS AP
X
AOS-W 3.1 125
User Guide
Configuring Access Points
Chapter 5
Using the WebUI to exclude a virtual AP profile from an AP:
1. Navigate to the Configuration > Wireless > AP Configuration > AP Specific
page.
2. Do one of the following:
zIf the AP for which you want to exclude a virtual AP profile appears in the
list, click Edit for the AP.
zIf the AP does not appear in the list, click New. Either type in the name of
the AP, or select the AP from the drop-down list. Then click Add.
3. Under the Profiles list, select Wireless LAN, then select Excluded Virtual AP.
4. Under Profile Details, select the name of the virtual AP profile you want to
exclude from this AP from the drop-down menu, and then click Add. The
profile name appears in the Excluded Virtual APs list. You can add multiple
profile names in the same way.
To remove a profile name from the Excluded Virtual APs list, select the profile
name and click Delete.
5. Click Apply.
Using the CLI to exclude a virtual AP profile from an AP:
ap-name <name<
exclude-virtual-ap <profile>
Configuring Access Points
Chapter 5
126 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Example Configurations
This section shows simple examples of how to configure virtual APs for the
“default” AP group, which includes all APs discovered by the Alcatel WLAN
Switch, and for a specific AP. The example configuration includes the following
WLANs:
An 802.11a/b/g SSID called “Corpnet” that uses WPA2 and is available on all
APs in the network
An 802.11a/b/g SSID called “Guest” that uses open system and is only
available on the AP “building3-lobby” (this AP will support both the “Corpnet”
and “Guest” SSIDs)
Each WLAN requires a different SSID profile that maps into a separate virtual AP
profile. For the SSID “Corpnet”, which will use WPA2, you need to configure an
AAA profile that includes 802.1x authentication and an 802.1x authentication
server group.
Because all APs discovered by the WLAN Switch belong to the AP group called
“default”, you assign the virtual AP profile that contains the SSID profile
“Corpnet” to the “default” AP group. For the “Guest” SSID, you configure a new
virtual AP profile that you assign to the AP named “building3-lobby”.
Ta b l e 5 - 5 describes the profiles that you need to modify or create for these
examples.
AOS-W 3.1 127
User Guide
Configuring Access Points
Chapter 5
Configuring the Corpnet WLAN
In this WLAN, users are validated against a corporate database on a RADIUS
authentication server before they are allowed access to the network. Once
validated, users are placed into a specified VLAN (VLAN 1 in this example) and
assigned the user role “employee” that permits access to the corporate network.
NOTE:Alcatel recommends that you assign a unique name to each virtual AP,
SSID, and AAA profile that you modify. In this example, you use the name
“corpnet” to identify each of the profiles.
To configure the Corpnet WLAN, you need to perform the following tasks:
1. Configure a policy for the user role employee and configure the user role
employee with the specified policy.
2. Configure RADIUS authentication servers and assign them to the corpnet
802.1x authentication server group.
3. Configure authentication for the WLAN.
A. Create the corpnet 802.1x authentication profile.
B. Create the AAA profile corpnet and specify the previously-configured
employee user role for the 802.1x authentication default role.
TABLE 5-5 Profiles for Example Configuration
AP Group/Name Virtual AP Profile SSID Profile AAA Profile
“default” “corpnet”
VLAN: 1
SSID profile:
“corpnet”
AAA profile:
“corpnet”
“corpnet”
SSID: Corpnet
WPA2
“corpnet”
802.1x authentication
default role: “employee”
802.1x authentication
server group: “corpnet”
- Radius1
- Radius2
“building3-lobby” “guest”
VLAN: 2
Deny Time
Range
SSID profile:
“guest”
AAA profile:
“default-open”
“guest”
SSID: Guest
Open system
“default-open”
(This is a predefined,
read-only AAA profile that
specifies open system
authentication)
Configuring Access Points
Chapter 5
128 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
C. Specify the previously-configured corpnet 802.1x authentication server
group.
4. For the AP group “default”, create and configure the virtual AP corpnet.
A. Create a new virtual AP profile corpnet.
B. Select the previously-configured corpnet AAA profile for this virtual AP.
C. Create a new SSID profile corpnet to configure “Corpnet” for the SSID
name and WPA2 for the authentication.
The following sections describe how to do this using the WebUI and the CLI.
Configure the User Role
In this example, the employee user role allows unrestricted access to network
resources and is granted only to users who have been successfully authenticated
with an external RADIUS server. You can configure a more restrictive user role by
specifying allowed or disallowed source and destination, protocol, and service for
the traffic. For more information about configuring user roles, see Chapter 7,
“Configuring Roles and Policies”.
Using the WebUI to configure the user role:
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Click Add to add a new policy. Enter the name of the policy.
Default settings for a policy rule permit all traffic from any source to any
destination, but you can make a rule more restrictive. You can also configure
multiple rules; the first rule in a policy that matches the traffic is applied. Click
Add to add a rule. When you are done adding rules, click Apply.
3. Click the User Roles tab. Click Add to add a new user role. Enter the name of
the role. Under Firewall Policies, click Add. In the Choose from Configured
Policies drop-down list, select the policy you previously created. Click Done.
4. Click Apply.
Using the CLI to configure the user role:
ip access-list session <policy>
<source> <dest> <service> <action>
user-role employee
access-list session <policy>
AOS-W 3.1 129
User Guide
Configuring Access Points
Chapter 5
Configure Authentication Servers
This example uses RADIUS servers for the client authentication. You need to
specify the hostname and IP address for each RADIUS server and the shared
secret used to authenticate communication between the server and the WLAN
Switch. After configuring authentication servers, assign them to the corpnet
server group, an ordered list of the servers to be used for 802.1x authentication.
For more information about configuring authentication servers, see Chapter 8,
“Configuring Authentication Servers”.
Using the WebUI to configure authentication servers:
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Radius Server to display the Radius Server List.
3. Enter the name of the server, and click Add. The server name appears in the
list of servers.
4. Select the server name. Enter the IP address and shared secret for the server.
Select the Mode checkbox to activate the authentication server.
5. Click Apply to apply the configuration.
6. Select Server Group on the Servers page.
7. Enter the name of the group, and click Add. The server group name appears
in the list of server groups.
8. Select the server group name. Click New to add a server to the group. Under
Server Name, select the server you just configured and click Add.
9. Click Apply to apply the configuration.
Using the CLI to configure authentication servers:
aaa authentication-server radius Radius1
host <ipaddr>
key <key>
enable
aaa server-group corpnet
auth-server Radius1
Configure Authentication
In this example, you create the 802.1x authentication profile corpnet. The AAA
profile configures the authentication for a WLAN. The AAA profile defines the type
of authentication (802.1x in this example), the authentication server group, and
the default user role for authenticated users.
Configuring Access Points
Chapter 5
130 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the WebUI to configure authentication:
1. Navigate to the Configuration > Security > Authentication > L2
Authentication page. Select 802.1x Authentication Profile.
A. In the 802.1x Authentication Profile Instance list, enter corpnet, and click
Add.
B. Select the corpnet 802.1x authentication profile you just created.
C. You can configure parameters in the Basic or Advanced tabs. For this
example, you use the default values, so click Apply.
2. Select the AAA Profiles tab.
A. In the AAA Profiles Summary list, click Add to create a new profile.
B. Enter corpnet, then click Add.
C. Select the corpnet AAA profile you just created.
D. For 802.1x Authentication Default Role, select the employee role you
previously configured.
E. Click Apply.
3. Select the 802.1x Authentication Profile under the corpnet AAA profile.
A. Select corpnet.
B. Click Apply.
4. Select the 802.1x Authentication Server Group under the corpnet AAA profile.
A. Select the corpnet server group you previously configured.
B. Click Apply.
Using the CLI to configure authentication:
aaa authentication dot1x corpnet
aaa profile corpnet
authentication-dot1x corpnet
dot1x-default-role employee
dot1x-server-group corpnet
Configure the Virtual AP
In this example, you apply the corpnet virtual AP to the “default” AP group which
consists of all APs.
Using the WebUI to configure the virtual AP:
1. Navigate to the Configuration > Wireless > AP Configuration > AP Group
page.
AOS-W 3.1 131
User Guide
Configuring Access Points
Chapter 5
2. Click Edit for the “default” AP group.
3. Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the “default” virtual AP profile.
4. Select the “default” SSID profile. Enter anynet for the SSID name. Click Save
As, then enter anynet. Click Apply.
NOTE:The WebUI prevents you from configuring the same ESSID in more
than one virtual AP for an AP group or name. Whenever you create a
new virtual AP profile, the profile automatically contains the “default”
SSID profile with the default “alcatel-ap” SSID. The step above allows
you to create a new virtual AP that does not have the same ESSID as
the “default” virtual AP profile.
5. Under Profiles, select Virtual AP to display the Profile Details.
A. To create a new virtual AP profile, select NEW for Add a profile,.
B. Enter the profile name corpnet, then click Add.
C. Click Apply.
6. Under Profiles, select the corpnet virtual AP profile.
A. Make sure Virtual AP enable is selected.
B. Select 1 for the VLAN.
C. Click Apply.
7. Under Profiles, select the AAA profile under the corpnet virtual AP profile.
A. In the Profile Details section, select corpnet for the AAA Profile.
B. Click Apply.
8. Under Profiles, select the SSID profile under the corpnet virtual AP profile.
A. Select NEW from the SSID Profile drop-down menu.
B. Enter corpnet.
C. Enter Corpnet for the Network Name.
D. Under 802.11 Security, select WPA2.
E. Click Apply.
Using the CLI to configure the virtual AP:
wlan ssid-profile corpnet
essid Corpnet
opmode wpa2-aes
wlan virtual-ap corpnet
vlan 1
Configuring Access Points
Chapter 5
132 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
aaa-profile corpnet
ssid-profile corpnet
ap-group default
virtual-ap corpnet
Guest WLAN
To configure the Guest WLAN, you need to perform the following tasks:
1. Configure the VLAN for guest users.
2. Configure the guest role which only allows HTTP and HTTPS traffic from 9:00
a.m. to 5 p.m. on weekdays.
3. For the AP named “building3-lobby”, create and configure the virtual AP
profile guest:
A. Create a new virtual AP profile guest.
B. Select the predefined AAA profile default-open.
C. Create a new SSID profile guest to configure “Guest” for the SSID name
and open system for the authentication.
The following sections describe how to do this using the WebUI and the CLI.
Configure the VLAN
In this example, users on the “Corpnet” WLAN are placed into VLAN 1, which is
the default VLAN configured on the WLAN Switch. For guest users, you need to
create another VLAN and assign the VLAN interface an IP address.
Using the WebUI to configure the VLAN:
1. Navigate to the Configuration > Network > VLANs page.
2. Click Add to add a VLAN. Enter 2 in the VLAN ID, and click Apply.
3. To assign an IP address and netmask to the VLAN you just created, navigate
to the Configuration > Network > IP > IP Interfaces page. Click Edit for VLAN
2. Enter an IP address and netmask for the VLAN interface, and then click
Apply.
Using the CLI to configure the VLAN:
vlan 2
interface vlan 2
ip address <address> <netmask>
AOS-W 3.1 133
User Guide
Configuring Access Points
Chapter 5
Configure the Guest Role
The guest role allows web (HTTP and HTTPS) access only during normal business
hours (9:00 a.m. to 5:00 p.m. Monday through Friday).
Using the WebUI to configure the Guest Role:
1. Navigate to the Configuration > Security > Access Control > Time Ranges
page.
2. Click Add. Enter a name, such as “workhours”. Select Periodic. Click Add.
Under Add Periodic Rule, select Weekday. For Start Time, enter 9:00. For End
Time, enter 17:00. Click Done. Click Apply.
3. Select the Policies tab. Click Add. Enter a policy name, such as “restricted”.
Click Add. Select Service, then select svc-http from the drop-down list. For
Time Range, select the time range you previously configured. Select Add. Add
another rule for svc-https. Click Apply.
4. Select the User Roles tab. Click Add. Enter guest for Role Name. Under
Firewall Policies, click Add. Select Choose from Configured Policies and
select the policy you previously configured. Click Done.
5. Click Apply.
Using the CLI to configure the Guest Role:
time-range workhours periodic
weekday 09:00 to 17:00
ip access-list session restricted
any any svc-http permit time-range workhours
any any svc-https permit time-range workhours
user-role guest
session-acl restricted
Configure the Virtual AP
In this example, you apply the guest virtual AP profile to a specific AP.
NOTE:Alcatel recommends that you assign a unique name to each virtual AP,
SSID, and AAA profile that you modify. In this example, you use the name
guest to identify the virtual AP and SSID profiles.
Using the WebUI to configure the virtual AP:
1. Navigate to Configuration > Wireless > AP Configuration > AP Specific page.
2. Click New. Either enter the AP name or select an AP from the list of
discovered APs. Click Add. The AP name appears in the list.
Configuring Access Points
Chapter 5
134 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
3. Click Edit for the AP to display the profiles that you can configure for the AP.
NOTE:Selecting Wireless LAN allows you to exclude certain virtual AP
profiles from being applied to this AP.
4. Select Virtual AP.
A. For Add a profile, select NEW.
B. Enter guest, and click Add.
C. Click Apply.
5. Click the guest virtual AP to display profile details.
A. Make sure Virtual AP Enable is selected.
B. Select 2 for the VLAN.
C. Click Apply.
6. Under Profiles, select the AAA profile under the guest virtual AP profile.
A. In the Profile Details, select default-open from the AAA Profile
drop-down list.
B. Click Apply.
7. Under Profiles, select the SSID profile under the guest virtual AP profile.
A. Select NEW from the SSID Profile drop-down menu.
B. Enter guest.
C. In the Profile Details, enter Guest for the Network Name.
D. Select None for Network Authentication and Open for Encryption.
E. Click Apply.
Using the CLI to configure the virtual AP:
wlan ssid-profile guest
opmode opensystem
wlan virtual-ap guest
vap-enable
vlan 2
deny-time-range workhours
ssid-profile guest
aaa-profile default-open
ap-name building3-lobby
virtual-ap guest
AOS-W 3.1 135
User Guide
Configuring Access Points
Chapter 5
Advanced Configuration Options
This section describes advanced options you can configure for APs.
Channel Switch Announcement
When an AP changes its channel, existing wireless clients can time out while
waiting to receive a beacon from the AP and must begin scanning to discover the
new channel on which the AP is operating. If the disruption is long enough, the
client may need to reassociate, reauthenticate, and re-request an IP address.
Channel Switch Announcement (CSA), as defined by IEEE 802.11h, enables an
AP to announce that it is switching to a new channel before it begins transmitting
on that channel. This allows clients that support CSA to transition to the new
channel with minimal downtime. When CSA is enabled, the AP does not change
to a new channel immediately. Instead, it sends a number of beacons (the default
is 4) that contain the CSA announcement before it switches to the new channel.
You can configure the number of announcements sent before the change.
NOTE:Clients must support CSA in order to track the channel change without
experiencing disruption.
Using the WebUI to configure CSA:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or
AP name.
3. In the Profile list, select RF Management.
4. In the Profiles list, select the 802.11a or 802.11g radio profile.
5. Select Enable CSA. You can configure a different value for CSA Count.
6. Click Apply.
Using the CLI to configure CSA:
rf radio-profile <profile>
csa
csa-count <number>
Configuring Access Points
Chapter 5
136 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 137
User Guide
Configuring Remote APs 6
The Secure Remote Access Point Service allows users at remote locations that
are equipped with APs to connect to an Alcatel WLAN Switch over the Internet.
Since the Internet is involved, data traffic between the WLAN Switch and the
remote AP is VPN encapsulated, and control traffic between the WLAN Switch
and AP is encrypted. For additional security, you have the choice of encrypting
data as well as control traffic.
This chapter describes the following topics:
“Overview” on page 138
“Configuring the Secure Remote Access Point Service” on page 140
“Deploying a Branch Office/Home Office Solution” on page 146
“Double Encryption” on page 148
NOTE:The Secure Remote Access Point Service requires that you install one or
more Remote AP licenses in the WLAN Switch on which you terminate
the VPN tunnel that carries traffic from the remote AP. There are several
Remote AP licenses available that support different maximum numbers of
APs. The licenses are cumulative; each additional license installed
increases the maximum number of remote APs supported by the WLAN
Switch.
You must install a Remote AP license on any WLAN Switch that you use
to provision a remote AP. See “Provision the AP” on page 145 for
information.
Configuring Remote APs
Chapter 6
138 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Overview
Remote APs connect to a WLAN Switch using Layer-2 Tunneling Protocol and
Internet Protocol Security (L2TP/IPSec). AP control and 802.11 data traffic are
carried through this tunnel. Secure Remote Access Point Service extends the
corporate office to the remote site. Remote users can use the same features as
corporate office users. For example, voice over IP (VoIP) applications can be
extended to remote sites while the servers and the PBX remain secure in the
corporate office.
Secure Remote Access Point Service can also be used to secure control traffic
between an AP and the WLAN Switch in a corporate environment. In this case,
both the AP and WLAN Switch are in the company’s private address space.
The remote AP must be configured with the IPSec VPN tunnel termination point.
Once the VPN tunnel is established, the AP bootstraps and becomes operational.
The tunnel termination point used by the remote AP depends upon the AP
deployment, as shown in the following scenarios:
Deployment Scenario 1: The remote AP and WLAN Switch reside in a private
network which is used to secure AP-to-WLAN Switch communication.
(Alcatel recommends this deployment when AP-to-WLAN Switch
communications on a private network need to be secured.) In this scenario,
the remote AP uses the WLAN Switch’s IP address on the private network to
establish the IPSec VPN tunnel.
FIGURE 6-14 Remote AP with a Private Network
Deployment Scenario 2: The remote AP is on the public network or behind a
NAT device and the WLAN Switch is on the public network. The remote AP
must be configured with the tunnel termination point which must be a
publicly-routable IP address. In this scenario, a routable interface is
configured on the WLAN Switch in the DMZ. The remote AP uses the WLAN
Switch’s IP address on the public network to establish the IPSec VPN tunnel.
CORPORATE NETWORK
INTRANET
WLAN SWITCHS
IP ADDRESS
AOS-W 3.1 139
User Guide
Configuring Remote APs
Chapter 6
FIGURE 6-15 Remote AP with WLAN Switch on Public Network
Deployment Scenario 3: The remote AP is on the public network or behind a
NAT device and the WLAN Switch is also behind a NAT device. (Alcatel
recommends this deployment for remote access.) The remote AP must be
configured with the tunnel termination point which must be a
publicly-routable IP address. In this scenario, the remote AP uses the public
IP address of the corporate firewall. The firewall forwards traffic to an
existing interface on the WLAN Switch. (The firewall must be configured to
pass NAT-T traffic (UDP port 4500) to the WLAN Switch.)
FIGURE 6-16 Remote AP with WLAN Switch Behind Firewall
In any of the described deployment scenarios, the IPSec VPN tunnel can be
terminated on a local WLAN Switch, with a master WLAN Switch located
elsewhere in the corporate network (Figure 6-17). The remote AP must be able to
communicate with the master WLAN Switch after the IPSec tunnel is established.
Make sure that the L2TP IP pool configured on the local WLAN Switch (from
which the remote AP obtains its address) is reachable in the network by the
master WLAN Switch.
FIGURE 6-17 Remote AP in a Multi-WLAN Switch Environment
CORPORATE NETWORK
INTERNET
WLAN SWITCHS
IP ADDRESS
CORPORATE NETWORK
INTERNET
FIREWALLS
IP ADDRESS
CORPORATE NETWORK
INTERNET
FIREWALLS
IP ADDRESS
LOCAL WLAN SWITCH MASTER WLAN SWITCH
Configuring Remote APs
Chapter 6
140 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Configuring the Secure Remote Access Point
Service
Alcatel Access Points, with the exception of the AP 52 and AP 80, can be
configured for Secure Remote Access Point Service.
Refer to the deployment scenarios described previously. To configure the Secure
Remote Access Point Service:
1. Configure a public IP address for the WLAN Switch.
NOTE:You must install one or more Remote AP licenses in the WLAN Switch.
There are several Remote AP licenses available that support different
maximum numbers of APs. The licenses are cumulative; each additional
license installed increases the maximum number of remote APs
supported by the WLAN Switch.
2. Configure the VPN server on the WLAN Switch. The remote AP will be a VPN
client to the server.
3. Configure the remote AP role.
4. Configure the authentication server that will validate the username and
password for the remote AP.
5. Provision the AP with IPSec settings, including the username and password
for the AP, before you install it at the remote location.
These tasks are described in the following sections.
Configure a Public IP Address for the WLAN
Switch
The remote AP requires an IP address to which it can connect in order to
establish a VPN tunnel to the WLAN Switch. This can be either a routable IP
address that you configure on the WLAN Switch, or the address of an external
router or firewall that forwards traffic to the WLAN Switch.
Configure a Routable IP Address on the WLAN Switch
The following steps describe how to create a DMZ address on the WLAN Switch.
Using the WebUI to create a DMZ address:
1. Navigate to the Configuration > Network > VLANs page.
2. Click Add to add a VLAN.
3. Enter the VLAN ID.
AOS-W 3.1 141
User Guide
Configuring Remote APs
Chapter 6
4. Select the port that belongs to this VLAN.
5. Click Apply.
6. Navigate to the Configuration > Network > IP page.
7. Click Edit for the VLAN you just created.
8. Enter the IP Address and Net Mask fields.
9. Click Apply.
Using the CLI to create a DMZ address:
vlan <id>
interface fastethernet <slot>/<port>
switchport access vlan <id>
interface vlan <id>
ip address <ipaddr> <mask>
Configure the NAT Device
Communication between the AP and secure WLAN Switch uses the UDP 4500
port. When both the WLAN Switch and the AP are behind NAT devices, configure
the AP to use the NAT device’s public address as its master address. On the NAT
device, you must enable NAT-T (UDP port 4500 only) and forward all packets to
the public address of the NAT device on UDP port 4500 to the WLAN Switch to
ensure that the remote AP boots successfully.
Configure the VPN Server
This section describes how to configure the IPSec VPN server on the WLAN
Switch. The remote AP will be a VPN client that connects to the VPN server on
the WLAN Switch.
Using the WebUI to configure VPN server:
1. Navigate to the Configuration > Advanced Services > VPN Services > IPSec
page.
2. Select (check) Enable L2TP.
3. Make sure that only PAP (Password Authentication Protocol) is selected for
Authentication Protocols.
4. Enter the IP address of the primary DNS server for the remote AP.
5. To configure the L2TP IP pool, click Add in the Address Pools section.
Configure the L2TP pool from which the APs will be assigned addresses,
then click Done.
Configuring Remote APs
Chapter 6
142 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
NOTE:The size of the pool should correspond to the maximum number of
remote APs that the WLAN Switch is licensed to manage.
6. To configure an Internet Security Association and Key Management Protocol
(ISAKMP) encrypted subnet and preshared key, click Add in the IKE Shared
Secrets section and configure the preshared key. Click Done to return to the
IPSec page.
7. Click Apply.
For more details, see Chapter 11, “Configuring Virtual Private Networks.
Using the CLI to configure VPN server:
vpdn group l2tp
ppp authentication PAP
client configuration dns <ipaddr1> <ipaddr2>
ip local pool <pool> <start-ipaddr> <end-ipaddr>
crypto isakmp key <key> address <ipaddr> netmask <mask>
Configure the Remote AP User Role
Once the remote AP is authenticated for the VPN and established a IPSec
connection, it is assigned a role. This role is a temporary role assigned to the AP
until it completes the bootstrap process after which it inherits the ap-role. The
appropriate ACLs need to be enabled to permit traffic from the WLAN Switch to
the AP and back to facilitate the bootstrap process.
To configure the user role, you first create a policy that permits the following
traffic:
AP control traffic via the Alcatel PAPI protocol
GRE tunnel traffic
Layer-2 Tunneling Protocol (L2TP) traffic
TFTP traffic from the remote AP to the WLAN Switch
FTP traffic from the remote AP to the WLAN Switch
Then, you create a user role that contains this policy.
Using the WebUI to configure the user role:
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Click Add to create a policy.
3. Enter the Policy Name (for example, remote-AP-access).
AOS-W 3.1 143
User Guide
Configuring Remote APs
Chapter 6
4. To create the first rule:
A. Under Rules, click Add.
B. For Source, select any.
C. For Destination, select any.
D. For Service, select service, then select svc-papi.
E. Click Add.
5. To create the next rule:
A. Under Rules, click Add.
B. For Source, select any.
C. For Destination, select any.
D. For Service, select service, then select svc-gre.
E. Click Add.
6. To create the next rule:
A. Under Rules, click Add.
B. For Source, select any.
C. For Destination, select any.
D. For Service, select service, then select svc-l2tp.
E. Click Add.
7. To create the next rule:
A. Under Rules, click Add.
B. For Source, select any.
C. For Destination, select alias, then select mswitch.
D. For Service, select service, then select svc-tftp.
E. Click Add.
8. To create the next rule:
A. Under Rules, click Add.
B. For Source, select any.
C. For Destination, select alias, then select mswitch.
D. For Service, select service, then select svc-ftp.
E. Click Add.
9. Click Apply.
10. Click the User Roles tab.
Configuring Remote APs
Chapter 6
144 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
A. Click Add.
B. Enter the Role Name (for example, RemoteAP).
C. Click Add under Firewall Policies.
D. In the Choose from Configured Policies menu, select the policy you just
created.
E. Click Done.
11. Click Apply.
Using the CLI to configure the user role:
ip access-list session <policy>
any any svc-papi permit
any any svc-gre permit
any any svc-l2tp permit
any alias mswitch svc-tftp permit
any alias mswitch svc-ftp permit
user-role <role>
session-acl <policy>
Configure VPN Authentication
Before you enable VPN authentication, you must configure the authentication
server(s) and server group that the WLAN Switch will use to validate the remote
AP. When you provision the remote AP, you configure IPSec settings for the AP,
including the username and password. This username and password must be
validated by an authentication server before the remote AP is allowed to establish
a VPN tunnel to the WLAN Switch. The authentication server can be any type of
server supported by the WLAN Switch, including the WLAN Switch’s internal
database.
For more information about configuring authentication servers and server groups,
see Chapter 8, “Configuring Authentication Servers”.
CAUTION:For security purposes, Alcatel recommends that you
assign a unique username and password to each remote
AP.
AOS-W 3.1 145
User Guide
Configuring Remote APs
Chapter 6
Using the WebUI to configure the VPN authentication profile:
1. Navigate to the Configuration > Security > Authentication > L3
Authentication page.
2. In the Profiles list, select VPN Authentication Profile.
3. For Default Role, enter the user role you created previously (for example,
RemoteAP).
4. Click Apply.
5. In the Profile list, under VPN Authentication Profile, select Server Group.
6. Select the server group from the drop-down menu.
7. Click Apply.
Using the CLI to configure the VPN authentication profile:
aaa server-group <group>
auth-server <server>
aaa authentication vpn
default-role <role>
server-group <group>
Provision the AP
You need to configure the VPN client settings on the AP to instruct the AP to use
IPSec to connect to the WLAN Switch.
You must provision the AP before you install it at its remote location. To provision
the AP, the AP must be physically connected to the local network or directly
connected to the WLAN Switch. When connected and powered on, the AP must
also be able to obtain an IP address from a DHCP server on the local network or
from the WLAN Switch.
NOTE:You must install a Remote AP license on any WLAN Switch that you use
to provision a remote AP. For example, if you are provisioning a remote
AP on a master WLAN Switch but the remote AP tunnel will terminate on
a local WLAN Switch, you need to install Remote AP licenses on both the
master and local WLAN Switchs.
The easiest way to provision an AP is to use the Provisioning page in the WebUI,
as described in the following steps:
1. Navigate to the Configuration > Wireless > AP Installation > Provisioning
page. Select the remote AP and click Provision.
2. Under Authentication Method, select IPSec Parameters. Enter the Internet Key
Exchange (IKE) Pre-Shared Key (PSK), username, and password.
Configuring Remote APs
Chapter 6
146 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
NOTE:The username and password you enter must match the username
and password configured on the authentication server for the remote
AP.
3. Under Master Discovery, set the Master IP Address as shown below:
4. Under IP Settings, make sure that Obtain IP Address Using DHCP is selected.
5. Click Apply and Reboot.
NOTE:Regardless of the deployment type, Alcatel recommends that the LMS IP
in the AP system profile for the AP be set to the WLAN Switch IP address
(either the loopback address of the WLAN Switch or the VLAN 1 IP
address).
Deploying a Branch Office/Home Office
Solution
In a branch office, the AP is deployed in a separate IP network from the corporate
network. Typically, there are one or two NAT devices between the two networks.
Branch office users need access to corporate resources like printers and servers
but traffic to and from these resources must not impact the corporate head office.
The following illustration shows a remote AP in a branch or home office with a
single WLAN Switch providing access to both a corporate WLAN and a branch
office WLAN.
Deployment Scenario Master IP Address Value
Deployment 1 WLAN Switch IP address
Deployment 2 WLAN Switch public IP address
Deployment 3 Public address of the NAT device to which the
WLAN Switch is connected
AOS-W 3.1 147
User Guide
Configuring Remote APs
Chapter 6
Branch office users want continued operation of the branch office WLAN even if
the link to the corporate network goes down. The branch office AP solves these
requirements by providing the following capabilities on the branch office WLAN:
Local termination of 802.11 management frames which provides survivability
of the branch office WLAN.
Implementation of an 802.1x authenticator split. All 802.1x authenticator
functionality is implemented in the AP. The WLAN Switch is used as a
RADIUS pass-through when the authenticator has to communicate with a
RADIUS server (which also supports survivability).
802.11 encryption/decryption is in the AP to provide access to local
resources.
Local bridging of client traffic connected to the WLAN or to an AP 70 enet1
port to provide access to local resources.
To configure the branch office AP:
Specify forward mode for the Extended Service Set Identifier (ESSID) in the
virtual AP profile
Set how long the AP stays up after connectivity to WLAN Switch has gone
down in the SSID profile
Set the VLAN ID in the virtual AP profile
Set the native VLAN ID in the AP system profile
Set forward mode for enet1 port
NOTE:Remote APs support 802.1q VLAN tagging. Data from the remote AP will
be tagged on the wired side.
Configuring Remote APs
Chapter 6
148 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Troubleshooting the Branch Office Configuration
Double Encryption
The IPSec tunnel between the remote AP and the WLAN Switch carries
management traffic as well as wireless client traffic, which is encrypted
according to the SSID configuration. A device at the branch office that cannot
perform its own encryption may need connection to the corporate WLAN (for
example, a printer or local server). To securely transmit traffic from this device,
enable the double encryption feature. When this feature is enabled, all traffic
placed into the IPSec tunnel is encrypted, including the already-encrypted
wireless client data (hence the term “double encryption”).
Using the WebUI to enable double encryption:
1. Navigate to the Configuration > Wireless > AP Configuration > AP Specific
page. Click Edit for the remote AP.
2. Under Profiles, select AP, then select AP system profile.
3. Under Profile Details, select the AP system profile for this AP from the
drop-down menu. Select Double Encrypt. Click Apply.
Using the CLI to enable double encryption:
ap system-profile <profile>
double-encrypt
ap-name <name>
ap-system-profile <profile>
NOTE:Alcatel recommends that double-encryption not be turned on for
inter-device communication over untrusted networks, as doing so is
redundant and adds significant processing overhead for APs.
To query the STM state in an AP: show ap bss-table
To see AP counters: show ap remote counters
To see AP associations: show ap association
To see AP traffic statistics: show ap remote debug mgmt-frames
To see AP configuration: show ap debug bss-config
Volume 4
Configuring
Wireless
Encryption and
Authentication
AOS-W Version 3.1
150 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 151
User Guide
Configuring Roles and
Policies 7
Every client in an Alcatel OmniAccess system is associated with a user role,
which determines the client’s network privileges, how often it must
re-authenticate, and which bandwidth contracts are applicable. A policy is a set of
rules that applies to traffic that passes through the WLAN Switch. You specify
one or more policies for a user role. Finally, you can assign a user role to clients
before or after they authenticate to the system.
This chapter describes the following topics:
“Policies” on page 152
“Creating a Firewall Policy” on page 153
“Creating a User Role” on page 156
Assigning User Roles” on page 160
“Firewall Parameters” on page 166
Configuring Roles and Policies
Chapter 7
152 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Policies
A firewall policy identifies specific characteristics about a data packet passing
through the WLAN Switch and takes some action based on that identification. In
an Alcatel WLAN Switch, that action can be a firewall-type action such as
permitting or denying the packet, an administrative action such as logging the
packet, or a quality of service (QoS) action such as setting 802.1p bits or placing
the packet into a priority queue. You can apply firewall policies to user roles to
give differential treatment to different users on the same network, or to physical
ports to apply the same policy to all traffic through the port.
Firewall policies differ from access control lists (ACLs) in the following ways:
Firewall policies are stateful, meaning that they recognize flows in a network
and keep track of the state of sessions. For example, if a firewall policy
permits telnet traffic from a client, the policy also recognizes that inbound
traffic associated with that session should be allowed.
Firewall policies are bi-directional, meaning that they keep track of data
connections traveling into or out of the network. ACLs are normally applied to
either traffic inbound to an interface or outbound from an interface.
Firewall policies are dynamic, meaning that address information in the policy
rules can change as the policies are applied to users. For example, the alias
user in a policy automatically applies to the IP address assigned to a particular
user. ACLs typically require static IP addresses in the rule.
Access Control Lists (ACLs)
Access control lists (ACLs) are a common way of restricting certain types of
traffic on a physical port. AOS-W provides the following types of ACLs:
Standard ACLs permit or deny traffic based on the source IP address of the
packet. Standard ACLS can be either named or numbered, with valid numbers
in the range of 1-99 and 1300-1399. Standard ACLs use a bitwise mask to
specify the portion of the source IP address to be matched.
Extended ACLs permit or deny traffic based on source or destination IP
address, source or destination port number, or IP protocol. Extended ACLs
can be named or numbered, with valid numbers in the range 100-199 and
2000-2699.
MAC ACLs are used to filter traffic on a specific source MAC address or
range of MAC addresses. MAC ACLs can be either named or numbered, with
valid numbers in the range of 700-799 and 1200-1299.
Ethertype ACLs are used to filter based on the Ethertype field in the frame
header. Ethertype ACLs can be either named or numbered, with valid
numbers in the range of 200-299.These ACLs can be used to permit IP while
blocking other non-IP protocols, such as IPX or AppleTalk.
AOS-W 3.1 153
User Guide
Configuring Roles and Policies
Chapter 7
AOS-W provides both standard and extended ACLs for compatibility with router
software from popular vendors, however firewall policies provide equivalent and
greater function than standard and extended ACLs and should be used instead.
You can apply MAC and Ethertype ACLs to a user role, however these ACLs only
apply to traffic from the user.
Creating a Firewall Policy
This section describes how to configure the rules that constitute a firewall policy.
A firewall policy can then be applied to a user role (until the policy is applied to a
user role, it does not have any effect).
Ta b l e 7 - 6 describes required and optional parameters for a rule.
TABLE 7-6 Firewall Policy Rule Parameters
Field Description
Source
(required)
Source of the traffic, which can be one of the following:
any: Acts as a wildcard and applies to any source address.
user: This refers to traffic from the wireless client.
host: This refers to traffic from a specific host. When this option is
chosen, you must configure the IP address of the host.
network: This refers to a traffic that has a source IP from a subnet
of IP addresses. When this option is chosen, you must configure
the IP address and network mask of the subnet.
alias: This refers to using an alias for a host or network. You
configure the alias by navigating to the Configuration > Advanced
Services > Stateful Firewall > Destination page.
Destination
(required)
Destination of the traffic, which can be configured in the same manner
as Source.
Configuring Roles and Policies
Chapter 7
154 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Service
(required)
Type of traffic, which can be one of the following:
any: This option specifies that this rule applies to any type of
traffic.
tcp: Using this option, you configure a range of TCP port(s) to
match for the rule to be applied.
udp: Using this option, you configure a range of UDP port(s) to
match for the rule to be applied.
service: Using this option, you use one of the pre-defined services
(common protocols such as HTTPS, HTTP, and others) as the
protocol to match for the rule to be applied. You can also specify a
network service that you configure by navigating to the
Configuration > Advanced Services > Stateful Firewall >
Network Services page.
protocol: Using this option, you specify a different layer 4 protocol
(other than TCP/UDP) by configuring the IP protocol value.
Action
(required)
The action that you want the WLAN Switch to perform on a packet
that matches the specified criteria. This can be one of the following:
permit: Permits traffic matching this rule.
drop: Drops packets matching this rule without any notification.
reject: Drops the packet and sends an ICMP notification to the
traffic source.
src-nat: Performs network address translation (NAT) on packets
matching the rule. When this option is selected, you need to select
a NAT pool. (If this pool is not configured, you configure a NAT
pool by navigating to the Configuration > Advanced > Security >
Advanced > NAT Pools.)
dst-nat: This option redirects traffic to the configured IP address
and destination port. An example of this option is to redirect all
HTTP packets to the captive portal port on the Alcatel WLAN
Switch as used in the pre-defined policy called “captiveportal”.
dual-nat: This option performs both source and destination NAT
on packets matching the rule.
redirect to tunnel: This option redirects traffic into a GRE tunnel.
This option is used primarily to redirect all guest traffic into a GRE
tunnel to a DMZ router/switch.
redirect to ESI group: This option redirects traffic to the specified
ESI server group. You also specify the direction of traffic to be
redirected: forward, reverse, or both directions.
TABLE 7-6 Firewall Policy Rule Parameters (Continued)
Field Description
AOS-W 3.1 155
User Guide
Configuring Roles and Policies
Chapter 7
Using the WebUI to create a new firewall policy:
1. Navigate to the Configuration > Security > Access Control > Policies page on
the WebUI.
2. Click Add to create a new policy.
3. Enter the policy name.
4. To configure a firewall policy, select Session for Policy Type.
5. Click Add to add a rule to the policy being created. Ta b l e 7 - 6 describes
required and optional fields for a rule.
6. Click Add to add this rule to the policy being created. If more rules are
needed, follow the same process to create and add more rules to the policy.
NOTE:Rules can be re-ordered by the using the up and down buttons
provided for each rule.
7. When all the required rules are created and ordered in the policy, click Apply
to apply this configuration.
NOTE:The policy is not created until the configuration is applied.
Log
(optional)
Select this option to log a match to this rule. This is recommended
when a rule indicates a security breach, such as a data packet on a
policy that is meant only to be used for voice calls.
Mirror
(optional)
Mirrors session packets to datapath or remote destination.
Queue
(optional)
The queue in which a packet matching this rule should be placed.
Select High for higher priority data, such as voice, and Low for lower
priority traffic.
Time Range
(optional)
Specifies the time range for this rule. You configure time ranges in the
Configuration > Security > Access Control > Time Ranges page.
Black List
(optional)
Select this option if it is required to automatically blacklist a client that
is the source or destination of traffic matching this rule. This option is
recommended for rules that indicate a security breach where the
blacklisting option can be used to prevent access to clients that are
attempting to breach the security.
TOS
(optional)
Value of type of service (TOS) bits to be marked in the IP header of a
packet matching this rule when it leaves the WLAN Switch.
802.1p
Priority
(optional)
Value of 802.1p priority bits to be marked in the frame of a packet
matching this rule when it leaves the WLAN Switch.
TABLE 7-6 Firewall Policy Rule Parameters (Continued)
Field Description
Configuring Roles and Policies
Chapter 7
156 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the CLI to create a new firewall policy:
ip access-list session <name>
<source> <destination> <service> <action> ... [position <number>]
Creating a User Role
This section describes how to create a new user role. When you create a user
role, you specify one or more policies for the role.
Ta b l e 7 - 7 describes the different parameters you can configure for the user role.
TABLE 7-7 User Role Parameters
Field Description
Firewall Policies
(required)
This consists of the policies that define the privileges of a
wireless client in this role. There are three ways to add a firewall
policy to a user role:
Choose from configured policies (see “Creating a Firewall
Policy” on page 153): Select a policy from the list of
configured policies and click the “Done” button to add the
policy to the list of policies in the user role. If this policy is to
be applied to this user role only for specific AP groups, you
can specify the applicable AP group.
Create a new policy from a configured policy: This option can
be used to create a new policy that is derived from an
existing policy.
Create a new policy: The rules for the policy can be added as
explained in “Creating a User Role” on page 156.
Re-authentication
Interval (optional)
Time, in minutes, after which the client is required to
reauthenticate. Enter a value between 0-4096. 0 disables
reauthentication.
Default: 0 (disabled)
Role VLAN ID
(optional)
By default, a client is assigned a VLAN on the basis of the ingress
VLAN for the client to the WLAN Switch. You can override this
assignment and configure the VLAN ID that is to be assigned to
the user role. You configure a VLAN by navigating to the
Configuration > Network > VLANs page.
AOS-W 3.1 157
User Guide
Configuring Roles and Policies
Chapter 7
Bandwidth
Contract
(optional)
You can assign a bandwidth contract to provide an upper limit to
the bandwidth utilized by clients in this role. As an example, the
administrator may want to cap the total bandwidth used by the
guest users in a network to 2Mbps.
You can select the Per User option to apply the bandwidth
contracts on a per-user basis instead of to all clients in the role.
To create a new bandwidth contract, select the Add New option
from the drop-down menu. Enter the name of the bandwidth
contract and the bandwidth to be allowed (in Kbps or Mbps).
Click Done to add the new contract and assign it to the role. Or,
navigate to the Configuration > Advanced Services > Stateful
Firewall > BW Contracts page.
VPN Dialer
(optional)
This assigns a VPN dialer to a user role. For details about VPN
dialer, see Chapter 11, “Configuring Virtual Private Networks.
Select a dialer from the drop-down list and assign it to the user
role. This dialer will be available for download when a client logs
in using captive portal and is assigned this role.
L2TP Pool
(optional)
This assigns an L2TP pool to the user role. For more details about
L2TP pools, see Chapter 11, “Configuring Virtual Private
Networks.
Select the required L2TP pool from the list to assign to the user
role. The inner IP addresses of VPN tunnels using L2TP will be
assigned from this pool of IP addresses for clients in this user
role.
PPTP Pool
(optional)
This assigns a PPTP pool to the user role. For more details about
PPTP pools, see Chapter 11, “Configuring Virtual Private
Networks.
Select the required PPTP pool from the list to assign to the user
role. The inner IP addresses of VPN tunnels using PPTP will be
assigned from this pool of IP addresses for clients in this user
role.
Captive Portal
Profile (optional)
This assigns a Captive Portal profile to this role. For more details
about Captive Portal profiles, see Chapter 10, “Configuring
Captive Portal.
TABLE 7-7 User Role Parameters (Continued)
Field Description
Configuring Roles and Policies
Chapter 7
158 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Bandwidth
Contract
(optional)
You can assign a bandwidth contract to provide an upper limit to
the bandwidth utilized by clients in this role. As an example, the
administrator may want to cap the total bandwidth used by the
guest users in a network to 2Mbps.
You can select the Per User option to apply the bandwidth
contracts on a per-user basis instead of to all clients in the role.
To create a new bandwidth contract, select the Add New option
from the drop-down menu. Enter the name of the bandwidth
contract and the bandwidth to be allowed (in Kbps or Mbps).
Click Done to add the new contract and assign it to the role. Or,
navigate to the Configuration > Advanced Services > Stateful
Firewall > BW Contracts page.
VPN Dialer
(optional)
This assigns a VPN dialer to a user role. For details about VPN
dialer, see Chapter 11, “Configuring Virtual Private Networks.
Select a dialer from the drop-down list and assign it to the user
role. This dialer will be available for download when a client logs
in using captive portal and is assigned this role.
L2TP Pool
(optional)
This assigns an L2TP pool to the user role. For more details about
L2TP pools, see Chapter 11, “Configuring Virtual Private
Networks.
Select the required L2TP pool from the list to assign to the user
role. The inner IP addresses of VPN tunnels using L2TP will be
assigned from this pool of IP addresses for clients in this user
role.
PPTP Pool
(optional)
This assigns a PPTP pool to the user role. For more details about
PPTP pools, see Chapter 11, “Configuring Virtual Private
Networks.
Select the required PPTP pool from the list to assign to the user
role. The inner IP addresses of VPN tunnels using PPTP will be
assigned from this pool of IP addresses for clients in this user
role.
Captive Portal
Profile (optional)
This assigns a Captive Portal profile to this role. For more details
about Captive Portal profiles, see Chapter 10, “Configuring
Captive Portal.
TABLE 7-7 User Role Parameters (Continued)
Field Description
AOS-W 3.1 159
User Guide
Configuring Roles and Policies
Chapter 7
Using the WebUI to create a role:
1. Navigate to the Configuration > Security > Access Control > User Roles
page.
2. Click Add to create and configure a new user role.
3. Enter the desired name for the role.
4. Under Firewall Policies, click Add. Select a previously-configured policy from
the scrolling menu. Or, you can click Create to configure a new policy. Click
Done to add the policy to the user role being created. If more policies are
needed, follow the same process to create and add more policies to the role.
NOTE:Policies can be re-ordered by the using the up and down buttons
provided for each policy.
5. You can optionally enter configuration values as described in Ta b l e 7 - 7 .
6. Click Apply to apply this configuration.
NOTE:The role is not created until the configuration is applied.
Using the CLI to create a role:
user-role <role>
access-list session <policy> position <number>
<parameters> ...
Configuring Roles and Policies
Chapter 7
160 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Assigning User Roles
A client is assigned a user role by one of several methods. A user role assigned by
one method may take precedence over a user role assigned by a different method.
The methods of assigning user roles are, from lowest to highest precedence:
1. The initial user role for unauthenticated clients is configured in the AAA
profile for a virtual AP (see Chapter 5, “Configuring Access Points”).
2. The user role can be derived from user attributes upon the client’s association
with an AP (this is known as a user-derived role). You can configure rules that
assign a user role to clients that match a certain set of criteria. For example,
you can configure a rule to assign the role “VoIP-Phone” to any client that has
a MAC address that starts with bytes xx:yy:zz. User-derivation rules are
executed before client authentication.
3. The user role can be the default user role configured for an authentication
method, such as 802.1x or VPN. For each authentication method, you can
configure a default role for clients who are successfully authenticated using
that method.
4. The user role can be derived from attributes returned by the authentication
server and certain client attributes (this is known as a server-derived role). If
the client is authenticated via an authentication server, the user role for the
client can be based on one or more attributes returned by the server during
authentication, or on client attributes such as SSID (even if the attribute is not
returned by the server). Server-derivation rules are executed after client
authentication.
5. The user role can be derived from Vendor-Specific Attributes (VSA) for
RADIUS server authentication. A role derived from a VSA takes precedence
over any other user roles.
The following sections describe the methods of assigning user roles.
Default User Role in AAA Profile
An AAA profile defines the user role for unauthenticated clients (initial role) as
well as the default user role for MAC and 802.1x authentication.
Using the WebUI to configure user roles in the AAA profile:
1. Navigate to the Configuration > Security > Authentication > AAA Profiles
page.
2. Select the “default” profile or a user-defined AAA profile.
3. Enter the user role for Initial role.
AOS-W 3.1 161
User Guide
Configuring Roles and Policies
Chapter 7
4. Enter the user role for 802.1x Authentication Default Role and/or MAC
Authentication Default Role.
5. Click Apply.
Using the CLI to configure user roles in the AAA profile:
aaa profile <profile>
initial-role <role>
dot1x-default-role <role>
mac-default-role <role>
User-Derived Role
The user role can be derived from attributes from the client’s association with an
AP. You configure the user role to be derived by specifying condition rules; when a
condition is met, the specified user role is assigned to the client. You can specify
more than one condition rule; the order of rules is important as the first matching
condition is applied.
NOTE:User-derivation rules are executed before the client is authenticated.
Ta b l e 7 - 8 describes the conditions for which you can specify a user role.
TABLE 7-8 Conditions for User-Derived Role
Rule Type Condition Value
BSSID of AP to which
client is associated
One of the following:
contains
ends with
equals
does not equal
starts with
MAC address (xx:xx:xx:xx:xx:xx)
User class identifier
(option 77) returned by
DHCP server
equals string
Configuring Roles and Policies
Chapter 7
162 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Encryption type used
by client
One of the following:
equals
does not equal
Open (no encryption)
WPA/WPA2 AES
WPA-TKIP (static or
dynamic)
Dynamic WEP
WPA/WPA2 AES PSK
Static WEP
xSec
ESSID to which the
client is associated
One of the following:
contains
ends with
equals
does not equal
starts with
value of (does not
take string;
attribute value is
used as role)
string
AP name or AP group
which includes the AP
to which the client is
associated
One of the following:
equals
does not equal
string
MAC address of the
client
One of the following:
contains
ends with
equals
does not equal
starts with
MAC address (xx:xx:xx:xx:xx:xx)
TABLE 7-8 Conditions for User-Derived Role (Continued)
Rule Type Condition Value
AOS-W 3.1 163
User Guide
Configuring Roles and Policies
Chapter 7
Using the WebUI to configure a user-derived role:
1. Navigate to the Configuration > Security > Authentication > User Rules
page.
2. Click Add to add a new set of derivation rules. Enter a name for the set of
rules, and click Add. The name appears in the User Rules Summary list.
3. In the User Rules Summary list, select the name of the rule set to configure
rules.
4. Click Add to add a rule. For Set Type, select Role from the drop-down menu.
(You can select VLAN to configure derivation rules for setting the VLAN
assigned to a client.)
5. Configure the condition for the rule by setting the Rule Type, Condition, and
Value parameters. See Ta b l e 7 - 8 for descriptions of these parameters.
6. Select the role assigned to the client when this condition is met.
7. Click Add.
8. You can configure additional rules for this rule set. When you have added
rules to the set, use the up or down arrows in the Actions column to modify
the order of the rules. (The first matching rule is applied.)
9. Click Apply.
Using the CLI to configure a user-derived role:
aaa derivation-rules user <name>
set role condition <condition> set-value <role> position <number>
where condition consists of rule_type condition value parameters. See Tab l e 7 - 8
for descriptions of these parameters.
Default Role for Authentication Method
For each authentication method, you can configure a default role for clients who
are successfully authenticated using that method.
Using the WebUI to configure a default role for an authentication
method:
1. Navigate to the Configuration > Security > Authentication page.
2. To configure the default user role for MAC or 802.1x authentication, select
the AAA Profiles tab. Select the AAA profile. Enter the user role for MAC
Authentication Default Role or 802.1x Authentication Default Role.
Configuring Roles and Policies
Chapter 7
164 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
3. To configure the default user role for other authentication methods, select the
L2 Authentication or L3 Authentication tab. Select the authentication type
(Stateful 802.1x for L2 Authentication, Captive Portal or VPN for L3
Authentication), and then select the profile. Enter the user role for Default
Role.
4. Click Apply.
Using the CLI to configure a default role for an authentication method:
To configure the default user role for MAC or 802.1x authentication:
aaa profile <profile>
mac-default-role <role>
dot1x-default-role <role>
To configure the default user role for other authentication methods:
aaa authentication captive-portal <profile>
default-role <role>
aaa authentication stateful-dot1x
default-role <role>
aaa authentication vpn
default-role <role>
Server-Derived Role
If the client is authenticated via a RADIUS authentication server, the user role for
the client can be based on one or more attributes returned by the server during
authentication. You can also define server-derived rules based on client attributes
such as ESSID, BSSID, or MAC address, even though these attributes are not
returned by the server.
You configure the user role to be derived by specifying condition rules; when a
condition is met, the specified user role is assigned to the client. You can specify
more than one condition rule; the order of rules is important as the first matching
condition is applied.
Ta b l e 7 - 9 describes the conditions for which you can specify a user role.
AOS-W 3.1 165
User Guide
Configuring Roles and Policies
Chapter 7
Using the WebUI to configure a server-derived role:
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select the Server Group for which you want to define a server-derived role.
3. Under Server Rules, select New.
4. Configure the condition for the rule by setting the Attribute, Operation, and
Operand parameters. See Ta b l e 7 - 9 for descriptions of these parameters.
5. Under Set, select set role. Under Value, select the role assigned to the client
when this condition is met.
6. Click Add.
7. Click Apply.
Using the CLI to configure a server-derived role:
aaa server-group <group>
set role condition <condition> set-value <role> position <number>
where condition consists of attribute operation operand parameters. See
Ta b l e 7 - 9 for descriptions of these parameters.
VSA-Derived Role
Many Network Address Server (NAS) vendors use VSAs to provide features not
supported in standard RADIUS attributes. For Alcatel systems, VSAs can be
employed to provide the user role and VLAN for RADIUS-authenticated clients,
TABLE 7-9 Conditions for Server-Derived Role
Attribute Operation Operand
Use the CLI command
show aaa
radius-attributes to
see the list of server
attributes that are
supported by the
Alcatel WLAN Switch
One of the following:
contains
ends with
equals
does not equal
starts with
value of (does not
take string; attribute
value is used as role)
string
Configuring Roles and Policies
Chapter 7
166 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
however the VSAs must be present on your RADIUS server. This involves defining
the vendor and/or the vendor-specific code, vendor-assigned attribute number,
attribute format (such as string or integer), and attribute value in the RADIUS
dictionary file. VSAs supported on WLAN Switches conform to the format
recommended in RFC 2865, “Remote Authentication Dial In User Service
(RADIUS)”.
Firewall Parameters
Table 7-10 describes optional firewall parameters you can set on the WLAN
Switch. To set these options in the WebUI, navigate to the Configuration >
Advanced Services > Stateful Firewall > Global Setting page. To set these
options in the CLI, use the firewall configuration commands.
TABLE 7-10 Firewall Parameters
Parameter Description
Monitor Ping Attack Number of ICMP pings per second, which if
exceeded, can indicate a denial of service attack.
Valid range is 1-255 pings per second.
Recommended value is 4.
Default: No default
Monitor TCP SYN Attack
rate
Number of TCP SYN messages per second, which if
exceeded, can indicate a denial of service attack.
Valid range is 1-255 messages per second.
Recommended value is 32.
Default: No default
Monitor IP Session
Attack
Number of TCP or UDP connection requests per
second, which if exceeded, can indicate a denial of
service attack. Valid range is 1-255 requests per
second. Recommended value is 32.
Default: No default
Prevent L2 Bridging
between Wireless users
Prevents the forwarding of Layer-2 traffic between
wired or wireless users. You can configure user role
policies that prevent Layer-3 traffic between users or
networks but this does not block Layer-2 traffic. This
option can be used to prevent traffic, such as
Appletalk or IPX, from being forwarded.
Default: Disabled
AOS-W 3.1 167
User Guide
Configuring Roles and Policies
Chapter 7
Enforce TCP Handshake
Before Allowing Data
Prevents data from passing between two clients
until the three-way TCP handshake has been
performed. This option should be disabled when you
have mobile clients on the network as enabling this
option will cause mobility to fail. You can enable this
option if there are no mobile clients on the network.
Default: Disabled
Prohibit IP Spoofing Enables detection of IP spoofing (where an intruder
sends messages using the IP address of a trusted
client). When this option is enabled, IP and MAC
addresses are checked; possible IP spoofing attacks
are logged and an SNMP trap is sent.
Default: Disabled
Prohibit RST Replay
Attack
When enabled, closes a TCP connection in both
directions if a TCP RST is received from either
direction. You should not enable this option unless
instructed to do so by an Alcatel representative.
Default: Disabled
Log ICMP Errors Enables logging of received ICMP errors. You should
not enable this option unless instructed to do so by
an Alcatel representative.
Default: Disabled
Disable stateful SIP
Processing
Disables monitoring of exchanges between a voice
over IP or voice over WLAN device and a SIP server.
This option should be enabled only when there is no
VoIP or VoWLAN traffic on the network.
Default: Disabled (stateful SIP processing is enabled)
Allow Tri-session with
DNAT
Allows three-way session when performing
destination NAT. This option should be enabled when
the WLAN Switch is not the default gateway for
wireless clients and the default gateway is behind
the WLAN Switch. This option is typically used for
captive portal configuration.
Default: Disabled.
Session Mirror
Destination
Destination to which mirrored session packets are
sent. You can configure IP flows to be mirrored with
the session ACL mirror option. This option is used
only for troubleshooting or debugging.
Default: N/A
TABLE 7-10 Firewall Parameters (Continued)
Parameter Description
Configuring Roles and Policies
Chapter 7
168 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Session Idle Timeout Set the time, in seconds, that a non-TCP session can
be idle before it is removed from the session table.
Specify a value in the range 16-259 seconds. You
should not set this option unless instructed to do so
by an Alcatel representative.
Default: 30 seconds
Disable FTP Server Disables the FTP server on the WLAN Switch.
Enabling this option prevents FTP transfers. You
should not enable this option unless instructed to do
so by an Alcatel representative.
Default: Disabled (FTP server is enabled)
GRE Call ID Processing Creates a unique state for each PPTP tunnel. You
should not enable this option unless instructed to do
so by an Alcatel representative.
Default: Disabled
Per-packet Logging Enables logging of every packet if logging is enabled
for the corresponding session rule. Normally, one
event is logged per session. If you enable this option,
each packet in the session is logged. You should not
enable this option unless instructed to do so by an
Alcatel representative, as doing so may create
unnecessary overhead on the WLAN Switch.
Default: Disabled (per-session logging is performed)
VoIP Proxy ARP Reduces the number of broadcast packets sent to
VoIP clients, thereby improving the battery life of
voice handsets. You can enable this option for voice
handsets in conjunction with increasing the DTIM
interval on clients.
Default: Disabled
Enforce WMM Voice
Priority Matches Flow
Content
If traffic to or from the user is inconsistent with the
associated QoS policy for voice, the traffic is
reclassified to best effort and data path counters
incremented.
Default: Disabled
TABLE 7-10 Firewall Parameters (Continued)
Parameter Description
AOS-W 3.1 169
User Guide
Configuring Authentication
Servers 8
The AOS-W software allows you to use an external authentication server or the
WLAN Switch’s internal user database to authenticate clients who need to access
the wireless network.
NOTE:In order for an external authentication server to process requests from
the Alcatel WLAN Switch, you must configure the server to recognize the
WLAN Switch. Refer to the vendor documentation for information on
configuring the authentication server.
For example, instructions on how to configure Microsoft’s IAS and Active
Directory can be obtained at http://technet2.microsoft.com/
windowsserver/en/technologies/ias.mspx and
http://technet2.microsoft.com/windowsserver/en/technologies/featured/
ad/default.mspx, respectively.
This chapter describes the following topics:
“Servers and Server Groups” on page 170
“Configuring Servers” on page 171
“Configuring Server Groups” on page 177
“Configuring Authentication Timers” on page 182
Configuring Authentication Servers
Chapter 8
170 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Servers and Server Groups
You can configure AOS-W to interface with the following external authentication
servers:
Remote Authentication Dial-In User Service (RADIUS)
Lightweight Directory Access Protocol (LDAP)
Terminal Access Controller Access Control System (TACACS+)
You can also use the WLAN Switch’s internal database to authenticate users. You
create entries in the database for users and their passwords and default role.
You can create groups of servers for specific types of authentication — for
example, you can specify one or more RADIUS servers to be used for 802.1x
authentication. The list of servers in a server group is an ordered list. This means
that the first server in the list is always used unless it is unavailable, in which case
the next server in the list is used. You can configure servers of different types in
one group — for example, you can include the internal database as a backup to a
RADIUS server.
Figure 8-18 shows a server group “Radii” that consists of two RADIUS servers,
Radius-1 and Radius-2. The server group is assigned to the server group for
802.1x authentication.
FIGURE 8-18 Server Group
Server names are unique and you can add a server to only one server group. You
must configure the server before you can add it to a server group.
NOTE:If you are using the WLAN Switch’s internal database for user
authentication, use the predefined “Internal” server group.
You can also include conditions for server-derived user roles or VLANs in the
server group configuration. The server derivation rules apply to all servers in the
group.
RADIUS-1
RADIUS-2
SERVER
GROUP RADII
802.1X
SERVER GROUP
AOS-W 3.1 171
User Guide
Configuring Authentication Servers
Chapter 8
Configuring Servers
This section describes how to configure RADIUS, LDAP, and TACACS+ external
authentication servers and the internal database on the WLAN Switch.
Configuring a RADIUS Server
Table 8-11 describes the parameters you configure for a RADIUS server.
TABLE 8-11 RADIUS Server Configuration Parameters
Parameter Description
Host IP address of the authentication server.
Default: N/A
Key Shared secret between the WLAN Switch and the
authentication server. The maximum length is 48
bytes.
Default: N/A
Authentication Port Authentication port on the server.
Default: 1812
Accounting Port Accounting port on the server
Default: 1813
Retransmits Maximum number of retries sent to the server by the
WLAN Switch before the server is marked as down.
Default: 3
Timeout Maximum time, in seconds, that the WLAN Switch
waits before timing out the request and resending it.
Default: 5 seconds
NAS ID Network Access Server (NAS) identifier to use in
RADIUS packets.
Default: N/A
Configuring Authentication Servers
Chapter 8
172 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the WebUI to configure a RADIUS server:
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Radius Server to display the Radius Server List.
3. To configure a RADIUS server, enter the name for the server and click Add.
4. Select the name to configure server parameters. Enter parameters as
described in Table 8-11. Select the Mode checkbox to activate the
authentication server.
5. Click Apply to apply the configuration.
NOTE:The configuration does not take effect until you perform this step.
Using the CLI to configure a RADIUS server:
aaa authentication-server radius <name>
host <ipaddr>
key <key>
enable
NAS IP NAS IP address to send in RADIUS packets.
You can configure a “global” NAS IP address that the
WLAN Switch uses for communications with all
RADIUS servers. If you do not configure a
server-specific NAS IP, the global NAS IP is used. To
set the global NAS IP in the WebUI, navigate to the
Configuration > Security > Authentication >
Advanced page. To set the global NAS IP in the CLI,
enter the ip radius nas-ip ipaddr command.
Default: N/A
Use MD5 Use MD5 hash of cleartext password.
Default: disabled
Mode Enables or disables the server.
Default: enabled
TABLE 8-11 RADIUS Server Configuration Parameters (Continued)
Parameter Description
AOS-W 3.1 173
User Guide
Configuring Authentication Servers
Chapter 8
Configuring an LDAP Server
Table 8-12 describes the parameters you configure for an LDAP server.
TABLE 8-12 LDAP Server Configuration Parameters
Parameter Description
Host IP address of the LDAP server.
Default: N/A
Admin-DN Distinguished name for the admin user who has
read/search privileges across all the entries in the
LDAP database (the user need not have write
privileges but the user should be able to search the
database, and read attributes of other users in the
database).
Admin Password Password for the admin user.
Default: N/A
Allow Clear-Text Allows clear-text (unencrypted) communication with
the LDAP server.
Default: disabled
Authentication Port Port number used for authentication.
Default: 389
Base-DN Distinguished Name of the node which contains the
entire user database to use.
Default: N/A
Filter Filter that should be applied to search of the user in
the LDAP database (default filter string is:
ì(objectclass=*)î ).
Default: N/A
Key Attribute Attribute that should be used as a key in search for
the LDAP server. For Active Directory, the value is
sAMAccountName.
Default: sAMAccountName
Timeout Timeout period of a LDAP request, in seconds.
Default: 20 seconds
Mode Enables or disables the server.
Default: enabled
Configuring Authentication Servers
Chapter 8
174 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the WebUI to configure an LDAP server:
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select LDAP Server to display the LDAP Server List.
3. To configure an LDAP server, enter the name for the server and click Add.
4. Select the name to configure server parameters. Enter parameters as
described in Table 8-12. Select the Mode checkbox to activate the
authentication server.
5. Click Apply to apply the configuration.
NOTE:The configuration does not take effect until you perform this step.
Using the CLI to configure an LDAP server:
aaa authentication-server ldap <name>
host <ipaddr>
(enter parameters as described in Table 8-12)
enable
Configuring a TACACS+ Server
Table 8-13 describes the parameters you configure for a TACACS+ server.
TABLE 8-13 TACACS+ Server Configuration Parameters
Parameter Description
Host IP address of the server.
Default: N/A
Key Shared secret to authenticate communication
between the TACACS+ client and server.
Default: N/A
TCP Port TCP port used by server.
Default: 49
AOS-W 3.1 175
User Guide
Configuring Authentication Servers
Chapter 8
Using the WebUI to configure a TACACS+ server:
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select TACACS Server to display the TACACS Server List.
3. To configure a TACACS+ server, enter the name for the server and click Add.
4. Select the name to configure server parameters. Enter parameters as
described in Table 8-13. Select the Mode checkbox to activate the
authentication server.
5. Click Apply to apply the configuration.
NOTE:The configuration does not take effect until you perform this step.
Using the CLI to configure a TACACS+ server:
aaa authentication-server tacacs <name>
host <ipaddr>
key <key>
enable
Configuring the Internal Database
You can create entries in the WLAN Switch’s internal database that can be used
to authenticate clients. The internal database contains a list of clients along with
the password and default role for each client. When you configure the internal
database as an authentication server, client information in incoming
authentication requests is checked against the internal database.
Retransmits Maximum number of times a request is retried.
Default: 3
Timeout Timeout period for TACACS+ requests, in seconds.
Default: 20 seconds
Mode Enables or disables the server.
Default: enabled
TABLE 8-13 TACACS+ Server Configuration Parameters (Continued)
Parameter Description
Configuring Authentication Servers
Chapter 8
176 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
NOTE:By default, the internal database in the master WLAN Switch is used for
authentication. You can choose to use the internal database in a local
WLAN Switch by entering the CLI command aaa authentication-
server internal use-local-switch. If you use the internal database in a
local WLAN Switch, you need to add clients on the local WLAN Switch.
Table 8-14 describes the information required for internal database entries.
Using the WebUI to configure users in the internal database:
1. Navigate to the Configuration > Security > Authentication > Servers > page.
2. Select Internal DB.
3. Click Add User in the Users section. The user configuration page displays.
4. Enter the information for the client.
5. Click Enabled to activate this entry on creation.
6. Click Apply to apply the configuration.
NOTE:The configuration does not take effect until you perform this step.
Using the CLI to configure users in the internal database:
Enter the following command in enable mode:
local-userdb add {generate-username|username <name>}
{generate-password|password <password>}
TABLE 8-14 Internal Database Configuration Parameters
Parameters Description
User Name (Required) Enter a user name or select Generate to
automatically generate a user name.
Password (Required) Enter a password or select Generate to
automatically generate a password string.
Role Role for the client if not otherwise configured (optional field,
default is guest)
E-mail (Optional) E-mail address of the client
Entry does not
expire/Expiration
No expiration on user entry, expiration duration (in minutes),
or specific time and date of expiration
AOS-W 3.1 177
User Guide
Configuring Authentication Servers
Chapter 8
Configuring Server Groups
You can create groups of servers for specific types of authentication — for
example, you can specify one or more RADIUS servers to be used for 802.1x
authentication. The list of servers in a server group is an ordered list. This means
that the first server in the list is always used unless it is unavailable, in which case
the next server in the list is used. You can configure servers of different types in
one group — for example, you can include the internal database as a backup to a
RADIUS server.
Server names are unique and you can add a server to only one server group. The
server must be configured before you can include it in a server group.
NOTE:If you installed the ESI license in the Alcatel WLAN Switch, clients can be
authenticated by specific servers based on the fully-qualified domain
name (FQDN) and Extended Service Set Identifier (ESSID) of the client.
See Chapter 21, “External Services Interface” for more information.
Table 8-15 describes the parameters you can configure for a server group.
Configuring Server Rules
When you configure a server group, you can set the VLAN or role for clients based
on attributes returned for the client by the server during authentication. The
server derivation rules apply to all servers in the group. The user role or VLAN
assigned through server derivation rules take precedence over the default role and
VLAN configured for the authentication method.
TABLE 8-15 Server Group Configuration Parameters
Parameter Description
Name Name of the server.
Default: N/A
trim-FQDN Trim the FQDN from the username before sending to
the server.
Default: N/A
match-FQDN Match the FQDN.
Default: N/A
Position Position of the server in the group list. 1 is the top.
Default: bottom
Configuring Authentication Servers
Chapter 8
178 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
NOTE:The authentication servers have to be configured to return the attributes
for the clients during authentication. For instructions on configuring the
authentication attributes in a Windows environment using IAS, refer to the
documentation at http://technet2.microsoft.com/windowsserver/
en/technologies/ias.mspx.
The server rules are applied based on the first match principle. The first rule that is
applicable for the server and the attribute returned is applied to the client and
would be the only rule applied from the server rules. These rules are applied
uniformly across all servers in the server group.
Table 8-16 describes the server rule parameters you can configure.
TABLE 8-16 Server Rule Configuration Parameters
Parameter Description
Role or VLAN The server derivation rules can be for either user role or VLAN
assignment. With Role assignment, a client can be assigned a
specific role based on the attributes returned. In case of VLAN
assignment, the client can be placed in a specific VLAN based on
the attributes returned.
Attribute This is the attribute returned by the authentication server that is
examined for Operation and Operand match.
Operation This is the match method by which the string in Operand is
matched with the attribute value returned by the authentication
server.
contains – The rule is applied if and only if the attribute value
contains the string in parameter Operand.
starts-with – The rule is applied if and only if the attribute
value returned starts with the string in parameter Operand.
ends-with – The rule is applied if and only if the attribute
value returned ends with the string in parameter Operand.
equals - The rule is applied if and only if the attribute value
returned equals the string in parameter Operand.
not-equals - The rule is applied if and only if the attribute
value returned is not equal to the string in parameter
Operand.
value-of – This is a special condition. What this implies is
that the role or VLAN is set to the value of the attribute
returned. For this to be successful, the role and the VLAN ID
returned as the value of the attribute selected must be
already configured on the WLAN Switch when the rule is
applied.
AOS-W 3.1 179
User Guide
Configuring Authentication Servers
Chapter 8
Using the WebUI to configure a server group:
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Server Group to display the Server Group list.
3. Enter the name of the new server group and click Add.
4. Select the name to configure the server group.
5. Under Servers, click New to add a server to the group.
A. Select a server from the drop-down menu and click Add.
B. Repeat the above step to add other servers to the group.
6. Under Server Rules, click New to add server derivation rules for assigning a
user role or VLAN.
A. Enter the attribute.
B. Select the operation from the drop-down menu.
C. Enter the operand.
D. Select Set VLAN or Set Role from the drop-down menu.
E. Enter the value (either user role or VLAN) to be assigned.
F. Click Add.
G. Repeat the above steps to add other rules for the server group.
7. Click Apply.
Using the CLI to configure a server group:
aaa server-group <name>
auth-server <name>
set {role|vlan} condition <condition> set-value {<role>|<vlan>}
[position number]
Operand This is the string to which the value of the returned attribute is
matched.
Value The user role or the VLAN applied to the client when the rule is
matched.
Position Position of the condition rule. Rules are applied based on the first
match principle. 1 is the top.
Default: bottom
TABLE 8-16 Server Rule Configuration Parameters (Continued)
Parameter Description
Configuring Authentication Servers
Chapter 8
180 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Assigning Server Groups
You can create server groups for the following purposes:
user authentication
management authentication
accounting
You can configure all types of servers for user and management authentication
(see Table 8-17). Accounting is only supported with RADIUS and TACACS+
servers when RADIUS or TACACS+ is used for authentication.
User Authentication
For information about assigning a server group for user authentication, see the
configuration chapter for the authentication method.
Management Authentication
Users who need to access the WLAN Switch to monitor, manage, or configure the
Alcatel OmniAccess system can be authenticated with RADIUS, TACACS+, or
LDAP servers or the internal database.
Using the WebUI to assign a server group for management
authentication:
1. Navigate to the Configuration > Management > Administration page.
2. Under the Management Authentication Servers section, select the Server
Group.
3. Click Apply.
Using the CLI to assign a server group for management
authentication:
aaa authentication mgmt
server-group <group>
TABLE 8-17 Server Types and Purposes
RADIUS TACACS+ LDAP Internal Database
User authentication Yes Yes Yes Yes
Management authentication Yes Yes Yes Yes
Accounting Yes Yes
AOS-W 3.1 181
User Guide
Configuring Authentication Servers
Chapter 8
Accounting
You can configure accounting for RADIUS and TACACS+ server groups.
NOTE:RADIUS or TACACS+ accounting is only supported when RADIUS or
TACACS+ is used for authentication. You cannot configure accounting
when authenticating users through the internal database.
RADIUS Accounting
RADIUS accounting allows user login and logout times to be reported to RADIUS
servers.
Using the WebUI to assign a server group for RADIUS accounting:
1. Navigate to the Configuration > Security > Authentication > AAA Profiles
page.
2. Select AAA Profile, then select the AAA profile instance.
3. Scroll down and select Radius Accounting Server Group. Select the server
group from the drop-down menu.
You can add additional servers to the group or configure server rules.
4. Click Apply.
Using the CLI to assign a server group for RADIUS accounting:
aaa profile <profile>
radius-accounting <group>
TACACS+ Accounting
TACACS+ accounting allows commands issued on the WLAN Switch to be
reported to TACACS+ servers. You can specify the types of commands that are
reported (action, configuration, or show commands) or have all commands
reported.
You can configure TACACS+ accounting only with the CLI:
aaa tacacs-accounting server-group <group> command
{action|all|configuration|show} mode {enable|disable}
Configuring Authentication Servers
Chapter 8
182 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Configuring Authentication Timers
Table 8-18 describes the timers you can configure that apply to all clients and
servers. These timers can be left at their default values for most implementations.
TABLE 8-18 Authentication Timers
Timer Description
User Idle Timeout Maximum period, in minutes, after which a client is
considered idle if there are no new sessions started with
the client. The timeout period is reset if there is a new
client session. After this timeout period has elapsed, the
WLAN Switch sends probe packets to the client; if the
client responds to the probe, it is considered active and
the User Idle Timeout is reset (an active client that is not
initiating new sessions is not removed). If the client does
not respond to the probe, it is removed from the system.
To prevent clients from timing out, set the value in the
field to 0.
Default: 5 minutes
Authentication
Server Dead Time
Maximum period, in minutes, that the WLAN Switch
considers an unresponsive authentication server to be
“out of service”.
This timer is only applicable if there are two or more
authentication servers configured on the WLAN Switch. If
there is only one authentication server configured, the
server is never considered out of service and all requests
are sent to the server.
If one or more backup servers are configured and a server
is unresponsive, it is marked as out of service for the
dead time; subsequent requests are sent to the next
server on the priority list for the duration of the dead time.
If the server is responsive after the dead time has elapsed,
it can take over servicing requests from a lower-priority
server; if the server continues to be unresponsive, it is
marked as down for the dead time.
Default: 10 minutes
Logon User Lifetime Maximum time, in minutes, unauthenticated clients are
allowed to remain logged on.
Default: 5 minutes
AOS-W 3.1 183
User Guide
Configuring Authentication Servers
Chapter 8
Using the WebUI to set an authentication timer:
1. Navigate to the Configuration > Security > Authentication > Advanced page.
2. Configure the timers as described above.
3. Click Apply before moving on to another page or closing the browser
window. Failure to do this results in loss of configuration and you will have to
reconfigure the settings.
Using the CLI to set an authentication timer:
aaa timers {dead-time|idle-timeout|logon-lifetime} <minutes>
Configuring Authentication Servers
Chapter 8
184 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 185
User Guide
Configuring 802.1x
Authentication 9
802.1x is an Institute of Electrical and Electronics Engineers (IEEE) standard that
provides an authentication framework for WLANs. 802.1x uses the Extensible
Authentication Protocol (EAP) to exchange messages during the authentication
process. The authentication protocols that operate inside the 802.1x framework
that are suitable for wireless networks include EAP-Transport Layer Security
(EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS). These
protocols allow the network to authenticate the client while also allowing the
client to authenticate the network.
This chapter describes the following topics:
“Overview of 802.1x Authentication” on page 186
“Configuring 802.1x Authentication” on page 190
“Example Configurations” on page 196
Advanced Configuration Options for 802.1x” on page 224
Configuring 802.1x Authentication
Chapter 9
186 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Overview of 802.1x Authentication
802.1x authentication consists of three components:
The supplicant, or client, is the device attempting to gain access to the
network. You can configure the Alcatel OmniAccess system to support
802.1x authentication for wired users as well as wireless users.
The authenticator is the gatekeeper to the network and permits or denies
access to the supplicants.
The Alcatel WLAN Switch acts as the authenticator, relaying information
between the authentication server and supplicant. The EAP type must be
consistent between the authentication server and supplicant and is
transparent to the WLAN Switch.
The authentication server provides a database of information required for
authentication and informs the authenticator to deny or permit access to the
supplicant.
The 802.1x authentication server is typically an EAP-compliant Remote
Access Dial-In User Service (RADIUS) server which can authenticate either
users (through passwords or certificates) or the client computer.
An example of an 802.1x authentication server is the Internet Authentication
Service (IAS) in Windows (see http://technet2.microsoft.com/
windowsserver/en/technologies/ias.mspx).
In Alcatel OmniAccess systems, you can terminate the 802.1x authentication
on the WLAN Switch. The WLAN Switch passes user authentication to its
internal database or to a “backend” non-802.1x server. This feature, also
called “AAA FastConnect,” is useful for deployments where an 802.1x
EAP-compliant RADIUS server is not available or required for authentication.
AOS-W 3.1 187
User Guide
Configuring 802.1x Authentication
Chapter 9
Authentication with a RADIUS Server
Figure 9-19 is an overview of the parameters that you need to configure on
authentication components when the authentication server is an 802.1x
EAP-compliant RADIUS server.
FIGURE 9-19 802.1x Authentication with RADIUS Server
The supplicant and authentication server must be configured to use the same
EAP type. The WLAN Switch does not need to know the EAP type used between
the supplicant and authentication server.
For the WLAN Switch to communicate with the authentication server, you must
configure the IP address, authentication port, and accounting port of the server
on the WLAN Switch. The authentication server must be configured with the IP
address of the RADIUS client, which is the WLAN Switch in this case. Both the
WLAN Switch and the authentication server must be configured to use the same
shared secret.
Additional information on EAP types supported in a Windows environment,
Microsoft supplicants, and authentication server, is available at
http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/eap.mspx.
As described in Chapter 1, “Overview of the Alcatel OmniAccess System,” the
client communicates with the WLAN Switch through a GRE tunnel in order to
form an association with an AP and to authenticate to the network. Therefore, the
network authentication and encryption configured for an ESSID must be the same
on both the client and the WLAN Switch.
CLIENT
(SUPPLICANT)
WLAN SWITCH
(AUTHENTICATOR)
AUTHENTICATION
SERVER
• SERVER IP
• SHARED SECRET
• AUTH PORT
• ACCT PORT
• CLIENT IP
• SHARED SECRET
• ESSID
• NETWORK AUTHENTICATION
• DATA ENCRYPTION
• ESSID
• NETWORK AUTHENTICATION
• DATA ENCRYPTION
• EAP TYPE• EAP TYPE
Configuring 802.1x Authentication
Chapter 9
188 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
“Configuring 802.1x Authentication” on page 190 describes 802.1x configuration
on the WLAN Switch.
Authentication Terminated on WLAN Switch
Figure 9-20 is an overview of the parameters that you need to configure on
802.1x authentication components when 802.1x authentication is terminated on
the WLAN Switch (AAA FastConnect). User authentication is performed either via
the WLAN Switch’s internal database or a non-802.1x server.
FIGURE 9-20 802.1x Authentication with Termination on WLAN Switch
In this scenario, the supplicant is configured for EAP-Transport Layer Security
(TLS) or EAP-Protected EAP (PEAP).
EAP-TLS is used with smart card user authentication. A smart card holds a
digital certificate which, with the user-entered personal identification number
(PIN), allows the user to be authenticated on the network. EAP-TLS relies on
digital certificates to verify the identities of both the client and server.
NOTE:EAP-TLS requires that you import server and certification authority
(CA) certificates, and the certificate revocation list (CRL) on the
WLAN Switch (see Chapter 18, “Configuring Management Access”).
The client certificate is verified on the WLAN Switch (the client
certificate must be signed by a known CA) before the user name is
checked on the authentication server.
EAP-PEAP uses TLS to create an encrypted tunnel. Within the tunnel, one of
the following “inner EAP” methods is used:
CLIENT
(SUPPLICANT)
WLAN SWITCH
(AUTHENTICATOR AND
AUTHENTICATION SERVER)
• EAP TYPE = EAP-TLS
OR EAP-PEAP
• ESSID
• NETWORK AUTHENTICATION
• DATA ENCRYPTION
USER AUTHENTICATION
VIA INTERNAL DATABASE
OR NON-802.1X SERVER
• EAP TYPE = EAP-TLS
OR EAP-PEAP
• ESSID
• NETWORK AUTHENTICATION
• DATA ENCRYPTION
AOS-W 3.1 189
User Guide
Configuring 802.1x Authentication
Chapter 9
zEAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method
permits the transfer of unencrypted usernames and passwords from
client to server. The main uses for EAP-GTC are one-time token cards
such as SecureID and the use of an LDAP or RADIUS server as the user
authentication server. You can also enable caching of user credentials on
the WLAN Switch as a backup to an external authentication server.
zEAP-Microsoft Challenge Handshake Authentication Protocol version 2
(MS-CHAPv2): Described in RFC 2759, this EAP method is widely
supported by Microsoft clients. A RADIUS server must be used as the
backend authentication server.
If you are using the WLAN Switch’s internal database for user authentication, you
need to add the names and passwords of the users to be authenticated. If you are
using an LDAP server for user authentication, you need to configure the LDAP
server on the WLAN Switch, and configure user IDs and passwords. If you are
using a RADIUS server for user authentication, you need to configure the RADIUS
server on the WLAN Switch.
The following section describes how to configure 802.1x authentication on the
WLAN Switch.
NOTE:Alcatel WLAN Switches ship with a demonstration digital certificate. Until
you install a customer-specific server certificate in the WLAN Switch, this
demonstration certificate is used by default for all secure HTTP
connections (such as the WebUI and captive portal) and AAA
FastConnect. This certificate is included primarily for the purposes of
feature demonstration and convenience and is not intended for long-term
use in production networks. Users in a production environment are urged
to obtain and install a certificate issued for their site or domain by a
well-known certificate authority (CA). See “Managing Certificates” on
page 373 for more information.
Configuring 802.1x Authentication
Chapter 9
190 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Configuring 802.1x Authentication
On the WLAN Switch, use the following steps to configure a wireless network
that uses 802.1x authentication:
1. Configure the VLANs to which the authenticated users will be assigned. See
Chapter 3, “Configuring Network Parameters.
2. Configure policies and roles. You can specify a default role for users who are
successfully authenticated using 802.1x. You can also configure server
derivation rules to assign a user role based on attributes returned by the
authentication server; server-derived user roles take precedence over default
roles. For more information about policies and roles, see Chapter 7,
“Configuring Roles and Policies.
NOTE:The AOS-W Policy Enforcement Firewall module provides
identity-based security for wired and wireless users and must be
installed on the WLAN Switch. The stateful firewall allows user
classification based on user identity, device type, location and time of
day and provides differentiated access for different classes of users.
For information about obtaining and installing licenses, see Chapter
19, “Managing Software Feature Licenses.
3. Configure the authentication server(s) and server group. The server can be an
802.1x RADIUS server or, if you are using AAA FastConnect, a non-802.1x
server or the WLAN Switch’s internal database. If you are using EAP-GTC
within a PEAP tunnel, you can configure an LDAP or RADIUS server as the
authentication server (see Chapter 8, “Configuring Authentication Servers.) If
you are using EAP-TLS, you need to import server and CA certificates and the
CRL for validating client certificates on the WLAN Switch (see “Managing
Certificates” on page 373).
4. Configure the AAA profile. Select the 802.1x default user role.
5. Configure the 802.1x authentication profile. See “802.1x Authentication
Profile” on page 191.
6. Configure the virtual AP profile for an AP group or for a specific AP:
zSelect the AAA profile you previously configured.
zSelect the server group you previously configured for the 802.1x
authentication server group.
zIn the SSID profile, configure the WLAN for 802.1x authentication.
For details on how to complete the above steps, see “Example Configurations” on
page 196.
AOS-W 3.1 191
User Guide
Configuring 802.1x Authentication
Chapter 9
802.1x Authentication Profile
This section describes how to create and configure a new instance of an 802.1x
authentication profile in the WebUI or the CLI.
Using the WebUI to configure an 802.1x authentication profile:
1. Navigate to the Configuration > Security > Authentication > L2
Authentication page.
2. In the Profiles list, select 802.1x Authentication Profile.
3. Enter a name for the profile, then click Add.
4. Click Apply.
5. In the Profiles list, select the 802.1x authentication profile you just created.
6. Configure the basic parameters described in Tab l e 9 - 1 9 .
7. Click Apply.
Using the CLI to configure an 802.1x authentication profile:
aaa authentication dot1x <name>
Table 9-19 describes the options for the 802.1x authentication profile in the Basic
tab for the WebUI:
Configuring 802.1x Authentication
Chapter 9
192 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
TABLE 9-19 802.1x Authentication Profile Basic WebUI Parameters
Parameter Description
Max authentication
failures
Number of times a user can try to login with wrong
credentials after which the user will be blacklisted as
a security threat.
Set to 0 to disable blacklisting, otherwise enter a
non-zero integer to blacklist the user after the
specified number of failures.
Default: 0
Enforce Machine
Authentication
(For Windows environments only) Select this option
to enforce machine authentication before user
authentication. If selected, either the Machine
Authentication Default Role or the User
Authentication Default Role is assigned to the user,
depending on which authentication is successful.
Default: disabled
Machine Authentication:
Default Machine Role
Select the default role to be assigned to the user
after completing only machine authentication.
Default: guest
Machine Authentication:
Default User Role
Select the default role to be assigned to the user
after completing 802.1x authentication.
Default: guest
Reauthentication Select this option to force the client to do a 802.1x
re-authentication after the expiration of the default
timer for re-authentication. The default value of the
timer (Reauthentication Interval) is 24 hours. If the
user fails to re-authenticate with valid credentials,
the state of the user is cleared.
If derivation rules are used to classify
802.1x-authenticated users, then the
Re-authentication timer per role overrides this
setting.
Default: disabled
AOS-W 3.1 193
User Guide
Configuring 802.1x Authentication
Chapter 9
Configuring User and Computer Authentication
When a Windows computer boots, it logs onto the network domain using a
machine account. Within the domain, the device is authenticated before computer
group policies and software settings can be executed; this process is known as
machine authentication. Machine authentication ensures that only authorized
computers are allowed on the network.
802.1x can be used to perform user and machine authentication (in Table 9-19,
this is the Enforce Machine Authentication option). This tightens the
authentication process further since both computer and user need to be
authenticated.
Enabling machine authentication creates the following scenarios.
Both machine and user authentication fail
Termination Select this option to terminate 802.1x authentication
on the WLAN Switch.
Default: disabled
Termination EAP-Type The EAP method, either EAP-PEAP or EAP-TLS.
Default: eap-peap
Termination Inner
EAP-Type
Select one of the following:
EAP-Transport Layer Security (TLS): This EAP
method is used with smart card user
authentication.
EAP-Generic Token Card (GTC): Described in
RFC 2284, this EAP method permits the transfer
of unencrypted usernames and passwords from
client to server. The main uses for EAP-GTC are
one-time token cards such as SecureID and the
use of LDAP or RADIUS as the user
authentication server. You can also enable
caching of user credentials on the WLAN Switch
as a backup to an external authentication server.
EAP-Microsoft Challenge Authentication
Protocol version 2 (MS-CHAPv2): Described in
RFC 2759, this EAP method is widely supported
by Microsoft clients.
Default: eap-mschapv2
TABLE 9-19 802.1x Authentication Profile Basic WebUI Parameters
Parameter Description
Configuring 802.1x Authentication
Chapter 9
194 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Machine authentication fails while user authentication passes
Machine authentication passes while user authentication fails
Both machine and user authentication pass
Table 9-20 describes the results of each scenario.
TABLE 9-20 User and Machine Authentication Scenarios
Machine
Auth
Status
User
Auth
Status
Description Role Typical Access
Policy
Failed Failed Both machine
authentication and user
authentication failed. L2
authentication failed.
(Not applicable) No access to
network.
Failed Passed If machine authentication
fails (for example, the
machine information is
not present on the server)
and user authentication
succeeds, the user is
assigned the User
Authentication Default
Role. Derivation roles, if
present, do not apply.
User
authentication
default role.
Limited access
depending on
the role.
Passed Failed If machine authentication
succeeds and user
authentication has not
been initiated, the role
assigned would be the
Machine Authentication
Default Role. Derivation
rules, if present, do not
apply
Machine
authentication
default role.
Access
depends on
the physical
security of the
device.
AOS-W 3.1 195
User Guide
Configuring 802.1x Authentication
Chapter 9
For example, if the following roles are configured:
role assignments would be as follows:
If machine authentication succeeds, the role assigned would be the dot1x_mc
role.
If only user authentication succeeds, the role assigned would be the guest
role.
If both machine and user authentication succeed, the role assigned would be
dot1x_user.
On failure of any type of authentication, the user does not have access to the
network.
NOTE:When you enable machine authentication, there are three different role
options you configure (as described above) – the User Authentication
Default Role, the Machine Authentication Default Role and the Default
role. While you can select the same role in all three options, you should
define the roles as per the polices that need to be enforced.
Passed Passed In case both machine and
user are successfully
authenticated, the
resultant role is the
802.1x default role. In
case of derivation rules,
the rules assigned to the
user via derivation rules
will take precedence over
the default role. This is the
only case where
derivation rules are
applied.
Default role or
role assigned
by derivation
rules.
Most secure
since both
authentication
s succeeded.
Permissions
could not
depend purely
on the user
classification
like guest,
employee,
admin, etc.
Default role: dot1x_user
Machine Authentication default role: dot1x_mc
User Authentication default role: guest
User VLAN: 100 (configured by role)
TABLE 9-20 User and Machine Authentication Scenarios (Continued)
Machine
Auth
Status
User
Auth
Status
Description Role Typical Access
Policy
Configuring 802.1x Authentication
Chapter 9
196 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Example Configurations
The following examples show basic configurations on the WLAN Switch for:
Authentication with an 802.1x RADIUS Server” on page 196
Authentication with the WLAN Switch’s Internal Database” on page 211
In the following examples:
Wireless clients associate to the ESSID WLAN-01.
The following roles allow different networks access capabilities:
zstudent
zfaculty
zguest
zsystem administrators
The examples show how to configure using the WebUI and CLI commands.
Authentication with an 802.1x RADIUS Server
In the following example:
An EAP-compliant RADIUS server provides the 802.1x authentication.
NOTE:The RADIUS server administrator must configure the server to
support this authentication. The administrator must also configure
the server to allow communication with the Alcatel WLAN Switch.
The authentication type is WPA. From the 802.1x authentication exchange,
the client and the WLAN Switch derive dynamic keys to encrypt data
transmitted on the wireless network.
802.1x authentication based on PEAP with MS-CHAPv2 provides both
computer and user authentication. If a user attempts to log in without the
computer being authenticated first, the user is placed into a more limited
“guest” user role.
Windows domain credentials are used for computer authentication, and the
user’s Windows login and password are used for user authentication. A
single user sign-on facilitates both authentication to the wireless network
and access to the Windows server resources.
NOTE:Appendix D, “Windows Client Example Configuration for 802.1x”
provides example configurations for a Windows XP wireless client,
Microsoft Active Directory Server, and Microsoft Internet Authentication
Server that would operate with the WLAN Switch configuration shown in
this section.
AOS-W 3.1 197
User Guide
Configuring 802.1x Authentication
Chapter 9
Configuring Policies and Roles
Create the following policies and user roles:
The student policy prevents students from using telnet, POP3, FTP, SMTP,
SNMP, or SSH to the wired portion of the network. The student policy is
mapped to the student user role.
The faculty policy is similar to the student policy, however faculty members
are allowed to use POP3 and SMTP for VPN remote access from home.
(Students are not permitted to use VPN remote access.) The faculty policy is
mapped to the faculty user role.
The guest policy permits only access to the Internet (via HTTP or HTTPS) and
only during daytime working hours. The guest policy is mapped to the guest
user role.
The allowall policy, a predefined policy, allows unrestricted access to the
network. The allowall policy is mapped to both the sysadmin user role and
the computer user role.
Using the Web to create the student policy and role:
1. Navigate to the Configuration > Security > Access Control > Policies page.
Select Add to add the student policy.
2. For Policy Name, enter student.
3. Under Rules, select Add to add rules for the policy.
A. Under Source, select user.
B. Under Destination, select alias.
NOTE:The following steps define an alias representing all internal
network addresses. Once defined, you can use the alias for other
rules and policies.
I. Under the alias selection, click New.
II. For Destination Name, enter “Internal Network”.
a. Click Add to add a rule.
b. For Rule Type, select network.
c. For IP Address, enter 10.0.0.0.
d. For Network Mask/Range, enter 255.0.0.0.
e. Click Add to add the network range.
f. Repeat steps a-e to add the network range 172.16.0.0
255.255.0.0.
Configuring 802.1x Authentication
Chapter 9
198 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
g. Click Apply. The alias “Internal Network” appears in the
Destination menu
C. Under Destination, select Internal Network.
D. Under Service, select service. In the Service scrolling list, select
svc-telnet.
E. Under Action, select drop.
F. Click Add.
4. Under Rules, click Add.
A. Under Source, select user.
B. Under Destination, select alias. Then select Internal Network.
C. Under Service, select service. In the Service scrolling list, select
svc-pop3.
D. Under Action, select drop.
E. Click Add.
5. Repeat steps 4A-E to create rules for the following services: svc-ftp,
svc-smtp, svc-snmp, and svc-ssh.
6. Click Apply.
7. Click the User Roles tab. Click Add to create the student role.
8. For Role Name, enter student.
9. Under Firewall Policies, click Add. In Choose from Configured Policies, select
the student policy you previously created. Click Done.
10. Click Apply.
Using the WebUI to create the faculty policy and role:
1. Navigate to the Configuration > Security > Access Control > Policies page.
Click Add to add the faculty policy.
2. For Policy Name, enter faculty.
3. Under Rules, click Add to add rules for the policy.
A. Under Source, select user.
B. Under Destination, select alias, then select Internal Network.
C. Under Service, select service. In the Service scrolling list, select
svc-telnet.
D. Under Action, select drop.
E. Click Add.
AOS-W 3.1 199
User Guide
Configuring 802.1x Authentication
Chapter 9
F. Repeat steps A-E to create rules for the following services: svc-ftp,
svc-snmp, and svc-ssh.
4. Click Apply.
5. Select the User Roles tab. Click Add to create the faculty role.
6. For Role Name, enter faculty.
7. Under Firewall Policies, click Add. In Choose from Configured Policies, select
the faculty policy you previously created. Click Done.
Using the WebUI to create the guest policy and role:
1. Navigate to the Configuration > Security > Access Control > Time Ranges
page to define the time range “working-hours”. Click Add.
A. For Name, enter working-hours.
B. For Type, select Periodic.
C. Click Add.
D. For Start Day, click Weekday.
E. For Start Time, enter 07:30.
F. For End Time, enter 17:00.
G. Click Done.
H. Click Apply.
2. Click the Policies tab. Click Add to add the guest policy.
3. For Policy Name, enter guest.
4. Under Rules, click Add to add rules for the policy.
To create rules to permit access to DHCP and DNS servers during working
hours:
A. Under Source, select user.
B. Under Destination, select host. In Host IP, enter 10.1.1.25.
C. Under Service, select service. In the Service scrolling list, select
svc-dhcp.
D. Under Action, select permit.
E. Under Time Range, select working-hours.
F. Click Add.
G. Repeat steps A-F to create a rule for svc-dns.
Configuring 802.1x Authentication
Chapter 9
200 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
To create a rule to deny access to the internal network:
A. Under Source, select user.
B. Under Destination, select alias. Select Internal Network.
C. Under Service, select any.
D. Under Action, select drop.
E. Click Add.
To create rules to permit HTTP and HTTPS access during working hours:
A. Under Source, select user.
B. Under Destination, select any.
C. Under Service, select service. In the Services scrolling list, select
svc-http.
D. Under Action, select permit.
E. Under Time Range, select working-hours.
F. Click Add.
G. Repeat steps A-F for the svc-https service.
To create a rule that denies the user access to all destinations and all
services:
A. Under Source, select user.
B. Under Destination, select any.
C. Under Service, select any.
D. Under Action, select deny.
E. Click Add.
5. Click Apply.
6. Click the User Roles tab. Click Add to create the guest role.
7. For Role Name, enter guest.
8. Under Firewall Policies, click Add. In Choose from Configured Policies, select
the guest policy you previously created. Click Done.
Using the WebUI to create the sysadmin role:
1. Navigate to Configuration > Security > Access Control > User Roles page.
Click Add to create the sysadmin role.
2. For Role Name, enter sysadmin.
AOS-W 3.1 201
User Guide
Configuring 802.1x Authentication
Chapter 9
3. Under Firewall Policies, click Add. In Choose from Configured Policies, select
the predefined allowall policy. Click Done.
4. Click Apply.
Using the WebUI to create the computer role:
1. Navigate to Configuration > Security > Access Control > User Roles page.
Click Add to create the computer role.
2. For Role Name, enter computer.
3. Under Firewall Policies, click Add. In Choose from Configured Policies, select
the predefined allowall policy. Click Done.
4. Click Apply.
Using the CLI to create an alias for the internal network:
netdestination “Internal Network”
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.255.0.0
Using the CLI to create the student role:
ip access-list session student
user alias “Internal Network” svc-telnet deny
user alias “Internal Network” svc-pop3 deny
user alias “Internal Network” svc-ftp deny
user alias “Internal Network” svc-smtp deny
user alias “Internal Network” svc-snmp deny
user alias “Internal Network” svc-ssh deny
user-role student
session-acl student
session acl allowall
Using the CLI to create the faculty role:
ip access-list session faculty
user alias “Internal Network” svc-telnet deny
user alias “Internal Network” svc-ftp deny
user alias “Internal Network” svc-snmp deny
user alias “Internal Network” svc-ssh deny
Configuring 802.1x Authentication
Chapter 9
202 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
user-role faculty
session-acl faculty
session acl allowall
Using the CLI to create the guest role:
time-range working-hours periodic
weekday 07:30 to 17:00
ip access-list session guest
user host 10.1.1.25 svc-dhcp permit time-range working-hours
user host 10.1.1.25 svc-dns permit time-range working-hours
user alias “Internal Network” any deny
user any svc-http permit time-range working-hours
user any svc-https permit time-range working-hours
user any any deny
user-role guest
session-acl guest
Using the CLI to create the sysadmin role:
user-role sysadmin
session-acl allowall
Using the CLI to create the computer role:
user-role computer
session-acl allowall
Configuring the RADIUS Authentication Server
Configure the RADIUS server IAS1, with IP address 10.1.1.21 and shared key. The
RADIUS server is configured to sent an attribute called Class to the WLAN
Switch; the value of this attribute is set to either “student,” “faculty,” or
“sysadmin” to identify the user’s group. The WLAN Switch uses the literal value
of this attribute to determine the role name.
On the WLAN Switch, you add the configured server (IAS1) into a server group.
For the server group, you configure the server rule that allows the Class attribute
returned by the server to set the user role.
AOS-W 3.1 203
User Guide
Configuring 802.1x Authentication
Chapter 9
Using the WebUI to configure the RADIUS authentication server:
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. In the Servers list, select Radius Server. In the RADIUS Server Instance list,
enter IAS1 and click Add.
A. Select IAS1 to display configuration parameters for the RADIUS server.
B. For IP Address, enter 10.1.1.21.
C. For Key, enter
|*a^t%183923!.
D. Click Apply.
3. In the Servers list, select Server Group. In the Server Group Instance list, enter
IAS and click Add.
A. Select the server group IAS to display configuration parameters for the
server group.
B. Under Servers, click New.
C. From the Server Name drop-down menu, select IAS1. Click Add.
4. Under Server Rules, click New.
A. For Condition, enter Class.
B. For Attribute, select value-of from the drop-down menu.
C. For Operand, select set role.
D. Click Add.
5. Click Apply.
Using the CLI to configure the RADIUS authentication server:
aaa authentication-server radius IAS1
host 10.1.1.21
key |*a^t%183923!
aaa server-group IAS
auth-server IAS1
set role condition Class value-of
Configure 802.1x Authentication
An AAA profile specifies the 802.1x authentication profile and 802.1x server
group to be used for authenticating clients for a WLAN. The AAA profile also
specifies the default user roles for 802.1x and MAC authentication.
Configuring 802.1x Authentication
Chapter 9
204 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
In the 802.1x authentication profile, configure enforcement of machine
authentication before user authentication. If a user attempts to log in without
machine authentication taking place first, the user is placed in the limited guest
role.
Using the WebUI to configure 802.1x authentication:
1. Navigate to the Configuration > Security > Authentication > L2
Authentication page.
2. Select 802.1x Authentication Profile.
A. In the list of instances, enter dot1x, then click Add.
B. Select the profile name you just added.
C. Select Enforce Machine Authentication.
D. For the Machine Authentication: Default Machine Role, select computer.
E. For the Machine Authentication: Default User Role, select guest.
F. Click Apply.
3. Select the AAA Profiles tab.
A. In the AAA Profiles Summary, click Add to add a new profile.
B. Enter aaa_dot1x, then click Add.
A. Select the profile name you just added.
B. For MAC Auth Default Role, select computer.
C. For 802.1x Authentication Default Role, select student.
D. Click Apply.
4. In the Profiles list (under the aaa_dot1x profile), select 802.1x Authentication
Profile.
A. From the drop-down menu, select the dot1x 802.1x authentication
profile you configured previously.
B. Click Apply.
5. In the Profiles list (under the aaa_dot1x profile), select 802.1x Authentication
Server Group.
A. From the drop-down menu, select the IAS server group you created
previously.
B. Click Apply.
AOS-W 3.1 205
User Guide
Configuring 802.1x Authentication
Chapter 9
Using the CLI to configure 802.1x authentication:
aaa authentication dot1x dot1x
machine-authentication enable
machine-authentication machine-default-role computer
machine-authentication user-default-role guest
aaa profile aaa_dot1x
dot1x-default-role student
mac-default-role guest
authentication-dot1x dot1x
dot1x-server-group IAS
Configure VLANs
In this example, wireless clients are assigned to either VLAN 60 or 61 while guest
users are assigned to VLAN 63. VLANs 60 and 61 split users into smaller IP
subnetworks, improving performance by decreasing broadcast traffic. The VLANs
are internal to the Alcatel WLAN Switch only and do not extend into other parts of
the wired network. The clients’ default gateway is the Alcatel WLAN Switch,
which routes traffic out to the 10.1.1.0 subnetwork.
You configure the VLANs, assign IP addresses to each VLAN, and establish the
“helper address” to which client DHCP requests are forwarded.
Using the WebUI to configure VLANs:
1. Navigate to the Configuration > Network > VLANs page. Click Add to add
VLAN 60.
A. For VLAN ID, enter 60.
B. Click Apply.
C. Repeat steps A and B to add VLANs 61 and 63.
2. To configure IP parameters for the VLANs, navigate to the Configuration >
Network > IP > IP Interfaces page.
A. Click Edit for VLAN 60.
B. For IP Address, enter 10.1.60.1.
C. For Net Mask, enter 255.255.255.0.
D. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
E. Click Apply.
3. In the IP Interfaces page, click Edit for VLAN 61.
A. For IP Address, enter 10.1.61.1.
Configuring 802.1x Authentication
Chapter 9
206 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
B. For Net Mask, enter 255.255.255.0.
C. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
D. Click Apply.
4. In the IP Interfaces page, click Edit for VLAN 63.
A. For IP Address, enter 10.1.63.1.
B. For Net Mask, enter 255.255.255.0.
C. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
D. Click Apply.
5. Select the IP Routes tab.
A. For Default Gateway, enter 10.1.1.254.
B. Click Apply.
Using the CLI to Configure VLANs
vlan 60
interface vlan 60
ip address 10.1.60.1 255.255.255.0
ip helper-address 10.1.1.25
vlan 61
interface vlan 61
ip address 10.1.61.1 255.255.255.0
ip helper-address 10.1.1.25
vlan 63
interface vlan 63
ip address 10.1.63.1 255.255.255.0
ip helper-address 10.1.1.25
ip default-gateway 10.1.1.254
Configure the WLANs
In this example, default AP parameters for the entire network are as follows: the
default ESSID is WLAN-01 and the encryption mode is TKIP. A second ESSID
called “guest” has the encryption mode set to static WEP with a configured WEP
key.
In this example, the non-guest clients that associate to an AP are mapped into
one of two different user VLANs. The initial AP to which the client associates
determines the VLAN: clients that associate to APs in the first floor of the building
are mapped to VLAN 60 and clients that associate to APs in the second floor of
the building are mapped to VLAN 61. Therefore, the APs in the network are
AOS-W 3.1 207
User Guide
Configuring 802.1x Authentication
Chapter 9
segregated into two AP groups, named “first-floor” and “second-floor”. (See
Chapter 5, “Configuring Access Points” for information about creating AP
groups.)
Guest WLAN
You create and configure the virtual AP profile “guest” and apply the profile to
each AP group. The “guest” virtual AP profile contains the SSID profile “guest”
which configures static WEP with a WEP key.
Using the WebUI to configure the WLAN:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. In the AP Group list, select first-floor.
3. In the Profiles list, select Wireless LAN, then select Virtual AP.
4. To configure the guest virtual AP:
A. Under Profile Details, select NEW. Enter guest, and click Add.
B. Click Apply.
C. Select the guest virtual AP that you just created.
D. For VLAN, enter 63.
E. Click Apply.
5. To configure the guest SSID:
A. Select SSID Profile (under the guest virtual AP).
B. From the drop-down menu for SSID Profile, select NEW. Enter guest.
C. For Network Name, enter guest.
D. For Network Authentication, select None.
E. For Encryption, select WEP.
F. Enter the WEP Key.
G. Click Apply.
6. Navigate to the Configuration > Wireless > AP Configuration page.
7. In the AP Group list, select second-floor.
8. In the Profiles list, select Wireless LAN then select Virtual AP.
9. Under Add a profile, select guest from the drop-down menu. Click Add.
10. Click Apply.
Configuring 802.1x Authentication
Chapter 9
208 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the CLI to configure the guest WLAN:
wlan ssid-profile guest
essid guest
wepkey1 aaaaaaaaaa
opmode static-wep
wlan virtual-ap guest
vlan 63
ssid-profile guest
ap-group first-floor
virtual-ap guest
ap-group second-floor
virtual-ap guest
Non-Guest WLANs
You create and configure the SSID profile “WLAN-01” with the ESSID “WLAN-01”
and WPA TKIP encryption. You need to create and configure two virtual AP
profiles: one with VLAN 60 for the first-floor AP group and the other with VLAN
61 for the second-floor AP group. Each virtual AP profile references the SSID
profile “WLAN-01” and the previously-configured AAA profile “aaa_dot1x”.
Using the WebUI to configure the non-guest WLANs:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. In the AP Group list, select first-floor.
3. In the Profiles list, select Wireless LAN, then select Virtual AP.
4. To configure the WLAN-01_first-floor virtual AP:
A. Under Profile Details, elect NEW. Enter WLAN-01_first-floor, and click
Add.
B. Click Apply.
C. Select the virtual AP you just created.
D. For VLAN, enter 60.
E. Click Apply.
5. To configure the aaa_dot1x AAA profile:
A. In the Profiles list, select AAA Profile (under WLAN-01_first-floor virtual
AP):
B. Select aaa_dot1x from the AAA Profile drop-down menu.
C. Click Apply.
AOS-W 3.1 209
User Guide
Configuring 802.1x Authentication
Chapter 9
6. To configure the WLAN-01 SSID profile:
A. In the Profiles list, select SSID Profile (under WLAN-01_first-floor virtual
AP):
B. Select NEW. Enter WLAN-01, then click Apply.
C. For Network Name, enter WLAN-01.
D. For Network Authentication, select WPA.
E. Click Apply.
7. Navigate to the Configuration > Wireless > AP Configuration page.
8. In the AP Group list, select second-floor.
9. In the Profiles list, select Wireless LAN, then select Virtual AP.
10. To configure the WLAN-01_second-floor virtual AP:
A. Under Profile Details, elect NEW. Enter WLAN-01_second-floor, and click
Add.
B. Click Apply.
C. Select the virtual AP you just created.
D. For VLAN, enter 61.
E. Click Apply.
11. To configure the aaa_dot1x AAA profile:
A. In the Profiles list, select AAA Profile (under WLAN-01_second-floor
virtual AP).
B. Select aaa_dot1x from the AAA Profile drop-down menu.
C. Click Apply.
12. To configure the WLAN-01 SSID profile:
A. In the Profiles list, select SSID Profile (under WLAN-01_second-floor
virtual AP).
B. Select WLAN-01 from the SSID Profile drop-down menu.
C. Click Apply.
Using the CLI to configure the non-guest WLANs:
wlan ssid-profile WLAN-01
essid WLAN-01
opmode wpa-tkip
wlan virtual-ap WLAN-01_first-floor
Configuring 802.1x Authentication
Chapter 9
210 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
vlan 60
ssid-profile WLAN-01
aaa-profile aaa_dot1x
wlan virtual-ap WLAN-01_second-floor
vlan 61
ssid-profile WLAN-01
aaa-profile aaa_dot1x
ap-group first-floor
virtual-ap WLAN-01_first-floor
ap-group second-floor
virtual-ap WLAN-01_second-floor
AOS-W 3.1 211
User Guide
Configuring 802.1x Authentication
Chapter 9
Authentication with the WLAN Switch’s Internal
Database
In the following example:
The WLAN Switch’s internal database provides user authentication.
The authentication type is WPA. From the 802.1x authentication exchange,
the client and the WLAN Switch derive dynamic keys to encrypt data
transmitted on the wireless network.
Configuring Policies and Roles
Create the following policies and user roles:
The student policy prevents students from using telnet, POP3, FTP, SMTP,
SNMP, or SSH to the wired portion of the network. The student policy is
mapped to the student user role.
The faculty policy is similar to the student policy, however faculty members
are allowed to use POP3 and SMTP for VPN remote access from home.
(Students are not permitted to use VPN remote access.) The faculty policy is
mapped to the faculty user role.
The guest policy permits only access to the Internet (via HTTP or HTTPS) and
only during daytime working hours. The guest policy is mapped to the guest
user role.
The allowall policy, a predefined policy, allows unrestricted access to the
network. The allowall policy is mapped to both the sysadmin user role and
the computer user role.
Using the Web to create the student policy and role:
1. Navigate to the Configuration > Security > Access Control > Policies page.
Select Add to add the student policy.
2. For Policy Name, enter student.
3. Under Rules, select Add to add rules for the policy.
A. Under Source, select user.
B. Under Destination, select alias.
NOTE:The following steps define an alias representing all internal
network addresses. Once defined, you can use the alias for other
rules and policies.
I. Under the alias selection, click New.
II. For Destination Name, enter “Internal Network”.
a. Click Add to add a rule.
Configuring 802.1x Authentication
Chapter 9
212 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
b. For Rule Type, select network.
c. For IP Address, enter 10.0.0.0.
d. For Network Mask/Range, enter 255.0.0.0.
e. Click Add to add the network range.
f. Repeat steps a-e to add the network range 172.16.0.0
255.255.0.0.
g. Click Apply. The alias “Internal Network” appears in the
Destination menu
C. Under Destination, select Internal Network.
D. Under Service, select service. In the Service scrolling list, select
svc-telnet.
E. Under Action, select drop.
F. Click Add.
4. Under Rules, click Add.
A. Under Source, select user.
B. Under Destination, select alias. Then select Internal Network.
C. Under Service, select service. In the Service scrolling list, select
svc-pop3.
D. Under Action, select drop.
E. Click Add.
5. Repeat steps 4A-E to create rules for the following services: svc-ftp,
svc-smtp, svc-snmp, and svc-ssh.
6. Click Apply.
7. Click the User Roles tab. Click Add to create the student role.
8. For Role Name, enter student.
9. Under Firewall Policies, click Add. In Choose from Configured Policies, select
the student policy you previously created. Click Done.
10. Click Apply.
Using the WebUI to create the faculty policy and role:
1. Navigate to the Configuration > Security > Access Control > Policies page.
Click Add to add the faculty policy.
2. For Policy Name, enter faculty.
3. Under Rules, click Add to add rules for the policy.
AOS-W 3.1 213
User Guide
Configuring 802.1x Authentication
Chapter 9
A. Under Source, select user.
B. Under Destination, select alias, then select Internal Network.
C. Under Service, select service. In the Service scrolling list, select
svc-telnet.
D. Under Action, select drop.
E. Click Add.
F. Repeat steps A-E to create rules for the following services: svc-ftp,
svc-snmp, and svc-ssh.
4. Click Apply.
5. Select the User Roles tab. Click Add to create the faculty role.
6. For Role Name, enter faculty.
7. Under Firewall Policies, click Add. In Choose from Configured Policies, select
the faculty policy you previously created. Click Done.
Using the WebUI to create the guest policy and role:
1. Navigate to the Configuration > Security > Access Control > Time Ranges
page to define the time range “working-hours”. Click Add.
A. For Name, enter working-hours.
B. For Type, select Periodic.
C. Click Add.
D. For Start Day, click Weekday.
E. For Start Time, enter 07:30.
F. For End Time, enter 17:00.
G. Click Done.
H. Click Apply.
2. Click the Policies tab. Click Add to add the guest policy.
3. For Policy Name, enter guest.
4. Under Rules, click Add to add rules for the policy.
To create rules to permit access to DHCP and DNS servers during working
hours:
A. Under Source, select user.
B. Under Destination, select host. In Host IP, enter 10.1.1.25.
C. Under Service, select service. In the Service scrolling list, select
svc-dhcp.
Configuring 802.1x Authentication
Chapter 9
214 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
D. Under Action, select permit.
E. Under Time Range, select working-hours.
F. Click Add.
G. Repeat steps A-F to create a rule for svc-dns.
To create a rule to deny access to the internal network:
A. Under Source, select user.
B. Under Destination, select alias. Select Internal Network.
C. Under Service, select any.
D. Under Action, select drop.
E. Click Add.
To create rules to permit HTTP and HTTPS access during working hours:
A. Under Source, select user.
B. Under Destination, select any.
C. Under Service, select service. In the Services scrolling list, select
svc-http.
D. Under Action, select permit.
E. Under Time Range, select working-hours.
F. Click Add.
G. Repeat steps A-F for the svc-https service.
To create a rule that denies the user access to all destinations and all
services:
A. Under Source, select user.
B. Under Destination, select any.
C. Under Service, select any.
D. Under Action, select deny.
E. Click Add.
5. Click Apply.
6. Click the User Roles tab. Click Add to create the guest role.
7. For Role Name, enter guest.
8. Under Firewall Policies, click Add. In Choose from Configured Policies, select
the guest policy you previously created. Click Done.
AOS-W 3.1 215
User Guide
Configuring 802.1x Authentication
Chapter 9
Using the WebUI to create the sysadmin role:
1. Navigate to Configuration > Security > Access Control > User Roles page.
Click Add to create the sysadmin role.
2. For Role Name, enter sysadmin.
3. Under Firewall Policies, click Add. In Choose from Configured Policies, select
the predefined allowall policy. Click Done.
4. Click Apply.
Using the WebUI to create the computer role:
1. Navigate to Configuration > Security > Access Control > User Roles page.
Click Add to create the computer role.
2. For Role Name, enter computer.
3. Under Firewall Policies, click Add. In Choose from Configured Policies, select
the predefined allowall policy. Click Done.
4. Click Apply.
Using the CLI to create an alias for the internal network:
netdestination “Internal Network”
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.255.0.0
Using the CLI to create the student role:
ip access-list session student
user alias “Internal Network” svc-telnet deny
user alias “Internal Network” svc-pop3 deny
user alias “Internal Network” svc-ftp deny
user alias “Internal Network” svc-smtp deny
user alias “Internal Network” svc-snmp deny
user alias “Internal Network” svc-ssh deny
user-role student
session-acl student
session acl allowall
Configuring 802.1x Authentication
Chapter 9
216 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the CLI to create the faculty role:
ip access-list session faculty
user alias “Internal Network” svc-telnet deny
user alias “Internal Network” svc-ftp deny
user alias “Internal Network” svc-snmp deny
user alias “Internal Network” svc-ssh deny
user-role faculty
session-acl faculty
session acl allowall
Using the CLI to create the guest role:
time-range working-hours periodic
weekday 07:30 to 17:00
ip access-list session guest
user host 10.1.1.25 svc-dhcp permit time-range working-hours
user host 10.1.1.25 svc-dns permit time-range working-hours
user alias “Internal Network” any deny
user any svc-http permit time-range working-hours
user any svc-https permit time-range working-hours
user any any deny
user-role guest
session-acl guest
Using the CLI to create the sysadmin role:
user-role sysadmin
session-acl allowall
Using the CLI to create the computer role:
user-role computer
session-acl allowall
Configuring the Internal Database
Configure the internal database with the username, password, and role (student,
faculty, or sysadmin) for each user.
AOS-W 3.1 217
User Guide
Configuring 802.1x Authentication
Chapter 9
Using the WebUI to configure the internal database:
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. In the Servers list, select Internal DB.
3. Under Users, click Add User to add users.
4. For each user, enter a username and password.
5. Select the Role for each user (if a role is not specified, the default role is
guest).
6. Select the expiration time for the user account in the internal database.
7. Click Apply.
8. In the Servers list, select Server Group. In the Server Group Instance list, enter
Internal and click Add.
A. Select Internal to display configuration parameters for the server group.
B. Under Servers, click New.
C. From the Server Name drop-down menu, select Internal. Click Add.
9. Click Apply.
Using the CLI to configure the internal database:
aaa server-group Internal
auth-server internal
NOTE:Use the privileged mode in the CLI to configure users in the WLAN
Switch’s internal database.
local-userdb add username <user> password <password> role <role>
Configure 802.1x Authentication
An AAA profile specifies the 802.1x authentication profile and 802.1x server
group to be used for authenticating clients for a WLAN. The AAA profile also
specifies the default user role for 802.1x authentication.
For this example, you enable both 802.1x authentication and termination on the
WLAN Switch.
Using the WebUI to configure 802.1x authentication:
1. Navigate to the Configuration > Security > Authentication > L2
Authentication page. In the profiles list, select 802.1x Authentication Profile.
A. In the Instance list, enter dot1x, then click Add.
Configuring 802.1x Authentication
Chapter 9
218 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
B. Select the dot1x profile you just created.
C. Select Termination.
NOTE:The defaults for EAP Method and Inner EAP Method are
EAP-PEAP and EAP-MSCHAPv2, respectively.
D. Click Apply.
2. Select the AAA Profiles tab.
A. In the AAA Profiles Summary, click Add to add a new profile.
B. Enter aaa_dot1x, then click Add.
C. Select the aaa_dot1x profile you just created.
D. For 802.1x Authentication Default Role, select student.
E. Click Apply.
3. In the Profiles list (under the aaa_dot1x profile you just created), select 802.1x
Authentication Profile.
A. Select the dot1x profile from the 802.1x Authentication Profile
drop-down menu.
B. Click Apply.
4. In the Profiles list (under the aaa_dot1x profile you just created), select 802.1x
Authentication Server Group.
A. Select the Internal server group you created previously from the
drop-down menu.
B. Click Apply.
Using the CLI to configure 802.1x authentication:
aaa authentication dot1x dot1x
termination enable
aaa profile aaa_dot1x
dot1x-default-role student
authentication-dot1x dot1x
dot1x-server-group internal
Configure VLANs
In this example, wireless clients are assigned to either VLAN 60 or 61 while guest
users are assigned to VLAN 63. VLANs 60 and 61 split users into smaller IP
subnetworks, improving performance by decreasing broadcast traffic. The VLANs
AOS-W 3.1 219
User Guide
Configuring 802.1x Authentication
Chapter 9
are internal to the Alcatel WLAN Switch only and do not extend into other parts of
the wired network. The clients’ default gateway is the Alcatel WLAN Switch,
which routes traffic out to the 10.1.1.0 subnetwork.
You configure the VLANs, assign IP addresses to each VLAN, and establish the
“helper address” to which client DHCP requests are forwarded.
Using the WebUI to configure VLANs:
1. Navigate to the Configuration > Network > VLAN page. Click Add to add
VLAN 60.
A. For VLAN ID, enter 60.
B. Click Apply.
C. Repeat steps A and B to add VLANs 61 and 63.
2. To configure IP parameters for the VLANs, navigate to the Configuration >
Network > IP > IP Interfaces page.
A. Click Edit for VLAN 60.
B. For IP Address, enter 10.1.60.1.
C. For Net Mask, enter 255.255.255.0.
D. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
E. Click Apply.
3. In the IP Interfaces page, click Edit for VLAN 61.
A. For IP Address, enter 10.1.61.1.
B. For Net Mask, enter 255.255.255.0.
C. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
D. Click Apply.
4. In the IP Interfaces page, click Edit for VLAN 63.
A. For IP Address, enter 10.1.63.1.
B. For Net Mask, enter 255.255.255.0.
C. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
D. Click Apply.
5. Select the IP Routes tab.
A. For Default Gateway, enter 10.1.1.254.
B. Click Apply.
Configuring 802.1x Authentication
Chapter 9
220 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the CLI to Configure VLANs
vlan 60
interface vlan 60
ip address 10.1.60.1 255.255.255.0
ip helper-address 10.1.1.25
vlan 61
interface vlan 61
ip address 10.1.61.1 255.255.255.0
ip helper-address 10.1.1.25
vlan 63
interface vlan 63
ip address 10.1.63.1 255.255.255.0
ip helper-address 10.1.1.25
ip default-gateway 10.1.1.254
Configure the WLANs
In this example, default AP parameters for the entire network are as follows: the
default ESSID is WLAN-01 and the encryption mode is TKIP. A second ESSID
called “guest” has the encryption mode set to static WEP with a configured WEP
key.
In this example, the non-guest clients that associate to an AP are mapped into
one of two different user VLANs. The initial AP to which the client associates
determines the VLAN: clients that associate to APs in the first floor of the building
are mapped to VLAN 60 and clients that associate to APs in the second floor of
the building are mapped to VLAN 61. Therefore, the APs in the network are
segregated into two AP groups, named “first-floor” and “second-floor”. (See
Chapter 5, “Configuring Access Points” for information about creating AP
groups.)
Guest WLAN
You create and configure the virtual AP profile “guest” and apply the profile to
each AP group. The “guest” virtual AP profile contains the SSID profile “guest”
which configures static WEP with a WEP key.
Using the WebUI to configure the WLAN:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. In the AP Group list, select first-floor.
3. In the Profiles list, select Wireless LAN then select Virtual AP.
AOS-W 3.1 221
User Guide
Configuring 802.1x Authentication
Chapter 9
4. To configure the guest virtual AP:
A. Under Profile Details, select NEW. Enter guest, and click Add.
B. Click Apply.
C. Select the guest virtual AP profile you just created.
D. For VLAN, select 63.
E. Click Apply.
5. To create the guest SSID:
A. Select SSID Profile (under the guest virtual AP profile).
B. Under Profile Details, select NEW from the SSID Profile drop-down menu.
Enter guest.
C. For Network Name, enter guest.
D. For Network Authentication, select None.
E. For Encryption, select WEP.
F. Enter the WEP key.
G. Click Apply.
6. Navigate to the Configuration > Wireless > AP Configuration page.
7. In the AP Group list, select second-floor.
8. In the Profiles list, select Wireless LAN then select Virtual AP.
9. Under Add a profile, select guest from the drop-down menu. Click Add.
10. Click Apply.
Using the CLI to configure the guest WLAN:
wlan ssid-profile guest
essid guest
wepkey1 aaaaaaaaaa
opmode static-wep
wlan virtual-ap guest
vlan 63
ssid-profile guest
ap-group first-floor
virtual-ap guest
ap-group second-floor
virtual-ap guest
Configuring 802.1x Authentication
Chapter 9
222 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Non-Guest WLANs
You create and configure the SSID profile “WLAN-01” with the ESSID “WLAN-01”
and WPA TKIP encryption. You need to create and configure two virtual AP
profiles: one with VLAN 60 for the first-floor AP group and the other with VLAN
61 for the second-floor AP group. Each virtual AP profile references the SSID
profile “WLAN-01” and the previously-configured AAA profile “aaa_dot1x”.
Using the WebUI to configure the non-guest WLANs:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. In the AP Group list, select first-floor.
3. In the Profiles list, select Wireless LAN, then select Virtual AP.
4. To configure the WLAN-01_first-floor virtual AP:
A. Under Profile Details, select NEW. Enter WLAN-01_first-floor, and click
Add.
B. Click Apply.
A. Select the WLAN-01_first-floor virtual AP profile you just created.
B. For VLAN, enter 60.
C. Click Apply.
5. To configure the aaa_dot1x AAA profile:
A. Select AAA Profile (under the WLAN-01_first-floor virtual AP profile).
B. Under Profile Details, select aaa_dot1x from the AAA Profile drop-down
list.
C. Click Apply.
6. To configure the WLAN-01 SSID profile:
A. Select SSID Profile (under the WLAN-01_first-floor virtual AP profile).
B. Under Profile Details, select NEW from the SSID Profile drop-down menu.
Enter WLAN-01.
C. For Network Name, enter WLAN-01.
D. For Network Authentication, select WPA.
E. Click Apply.
7. Navigate to the Configuration > Wireless > AP Configuration page.
8. In the AP Group list, select second-floor.
9. In the Profiles list, select Wireless LAN then select Virtual AP.
AOS-W 3.1 223
User Guide
Configuring 802.1x Authentication
Chapter 9
10. To create the WLAN-01_second-floor virtual AP:
A. Under Profile Details, select NEW from the Add a profile drop-down
menu. Enter WLAN-01_second-floor, and click Add.
B. Click Apply.
C. Select the WLAN-01_second-floor virtual AP profile.
D. For VLAN, enter 61.
E. Click Apply.
11. To configure the aaa_dot1x AAA profile:
A. In the Profiles list, select AAA Profile (under the WLAN-01_second-floor
virtual AP profile).
B. Select aaa_dot1x from the AAA Profile drop-down menu.
C. Click Apply.
12. To configure the WLAN-01 SSID profile:
A. In the Profiles list, select SSID Profile (under the WLAN-01_second-floor
virtual AP profile).
B. Select WLAN-01 from the SSID Profile drop-down menu.
C. Click Apply.
Using the CLI to configure the non-guest WLANs:
wlan ssid-profile WLAN-01
essid WLAN-01
opmode wpa-tkip
wlan virtual-ap WLAN-01_first-floor
vlan 60
ssid-profile WLAN-01
aaa-profile aaa_dot1x
wlan virtual-ap WLAN-01_second-floor
vlan 61
ssid-profile WLAN-01
aaa-profile aaa_dot1x
ap-group first-floor
virtual-ap WLAN-01_first-floor
ap-group second-floor
virtual-ap WLAN-01_second-floor
Configuring 802.1x Authentication
Chapter 9
224 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Advanced Configuration Options for 802.1x
This section describes advanced configuration options for 802.1x authentication.
Reauthentication with Unicast Key Rotation
When enabled, unicast and multicast keys are updated after each reauthorization.
It is a best practice to configure the time intervals for reauthentication, multicast
key rotation, and unicast key rotation to be at least 15 minutes. Make sure these
intervals are mutually prime, and the factor of the unicast key rotation interval and
the multicast key rotation interval is less than the reauthentication interval.
NOTE:Unicast key rotation depends upon both the AP/WLAN Switch and
wireless client behavior. It is known that some wireless NICs have issues
with unicast key rotation.
The following is an example of the parameters you can configure for
reauthentication with unicast and multicast key rotation:
Reauthentication: Enabled
Reauthentication Time Interval: 6011 Seconds
Multicast Key Rotation: Enabled
Multicast Key Rotation Time Interval: 1867 Seconds
Unicast Key Rotation: Enabled
Unicast Key Rotation Time Interval: 1021 Seconds
Using the WebUI to configure reauthentication with unicast key
rotation:
1. Navigate to the Configuration > Security > Authentication > L2
Authentication page.
2. Select 802.1x Authentication Profile, then select the name of the profile you
want to configure.
3. Select the Advanced tab. Enter the following values:
zReauthentication Interval: 6011
zMulticast Key Rotation Time Interval: 1867
zUnicast Key Rotation Time Interval: 1021
zMulticast Key Rotation: (select)
zUnicast Key Rotation: (select)
zReauthentication: (select)
AOS-W 3.1 225
User Guide
Configuring 802.1x Authentication
Chapter 9
4. Click Apply.
Using the CLI to configure reauthentication with unicast key rotation:
aaa authentication dot1x profile
reauthentication
timer reauth-period 6011
unicast-keyrotation
timer ukey-rotation-period 1021
multicast-keyrotation
timer mkey-rotation-period 1867
Configuring 802.1x Authentication
Chapter 9
226 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 227
User Guide
Configuring Captive Portal 10
Captive portal is one of the methods of authentication supported by AOS-W. A
captive portal presents a web page which requires action on the part of the user
before network access is granted. The required action can be simply viewing and
agreeing to an acceptable use policy, or entering a user ID and password which
must be validated against a database of authorized users.
You can also configure captive portal to allow clients to download the Alcatel VPN
dialer for Microsoft VPN clients if the VPN is to be terminated on the Alcatel
WLAN Switch. For more information about the VPN dialer, see Chapter 11,
“Configuring Virtual Private Networks.
This chapter describes the following topics:
“Overview of Captive Portal Functions” on page 228
“Configuring Captive Portal in the Base AOS-W” on page 229
“Configuring Captive Portal with the Policy Enforcement Firewall License” on
page 233
“Example Authentication with Captive Portal” on page 236
“Captive Portal Configuration Parameters” on page 250
“Optional Captive Portal Configurations” on page 253
“Personalizing the Captive Portal Page” on page 259
Configuring Captive Portal
Chapter 10
228 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Overview of Captive Portal Functions
You can configure captive portal for guest users, where no authentication is
required, or for registered users who must be authenticated against an external
server or the WLAN Switch’s internal database.
NOTE:While you can use captive portal to authenticate users, it does not
provide for encryption of user data and should not be used in networks
where data security is required. Captive portal is most often used for
guest access, access to open systems (such as public hot spots), or as a
way to connect to a VPN.
You can use captive portal for guest and registered users at the same time. The
default captive portal web page provided with AOS-W displays login prompts for
both registered users and guests. (You can customize the default captive portal
page, as described in “Personalizing the Captive Portal Page” on page 259.)
You can also load up to 16 different customized login pages into the WLAN
Switch. The login page displayed is based on the SSID to which the client
associates.
Policy Enforcement Firewall License
You can use captive portal with or without the Policy Enforcement Firewall license
installed in the WLAN Switch. The Policy Enforcement Firewall license provides
identity-based security to wired and wireless clients through user roles and
firewall rules. You must purchase and install the Policy Enforcement Firewall
license on the WLAN Switch to use identity-based security features.
There are differences in how captive portal functions work and how you
configure captive portal, depending on whether the license is installed. Later
sections in this chapter describe how to configure captive portal in the base
operating system (without the Policy Enforcement Firewall license) and with the
license installed.
WLAN Switch Server Certificate
The Alcatel WLAN Switch is designed to provide secure services through the use
of digital certificates. Alcatel WLAN Switches ship with a demonstration digital
certificate. Until you install a customer-specific server certificate in the WLAN
Switch, this demonstration certificate is used by default for all secure HTTP
connections (such as the WebUI and captive portal) and AAA FastConnect. This
certificate is included primarily for the purposes of feature demonstration and
convenience and is not intended for long-term use in production networks. Users
in a production environment are urged to obtain and install a certificate issued for
their site or domain by a well-known certificate authority (CA).
AOS-W 3.1 229
User Guide
Configuring Captive Portal
Chapter 10
You can generate a Certificate Signing Request (CSR) on the WLAN Switch to
submit to a CA. For information on how to do this, see “Managing Certificates”
on page 373 in Chapter 18, “Configuring Management Access”.
Once you have received a signed server certificate from the CA, use the following
instructions to import the certificate into the WLAN Switch.
Using the WebUI to import captive portal server certificates:
1. Navigate to the Configuration > Management > Certificates > Captive Portal
Certificates page.
2. Click Browse to navigate to the appropriate file on your computer.
3. Click Upload to install the certificate in the WLAN Switch.
Configuring Captive Portal in the Base AOS-W
The base operating system allows full network access to all users who connect
to an ESSID, whether guest or registered user. In the base operating system, you
cannot configure or customize user roles; this function is only available by
installing the Policy Enforcement Firewall license. Captive portal allows you to
control or identify who has access to network resources.
When you create a captive portal profile in the base operating system, an implicit
user role is automatically created with same name as the captive portal profile.
This implicit user role allows only DNS and DHCP traffic between the client and
network and directs all HTTP or HTTPS requests to the captive portal. You cannot
directly modify the implicit user role or its rules. Upon authentication, captive
portal clients are allowed full access to their assigned VLAN.
Figure 10-21 illustrates the basic tasks for configuring captive portal in the base
operating system; example server group and profile names are in quotation
marks.
Configuring Captive Portal
Chapter 10
230 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
FIGURE 10-21 Captive Portal in Base Operating System Example
The following describes the tasks shown in Figure 10-21.
1. If you are configuring captive portal for registered users, configure the
server(s) and create the server group. In Figure 10-21, the server group is
called “cp-srv”. (See Chapter 8, “Configuring Authentication Servers” for
more information about configuring authentication servers and server
groups.)
2. Create and configure an instance of the captive portal authentication profile.
Creating the captive portal profile automatically creates an implicit user role
and ACL with the same name. In Figure 10-21, creating the profile “c-portal”
creates an implicit user role called “c-portal” that allows only DNS and DHCP
traffic between the client and network and directs all HTTP or HTTPS
requests to the captive portal.
3. Create and configure an instance of the AAA profile. For the initial role, enter
the implicit user role that was created when you created the captive portal
profile. In Figure 10-21, the initial role in the profile “aaa_c-portal” must be set
to “c-portal”.
4. Create and configure an instance of the virtual AP profile that you apply to an
AP group or AP name. Specify the AAA profile you just created.
5. Create and configure an instance of the SSID profile for the virtual AP.
The following sections describe how to use the WebUI or CLI to configure the
captive portal authentication profile, the AAA profile, and the virtual AP profile.
Other chapters in this manual describe the configuration of the VLAN and
authentication servers and server group.
1Create Server Group “cp-srv”
2Create Captive Portal Authentication Profile
“c-portal”
IMPLICIT USER ROLEC-PORTAL
IS CREATED AUTOMATICALLY
3Create AAA Profile “aaa_c-portal”
Set the initial role to “c-portal”
4Create SSID Profile “ssid_c-portal”
5Create Virtual AP Profile “vp_c-portal”
AOS-W 3.1 231
User Guide
Configuring Captive Portal
Chapter 10
NOTE:In AOS-W 2.5.2 and later 2.5.x releases, captive portal users in the base
operating system are placed into the predefined cpbase initial user role
before authentication. The cpbase role is not supported in AOS-W 3.x.
You need to create new captive portal profiles in the base operating
system, as described in this section, which automatically generates the
required policies and roles.
Using the WebUI to configure captive portal in the base operating
system:
1. To configure the captive portal authentication profile, navigate to the
Configuration > Security > Authentication > L3 Authentication page. Select
Captive Portal Authentication Profile.
A. In the Captive Portal Authentication Profile Instance list, enter the name
of the profile (for example, c-portal), then click Add.
B. Select the captive portal authentication profile you just created.
C. You can enable user login and/or guest login, and configure other
parameters described in Table 10-21.
D. Click Apply.
2. To specify authentication servers, select Server Group under the captive
portal authentication profile you just configured.
A. Select the server group (for example, cp-srv) from the drop-down menu.
B. Click Apply.
3. Select the AAA Profiles tab.
A. In the AAA Profiles Summary, click Add to add a new profile. Enter the
name of the profile (for example, aaa_c-portal), then click Add.
B. Select the AAA profile you just created.
C. For Initial Role, select the captive portal authentication profile (for
example, c-portal) you created previously.
NOTE:The Initial Role must be exactly the same as the name of the
captive portal authentication profile you created.
D. Click Apply.
4. To configure the virtual AP profile, navigate to the Configuration > Wireless >
AP Configuration page. Select either the AP Group or AP Specific tab. Click
Edit for the applicable AP group name or AP name.
5. Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the “default” virtual AP profile. Select the “default” SSID profile.
Enter anynet for the SSID name. Click Save As, then enter anynet. Click
Apply.
Configuring Captive Portal
Chapter 10
232 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
NOTE:The WebUI prevents you from configuring the same ESSID in more
than one virtual AP for an AP group or name. Whenever you create a
new virtual AP profile, the profile automatically contains the “default”
SSID profile with the default “alcatel-ap” SSID. The above step allows
you to create a new virtual AP that does not have the same ESSID as
the “default” virtual AP profile.
6. Under Profiles, select Virtual AP to display the Profile Details.
A. To create a new virtual AP profile, select NEW for Add a profile.
B. Enter the profile name (for example, vp_c-portal), then click Add.
C. Click Apply.
7. Under Profiles, select the virtual AP profile you just created.
A. Make sure Virtual AP enable is selected.
B. For VLAN, select the VLAN to which users are assigned (for example, 20).
C. Click Apply.
8. Under Profiles, select the AAA profile under the virtual AP profile you just
configured.
A. From the AAA Profile drop-down menu, select aaa_c-portal for the AAA
Profile.
B. Click Apply.
9. Under Profiles, select the SSID profile under the virtual AP profile you just
configured.
A. From the SSID Profile drop-down menu, select NEW. Enter ssid_c-portal.
B. Enter c-portal-ap for the Network Name.
C. Click Apply.
Using the CLI to configure captive portal in the base operating system:
aaa authentication captive-portal c-portal
server-group cp-srv
aaa profile aaa_c-portal
initial-role c-portal
wlan ssid-profile ssid_c-portal
essid c-portal-ap
vlan 20
wlan virtual-ap vp_c-portal
ssid-profile ssid_c-portal
aaa-profile aaa_c-portal
AOS-W 3.1 233
User Guide
Configuring Captive Portal
Chapter 10
Configuring Captive Portal with the Policy
Enforcement Firewall License
The Policy Enforcement Firewall license provides identity-based security for wired
and wireless users. There are two user roles that are important for captive portal:
Default user role, which you specify in the captive portal authentication
profile, is the role granted to clients upon captive portal authentication. This
can be the predefined guest system role.
Initial user role, which you specify in the AAA profile, directs clients who
associate to the SSID to captive portal whenever the user initiates a Web
browser connection. This can be the predefined logon system role.
The captive portal authentication profile specifies the captive portal login
page and other configurable parameters. The initial user role configuration
must include the applicable captive portal authentication profile instance.
NOTE:MAC-based authentication, if enabled on the WLAN Switch, takes
precedence over captive portal authentication. If you use captive portal,
do not enable MAC-based authentication.
This section describes how to configure captive portal using role-based access
provided by the Policy Enforcement Firewall software module. You must install
the Policy Enforcement Firewall license, as described in Chapter 19, “Managing
Software Feature Licenses”.
The following are the basic tasks for configuring captive portal using role-based
access:
1. Create and configure user roles and policies for guest or registered captive
portal users. (See Chapter 7, “Configuring Roles and Policies” for more
information about configuring policies and user roles.)
2. If you are configuring captive portal for registered users, configure the
server(s) and create the server group. (See Chapter 8, “Configuring
Authentication Servers” for more information about configuring
authentication servers and server groups.)
NOTE:If you are using the WLAN Switch’s internal database for user
authentication, use the predefined “Internal” server group. You need
to configure entries in the internal database, as described in Chapter
8, “Configuring Authentication Servers”.
3. Create and configure an instance of the captive portal authentication profile.
Specify the default user role for captive portal users.
4. Create and configure the initial user role for captive portal. You need to
include the predefined captiveportal policy, which directs clients to the
captive portal, in the initial user role configuration.
Configuring Captive Portal
Chapter 10
234 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
You also need to specify the captive portal authentication profile instance in
the initial user role configuration. For example, if you are using the predefined
logon system role for the initial role, you need to edit the role to specify the
captive portal authentication profile instance.
5. Create and configure an instance of the AAA profile. Specify the initial user
role.
6. Create and configure an instance of the virtual AP profile that you apply to an
AP group or AP name. Specify the AAA profile you just created.
7. Create and configure an instance of the SSID profile for the virtual AP.
The following sections describe how to use the WebUI or CLI to configure the
captive portal authentication profile, initial user role, the AAA profile, and the
virtual AP profile. Other chapters in this manual describe the configuration of the
user roles and policies and authentication servers and server group.
Using the WebUI to configure captive portal with PEF license:
1. To configure the captive portal authentication profile, navigate to the
Configuration > Security > Authentication > L3 Authentication page. Select
Captive Portal Authentication Profile.
A. In the Captive Portal Authentication Profile Instance list, enter the name
of the profile (for example, c-portal), then click Add.
B. Select the captive portal authentication profile you just created.
C. Select the default role (for example, employee) for captive portal users.
D. You can enable guest login and/or user login, as well as other parameters
described in Table 10-21.
E. Click Apply.
2. To specify the authentication servers, select Server Group under the captive
portal authentication profile you just configured.
A. Select the server group (for example, cp-srv) from the drop-down menu.
B. Click Apply.
3. Select the AAA Profiles tab.
A. In the AAA Profiles Summary, click Add to add a new profile. Enter the
name of the profile (for example, aaa_c-portal), then click Add..
B. Set the Initial role to a role that you will configure with the captive portal
authentication profile.
C. Click Apply.
4. To configure the initial user role to use captive portal authentication, navigate
to the Configuration > Security > Access Control page.
AOS-W 3.1 235
User Guide
Configuring Captive Portal
Chapter 10
A. To edit the predefined logon role, select the System Roles tab, then click
Edit for the logon role.
B. To configure a new role, first configure policy rules in the Policies tab,
then select the User Roles tab to add a new user role and assign policies.
C. To specify the captive portal authentication profile, scroll down to the
bottom of the page. Select the profile from the Captive Portal Profile
drop-down menu, and click Change.
D. Click Apply.
5. To configure the virtual AP profile, navigate to the Configuration > Wireless >
AP Configuration page. Select either the AP Group or AP Specific tab. Click
Edit for the applicable AP group name or AP name.
6. Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the “default” virtual AP profile. Select the “default” SSID profile.
Enter anynet for the SSID name. Click Save As, then enter anynet. Click
Apply.
NOTE:The WebUI prevents you from configuring the same ESSID in more
than one virtual AP for an AP group or name. Whenever you create a
new virtual AP profile, the profile automatically contains the “default”
SSID profile with the default “alcatel-ap” SSID. The above step allows
you to create a new virtual AP that does not have the same ESSID as
the “default” virtual AP profile.
7. Under Profiles, select Virtual AP to display the Profile Details.
A. To create a new virtual AP profile, select NEW for Add a profile.
B. Enter the profile name (for example, vp_c-portal), then click Add.
C. Click Apply.
8. Under Profiles, select the virtual AP profile you just created.
A. Make sure Virtual AP enable is selected.
B. For VLAN, select the VLAN to which users are assigned (for example, 20).
C. Click Apply.
9. Under Profiles, select the AAA profile under the virtual AP profile you just
configured.
A. From the AAA Profile drop-down menu, select aaa_c-portal for the AAA
Profile.
B. Click Apply.
10. Under Profiles, select the SSID profile under the virtual AP profile you just
configured.
A. From the SSID Profile drop-down menu, select NEW. Enter ssid_c-portal.
Configuring Captive Portal
Chapter 10
236 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
B. Enter c-portal-ap for the Network Name.
C. Click Apply.
Using the CLI to configure captive portal with PEF license:
aaa authentication captive-portal c-portal
default-role employee
server-group cp-srv
user-role logon
captive-portal c-portal
aaa profile aaa_c-portal
initial-role logon
wlan ssid-profile ssid_c-portal
essid c-portal-ap
vlan 20
wlan virtual-ap vp_c-portal
ssid-profile ssid_c-portal
aaa-profile aaa_c-portal
Example Authentication with Captive Portal
In the following example:
Guest clients associate to the guestnet SSID which is an open wireless LAN.
Guest clients are placed into VLAN 900 and assigned IP addresses by the
WLAN Switch’s internal DHCP server. The user has no access to network
resources beyond DHCP and DNS until they open a web browser and log in
with a guest account using captive portal.
Guest users are given a login and password from guest accounts created in
the WLAN Switch’s internal database. The temporary guest accounts are
created and administered by the site receptionist.
Guest users must enter their assigned login and password into the captive
portal login before they are given access to use web browsers (HTTP and
HTTPS), POP3 email clients, and VPN clients (IPSEC, PPTP, and L2TP) on the
Internet and only during specified working hours. Guest users are prohibited
from accessing internal networks and resources. All traffic to the Internet is
source-NATed.
NOTE:This example assumes a Policy Enforcement Firewall license is installed in
the WLAN Switch.
AOS-W 3.1 237
User Guide
Configuring Captive Portal
Chapter 10
Configuring Policies and Roles
In this example, you create two user roles:
guest-logon is a user role assigned to any client who associates to the
guestnet SSID. Normally, any client that associates to an SSID will be placed
into the logon system role. The guest-logon user role is more restrictive than
the logon role.
auth-guest is a user role granted to clients who successfully authenticate via
the captive portal.
guest-logon User Role
The guest-logon user role consists of the following ordered policies:
1. captiveportal is a predefined policy that allows captive portal authentication.
2. guest-logon-access is a policy that you create with the following rules:
zAllows DHCP exchanges between the user and the DHCP server during
business hours while blocking other users from responding to DHCP
requests.
zAllows ICMP exchanges between the user and the WLAN Switch during
business hours.
3. block-internal-access is a policy that you create that denies user access to
the internal networks.
NOTE:The guest-logon user role configuration needs to include the name of the
captive portal authentication profile instance. You can modify the user
role configuration after you create the captive portal authentication profile
instance.
auth-guest User Role
The auth-guest user role consists of the following ordered policies:
1. cplogout is a predefined policy that allows captive portal logout.
2. guest-logon-access is a policy that you create with the following rules:
zAllows DHCP exchanges between the user and the DHCP server during
business hours while blocking other users from responding to DHCP
requests.
zAllows DNS exchanges between the user and the public DNS server
during business hours. Traffic is source-NATed using the IP interface of
the WLAN Switch for the VLAN.
3. block-internal-access is a policy that you create that denies user access to
the internal networks.
Configuring Captive Portal
Chapter 10
238 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
4. auth-guest-access is a policy that you create with the following rules:
zAllows DHCP exchanges between the user and the DHCP server during
business hours while blocking other users from responding to DHCP
requests.
zAllows DNS exchanges between the user and the public DNS server
during business hours. Traffic is source-NATed using the IP interface of
the WLAN Switch for the VLAN.
zAllows HTTP/S traffic from the user during business hours. Traffic is
source-NATed using the I interface of the WLAN Switch for the VLAN.
5. drop-and-log is a policy that you create that denies all traffic and logs the
attempted network access.
Using the WebUI to create a time range:
1. Navigate to the Configuration > Security > Access Control > Time Ranges
page to define the time range “working-hours”. Click Add.
A. For Name, enter working-hours.
B. For Type, select Periodic.
C. Click Add.
D. For Start Day, click Weekday.
E. For Start Time, enter 07:30.
F. For End Time, enter 17:00.
G. Click Done.
2. Click Apply.
Using the WebUI to create the guest-logon-access policy:
1. Navigate to the Configuration > Security > Access Control > Policies page.
Select Add to add the guest-logon-access policy.
2. For Policy Name, enter guest-logon-access.
3. Under Rules, select Add to add rules for the policy.
A. Under Source, select user.
B. Under Destination, select any.
C. Under Service, select udp. Enter 68.
D. Under Action, select drop.
E. Click Add.
4. Under Rules, click Add.
AOS-W 3.1 239
User Guide
Configuring Captive Portal
Chapter 10
A. Under Source, select user.
B. Under Destination, select any.
C. Under Service, select service. Select svc-dhcp.
D. Under Action, select permit.
E. Under Time Range, select working-hours.
F. Click Add.
5. Under Rules, click Add.
A. Under Source, select user.
B. Under Destination, select alias.
NOTE:The following steps define an alias representing the public DNS
server addresses. Once defined, you can use the alias for other
rules and policies.
I. Under the alias selection, click New.
II. For Destination Name, enter “Public DNS”.
a. Click Add to add a rule.
b. For Rule Type, select host.
c. For IP Address, enter 64.151.103.120.
d. Click Add.
e. For Rule Type, select host.
f. For IP Address, enter 216.87.84.209.
g. Click Add.
h. Click Apply. The alias “Public DNS” appears in the Destination
menu
C. Under Destination, select Public DNS.
D. Under Service, select svc-dns.
E. Under Action, select src-nat.
F. Under Time Range, select working-hours.
G. Click Add.
6. Click Apply.
Using the WebUI to configure the auth-guest-access policy:
1. Navigate to the Configuration > Security > Access Control > Policies page.
Select Add to add the guest-logon-access policy.
Configuring Captive Portal
Chapter 10
240 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
2. For Policy Name, enter auth-guest-access.
3. Under Rules, select Add to add rules for the policy.
A. Under Source, select user.
B. Under Destination, select any.
C. Under Service, select udp. Enter 68.
D. Under Action, select drop.
E. Click Add.
4. Under Rules, click Add.
A. Under Source, select user.
B. Under Destination, select any.
C. Under Service, select service. Select svc-dhcp.
D. Under Action, select permit.
E. Under Time Range, select working-hours.
F. Click Add.
5. Under Rules, click Add.
A. Under Source, select user.
B. Under Destination, select alias. Select Public DNS from the drop-down
menu.
C. Under Service, select service. Select svc-dns.
D. Under Action, select src-nat.
E. Under Time Range, select working-hours.
F. Click Add.
6. Under Rules, click Add.
A. Under Source, select user.
B. Under Destination, select any.
C. Under Service, select service. Select svc-http.
D. Under Action, select src-nat.
E. Under Time Range, select working-hours.
F. Click Add.
7. Under Rules, click Add.
A. Under Source, select user.
B. Under Destination, select any.
AOS-W 3.1 241
User Guide
Configuring Captive Portal
Chapter 10
C. Under Service, select service. Select svc-https.
D. Under Action, select src-nat.
E. Under Time Range, select working-hours.
F. Click Add.
8. Click Apply.
Using the WebUI to create the block-internal-access policy:
1. Navigate to the Configuration > Security > Access Control > Policies page.
Select Add to add the block-internal-access policy.
2. For Policy Name, enter block-internal-access.
3. Under Rules, select Add to add rules for the policy.
A. Under Source, select user.
B. Under Destination, select alias.
NOTE:The following steps define an alias representing all internal
network addresses. Once defined, you can use the alias for other
rules and policies.
I. Under the alias selection, click New.
II. For Destination Name, enter “Internal Network”.
a. Click Add to add a rule.
b. For Rule Type, select network.
c. For IP Address, enter 10.0.0.0.
d. For Network Mask/Range, enter 255.0.0.0.
e. Click Add to add the network range.
f. Repeat steps a-e to add the network ranges 172.16.0.0
255.255.0.0 and 192.168.0.0 255.255.0.0.
g. Click Apply. The alias “Internal Network” appears in the
Destination menu
C. Under Destination, select Internal Network.
D. Under Service, select any.
E. Under Action, select drop.
F. Click Add.
4. Click Apply.
Configuring Captive Portal
Chapter 10
242 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the WebUI to create the drop-and-log policy:
1. Navigate to the Configuration > Security > Access Control > Policies page.
Select Add to add the drop-and-log policy.
2. For Policy Name, enter drop-and-log.
3. Under Rules, select Add to add rules for the policy.
A. Under Source, select user.
B. Under Destination, select any.
C. Under Service, select any.
D. Under Action, select drop.
E. Select Log.
F. Click Add.
4. Click Apply.
Using the WebUI to create the guest-logon role:
1. Navigate to the Configuration > Security > Access Control > User Roles
page.
2. Click Add.
3. For Role Name, enter guest-logon.
4. Under Firewall Policies, click Add.
5. For Choose from Configured Policies, select captiveportal from the
drop-down menu.
6. Click Done.
7. Under Firewall Policies, click Add.
8. For Choose from Configured Policies, select guest-logon-access from the
drop-down menu.
9. Click Done.
10. Under Firewall Policies, click Add.
11. For Choose from Configured Policies, select block-internal-access from the
drop-down menu.
12. Click Done.
13. Click Apply.
AOS-W 3.1 243
User Guide
Configuring Captive Portal
Chapter 10
Using the WebUI to create the auth-guest role:
1. Navigate to the Configuration > Security > Access Control > User Roles
page.
2. Click Add.
3. For Role Name, enter auth-guest.
4. Under Firewall Policies, click Add.
5. For Choose from Configured Policies, select cplogout from the drop-down
menu.
6. Click Done.
7. Under Firewall Policies, click Add.
8. For Choose from Configured Policies, select guest-logon-access from the
drop-down menu.
9. Click Done.
10. Under Firewall Policies, click Add.
11. For Choose from Configured Policies, select block-internal-access from the
drop-down menu.
12. Click Done.
13. Under Firewall Policies, click Add.
14. For Choose from Configured Policies, select auth-guest-access from the
drop-down menu.
15. Click Done.
16. Under Firewall Policies, click Add.
17. For Choose from Configured Policies, select drop-and-log from the
drop-down menu.
18. Click Done.
19. Click Apply.
Using the CLI to create a time range:
time-range working-hours periodic
weekday 07:30 to 17:00
Configuring Captive Portal
Chapter 10
244 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the CLI to create aliases:
netdestination “Internal Network”
network 10.0.0.0 255.0.0.0
network 172.16.0.0 255.255.0.0
network 192.168.0.0 255.255.0.0
netdestination “Public DNS”
host 64.151.103.120
host 216.87.84.209
Using the CLI to create the guest-logon-access policy:
ip access-list session guest-logon-access
user any udp 68 deny
user any svc-dhcp permit time-range working-hours
user alias “Public DNS” svc-dns src-nat time-range working-hours
Using the CLI to create the auth-guest-access policy:
ip access-list session auth-guest-access
user any udp 68 deny
user any svc-dhcp permit time-range working-hours
user alias “Public DNS” svc-dns src-nat time-range working-hours
user any svc-http src-nat time-range working-hours
user any svc-https src-nat time-range working-hours
Using the CLI to create the block-internal-access policy:
ip access-list session block-internal-access
user alias “Internal Network” any deny
Using the CLI to create the drop-and-log policy:
ip access-list session drop-and-log
user any any deny log
Using the CLI to create the guest-logon role:
user-role guest-logon
session-acl captiveportal position 1
session-acl guest-logon-access position 2
session-acl block-internal-access position 3
AOS-W 3.1 245
User Guide
Configuring Captive Portal
Chapter 10
Using the CLI to create the auth-guest role:
user-role auth-guest
session-acl cplogout position 1
session-acl guest-logon-access position 2
session-acl block-internal-access position 3
session-acl auth-guest-access position 4
session-acl drop-and-log position 5
Configuring the Guest VLAN
Guests using the WLAN are assigned to VLAN 900 and are given IP addresses via
DHCP from the WLAN Switch.
Using the WebUI to configure the guest VLAN:
1. Navigate to the Configuration > Network > VLANs page.
A. Click Add.
B. For VLAN ID, enter 900.
C. Click Apply.
2. Navigate to the Configuration > Network > IP > IP Interfaces page.
A. Click Edit for VLAN 900.
B. For IP Address, enter 192.168.200.20.
C. For Net Mask, enter 255.255.255.0.
D. Click Apply.
3. Click the DHCP Server tab.
A. Select Enable DHCP Server.
B. Click Add under Pool Configuration.
C. For Pool Name, enter guestpool.
D. For Default Router, enter 192.168.200.20.
E. For DNS Server, enter 64.151.103.120.
F. For Lease, enter 4 hours.
G. For Network, enter 192.168.200.0. For Netmask, enter 255.255.255.0.
H. Click Done.
4. Click Apply.
Configuring Captive Portal
Chapter 10
246 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the CLI to configure the guest VLAN:
vlan 900
interface vlan 900
ip address 192.168.200.20 255.255.255.0
ip dhcp pool "guestpool"
default-router 192.168.200.20
dns-server 64.151.103.120
lease 0 4 0
network 192.168.200.0 255.255.255.0
Configuring Captive Portal Authentication
In this section, you create an instance of the captive portal authentication profile
and the AAA profile. For the captive portal authentication profile, you specify the
previously-created auth-guest user role as the default user role for authenticated
captive portal clients and the authentication server group (“Internal”).
Using the WebUI to configure captive portal authentication:
1. Navigate to the Configuration > Security > Authentication > L3
Authentication page. In the Profiles list, select Captive Portal Authentication
Profile.
A. In the Captive Portal Authentication Profile Instance list, enter guestnet
for the name of the profile, then click Add.
B. Select the captive portal authentication profile you just created.
C. For Default Role, select auth-guest.
D. Select User Login.
E. Deselect (uncheck) Guest Login.
F. Click Apply.
2. Select Server Group under the guestnet captive portal authentication profile
you just created.
A. Select internal from the Server Group drop-down menu.
B. Click Apply.
Using the CLI to configure captive portal authentication:
aaa authentication captive-portal guestnet
default-role auth-guest
user-logon
no guest-logon
AOS-W 3.1 247
User Guide
Configuring Captive Portal
Chapter 10
server-group internal
Modifying the Initial User Role
The captive portal authentication profile specifies the captive portal login page
and other configurable parameters. The initial user role configuration must include
the applicable captive portal authentication profile instance. Therefore, you need
to modify the guest-logon user role configuration to include the guestnet captive
portal authentication profile.
Using the WebUI to modify the guest-logon role:
1. Navigate to the Configuration > Security > Access Control > User Roles
page.
2. Select Edit for the guest-logon role.
3. Scroll down to the bottom of the page.
4. Select the captive portal authentication profile you just created from the
Captive Portal Profile drop-down menu, and click Change.
5. Click Apply.
Using the CLI to modify the guest-logon role:
user-role guest-logon
captive-portal guestnet
Configuring the AAA Profile
In this section, you configure the guestnet AAA profile, which specifies the
previously-created guest-logon role as the initial role for clients who associate to
the WLAN.
Using the WebUI to configure the AAA profile:
1. Navigate to the Configuration > Security > Authentication > AAA Profiles
page.
2. In the AAA Profiles Summary, click Add to add a new profile. Enter guestnet
for the name of the profile, then click Add.
3. For Initial role, select guest-logon.
4. Click Apply.
Configuring Captive Portal
Chapter 10
248 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the CLI to configure the AAA profile:
aaa profile guestnet
initial-role guest-logon
Configuring the WLAN
In this section, you create the guestnet virtual AP profile for the WLAN. The
guestnet virtual AP profile contains the SSID profile guestnet (which configures
opensystem for the SSID) and the AAA profile guestnet.
Using the WebUI to configure the guest WLAN:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either AP Group or AP Specific tab. Click Edit for the AP group or AP
name.
3. To configure the virtual AP profile, navigate to the Configuration > Wireless >
AP Configuration page. Select either the AP Group or AP Specific tab. Click
Edit for the applicable AP group name or AP name.
4. Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the “default” virtual AP profile. Select the “default” SSID profile.
Enter anynet for the SSID name. Click Save As, then enter anynet. Click
Apply.
NOTE:The WebUI prevents you from configuring the same ESSID in more
than one virtual AP for an AP group or name. Whenever you create a
new virtual AP profile, the profile automatically contains the “default”
SSID profile with the default “alcatel-ap” SSID. The step above allows
you to create a new virtual AP that does not have the same ESSID as
the “default” virtual AP profile.
5. Under Profiles, select Virtual AP to display the Profile Details.
A. To create a new virtual AP profile, select NEW for Add a profile.
B. Enter the profile name guestnet, then click Add.
C. Click Apply.
6. Under Profiles, select the guestnet virtual AP profile you just created.
A. Make sure Virtual AP enable is selected.
B. For VLAN, select VLAN 900.
C. Click Apply.
7. Under Profiles, select the AAA profile under the guestnet virtual AP profile.
AOS-W 3.1 249
User Guide
Configuring Captive Portal
Chapter 10
A. From the AAA Profile drop-down menu, select guestnet for the AAA
Profile.
B. Click Apply.
8. Under Profiles, select the SSID profile under the guestnet virtual AP profile.
A. From the SSID Profile drop-down menu, select NEW. Enter guestnet.
B. For Network Name, enter guestnet.
C. For Network Authentication, select None.
D. For Encryption, select Open.
E. Click Apply.
Using the CLI to configure the guest WLAN:
wlan ssid-profile guestnet
essid guestnet
opmode opensystem
aaa profile guestnet
initial-role guest-logon
wlan virtual-ap guestnet
vlan 900
ssid-profile guestnet
aaa-profile guestnet
User Account Administration
Temporary user accounts are created in the internal database on the WLAN
Switch. You can create a user role which will allow a receptionist to create
temporary user accounts. Guests can use the accounts to log into a captive portal
login page to gain Internet access.
See “Creating Guest Accounts” on page 393 for more information about
configuring guest provisioning users and administering guest accounts.
Configuring Captive Portal
Chapter 10
250 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Captive Portal Configuration Parameters
Table 10-21 describes configuration parameters on the WebUI Captive Portal
Authentication profile page.
NOTE:In the CLI, you configure these options with the aaa authentication
captive-portal commands.
TABLE 10-21 Captive Portal Authentication Profile Parameters
Parameter Description
Default role Role assigned to the Captive Portal user upon login.
When both user and guest logon are enabled, the
default role applies to the user logon; users logging in
using the guest interface are assigned the guest role.
NOTE:The Policy Enforcement Firewall license must
be installed.
Default: guest
Redirect Pause Time, in seconds, that the system remains in the initial
welcome page before redirecting the user to the final
web URL. If set to 0, the welcome page displays until
the user clicks on the indicated link.
Default: 10 seconds.
User Login Enables Captive Portal with authentication of user
credentials.
Default: enabled
Guest Login Enables Captive Portal logon without authentication.
Default: disabled
Logout popup window Enables a pop-up window with the Logout link for the
user to logout after logon. If this is disabled, the user
remains logged in until the user timeout period has
elapsed or the station reloads.
Default: enabled
Use HTTP for
authentication
Use HTTP protocol on redirection to the Captive Portal
page. If you use this option, modify the captiveportal
policy to allow HTTP traffic.
Default: Disabled (HTTPS is used)
AOS-W 3.1 251
User Guide
Configuring Captive Portal
Chapter 10
Logon wait minimum
wait
Minimum time, in seconds, the user will have to wait
for the logon page to pop up if the CPU load is high.
This works in conjunction with the Logon wait CPU
utilization threshold parameter.
Default: 5 seconds.
Logon wait maximum
wait
Maximum time, in seconds, the user will have to wait
for the logon page to pop up if the CPU load is high.
This works in conjunction with the Logon wait CPU
utilization threshold parameter.
Default: 10 seconds.
Logon wait CPU
utilization threshold
CPU utilization percentage above which the Logon
wait interval is applied when presenting the user with
the logon page.
Default: 60%
Max authentication
failures
Maximum number of authentication failures before the
user is blacklisted.
Default: 0
Show FQDN Allows the user to see and select the fully-qualified
domain name (FQDN) on the login page.
Default: disabled
Use CHAP Use CHAP protocol.
Default: PAP
Sygate-on-demand-
agent
Enables client remediation with
Sygate-on-demand-agent (SODA).
Default: disabled
Login page URL of the page that appears for the user logon. This
can be set to any URL.
Default: /auth/index.html
TABLE 10-21 Captive Portal Authentication Profile Parameters (Continued)
Parameter Description
Configuring Captive Portal
Chapter 10
252 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Welcome page URL of the page that appears after logon and before
redirection to the web URL. This can be set to any
URL.
Default: /auth/welcome.html
Show Welcome Page Enables the display of the welcome page. If this option
is disabled, redirection to the web URL happens
immediately after logon.
Default: Enabled
Proxy Server
Configuration
Configures IP address and port number for proxy
server.
Default: N/A
TABLE 10-21 Captive Portal Authentication Profile Parameters (Continued)
Parameter Description
AOS-W 3.1 253
User Guide
Configuring Captive Portal
Chapter 10
Optional Captive Portal Configurations
This section describes the following optional captive portal configurations:
“Per-SSID Captive Portal Page” on page 253
“Changing the Protocol to HTTP” on page 254
“Proxy Server Redirect” on page 255
“Redirecting Clients on Different VLANs” on page 257
“Web Client Configuration with Proxy Script” on page 257
Per-SSID Captive Portal Page
You can upload custom login pages for captive portal into the WLAN Switch
through the WebUI (see Appendix E, “Internal Captive Portal”). The SSID to which
the client associates determines the captive portal login page displayed.
You specify the captive portal login page in the captive portal authentication
profile, along with other configurable parameters. The initial user role
configuration must include the applicable captive portal authentication profile
instance. (In the case of captive portal in the base operating system, the initial
user role is automatically created when you create the captive portal
authentication profile instance.) You then specify the initial user role for captive
portal in the AAA profile for the WLAN.
When you have multiple captive portal login pages loaded in the WLAN Switch,
you must configure a unique initial user role and user role, and captive portal
authentication profile, AAA profile, SSID profile, and virtual AP profile for each
WLAN that will use captive portal. For example, if you want to have different
captive portal login pages for the following departments:
Engineering
Business
Faculty
Configuring Captive Portal
Chapter 10
254 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
you need to create and configure the following:
Changing the Protocol to HTTP
By default, the HTTPS protocol is used on redirection to the Captive Portal page. If
you need to use HTTP instead, you need to do the following:
1. Modify the captive portal authentication profile to enable the HTTP protocol.
2. (For captive portal with role-based access only) Modify the captiveportal
policy to permit HTTP traffic instead of HTTPS traffic.
NOTE:In the base operating system, the implicit ACL captive-portal-profile is
automatically modified.
The following sections describe how use the WebUI and CLI to do this.
Using the WebUI to change the protocol to HTTP:
1. Edit the captive portal authentication profile by navigating to the
Configuration > Security > Authentication > L3 Authentication page.
Engineering Business Faculty
1Captive portal
login page
/auth/eng-login.html /auth/bus-login.html /auth/fac-login.html
2Captive portal
user role
eng-user bus-user fac-user
3Captive portal
authentication
profile
eng-cp
(Specify
/auth/eng-login.html
and eng-user)
bus-cp
(Specify
/auth/bus-login.html
and bus-user)
fac-cp
(Specify
/auth/bus-login.html
and fac-user)
4Initial user role eng-logon
(Specify the eng-cp
profile)
bus-logon
(Specify the bus-cp
profile)
fac-logon
(Specify the
fac-logon profile)
5AAA profile eng-aaa
(Specify the
eng-logon user role)
bus-aaa
(Specify the
bus-logon user role)
fac-aaa
(Specify the
fac-logon user role)
6SSID profile eng-ssid bus-ssid fac-ssid
7Virtual AP
profile
eng-vap bus-vap fac-vap
AOS-W 3.1 255
User Guide
Configuring Captive Portal
Chapter 10
A. Enable (select) “Use HTTP for authentication”.
B. Click Apply.
2. (For captive portal with role-based access only) Edit the captiveportal policy
by navigating to the Configuration > Security > Access Control > Policies
page.
A. Delete the rule for “user mswitch svc-https permit”.
B. Add a new rule with the following values and move this rule to the top of
the rules list:
source is user
destination is the mswitch alias
service is svc-http
action is permit
C. Click Apply.
Using the CLI to change the protocol to HTTP:
aaa authentication captive-portal profile
protocol-http
(For captive portal with role-based access only)
ip access-list session captiveportal
no user alias mswitch svc-https permit
user alias mswitch svc-http permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
Proxy Server Redirect
You can configure captive portal to work with proxy Web servers. End users have
their browser proxy server settings configured for the proxy server’s IP address
and TCP port. When the user opens a Web browser, the HTTP/S connection
request must be redirected from the proxy server to the captive portal on the
WLAN Switch.
To configure captive portal to work with a proxy server:
1. Modify the captive portal authentication profile to specify the proxy server’s
IP address and TCP port.
2. (For captive portal with role-based access only) Modify the captiveportal
policy to have traffic for the proxy server’s port destination NATed to port
8088 on the WLAN Switch.
Configuring Captive Portal
Chapter 10
256 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
NOTE:In the base operating system, the implicit ACL captive-portal-profile is
automatically modified.
The following sections describe how use the WebUI and CLI to do this.
NOTE:When HTTPS traffic is redirected from a proxy server to the WLAN
Switch, the user’s browser will display a warning that the subject name
on the certificate does not match the hostname to which the user is
connecting.
Using the WebUI to redirect proxy server traffic:
1. Edit the captive portal authentication profile by navigating to the
Configuration > Security > Authentication > L3 Authentication page.
A. For Proxy Server, enter the IP address and port for the proxy server.
B. Click Apply.
2. (For captive portal with role-based access only) Edit the captiveportal policy
by navigating to the Configuration > Security > Access Control > Policies
page.
A. Add a new rule with the following values:
Source is user
Destination is any
Service is TCP
Port is the TCP port on the proxy server
Action is dst-nat
IP address is the IP address of the proxy port
Port is the port on the proxy server
B. Click Add to add the rule. Use the up arrows to move this rule just below
the rule that allows HTTP(S) traffic.
C. Click Apply.
Using the CLI to redirect proxy server traffic:
aaa authentication captive-portal profile
proxy host ipaddr port port
(For captive portal with role-based access only)
ip access-list session captiveportal
user alias mswitch svc-https permit
user any tcp port dst-nat 8088
AOS-W 3.1 257
User Guide
Configuring Captive Portal
Chapter 10
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
Redirecting Clients on Different VLANs
You can redirect wireless clients that are on different VLANs (from the WLAN
Switch’s IP address) to the captive portal on the WLAN Switch. To do this:
1. Specify the redirect address for the captive portal.
2. (For captive portal with Policy Enforcement Firewall license only) Modify the
captiveportal policy to permit HTTP/S traffic to the destination cp-redirect
instead of mswitch.
NOTE:In the base operating system, the implicit ACL captive-portal-profile is
automatically modified.
The following section describes how to use the CLI to do this.
Using the CLI:
ip cp-redirect-address ipaddr
(For captive portal with Policy Enforcement Firewall license)
ip access-list session captiveportal
user cp-redirect svc-https permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
Web Client Configuration with Proxy Script
If the web client proxy configuration is distributed through a proxy script (a .pac
file), you need to configure the captiveportal policy to allow the client to
download the file.
NOTE:To modify the captiveportal policy, you must have the Policy
Enforcement Firewall license installed in the WLAN Switch.
Using the WebUI to allow clients to download proxy script:
1. Edit the captiveportal policy by navigating to the Configuration > Security >
Access Control > Policies page.
2. Add a new rule with the following values:
zSource is user
Configuring Captive Portal
Chapter 10
258 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
zDestination is host
zHost IP is the IP address of the proxy server
zService is svc-https or svc-http
zAction is permit
3. Click Add to add the rule. Use the up arrows to move this rule above the rules
that perform destination NAT.
4. Click Apply.
Using the CLI to allow clients to download proxy script:
ip access-list session captiveportal
user alias mswitch svc-https permit
user any tcp port dst-nat 8088
user host ipaddr svc-https permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
AOS-W 3.1 259
User Guide
Configuring Captive Portal
Chapter 10
Personalizing the Captive Portal Page
The following can be personalized on the default captive portal page:
Captive portal background
Page text
Acceptance Use Policy
NOTE:You can create your own web pages and install them in the WLAN Switch
for use with captive portal. See Appendix E, “Internal Captive Portal.
1. Navigate to the Maintenance > Captive Portal > Customize Login Page
page.
You can choose one of three page designs. To select an existing design, click
the first or the second page design present.
2. To customize the page background:
A. Select the YOUR CUSTOM BACKGROUND page.
B. Under Additional options, enter the location of the JPEG image in the
Upload your own custom background field.
C. You can also set the background color in the Custom page background
color field. The color code must a hexadecimal value in the format
#hhhhhh.
Configuring Captive Portal
Chapter 10
260 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
D. You can view the background setting by first clicking Submit on the
bottom on the page, then clicking the View CaptivePortal link. This
displays the Captive Portal page as it will be seen by users.
3. To customize the captive portal background text:
A. Enter the text that needs to be displayed in the Page Text (in HTML
format) message box.
B. To view the changes, click Submit at the bottom on the page and then
click the View CaptivePortal link. This displays the Captive Portal page
as it will be seen by users.
4. To customize the text under the Acceptable Use Policy:
A. Enter the policy information in the Policy Text text box. This appears only
in case of guest logon.
B. To view the changes, click Submit at the bottom on the page and then
click the View CaptivePortal link. This displays the Captive Portal page
as it will be seen by users.
The text you entered appears in a text box when the user clicks the
Acceptable Use Policy on the Captive Portal web page.
To upload a customized login page, use the Maintenance > Captive Portal >
Upload Custom Login Pages page in the WebUI.
AOS-W 3.1 261
User Guide
Configuring Virtual Private
Networks 11
For wireless networks, virtual private network (VPN) connections can be used to
further secure the wireless data from attackers. The Alcatel WLAN Switch can be
used as a VPN concentrator that terminates all VPN connections from both wired
and wireless clients.
NOTE:VPN is an optional AOS-W software module. You must purchase and
install the license for the VPN software module on the WLAN Switch.
This chapter describes the following topics:
“VPN Configuration” on page 262
“Configuring VPN with L2TP IPSec” on page 263
“Configuring VPN with PPTP” on page 266
“Configuring Alcatel Dialer” on page 267
“Configuring Site-to-Site VPN” on page 269
Configuring Virtual Private Networks
Chapter 11
262 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
VPN Configuration
Before enabling VPN authentication, you must configure the following:
The default user role for authenticated VPN clients. See Chapter 7,
“Configuring Roles and Policies” for information about configuring user roles.
The authentication server group the WLAN Switch will use to validate the
clients. See Chapter 8, “Configuring Authentication Servers” for configuration
details.
NOTE:A server-derived role, if present, takes precedence over the default user
role.
You then specify the default user role and authentication server group in the VPN
authentication profile.
Using the WebUI to configure VPN authentication:
1. Navigate to the Configuration > Security > Authentication > L3
Authentication page.
2. In the Profiles list, select VPN Authentication Profile.
3. Select the Default Role from the drop-down menu.
4. (Optional) Set Max Authentication failures to an integer value (the default
value is 0, which disables this feature). This number indicates the number of
contiguous authentication failures before the station is blacklisted.
5. Click Apply.
6. In the Profiles list, select Server Group.
7. From the drop-down menu, select the server group to be used for VPN
authentication.
8. Click Apply.
Using the CLI to configure VPN authentication:
aaa authentication vpn
default-role <role>
max-authentication-failure <number>
server-group <name>
AOS-W 3.1 263
User Guide
Configuring Virtual Private Networks
Chapter 11
Configuring VPN with L2TP IPSec
The combination of Layer-2 Tunneling Protocol and Internet Protocol Security
(L2TP/IPSec) is a highly-secure technology that enables VPN connections across
public networks such as the Internet.
L2TP/IPSec provides a logical transport mechanism to send PPP frames as well
as tunneling or encapsulation so that the PPP frames can be sent across an IP
network. L2TP/IPSec relies on the PPP connection process to perform user
authentication and protocol configuration.
With L2TP/IPSec, the user authentication process is encrypted. L2TP/IPSec
connections use the Data Encryption Standard (DES) algorithm or Triple DES
(3DES). L2TP/IPSec requires two levels of authentication:
1. Computer-level authentication with a certificate or a preshared key to create
the IPSec security associations (SAs) to protect the L2TP-encapsulated data.
2. User-level authentication through a PPP-based authentication protocol after
the SAs are successfully created.
Complete the steps in “VPN Configuration” on page 262.
Using the WebUI to configure VPN with L2TP IPSec:
1. Navigate to the Configuration > Advanced Services > VPN Services > IPSEC
page.
Authentication Method and Server Addresses
2. To enable L2TP, select Enable L2TP.
3. Select the authentication method. Currently supported methods are
Password Authentication Protocol (PAP), Challenge Handshake
Authentication Protocol (CHAP), Microsoft Challenge Handshake
Authentication Protocol (MSCHAP) and MSCHAP version 2 (MSCHAPv2).
4. Configure the IP addresses of the primary and secondary Domain Name
System (DNS) servers and primary and secondary Windows Internet Naming
Service (WINS) Server that will be pushed to the VPN client.
Address Pools
This is the pool from which the clients are assigned addresses.
1. Under Address Pools, click Add to open the Add Address Pool page.
2. Specify the start address, the end address and the pool name.
3. Click Done to apply the configuration.
Configuring Virtual Private Networks
Chapter 11
264 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Source NAT
Use this option if the IP addresses of clients need to be translated to access the
network. To use this option, you must have created a NAT pool by navigating to
the Configuration > IP > NAT Pools page.
IKE Shared Secrets
You can configure a global IKE key or configure an IKE key for each subnet. Make
sure that this key matches the key on the client.
1. Under IKE Shared Secrets, click Add to open the Add IKE Secret page.
2. Enter the subnet and subnet mask. To make the IKE key global, specify
0.0.0.0 and 0.0.0.0 for both values.
3. Enter the IKE Shared Secret and Verify IKE Shared Secret.
4. Click Done to apply the configurations.
IKE Policies
1. Under IKE Policies, click Add to open the IPSEC Add Policy configuration
page.
2. Set the Priority to 1 for this configuration to take priority over the Default
setting.
3. Set the Encryption type from the drop-down menu.
4. Set the HASH Algorithm to SHA or MD5.
5. Set the Authentication to Pre-Share or RSA.
6. Set the Diffie Hellman Group to Group 1 or Group 2.
The configurations from 1 through 5 along with the pre-share key need to be
reflected in the VPN client configuration. When using a 3rd party VPN client,
set the VPN configuration on clients to match the choices made above. In
case the Alcatel dialer is used, these configuration need to be made on the
dialer prior to downloading the dialer onto the local client.
7. Click Done to activate the changes.
8. Click Apply to apply the changes made before navigating to other pages.
Using the CLI to configure VPN with L2TP IPSec:
Authentication Method and Server Addresses
vpdn group l2tp
enable
ppp authentication {cache-securid|chap|mschap|mschapv2|pap}
AOS-W 3.1 265
User Guide
Configuring Virtual Private Networks
Chapter 11
client configuration {dns|wins} <ipaddr1> [<ipaddr2>]
Address Pools
ip local pool <pool> <start-ipaddr> <end-ipaddr>
Source NAT
ip access-list session srcnat
user any any src-nat pool <pool> position 1
user-role guest
session-acl srcnat position 1
IKE Shared Secrets
crypto isakmp key <key> address <ipaddr> netmask <mask>
IKE Policies
crypto isakmp policy <priority>
encryption {3des|aes128|aes192|aes256|des}
authentication {pre-share|rsa-sig}
group {1|2}
hash {md5|sha}
lifetime <seconds>
Configuring Virtual Private Networks
Chapter 11
266 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Configuring VPN with PPTP
Point-to-Point Tunneling Protocol (PPTP) is an alternative to L2TP/IPSec. Like
L2TP/IPSec, PPTP provides a logical transport mechanism to send PPP frames as
well as tunneling or encapsulation so that the PPP frames can be sent across an
IP network. PPTP relies on the PPP connection process to perform user
authentication and protocol configuration.
With PPTP, data encryption begins after PPP authentication and connection
process is completed. PPTP connections use Microsoft Point-to-Point Encryption
(MPPE), which uses the Rivest-Shamir-Aldeman (RSA) RC-4 encryption algorithm.
PPTP connections require user-level authentication through a PPP-based
authentication protocol (MSCHAPv2 is the currently-supported method).
Complete the steps in “VPN Configuration” on page 262.
Using the WebUI to configure VPN with PPTP:
1. Navigate to the Configuration > Advanced Services > VPN Services > PPTP
page.
2. To enable PPTP, select Enable PPTP.
3. Select the authentication protocol. The currently-supported method is
MSCHAPv2.
4. Configure the primary and secondary DNS servers and primary and secondary
WINS Server that will be pushed to the VPN Dialer.
5. Configure the VPN Address Pool.
A. Click Add. The Add Address Pool page displays.
B. Specify the pool name, start address, and end address.
C. Click Done on completion to apply the configuration.
6. Click Apply to apply the changes made before navigating to other pages.
Using the CLI to configure VPN with PPTP:
vpdn group pptp
enable
client configuration {dns|wins} <ipaddr1> [<ipaddr2>]
ppp authentication {mschapv2}
pptp ip local pool <pool> <start-ipaddr> <end-ipaddr>
AOS-W 3.1 267
User Guide
Configuring Virtual Private Networks
Chapter 11
Configuring Alcatel Dialer
For Windows clients, a dialer can be downloaded from the WLAN Switch to
auto-configure tunnel settings on the dialer.
Using the WebUI to configure the Alcatel dialer:
1. Navigate to the Configuration > Advanced Services > VPN Services >
Dialers page. Click Add to add a new dialer or click the Edit tab to edit an
existing dialer.
2. Enter the Dialer Name that will be used to identify this setting.
3. Configure the dialer to work with PPTP or L2TP by selecting the Enable PPTP
or the Enable L2TP checkbox.
4. Select the authentication protocol. This should match the L2TP protocol list
selected if Enable L2TP is checked or the PPTP list configured if Enable PPTP
is checked.
5. For L2TP:
zSet the IKE Hash Algorithm to SHA or MD5 as in the IKE policy on the
Advanced Services > VPN Services > IPSEC page.
zIf a preshared key is configured for IKE Shared Secrets in the VPN
Services > IPSEC page, enter the key.
zThe key you enter in the Dialers page must match the preshared key
configured on the IPSEC page.
zSelect the IPSEC Mode Group that matches the Diffie Hellman Group
configured for the IPSEC policy.
zSelect the IPSEC Encryption that matches the Encryption configured for
the IPSEC policy.
zSelect the IPSEC Hash Algorithm that matches the Hash Algorithm
configured for the IPSEC policy.
6. Click Done to apply the changes made prior to navigating to another page.
Using the CLI to configure the Alcatel dialer:
vpn-dialer <name>
enable {dnctclear|l2tp|pptp|secureid_newpinmode|wirednowifi}
ike authentication {pre-share <key>|rsa-sig}
ike encryption {3des|des}
ike group {1|2}
ike hash {md5|sha}
ipsec encryption {esp-3des|esp-des}
Configuring Virtual Private Networks
Chapter 11
268 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
ipsec hash {esp-md5-hmac|esp-sha-hmac}
ppp authentication {cache-securid|chap|mschap|mschapv2|pap}
Captive Portal Download of Dialer
The VPN dialer can be downloaded using Captive Portal. For the user role
assigned through Captive Portal, configure the dialer by the name used to identify
the dialer.
For example, if the captive portal client is assigned the guest role after logging on
through captive portal and the dialer is called mydialer, configure mydialer as the
dialer to be used in the guest role.
Using the WebUI to configure the captive portal dialer:
1. Navigate to the Configuration > Security > Access Control > User Roles
page.
2. Click Edit for the user role.
3. Under VPN Dialer, select the dialer you configured and click Change.
4. Click Apply.
Using the CLI to configure the captive portal dialer:
user-role <role>
dialer <name>
AOS-W 3.1 269
User Guide
Configuring Virtual Private Networks
Chapter 11
Configuring Site-to-Site VPN
Site-to-site VPN allows sites at different physical locations to securely
communicate with each other over a Layer-3 network such as the Internet. You
can use Alcatel WLAN Switches instead of VPN concentrators to connect the
sites. Or, you can use a VPN concentrator at one site and a WLAN Switch at the
other site.
NOTE:VPN is an optional AOS-W software module. For site-to-site VPN
between two WLAN Switches, you must purchase and install licenses for
the VPN software module on both WLAN Switches.
You must configure VPN settings on the WLAN Switches at both the local and
remote sites. In the following figure, a VPN tunnel connects Network A to
Network B across the Internet.
FIGURE 11-22 Site-to-Site VPN Configuration Components
To configure the VPN tunnel on WLAN Switch A, you need to configure the
following:
The source network (Network A)
The destination network (Network B)
The VLAN on which the WLAN Switch As interface to the Layer-3 network is
located (Interface A in the figure)
The peer gateway, which is the IP address of WLAN Switch B’s interface to
the Layer-3 network (Interface B in the figure)
To configure a site-to-site VPN on the WLAN Switch:
NOTE:You must configure VPN settings on the WLAN Switches at both the
local and remote sites.
NETWORK A NETWORK B
LAYER 3
NETWORK
SOURCE NETWORK DESTINATION NETWORK
PEER GATEWAY
WLAN SWITCH A WLAN SWITCH B
VLAN
(SOURCE IP FOR IKE)
INTERFACE BINTERFACE A
Configuring Virtual Private Networks
Chapter 11
270 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the WebUI to configure site-to-site VPN:
1. Navigate to the Configuration > Advanced Services > VPN Services >
Site-to-Site page.
2. Under IPSec Maps, click Add to open the Add IPSec Map page.
3. Enter a name for this VPN connection in the Name field.
4. Enter the IP address and netmask for the source (the local network connected
to the WLAN Switch) in the Source Network and Source Subnet Mask
fields, respectively. (See WLAN Switch A in Figure 11-22.)
5. Enter the IP address and netmask for the destination (the remote network to
which the local network will communicate) in the Destination Network and
Destination Subnet Mask fields, respectively. (See WLAN Switch B in
Figure 11-22.)
6. In the Peer Gateway field, enter the IP address of the interface on the remote
WLAN Switch that connects to the Layer-3 network. (See Interface B in
Figure 11-22.)
7. Select the VLAN that contains the interface of the local WLAN Switch which
connects to the Layer-3 network. (See Interface A in Figure 11-22.)
This determines the source IP address used to initiate IKE. If you select 0 or
None, the default is the VLAN of the WLAN Switch’s IP address (either the
VLAN where the loopback IP is configured or VLAN 1 if no loopback IP is
configured).
8. Select Pre-Connect to have the VPN connection established even if there is
no traffic being sent from the local network. If this is not selected, the VPN
connection is only established when traffic is sent from the local network to
the remote network.
9. Select Trusted Tunnel if traffic between the networks is trusted. If this is not
selected, traffic between the networks is untrusted.
10. Enter the IKE shared secret.
11. Click Done to apply the configuration.
Using the CLI to configure site-to-site VPN:
crypto-local ipsec-map <name> <priority>
src-net <ipaddr> <mask>
dst-net <ipaddr> <mask>
peer-ip <ipaddr>
vlan <id>
preconnect enable|disable
trusted enable
crypto-local isakmp key <key> address <ipaddr> netmask <mask>
AOS-W 3.1 271
User Guide
Configuring Virtual Private Networks
Chapter 11
Dead Peer Detection
Dead Peer Detection (DPD) is enabled by default on the WLAN Switch for
site-to-site VPNs. DPD, as described in RFC 3706, “A Traffic-Based Method of
Detecting Dead Internet Key Exchange (IKE) Peers,” uses IPSec traffic patterns to
minimize the number of IKE messages required to determine the liveness of an IKE
peers. You can configure DPD parameters.
Using the CLI to configure DPD for site-to-site VPN:
crypto-local isakmp dpd idle-timeout <idle_seconds> retry-timeout
<retry_seconds> retry-attempts <number>
Configuring Virtual Private Networks
Chapter 11
272 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 273
User Guide
Configuring Advanced
Security 12
xSec (or Extreme Security) is a cryptographically secure, Layer-2 tunneling
network protocol implemented over the 802.1x protocol. The xSec protocol can
be used to secure Layer-2 traffic between the WLAN Switch and wired and
wireless clients, or between Alcatel WLAN Switches.
NOTE:xSec is an optional AOS-W software module. You must purchase and
install the license for the xSec software module on the WLAN Switch.
This chapter describes the following topics:
“Overview” on page 274
“Securing Client Traffic” on page 275
“Securing WLAN Switch-to-WLAN Switch Communication” on page 282
“Configuring the Odyssey Client on Client Machines” on page 284
Configuring Advanced Security
Chapter 12
274 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Overview
xSec encrypts an original Layer-2 data frame inside a Layer-2 xSec frame, the
contents of which are defined by the protocol. xSec relies on 256-bit Advanced
Encryption Standard (AES) encryption.
Upon 802.1x client authentication, xSec creates a tunnel between the client and
the WLAN Switch. The xSec frame sent over the air or wire between the user and
the WLAN Switch contains user and WLAN Switch information, as well as
original IP and MAC addresses, in encrypted form. The only visible address is the
MAC address assigned by the xSec protocol for the tunnel endpoints. All user
information is secured using xSec. This concept is also extended to secure
management information and data between two WLAN Switches on the same
VLAN.
For xSec tunneling between a client and WLAN Switch to work, a version of the
Funk Odyssey client1 software that supports xSec needs to be installed on the
client. It is possible to secure clients running Windows 2000 and XP operating
systems using xSec and the Odyssey client software.
NOTE:xSec is an optional licensed feature for Alcatel WLAN Switches. xSec is
automatically enabled on the WLAN Switch when you install the license.
xSec provides the following advantages:
Advanced security as Layer-2 frames are encrypted and tunneled.
Ease of implementation of advanced encryption in a heterogeneous
environment. xSec is designed to support multiple operating systems and a
wide range of network interface cards (NICs). All encryption and decryption
on the client machine is performed by the Odyssey client while the NICs are
configured with NULL encryption. This ensures that even older operating
systems that cannot be upgraded to support WPA or WPA2 authentication
can be secured using xSec and the Odyssey client.
Compatible with TLS, TTLS and PEAP.
Advanced authentication extended to wired clients allowing network
managers to secure wired ports.
1. For information about the currently supported release, please contact Juniper Networks.
AOS-W 3.1 275
User Guide
Configuring Advanced Security
Chapter 12
Securing Client Traffic
You can secure wireless or wired client traffic with xSec. On the client, install the
Odyssey Client software. The xSec client must complete 802.1x authentication.
to connect to the network. The client indicates the use of the xSec protocol
during 802.1x exchanges with the WLAN Switch. (Alcatel WLAN Switches
support 802.1x for both wired and wireless clients.) Upon successful client
authentication, an xSec tunnel is established between the WLAN Switch and the
client.
The authenticated client is placed into a configured VLAN, which determines the
client’s DHCP server, IP address, and Layer-2 connection. For wireless xSec
clients, the VLAN is the user VLAN configured for the WLAN. For wired xSec
clients and wireless xSec clients that connect to the WLAN Switch through a
non-Alcatel AP, the VLAN is a designated xSec VLAN. The VLAN can also be
derived from configured RADIUS server-derivation rules or from Vendor-Specific
Attributes (VSAs). Once an xSec tunnel is established, a DHCP server assigns the
xSec client an IP address from the address pool on the VLAN to which the client
is assigned. All traffic between the client and the WLAN Switch is then encrypted.
The following sections describe how to configure xSec on the WLAN Switch for
wireless and wired clients.
Securing Wireless Clients
The following are the basic steps for configuring the WLAN Switch for xSec
wireless clients:
1. Configure the user VLAN to which the authenticated clients will be assigned.
See Chapter 3, “Configuring Network Parameters” for more information.
2. Configure the user role for the authenticated xSec clients. See Chapter 7,
“Configuring Roles and Policies” for information.
3. Configure the server group that will be used to authenticate clients using
802.1x. See Chapter 8, “Configuring Authentication Servers” for more
information
4. Configure the AAA profile to specify the 802.1x default user role. Specify the
802.1x authentication server group.
NOTE:You can configure the 802.1x authentication profile if necessary. See
Chapter 9, “Configuring 802.1x Authentication” for more
information.
5. Configure the virtual AP profile for the WLAN. Specify the
previously-configured user VLAN.
A. Specify the previously-configured AAA profile.
B. Configure the SSID profile with xSec as the authentication.
Configuring Advanced Security
Chapter 12
276 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
NOTE:Only xSec clients will be allowed to connect to the WLAN and
non-xSec connections are dropped.
6. Install and set up the Odyssey Client on the wireless client. See “Configuring
the Odyssey Client on Client Machines” on page 284.
Figure 12-23 is an example network where a wireless xSec client is assigned to
the user VLAN 20 and the user role “employee” upon successful 802.1x
authentication. VLAN 1 includes the port on the WLAN Switch that connects to
the wired network on which the AP is installed. (APs can connect to the WLAN
Switch across either a Layer-2 or Layer-3 network.)
FIGURE 12-23 Wireless xSec Client Example
The following sections describe how to use the WebUI or CLI to configure the
AAA profile and virtual AP profile for this example. Other chapters in this manual
describe the configuration of the user role, VLAN, authentication servers and
server group, and 802.1x authentication profile.
Using the WebUI to configure xSec for wireless clients:
1. Navigate to the Configuration > Security > Authentication > AAA Profiles
page.
A. To create a new AAA profile, click Add in the AAA Profiles Summary.
B. Enter a name for the profile (for example, xsec-wireless), and click Add.
C. To configure the AAA profile, click on the newly-created profile name.
D. For 802.1x Authentication Default Role, select a configured user role (for
example, employee).
E. Click Apply.
F. In the AAA Profile list, select 802.1x Authentication Server Group under
the AAA profile you configured.
G. Select the applicable server group (for example, xsec-svrs).
H. Click Apply.
2. Navigate to the Configuration > Wireless > AP Configuration page. Select
either the AP Group or AP Specific tab. Click Edit for the applicable AP group
name or AP name.
WLAN SWITCH ALCATEL AP XSEC CLIENT
VLAN 1
VLAN 20 VLAN 20
AOS-W 3.1 277
User Guide
Configuring Advanced Security
Chapter 12
3. Under Profiles, select Wireless LAN, then select Virtual AP.
4. In the Virtual AP list, select the “default” virtual AP profile. Select the
“default” SSID profile. Enter anynet for the SSID name. Click Save As, then
enter anynet. Click Apply.
NOTE:The WebUI prvents you from configuring the same ESSID in more
than one virtual AP for an AP group or name. Whenever you create a
new virtual AP profile, the profile automatically contains the “default”
SSID profile with the default “alcatel-ap” SSID. The step above allows
you to create a new virtual AP profile that does not have the same
ESSID as the “default” virtual AP profile.
5. To create a new virtual AP profile, select NEW from the Add a profile
drop-down menu. Enter the name for the virtual AP profile (for example,
xsec-wireless), and click Add. Click Apply.
A. Click on the new virtual AP name in the Profiles list or the Profile Details
to display configuration parameters. For VLAN, enter the ID of the VLAN
in which authenticated xSec clients are placed (for example, 20).
B. Click Apply.
6. Select AAA Profile under the virtual AP profile you just configured.
A. From the AAA Profile list, select the AAA profile you previously
configured.
B. Click Apply.
7. Create and configure the SSID profile.
A. In the Profiles list, select SSID Profile. In the SSID Profile drop-down
menu, select NEW and enter the name for the SSID profile (for example,
xsec-wireless). Click Apply.
B. In the Profile Details section, enter the Network Name for the SSID (for
example, xsec-ap).
C. For Network Authentication, select xSec.
D. Click Apply.
Using the CLI to configure xSec for wireless clients:
wlan ssid-profile xsec-wireless
essid xsec-ap
opmode xSec
aaa profile xsec-wireless
dot1x-default-role employee
dot1x-server-group xsec-svrs
wlan virtual-ap xsec-wireless
vlan 20
Configuring Advanced Security
Chapter 12
278 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
ssid-profile xsec-wireless
aaa-profile xsec-wireless
Securing Wired Clients
The following are the basic steps for configuring the WLAN Switch for xSec wired
clients:
1. Configure the VLAN to which the authenticated clients will be assigned. See
Chapter 3, “Configuring Network Parameters” for information.
NOTE:This VLAN must have an IP interface, and is a different VLAN from
the port’s “native” VLAN that provides connectivity to the network.
2. Configure the user role for the authenticated xSec clients. See Chapter 7,
“Configuring Roles and Policies” for information.
3. Configure the server group that will be used to authenticate clients using
802.1x. See Chapter 8, “Configuring Authentication Servers” for information.
4. Configure the WLAN Switch port to which the wired client(s) are connected.
Specify the VLAN to which the authenticated xSec clients are assigned.
NOTE:For firewall rules to be enforced after client authentication, the port
must be configured as untrusted.
5. Configure the AAA profile to specify the 802.1x default user role and the
802.1x authentication server group.
6. Configure the wired authentication profile to use the AAA profile.
7. Install and set up the Odyssey Client on the wireless client. See “Configuring
the Odyssey Client on Client Machines” on page 284.
Figure 12-24 is an example network where a wired xSec client is assigned to the
VLAN 20 and the user role “employee” upon successful 802.1x authentication.
Traffic between the WLAN Switch and the xSec client is encrypted.
FIGURE 12-24 Wired xSec Client Example
NOTE:The VLAN to which you assign an xSec client must be a different VLAN
from the VLAN that contains the WLAN Switch port to which the wired
xSec client or AP is connected.
WLAN SWITCH XSEC CLIENT
VLAN 1
VLAN 20 VLAN 20
AOS-W 3.1 279
User Guide
Configuring Advanced Security
Chapter 12
The following sections describe how to use the WebUI or CLI to configure the
WLAN Switch port to which the wired client is connected, the AAA profile, and
the wired authentication profile for this example. Other chapters in this manual
describe the configuration of the user role, VLAN, authentication servers and
server group, and 802.1x authentication profile.
Using the WebUI to configure xSec for wired clients:
1. Navigate to the Configuration > Networks > Ports page to configure the port
to which the wired client(s) are connected.
A. Click the port that you want to configure.
B. Make sure the Enable Port checkbox is selected.
C. For Enter VLAN(s), select the native VLAN on the port to ensure Layer-2
connectivity to the network. In Figure 12-24, this is VLAN 1.
D. For xSec VLAN, select the VLAN to which authenticated users are
assigned from the drop-down menu. In Figure 12-24, this is VLAN 20.
E. Click Apply.
2. Navigate to the Configuration > Security > Authentication > AAA Profiles
page to configure the AAA profile.
A. To create a new AAA profile, click Add.
B. Enter a name for the profile (for example, xsec-wired), and click Add.
C. To configure the AAA profile, click on the newly-created profile name.
D. For 802.1x Authentication Default Role, select a configured user role (for
example, employee).
E. Click Apply.
F. In the AAA Profile list, select 802.1x Authentication Server Group under
the AAA profile you configured.
G. Select the applicable server group (for example, xsec-svrs).
H. Click Apply.
3. Navigate to the Configuration > Advanced Services > Wired Access page.
A. Under Wired Access AAA Profile, select the AAA profile you just
configured.
B. Click Apply.
Using the CLI to configure xSec for wired clients:
interface fastethernet|gigabitethernet slot/port
switchport access vlan 1
Configuring Advanced Security
Chapter 12
280 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
xsec vlan 20
aaa profile xsec-wired
dot1x-default-role employee
dot1x-server-group xsec-svrs
aaa authentication wired
profile xsec-wired
Securing Wireless Clients Through Non-Alcatel
APs
If xSec clients are connecting through a non-Alcatel AP, you need to configure the
WLAN Switch port to which the AP is connected. The AP must be configured for
no (opensystem) authentication.
The following are the basic steps for configuring the WLAN Switch for xSec
wireless clients connecting through a non-Alcatel AP:
1. Configure the VLAN to which the authenticated clients will be assigned. See
Chapter 3, “Configuring Network Parameters” for information.
NOTE:This VLAN must have an IP interface, and is a different VLAN from
the port’s “native” VLAN that provides connectivity to the network.
2. Configure the user role for the authenticated xSec clients. See Chapter 7,
“Configuring Roles and Policies” for information.
3. Configure the server group that will be used to authenticate clients using
802.1x. See Chapter 8, “Configuring Authentication Servers” for information.
4. Configure the WLAN Switch port that connects to the wired network on
which the non-Alcatel AP is installed. Specify the VLAN to which the
authenticated xSec clients are assigned.
NOTE:The ingress and egress ports for xSec client traffic must be different
physical ports on the WLAN Switch.
5. Configure the AAA profile to specify the 802.1x default user role and the
802.1x authentication server group.
6. Configure the wired authentication profile to use the AAA profile.
7. Install and set up the Odyssey Client on the wireless client. See “Configuring
the Odyssey Client on Client Machines” on page 284.
The following sections describe how to use the WebUI or CLI to configure the
WLAN Switch port and AAA and wired authentication profiles for wireless clients
connecting with non-Alcatel APs. Other chapters in this manual describe the
configuration of the user role, VLAN, authentication servers and server group, and
802.1x authentication profile.
AOS-W 3.1 281
User Guide
Configuring Advanced Security
Chapter 12
Using the WebUI to configure xSec for non-Alcatel AP wireless clients:
1. Navigate to the Configuration > Networks > Ports page to configure the port
to which the wireless xSec client(s) are connected.
A. Click the port that you want to configure.
B. Make sure the Enable Port checkbox is selected.
C. For Enter VLAN(s), select the native VLAN (for example, VLAN 1) on the
port to ensure Layer-2 connectivity to the network.
D. For xSec VLAN, select the VLAN to which authenticated users are
assigned from the drop-down menu (for example, VLAN 20)
E. Click Apply.
2. Navigate to the Configuration > Security > Authentication > AAA Profiles
page to configure the AAA profile.
A. To create a new AAA profile, click Add.
B. Enter a name for the profile (for example, xsec-3party), and click Add.
C. To configure the AAA profile, click on the newly-created profile name.
D. For 802.1x Authentication Default Role, select a configured user role (for
example, employee).
E. Click Apply.
F. In the AAA Profile list, select 802.1x Authentication Server Group under
the AAA profile you configured.
G. Select the applicable server group (for example, xsec-svrs).
H. Click Apply.
3. Navigate to the Configuration > Advanced Services > Wired Access page.
A. Under Wired Access AAA Profile, select the AAA profile you just
configured.
B. Click Apply.
Using the CLI to configure xSec for non-Alcatel AP wireless clients:
interface fastethernet|gigabitethernet slot/port
switchport access vlan 1
xsec vlan 20
aaa profile xsec-wired
dot1x-default-role employee
dot1x-server-group xsec-svrs
aaa authentication wired
profile xsec-wired
Configuring Advanced Security
Chapter 12
282 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Securing WLAN Switch-to-WLAN Switch
Communication
xSec can be used to secure data and control traffic passed between two WLAN
Switches. The only requirement is that both WLAN Switches be members of the
same VLAN. To establish a point-to-point tunnel between the two WLAN
Switches, you need to configure the following for the connecting ports on each
WLAN Switch:
The MAC address of the xSec tunnel termination point. This would be the
MAC address of the “other” WLAN Switch.
A 16-byte shared key used to authenticate the WLAN Switches to each other.
You must configure the same shared key on both WLAN Switches.
The VLAN IDs for the VLANs that will extend across both the WLAN Switches
via the xSec tunnel.
Figure 12-25 is an example network where two WLAN Switches are connected to
the same VLAN, VLAN 1. On WLAN Switch 1, you configure the MAC address of
WLAN Switch 2 for the xSec tunnel termination point. On WLAN Switch 2, you
configure the MAC address of WLAN Switch 1 for the xSec tunnel termination
point. On both WLAN Switches, you configure the same 16-byte shared key and
the IDs for the VLANs which are allowed to pass through the xSec tunnel.
FIGURE 12-25 WLAN Switch-to-WLAN Switch xSec Example
The following sections describe how to use the WebUI or CLI to configure the
port that connects to the wired network on which the other WLAN Switch is
installed. Other chapters in this manual describe the configuration of VLANs.
Using the WebUI to configure WLAN Switches for xSec:
1. On each WLAN Switch, navigate to the Configuration > Network > Port
page.
2. Click on the port to be configured.
101
VLAN 1
WLAN SWITCH 1
MAC: 01:02:03:04:05:06
WLAN SWITCH 2
MAC: 10:11:12:13:14:15
200
250
101
200
250
AOS-W 3.1 283
User Guide
Configuring Advanced Security
Chapter 12
3. Select the VLAN from the drop-down list.
4. Configure the xSec point-to-point settings:
A. Enter the MAC address of the tunnel termination point (the “other” WLAN
Switch’s MAC address).
B. Enter the key (for example, 1234567898765432) used by xSec to
establish the tunnel between the WLAN Switches.
C. Select the VLANs that would be allowed across the point-to-point
connection from the Allowed VLANs drop-down menu, and click the <--
button.
5. Click Apply.
Using the CLI to configure WLAN Switches for xSec:
For WLAN Switch 1:
interface gigabitethernet|fastethernet slot/port
vlan 1
xsec point-to-point 10:11:12:13:14:15 1234567898765432 allowed vlan
101,200,250
For WLAN Switch 2:
interface gigabitethernet|fastethernet slot/port
vlan 1
xsec point-to-point 01:02:03:04:05:06 1234567898765432 allowed vlan
101,200,250
Configuring Advanced Security
Chapter 12
284 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Configuring the Odyssey Client on Client
Machines
You can obtain the Odyssey Client from Juniper Networks. For information on
Odyssey Client versions, contact Alcatel or Juniper Networks support.
To install the Odyssey Client:
1. Unzip and install the Odyssey client on the client laptop.
2. For wired xSec, to use the Odyssey client to control the wired port, modify
the registry:
A. On the windows machine, click Start and select Run.
B. Type regedit in the dialog box and click OK.
C. Navigate down the tree to HKEY_LOCAL_MACHINE\SOFTWARE\Funk Software,
Inc.\odyssey\client\configuration\options\wiredxsec.
FIGURE 12-26 The regedit Screen
AOS-W 3.1 285
User Guide
Configuring Advanced Security
Chapter 12
D. Select “policy” from the registry values and right click on it. Select
Modify to modify the contents of policy. Set the value in the resulting
window to required.
FIGURE 12-27 Modifying a regedit Policy
3. Open the Funk Odyssey Client. Click the Profile tab in the client window. This
allows the user to create the user profile for 802.1x authentication.
FIGURE 12-28 The Funk Odyssey Client Profile
Configuring Advanced Security
Chapter 12
286 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
A. In the login name dialog box, enter the login name used for 802.1x
authentication. For the password, the client could use the WINDOWS
password or use the configured password based on the selection made.
B. Click the certificate tab and enter the certificate information required. This
example shows the PEAP settings.
FIGURE 12-29 Certificate Information
C. Click the Authentication tab. In the resultant window, click the Add tab
and select EAP/PEAP. Move this option to the top of the list if PEAP is
the method chosen. If certification validation not required, uncheck the
Validate server certificates setting.
D. Click the PEAP Settings tab and select the EAP protocol supported.
E. Click OK.
F. To modify an existing profile, select the profile and then click the
Properties tab.
AOS-W 3.1 287
User Guide
Configuring Advanced Security
Chapter 12
4. Select the Network tab to configure the network for wireless client. For
wired clients, skip this step.
FIGURE 12-30 Network Profile
A. Click the Add tab. Enter the SSID to which the client connects.
B. Set the Network type to Infrastructure.
C. Set the Association mode to xSec, AES encryption is automatically
selected.
D. Under Authentication, select the Authenticate using profile checkbox.
E. From the pull down menu, select the profile used for 802.1x
authentication. This would be one of the profiles configured in step 2.
F. Select the keys that will be generated automatically for data privacy.
G. Apply the configuration changes made by clicking on the OK tab.
H. To modify an existing profile, select the profile and then click the
Properties tab.
5. Click the Adapters tab if the adapter used is not seen under the list of
adapters pull down menu under connections.
A. When using a wireless client, click the Wireless tab.
B. Select the Wireless adapters only radio button. From the resulting list,
select the adapter required from the list and click OK.
Configuring Advanced Security
Chapter 12
288 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
C. For wired 802.1x clients, select the Wired 802.1x tab and select the
Wired adapters only radio button. From the resulting list, select the
adapter required from the list and click OK.
6. Establish the connection.
A. Click the Connection tab.
B. From the pull down menu, select the adapter required. If the adapter in
use is not visible, add the adapter as explained in Step 5.
C. Select the Connect to network checkbox and select the Network option
from the pull down menu. To configure a new network, follow the
instructions in Step 4.
D. This will automatically start the connection process. To reconnect to the
network, click Reconnect.
7. Click Scan to display the SSIDs seen by the NIC after a site survey.
AOS-W 3.1 289
User Guide
Configuring MAC-Based
Authentication 13
This chapter describes how to configure MAC-based authentication on the
Alcatel WLAN Switch using the WebUI.
Use MAC-based authentication to authenticate devices based on their physical
media access control (MAC) address. While not the most secure and scalable
method, MAC-based authentication implicitly provides an addition layer of
security authentication devices. MAC-based authentication is often used to
authenticate and allow network access through certain devices while denying
access to the rest. For example, if clients are allowed access to the network via
station A, then one method of authenticating station A is MAC-based. Clients
may be required to authenticate themselves using other methods depending on
the network privileges required.
MAC-based authentication can also be used to authenticate WiFi phones as an
additional layer of security to prevent other devices from accessing the voice
network using what is normally an insecure SSID.
This chapter describes the following topics:
“Configuring MAC-Based Authentication” on page 290
“Configuring Clients” on page 292
Configuring MAC-Based Authentication
Chapter 13
290 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Configuring MAC-Based Authentication
Before configuring MAC-based authentication, you must configure:
The user role that will be assigned as the default role for the MAC-based
authenticated clients. (See Chapter 7, “Configuring Roles and Policies” for
information on firewall policies to configure roles).
You configure the default user role for MAC-based authentication in the AAA
profile. If derivation rules exist or if the client configuration in the internal
database has a role assignment, these values take precedence over the
default user role.
Authentication server group that the WLAN Switch uses to validate the
clients. The internal database can be used to configure the clients for
MAC-based authentication. See “Configuring Clients” on page 292 for
information on configuring the clients on the local database. For information
on configuring authentication servers and server groups, see Chapter 8,
“Configuring Authentication Servers.
Configuring the MAC Authentication Profile
Table 13-22 describes the parameters you can configure for MAC-based
authentication.
TABLE 13-22 MAC Authentication Profile Configuration Parameters
Parameter Description
Delimiter Delimiter used in the MAC string:
colon specifies the format xx:xx:xx:xx:xx:xx
dash specifies the format xx-xx-xx-xx-xx-xx
none specifies the format xxxxxxxxxxxx
Default: none
Case The case (upper or lower) used in the MAC string.
Default: lower
Max Authentication
failures
Number of times a station can fail to authenticate
before it is blacklisted. A value of 0 disables
blacklisting.
Default: 0
AOS-W 3.1 291
User Guide
Configuring MAC-Based Authentication
Chapter 13
Using the WebUI to configure a MAC authentication profile:
1. Navigate to the Configuration > Security > Authentication > L2
Authentication page.
2. Select MAC Authentication Profile.
3. Enter a profile name and click Add.
4. Select the profile name to display configurable parameters.
5. Configure the parameters, as described in Table 13-22.
6. Click Apply.
Using the CLI to configure a MAC authentication profile:
aaa authentication mac <profile>
case {lower|upper}
delimiter {colon|dash|none}
max-authentication-failures <number>
Configuring MAC-Based Authentication
Chapter 13
292 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Configuring Clients
You can create entries in the WLAN Switch’s internal database that can be used
to authenticate client MAC addresses. The internal database contains a list of
clients along with the password and default role for each client. To configure
entries in the internal database for MAC authentication, you enter the MAC
address for both the user name and password for each client.
NOTE:You must enter the MAC address using the delimiter format configured in
the MAC authentication profile. The default delimiter is none, which
means that MAC addresses should be in the format xxxxxxxxxxxx. If you
specify colons for the delimiter, you can enter MAC addresses in the
format xx:xx:xx:xx:xx:xx.
For each entry in the internal database, you can assign a role to the client that is
different from the MAC authentication default role; this server-derived role takes
precedence over the default role.
Using the WebUI to configure clients in the internal database:
1. Navigate to the Configuration > Security > Authentication > Servers > page.
2. Select Internal DB.
3. Click Add User in the Users section. The user configuration page displays.
4. For User Name and Password, enter the MAC address for the client. Use the
format specified by the Delimiter parameter in the MAC Authentication profile.
For example, if the MAC Authentication profile specifies the default delimiter
(none), enter MAC addresses in the format xxxxxxxxxxxx.
5. Click Enabled to activate this entry on creation.
6. Click Apply to apply the configuration.
NOTE:The configuration does not take effect until you perform this step.
Using the CLI to configure clients in the internal database:
Enter the following command in enable mode:
local-userdb add username <macaddr> password <macaddr> ...
Volume 5
Configuring
Multiple
WLAN Switch
Environments
AOS-W Version 3.1
294 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 295
User Guide
Adding Local WLAN
Switches 14
This chapter explains how to expand your network by adding a local WLAN
Switch to a master WLAN Switch configuration. Typically, this is the first
expansion of a network with just one WLAN Switch (which is a master WLAN
Switch). This chapter is a basic discussion of creating master-local WLAN Switch
configurations. More complicated multi-WLAN Switch configurations are
discussed in other chapters.
This chapter describes the following topics:
“Moving to a Multi-WLAN Switch Environment” on page 296
“Configuring Local WLAN Switches” on page 298
Adding Local WLAN Switches
Chapter 14
296 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Moving to a Multi-WLAN Switch Environment
For a single WLAN configuration, the master WLAN Switch is the WLAN Switch
which controls the RF and security settings of the WLAN. Additional WLAN
Switches to the same WLAN serve as local switches to the master WLAN Switch.
The local WLAN Switch operates independently of the master WLAN Switch and
depends on the master WLAN Switch only for its security and RF settings. You
configure the layer-2 and layer-3 settings on the local WLAN Switch independent
of the master WLAN Switch. The local WLAN Switch needs to have connectivity
to the master WLAN Switch at all times to ensure that any changes on the master
are propagated to the local WLAN Switch.
Some of the common reasons to move from a single to a multi-WLAN
Switch-environment include:
Scaling to include a larger coverage area
Setting up remote Access Points (APs)
Network setup requires APs to be redistributed from a single WLAN Switch
to multiple WLAN Switches
Preshared Key for Inter-WLAN Switch
Communication
A preshared key (PSK) is used to create IPSec tunnels between a master and
backup master WLAN Switches and between master and local WLAN Switches.
These inter-WLAN Switch IPSec tunnels carry management traffic such as
mobility, configuration, and master-local information.
NOTE An inter-WLAN Switch IPSec tunnel can be used to route data between
networks attached to the WLAN Switches if you have installed VPN
licenses in the WLAN Switches. To route traffic, configure a static route
on each WLAN Switch specifying the destination network and the name
of the IPSec tunnel.
There is a default PSK to allow inter-WLAN Switch communications, however, for
security you should configure a a unique PSK for each WLAN Switch pair (see
“Best Security Practices for the Preshared Key” on page 297). You can use either
the WebUI or CLI to configure a 6-64 character PSK on master and local WLAN
Switches.
To configure a unique PSK for each WLAN Switch pair, you must configure the
master WLAN Switch with the IP address of the local and the PSK, and configure
the local WLAN Switch with the IP address of the master and the PSK.
AOS-W 3.1 297
User Guide
Adding Local WLAN Switches
Chapter 14
You can configure a global PSK for all master-local communications, although this
is not recommended for networks with more than two WLAN Switches (see
“Best Security Practices for the Preshared Key” on page 297). On the master
WLAN Switch, use 0.0.0.0 for the IP address of the local. On the local WLAN
Switch, configure the IP address of the master and the PSK.
The local WLAN Switch can be located behind a NAT device or over the Internet.
On the local WLAN Switch, when you specify the IP address of the master WLAN
Switch, use the public IP address for the master. On the master WLAN Switch,
when you specify the IP address of the local WLAN Switch, specify the IP address
for the local and not its public IP address (or use 0.0.0.0).
Best Security Practices for the Preshared Key
Leaving the PSK set to the default value exposes the IPSec channel to serious
risk, therefore you should always configure a unique PSK for each WLAN Switch
pair.
Sharing the same PSK between more than two WLAN Switches increases the
likelihood of compromise. If one WLAN Switch is compromised, all WLAN
Switches are compromised. Therefore, best security practices include configuring
a unique PSK for each WLAN Switch pair.
Weak keys are susceptible to offline dictionary attacks, meaning that a hostile
eavesdropper can capture a few packets during connection setup and derive the
PSK, thus compromising the connection. Therefore the PSK selection process
should be the same process as selecting a strong passphrase:
the PSK should be at least ten characters in length
the PSK should not be a dictionary word
the PSK should combine characters from at least three of the following four
groups:
zlowercase characters
zuppercase characters
znumbers
zpunctuation or special characters, such as ~‘@#$%^&*()_-+=\|//.[]{}
Configuring the Preshared Key
The following sections describe how to configure a PSK using the WebUI or CLI.
Using the WebUI to configure the PSK:
1. Navigate to the Configuration > Network > Switch > System Settings page:
zOn the local WLAN Switch, enter the IPSec key under the Master IP
Address.
Adding Local WLAN Switches
Chapter 14
298 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
zOn the master WLAN Switch, click New under Local Switch IPSec Keys,
then enter the IP address for the local WLAN Switch and the IPSec key.
Click Add.
2. Click Apply.
Using the CLI to configure the PSK:
On the master WLAN Switch:
localip <ipaddr> ipsec <key>
On the local WLAN Switch:
masterip <ipaddr> ipsec <key>
Configuring Local WLAN Switches
A single master WLAN Switch configuration can be one WLAN Switch or a
master redundant configuration with one master WLAN Switch and the VRRP
redundant backup WLAN Switch. This section highlights the difference in
configuration for both of these scenarios.
The steps involved in migrating from a single to a multi-WLAN Switch
environment are:
1. Configure the role of the local WLAN Switch to local and specify the IP
address of the master.
2. Configure the layer-2 / layer-3 settings on the local WLAN Switch (VLANs, IP
subnets, IP routes).
3. Configure as trusted ports the ports the master and local WLAN Switch use
to communicate with each other.
4. For those APs that need to boot off the local WLAN Switch, configure the
LMS IP address to point to the new local WLAN Switch.
5. Reboot the APs that are already on the network, so that they now connect to
the local WLAN Switch.
These steps are explained below.
Configuring the Local WLAN Switch
You configure the role of a WLAN Switch by running the Initial Setup on an
unconfigured WLAN Switch, or by using the WebUI or CLI on a
previously-configured WLAN Switch.
AOS-W 3.1 299
User Guide
Adding Local WLAN Switches
Chapter 14
Using the Initial Setup
The Initial Setup allows you to configure the IP address of the WLAN Switch and
its role, in addition to other operating parameters. You can run the Initial Setup
through a Web browser connection to a line port on the WLAN Switch or through
a connection to the serial port on the WLAN Switch. (See the Alcatel Quick Start
Guide for more information.) You perform the Initial Setup the first time you
conect to and log into the WLAN Switch or whenever the WLAN Switch is reset
to its factory default configuration (after executing a write erase, reload
sequence).
When prompted to enter the WLAN Switch role in the Initial Setup, select or enter
local to set the WLAN Switch operational mode to be a local WLAN Switch. You
are then prompted for the master WLAN Switch IP address. Enter the IP address
of the master WLAN Switch for the WLAN network. Enter the preshared key
(PSK) that is used to authenticate communications between WLAN Switches.
NOTE:You need to enter the same PSK on the master WLAN Switch and on the
local WLAN Switches that are managed by the master.
Using the Web UI
For a WLAN Switch that is up and operating with layer-3 connectivity, configure
the following to set the WLAN Switch as local:
1. Navigate to the Configuration > Network > Switch > System Settings page.
2. Set the Switch Role to Local.
3. Enter the IP address of the master WLAN Switch. If master redundancy is
enabled on the master, this address should be the VRRP address for the
VLAN instance corresponding to the IP address of the WLAN Switch.
4. Enter the preshared key (PSK) that is used to authenticate communications
between WLAN Switches.
NOTE:You need to enter the same PSK on the master WLAN Switch and on the
local WLAN Switches that are managed by the master.
Using the CLI
For a WLAN Switch that is up and operating with layer-3 connectivity, configure
the following to set the WLAN Switch as local:
masterip <ipaddr> ipsec <key>
Configuring Layer-2/Layer-3 Settings
Configure the VLANs, subnets, and IP address on the local WLAN Switch for IP
connectivity.
Adding Local WLAN Switches
Chapter 14
300 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Verify connectivity to the master WLAN Switch by pinging the master WLAN
Switch from the local WLAN Switch.
Ensure that the master WLAN Switch recognizes the new WLAN Switch as its
local WLAN Switch. The local WLAN Switch should be listed with type local in the
Monitoring > Network > All WLAN Switches page on the master. It takes about 4
– 5 minutes for the master and local WLAN Switches to synchronize
configurations.
Configuring Trusted Ports
On the local WLAN Switch, navigate to the Configuration > Network > Ports
page and make sure that the port on the local WLAN Switch connecting to the
master is trusted. On the master WLAN Switch, check this for the port on the
master WLAN Switch that connects to the local WLAN Switch.
Configuring APs
APs download their configurations from a master WLAN Switch. However, an AP
or AP group can tunnel client traffic to a local WLAN Switch. To specify the WLAN
Switch to which an AP or AP group tunnels client traffic, you configure the LMS
IP in the AP system profile on the master WLAN Switch.
Configuration changes take effect only after you reboot the affected APs; this
allows them to reassociate with the local WLAN Switch. After rebooting, these
APs appear to the new local WLAN Switch as local APs.
Using the WebUI to configure the LMS IP:
1. Navigate to the Configuration > Wireless > AP Configuration page.
zIf you select AP Group, click Edit for the AP group name for which you
want to configure the LMS IP.
zIf you select AP Specific, select the name of the AP for which you want
to configure the LMS IP.
2. Under the Profiles section, select AP to display the AP profiles.
3. Select the AP system profile you want to modify.
4. Enter the WLAN Switch IP address in the LMS IP field.
5. Click Apply.
Using the CLI to configure the LMS IP:
ap system-profile <profile>
lms-ip <ipaddr>
AOS-W 3.1 301
User Guide
Adding Local WLAN Switches
Chapter 14
ap-group <group>
ap-system-profile <profile>
ap-name <name>
ap-system-profile <profile>
Adding Local WLAN Switches
Chapter 14
302 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 303
User Guide
Configuring IP Mobility 15
A mobility domain is a group of Alcatel WLAN Switches among which a wireless
user can roam without losing their IP address. Mobility domains are not tied with
the master WLAN Switch, thus it is possible for a user to roam between WLAN
Switches managed by different master WLAN Switches as long as all of the
WLAN Switches belong to the same mobility domain.
You enable and configure mobility domains only on Alcatel WLAN Switches. No
additional software or configuration is required on wireless clients to allow
roaming within the domain.
This chapter describes the following topics:
Alcatel Mobility Architecture”
“Configuring Mobility Domains”
“Tracking Mobile Users”
Advanced Configuration”
Configuring IP Mobility
Chapter 15
304 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Alcatel Mobility Architecture
Alcatel’s layer-3 mobility solution is based on the Mobile IP protocol standard, as
described in RFC 3344, “IP Mobility Support for IPv4”. This standard addresses
users who need both network connectivity and mobility within the work
environment.
Unlike other layer-3 mobility solutions, an Alcatel mobility solution does not
require that you install mobility software or perform additional configuration on
wireless clients. The Alcatel WLAN Switches perform all functions that enable
clients to roam within the mobility domain.
In a mobility domain, a mobile client is a wireless client that can change its point
of attachment from one network to another within the domain. A mobile client
receives an IP address (a home address) on a home network.
A mobile client can detach at any time from its home network and reconnect to a
foreign network (any network other than the mobile client’s home network) within
the mobility domain. When a mobile client is connected to a foreign network, it is
bound to a care-of address that reflects its current point of attachment. A care-of
address is the IP address of the Alcatel WLAN Switch in the foreign network with
which the mobile client is associated.
The home agent for the client is the WLAN Switch where the client appears for
the first time when it joins the mobility domain. The home agent is the single
point of contact for the client when the client roams. The foreign agent for the
client is the WLAN Switch which handles all Mobile IP communication with the
home agent on behalf of the client. Traffic sent to a client’s home address is
intercepted by the home agent and tunneled for delivery to the client on the
foreign network. On the foreign network, the foreign agent delivers the tunneled
data to the mobile client.
Figure 15-31 shows the routing of traffic from Host A to Mobile Client B when the
client is away from its home network. The client’s care-of address is the IP
address of the Alcatel WLAN Switch in the foreign network. The numbers in the
figure correspond to the following descriptions:
1. Traffic to Mobile Client B arrives at the client’s home network via standard IP
routing mechanisms.
2. The traffic is intercepted by the home agent in the client’s home network and
tunneled to the care-of address in the foreign network.
3. The foreign agent delivers traffic to the mobile client.
4. Traffic sent by Mobile Client B is also tunneled back to the home agent.
AOS-W 3.1 305
User Guide
Configuring IP Mobility
Chapter 15
FIGURE 15-31 Routing of Traffic to Mobile Client within Mobility Domain
Configuring Mobility Domains
NOTE:Alcatel mobility domains are supported only on Alcatel WLAN Switches.
Before configuring a mobility domain, you should determine the user VLAN(s) for
which mobility is required. For example, you may want to allow employees to be
able to roam from one subnetwork to another. All WLAN Switches that support
the VLANs into which employee users can be placed should be part of the same
mobility domain.
A WLAN Switch can be part of multiple mobility domains, although Alcatel
recommends that a WLAN Switch belong to only one domain. The WLAN
Switches in a mobility domain do not need to be managed by the same master
WLAN Switch.
You configure a mobility domain on a master WLAN Switch; the mobility domain
information is pushed to all local WLAN Switches that are managed by the same
master WLAN Switch. On each WLAN Switch, you must specify the active
domain (the domain to which the WLAN Switch belongs).
NOTE:Although you configure a mobility domain on a master WLAN Switch, the
master WLAN Switch does not need to be a member of the mobility
domain. For example, you could set up a mobility domain that contains
only local WLAN Switches; you still need to configure the mobility
domain on the master WLAN Switch that manages the local WLAN
Switches. You can also configure a mobility domain that contains
multiple master WLAN Switches; you need to configure the mobility
domain on each master WLAN Switch.
HOST A
MOBILE CLIENT B
HOME AGENT FOREIGN AGENT
CLIENTS HOME NETWORK
FOREIGN NETWORK
1
2
3
4
Configuring IP Mobility
Chapter 15
306 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
The basic tasks you need to perform to configure a mobility domain are listed
below. The sections following describe each task in further detail. A sample
mobility domain configuration is provided in “Example Configuration” on
page 308,
NOTE:You can enable or disable IP mobility in a virtual AP profile (IP mobility is
enabled by default). When IP mobility is enabled in a virtual AP profile, the
ESSID that is configured for the virtual AP supports layer-3 mobility. If
you disable IP mobility for a virtual AP, any clients that associate to the
virtual AP will not have mobility service.
Configuring a Mobility Domain
You configure mobility domains on master WLAN Switches. All local WLAN
Switches managed by the master WLAN Switch share the list of mobility domains
configured on the master.
NOTE:Mobility is disabled by default and must be explicitly enabled on all WLAN
Switches that will support client mobility. Disabling mobility does not
delete any mobility-related configuration.
The home agent table (HAT) provides mapping between a subnetwork or VLAN
and a home agent address. The WLAN Switch looks up information in the HAT to
obtain the IP address of a home agent for a mobile client. The home agent
address is typically the IP address of the WLAN Switch. Because there can be
multiple home agents on a subnetwork, the HAT can contain more than one entry
for the same subnetwork.
You configure the HAT with a list of every subnetwork, mask, VLAN ID, and home
agent IP address in the mobility domain. There must be an entry for every home
agent and user VLAN to which an IP subnetwork maps. If there is more than one
WLAN Switch in the mobility domain providing service for the same user VLAN,
you must configure an entry for the VLAN for each WLAN Switch.
There is a predefined mobility domain called “default”. All WLAN Switches, by
default, belong to this active domain. However, you have the flexibility to define
user-defined domains as well. Once you assign a WLAN Switch to a user-defined
domain, it automatically leaves the “default” mobility domain. For a WLAN Switch
On a master WLAN Switch: On all WLAN Switches in the mobility
domain:
Configure the mobility domain,
including the entries in the home
agent table (HAT)
Enable mobility (disabled by
default)
Join a specified mobility domain
(not required for “default” mobility
domain)
AOS-W 3.1 307
User Guide
Configuring IP Mobility
Chapter 15
to belong to both the “default” and user-defined mobility domain at the same
time, you must explicitly configure the “default” domain as an active domain for
the WLAN Switch.
The “default” mobility domain is the active domain for all WLAN Switches. If you
need only one mobility domain, you can use the default domain.
Using the WebUI to configure a mobility domain (on the master WLAN
Switch):
1. Navigate to the Configuration > Advanced Services > IP Mobility page.
2. Select the Enable IP Mobility checkbox.
3. To configure the default mobility domain, select the “default” domain in the
Mobility Domain list.
To create a new mobility domain, enter the name of the domain in Mobility
Domain Name and click Add; the new domain name appears in the Mobility
Domain list. Select the newly-created domain name.
4. Click Add under the Subnet column. Enter the subnetwork, mask, VLAN ID,
and home agent IP address and click Add.
Repeat this step for each HAT entry.
5. Click Apply.
Using the CLI to configure a mobility domain (on the master WLAN
Switch):
router mobile
ip mobile domain <name>
hat <subnetwork> <netmask> <vlan-id> <home-agent-address>
The VLAN ID must be the VLAN number on the home agent WLAN Switch.
To view currently-configured mobility domains in the CLI, use the show ip mobile
domain command.
NOTE:Make sure that the ESSID to which the mobile client will connect
supports IP mobility. You can disable IP mobility for an ESSID in the
virtual AP profile (IP mobility is enabled by default). If you disable IP
mobility for a virtual AP, any client that associates to the virtual AP will
not have mobility service.
Configuring IP Mobility
Chapter 15
308 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Joining a Mobility Domain
Assigning a WLAN Switch to a specific mobility domain is the key to defining the
roaming area for mobile clients. You should take extra care in planning your
mobility domains, including surveying the user VLANs and WLAN Switches to
which clients can roam, to ensure that there are no roaming holes.
NOTE:All WLAN Switches are initially part of the “default” mobility domain. If
you are using the default mobility domain, you do not need to specify this
domain as the active domain on a WLAN Switch. However, once you
assign a WLAN Switch to a user-defined domain, the “default” mobility
domain is no longer an active domain on the WLAN Switch.
Using the WebUI to join a mobility domain:
1. Navigate to the Configuration > Advanced Services > IP Mobility page.
2. In the Mobility Domain list, select the mobility domain.
3. Select the Active checkbox for the domain.
4. Click Apply.
Using the CLI to join a mobility domain:
ip mobile active-domain <name>
To view the active domains in the CLI, use the show ip mobile active-domains
command on the WLAN Switch.
Example Configuration
The following example is a campus with three buildings. An Alcatel WLAN Switch
in each building provides network connections for wireless users on several
different user VLANs. To allow wireless users to roam from building to building
without interrupting ongoing sessions, you configure a mobility domain that
includes all user VLANs on the three WLAN Switches. You configure the HAT on
the master WLAN Switch only (WLAN Switch A in this example). On the local
WLAN Switches (WLAN Switches B and C), you only need to enable mobility.
AOS-W 3.1 309
User Guide
Configuring IP Mobility
Chapter 15
FIGURE 15-32 Example Configuration: Campus-Wide Mobility
NOTE:This example uses the “default” mobility domain for the campus-wide
roaming area. Since all WLAN Switches are initially included in the default
mobility domain, you do not need to explicitly configure “default” as the
active domain on each WLAN Switch.
Using the WebUI:
On WLAN Switch A (the master WLAN Switch):
1. Navigate to the Configuration > Advanced Services > IP Mobility page.
2. Select the Enable IP Mobility checkbox.
3. Select the “default” domain in the Mobility Domain list.
4. Click Add under the Subnet column. Enter the subnetwork, mask, VLAN ID,
and home agent IP address for the first entry shown below and click Add.
BUILDING 1
BUILDING 2
BUILDING 3
SWITCH A
10.1.1.245
(MASTER)
SWITCH B
10.2.1.245
VLAN 1 10.1.1.0/24
VLAN 2 10.1.2.0/24
VLAN 3 10.1.3.0/24
VLAN 4 10.2.1.0/24
VLAN 6 10.2.3.0/24
VLAN 5 10.2.1.0/24
VLAN 1 10.1.1.0/24
SWITCH C
10.3.1.245
VLAN 7 10.3.1.0/24
VLAN 8 10.3.2.0/24
VLAN 9 10.3.3.0/24
Configuring IP Mobility
Chapter 15
310 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Repeat this step for each HAT entry.
5. Click Apply.
On WLAN Switches B and C:
1. Navigate to the Configuration > Advanced Services > IP Mobility page.
2. Select the Enable IP Mobility checkbox.
3. Click Apply.
Using the CLI:
On WLAN Switch A (the master WLAN Switch):
ip mobile domain default
hat 10.1.1.0 255.255.255.0 1 10.1.1.245
hat 10.1.1.0 255.255.255.0 1 10.2.1.245
hat 10.1.2.0 255.255.255.0 2 10.1.1.245
hat 10.1.3.0 255.255.255.0 3 10.1.1.245
hat 10.2.1.0 255.255.255.0 4 10.2.1.245
hat 10.2.2.0 255.255.255.0 5 10.2.1.245
hat 10.2.3.0 255.255.255.0 6 10.2.1.245
hat 10.3.1.0 255.255.255.0 7 10.3.1.245
hat 10.3.2.0 255.255.255.0 8 10.3.1.245
hat 10.3.3.0 255.255.255.0 9 10.3.1.245
router mobile
On WLAN Switches B and C:
router mobile
Subnetwork Mask VLAN ID Home Agent Address
10.1.1.0 255.255.255.0 1 10.1.1.245
10.1.1.0 255.255.255.0 1 10.2.1.245
10.1.2.0 255.255.255.0 2 10.1.1.245
10.1.3.0 255.255.255.0 3 10.1.1.245
10.2.1.0 255.255.255.0 4 10.2.1.245
10.2.2.0 255.255.255.0 5 10.2.1.245
10.2.3.0 255.255.255.0 6 10.2.1.245
10.3.1.0 255.255.255.0 7 10.3.1.245
10.3.2.0 255.255.255.0 8 10.3.1.245
10.3.3.0 255.255.255.0 9 10.3.1.245
AOS-W 3.1 311
User Guide
Configuring IP Mobility
Chapter 15
Tracking Mobile Users
This section describes the ways in which you can view information about the
status of mobile clients in the mobility domain.
Location-related information for users, such as roaming status, AP name, ESSID,
BSSID, and physical type are consistent in both the home agent and foreign
agent. The user name, role, and authentication can be different on the home
agent and foreign agent, as explained by the following: Whenever a client
connects to a WLAN Switch in a mobility domain, layer-2 authentication is
performed and the station obtains the layer-2 (logon) role. When the client roams
to other networks, layer-2 authentication is performed and the client obtains the
layer-2 role. If layer-3 authentication is required, this authentication is performed
on the client’s home agent only. The home agent obtains a new role for the client
after layer-3 authentication; this new role appears in the user status on the home
agent only. Even if re-authentication occurs after the station moves to a foreign
agent, the display on the foreign agent still shows the layer-2 role for the user.
Mobile Client Roaming Status
You can view the list of mobile clients and their roaming status on any WLAN
Switch in the mobility domain:
Using the WebUI to view mobile client status:
Navigate to the Monitoring > Switch > Clients page.
Using the CLI to view mobile client status:
show ip mobile host
Roaming status can be one of the following:
Home
Switch/Home
VLAN
This WLAN Switch is the home agent for a station and the
client is on the VLAN on which it has an IP address.
Mobile IP Visitor This WLAN Switch is not the home agent for a client.
Mobile IP Binding
(away)
This WLAN Switch is the home agent for a client that is
currently away.
Home
Switch/Foreign
VLAN
This WLAN Switch is the home agent for a client but the
client is currently on a different VLAN than its home VLAN
(the VLAN from which it acquired its IP address).
Configuring IP Mobility
Chapter 15
312 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
You can view the roaming status of users on any WLAN Switch in the mobility
domain:
Using the CLI to view user roaming status:
show user
Roaming status can be one of the following:
You can use the following CLI command to view the home agent, foreign agent,
and roaming status for a specific mobile client.
Using the CLI to view specific client information:
show ip mobile trace { <ipaddr> | <macaddr> }
Stale The client does not have connectivity in the mobility
domain. Either the WLAN Switch has received a
disassociation message for a client but has not received an
association or registration request for the client from
another WLAN Switch, or a home agent binding for the
station has expired before being refreshed by a foreign
agent.
No Mobility Service The WLAN Switch cannot provide mobility service to this
client. The mobile client may lose its IP address if it obtains
the address via DHCP and has limited connectivity. The
mobile client may be using an IP address that cannot be
served, or there may be a roaming hole due to improper
configuration.
Associated This client is on its home agent WLAN Switch and the client
is on the VLAN on which it has an IP address.
Visitor This client is visiting this WLAN Switch and the WLAN
Switch is not its home agent.
Away This client is currently away from its home agent WLAN
Switch.
Foreign VLAN This client is on its home agent WLAN Switch but the client
is currently on a different VLAN than the one on which it
has an IP address.
Stale This should be a temporary state as the client will either
recover connectivity or the client’s entry is deleted when
the stale timer expires.
AOS-W 3.1 313
User Guide
Configuring IP Mobility
Chapter 15
Mobile Client Roaming Locations
You can view information about where a mobile user has been in the mobility
domain. This information can only be viewed on the client’s home agent.
Using the WebUI to view client roaming locations:
1. Navigate to the Monitoring > Switch > Clients page.
2. Click Status. The mobility state section contains information about the user
locations.
Using the CLI to view client roaming locations:
show ip mobile trail { ip-address | MAC-address }
Advanced Configuration
You can configure various parameters that pertain to mobility functions on a
WLAN Switch in a mobility domain using either the WebUI or the CLI.
Using the WebUI to configure advanced mobility functions:
1. Navigate to the Configuration > Advanced Services > IP Mobility page.
2. Select the Global Parameters tab.
3. Click Apply after setting the parameter.
Using the CLI to configure mobility functions:
ip mobile foreign-agent ...
ip mobile home-agent ...
ip mobile proxy ...
ip mobile revocation ...
Proxy Mobile IP
The proxy mobile IP module in a mobility-enabled WLAN Switch detects when a
mobile client has moved to a foreign network and determines the home agent for
a roaming client. The proxy mobile IP module performs the following functions:
Configuring IP Mobility
Chapter 15
314 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Derives the address of the home agent for a mobile client from the HAT using
the mobile client’s IP address. If there is more than one possible home agent
for a mobile client in the HAT, the proxy mobile IP module uses a discovery
mechanism to find the current home agent for the client.
Detects when a mobile client has moved. Client moves are detected based on
ingress port and VLAN changes and mobility is triggered accordingly. For
faster roaming convergence between AP(s) on the same WLAN Switch, it is
recommended that you keep the “on-association” option enabled. This helps
trigger mobility as soon as 802.11 association packets are received from the
mobile client.
Proxy DHCP
When a mobile client first associates with a WLAN Switch, it sends a DHCP
discover request with no requested IP. The WLAN Switch allows DHCP packets
for the client onto the configured VLAN where, presumably, it will receive an IP
address. The incoming VLAN becomes the client’s home VLAN.
If a mobile client moves to another AP on the same WLAN Switch that places the
client on a different VLAN than its initial (home) VLAN, the proxy DHCP module
redirects packets from the client’s current/visited VLAN to the home VLAN. The
proxy DHCP module also redirects DHCP packets for the client from the home
VLAN to the visited VLAN.
If the mobile client moves to another WLAN Switch, the proxy DHCP module
attempts to discover if the client has an ongoing session on a different WLAN
Switch. When a remote WLAN Switch is identified, all DHCP packets from the
client are sent to the home agent where they are replayed on the home VLAN. The
proxy DHCP module also redirects DHCP packets for the client from the home
VLAN to the visited network. In either situation, operations of the proxy DHCP
module do not replace DHCP relay functions which can still operate on the client’s
home VLAN, either in the WLAN Switch or in another device.
Revocations
A home agent or foreign agent can send a registration revocation message, which
revokes registration service for the mobile client. For example, when a mobile
client roams from one foreign agent to another, the home agent can send a
registration revocation message to the first foreign agent so that the foreign
agent can free any resources held for the client.
AOS-W 3.1 315
User Guide
Configuring Redundancy 16
This chapter describes the following topics:
“Virtual Router Redundancy Protocol” on page 316
“Configuring Redundancy” on page 317
Configuring Redundancy
Chapter 16
316 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Virtual Router Redundancy Protocol
The underlying mechanism for the Alcatel redundancy solutions is the Virtual
Router Redundancy Protocol (VRRP). This mechanism can be used to create
various redundancy solutions, including the following:
Pairs of local Alcatel WLAN Switches acting in an active-active mode or a
hot-standby mode
A master WLAN Switch backing up a set of local WLAN Switches
A pair of WLAN Switches acting as a redundant pair of master WLAN
Switches in a hot standby mode
Each of these modes is explained in greater detail with the required configuration.
VRRP is designed to eliminate a single point of failure by providing an election
mechanism amongst WLAN Switches to elect a “master WLAN Switch. This
master WLAN Switch is the owner of the configured virtual IP address for the
VRRP instance. When the master becomes unavailable, one of the backup WLAN
Switches takes the place of the master and owns the virtual IP address. All
network elements (such as the APs and other WLAN Switches) can be configured
to access the virtual IP address, thereby providing a transparent redundant
solution to the rest of the network.
AOS-W 3.1 317
User Guide
Configuring Redundancy
Chapter 16
Configuring Redundancy
In an Alcatel network, the APs are controlled by a WLAN Switch. The APs tunnel
all data to the WLAN Switch which processes the data, including
encryption/decryption, bridging/forwarding, etc.
Local WLAN Switch redundancy refers to providing redundancy for a WLAN
Switch such that the APs fail overto a backup WLAN Switch if a WLAN Switch
becomes unavailable. Local WLAN Switch redundancy is provided by running
VRRP between a pair of WLAN Switches.
NOTE:The two WLAN Switches need to be connected on the same broadcast
domain (or Layer-2 connected) for VRRP operation. The two WLAN
Switches should be of the same class (for example, A800 to A800 or
higher), and both WLAN Switches should be running the same version of
AOS-W.
The APs are then configured to connect to the virtual-IP configured for the
VRRP instance.
You configure the parameters described in Table 16-23 on the local WLAN
Switches.
TABLE 16-23 VRRP Parameters
Parameter Description
Virtual Router
ID
This is the virtual router ID that uniquely identifies this VRRP
instance. For ease in administration, you should configure this
with the same value as the VLAN ID.
Advertisement
Interval
This is the interval, in seconds, between successive VRRP
advertisements sent by the current master.
Recommended to use the default (1 second).
Authentication
Password
This is an optional password of up to eight characters that can
be used to authenticate VRRP peers in their advertisements. If
this is not configured, there is no authentication password set.
Description This is an optional text description to describe the VRRP
instance.
IP Address This is the virtual IP address that will be owned by the elected
VRRP master.
Enable Router
Pre-emption
Selecting this option means that a WLAN Switch can take over
the role of master if it detects a lower priority WLAN Switch
currently acting as master.
Priority Priority level of the VRRP instance for the WLAN Switch. This
value is used in the election mechanism for the master.
Configuring Redundancy
Chapter 16
318 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Configuring Local WLAN Switch Redundancy
Collect the following information needed to configure local WLAN Switch
redundancy:
VLAN ID on the two local WLAN Switches that are on the same Layer-2
network and is used to configure VRRP.
Virtual IP address to be used for the VRRP instance.
Configure VRRP
You can use either the WebUI or CLI to configure VRRP on the local WLAN
Switches. For this topology, it is recommended to use the default priority value.
Using the WebUI to configure redundancy for a local WLAN Switch:
1. Navigate to the Configuration > Advanced Services > Redundancy page on
the WebUI for each of the local WLAN Switches.
2. Under Virtual Router Table, click Add to create a VRRP instance.
3. Enter the IP Address for the virtual router. Select the VLAN on which VRRP
will run. Set the Admin State to Up.
4. Click Done to apply the configuration and add the VRRP instance.
Using the CLI to configure redundancy for a local WLAN Switch:
Tracking Configures a tracking mechanism that adds a specified value to
the priority after a WLAN Switch has been the master for the
VRRP instance. This mechanism is used to avoid failing over to
a backup Master for transient failures.
Tracking can be based on one of the following:
Master Up Time: how long the WLAN Switch has been the
master. The value of duration is the length of time that the
administrator expects will be long enough that the
database gathered in the time is too important to be lost.
This will obviously vary from instance to instance.
VRRP Master State Priority: the master state of another
VRRP.
Admin State Administrative state of the VRRP instance. To start the VRRP
instance, change the admin state to UP in the WebUI.
VLAN VLAN on which the VRRP protocol will run.
TABLE 16-23 VRRP Parameters (Continued)
Parameter Description
AOS-W 3.1 319
User Guide
Configuring Redundancy
Chapter 16
vrrp <id>
ip address <ipaddr>
vlan <vlan>
no shutdown
Configure the LMS IP
Configure the APs to terminate their tunnels on the virtual-IP address. To specify
the WLAN Switch to which an AP or AP group tunnels client traffic, you configure
the LMS IP in the AP system profile on the master WLAN Switch. For information
on how to configure the LMS IP in the AP system profile, see “Configuring APs”
on page 300.
NOTE:This configuration needs to be executed on the master WLAN Switch as
the APs obtain their configuration from the master WLAN Switch.
Master WLAN Switch Redundancy
The master WLAN Switch in the Alcatel solution acts as a single point of
configuration for global policies such as firewall policies, authentication
parameters, RF configuration to ease the configuration and maintenance of a
wireless network. It also maintains a database related to the wireless network
that is used to make any adjustments (automated as well as manual) in reaction
to events that cause a change in the environment (such as an AP becoming
unavailable). The master WLAN Switch is also responsible for providing the
configuration for any AP to complete its boot process. If the master WLAN
Switch becomes unavailable, the network continues to run without any
interruption. However any change in the network topology or configuration will
require the availability of the master WLAN Switch.
To maintain a highly redundant network, the administrator can use a WLAN
Switch to act as a hot standby for the master WLAN Switch. The underlying
protocol used is the same as in local redundancy, that is, VRRP.
1. Collect the following data before configuring master WLAN Switch
redundancy.
zVLAN ID on the two WLAN Switches that are on the same layer 2
network and will be used to configure VRRP.
zVirtual IP address that has been reserved to be used for the VRRP
instance
2. You can use either the WebUI or CLI to configure VRRP on the master WLAN
Switches (see Table 16-23). For this topology, the following are
recommended values:
zFor priority: Set the master to 110; set the backup to 100 (the default
value)
zEnable pre-emption
Configuring Redundancy
Chapter 16
320 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
zConfigure master up time or master state tracking with an add value of
20.
The following shows an example of the configuration on the “initially-preferred
master”.
vrrp 22
vlan 22
ip address 10.200.22.254
priority 110
preempt
authentication password
description Preferred-Master
tracking master-up-time 30 add 20
no shutdown
The following shows the corresponding VRRP configuration for the peer WLAN
Switch.
vrrp 22
vlan 22
ip address 10.200.22.254
priority 100
preempt
authentication password
description Backup-Master
tracking master-up-time 30 add 20
no shutdown
Use the following commands to associate the VRRP instance with master WLAN
Switch redundancy.
Command Explanation
master-redundancy
Enter the master-redundancy context.
master-vrrp <id>
Associates a VRRP instance with master
redundancy. Enter the virtual router ID of the
VRRP instance.
peer-ip-address <ipaddr>
Loopback IP address of the peer WLAN Switch
for master redundancy.
AOS-W 3.1 321
User Guide
Configuring Redundancy
Chapter 16
NOTE:All the APs and local WLAN Switches in the network should be
configured with the virtual IP address as the master IP address. The
master IP address can be configured for local WLAN Switches during
the Initial Setup (refer to the Alcatel Quick Start Guide). You can also
use the following commands to change the master IP of the local
WLAN Switch. The WLAN Switch will require a reboot after changing
the master IP on the WLAN Switch.
If DNS resolution is the chosen mechanism for the APs to discover their master
WLAN Switch, ensure that the name “aruba-master” resolves to the same virtual
IP address configured as a part of the master redundancy.
Master-Local WLAN Switch Redundancy
This section outlines the concepts behind a redundancy solution where a master
can act as a backup for one or more local WLAN Switches and shows how to
configure the Alcatel WLAN Switches for such a redundant solution. In this
solution, the local WLAN Switches act as the WLAN Switch for the APs. When
any one of the local WLAN Switches becomes unavailable, the master takes over
the APs controlled by that local WLAN Switch for the time that the local WLAN
Switch remains unavailable. It is configured such that when the local WLAN
Switch comes back again, it can take control over the APs once more.
This type of redundant solution is illustrated by the following topology diagram.
NOTE:This solution requires that the master WLAN Switch have Layer-2
connectivity to all the local WLAN Switches.
Command Explanation
masterip <ipaddr>
Configures the master IP address for a local WLAN
Switch.
Configure this to be the virtual IP address of the VRRP
instance used for master redundancy.
Configuring Redundancy
Chapter 16
322 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
FIGURE 16-33 Redundant Topology: Master-Local Redundancy
In the network shown above, the master WLAN Switch is connected to the local
WLAN Switches on VLANs 1 through n through a Layer-2 network. To configure
redundancy as described in the conceptual overview for master-local redundancy,
configure VRRP instances on each of the VLANs between the master and the
respective local WLAN Switch. The VRRP instance on the local WLAN Switch is
configured with a higher priority to ensure that when available, the APs always
choose the local WLAN Switch to terminate their tunnels.
To configure the master and local WLAN Switches for redundant
topology:
1. Configure the interface on the master WLAN Switch to be a trunk port with 1,
2… n being member VLANs.
2. Collect the following data before configuring master WLAN Switch
redundancy.
zVLAN IDs on the WLAN Switches corresponding to the VLANs 1, 2…n
shown in the topology above.
zVirtual IP addresses that has been reserved to be used for the VRRP
instances.
3. You can use either the WebUI or CLI to configure VRRP on the master WLAN
Switches (see Table 16-23). For this topology, the following are
recommended values:
zFor priority: Set the local to 110; set the master to 100 (the default value)
zEnable pre-emption
AOS-W 3.1 323
User Guide
Configuring Redundancy
Chapter 16
NOTE:The master WLAN Switch will be configured for a number of VRRP
instances (equal to the number of local WLAN Switches the master is
backing up).
The following shows an example configuration of the Master WLAN Switch in
such a topology for one of the VLANs (in this case VLAN 22).
vrrp 22
vlan 22
ip address 10.200.22.254
priority 100
preempt
authentication password
description Master-acting-as-backup-to-local
tracking master-up-time 30 add 20
no shutdown
The following shows the configuration on the corresponding local WLAN Switch.
vrrp 22
vlan 22
ip address 10.200.22.254
priority 110
preempt
authentication password
description local-backed-by-master
no shutdown
To configure APs, you configure the appropriate virtual IP address (depending on
which WLAN Switch is expected to control the APs) for the LMS IP address
parameter in the AP system profile for an AP group or specified AP.
As an example, the administrator can configure APs in the AP group “floor1” to
be controlled by local WLAN Switch 1, APs in the AP group “floor2” to be
controlled by local WLAN Switch 2 and so on. All the local WLAN Switches are
backed up by the master WLAN Switch. In the AP system profile for the AP group
“floor1”, enter the virtual IP address (10.200.22.154 in the example configuration)
for the LMS IP address on the master WLAN Switch.
NOTE:You configure APs on the master WLAN Switch.
Configuration changes take effect only after you reboot the affected APs; this
allows them to reassociate with the local WLAN Switch. After rebooting, these
APs appear to the new local WLAN Switch as local APs.
Using the WebUI to configure the LMS IP:
1. Navigate to the Configuration > Wireless > AP Configuration page on the
master WLAN Switch.
Configuring Redundancy
Chapter 16
324 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
zIf you select AP Group, click Edit for the AP group name for which you
want to configure the LMS IP.
zIf you select AP Specific, select the name of the AP for which you want
to configure the LMS IP.
2. Under the Profiles section, select AP to display the AP profiles.
3. Select the AP system profile you want to modify.
4. Enter the WLAN Switch IP address in the LMS IP field.
5. Click Apply.
Using the CLI to configure the LMS IP:
On the master WLAN Switch:
ap system-profile <profile>
lms-ip <ipaddr>
ap-group <group>
ap-system-profile <profile>
ap-name <name>
ap-system-profile <profile>
Volume 6
Configuring
Intrusion
Protection
AOS-W Version 3.1
326 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 327
User Guide
Configuring Wireless
Intrusion Prevention 17
This chapter describes how to configure various intrusion detection system (IDS)
capabilities of the Alcatel OmniAccess system. The Alcatel system offers a variety
of IDS/intrusion prevention system (IPS) features that you can configure and
deploy as required. Like most other security-related features of the Alcatel
system, the IDS configuration is done completely on the master WLAN Switch in
the network.
NOTE:To use the IDS features described in this chapter, you must install a
Wireless Intrusion Protection license in the WLAN Switch.
This chapter describes the following topics:
“IDS Features” on page 328
“IDS Configuration” on page 332
“Client Blacklisting” on page 354
Configuring Wireless Intrusion Prevention
Chapter 17
328 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
IDS Features
This section describes IDS features provided by the Alcatel system.
Unauthorized Device Detection
Unauthorized device detection includes the ability to detect and disable rogue APs
and other devices that can potentially disrupt network operations.
Rogue/Interfering AP Detection
The most important IDS functionality offered in the Alcatel system is the ability to
classify an AP as either a rogue AP or an interfering AP. An AP is considered to be
a rogue AP if it is both unauthorized and plugged into the wired side of the
network. An AP is considered to be an interfering AP if it is seen in the RF
environment but is not connected to the wired network. While the interfering AP
can potentially cause RF interference, it is not considered a direct security threat
since it is not connected to the wired network. However, an interfering AP may be
reclassified as a rogue AP.
You can enable a policy to automatically disable APs that are classified as a rogue
APs by the Alcatel system. When a rogue AP is disabled, no wireless stations are
allowed to associate to that AP. Refer to “Configuring Unauthorized Device
Detection” on page 344 for details on how to configure rogue AP detection,
classification, and containment.
You can manually reclassify an interfering AP. Refer to “Classifying APs” on
page 350 for details on how to change the classification of an AP.
Adhoc Network Detection and Containment
As far as network administrators are concerned, ad-hoc wireless networks are
uncontrolled. If they do not use encryption, they may expose sensitive data to
outside eavesdroppers. If a device is connected to a wired network and has
bridging enabled, an ad-hoc network may also function like a rogue AP.
Additionally, ad-hoc networks can expose client devices to viruses and other
security vulnerabilities. For these reasons, many administrators choose to prohibit
ad-hoc networks. The Alcatel system can perform both ad-hoc network detection
and also disable ad-hoc networks when they are found.
Wireless Bridge Detection
Wireless bridges are normally used to connect multiple buildings together.
However, an attacker could place (or have an authorized person place) a wireless
bridge inside the network that would extend the corporate network somewhere
outside the building. Wireless bridges are somewhat different from rogue APs in
AOS-W 3.1 329
User Guide
Configuring Wireless Intrusion Prevention
Chapter 17
that they do not use beacons and have no concept of association. Most networks
do not use bridges – in these networks, the presence of a bridge is a signal that a
security problem exists.
Misconfigured AP Detection
If desired, a list of parameters can be configured that defines the characteristics
of a valid AP. This is primarily used when non-Alcatel APs are being used in the
network since the Alcatel WLAN Switch cannot configure the third-party APs.
These parameters can include preamble type, WEP configuration, OUI of valid
MAC addresses, valid channels, DCF/PCF configuration, and ESSID. The system
can also be configured to detect an AP using a weak WEP key. If a valid AP is
detected as misconfigured, the system will deny access to the misconfigured AP
if protection is enabled. In cases where someone gains configuration access to a
third-party AP and changes the configuration, this policy is useful in blocking
access to that AP until the configuration can be fixed.
Weak WEP Detection
The primary means of cracking WEP keys is by capturing 802.11 frames over an
extended period of time and searching for patterns of WEP initialization vectors
(IVs) that are known to be weak. The Alcatel system will monitor for devices
using weak WEP implementations and generate reports for the administrator of
which devices require upgrades.
Multi Tenancy Protection
The Alcatel system provides the ability to configure SSID lists, and disable
unrecognized APs using these reserved resources. This feature can be used in a
multi-tenant building where different enterprises must share the RF environment.
This feature can also be used to defend against “honeypot” APs. A “honeypot”
AP is an attacker’s AP that is set up in close proximity to an enterprise,
advertising the ESSID of the enterprise. The goal of such an attack is to lure valid
clients to associate to the honeypot AP. From that point, a man in the middle
(MITM) attack can be mounted, or an attempt can be made to learn the client’s
authentication credentials. Most client devices have no way of distinguishing
between a valid AP and an invalid one – the devices only look for a particular
ESSID and will associate to the nearest AP advertising that ESSID.
MAC OUI Checking
The Alcatel system provides the ability to match MAC addresses seen in the air
with known manufacturers. The first three bytes of a MAC address are known as
the MAC OUI (Organizationally Unique Identifier) and are assigned by the IEEE.
Often, clients using a spoofed MAC address will not use a valid OUI, and instead
use a randomly generated MAC address. By enabling MAC OUI checking,
administrators will be notified if an unrecognized MAC address is in use.
Configuring Wireless Intrusion Prevention
Chapter 17
330 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Denial of Service (DoS) Detection
DoS attacks are designed to prevent or inhibit legitimate clients from accessing
the network. This includes blocking network access completely, degrading
network service, and increasing processing load on clients and network
equipment. Denial of Service attack detection encompasses both rate analysis
and the detection of a specific DoS attack known as Fake AP.
Rate Analysis
Many DoS attacks flood an AP or multiple APs with 802.11 management frames.
These can include authenticate/associate frames which are designed to fill up the
association table of an AP. Other management frame floods, such as probe
request floods, can consume excess processing power on the AP. The Alcatel
WLAN Switch can be configured with the thresholds that indicate a DoS attack
and can detect the same. Refer to “Configuring Denial of Service Attack
Detection” on page 335 for more details.
Fake AP
Fake AP is a tool that was originally created to thwart wardrivers by flooding
beacon frames containing hundreds of different addresses. This would appear to
a wardriver as though there were hundreds of different APs in the area, thus
concealing the real AP. While the tool is still effective for this purpose, a newer
purpose is to flood public hotspots or enterprises with fake AP beacons to
confuse legitimate clients and to increase the amount of processing client
operating systems must do. Refer to “Configuring Denial of Service Attack
Detection” on page 335 for more details.
Impersonation Detection
A successful man-in-the-middle attack will insert an attacker into the data path
between the client and the AP. In such a position, the attacker can delete, add, or
modify data, provided he has access to the encryption keys. Such an attack also
enables other attacks that can learn a client’s authentication credentials.
Man-in-the-middle attacks often rely on a number of different vulnerabilities.
Station Disconnection
Spoofed deauthenticate frames form the basis for most denial of service attacks,
as well as the basis for many other attacks such as man-in-the-middle. In a
station disconnection attack, an attacker spoofs the MAC address of either an
active client or an active AP. The attacker then sends deauthenticate frames to the
target device, causing it to lose its active association. In addition to a
deauthentication frame, Reassociate, Authenticate, and Disassociate frames can
also cause the target device to lose its active association.
AOS-W 3.1 331
User Guide
Configuring Wireless Intrusion Prevention
Chapter 17
EAP Handshake Analysis
EAP (Extensible Authentication Protocol) is a component of 802.1x used for
authentication. Some attacks, such as “ASLEAP” (used to attack Cisco LEAP)
send spoofed deauthenticate messages to clients in order to force the client to
re-authenticate multiple times. These attacks then capture the authentication
frames for offline analysis. EAP Handshake Analysis detects a client performing
an abnormal number of authentication procedures and generates an alarm when
this condition is detected.
Sequence Number Analysis
During an impersonation attack, the attacker will generally spoof the MAC
address of a client or AP. If two devices are active on the network with the same
MAC address, their 802.11 sequence numbers will not match – since the
sequence number is usually generated by the NIC firmware, even a custom driver
will not generally be able to modify these numbers. Sequence number analysis
will detect possible impersonation attacks by looking for anomalies between
sequence numbers seen in frames in the air.
AP Impersonation
AP impersonation attacks can be done for several purposes, including as a
Man-In-the-Middle attack, as a rogue AP attempting to bypass detection, and as a
possible honeypot attack. In such an attack, the attacker sets up an AP that
assumes the BSSID and ESSID of a valid AP.
Signature Detection
Many WLAN intrusion and attack tools generate characteristic signatures that can
be detected by the Alcatel network. The system is pre-configured with several
known signatures, and also includes the ability for you to create new signatures.
For more details on how to configure and create new signatures refer to
“Configuring Signature Detection” on page 341.
Configuring Wireless Intrusion Prevention
Chapter 17
332 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
IDS Configuration
This section describes how to configure IDS features using the IDS profiles. You
apply the top-level IDS profile to an AP group or specific AP.
IDS Profile Hierarchy
The top-level IDS profile, assigned to an AP group or AP name, refers to the
following IDS profiles:
Alcatel provides a set of predefined profiles that provide different levels of
sensitivity. The following are predefined IDS profiles:
ids-disabled
ids-high-setting
ids-low-setting
ids-medium-setting (the default setting)
NOTE:A predefined IDS profile refers to specific instances of the other IDS
profiles. You cannot create new instances of a profile within a predefined
IDS profile. You can modify parameters within the other IDS profiles.
Using the WebUI to configure IDS:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
zIf you select AP Group, click Edit for the AP group name for which you
want to configure IDS.
TABLE 17-24 IDS Profiles
Profile Description
IDS General profile Configures AM attributes.
IDS Signature Matching Configures signatures for intrusion detection. This
profile can include predefined signatures or
signatures that you configure.
IDS DoS profile Configures traffic anomalies for Denial of Service
attacks.
IDS Impersonation profile Configures anomalies for impersonation attacks.
IDS Unauthorized Device
profile
Configures detection for unauthorized devices. Also
configures rogue AP detection and containment.
AOS-W 3.1 333
User Guide
Configuring Wireless Intrusion Prevention
Chapter 17
zIf you select AP Specific, select the name of the AP for which you want
to configure IDS.
2. In the Profiles list, select IDS. Select IDS profile to display the IDS profiles that
are contained in the top-level profile. You can select a predefined IDS profile
or create a new profile.
3. Click Apply.
Using the CLI to configure IDS:
ap-group <group>
ids-profile <profile>
Configuring the IDS General Profile
Table 17-25 describes the parameters you can configure in the IDS general profile.
TABLE 17-25 IDS General Profile Configuration Parameters
Parameter Description
Stats Update Interval Time interval, in seconds, for the AP to update the
WLAN Switch with statistics.
NOTE:This setting takes effect only if the Alcatel
Mobility Manager is configured. Otherwise,
statistics update to the WLAN Switch is
disabled.
Default: 60 seconds
AP Inactivity Timeout Time, in seconds, after which an AP is aged out.
Default: 5 seconds
STA Inactivity Timeout Time, in seconds, after which a STA is aged out.
Default: 60 seconds
Min Potential AP Beacon
Rate
Minimum beacon rate acceptable from a potential
AP, in percentage of the advertised beacon interval.
Default: 25%
Min Potential AP Monitor
Time
Minimum time, in seconds, a potential AP has to be
up before it is classified as a real AP.
Default: 2 seconds
Configuring Wireless Intrusion Prevention
Chapter 17
334 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the WebUI to configure the IDS general profile:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
zIf you select AP Group, click Edit for the AP group name for which you
want to configure IDS.
zIf you select AP Specific, select the name of the AP for which you want
to configure IDS.
2. Select IDS. Select IDS profile to display the IDS profiles that are contained in
the top-level profile.
3. Select IDS General profile.
4. You can select a predefined IDS general profile from the drop-down menu. Or
you can modify parameters and click Save As to create an IDS general profile
instance.
NOTE:If you selected a predefined IDS profile, you cannot select or create a
different IDS general profile instance. You can modify parameters
within the IDS general profile instance.
5. Click Apply.
Using the CLI to configure the IDS general profile:
ids general-profile <profile>
<parameter> <value>
Signature Quiet Time Time to wait, in seconds, after detecting a signature
match after which the check can be resumed.
Default: 900 seconds
Wireless Containment Enable/disable containment from the wireless side.
Default: disabled
Debug Wireless
Containment
Enable/disable debugging of containment from the
wireless side.
Default: disabled
Wired Containment Enable/disable containment from the wired side.
Default: disabled
TABLE 17-25 IDS General Profile Configuration Parameters (Continued)
Parameter Description
AOS-W 3.1 335
User Guide
Configuring Wireless Intrusion Prevention
Chapter 17
Configuring Denial of Service Attack Detection
Table 17-26 describes the parameters you can configure in the IDS DoS profile.
TABLE 17-26 IDS Denial of Service Profile Configuration Parameters
Parameter Description
Detect Disconnect
Station Attack
Enables or disables detection of station
disconnection attacks.
Default: disabled
Disconnect STA
Detection Quiet Time
After a station disconnection attack is detected, the
time (in seconds) that must elapse before another
identical alarm can be generated.
Default: 900 seconds
Detect AP Flood Attack Enables or disables the detection of flooding with
fake AP beacons to confuse legitimate users and to
increase the amount of processing need on client
operating systems.
Default: disabled
AP Flood Threshold Number of Fake AP beacons that must be received
within the Flood Increase Time to trigger an alarm.
Default: 50
AP Flood Increase Time Time, in seconds, during which a configured number
of Fake AP beacons must be received to trigger an
alarm.
Default: 3 seconds
AP Flood Detection Quiet
Time
After an alarm has been triggered by a Fake AP
flood, the time (in seconds) that must elapse before
an identical alarm may be triggered.
Default: 900 seconds
Detect EAP Rate
Anomaly
Enables or disables Extensible Authentication
Protocol (EAP) handshake analysis to detect an
abnormal number of authentication procedures on a
channel and generates an alarm when this condition
is detected.
Default: disabled
Configuring Wireless Intrusion Prevention
Chapter 17
336 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the WebUI to configure the IDS DoS profile:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
zIf you select AP Group, click Edit for the AP group name for which you
want to configure IDS.
zIf you select AP Specific, select the name of the AP for which you want
to configure IDS.
2. Select IDS. Select IDS profile to display the IDS profiles that are contained in
the top-level profile.
3. Select IDS DoS profile.
4. You can select a predefined profile from the drop-down menu. Or you can
modify parameters and click Save As to create an IDS DoS profile instance.
NOTE:If you selected a predefined IDS profile, you cannot select or create a
different IDS DoS profile instance. You can modify parameters within
the IDS DoS profile instance.
5. Click Apply.
Using the CLI to configure the IDS DoS profile:
ids dos-profile <profile>
EAP Rate Threshold Number of EAP handshakes that must be received
within the EAP Rate Time Interval to trigger an alarm.
Default: 60
EAP Rate Time Interval Time, in seconds, during which the configured
number of EAP handshakes must be received to
trigger an alarm.
Default: 3 seconds
EAP Rate Quiet Time After an alarm has been triggered, the time (in
seconds) that must elapse before another identical
alarm may be triggered.
Default: 900 seconds
Detect Rate Anomalies Enables or disables detection of rate anomalies.
Default: disabled
TABLE 17-26 IDS Denial of Service Profile Configuration Parameters
Parameter Description
AOS-W 3.1 337
User Guide
Configuring Wireless Intrusion Prevention
Chapter 17
<parameter> <value>
IDS Rate Thresholds Profile
IDS rate threshold profile defines thresholds assigned to the different frame types
for rate anomaly checking. A profile of this type is attached to each of the
following 802.11 frame types in the IDS Denial of Service profile:
Association frames
Disassociation frames
Deauthentication frames
Probe Request frames
Probe Response frames
Authentication frames
A channel threshold applies to an entire channel, while a node threshold applies
to a particular client MAC address. Alcatel provides predefined default IDS rate
thresholds profiles for each of these types of frames. Default values depend upon
the frame type.
Table 17-27 describes the parameters you can configure for the IDS rate threshold
profile.
TABLE 17-27 IDS Rate Thresholds Profile Configuration Parameters
Parameter Description
Channel Increase Time Time, in seconds, in which the threshold must be
exceeded in order to trigger an alarm.
Channel Quiet Time After an alarm has been triggered, the time that must
elapse before another identical alarm may be
triggered. This option prevents excessive messages
in the log file.
Channel Threshold Specifies the number of a specific type of frame that
must be exceeded within a specific interval in an
entire channel to trigger an alarm.
Configuring Wireless Intrusion Prevention
Chapter 17
338 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the WebUI to configure an IDS rate thresholds profile:
1. In the Profiles list, under the IDS DoS profile, select the threshold profile you
want to configure.
2. You can select a predefined profile from the drop-down menu. Or you can
modify parameters and click Save As to create a threshold profile instance.
3. Click Apply.
Using the CLI to configure an IDS rate thresholds profile:
ids rate-thresholds-profile <profile>
<parameter> <value>
ids dos-profile <profile>
<frame-type> <thresholds-profile>
Configuring Impersonation Detection
Table 17-28 describes the parameters you can configure in the IDS DoS profile.
Node Quiet Time After an alarm has been triggered, the time that must
elapse before another identical alarm may be
triggered. This option prevents excessive messages
in the log file.
Node Threshold Specifies the number of a specific type of frame that
must be exceeded within a specific interval for a
particular client MAC address to trigger an alarm.
Node Time Interval Time, in seconds, in which the threshold must be
exceeded in order to trigger an alarm.
TABLE 17-27 IDS Rate Thresholds Profile Configuration Parameters
Parameter Description
AOS-W 3.1 339
User Guide
Configuring Wireless Intrusion Prevention
Chapter 17
TABLE 17-28 IDS Impersonation Profile Configuration Parameters
Parameter Description
Detect AP Impersonation Enables or disables detection of AP impersonation.
In AP impersonation attacks, the attacker sets up an
AP that assumes the BSSID and ESSID of a valid AP.
AP impersonation attacks can be done for
man-in-the-middle attacks, a rogue AP attempting to
bypass detection, or a honeypot attack.
Default: disabled
Protect from AP
Impersonation
When AP impersonation is detected, both the
legitimate and impersonating AP are disabled using a
denial of service attack.
Default: disabled
Beacon Diff Threshold Percentage increase in beacon rate that triggers an
AP impersonation event.
Default: 50%
Beacon Increase Wait
Time
Time, in seconds, after the Beacon Diff Threshold is
crossed before an AP impersonation event is
generated.
Default: 3 seconds
Detect Sequence
Anomaly
Enables or disables detection of anomalies between
sequence numbers seen in 802.11 frames. During an
impersonation attack, the attacker may spoof the
MAC address of a client or AP — if two devices are
active on the network with the same MAC address,
the sequence numbers in the frames will not match
since the sequence number is generated by NIC
firmware.
Default: disabled
Sequence Number
Difference
Maximum allowable tolerance between sequence
numbers within the Sequence Number Time
Tolerance period.
Default: 300
Configuring Wireless Intrusion Prevention
Chapter 17
340 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the WebUI to configure the IDS impersonation profile:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
zIf you select AP Group, click Edit for the AP group name for which you
want to configure IDS.
zIf you select AP Specific, select the name of the AP for which you want
to configure IDS.
2. Select IDS. Select IDS profile to display the IDS profiles that are contained in
the top-level profile.
3. Select IDS Impersonation profile.
4. You can select a predefined profile from the drop-down menu. Or you can
modify parameters and click Save As to create an IDS impersonation profile
instance.
NOTE:If you selected a predefined IDS profile, you cannot select or create a
different IDS impersonation profile instance. You can modify
parameters within the IDS impersonation profile instance.
5. Click Apply.
Using the CLI to configure the IDS impersonation profile:
ids impersonation-profile <profile>
<parameter> <value>
Sequence Number Time
Tolerance
Time, in seconds, during which sequence numbers
must exceed the Sequence Number Difference value
for an alarm to be triggered.
Default: 300 seconds
Sequence Number Quiet
Time
After an alarm has been triggered, the time (in
seconds) that must elapse before another identical
alarm may be triggered.
Default: 900 seconds
TABLE 17-28 IDS Impersonation Profile Configuration Parameters
Parameter Description
AOS-W 3.1 341
User Guide
Configuring Wireless Intrusion Prevention
Chapter 17
Configuring Signature Detection
The IDS signature matching profile contains signatures for intrusion detection.
This profile can include predefined signatures or signatures that you configure.
Table 17-29 describes the predefined signatures that you can add to the profile.
.
TABLE 17-29 Predefined Signatures
Signature Description
ASLEAP A tool created for Linux systems that has
been used to attack Cisco LEAP
authentication protocol.
Null-Probe-Response An attack with the potential to crash or lock
up the firmware of many 802.11 NICs. In this
attack, a client probe-request frame will be
answered by a probe response containing a
null SSID. A number of popular NIC cards will
lock up upon receiving such a probe
response.
AirJack Originally a suite of device drivers for
802.11(a/b/g) raw frame injection and
reception. It was intended to be used as a
development tool for all 802.11 applications
that need to access the raw protocol,
however one of the tools included allowed
users to force off all users on an Access
Point.
NetStumbler Generic NetStumbler is a popular wardriving
application used to locate 802.11 networks.
When used with certain NICs (such as
Orinoco), NetStumbler generates a
characteristic frame that can be detected.
NetStumbler Version 3.3.0x Version 3.3.0 of NetStumbler changed the
characteristic frame slightly. This signature
detects the updated frame.
Deauth-Broadcast A deauth broadcast attempts to disconnect
all stations in range – rather than sending a
spoofed deauth to a specific MAC address,
this attack sends the frame to a broadcast
address.
Configuring Wireless Intrusion Prevention
Chapter 17
342 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the WebUI to configure the IDS signature-matching profile:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
zIf you select AP Group, click Edit for the AP group name for which you
want to configure IDS.
zIf you select AP Specific, select the name of the AP for which you want
to configure IDS.
2. Select IDS. Select IDS profile to display the IDS profiles that are contained in
the top-level profile.
3. Select IDS Signature Matching profile.
4. You can select a predefined profile from the drop-down menu. Or you can
modify parameters and click Save As to create an IDS signature-matching
profile instance.
NOTE:If you selected a predefined IDS profile, you cannot select or create a
different IDS signature-matching profile instance. You can modify
parameters within the IDS signature-matching profile instance.
5. Click Apply.
Using the CLI to configure the IDS signature-matching profile:
ids signature-matching-profile <profile
signature <predefined-signature>
Creating a New Signature
Signature rules match an attribute to a value. For example, you can add a rule that
matches the BSSID to the value 00:00:00:00:00:0a. Table 17-30 describes the
attributes and values you can configure for a signature rule.
AOS-W 3.1 343
User Guide
Configuring Wireless Intrusion Prevention
Chapter 17
TABLE 17-30 Signature Rule Attributes
Attribute Description
BSSID BSSID field in the 802.11 frame header.
Destination MAC address Destination MAC address in 802.11 frame header.
Frame Type Type of 802.11 frame. For each type of frame
further details can be specified to filter and detect
only the required frames. It can be one of the
following:
association
auth
beacon
control (all control frames)
data (all data frames)
deauth
deassoc
management (all management frames)
probe-request
probe-response
SSID For beacon, probe-request, and probe-response
frame types, specify the SSID as either a string or
hex pattern.
SSID-length For beacon, probe-request, and probe-response
frame types, specify the SSID length. Maximum
length is 32 bytes.
Payload Pattern at a fixed offset in the payload of a 802.11
frame. Specify the pattern to be matched as a
sgring or hex pattern. Maximum length is 32
bytes.
Offset When a payload pattern is configured, specify the
offset in the payload where the pattern is expected
to be found in the frame.
Sequence Number Sequence number of the frame.
Source MAC address Source MAC address of the 802.11 frame.
Configuring Wireless Intrusion Prevention
Chapter 17
344 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the WebUI to create a new signature:
1. Navigate to the Configuration > Advanced Services > All Profiles page.
2. Scroll the list of profiles to select IDS Signature Profile. Enter the name of the
new signature profile and click Add.
3. Select the new signature profile name to display profile details.
4. Click New to add a rule to the profile.
5. After completing configuring the rule to be added, click Add to add the rule.
6. Click Apply.
Using the CLI to add a new signature:
ids signature-profile <profile>
<rule>
Configuring Unauthorized Device Detection
Table 17-31 describes the parameters you can configure in the IDS unauthorized
device detection profile.
TABLE 17-31 IDS Unauthorized Device Profile Configuration Parameters
Parameter Description
Detect Adhoc Networks Enable or disable detection of adhoc networks.
Default: disabled
Protect from Adhoc
Networks
Enable or disable protection from adhoc networks.
When adhoc networks are detected, they are
disabled using a denial of service attack.
Default: disabled
Detect Windows Bridge Enable or disable detection of Windows station
bridging.
Default: disabled
Detect Wireless Bridge Enable or disable detection of wireless bridging.
Default: disabled
AOS-W 3.1 345
User Guide
Configuring Wireless Intrusion Prevention
Chapter 17
Detect Devices with an
Invalid MAC OUI
Enables or disables the checking of the first three
bytes of a MAC address, known as the MAC
organizationally unique identifier (OUI), assigned by
the IEEE to known manufacturers. Often clients
using a spoofed MAC address do not use a valid OUI
and instead use a randomly generated MAC address.
Enabling MAC OUI checking causes an alarm to be
triggered if an unrecognized MAC address is in use.
Default: disabled
MAC OUI detection Quiet
Time
The time, in seconds, that must elapse after an
invalid MAC OUI alarm has been triggered before
another identical alarm may be triggered.
Default: 900 seconds
Adhoc Network detection
Quiet Time
The time, in seconds, that must elapse after an
adhoc network detection alarm has been triggered
before another identical alarm may be triggered.
Default: 900 seconds
Wireless Bridge detection
Quiet Time
The time, in seconds, that must elapse after a
wireless bridging alarm has been triggered before
another identical alarm may be triggered.
Default: 900 seconds
Rogue AP Classification Enable or disable rogue AP classification. A rogue
AP is one that is unauthorized and plugged into the
wired side of the network. Any other AP seen in the
RF environment that is not part of the valid
enterprise network is considered to be “interfering”
— it has the potential to cause RF interference but it
is not connected to the wired network and thus does
not represent a direct threat.
Default: disabled
Overlay Rogue
Classification
This option is useful when Alcatel APs are used for
monitoring a non-Alcatel wireless network, as it
allows APs that are plugged into the wired side of
the network to be classified as “suspected rogue”
instead of “rogue”. Suspected rogue APs are not
subject to rogue containment.
Default: enabled
TABLE 17-31 IDS Unauthorized Device Profile Configuration Parameters
Parameter Description
Configuring Wireless Intrusion Prevention
Chapter 17
346 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Valid Wired Macs List of MAC addresses of wired devices in the
network, typically gateways or servers.
Default: N/A
Rogue Containment By default, rogue APs are only detected but are not
automatically disabled. This option automatically
shuts down rogue APs. When this option is enabled,
clients attempting to associate to a rogue AP will be
disconnected from the rogue AP through a denial of
service attack.
Default: disabled
Protect Valid Stations Does not allow valid stations to connect to a
non-valid AP (see “Classifying APs” on page 350).
Default: disabled
Detect Bad WEP Enables or disables detection of WEP initialization
vectors that are known to be weak. A primary means
of cracking WEP keys is to capture 802.11 frames
over an extended period of time and searching for
such weak implementations that are still used by
many legacy devices.
Default: disabled
Detect Misconfigured AP Enables or disables detection of misconfigured APs.
An AP is classified as misconfigured if it does not
meet any of the following configurable parameters:
Valid channels
Encryption type
Short preamble
List of valid AP MAC OUIs
Valid SSID list
Default: disabled
Protect Misconfigured
AP
Enables or disables protection of misconfigured APs.
Default: disabled
Protect SSID Enables or disables use of SSID by only valid APs.
Default: disabled
TABLE 17-31 IDS Unauthorized Device Profile Configuration Parameters
Parameter Description
AOS-W 3.1 347
User Guide
Configuring Wireless Intrusion Prevention
Chapter 17
Using the WebUI to configure the IDS unauthorized device profile:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
zIf you select AP Group, click Edit for the AP group name for which you
want to configure IDS.
zIf you select AP Specific, select the name of the AP for which you want
to configure IDS.
2. Select IDS. Select IDS profile to display the IDS profiles that are contained in
the top-level profile.
3. Select IDS Unauthorized Device profile.
4. You can select a predefined profile from the drop-down menu. Or you can
modify parameters and click Save As to create an IDS unauthorized device
profile instance.
NOTE:If you selected a predefined IDS profile, you cannot select or create a
different IDS unauthorized device profile instance. You can modify
parameters within the IDS unauthorized device profile instance.
Privacy Enable or disables encryption as valid AP
configuration.
Default: disabled
Require WPA When enabled, any valid AP that is not using WPA
encryption is flagged as misconfigured.
Default: disabled
Valid 802.11a channel for
policy enforcement
(multi-valued)
List of valid 802.11a channels that third-party APs
are allowed to use.
Default: 36, 44, 52, 60, 40, 48, 56, 64
Valid 802.11g channel for
policy enforcement
(multi-valued)
List of valid 802.11g channels that third-party APs
are allowed to use.
Default: 1, 6, 11
Valid MAC OUIs
(multi-valued)
List of valid MAC organizationally unique identifiers
(OUIs).
Default: N/A
Valid and Protected
SSIDs (multi-valued)
List of valid and protected SSIDs.
Default: N/A
TABLE 17-31 IDS Unauthorized Device Profile Configuration Parameters
Parameter Description
Configuring Wireless Intrusion Prevention
Chapter 17
348 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
5. Click Apply.
Using the CLI to configure the IDS unauthorized device profile:
ids unauthorized-device-profile <profile>
<parameter> <value>
Configuring WMS Parameters
The WLAN management system (WMS) on the WLAN Switch monitors wireless
traffic to detect any new AP or wireless client station that tries to connect to the
network. When an AP or wireless client is detected, it is classified and its
classification is used to determine the security policies which should be enforced
on the AP or client.
Table 17-32 lists the parameters you can configure for WMS.
TABLE 17-32 WMS Configuration Parameters
Parameter Description
AP Ageout Interval The amount of time, in minutes, that an AP
is unseen by any probes before it is deleted
from the database. Enter 0 to disable ageout.
Default: 30 minutes
AM Poll Interval Interval, in milliseconds, for communication
between the WLAN Switch and Alcatel AMs.
The WLAN Switch contacts the AM at this
interval to download AP to STA associations,
update policy configuration changes, and
download AP and STA statistics.
Default: 60000 milliseconds (1 minute)
Number of AM Poll Retries Maximum number of failed polling attempts
before the polled AM is considered to be
down.
Default: 2
Station Ageout Interval The amount of time, in minutes, that a client
is unseen by any probes before it is deleted
from the database. Enter 0 to disable ageout.
Default: 30 minutes
AOS-W 3.1 349
User Guide
Configuring Wireless Intrusion Prevention
Chapter 17
Using the WebUI to configure WMS parameters:
1. Navigate to the Configuration > Advanced Services > Wireless page.
2. Configure the parameters, as described in Table 17-32.
3. Click Apply.
Using the CLI to configure WMS parameters:
wms general (parameters described in Table 17-32)
Enabling AP Learning
AP learning is typically used where there are non-Alcatel APs connected on the
same wired network as Alcatel APs. By default, AP learning is not enabled and
any non-Alcatel APs that are connected on the same networks as Alcatel APs are
classified as rogue APs. Enabling AP learning marks the non-Alcatel APs as valid
APs instead of as rogue APs. You can enable or disable AP learning from the CLI.
NOTE:Enabling AP learning is useful when you install the Alcatel WLAN Switch
in an environment with an existing third-party wireless network,
especially if there are a large number of installed APs. Leave AP learning
enabled until all APs in the network have been detected and classified as
valid. Then disable AP learning and reclassify any unknown APs as
interfering.
Using the WebUI to enable or disable AP learning:
1. Navigate to the Configuration > Advanced Services > Wireless page.
2. Select (or deselect) the Learn APs checkbox.
Enable Statistics Update in DB Enables or disables statistics update in the
database.
Default: Enabled
Mark Known Interfering APs as
Persistent Known Interfering APs
Enables or disables APs that are marked as
known interfering from being aged out.
Default: Disabled
Learn APs Enables or disables AP learning. Learning
affects the way APs are classified (see
“Enabling AP Learning” on page 349).
Default: Disabled
TABLE 17-32 WMS Configuration Parameters (Continued)
Parameter Description
Configuring Wireless Intrusion Prevention
Chapter 17
350 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
3. Click Apply.
Using the CLI to enable or disable AP learning:
wms general learn-ap {enable|disable}
Classifying APs
If AP learning is enabled, non-Alcatel APs connected on the same wired network
as Alcatel APs are classified as valid APs. If AP learning is disabled, a non-Alcatel
AP is classified as a rogue AP. You can also manually classify an AP. For example,
if you know about an interfering AP, you can manually reclassify it as a known
interfering AP. You can manually classify an AP into one of the following
categories:
Valid AP An AP that is part of the enterprise providing WLAN service.
Alcatel APs that successfully connect to the WLAN Switch
and load software and configuration should be classified as
valid APs.
NOTE:Any client that successfully authenticates with a
valid AP and passes encrypted traffic is classified
as a valid client. (Encrypted traffic includes
encrypted 802.11 frames and unencrypted 802.11
frames which are VPN encrypted.)
Interfering AP An AP that is seen in the RF environment but is not
connected to the wired network. An interfering AP is not
considered a direct security threat since it is not connected
to the wired network. For example, an interfering AP can be
an AP that belongs to a neighboring office’s WLAN and is
not part of your WLAN network.
Known Interfering
AP
An interfering AP where the BSSIDs are known. Once
classified, a known interfering AP does not change its
state.
Unsecure AP
(rogue AP)
A rogue AP is an unauthorized AP that is plugged into the
wired side of the network. You can configure automatic
shutdown of rogue APs in the IDS unauthorized device
detection profile.
Suspected
Unsecure AP
A suspected rogue AP is plugged into the wired side of the
network, but may not be an unauthorized device. Automatic
rogue containment does not apply to suspected rogue APs.
DoS AP An AP for which denial of service is enabled. Any clients
connected to this AP are disconnected.
AOS-W 3.1 351
User Guide
Configuring Wireless Intrusion Prevention
Chapter 17
Using the WebUI to Manually Classify APs
1. Navigate to the Reports > AP Reports> All Interfering APs page on the
master WLAN Switch.
2. Select the checkbox for the AP(s) you want to classify.
3. Click the appropriate “Set as” button on the page.
4. Click Apply.
Using the CLI to Manually Classify APs
Enter the following command in privilege mode:
wms ap <bssid> mode {dos|interfering|known-interfering|unsecure|valid}
Configuring Misconfigured AP Detection and Protection
An AP is classified as misconfigured if it does not meet any of the following
following configurable parameters:
Valid channels
Encryption type
Short preamble
List of valid AP MAC OUIs
Valid SSID list (exceptions are described in “Use of the Valid Enterprise SSID
List” on page 352)
This classification is primarily for enforcing security policies on non-Alcatel APs,
although the classification and protection mechanism also applies to all valid
Alcatel APs.
Updating the Valid Enterprise SSID List
SSIDs added to the Valid Enterprise SSID list are known as “Valid SSIDs” or
“Reserved SSIDs.” The list is empty by default and does not contain any SSIDs
configured on the WLAN Switch. You can add SSIDs to the list using the WebUI
or CLI.
Using the WebUI to add an SSID to the Valid Enterprise SSID list:
1. Navigate to the Configuration > Advanced > WLAN Intrusion Prevention >
Policies > Multi Tenancy page.
2. Click the Add button.
3. Enter the name of the SSID, then click Add.
Configuring Wireless Intrusion Prevention
Chapter 17
352 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the CLI to add an SSID to the Valid Enterprise SSID list:
wms valid-ssid <ssid_name>
Use of the Valid Enterprise SSID List
This section describes the use of the Valid Enterprise SSID list with both
Multi-Tenancy protection and Misconfigured AP protection.
As part of its function, Multi-Tenancy protection prevents an interfering AP from
advertising an SSID that is added to the Valid Enterprise SSID list. This feature
protects against honeypot attacks.
Misconfigured AP protection also uses the Valid Enterprise SSID list to classify an
AP as misconfigured.
Whether a client can connect to an SSID depends on whether Multi-Tenancy
protection or Misconfigured AP protection are enabled or disabled, whether the
AP is valid or interfering, and whether the SSID is in the Valid Enterprise SSID list.
Table 17-33 describes client connections to valid and non-valid SSIDs when
Multi-Tenancy protection and Misconfigured AP protection are enabled or
disabled.
TABLE 17-33 Valid SSIDs with Multi-Tenancy and Misconfigured AP
Protection
Multi-Tenancy
Protection
Misconfigured
AP Protection Client Connections
Enabled Disabled If there are entries in the valid SSID list:
Clients can connect to valid SSIDs on valid
APs.
Clients cannot connect to valid SSIDs on
interfering APs (including known
interfering APs).
Clients can connect to SSIDs not in the
valid SSID list on valid APs.
Clients can connect to SSIDs not in the
valid SSID list on interfering APs (including
known interfering APs).
If the valid SSID list is empty, it is ignored and
clients can connect to all SSIDs on both valid
APs and interfering APs (including known
interfering APs). Not adding an SSID to the
valid SSID list exposes that SSID to honeypot
attacks.
AOS-W 3.1 353
User Guide
Configuring Wireless Intrusion Prevention
Chapter 17
Enabled Enabled If there are entries in the valid SSID list:
Clients can connect to valid SSIDs on valid
APs.
Clients cannot connect to valid SSIDs on
interfering APs (including known
interfering APs).
Clients cannot connect to SSIDs not in the
valid SSID list on valid APs.
Clients can connect to SSIDs not in the
valid SSID list on interfering APs.
If the valid SSID list is empty, it is ignored and
clients can connect to all SSIDs on both valid
APs and interfering APs (including known
interfering APs). Not adding an SSID to the
valid SSID list exposes that SSID to honeypot
attacks.
Disabled Enabled If there are entries in the valid SSID list:
Clients can connect to valid SSIDs on valid
APs.
Clients can connect to valid SSIDs on
interfering APs (including known
interfering APs).
Clients cannot connect to SSIDs not in the
valid SSID list on valid APs.
Clients can connect to SSIDs not in the
valid SSID list on interfering APs.
If the valid SSID list is empty, it is ignored and
clients can connect to all SSIDs on both valid
APs and interfering APs (including known
interfering APs). When Multi-Tenancy
protection is disabled, the network is
susceptible to honeypot attacks.
TABLE 17-33 Valid SSIDs with Multi-Tenancy and Misconfigured AP
Protection
Multi-Tenancy
Protection
Misconfigured
AP Protection Client Connections
Configuring Wireless Intrusion Prevention
Chapter 17
354 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Client Blacklisting
When a client is blacklisted in the Alcatel system, the client is not allowed to
associate with any AP in the network for a specified amount of time. If a client is
connected to the network when it is blacklisted, a deauthentication message is
sent to force the client to disconnect. While blacklisted, the client cannot
associate with another SSID in the network.
Methods of Blacklisting
There are several ways in which a client can be blacklisted in the Alcatel system:
You can manually blacklist a specific client. See “Manual Blacklisting” on
page 354 for more information.
A client fails to successfully authenticate for a configured number of times for
a specified authentication method. The client is automatically blacklisted. See
Authentication Failure Blacklisting” on page 355 for more information.
A denial of service or man in the middle (MITM) attack has been launched in
the network. Detection of these attacks can cause the immediate blacklisting
of a client. See Attack Blacklisting” on page 355 for more information.
An external application or appliance that provides network services, such as
virus protection or intrusion detection, can blacklist a client and send the
blacklisting information to the WLAN Switch via an XML API server. When the
WLAN Switch receives the client blacklist request from the server, it blacklists
the client, logs an event, and sends an SNMP trap.
NOTE:This requires that the External Services Interface (ESI) license be
installed in the WLAN Switch.
See Chapter 21, “External Services Interface” for more information.
Manual Blacklisting
There are several reasons why you may choose to blacklist a client. For example,
you can enable different Alcatel intrusion detection system (IDS) features that
detect suspicious activities, such as MAC address spoofing or denial of service
attacks. When these activities are detected, an event is logged and an SNMP trap
is sent with the client information.
To blacklist a client, you need to know its MAC address.
Using the WebUI to manually blacklist a client:
1. Navigate to the Monitoring > Switch > Clients page.
2. Select the client to be blacklisted and click the Blacklist button.
AOS-W 3.1 355
User Guide
Configuring Wireless Intrusion Prevention
Chapter 17
Using the CLI to manually blacklist a client:
stm add-blacklist-client <macaddr>
Authentication Failure Blacklisting
You can configure a maximum authentication failure threshold for each of the
following authentication methods:
802.1x
MAC
Captive portal
VPN
When a client exceeds the configured threshold for one of the above methods,
the client is automatically blacklisted by the WLAN Switch, an event is logged,
and an SNMP trap is sent. By default, the maximum authentication failure
threshold is set to 0 for the above authentication methods, which means that
there is no limit to the number of times a client can attempt to authenticate.
With 802.1x authentication, you can also configure blacklisting of clients who fail
machine authentication.
NOTE:When clients are blacklisted because they exceed the authentication
failure threshold, they are blacklisted indefinitely by default. You can
configure the duration of the blacklisting; see “Blacklist Duration” on
page 356.
Using the WebUI to set the authentication failure threshold:
1. Navigate to the Configuration > Security > Authentication > Profiles page.
2. In the Profiles list, select the appropriate authentication profile, then select
the profile instance.
3. Enter a value in the Max Authentication failures field.
4. Click Apply.
Using the CLI to set the authentication failure threshold:
aaa authentication {captive-portal|dot1x|mac|vpn} <profile>
max-authentication-failures <number>
Attack Blacklisting
There are two type of automatic client blacklisting that can be enabled:
blacklisting due to spoofed deauthentication, or blacklisting due to other types of
denial of service (DoS) attacks.
Configuring Wireless Intrusion Prevention
Chapter 17
356 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Automatic blacklisting for DoS attacks other than spoofed deauthentication is
enabled by default. You can disable this blacklisting on a per-SSID basis in the
virtual AP profile.
Man in the middle (MITM) attacks begin with an intruder impersonating a valid
enterprise AP. If an AP needs to reboot, it sends deauthentication packets to
connected clients to enable them to disconnect and reassociate with another AP.
An intruder or attacker can spoof deauthentication packets, forcing clients to
disconnect from the network and reassociate with the attacker’s AP. A valid
enterprise client associates to the intruder’s AP, while the intruder then associates
to the enterprise AP. Communication between the network and the client flows
through the intruder (the man in the middle), thus allowing the intruder the ability
to add, delete, or modify data. When this type of attack is identified by the Alcatel
system, the client can be blacklisted, blocking the MITM attack. You enable this
blacklisting ability in the IDS DoS profile (this is disabled by default).
Using the WebUI to enable spoofed deauth detection and blacklisting:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either AP Group or AP Specific tab. Click Edit for the AP group or AP
name.
3. In the Profiles list, select IDS, then select IDS profile.
4. Select the IDS DOS profile instance.
5. Select (check) Spoofed Deauth Blacklist.
6. Click Apply.
Using the CLI to enable spoofed deauth detection and blacklisting:
ids dos-profile <profile>
spoofed-deauth-blacklist
Blacklist Duration
You can configure the duration that clients are blacklisted on a per-SSID basis.
There are two different blacklist duration settings:
For clients that are blacklisted due to authentication failure. By default, this is
set to 0 (the client is blacklisted indefinitely).
For clients that are blacklisted due to other reasons, including manual
blacklisting. By default, this is set to 3600 seconds (one hour). You can set
this to 0 to blacklist clients indefinitely.
You configure these settings in the virtual AP profile.
AOS-W 3.1 357
User Guide
Configuring Wireless Intrusion Prevention
Chapter 17
Using the WebUI to configure the blacklist duration:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either AP Group or AP Specific tab. Click Edit for the AP group or AP
name.
3. In the Profiles list, select Wireless LAN, then Virtual AP. Select the virtual AP
instance.
zTo set a blacklist duration for authentication failure, enter a value for
Authentication Failure Blacklist Time.
zTo set a blacklist duration for other reasons, enter a value for Blacklist
Time.
4. Click Apply.
Using the CLI to configure the blacklist duration:
wlan virtual-ap <profile>
auth-failure-blacklist-time <seconds>
blacklist-time <seconds>
Removing a Client from Blacklisting
You can manually remove a client from blacklisting using either the WebUI or CLI:
Using the WebUI to remove a client from blacklisting:
1. Navigate to the Monitoring > Switch > Blacklist Clients page.
2. Select the client that you want to remove from the blacklist, then click
Remove from Blacklist.
Using the CLI to remove a client from blacklisting:
Enter the following in enable mode:
stm remove-blacklist-client <macaddr>
Configuring Wireless Intrusion Prevention
Chapter 17
358 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Volume 7
Managing the
OmniAccess
System
AOS-W Version 3.1
360 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 361
User Guide
Configuring Management
Access 18
This chapter describes management access for an Alcatel wireless network.
This chapter describes the following topics:
“Management Interfaces” on page 362
“Managing Certificates” on page 373
“Configuring SNMP” on page 381
“Configuring Logging” on page 391
“Creating Guest Accounts” on page 393
“Setting the System Clock” on page 396
Configuring Management Access
Chapter 18
362 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Management Interfaces
There are several interfaces that you can use to configure and manage
components of the Alcatel OmniAccess system:
The Web User Interface (WebUI) allows you to configure and manage Alcatel
WLAN Switches. The WebUI is accessible through a standard Web browser
from a remote management console or workstation.
The command line interface (CLI) allows you to configure and manage Alcatel
WLAN Switches. The CLI is accessible from a local console connected to the
serial port on the WLAN Switch or through a Telnet or Secure Shell (SSH)
session from a remote management console or workstation.
NOTE:By default, you can only access the CLI from the serial port or from
an SSH session. To use the CLI in a Telnet session, you must
explicitly enable Telnet on the WLAN Switch by issuing the telnet cli
command.
The Alcatel Mobility Manager System is a suite of applications for monitoring
multiple master WLAN Switches and their related local WLAN Switches and
APs. Each application provides a Web-based user interface. The Alcatel
Mobility Manager System is available as an integrated appliance and as a
software application that runs on a dedicated system. See the Mobility
Manager User Guide for more information.
NOTE:Before you can use the management interface from a remote console or
workstation you must configure the WLAN Switch with an IP address
and default gateway and connect it to your network. See “Deploying a
Basic OmniAccess System” on page 45 for more information.
All Alcatel WLAN Switches have a serial port for connecting to a local console.
The OAW 6000 WLAN Switch contains a 10/100 Mbps Fast Ethernet port for
out-of-band management (see the Installation Guide for your WLAN Switch for
more information).
By default, management sessions through the serial port, SSH, Telnet, or the
WebUI time out after 15 minutes. You can change or disable the timeout with the
CLI loginsession timeout command.
NOTE:In many deployment scenarios, an external firewall is situated between
various Alcatel devices. Appendix B, “External Firewall Configuration”
describes the network ports that need to be configured on the external
firewall to allow proper operation of the Alcatel network.
AOS-W 3.1 363
User Guide
Configuring Management Access
Chapter 18
Web Access
NOTE:Alcatel WLAN Switches ship with a demonstration digital certificate. Until
you install a customer-specific server certificate in the WLAN Switch, this
demonstration certificate is used by default for all secure HTTP
connections (such as the WebUI and captive portal) and AAA
FastConnect. This certificate is included primarily for the purposes of
feature demonstration and convenience and is not intended for long-term
use in production networks. Users in a production environment are urged
to obtain and install a certificate issued for their site or domain by a
well-known certificate authority (CA). See “Managing Certificates” on
page 373 for more information.
To use the WebUI, enter the IP address of the WLAN Switch in the URL of a
browser window.
NOTE:The WebUI requires Internet Explorer 6.0. Other browsers may work but
with limited functionality and are therefore not supported.
When you connect to the WLAN Switch using the WebUI, the system displays the
login page. Log in using the administrator user account (the password does not
display). For example:
When you are logged in, the browser window shows the default Monitor
Summary page. For example:
Configuring Management Access
Chapter 18
364 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
The following describes the elements in all WebUI pages:
The tabs at the top of the page allow you to select tools available in the Web
UI software. Click on a tab to select the tool.
When you select a tab, the tool and its available pages appear in the
navigation pane. You can navigate to any of the listed pages by clicking on
the page name.
NOTE:Some of the items in the listed pages are merely headings for their
sub-pages and cannot be selected. Selectable pages become
highlighted when you place the cursor over them. Non-selectable
items do not react.
The name of the currently-selected page is highlighted in the page tree.
The main page display area displays all the information and/or input fields
relevant to the current page of the current tool.
The Logout button at the top right corner of the page allows you to end your
WebUI session.
Tools
The tool bar at the top of the WebUI browser window contains tabs for the
various tools available. Click on the tab to select the tool. Table 18-34 lists the
tools that are available in the WebUI.
TOOL TABS
LOGOUT
BUTTON
CURRENT
TOOL
CURRENT
PAGE
NAVIGATION
PANE FOR
SELECTED
TOOL
AOS-W 3.1 365
User Guide
Configuring Management Access
Chapter 18
Configuration Tool
Table 18-35 describes the Configuration pages.
TABLE 18-34 WebUI Tools
Menu Description
Monitoring This tool allows you to view the status of the Alcatel
components and clients in the Alcatel OmniAccess
system, the connections on the local WLAN Switch,
WLANs, and custom logs.
Configuration This tool allows you to configure the Alcatel OmniAccess
system.
Diagnostics This tool allows you to run ping and traceroute, store and
view output files for technical support, and view AP
configuration and statistics.
Maintenance This tool allows you to upgrade the image file, load
licenses, copy files to/from flash, configure and reboot
APs, and configure the captive portal feature.
Plan This tools allows you to specify how Wi-Fi coverage
should be provided for your floor plans. RF Plan then
provides coverage maps and AP and AM placement
locations. See Chapter 4, “RF Plan.
Events This tool allows you to view events in the Alcatel system.
Reports This tool allows you to view reports on APs and clients as
well as create custom reports.
Configuring Management Access
Chapter 18
366 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
The following buttons are available on the Configuration pages:
TABLE 18-35 Configuration Pages
Page Description
Network These pages allow you to configure:
Switch role, IP address, and preshared key, licenses,
and certificates
VLANs
Ports
Interface addresses
Security These pages allow you to configure:
Authentication servers and profiles
User roles and policies
Wireless The pages allow you to configure profiles, including SSID
and related WLAN options, for AP groups and for specific
APs.
Management These pages allow you to configure:
Users, roles, and authentication servers for
administering the Alcatel system
SNMP-related information
Logging
System clock
Advanced Services These pages allow you to configure various Alcatel
OmniAccess features. Some of these features require that
you install an optional license.
Apply Accepts all configuration changes made on the current
page and places them in the running configuration.
Save
Configuration
(Appears in top right corner of the WebUI when the
Configuration tool is selected) Saves all applied
configuration changes made during the current
configuration session. Saved settings are retained when
the WLAN Switch is rebooted or powered off while
unsaved configuration changes are lost. Clicking this
button performs the same function as issuing the CLI write
memory command.
Clear Resets options on current page to the last-applied or saved
settings.
AOS-W 3.1 367
User Guide
Configuring Management Access
Chapter 18
CLI Access
The CLI is available through the serial console connection or from a Telnet or SSH
session.
NOTE:Telnet access is disabled by default on Alcatel WLAN Switches. To enable
Telnet access, enter the telnet cli command from a serial connection or
from an SSH session.
When you connect to the WLAN Switch using the CLI, the system displays its
host name followed by the login prompt. Log in using the administrator user
account (the password displays as asterisks). For example:
(alcatel)
user: admin
password: *****
When you are logged in, the user mode CLI prompt displays. For example:
(alcatel) >
User mode provides only limited access for basic operational testing such as
running ping and traceroute.
All configuration and management functions are available in privileged mode. To
move from user mode to privileged mode requires you to enter an additional
password. For example:
(alcatel) > enable
Password: ******
When you are in privileged mode, the > prompt changes to a pound sign (#):
(alcatel) #
Saving Configuration Changes
Configuration changes made using the CLI affect only the current state of the
WLAN Switch. Unless saved, the changes are lost when the WLAN Switch is
rebooted. To save your changes so that they are retained after a reboot, use the
following privileged mode CLI command:
Add Adds a new item to the current page. Typically a set of
relevant configuration fields for the item to be added is
displayed.
Edit Allows you to edit the configuration of the selected item.
Delete Removes the selected item from the page configuration.
View Commands Displays the equivalent CLI command(s) for the WebUI
configuration.
Configuring Management Access
Chapter 18
368 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
(alcatel) # write memory
Saving Configuration...
Saved Configuration
Command Completion
To make command input easier, you can usually abbreviate each key word in the
command. You need type only enough of each keyword to distinguish it from
similar commands. For example:
(alcatel) # configure terminal
could also be entered as:
(alcatel) # con t
Three characters (con) represent the shortest abbreviation allowed for configure.
Typing only c or co would not work because there are other commands (like copy)
which also begin with those letters. The configure command is the only one that
begins with con.
As you type, you can press the spacebar or tab to move to the next keyword. The
system then attempts to expand the abbreviation for you. If there is only one
command keyword that matches the abbreviation, it is filled in for you
automatically. If the abbreviation is too vague (too few characters), the cursor
does not advance and you must type more characters or use the help feature to
list the matching commands.
Command Help
You can use the question mark (?) to view various types of command help.
When typed at the beginning of a line, the question mark lists all the commands
available in your current mode or sub-mode. A brief explanation follows each
command. For example:
(alcatel) > ?
enable Turn on Privileged commands
logout Exit this session. Any unsaved changes are lost.
ping Send ICMP echo packets to a specified IP address.
traceroute Trace route to specified IP address.
When typed at the end of a possible command or abbreviation, the question mark
lists the commands that match (if any). For example:
(alcatel) > c?
AOS-W 3.1 369
User Guide
Configuring Management Access
Chapter 18
clear Clear configuration
clock Configure the system clock
configure Configuration Commands
copy Copy Files
If more than one item is shown, type more of the keyword characters to
distinguish your choice. However, if only one item is listed, the keyword or
abbreviation is valid and you can press tab or the spacebar to advance to the next
keyword.
When typed in place of a parameter, the question mark lists the available options.
For example:
(alcatel) # write ?
erase Erase and start from scratch
file Write to a file in the file system
memory Write to memory
terminal Write to terminal
<cr>
The <cr> indicates that the command can be entered without additional
parameters. Any other parameters are optional.
Command Line Editing
The command line editing feature allows you to make corrections or changes to a
command without retyping. Table 18-36 lists the editing controls:
TABLE 18-36 Line Editing Keys
Key Effect Description
<Ctrl-a> Home Move the cursor to the beginning of the line.
<Ctrl-b> or
<left arrow>
Back Move the cursor one character left.
<Ctrl-d> Delete
Right
Delete the character to the right of the cursor.
<Ctrl-e> End Move the cursor to the end of the line.
<Ctrl-f> or
<right
arrow>
Forward Move the cursor one character right.
<Ctrl-k> Kill Right Delete all characters to the right of the cursor.
<Ctrl-n> or
<down
arrow>
Next Display the next command in the command
history.
Configuring Management Access
Chapter 18
370 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Alphanumeric characters are always inserted into the line at the cursor position.
Command History
The system records your most recently entered commands. You can review the
history of your actions, or reissue a recent command easily, without having to
retype it.
To view items in the command history, use the <up arrow> to move back through
the list and <down arrow> key to forward. To reissue a specific command, press
<enter> when it appears. You can even use the command line editing feature to
make changes to the command prior to entering it.
Viewing the Configuration
You can view two configuration images from the CLI:
startup-config holds the configuration options which will be used the next
time the WLAN Switch is rebooted. It contains all the options last saved using
the write memory command. Presently unsaved changes are not included.
To view the startup-config, use the following command:
(alcatel) # show startup-config
running-config holds the current switch configuration, including all pending
changes which have yet to be saved.
To view the running-config, use the following command:
(alcatel) # show running-config
Both configurations can also be saved to a file or sent to a TFTP server for backup
or transfer to another system using the copy command.
<Ctrl-p> or
<up arrow>
Previous Display the previous command in the command
history.
<Ctrl-t> Transpose Swap the character to the left of the cursor with
the character to the right of the cursor.
<Ctrl-u> Clear Clear the line.
<Ctrl-w> Delete
Word
Delete the characters from the cursor up to and
including the first space encountered.
<Ctrl-x> Kill Left Delete all characters to the left of the cursor.
TABLE 18-36 Line Editing Keys (Continued)
Key Effect Description
AOS-W 3.1 371
User Guide
Configuring Management Access
Chapter 18
Alcatel Mobility Manager
The Alcatel Mobility Manager System (MMS) is an element management system
(EMS) application that enables you to manage Alcatel APs and WLAN Switches
from a single platform. The MMS software is embedded on the Alcatel OmniVista
Mobility Manager Appliance. You can also install the MMS software on a
dedicated server platform. Multiple Windows, Linux, or MacOS clients can access
the MMS interface simultaneously. Each client must have the compatible Java
Runtime Environment (JRE) installed; you can download the appropriate JRE from
the Mobility Manager application.
The 1.x version of MMS allows you to scope, plan, filter, and monitor the wireless
network. The 2.0 version of MMS adds the capability to centrally configure
settings on the WLAN Switches. When a configuration change is made on the
MMS server, the configuration is synchronized with the master WLAN Switch
before being applied.
To configure MMS on AOS-W:
1. On the master WLAN Switch, configure the IP address of the MMS server
and an SNMP username and password for the MMS server to use to
communicate with the WLAN Switch. You can configure up to two MMS
servers.
Once you configure the MMS server on the Mobility Manager, the Plan,
Events, and Reports tabs no longer appear in the WebUI and the functions
previously provided by these tabs are handled by MMS.
2. To support configuration by the MMS server, you must enable the master
WLAN Switch to receive, apply, and communicate the status of configuration
changes with the MMS server (this is disabled by default in AOS-W).
NOTE:You must be running MMS version 2.0 or later on the MMS server to
configure WLAN Switches.
On the MMS server, you must configure the IP address of the master WLAN
Switch and specify the SNMP username and password you configured on the
WLAN Switch.
Configuring an MMS Server
Before the WLAN Switch can communicate with an MMS server, you need to
configure the IP address and username and password for the MMS server on the
master WLAN Switch. This configuration creates an SNMP version 3 user profile
with the configured username and password that allows SNMP SETs from the
MMS server to be received by the WLAN Switch. This configuration also allows
SNMP traps and notifications to be sent to the MMS server.
Using the WebUI to configure an MMS server on the WLAN Switch:
1. Navigate to the Configuration > Management > General page.
Configuring Management Access
Chapter 18
372 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
2. In the Mobility Manager Servers section, click New.
3. Enter the IP address for the MMS server in the Mobility Manager Server IP
Address field.
4. Enter an SNMP username and password for the MMS server.
5. Click Apply.
Using the CLI to configure an MMS server on the WLAN Switch:
mobility-manager <ipaddr> user <username> <password>
Enabling Configuration Updates from MMS
When a configuration change is made on the MMS server, the changes are
synchronized with the master WLAN Switch before being applied. On the master
WLAN Switch, you must enable the WLAN Switch to receive, apply, and
communicate the status of the configuration change with the MMS server.
NOTE:MMS configuration updates only apply to global configurations that are
shared by all WLAN Switches in the network. Local configurations, such
as hostname or VLANs, apply only to the WLAN Switch on which they
are configured and are not updated by MMS.
Using the WebUI to enable MMS configuration on the WLAN Switch:
1. Navigate to the Configuration > Management > General page.
2. Select the Update of Global Configuration from MMS checkbox.
3. Click Apply.
Using the CLI to enable MMS configuration on the WLAN Switch:
cfgm mms config enable
On the MMS server, you must configure the IP address of the master WLAN
Switch and specify the SNMP username and password you configured on the
WLAN Switch. For more information about the Alcatel Mobility Manager, see the
Mobility Manager User Guide.
AOS-W 3.1 373
User Guide
Configuring Management Access
Chapter 18
Managing Certificates
The Alcatel WLAN Switch is designed to provide secure services through the use
of digital certificates. Certificates provide security when authenticating users and
computers and eliminate the need for less secure password-based
authentication.
There is a default server certificate installed in the WLAN Switch, however this
certificate does not guarantee security for production networks. Alcatel strongly
recommends that you replace the default certificate with a custom certificate
issued for your site or domain by a trusted Certificate Authority (CA). This section
describes how to generate a Certificate Signing Request (CSR) to submit to a CA
and how to import the signed certificate received from the CA into the WLAN
Switch.
The WLAN Switch supports client authentication using digital certificates for
specific OmniAccess services, such as AAA FastConnect (see Chapter 9,
“Configuring 802.1x Authentication”) and WebUI and SSH management access.
Each service can employ different sets of client and server certificates.
During certificate-based authentication, the WLAN Switch provides its server
certificate to the client for authentication. After validating the WLAN Switch’s
server certificate, the client presents its own certificate to the WLAN Switch for
authentication. To validate the client certificate, the WLAN Switch checks the
certificate revocation list (CRL) maintained by the CA that issued the client
certificate. After validating the client’s certificate, the WLAN Switch can check the
user name in the certificate with the configured authentication server (this action
is optional and configurable).
About Digital Certificates
Clients and the servers to which they connect may hold authentication
certificates that validate their identities. When a client connects to a server for the
first time, or the first time since its previous certificate has expired or been
revoked, the server requests that the client transmit its authentication certificate.
The client’s certificate is then verified against the CA which issued it. Clients can
also request and verify the server’s authentication certificate. For some
applications, such as 802.1x authentication, clients do not need to validate the
server certificate for the authentication to function.
Digital certificates are issued by a CA which can be either a commercial,
third-party company or a private CA controlled by your organization. The CA is
trusted to authenticate the owner of the certificate before issuing a certificate. A
CA-signed certificate guarantees the identity of the certificate holder. This is done
by comparing the digital signature on a client or server certificate to the signature
on the certificate for the CA. When CA-signed certificates are used to
authenticate clients, the WLAN Switch checks the validity of client certificates
using certificate revocation lists (CRLs) maintained by the CA that issued the
certificate.
Configuring Management Access
Chapter 18
374 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Digital certificates employ public key infrastructure (PKI), which requires a
private-public key pair. A digital certificate is associated with a private key, known
only to the certificate owner, and a public key. A certificate encrypted with a
private key is decrypted with its public key. For example, party A encrypts its
certificate with its private key and sends it to party B. Party B decrypts the
certificate with party As public key.
Obtaining a Server Certificate
Alcatel strongly recommends that you replace the default server certificate in the
WLAN Switch with a custom certificate issued for your site or domain by a
trusted CA. To obtain a security certificate for the WLAN Switch from a CA:
1. Generate a Certificate Signing Request (CSR) on the WLAN Switch using
either the WebUI or CLI.
2. Submit the CSR to a CA. Copy and paste the output of the CSR into an email
and send it to the CA of your choice.
3. The CA returns a signed server certificate and the CAs certificate and public
key.
4. Install the server certificate, as described in “Importing Certificates” on
page 375.
NOTE:There can be only one outstanding CSR at a time in the WLAN Switch.
Once you generate a CSR, you need to import the CA-signed certificate
into the WLAN Switch before you can generate another CSR.
Using the WebUI to generate a CSR:
1. Navigate to the Configuration > Management > Certificates > CSR page.
2. Click Generate New.
3. Enter the following information:
Parameter Description Range Default
key Length of private/public key. 1024/2048/
4096
common_name Typically, this is the host and domain name, as in
www.yourcompany.com.
——
country Two-letter ISO country code for the country in which
your organization is located.
——
state_or_pro
vince
State, province, region, or territory in which your
organization is located.
——
city City in which your organization is located. ——
organization Name of your organization. ——
AOS-W 3.1 375
User Guide
Configuring Management Access
Chapter 18
4. Click View Current to display the generated CSR. Select and copy the CSR
output between the BEGIN CERTIFICATE REQUEST and END CERTIFICATE
REQUEST lines, paste it into an email and send it to the CA of your choice.
Using the CLI to generate a CSR:
1. Run the following command:
crypto pki csr key {1024|2048|4096} common-name <value> country <country>
state_or_province <state> city <city> organization <org> unit <string>
email <email>
2. Display the CSR output with the following command:
show crypto pki csr
3. Copy the CSR output between the BEGIN CERTIFICATE REQUEST and END
CERTIFICATE REQUEST lines, paste it into an email and send it to the CA of
your choice.
Obtaining a Client Certificate
You can use the CSR generated on the WLAN Switch to obtain a certificate for a
client. However, since there may be a large number of clients in a network, you
typically obtain client certificates from a corporate CA server. For example, in a
browser window, enter http://<ipaddr>/crtserv, where <ipaddr> is the IP address
of the CA server.
Importing Certificates
NOTE:The following information does not apply to server certificates used for
captive portal services. For information about importing server
certificates into the WLAN Switch for captive portal, see Chapter 10,
“Configuring Captive Portal”.
You must use the WebUI to import certificates into the WLAN Switch. You cannot
use a CLI command to import certificates, although a ‘crypto-local pki’ command
is saved to the configuration file when you import a certificate from the WebUI.
NOTE:You cannot export certificates from the WLAN Switch.
You can import the following types of certificates into the WLAN Switch using the
WebUI:
unit Optional field to distinguish a department or other
unit within your organization.
——
email Email address referenced in the CSR. ——
Configuring Management Access
Chapter 18
376 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Server certificate signed by a trusted CA. This includes a public and private
key pair.
CA certificate used to validate other server or client certificates. This includes
only the public key for the certificate.
Client certificate and client’s public key. (The public key is used for
applications such as SSH which does not support X509 certificates and
requires the public key to verify an allowed certificate.)
Certificates can be in the following formats:
X509 PEM unencrypted
X509 PEM encrypted with a key
DER
PKCS12 encrypted
NOTE:You can import a certificate only through the WebUI.
Using the WebUI to import certificates:
1. Navigate to the Configuration > Management > Certificates > Upload page.
2. For Certificate Name, enter a user-defined name.
3. For Certificate Filename, click Browse to navigate to the appropriate file on
your computer.
4. If the certificate is encrypted, enter the passphrase.
5. Select the Certificate Format from the drop-down menu.
6. Select the Certificate Type from the drop-down menu.
7. Click Upload to install the certificate in the WLAN Switch.
The Certificate Lists section of the page lists the certificates that are currently
installed in the WLAN Switch.
Imported certificates and keys and CRLs are stored in the following locations in
flash on the WLAN Switch:
Location Description
/flash/certmgr/trustedCAs Trusted CA certificates, either for root or
intermediate CAs. Alcatel recommends that if you
import the certificate for an intermediate CA, you
also import the certificate for the signing CA.
AOS-W 3.1 377
User Guide
Configuring Management Access
Chapter 18
To view the contents of a certificate, use the following CLI commands:
Updating CRLs
A CA maintains a CRL that contains a list of certificates that have been revoked
before their expiration date. Expired client certificates are not accepted for any
OmniAccess service. Certificates may be revoked because certificate key has
been compromised or the user specified in the certificate is no longer authorized
to use the key.
/flash/certmgr/serverCerts Server certificates. These certificates must contain
both a public and private key (the public and
private key must match). You can import
certificates in PKCS12 and X509 PEM formats, but
they are stored in X509 PEM DES encrypted
format.
/flash/certmgr/CSR Temporary certificate signing requests (CSRs) that
have been generated on the WLAN Switch and are
awaiting a CA to sign them.
/flash/certmgr/publiccert Public key of certificates. This allows a service on
the WLAN Switch to identify a certificate as an
allowed certificate.
/flash/certmgr/CRLs CRLs of expired client certificates.
Command Description
show crypto-local pki
trustedCAs [<name>]
<[attribute>]
Displays the contents of a trusted CA certificate. If a
name is not specified, all CA certificates imported
into the WLAN Switch are displayed. If name and
attribute are specified, then only the attribute in the
certificate are displayed. Attributes can be CN,
validity, serial-number, issuer, subject, public-key.
show crypto-local pki
serverCerts [<name>]
[<attribute>]
Displays the contents of a server certificate. If a
name is not specified,all server certificates imported
into the WLAN Switch are displayed.
show crypto-local pki
publiccert [<name>]
[<attribute>]
Displays the contents of a public certificate. If a
name is not specified, all public certificates
imported into the WLAN Switch are displayed.
Location Description
Configuring Management Access
Chapter 18
378 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
When a client certificate is being authenticated for a OmniAccess service, the
WLAN Switch checks the appropriate CRL to make sure that the certificate has
not been revoked. The WLAN Switch automatically downloads CRLs once a day
(you can change the download interval up to 365 days). If the CRL server is not
reachable, an SNMP trap is sent and a critical error is logged.
Using the CLI to modify the CRL update interval:
crypto pki update-crl period <update-interval>
Service-Specific Use of Certificates
The WLAN Switch supports client authentication using digital certificates for
specific OmniAccess services, such as AAA FastConnect (see Chapter 9,
“Configuring 802.1x Authentication”) and WebUI and SSH management access.
The WLAN Switch’s server certificate must be associated with a OmniAccess
service. You can have a different server certificate for each service (for example, a
server certificate for WebUI management access and a server certificate for AAA
FastConnect).
AAA FastConnect
To use certificate authentication for AAA FastConnect, you need to configure the
following in the 802.1x authentication profile:
WLAN Switch’s server certificate
CA certificate
Using the WebUI to configure AAA FastConnect certificate
authentication:
1. Navigate to the Configuration > Security > Authentication > L2
Authentication page.
2. In the Profiles list, select 802.1x Authentication Profile.
3. Select the “default” 802.1x authentication profile from the drop-down menu
to display configuration parameters.
4. In the Basic tab, select Termination.
5. Select the Advanced Tab.
6. In the Server-Certificate field, select the server certificate imported into the
WLAN Switch.
7. In the CA-Certificate field, select the CA certificate imported into the WLAN
Switch.
8. Click Save As. Enter a name for the 802.1x authentication profile.
AOS-W 3.1 379
User Guide
Configuring Management Access
Chapter 18
9. Click Apply.
Using the CLI to configure AAA FastConnect certificate
authentication:
aaa authentication dot1x <profile>
termination enable
server-cert <certificate>
ca-cert <certificate>
WebUI Management Access
The WLAN Switch allows certificate authentication for WebUI management users.
(The default is for management users to login with username and password only.)
To use this authentication, you must do the following:
1. Configure WebUI management for certificate authentication.
2. Configure the management username, role and client certificate.
Using the WebUI to configure certificate authentication for WebUI
access:
1. Navigate to the Configuration > Management > General page.
2. Under WebUI Management Authentication Method, select Client Certificate.
You can select Username and Password as well; in this case, the user is
prompted to manually enter the username and password only if the client
certificate is invalid.
3. Select the server certificate to be used for this service.
4. Click Apply.
5. To configure the management user, navigate to the Configuration >
Management > Administration page.
A. Under Management Users, click Add.
B. Select Certificate Management.
C. Select WebUI Certificate.
D. Enter the username.
E. Select the user role assigned to the user upon validation of the client
certificate
F. Enter the serial number for the client certificate.
G. Select the name of the CA that issued the client certificate.
H. Click Apply.
Configuring Management Access
Chapter 18
380 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the CLI to configure certificate authentication for WebUI access:
web-server
mgmt-auth [username/password] [certificate]
switch-cert <certificate>
mgmt-user webui-cacert <ca> serial <number> <username> < role>
SSH
The WLAN Switch allows public key authentication of management users
accessing the WLAN Switch using SSH. (The default is for management users to
login with username and password only.) To use this authentication, you must do
the following:
1. Import the X.509 client certificate into the WLAN Switch using the WebUI, as
described in “Importing Certificates”.
2. Configure SSH for certificate authentication.
3. Configure the management username, role and client certificate.
Using the WebUI to configure certificate authentication for SSH
access:
1. Navigate to the Configuration > Management > General page.
2. Under SSH (Secure Shell) Authentication Method, select Client Public Key.
3. Click Apply.
4. To configure the management user, navigate to the Configuration >
Management > Administration page.
A. Under Management Users, click Add.
B. Select Certificate Management.
C. Select SSH Public Key.
D. Enter the username.
E. Select the user role assigned to the user upon validation of the client
certificate.
F. Select the client certificate.
G. Click Apply.
Using the CLI to configure certificate authentication for SSH access:
ssh mgmt-auth [username/password] [public-key]
mgmt-user ssh-pubkey client-cert <certificate> <username> <role>
AOS-W 3.1 381
User Guide
Configuring Management Access
Chapter 18
Configuring SNMP
Alcatel WLAN Switches and APs support versions 1, 2c, and 3 of SNMP for
reporting purposes only. In other words, SNMP cannot be used for setting values
in an Alcatel system in the current version.
There are separate SNMP configurations for the WLAN Switch and for APs,
described in the following sections.
SNMP for the WLAN Switch
You can configure the following SNMP parameters for the WLAN Switch.
TABLE 18-37 SNMP Parameters for the WLAN Switch
Field Description
Host Name Host name of the WLAN Switch.
System Contact Name of the person who acts as the System Contact or
administrator for the WLAN Switch.
System Location String to describe the location of the WLAN Switch.
Read Community
Strings
Community strings used to authenticate requests for SNMP
versions before version 3.
NOTE:This is needed only if using SNMP v2c and is not
needed if using version 3.
Enable Trap
Generation
Enables generation of SNMP traps to configured SNMP trap
receivers. Refer to the list of traps in the “SNMP traps”
section below for a list of traps that are generated by the
Alcatel WLAN Switch.
Trap receivers Host information about a trap receiver. This host needs to
be running a trap receiver to receive and interpret the traps
sent by the Alcatel WLAN Switch. Configure the following
for each host/trap receiver:
IP address
SNMP version: can be 1 or 2c.
Community string
UDP port on which the trap receiver is listening for
traps. The default is the UDP port number 162. This is
optional, and will use the default port number if not
modified by the user.
Configuring Management Access
Chapter 18
382 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Follow the steps below to configure a WLAN Switch’s basic SNMP parameters.
Using the WebUI to configure SNMP on the WLAN Switch:
1. Navigate to the Configuration > Management > SNMP page.
2. If the WLAN Switch will be sending SNMP traps, click Add in the Trap
Receivers section to add a trap receiver.
3. If you are using SNMPv3 to obtain values from the Alcatel WLAN Switch,
click Add in the SNMPv3 Users section to add a new SNMPv3 user.
4. Click Apply.
Using the CLI to configure SNMP on the WLAN Switch:
hostname name
syscontact name
syslocation string
If you are using SNMPv3 to obtain values from the Alcatel WLAN Switch, you
can configure the following parameters:
User name A string representing the name of the user.
Authentication
protocol
An indication of whether messages sent on behalf of this
user can be authenticated, and if so, the type of
authentication protocol used. This can take one of the two
values:
MD5: HMAC-MD5-96 Digest Authentication Protocol
SHA: HMAC-SHA-96 Digest Authentication Protocol
Authentication
protocol password
If messages sent on behalf of this user can be
authenticated, the (private) authentication key for use with
the authentication protocol. This is a string password for
MD5 or SHA depending on the choice above.
Privacy protocol An indication of whether messages sent on behalf of this
user can be protected from disclosure, and if so, the type of
privacy protocol which is used. This takes the value DES
(CBC-DES Symmetric Encryption Protocol).
Privacy protocol
password
If messages sent on behalf of this user can be
encrypted/decrypted with DES, the (private) privacy key for
use with the privacy protocol.
TABLE 18-37 SNMP Parameters for the WLAN Switch (Continued)
Field Description
AOS-W 3.1 383
User Guide
Configuring Management Access
Chapter 18
snmp-server community string
snmp-server enable trap
snmp-server host ipaddr version {1|2c|3} string [udp-port number]
snmp-server trap source ipaddr
snmp-server user name [auth-prot {md5|sha} password priv-prot DES password]
SNMP for Access Points
Alcatel APs also support SNMP and you can configure all or some of the APs for
SNMP user access. The APs can be acting as Air Monitors.
For APs, you configure SNMP-related configuration in an SNMP profile, which
you apply to an AP group or to a specific AP. The SNMP profile references one or
more more instances of SNMPv3 user profiles.
NOTE:You always configure APs on the master WLAN Switch.
You can configure the following SNMP parameters for an AP or AP group:
SNMP User Profile
The SNMP User profile configures SNMPv3 users.
TABLE 18-38 SNMP Profile Configuration Parameters
Parameter Description
SNMP enable Enables or disables SNMP reporting by the Alcatel
AP.
Default: enabled
Community One or more community strings used to authenticate
requests for data from the AP.
NOTE:This is required for SNMP v2c but is not
needed for SNMP version 3.
Default: N/A
SNMP user One or more SNMP user profiles.
Default: N/A
Configuring Management Access
Chapter 18
384 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Follow the steps below to configure SNMP parameters for APs in the network.
Using the WebUI to configure SNMP:
1. Navigate to the Configuration > Wireless > AP Configuration page on the
Master WLAN Switch.
2. Click Edit for the AP group.
3. Under the Profiles section, select AP to display the AP profiles. Select SNMP
profile.
4. Under the Profile Details section, enable SNMP and add community strings.
Click Apply.
5. To configure an SNMPv3 user:
A. Under the Profiles section, select SNMP user.
B. Select NEW from the Add a profile drop-down menu.
TABLE 18-39 SNMP User Profile Configuration Parameters
Parameter Description
User name String that represents the name of the user.
Default: N/A
Authentication protocol If messages sent on behalf of this user can be
authenticated, the type of authentication protocol
used:
md5: HMAC-MD5-96 Digest Authentication
Protocol
sha: HMAC-SHA-96 Digest Authentication
Protocol
Default: sha
Authentication password Authentication key for use with the authentication
protocol.
Default: N/A
Privacy password Privacy key for use with the cipher block chaining -
data encryption standard (CBC-DES) Symmetric
Encryption Protocol.
Default: N/A
AOS-W 3.1 385
User Guide
Configuring Management Access
Chapter 18
C. Enter a profile name, and click Add.
D. Click Apply. The new user profile appears in the Profiles list.
E. Select the user profile in the Profiles list to enter information in the Profile
Details section.
F. Enter the SNMP user information, and click Apply.
Using the CLI to configure SNMP:
ap snmp-user-profile profile
user-name name
auth-passwd password
auth-prot protocol
priv-passwd password
ap snmp-profile profile
snmp-enable
community string
snmp-user profile
SNMP Traps
The following is a list of key traps generated by the Alcatel WLAN Switch.
1. WLAN Switch IP changed.
Description: This indicates the WLAN Switch IP has been changed. The
WLAN Switch IP is either the loopback IP address or the IP address of the
VLAN 1 interface (if no loopback IP address is configured).
Priority Level: Critical
2. WLAN Switch role changed
Description: This indicates that the WLAN Switch has transitioned from
being a Master WLAN Switch to a Local WLAN Switch or vice versa.
Priority Level: Critical
3. User entry created/deleted/authenticated/de-authenticated/authentication
failed.
Description: Each of these traps are triggered by an event related to a user
event. The event can be a new user entry being created in the user table,
deletion of a user entry, a user getting authenticated successfully, a user
getting de-authenticated, or a failed authentication attempt. Each of these
traps will be generated by the WLAN Switch on which the user event occurs.
In other words this is a local event to the WLAN Switch where the user is
visible.
Configuring Management Access
Chapter 18
386 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Priority Level: Medium.
4. Authentication server request timed out.
Description: This trap indicates that a request to a authentication server did
not receive a response from the server within a specified amount of time and
therefore the request timed out. This usually indicates a connectivity problem
from the Alcatel WLAN Switch to the authentication server or some other
problem related to the authentication server.
Priority Level: High.
5. Authentication server timed out
Description: This trap indicates that an authentication server has been taken
out of service. This is almost always same as AuthServerReqTimedOut except
when there is only one authentication server in which case the server will
never be taken out of service. In that case the AuthServerReqTimedOut will
continue to be raised but not then AuthServerTimedOut.
Priority level: High
6. Authentication server up.
Description: This trap indicates that an authentication server that was
previously not responding has started responding to authentication requests.
This will be triggered by a user event that causes the WLAN Switch to send
an authentication request to the authentication server.
Priority Level: Low.
7. Authentication user table full.
Description: This trap indicates that the authentication user table has reached
its limit with the number of user entries it can hold. This event is local to the
WLAN Switch that generates the traps. The maximum number of user entries
that can be present at the same time in the user table is 4096.
Priority Level: Critical.
8. Authentication Bandwidth contracts table full
Description: This trap indicates that the maximum number of configured
bandwidth contracts on the WLAN Switch has been exceeded. The threshold
for this is 4096
Priority Level: High
9. Authentication ACL table full.
Description: This trap indicates that the maximum number of ACL entries in
the ACL table has been exceeded. The limit for this is 2048 entries on a WLAN
Switch.
Priority Level: High
AOS-W 3.1 387
User Guide
Configuring Management Access
Chapter 18
10. Power supply failure
Description: As the name indicates, this trap indicates the failure of one of
the two possible power supplies in the WLAN Switch.
Priority Level: Critical
11. Fan failure
Description: As the name indicates, this trap indicates a failure of the fan in
the WLAN Switch.
Priority Level: Critical
12. Out of Range Voltage
Description: This trap indicates an out of range voltage being supplied to the
WLAN Switch.
Priority Level: Critical
13. Out of Range temperature.
Description: This trap indicates an out of range operating temperature being
supplied to the WLAN Switch.
Priority Level: Critical
14. Line card inserted/removed.
Description: These traps indicate that a Line Card has been inserted or
removed from the WLAN Switch.
Priority Level: Critical.
15. Supervisor card inserted/removed.
Description: These traps indicate that a Supervisor card has been inserted or
removed from the WLAN Switch
Priority Level: Critical
16. Power supply missing
Description: This trap indicates that one of the power supplies is missing.
Priority Level:. Critical.
Access Point/Air Monitor Traps
The following are the key traps that can be generated by the Alcatel Access Point
or an Air Monitor:1
1. Unsecure AP detected.
Description: This trap indicates that an Air Monitor has detected and
classified an Access Point as unsecure. It will indicate the location of the Air
Monitor that has detected the unsecure AP, the channel on which the AP was
detected as well as the BSSID and SSID of the detected AP.
Configuring Management Access
Chapter 18
388 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Priority Level: Critical.
2. Station impersonation.
Description: This trap indicates an Air Monitor has detected a Station
impersonation event. The trap will provide the location of the Air Monitor that
has detected the event and the MAC address of the Station.
Priority level: Critical
3. Reserved channel impersonation.
Description: This trap indicates an Access Point is being detected is violating
the Reserved Channels. The location of the AP/AM that detects the event is
provided in the trap. In addition to this, the BSSID and SSID of the detected
AP is also included.
Priority Level: High
4. Valid SSID violation
Description: This indicates a configuration in the configuration of the SSID of
the AP. The AP generates the trap and includes its BSSID, the configured SSID
and the location of the AP in the trap.
Priority Level: High
5. Channel misconfiguration
Description: This trap indicates an error in channel configuration of an AP.
The AP generates the trap and includes its BSSID, the configured SSID and
the location of the AP in the trap
Priority Level: High
6. OUI misconfiguration.
Description: This trap indicates an error in the OUI configuration of an Access
Point. The AP generates the trap and includes its BSSID, the configured SSID
and the location of the AP in the trap
Priority: High
7. SSID misconfiguration.
Description: This trap indicates an error in the SSID configuration of an
Access Point. The AP generates the trap and includes its BSSID, the
configured SSID and the location of the AP in the trap
Priority level: High
8. Short Preamble misconfiguration.
1. For a complete list of traps, refer to the Alcatel MIB Reference.
AOS-W 3.1 389
User Guide
Configuring Management Access
Chapter 18
Description: This trap indicates an error in the Short Preamble configuration
of an Access Point. The AP generates the trap and includes its BSSID, the
configured SSID and the location of the AP in the trap. This check will be
done only if the short-preamble option is selected for the AP from the CLI or
the WebUI.
Priority level: High
9. AM misconfiguration.
Description: This trap indicates an error in the Short Preamble configuration
of an Access Point. The AP generates the trap and includes its BSSID, the
configured SSID and the location of the AP in the trap
Priority Level: High
10. Repeat WEP-IV violation.
Description: This trap indicates that the Air Monitor has detected a valid
station or a valid AP sending consecutive frames that has the same IV
(Initialization vector). This usually means that entity has a “flawed” WEP
implementation and is therefore a potential security risk.
Priority Level: High
11. Weak WEP-IV violation.
Description: This trap indicates that the Air Monitor has detected a valid
station or a valid AP sending frames with an IV that is in the range of IV that
are known to be cryptographically weak and therefore are a potential security
risk.
Priority Level: High.
12. Adhoc networks detected.
Description: This trap indicates that the Air Monitor has detected Adhoc
networks.
Priority Level: High.
13. Valid station policy violation.
Description: This trap indicates that a valid Station policy is being violated.
Priority Level: High.
14. AP interference.
Description: This trap indicates that the indicated Air Monitor (identified by
the BSSID/ SSID) is detecting AP interference on the indicated channel.
Priority Level: Medium
15. Frame Retry rate exceeded.
Configuring Management Access
Chapter 18
390 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Description: This trap refers to the event when the percentage of received
and transmitted frames with the retry bit crosses the High watermark. This
event can be triggered for an AP, a station or a channel. The two values that
should be configured related to this event are Frame Retry Rate – High
Watermark and Frame Retry Rate –Low watermark. The High Watermark
refers to the percentage threshold which if surpassed triggers the event that
causes the trap to be sent. The Low Watermark refers to the percentage
threshold such that if the retry rate reaches a value lower than this value the
event is reset. What this means is that the trap will be triggered the first time
the Frame Retry rate crosses the High Watermark and then will only be
triggered if the Frame Retry Rate goes under the Low Watermark and then
crosses the High Watermark again. This holds true for all the thresholds
explained below as well.
Priority level: Medium.
16. Frame Bandwidth rate exceeded.
Description: This trap refers to the event of the bandwidth rate for a station
exceeding a configured threshold (High watermark). The terms High
Watermark and Low Watermark hold the same meaning as explained above.
Priority Level: Medium
17. Frame low speed rate exceeded.
Description: This trap refers to the event when the percentage of received
and transmitted frames at low speed (less that 5.5Mbps for 802.11b and less
that 24 Mbps for 802.11a) exceeds the configured High Watermark. The
terms High Watermark and Low Watermark hold the same meaning as
explained above.
Priority level: Medium
AOS-W 3.1 391
User Guide
Configuring Management Access
Chapter 18
Configuring Logging
This section outlines the steps required to configure logging on an Alcatel WLAN
Switch. The logging level can be set for each of the modules in the software
system. Table 18-40 summarizes these modules:
TABLE 18-40 Software Modules
Module Description
Management AAA The module responsible for authentication of
management users (telnet/ssh/WebUI).
Authentication The module responsible for authentication of wireless
clients.
Configuration Manager The module responsible for configuration changes in
the Alcatel network and configuration synchronization
amongst all Alcatel WLAN Switches.
VPN server The module responsible for all VPN connections.
DHCP server The DHCP server in the WLAN Switch.
Switching The module responsible for all layer 2/3 switching
functionality.
Mobility The module responsible for inter- and intra-WLAN
Switch mobility for wireless clients.
User The module responsible for user state maintenance.
Access Point Manager The module responsible for managing the Access
Points in the network.
Station Manager The module responsible for all wireless stations at a
802.11 level.
Traffic A logical module to track traffic patterns to help
troubleshooting.
RF Director The monitor responsible for monitoring the wireless
network for any rogues/intrusions etc.
Configuring Management Access
Chapter 18
392 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
For each module, you can configure a logging level, as described in Table 18-41:
You can configure IP address of a syslog server to which the WLAN Switch can
direct these logs.
Using the WebUI to configure logging:
1. Navigate to the Configuration > Management > Logging > Servers page.
2. To add a logging server, click Add in the Logging Servers section.
3. Click Add to add the logging server to the list of logging servers. Ensure that
the syslog server is enabled and configured on this host. Click Apply.
4. To select the module(s) you want to log, select the Levels tab.
5. Select the category or subcategory to be logged. Scroll to the bottom of the
page and select the appropriate logging level. Click Done.
6. Click Apply to apply the configuration.
Using the CLI to configure logging:
logging ipaddr
logging level level module
TABLE 18-41 Logging Levels
Logging Level Description
Emergency Panic conditions that occur when the system becomes
unusable.
Alert Any condition requiring immediate attention and
correction.
Critical Any critical conditions such as a hard drive error.
Errors Error conditions.
Warning Warning messages.
Notice Significant events of a non-critical and normal nature.
Informational Messages of general interest to system users.
Debug Messages containing information useful for
debugging.
AOS-W 3.1 393
User Guide
Configuring Management Access
Chapter 18
Creating Guest Accounts
You can assign the predefined guest-provisioning role to a user, such as a front
desk receptionist, that allows the user to create and manage temporary guest
accounts. When the guest-provisioning user logs in to the WLAN Switch using
the username and password you configured, a special page allows them to create
guest accounts in the WLAN Switch’s internal database and configure the
expiration for the accounts (see Figure 18-34). The guest-provisioning user can
also disable, delete, or modify guest accounts as needed.
FIGURE 18-34 Creating a Guest Account
After creating a guest account, the guest-provisioning user can print the account
information from the browser to give to the guest account user (see
Figure 18-35). You can customize the window on which the account information
appears.
FIGURE 18-35 Guest Account Information
Configuring the Guest Provisioning User
You can use the WebUI or CLI to create the guest provisioning user.
Configuring Management Access
Chapter 18
394 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the WebUI to create the guest-provisioning user:
1. Navigate to the Configuration > Management > Administration page.
2. In the Management Users section, click Add.
3. In the Add User page, make sure that Conventional User Accounts is
selected. Enter the name that the user will log in with to access the guest
account page.
4. Enter the password for the user login.
5. For Role, select guest-provisioning from the drop-down list.
6. Click Apply.
Using the CLI to create the guest-provisioning user:
mgmt-user <username> guest-provisioning
After you press Enter, you are prompted for the <password> for this user.
Guest-Provisioning User Tasks
To log into the WLAN Switch, the guest-provisioning user enters the IP address of
the WLAN Switch in the URL of a browser window. (In a multi-WLAN Switch
network, this must be the IP address of the master WLAN Switch.) In the login
window, the guest-provisioning user enters the previously-configured user name
and password. This is similar to the login for WebUI management access, except
that once the user has logged in, the displayed window is limited to the Guest
Provisioning page (see Figure 18-36).
FIGURE 18-36 Guest Provisioning Page
The guest-provisioning user clicks Add User to create a new guest account. The
guest-provisioning user can either enter a user name and password or accept the
automatically-generated user name and password (clicking Generate creates a
new user name or password), and configure the expiration for the account.
Clicking Apply adds the guest account to the database. Clicking Apply and Print
Preview adds the guest account to the database and displays the account
information in a pop-up window which can be printed from browser.
AOS-W 3.1 395
User Guide
Configuring Management Access
Chapter 18
Optional Configurations
This section describes guest provisioning options that you, the administrator, can
configure.
NOTE:These options are not configurable by the guest-provisioning user.
Setting the Maximum Time for Guest Accounts
You can set the maximum expiration time (in minutes) for guest accounts. If the
guest-provisioning user attempt to add a guest account that expires beyond this
time period, an error message is displayed and the guest account is created with
the maximum time you configured.
Using the WebUI to set the maximum time for guest accounts:
1. Navigate to the Configuration > Authentication > Servers page.
2. Select Internal DB.
3. Under Internal DB Maintenance, enter a value in Maximum Expiration.
4. Click Apply.
Using the CLI to set the maximum time for guest accounts:
local-userdb maximum-expiration <minutes>
Customizing the Account Information Window
In the WebUI, you can customize the pop-up window that displays the guest
account information.
1. Navigate to the Configuration > Security > Access Control > Guest Access
page.
2. Click Browse to insert a logo or other banner information on the window.
3. You can enter text for the Terms and Conditions portion of the window.
4. Click Submit to save your changes. Click Preview Pass to preview the
window.
Configuring Management Access
Chapter 18
396 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Setting the System Clock
You can set the clock on a WLAN Switch manually or by configuring the WLAN
Switch to use a Network Time Protocol (NTP) server to synchronize its system
clock with a central time source.
Manually Setting the Clock
You can use either the WebUI or CLI to manually set the time on the WLAN
Switch’s clock.
Using the WebUI to set the system clock:
1. Navigate to the Configuration > Management > Clock page.
2. Under Switch Date/Time, set the date and time for the clock.
3. Under Time Zone, enter the name of the time zone and the offset from
Greenwich Mean Time (GMT).
4. To adjust the clock for daylight savings time, click Enabled under Summer
Time. Additional fields appear that allow you to set the offset from UTC, and
the start and end recurrences.
5. Click Apply.
Using the CLI to set the system clock:
To set the date and time, enter the following command in privileged mode:
clock set <year> <month> <date> <hour> <minutes> <seconds>
To set the time zone and daylight savings time adjustment, enter the following
commands in configure mode:
clock timezone <WORD> <-23 - 23>
AOS-W 3.1 397
User Guide
Configuring Management Access
Chapter 18
clock summer-time <zone> [recurring]
<1-4> <start day> <start month> <hh:mm>
first <start day> <start month> <hh:mm>
last <start day> <start month> <hh:mm>
<1-4> <end day> <end month> <hh:mm>
first <end day> <end month> <hh:mm>
last <end day> <end month> <hh:mm>
[<-23 - 23>]
Configuring an NTP Server
You can use NTP to synchronize the WLAN Switch to a central time source.
Configure the WLAN Switch to set its system clock using NTP by configuring one
or more NTP servers.
For each NTP server, you can optionally specify the NTP iburst mode for faster
clock synchronization. The iburst mode sends up ten queries within the first
minute to the NTP server. (When iburst mode is not enabled, only one query is
sent within the first minute to the NTP server.) After the first minute, the iburst
mode typically synchronizes the clock so that queries need to be sent at intervals
of 64 seconds or more.
NOTE:The iburst mode is a configurable option and not the default behavior for
the WLAN Switch, as this option is considered “aggressive” by some
public NTP servers. If an NTP server is unresponsive, the iburst mode
continues to send frequent queries until the server responds and time
synchronization starts.
Using the WebUI to configure an NTP server:
1. Navigate to the Configuration > Management > Clock page.
2. Under NTP Servers, click Add.
3. Enter the IP address of the NTP server.
4. Select (check) the iburst mode, if desired.
5. Click Add.
Using the CLI to configure an NTP server:
ntp server ipaddr [iburst]
Configuring Management Access
Chapter 18
398 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 399
User Guide
Managing Software
Feature Licenses 19
AOS-W consists of a base software package with optional software modules that
you can activate by installing one or more license keys. This chapter describes
license types and how to install the licenses on your Alcatel WLAN Switch.
This chapter describes the following topics:
Alcatel Software Licenses” on page 400
“The Software Licensing Process” on page 401
Additional Software License Information” on page 405
“Getting Help with Licenses” on page 407
Managing Software Feature Licenses
Chapter 19
400 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Alcatel Software Licenses
Alcatel product licenses enable the following software modules:
Policy Enforcement Firewall (PEF)
Wireless Intrusion Protection (WIP)
VPN Server (VPN)
Remote Access Point (RAP)
xSEC (XSC)
Client Integrity (CIM)
External Services Interface (ESI)
Voice Services
Software License Types
For all licensed software modules, two categories of licenses are available:
Permanent license - This type of license permanently enables the desired
software module on a specific Alcatel WLAN Switch. You obtain permanent
licenses through the sales order process only. Permanent software license
certificates are printed documents that are physically mailed to you; you will
also receive the license information in an e-mail confirmation.
Evaluation license - This type of license allows you to evaluate the
unrestricted functionality of a software module on a specific WLAN Switch
for 90 days (in three 30-day increments) without requiring you to purchase a
permanent software license.
At the end of the 90-day period, you must apply a permanent license to re-enable
this software module on the WLAN Switch. Evaluation software license
certificates are only available in electronic form and are e-mailed to you.
AOS-W 3.1 401
User Guide
Managing Software Feature Licenses
Chapter 19
The Software Licensing Process
A software license (permanent or evaluation) is unlocked individually by module
type and is applied to each WLAN Switch as a software license key. A software
license key is a unique alphanumerical string created for an individual WLAN
Switch and is only valid for the designated WLAN Switch.
Software license keys can be installed in the WLAN Switch in two ways:
Pre-installed at the factory. In this case, the licensed features are available
upon initial setup of the WLAN Switch.
Installed by you using the instructions provided in this chapter.
NOTE:Alcatel recommends that you obtain a user account on the Alcatel
Software License Management web site even if software license keys are
pre-installed in your WLAN Switch. You should also be familiar with the
software license installation process as described in this chapter.
To enable a software license feature on your WLAN Switch:
1. Obtain a valid Alcatel software license certificate for the feature from your
sales account manager or authorized reseller.
2. Locate the system serial number (or Supervisor Card serial number) of the
WLAN Switch to which you wish to apply the software license.
3. Use the software license certificate ID and the system serial number to obtain
a software license key from the Alcatel Software License Management web
site at https://licensing.alcateloaw.com/login.php.
4. Apply the software license key by using the WebUI to the WLAN Switch on
which you wish to apply the license. Log in to the WebUI and navigate to the
Configuration > Network > Switch > Licenses page. Enter the software
license key, and click Apply.
5. You must now reboot your WLAN Switch in order for the new feature to
become available.
See the following sections for details on each step.
Obtaining a Software License Certificate
To obtain either a permanent or evaluation software license, contact your sales
account manager or authorized reseller. They will process your order for a
permanent license certificate or email an evaluation license certificate to you as
desired.
Managing Software Feature Licenses
Chapter 19
402 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Software License Certificates
The software license certificate is a software-module and WLAN Switch-class
specific document that states:
The orderable part number for the license
A description of the software module type and Alcatel WLAN Switch for
which it is valid
A unique, 32-character alphanumerical string that can be used to access the
license management Web site and which, in conjunction with the serial
number of an Alcatel WLAN Switch or Supervisor Card, generates a unique
software license key
In addition to the printed software license certificate, you will also receive an
e-mail confirmation with the certificate ID.
AOS-W 3.1 403
User Guide
Managing Software Feature Licenses
Chapter 19
Locating the System Serial Number
The serial number of a WLAN Switch is unique. You can find it as follows:
zSystem serial number that is specified on the rear of an Alcatel WLAN Switch
chassis
zSystem serial number of the Supervisor Card (not the chassis) for an
OmniAccess 6000 WLAN Switch
You can obtain system serial numbers by physically inspecting the chassis or card
or by using the WebUI (by navigating to the Switch > Inventory page).
NOTE:To physically inspect the system serial number on a Supervisor Card, you
need to remove the card from the WLAN Switch chassis, which can
result in network down time.
Obtaining a Software License Key
To obtain a software license key, you must log in to the Alcatel License
Management Web site at https://licensing.alcateloaw.com/login.php.
If you are a first time user of the licensing site, you can use the software license
certificate ID number to log in initially and request a user account. If you already
have a user account, log in to the site.
Once logged in, you are presented with several options:
Activate a certificate: Activate a new certificate and create the software
license key that you will apply to your WLAN Switch.
Transfer a certificate: Transfer a software license certificate ID from one
WLAN Switch to another (for example, transferring licenses to a spare
system).
Import preloaded certificates: For WLAN Switches on which licenses are
pre-installed at the factory. transfer all software license certificate IDs used on
the sales order to this user account.
List your certificates: View all currently available and active software license
certificates for your account.
To create a software license key:
1. Select Activate a Certificate.
2. Enter the certificate ID number and the system serial number of the WLAN
Switch to which you wish to apply the license.
3. Review the license agreement and select Ye s to accept the agreement.
4. Click Activate it. A copy of the transaction and the software license key will
be emailed to you at the e-mail address you entered for your user account.
Managing Software Feature Licenses
Chapter 19
404 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
NOTE:The software license key is only valid for the system serial number for
which you activated the certificate.
Applying the Software License Key
To enable the software module and functionality, you must now apply the
software license key to your Alcatel WLAN Switch:
1. Using the WebUI, log into your WLAN Switch with Administrative access
rights.
2. Navigate to the Configuration > Network > Switch > Licenses page to display
system license information and the License Table.
3. Copy the software license key that was emailed to you, and paste it into the
Add New License Key field. Click Add to apply the license key.
4. You must now reboot your WLAN Switch for the new feature to become
available.
CAUTION:When license keys are applied on an Alcatel WLAN Switch,
abnormal tampering of the devices system clock (setting the
system clock back by 2 hours or more) results in the disabling
of software licensed modules and their supported features.
This can affect network services.
AOS-W 3.1 405
User Guide
Managing Software Feature Licenses
Chapter 19
Additional Software License Information
This section includes other information about software licenses.
Permanent Licenses
Once installed, permanent software licenses report the software module as
Enabled in the WebUI for the WLAN Switch. These license types never expire,
even when you upgrade the AOS-W software to a newer version.
Evaluation Licenses
Evaluation licenses support the following behavior:
Evaluation licenses are limited to three 30-day periods. Evaluation licenses
time individually; evaluation licenses for various software modules will expire
at different times.
During evaluation, full functionality relating to a specific software module is
available to the user.
During evaluation, the WebUI for the WLAN Switch reports that software
licenses are expiring.
When you log in through the CLI, the time remaining on the licensing term
displays as shown below:
(host)
User: admin
Password: *****
NOTICE
NOTICE -- This switch has active licenses that will expire in 29 days
NOTICE
NOTICE -- See 'show license' for details.
NOTICE
(host) >
NOTE:If multiple evaluation licenses are running concurrently on the same
WLAN Switch, the reported expiration time is for the licensed feature
with the least amount of time remaining.
The time remaining on an evaluation license is also logged every day.
When an evaluation period expires, the following occurs:
zThe WLAN Switch automatically backs up the startup configuration and
reboots itself at midnight (according to the system clock).
Managing Software Feature Licenses
Chapter 19
406 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
zAll permanent licenses are unaffected. The expired evaluation licensed feature
is no longer available and is shown as Expired in the WebUI.
You can reapply a software license key to the WLAN Switch only if the 90-day
evaluation time for the feature has not been reached. If the maximum time for the
evaluation license has been reached, the startup configuration is backed up,
however, you can only re-enable the feature by installing a permanent license key.
Deleting a License Key
To remove a license from a system:
1. Navigate to the Configuration > Network > Switch > Licenses page.
2. Click Delete to the right of the entry in the License Table.
If a feature is a fully-licensed feature, deleting the feature results in the
feature key being displayed. If a feature is under the trial period of an
evaluation license, no key is generated when the feature is deleted.
NOTE:If you are unable to delete a license key on a disabled or damaged system
that is subsequently returned to the factory, you can reinstall the license
key on another machine. The factory will take the necessary steps to
remove the license key from the returned system.
Moving Licenses
It may become necessary to move licenses from one chassis to another or simply
delete the license for future use. To move licenses, delete the license from the
chassis as described in “Deleting a License Key” on page 406. Then install the
license key on the new WLAN Switch as described in Applying the Software
License Key” on page 404.
Resetting the WLAN Switch
The following sections describe the effects of rebooting a WLAN Switch or
resetting the configuration on software licenses.
CAUTION:The ability to move a license from one WLAN Switch to
another is provided to allow customers maximum flexibility in
managing their organization’s network and to minimize the
need to contact Alcatel customer support. License fraud
detection is monitored and enforced by Alcatel. Abnormally
high volumes of license transfers for the same license
certificate to multiple WLAN Switches can indicate breach of
the Alcatel end user software license agreement and will be
investigated.
AOS-W 3.1 407
User Guide
Managing Software Feature Licenses
Chapter 19
Rebooting a WLAN Switch
Rebooting or resetting a WLAN Switch has no effect on either permanent or
evaluation licenses.
Resetting the WLAN Switch Configuration
Issuing the write erase command on a WLAN Switch running software licenses
does not affect the license key management database on the WLAN Switch.
Issuing the write erase all command resets the WLAN Switch to factory
defaults, and deletes all databases on the WLAN Switch including the license key
management database. You must reinstall all previously-installed license keys.
Getting Help with Licenses
For information or support with licensing issues, contact your Alcatel sales
representative or log onto the Alcatel support website at:
http://eservice.ind.alcatel.com.
Managing Software Feature Licenses
Chapter 19
408 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Volume 8
Configuring
Advanced Services
AOS-W Version 3.1
410 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 411
User Guide
Configuring QoS for Voice 20
This chapter outlines the steps required to configure QoS on an Alcatel WLAN
Switch for Voice over IP (VoIP) devices, including Session Initiation Protocol (SIP)
and Spectralink Voice Priority (SVP) phones. Since voice applications are more
vulnerable to delay and jitter, the network infrastructure must be able to prioritize
voice traffic over data traffic.
This chapter describes the following topics:
“Roles and Policies for Voice Traffic” on page 412
“Optional Configurations” on page 424
“Voice Services Module Features” on page 428
NOTE:To use the features described in this chapter, you must install the Policy
Enforcement Firewall license in the WLAN Switch. Certain voice features
require that the Voice Services Module also be installed in the WLAN
Switch.
Configuring QoS for Voice
Chapter 20
412 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Roles and Policies for Voice Traffic
In the Alcatel OmniAccess system, the user role of a wireless client determines its
privileges, including the priority that every type of traffic to or from the client
receives in the wireless network. Thus, QoS for voice applications is configured
when you configure firewall roles and policies.
In an Alcatel system, you can configure roles for clients that use mostly data
traffic, such as laptops, and roles for clients that use mostly voice traffic, such as
VoIP phones. Although there are different ways for a client to derive a user role, in
most cases the clients using data traffic will be assigned a role after they are
authenticated through a method such as 802.1x, VPN, or captive portal. The user
role for VoIP phones can be derived from the OUI of their MAC addresses or the
SSID to which they associate. This user role will typically be configured to have
access allowed only for the voice protocol being used (for example, SIP or SVP).
The following sections describe how to configure user roles with the required
privileges and priorities assigned to different types of traffic. You must install the
Policy Enforcement Firewall license in the WLAN Switch. Refer to Chapter 7,
“Configuring Roles and Policies,” for details on how to create and configure a
user role.
NOTE:Assigning voice traffic to the high priority queue is recommended when
deploying voice over WLAN networks. If the Voice Services Module
license is installed in the WLAN Switch, VoIP traffic is automatically
assigned to the high priority queue.
Configuring a User Role for SIP Phones
This section describes how to configure the user role “sip-phones” for SIP traffic.
The user role consists of the predefined policy “control”, which permits basic IP
connection, and a user-defined policy “sip-policy” which permits SIP traffic and
assigns the traffic to the high priority queue. The “sip-policy” includes rules that
permit SIP traffic over both TCP and UDP ports and traffic to DHCP and TFTP
servers. All traffic is set to high priority.
NOTE:The “sip-policy” configuration shown is an example; you can configure
more restrictive rules for a policy if additional security is required.
Using the WebUI to configure a SIP user role:
1. Navigate to the Configuration > Security > Access Control page.
2. Select the Policies tab. Click Add to create a new policy.
3. For Policy Name, enter sip-policy.
4. Under Rules, click Add.
AOS-W 3.1 413
User Guide
Configuring QoS for Voice
Chapter 20
A. For Source, select any.
B. For Destination, select any.
C. For Service, select service, then select svc-sip-tcp.
D. For Action, select permit.
E. For Queue, select High.
F. Click Add.
5. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select any.
C. For Service, select service, then select svc-sip-udp.
D. For Action, select permit.
E. For Queue, select High.
F. Click Add.
6. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select any.
C. For Service, select service, then select svc-tftp.
D. For Action, select permit.
E. For Queue, select High.
F. Click Add.
7. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select alias, then click New.
I. For Destination Name, enter dhcp-server.
II. Under Type, click Add.
III. Enter the IP address(es) of the DHCP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V. Select this alias from the Destination drop-down menu.
C. For Service, select service, then select svc-dhcp.
D. For Action, select permit.
E. For Queue, select High.
Configuring QoS for Voice
Chapter 20
414 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
F. Click Add.
8. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select alias, then click New.
I. For Destination Name, enter tftp-server.
II. Under Type, click Add.
III. Enter the IP address(es) of the TFTP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V. Select this alias from the Destination drop-down menu.
C. For Service, select service, then select svc-tftp.
D. For Action, select permit.
E. For Queue, select High.
F. Click Add.
9. Click Apply.
10. Select the User Roles tab. Click Add to add a user role.
A. For Role Name, enter sip-phones.
B. Under Firewall Policies, click Add.
C. For Choose from Configured Policies, select the previously-configured
sip-policy from the drop-down menu.
D. Click Done.
E. Under Firewall Policies, click Add.
F. For Choose from Configured Policies, select control from the drop-down
menu.
G. Click Done.
11. Click Apply.
Using the CLI to configure a SIP user role:
netdestination dhcp-server
host ipaddr
netdestination tftp-server
host ipaddr
ip access-list session sip-policy
AOS-W 3.1 415
User Guide
Configuring QoS for Voice
Chapter 20
any any svc-sip-tcp permit queue high
any any svc-sip-udp permit queue high
any any svc-tftp permit queue high
any alias dhcp-server svc-dhcp permit queue high
any alias tftp-server svc-tftp permit queue high
user-role sip-phones
session-acl sip-policy
session-acl control
Configuring a User Role for SVP Phones
This section describes how to configure the user role “svp-phones” for SVP
traffic. The user role consists of the predefined policy “control”, which permits
basic IP connection, and a user-defined policy “svp-policy”. The “svp-policy
policy includes rules that permit SVP traffic and traffic to DHCP and TFTP servers.
All traffic is set to high priority.
NOTE:The “svp-policy” configuration shown is an example; you can configure
more restrictive rules for a policy if additional security is required.
Using the WebUI to configure an SVP user role:
1. Navigate to the Configuration > Security > Access Control page.
2. Select the Policies tab. Click Add to create a new policy.
3. For Policy Name, enter svp-policy.
4. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select any.
C. For Service, select service, then select svc-svp.
D. For Action, select permit.
E. For Queue, select High.
F. Click Add.
5. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select any.
C. For Service, select service, then select svc-tftp.
D. For Action, select permit.
Configuring QoS for Voice
Chapter 20
416 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
E. For Queue, select High.
F. Click Add.
6. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select alias, then click New.
I. For Destination Name, enter dhcp-server.
II. Under Type, click Add.
III. Enter the IP address(es) of the DHCP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V. Select this alias from the Destination drop-down menu.
C. For Service, select service, then select svc-dhcp.
D. For Action, select permit.
E. For Queue, select High.
F. Click Add.
7. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select alias, then click New.
I. For Destination Name, enter tftp-server.
II. Under Type, click Add.
III. Enter the IP address(es) of the TFTP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V. Select this alias from the Destination drop-down menu.
C. For Service, select service, then select svc-tftp.
D. For Action, select permit.
E. For Queue, select High.
F. Click Add.
8. Click Apply.
9. Select the User Roles tab. Click Add to add a user role.
A. For Role Name, enter svp-phones.
B. Under Firewall Policies, click Add.
AOS-W 3.1 417
User Guide
Configuring QoS for Voice
Chapter 20
C. For Choose from Configured Policies, select the previously-configured
svp-policy from the drop-down menu.
D. Click Done.
E. Under Firewall Policies, click Add.
F. For Choose from Configured Policies, select control from the drop-down
menu.
G. Click Done.
10. Click Apply.
Using the CLI to configure an SVP user role:
netdestination dhcp-server
host ipaddr
netdestination tftp-server
host ipaddr
ip access-list session svp-policy
any any svc-svp permit queue high
any any svc-tftp permit queue high
any alias dhcp-server svc-dhcp permit queue high
any alias tftp-server svc-tftp permit queue high
user-role svp-phones
session-acl svp-policy
session-acl control
Configuring a User Role for Vocera Badges
This section describes how to configure the user role “vocera” for traffic using
the Vocera Communications System. The user role consists of the predefined
policy “control”, which permits basic IP connection, and a user-defined policy
“vocera-policy”. The “vocera-policy” policy includes rules that permit Vocera
traffic (UDP port 5002) and traffic to DHCP and TFTP servers. All traffic is set to
high priority.
NOTE:The “vocera-policy” configuration shown is an example; you can
configure more restrictive rules for a policy if additional security is
required.
Using the WebUI to configure a vocera user role:
1. Navigate to the Configuration > Security > Access Control page.
Configuring QoS for Voice
Chapter 20
418 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
2. Select the Policies tab. Click Add to create a new policy.
3. For Policy Name, enter vocera-policy.
4. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select any.
C. For Service, select service, then select svc-vocera.
D. For Action, select permit.
E. For Queue, select High.
F. Click Add.
5. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select any.
C. For Service, select service, then select svc-tftp.
D. For Action, select permit.
E. For Queue, select High.
F. Click Add.
6. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select alias, then click New.
I. For Destination Name, enter dhcp-server.
II. Under Type, click Add.
III. Enter the IP address(es) of the DHCP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V. Select this alias from the Destination drop-down menu.
C. For Service, select service, then select svc-dhcp.
D. For Action, select permit.
E. For Queue, select High.
F. Click Add.
7. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select alias, then click New.
AOS-W 3.1 419
User Guide
Configuring QoS for Voice
Chapter 20
I. For Destination Name, enter tftp-server.
II. Under Type, click Add.
III. Enter the IP address(es) of the TFTP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V. Select this alias from the Destination drop-down menu.
C. For Service, select service, then select svc-tftp.
D. For Action, select permit.
E. For Queue, select High.
F. Click Add.
8. Click Apply.
9. Select the User Roles tab. Click Add to add a user role.
A. For Role Name, enter vocera.
B. Under Firewall Policies, click Add.
C. For Choose from Configured Policies, select the previously-configured
vocera-policy from the drop-down menu.
D. Click Done.
E. Under Firewall Policies, click Add.
F. For Choose from Configured Policies, select control from the drop-down
menu.
G. Click Done.
10. Click Apply.
Using the CLI to configure a vocera user role:
netdestination dhcp-server
host ipaddr
netdestination tftp-server
host ipaddr
ip access-list session vocera-policy
any any svc-vocera permit queue high
any any svc-tftp permit queue high
any alias dhcp-server svc-dhcp permit queue high
any alias tftp-server svc-tftp permit queue high
user-role vocera
Configuring QoS for Voice
Chapter 20
420 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
session-acl vocera-policy
session-acl control
Configuring a User Role for SCCP Phones
This section describes how to configure the user role “sccp-phones” for SCCP
traffic. The user role consists of the predefined policy “control”, which permits
basic IP connection, and a user-defined policy “sccp-policy”. The “sccp-policy”
policy includes rules that permit SCCP traffic (TCP port 2000) and traffic to DHCP
and TFTP servers. All traffic is set to high priority.
NOTE:The “sccp-policy” configuration shown is an example; you can configure
more restrictive rules for a policy if additional security is required.
Using the WebUI to configure an SCCP user role:
1. Navigate to the Configuration > Security > Access Control page.
2. Select the Policies tab. Click Add to create a new policy.
3. For Policy Name, enter sccp-policy.
4. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select any.
C. For Service, select service, then select svc-sccp.
D. For Action, select permit.
E. For Queue, select High.
F. Click Add.
5. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select any.
C. For Service, select service, then select svc-tftp.
D. For Action, select permit.
E. For Queue, select High.
F. Click Add.
6. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select alias, then click New.
AOS-W 3.1 421
User Guide
Configuring QoS for Voice
Chapter 20
I. For Destination Name, enter dhcp-server.
II. Under Type, click Add.
III. Enter the IP address(es) of the DHCP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V. Select this alias from the Destination drop-down menu.
C. For Service, select service, then select svc-dhcp.
D. For Action, select permit.
E. For Queue, select High.
F. Click Add.
7. Under Rules, click Add.
A. For Source, select any.
B. For Destination, select alias, then click New.
I. For Destination Name, enter tftp-server.
II. Under Type, click Add.
III. Enter the IP address(es) of the TFTP server(s) in your network, then
click Add.
IV. Click Apply to add this alias to the Destination menu.
V. Select this alias from the Destination drop-down menu.
C. For Service, select service, then select svc-tftp.
D. For Action, select permit.
E. For Queue, select High.
F. Click Add.
8. Click Apply.
9. Select the User Roles tab. Click Add to add a user role.
A. For Role Name, enter sccp-phones.
B. Under Firewall Policies, click Add.
C. For Choose from Configured Policies, select the previously-configured
sccp-policy from the drop-down menu.
D. Click Done.
E. Under Firewall Policies, click Add.
F. For Choose from Configured Policies, select control from the drop-down
menu.
Configuring QoS for Voice
Chapter 20
422 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
G. Click Done.
10. Click Apply.
Using the CLI to configure an SCCP user role:
netdestination dhcp-server
host ipaddr
netdestination tftp-server
host ipaddr
ip access-list session sccp-policy
any any svc-sccp permit queue high
any any svc-tftp permit queue high
any alias dhcp-server svc-dhcp permit queue high
any alias tftp-server svc-tftp permit queue high
user-role sccp-phones
session-acl sccp-policy
session-acl control
Configuring User-Derivation Rules
The user role can be derived from attributes from the client’s association with an
AP. For VoIP phones, you can configure the devices to be placed in their user role
based on the SSID or the Organizational Unit Identifier (OUI) of the clients MAC
address.
NOTE:User-derivation rules are executed before the client is authenticated.
Using the WebUI to derive the role based on SSID:
1. Navigate to the Configuration > Security > Authentication > User Rules
page.
2. Click Add to add a new set of derivation rules. Enter a name for the set of
rules, and click Add. The name appears in the User Rules Summary list.
3. In the User Rules Summary list, select the name of the rule set to configure
rules.
4. Click Add to add a rule. For Set Type, select Role from the drop-down menu.
5. For Rule Type, select ESSID.
6. For Condition, select equals.
7. For Value, enter the SSID used for the phones.
AOS-W 3.1 423
User Guide
Configuring QoS for Voice
Chapter 20
8. For Roles, select the user role you previously created.
9. Click Add.
10. Click Apply.
Using the CLI to derive the role based on SSID:
aaa derivation-rules user name
set role condition essid equals ssid set-value role
Using the WebUI to derive the role based on MAC OUI:
1. Navigate to the Configuration > Security > Authentication > User Rules
page.
2. Click Add to add a new set of derivation rules. Enter a name for the set of
rules, and click Add. The name appears in the User Rules Summary list.
3. In the User Rules Summary list, select the name of the rule set to configure
rules.
4. Click Add to add a rule. For Set Type, select Role from the drop-down menu.
5. For Rule Type, select MAC Address.
6. For Condition, select contains.
7. For Value, enter the first three octets (the OUI) of the MAC address of the
phones (for example, the Spectralink OUI is 00:09:7a).
8. For Roles, select the user role you previously created.
9. Click Add.
10. Click Apply.
Using the CLI to derive the role based on MAC OUI:
aaa derivation-rules user name
set role condition macaddr contains xx:xx:xx set-value role
Configuring QoS for Voice
Chapter 20
424 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Optional Configurations
This section describes other voice-related features that you can configure in the
base AOS-W.
Wi-Fi Multimedia
Wi-Fi Multimedia (WMM), is a Wi-Fi Alliance specification based on the IEEE
802.11e wireless Quality of Service (QoS) standard. WMM works with 802.11a,
b, and g physical layer standards.
WMM supports four access categories: voice, video, best effort, and background.
Table 20-42 shows the mapping of the WMM access categories to 802.1D
priority values. The 802.1D priority value is contained in a two-byte QoS control
field in the WMM data frame.
Unscheduled Automatic Power Save Delivery (U-APSD) is a component of the
IEEE 802.11e standard that extends the battery life on voice over WLAN devices.
When enabled, clients trigger the delivery of buffered data from the AP by
sending a data frame.
For those environments in which the wireless clients support WMM, you can
enable both WMM and U-APSD in the SSID profile.
NOTE:Installing the Voice Services Module license in the WLAN Switch allows
you to utilize other WMM-related features described in “Voice Services
Module Features” on page 428.
TABLE 20-42 WMM Access Category to 802.1D Priority Mapping
Priority 802.1D Priority WMM Access Category
lowest 1
Background
2
0
Best effort
3
4
Video
5
6
Voice
highest 7
AOS-W 3.1 425
User Guide
Configuring QoS for Voice
Chapter 20
Using the WebUI to enable WMM:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or
AP name.
3. In the Profiles list, select Wireless LAN. Select Virtual AP, then select the
applicable virtual AP profile. Select the SSID profile.
4. In the Profile Details, select the Advanced tab.
5. Scroll down to the Wireless Multimedia (WMM) option. Select (check) this
option.
6. Click Apply.
Using the CLI to enable WMM:
wlan ssid-profile profile
wmm
Battery Boost
Battery boost converts all multicast traffic to unicast before delivery to the client.
This feature is disabled by default. Enabling this feature on an SSID allows you to
set the DTIM interval from 10 - 100 (the previous allowed values were 1 or 2),
equating to 1,000 - 10,000 milliseconds. This longer interval keeps associated
wireless clients from activating their radios for multicast indication and delivery,
leaving them in power-save mode longer, and thus lengthening battery life. The
DTIM configuration is performed on the WLAN, so no configuration is necessary
on the client.
NOTE:Although you can enable battery boost on a per-virtual AP basis, it must
be enabled for any SSIDs that support voice traffic.
Although the multicast to unicast conversion generates more traffic, but that
traffic is buffered by the AP and delivered to the client when the client emerges
from power-save mode.
An associated parameter available on some clients is the Listening Interval (LI).
This defines the interval (in number of beacons) after which the client must wake
to read the Traffic Indication Map (TIM). The TIM indicates whether there is
buffered unicast traffic for each sleeping client. With battery boost enabled, the
DTIM is increased but multicast traffic is buffered and delivered as unicast.
Increasing the LI can further increase battery life, but can also decrease client
responsiveness.
You enable the battery boost feature and set the DTIM interval in the SSID profile.
Configuring QoS for Voice
Chapter 20
426 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the WebUI to enable battery boost:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
zIf you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.
zIf you select AP Specific, select the name of the AP for which you want
to enable battery boost.
2. Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the appropriate virtual AP instance.
3. Select the SSID profile instance to display in the Profile Details section.
4. Click the Advanced tab.
5. Scroll down the Advanced options and select the Battery Boost check box.
6. Scroll up to change the DTIM Interval.
7. Click Apply.
Using the CLI to enable battery boost:
wlan ssid-profile <profile>
battery-boost
dtim-period <milliseconds>
WPA Fast Handover
In the 802.1x Authentication profile, the WPA fast handover feature allows certain
WPA clients to use a pre-authorized PMK, significantly reducing handover
interruption. Check with the manufacturer of your handset to see if this feature is
supported. This feature is disabled by default.
NOTE:This feature supports WPA clients, while opportunistic key caching (also
configured in the 802.1x Authentication profile) supports WPA2 clients.
Using the WebUI to enable WPA fast handover:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
zIf you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.
zIf you select AP Specific, select the name of the AP for which you want
to enable battery boost.
2. Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the appropriate virtual AP instance.
AOS-W 3.1 427
User Guide
Configuring QoS for Voice
Chapter 20
3. Select AAA profile. Select the 802.1x Authentication Profile to display in the
Profile Details section.
4. Scroll down to select the WPA-Fast-Handover check box.
5. Click Apply.
Using the CLI to enable WPA fast handover:
aaa authentication dot1x <profile>
wpa-fast-handover
For deployments where there are expected to be considerable delays between the
WLAN Switch and APs (for example, in a remote location where an AP is not in
range of another Alcatel AP), Alcatel recommends that you enable the “local
probe response” option in the SSID profile. (Generating probe responses on the
Alcatel WLAN Switch is an optimization that allows AOS-W to make better
decisions.) This option is enabled by default in the SSID profile. You can also
increase the value for the bootstrap threshold in the AP System profile to
minimize the chance of the AP rebooting due to temporary loss of connectivity
with the Alcatel WLAN Switch.
Configuring QoS for Voice
Chapter 20
428 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Voice Services Module Features
This section describes features that require installation of the Voice Services
Module license in the WLAN Switch. For information about obtaining and
installing licenses, see Chapter 19, “Managing Software Feature Licenses”.
Configuring the VoIP CAC Profile
VoIP call admission control prevents any single AP from becoming congested
with voice calls. You configure call admission control options in the VoIP CAC
profile which you apply to an AP group or a specific AP.
Using the WebUI to configure the VoIP CAC profile:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
zIf you select AP Group, click Edit for the AP group name for which you
want to configure VoIP CAC.
zIf you select AP Specific, select the name of the AP for which you want
to configure VoIP CAC.
2. In the Profiles list, select QoS.
3. Select VoIP Call Admission Control profile.
4. You can select a profile instance from the drop-down menu. Or you can
modify parameters and click Save As to create a new VoIP CAC profile
instance.
5. To enable CAC options, select VoIP Call Admission Control (this option is
disabled by default).
6. Click Apply.
Using the CLI to configure the VoIP CAC profile:
wlan voip-cac-profile profile
call-admission-control
parameter value
Disconnecting Excess Calls on a Radio
In the VoIP Call Admission Control (CAC) profile, you can limit the number of
active voice calls allowed on a radio. This feature is disabled by default. When the
disconnect extra call feature is enabled, the system monitors the number of active
voice calls, and if the defined threshold is reached, any new calls are
disconnected. The AP denies association requests from a device that is on call.
AOS-W 3.1 429
User Guide
Configuring QoS for Voice
Chapter 20
You enable this feature in the VoIP CAC profile. You also need to enable call
admission control, which is disabled by default, in this profile.
Using the WebUI to disconnect excess calls:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
zIf you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.
zIf you select AP Specific, select the name of the AP for which you want
to enable battery boost.
2. In the Profiles list, select QoS.
3. Select the VoIP Call Admission Control profile.
4. Select the VoIP Call Admission Control check box.
5. Scroll down to select the VoIP Disconnect Extra Call check box.
6. You can optionally change the VoIP High-capacity Threshold value.
7. Click Apply.
Using the CLI to disconnect excess calls:
wlan voip-cac-profile <profile>
call-admission-control
disconnect-extra-call
high-capacity-threshold <percent>
Enabling VoIP-Aware Scanning in ARM
When you enable CAC options, you should also enable VoIP-aware scanning in
the Adaptive Radio Management (ARM) profile.
Using the WebUI to enable VoIP aware scanning in the ARM profile:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
zIf you select AP Group, click Edit for the AP group name for which you
want to configure IDS.
zIf you select AP Specific, select the name of the AP for which you want
to configure IDS.
2. In the Profiles list, select RF Management.
3. Select Adaptive Radio Management (ARM) Profile.
Configuring QoS for Voice
Chapter 20
430 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
4. You can select a profile instance from the drop-down menu. Or you can
modify parameters and click Save As to create a new VoIP CAC profile
instance.
5. Select (check) the VoIP Aware Scan option.
6. Click Apply.
Using the CLI to enable VoIP aware scanning in the ARM profile:
rf arm-profile profile
voip-aware-scan
Dynamic WMM Queue Management
Traditional wireless networks provide all clients with equal bandwidth access.
However, delays or reductions in throughput can adversely affect voice and video
applications, resulting in disrupted VoIP conversations or dropped frames in a
streamed video. Thus, data streams that require strict latency and throughput
need to be assigned higher traffic priority than other traffic types.
The Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM) standard in response to
industry requirements for Quality of Service (QoS) support for multimedia
applications for wireless networks. WMM anticipates the ratification of the IEEE
802.11e standard that is currently in development.
WMM requires:
the access point is Wi-Fi Certified and has WMM enabled
the client device is Wi-Fi Certified
the application supports WMM
Enhanced Distributed Channel Access
WMM provides media access prioritization through Enhanced Distributed Channel
Access (EDCA). EDCA defines four access categories (ACs) to prioritize traffic:
voice, video, best effort, and background. These ACs correspond to 802.1d
priority tags, as shown in Table 20-43.
AOS-W 3.1 431
User Guide
Configuring QoS for Voice
Chapter 20
While the WMM ACs designate specific types of traffic, you can determine the
priority of the ACs. For example, you can choose to give video traffic the highest
priority. With WMM, applications assign data packets to an AC. In the client, the
data packets are then added to one of the transmit queues for voice, video, best
effort, or background.
WMM is an extension to the Carrier Sense Multiple Access with Collision
Avoidance (CSMA/CA) protocol’s Distributed Coordination Function (DCF). The
collision resolution algorithm responsible for traffic prioritization depends on the
following configurable parameters for each AC:
arbitrary inter-frame space number (AIFSN)
minimum and maximum contention window (CW) size
For each AC, the backoff time is the sum of the AIFSN and a random value
between 0 and the CW value. The AC with the lowest backoff time is granted the
opportunity to transmit (TXOP). Frames with the highest-priority AC are more
likely to get TXOP as they tend to have the lowest backoff times (a result of
having smaller AIFSN and CW parameter values). The value of the CW varies
through time as the CW doubles after each collision up to the maximum CW. The
CW is reset to the minimum value after successful transmission. In addition, you
can configure the TXOP duration for each AC.
On the WLAN Switch, you configure the AC priorities in the WLAN EDCA
parameters profile. There are two sets of EDCA profiles you can configure:
AP parameters affect traffic from the AP to the client
STA parameters affect traffic from the client to the AP
Using the WebUI to configure EDCA parameters:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
zIf you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.
TABLE 20-43 WMM Access Categories and 802.1d Tags
WMM Access
Category Description 802.1d Tag
Voice Highest priority 7, 6
Video Prioritize video traffic above other data traffic 5, 4
Best Effort Traffic from legacy devices or traffic from
applications or devices that do not support QoS
0, 3
Background Low priority traffic (file downloads, print jobs) 2, 1
Configuring QoS for Voice
Chapter 20
432 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
zIf you select AP Specific, select the name of the AP for which you want
to enable battery boost.
2. Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the appropriate virtual AP instance.
3. Select the SSID profile. Select the EDCA Parameters Station or EDCA
Parameters AP profile.
4. You can select a profile instance from the drop-down menu. Or you can
modify parameters and click Save As to create a new EDCA Parameters
profile instance.
5. Click Apply.
Using the CLI to configure EDCA parameters:
wlan edca-parameters-profile {ap|sta} <profile>
To specify the EDCA profile instance in the SSID profile:
wlan ssid-profile <profile>
edca-parameters-profile {ap|sta} <profile>
TSPEC Signaling Enforcement
A WMM client can send a Traffic Specification (TSPEC) signaling request to the
AP before sending traffic of a specific AC type, such as voice. You can configure
the WLAN Switch so that the TSPEC signaling request from a client is ignored if
the underlying voice call is not active; this feature is disabled by default. If you
enable this feature, you can also configure the number of seconds that a client
must wait to start the call after sending the TSPEC request (the default is one
second).
You enable TSPEC signaling enforcement in the VoIP Call Admission Control
profile.
Using the WebUI to configure TSPEC signaling enforcement:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
zIf you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.
zIf you select AP Specific, select the name of the AP for which you want
to enable battery boost.
2. In the Profiles list, select QoS.
3. Select the VoIP Call Admission Control profile.
AOS-W 3.1 433
User Guide
Configuring QoS for Voice
Chapter 20
4. Scroll down to select the VoIP TSPEC Enforcement check box.
5. You can optionally change the VoIP TSPEC Enforcement Period value.
6. Click Apply.
Using the CLI to configure TSPEC signaling enforcement:
wlan voip-cac-profile <profile>
wmm-tspec-enforcement
wmm-tspec-enforcement-period <seconds>
WMM Queue Content Enforcement
WMM queue content enforcement is a firewall setting that you can enable to
ensure that the voice priority is used for voice traffic. When this feature is
enabled, if traffic to or from the user is inconsistent with the associated QoS
policy for voice, the traffic is reclassified to best effort and data path counters
incremented. If TSPEC admission were used to reserve bandwidth, then TSPEC
signaling is used to inform the client that the reservation is terminated.
Using the WebUI to enable WMM queue content enforcement:
1. Navigate to the Configuration > Advanced Services > Stateful Firewall page.
2. Select Enforce WMM Voice Priority Matches Flow Content.
3. Click Apply.
Using the CLI to enable WMM queue content enforcement:
firewall wmm-voip-content-enforcement
Voice-Aware 802.1x
Although reauthentication and rekey timers are configurable on a per-SSID basis,
an 802.1x transaction during a call can affect voice quality. If a client is on a call,
802.1x reauthentication and rekey are disabled by default until the call is
completed. You disable or re-enable the “voice aware” feature in the 802.1x
authentication profile.
Using the WebUI to disable voice awareness for 802.1x:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
Configuring QoS for Voice
Chapter 20
434 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
zIf you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.
zIf you select AP Specific, select the name of the AP for which you want
to enable battery boost.
2. Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the appropriate virtual AP instance.
3. Select AAA profile. Select the 802.1x Authentication Profile to display in the
Profile Details section.
4. Scroll down to deselect the Disable rekey and reauthentication for clients on
call check box.
5. Click Apply.
Using the CLI to disable voice awareness for 802.1x:
aaa authentication dot1x <profile>
no voice-aware
SIP Authentication Tracking
The WLAN Switch supports the stateful tracking of session initiation protocol
(SIP) authentication between a SIP client and a SIP registry server. Upon
successful registration, a user role is assigned to the SIP client (the default role is
guest). You specify a configured user role for the SIP client in the AAA profile.
Using the WebUI to configure the SIP client user role:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
zIf you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.
zIf you select AP Specific, select the name of the AP for which you want
to enable battery boost.
2. Under Profiles, select Wireless LAN, then select Virtual AP. In the Virtual AP
list, select the appropriate virtual AP instance.
3. Select the AAA profile. Enter the configured user role for SIP authentication
role.
4. Click Apply.
Using the CLI to configure the SIP client user role:
aaa profile <profile>
AOS-W 3.1 435
User Guide
Configuring QoS for Voice
Chapter 20
sip-authentication-role <role>
Use the show voice sip client-status command to view the state of the client
registration.
SIP Call Setup Keepalive
The SIP invite call setup message is time-sensitive, as the originator retries the
call as quickly as possible if it does not proceed. You can direct the WLAN Switch
to immediately reply to the call originator with a “SIP 100 - trying” message to
indicate that the call is proceeding and to avoid a possible timeout. This is useful
in conditions where the SIP invite may be redirected through a number of servers
before reaching the WLAN Switch/
You enable SIP call setup keepalive in the VoIP Call Admission Control profile.
Using the WebUI to enable SIP call setup keepalive:
1. Navigate to the Configuration > AP Configuration page. Select either AP
Group or AP Specific.
zIf you select AP Group, click Edit for the AP group name for which you
want to enable battery boost.
zIf you select AP Specific, select the name of the AP for which you want
to enable battery boost.
2. In the Profiles list, select QoS.
3. Select the VoIP Call Admission Control profile.
4. Scroll down to select the VoIP Send SIP 100 Trying check box.
5. Click Apply.
Using the CLI to enable SIP call setup keepalive:
wlan voip-cac-profile <profile>
send-sip-100-trying
Mobile IP Home Agent Assignment
When you enable IP mobility in a mobility domain, the proxy mobile IP module
determines the home agent for a roaming client. (See Chapter 15, “Configuring IP
Mobility”.) An option related to voice clients that you can enable allows on-hook
phones to be assigned a new home agent to load balance voice client home
agents across WLAN Switches in the mobility domain.
Configuring QoS for Voice
Chapter 20
436 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Using the CLI to enable mobile IP home agent assignment:
ip mobile proxy re-home
AOS-W 3.1 437
User Guide
External Services Interface 21
The Alcatel External Services Interface (ESI) provides an open interface that can
be used to integrate security solutions that solve interior network problems such
as viruses, worms, spyware, and corporate compliance. ESI allows selective
redirection of traffic to external service appliances such as anti-virus gateways,
content filters, and intrusion detection systems. When “interesting” traffic is
detected by these external devices, it can be dropped, logged, modified, or
transformed according to the rules of the device. ESI also permits configuration of
different server groups— with each group potentially performing a different action
on the traffic.
The Alcatel ESI can be configured to do one or more of the following for each
group:
Redirect specified types of traffic to the server
Perform health checks on each of the servers in the group
Perform per-session load balancing between the servers in each group
Provide an interface for the server to return information about the client that
can place the client in special roles such as “quarantine”
ESI also provides the ESI syslog parser, which is a mechanism for interpreting
syslog messages from third-party appliances such as anti-virus gateways,
content filters, and intrusion detection systems. The ESI syslog parser is a generic
syslog parser that accepts syslog messages from external devices, processes
them according to user-defined rules, and then takes configurable actions on
system users.
This chapter describes the following topics:
“Understanding ESI” on page 438
“Understanding the ESI Syslog Parser” on page 440
“ESI Configuration Overview” on page 443
“Example Route-mode ESI Topology” on page 463
“Example NAT-mode ESI Topology” on page 474
“Basic Regular Expression Syntax” on page 481
NOTE:To use the features described in this chapter, you must install an ESI
software license in the WLAN Switch.
External Services Interface
Chapter 21
438 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Understanding ESI
In the example shown in this section, ESI is used to provide an interface to the
AntiVirusFirewall (AVF) server device for providing virus inspection services. An
AVF server device is one of many different types of services supported in the ESI.
FIGURE 21-37 The ESI-Fortinet Topology
In the topology shown in Figure 21-37, the clients connect to access points (both
wireless and wired). The wired access points tunnel all traffic back to the WLAN
Switch over the existing network.
The WLAN Switch receives the traffic and redirects relevant traffic (including but
not limited to all HTTP/HTTPS and email protocols such as SMTP and POP3) to
the AVF server device to provide services such as anti-virus scanning, email
scanning, web content inspection, etc. This traffic is redirected on the
“untrusted” interface between the WLAN Switch and the AVF server device. The
WLAN Switch also redirects the traffic intended for the clients—coming from
either the Internet or the internal network. This traffic is redirected on the
“trusted” interface between the WLAN Switch and the AVF server device. The
WLAN Switch forwards all other traffic (for which the AVF server does not
perform any of the required operations such as AV scanning). An example of such
traffic would be database traffic running from a client to an internal server.
arun_007
Corporate
Network
Untrusted
Interface
Trusted
Interface
Mobility
Controller
DMZ/
Internet
AntiVirus
Firewall
Server
Wireless
Users
Wired Users
AOS-W 3.1 439
User Guide
External Services Interface
Chapter 21
The WLAN Switch can also be configured to redirect traffic only from clients in a
particular role such as “guest” or “non-remediated client” to the AVF server
device. This might be done to reduce the load on the AVF server device if there is
a different mechanism such as the Alcatel-Sygate integrated solution to enforce
client policies on the clients that are under the control of the IT department. These
policies can be used to ensure that an anti-virus agent runs on the clients and the
client can get access to the network only if this agent reports a “healthy” status
for the client. Refer to the paper (available from Sygate) on Sygate integrated
solutions for more details on this solution.
The WLAN Switch is also capable of load balancing between multiple external
server appliances. This provides more scalability as well as redundancy by using
multiple external server appliances. Also, the WLAN Switch can be configured to
have multiple groups of external server devices and different kinds of traffic can
be redirected to different groups of devices—with load balancing occurring within
each group (see Figure 21-38 for an example).
FIGURE 21-38 Load Balancing Groups
arun_003
Corporate
Network
DMZ/
Internet
Load
Balancing
Email Group
HTTP
Group
Wireless
Users
Wired Users
External Services Interface
Chapter 21
440 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Understanding the ESI Syslog Parser
The ESI syslog parser adds a UNIX-style regular expression engine for parsing
relevant fields in messages from third-party appliances such as anti-virus
gateways, content filters, and intrusion detection systems.
The user creates a list of rules that identify the type of message, the username to
which this message pertains, and the action to be taken when there is a match on
the condition.
ESI Parser Domains
The ESI servers are configured into ESI parser domains (see Figure 21-39) to
which the rules will be applied. This condition ensures that only messages
coming from configured ESI parser domains are accepted, and reduces the
number of rules that must be examined before a match is detected (see “Syslog
Parser Rules” on page 442).
FIGURE 21-39 ESI Parser Domains
The ESI syslog parser begins with a list of configured IP interfaces to which it
listens for ESI messages. When a syslog message is received, it is checked
against the list of defined ESI servers. If a server match is found, the message is
then tested against the list of predefined rules.
arun_006
Access
Point
Mobility
Controller
Fortinet 1
10.1.1.1
Acme 1
10.2.2.1
Acme 2
10.2.2.2
Acme 3
10.2.2.3
Fortinet 2
10.1.1.2
Fortinet 3
10.1.1.3
Domain Fortinet Domain Acme
AOS-W 3.1 441
User Guide
External Services Interface
Chapter 21
Within the rule-checking process, the incoming message is checked against the
list of rules to search first for a condition match (see “Syslog Parser Rules” on
page 442). If a condition match is made, and the user name can be extracted from
the syslog message, the resulting user action is processed by first attempting to
look up the user in the local user table. If the user is found, the appropriate action
is taken on the user. The default behavior is to look for users only on the local
WLAN Switch. If the user is not found, the event is meaningless and is ignored.
This is the typical situation when a single WLAN Switch is connected to a
dedicated ESI server.
Peer WLAN Switches
As an alternative, consider a topology where multiple WLAN Switches share one
or more ESI servers (see Figure 21-40).
FIGURE 21-40 Peer WLAN Switches
In this scenario, several WLAN Switches (master and local) are defined in the
same syslog parser domain and are also configured to act as peers. From the
standpoint of the ESI servers—because there is no good way of determining from
which WLAN Switch a given user came—the event is flooded out to all WLAN
Switches defined as peers within this ESI parser domain. The corresponding
WLAN Switch holding the user entry acts on the event, while other WLAN
Switches ignore the event.
arun_002
Master Mobility Controller
10.0.0.1
Fortinet Server
30.0.0.2
Fortinet Server
30.0.0.1
Fortinet Server
30.0.0.3
Peer Controllers
ESI Server Group
AP Wireless Client
Jack
Wireless Client
Joe
Local Mobility Controller
20.0.0.1
AP
External Services Interface
Chapter 21
442 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Syslog Parser Rules
The user creates an ESI rule by using characters and special operators to specify a
pattern (regular expression) that uniquely identifies a certain amount of text
within a syslog message. (Regular expression syntax is described in “Basic
Regular Expression Syntax” on page 481.) This “condition” defines the type of
message and the ESI domain to which this message pertains. The rule contains
three major fields:
Condition: The pattern that uniquely identifies the syslog message type.
User: The username identifier. It can be in the form of a name, MAC address,
or IP address.
Action: The action to take when a rule match occurs.
Once a condition match has been made, no further rule-matching will be made.
For the rule that matched, only one action can be defined.
After a condition match has been made, the message is parsed for the user
information. This is done by specifying the target region with the regular
expression (REGEX) regex() block syntax. This syntax generates two blocks: The
first block is the matched expression; the second block contains the value inside
the parentheses. For username matching, the focus is on the second block, as it
contains the username.
Condition Pattern Matching
The following description uses the Fortigate virus syslog message format as an
example to describe condition pattern matching. The Fortigate virus syslog
message takes the form:
< Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 >
This message example contains the Fortigate virus log ID number 0100030101
(“log_id=0100030101”), which can be used as the condition—the pattern that
uniquely identifies this syslog message.
The parser expression that matches this condition is “log_id=0100030101,” which
is a narrow match on the specific log ID number shown in the message, or
“log_id=[0–9]{10}[ ],” which is a regular expression that matches any Fortigate log
entry with a ten-digit log ID followed by a space.
User Pattern Matching
To extract the user identifier in the example Fortigate virus message shown above
(“src=1.2.3.4”), use the following expression, src=(.*)[ ], to parse the user
information contained between the parentheses. The () block specifies where the
username will be extracted. Only the first block will be processed.
AOS-W 3.1 443
User Guide
External Services Interface
Chapter 21
More examples:
Given a message wherein the username is a MAC address:
< Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected mac 00:aa:bb:cc:dd:00 >
The expression “mac[ ](.{17})” will match “mac 00:aa:bb:cc:dd:00” in the example
message.
Given a message wherein the username is a user name:
< Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected user<johndoe> >
The expression “user<(.*)>” will match “user<johndoe>” in the example message.
ESI Configuration Overview
You can use the following interfaces to configure and manage ESI and ESI syslog
parser behavior:
The Web user interface (WebUI), which is accessible through a standard Web
browser from a remote management console or workstation.
The command line interface (CLI), which is accessible from a local console
device connected to the serial port on the WLAN Switch or through a Telnet
or Secure Shell (SSH) connection from a remote management console or
workstation.
NOTE:By default, you can access the CLI only from the serial port or from
an SSH session. To use the CLI in a Telnet session, you must
explicitly enable Telnet on the WLAN Switch.
The Alcatel Mobility Manager System, which is a suite of applications for
monitoring multiple master WLAN Switches and their related local WLAN
Switches and APs. Each application provides a Web-based user interface.
The Alcatel Mobility Manager System is available as an integrated appliance
and as a software application that runs on a dedicated system. See the
Mobility Manager User Guide for more information.
For more information about using these interfaces, see Chapter 18, “Configuring
Management Access”.
NOTE:The general configuration descriptions in the following sections include
both the WebUI pages and the CLI configuration commands. The
configuration overview section is followed by several examples that
show specific configuration procedures.
External Services Interface
Chapter 21
444 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
In general, there are three ESI configuration “phases” on the WLAN Switch as a
part of the solution:
The first phase configures the ESI ping health-check method, servers, and
server groups.The term server here refers to external server devices—for
example, an AVF.
The second phase configures the redirection policies instructing the WLAN
Switch how to redirect the different types of traffic to different server groups.
The final phase configures the ESI syslog parser domains and the rules that
interpret and act on syslog message contents.
NOTE:The procedures shown in the following sections are general descriptions.
Your application might be broader or narrower than this example, but the
same general operations apply.
Health-Check Method, Groups, and Servers
To configure the ESI health-check method, servers, and server groups, navigate to
the Configuration > Advanced Services > External Services view on the WebUI
(see Figure 21-41).
FIGURE 21-41 The External Services View
AOS-W 3.1 445
User Guide
External Services Interface
Chapter 21
Defining the Ping Health-Check Method
Using the WebUI to Configure a Health-Check Method
To configure a health check profile:
1. Navigate to the Configuration > Advanced Services > External Services
page on the WebUI.
2. Click Add in the Health Check Configuration section.
(To change an existing profile, click Edit.)
3. Provide the following details:
A. Enter a Profile Name.
B. Frequency (secs)—Indicates how often the WLAN Switch checks to see
if the server is up and running. Default: 5 seconds.
C. Timeout (secs)—Indicates the number of seconds the WLAN Switch
waits for a response to its health check query before marking the health
check as failed. Default: 2 seconds.
D. Retry count—Is the number of failed health checks after which the WLAN
Switch marks the server as being down. Default: 2.
4. Click Done when you are finished.
5. To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)
Using the CLI to Configure a Health-Check Method
Use these CLI commands to configure a health-check method:
esi ping profile_name
frequency seconds
retry-count count
timeout seconds
For example:
esi ping default
frequency 5
retry-count 2
External Services Interface
Chapter 21
446 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Defining the ESI Server
The following sections describe how to configure an ESI server using the WebUI
and CLI.
Using the WebUI to Configure an ESI Server
To configure an ESI server:
1. Navigate to the Configuration > Advanced Services > External Services
page on the WebUI.
2. Click Add in the External Servers section.
3. Provide the following details:
A. Server Name.
B. Server Group. Use the drop-down list to assign this server to a group
from the existing configured groups.
C. Server Mode. Use the drop-down list to choose the mode (bridge, nat, or
route) your topology requires. Refer to the description above to
understand the differences between these modes.
For routed mode, enter the Trusted IP Address (the IP address of the
trusted interface on the external server device) and the Untrusted IP
Address (the IP address of the untrusted interface on the external
server device). (You can also choose to enable a health check on
either or both of these interfaces.)
For bridged mode, enter the Trusted Port number (the port
connected to the trusted side of the ESI server) and the Untrusted
Port number (the port connected to the untrusted side of the ESI
server).
For NAT mode, enter the Trusted IP Address (the trusted interface
on the external server) and the NAT Destination Port number (the
port a packet is redirected to rather than the original destination port
in the packet). (You can also choose to enable a health check on the
trusted IP address interface.)
4. Click Done when you are finished.
5. To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)
Using the CLI to Configure an ESI Server
Use these CLI commands to configure an ESI server and identify its associated
attributes:
esi server server_identity
dport destination_tcp/udp_port
mode {bridge | nat | route}
AOS-W 3.1 447
User Guide
External Services Interface
Chapter 21
trusted-ip-addr ip-addr [health-check]
trusted-port slot/port
untrusted-ip-addr ip-addr [health-check]
untrusted-port slot/port
For example:
esi server forti_1
mode route
trusted-ip-addr 10.168.172.3
untrusted-ip-addr 10.168.171.3
Defining the ESI Server Group
The following sections describe how to configure an ESI server group using the
WebUI and CLI.
Using the WebUI to Configure an ESI Server Group
To configure an ESI server group on the WLAN Switch:
1. Navigate to the Configuration > Advanced Services > External Services
page.
2. Click Add in the Server Groups section.
(To change an existing group, click Edit.)
3. Provide the following details:
A. Enter a Group Name.
B. In the drop-down list, select a health check profile.
4. Click Done when you are finished.
5. To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)
Using the CLI to Configure an ESI Server Group
Use these CLI commands to configure an ESI server group, identify its associated
ping health-check method, and associate a server with this group:
esi group name
ping profile_name
server server_identity
For example:
esi group fortinet
ping default
server forti_1
External Services Interface
Chapter 21
448 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Redirection Policies and User Role
The following sections describe how to configure the redirection policies and user
role using the WebUI and CLI.
Using the WebUI to Configure the User Role
To configure user roles to redirect the required traffic to the server(s), navigate to
the Configuration > Access Control > User Roles view (see Figure 21-42).
FIGURE 21-42 The User Roles View
1. To add a new role, click Add.
(To change an existing role, click Edit for the firewall policy to be changed.)
The WebUI displays the User Roles tab on top (see Figure 21-43).
FIGURE 21-43 The Add Role View
AOS-W 3.1 449
User Guide
External Services Interface
Chapter 21
2. Role Name. Enter the name for the role.
3. To add a policy for the new role, click Add in the Firewall Policies section.
The WebUI expands the Firewall Policies section (see Figure 21-44).
FIGURE 21-44 Firewall Polices Choices
Choose from existing configured policies, create a new policy based on
existing policies, or create a new policy.
A. If you elect to create a new policy, click on the radio button for Create
New Policy and then click Create.
The WebUI displays the Policies tab (see Figure 21-45).
FIGURE 21-45 Firewall Policy Attributes
B. In the Policies tab:
a. Policy Name. Provide the policy name and select the policy type
from the drop-down list.
External Services Interface
Chapter 21
450 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
The WebUI expands the Policies tab (see Figure 21-46).
FIGURE 21-46 Setting Firewall Policy Parameters
b. In the drop-down lists, choose parameters such as source,
destination, service in the same way as other firewall policy
rules.
For certain choices, the WebUI expands and adds drop-down
lists (see Figure 21-47).
FIGURE 21-47 Selecting Parameters in Drop-down Lists
c. In the Action drop-down menu, select the redirect to ESI group
option.
d. In the Action drop-down menu, select the appropriate ESI group.
e. Select the traffic direction. Forward refers to the direction of
traffic from the (untrusted) client or user to the (trusted) server
(such as the HTTP server or email server).
f. To add this rule to the policy, click Add.
C. Repeat the steps to configure additional rules.
AOS-W 3.1 451
User Guide
External Services Interface
Chapter 21
D. Click Done to return to the User Roles tab.
The WebUI returns to the User Roles tab (see Figure 21-42 on page 448).
4. To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)
5. Refer to Chapter 7, “Configuring Roles and Policies,” for directions on how to
apply a policy to a user role.
Using the CLI to Configure Redirection and User Role
Use these commands to define the redirection filter for sending traffic to the ESI
server and apply the firewall policy to a user role.
ip access-list session policy
any any any redirect esi-group group direction both blacklist
//For any incoming traffic, going to any destination,
//redirect the traffic to servers in the specified ESI group.
any any any permit
//For everything else, allow the traffic to flow normally.
user-role role
access-list {eth | mac | session}
bandwidth-contract name
captive-portal name
dialer name
pool {l2tp | pptp}
reauthentication-interval minutes
session-acl name
vlan vlan_id
For example:
ip access-list session fortinet
any any svc-http redirect esi-group fortinet direction both blacklist
any any any permit
user-role guest
access-list session fortinet
External Services Interface
Chapter 21
452 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
ESI Syslog Parser Domains and Rules
To configure the ESI syslog parser, navigate to the Configuration > Advanced
Services > External Services view on the WebUI (see Figure 21-48).
FIGURE 21-48 The External Services View
Managing Syslog Parser Domains
The following sections describe how to manage syslog parser domains using the
WebUI and CLI.
AOS-W 3.1 453
User Guide
External Services Interface
Chapter 21
Using the WebUI to Manage Syslog Parser Domains
Click on the Syslog Parser Domains tab to display the Syslog Parser Domains
view (see Figure 21-49).
FIGURE 21-49 The Syslog Parser Domains View
This view lists all the domains by domain name and server IP address, and
includes a list of peer WLAN Switches (when peer WLAN Switches have been
configured—as described in “Peer WLAN Switches” on page 441).
Adding a New Syslog Parser Domain
To add a new syslog parser domain:
1. Click Add in the Syslog Parser Domains section.
External Services Interface
Chapter 21
454 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
The system displays the add domain view (see Figure 21-50).
FIGURE 21-50 The Add Domain View
2. In the Domain Name text box, type the name of the domain to be added.
3. In the Server (IP Address) text box, type a valid IP address.
NOTE:You must ensure that you type a valid IP address, because the IP
address you type is not automatically validated against the list of
external servers that has been configured.
4. Click << Add.
5. Click Apply.
Deleting an Existing Syslog Parser Domain
To delete an existing parser domain:
1. Identify the target parser domain in the list shown in the Domain section of
the Syslog Parser Domains view.
2. Click Delete on the same row in the Actions column.
Editing an Existing Syslog Parser Domain
To change an existing syslog parser domain:
1. Identify the target parser domain in the list shown in the Syslog Parser
Domains view (see Figure 21-49 on page 453).
AOS-W 3.1 455
User Guide
External Services Interface
Chapter 21
2. Click Edit on the same row in the Actions column.
The system displays the edit domain view (see Figure 21-51).
FIGURE 21-51 The Edit Domain View
NOTE:You cannot modify the domain name when editing a parser domain.
3. To delete a server from the selected domain, highlight the server IP address
and click >> Delete, then click Apply to commit the change.
4. To add a server or a peer WLAN Switch to the selected domain, type the
server IP address into the text box next to the << Add button, click << Add,
then click Apply to commit the change, or click Cancel to discard the
changes you made and exit the parser domain editing process.
When you make a change in the domain, you can click the View Commands link
in the lower right corner of the window to see the CLI command that corresponds
to the edit action you performed.
Using the CLI to Manage Syslog Parser Domains
Use these CLI commands to manage syslog parser domains.
Adding a New Syslog Parser Domain
esi parser domain name
peer peer-ip
server ipaddr
Showing ESI Syslog Parser Domain Information
show esi parser domains
External Services Interface
Chapter 21
456 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Deleting an Existing Syslog Parser Domain
no esi parser domain name
Editing an Existing Syslog Parser Domain
esi parser domain name
no
peer peer-ip
server ipaddr
For example (based on the example shown in Figure 21-40 on page 441):
esi parser domain forti_domain
server 30.0.0.1
server 30.0.0.2
server 30.0.0.3
peer 20.0.0.1
Managing Syslog Parser Rules
The following sections describe how to manage syslog parser domains using the
WebUI and CLI.
Using the WebUI to Manage Syslog Parser Rules
Click on the Syslog Parser Rules tab to display the Syslog Parser Rules view
(see Figure 21-52).
FIGURE 21-52 The Syslog Parser Rules View
AOS-W 3.1 457
User Guide
External Services Interface
Chapter 21
This view displays a table of rules with the following columns:
Rule name
Ena—where “y” indicates the rule is enabled and “n” indicates the rule is
disabled (not enabled)
Condition—Match condition (a regular expression)
Match—Match type (IP address, MAC address, or user)
User—Match pattern (a regular expression)
Set—Set type (blacklist or role)
Value—Set value (role name)
Domain—Parser domain to which this rule is to be applied
Actions—The actions that can be performed on each rule.
Adding a New Parser Rule
To add a new syslog parser rule:
1. Click Add in the Syslog Parser Rules view.
The system displays the new rule view (see Figure 21-53).
FIGURE 21-53 The New Rule View
2. In the Rule Name text box, type the name of the rule to be added.
3. Click the Enable checkbox to enable the rule.
4. In the Condition Pattern text box, type the regular expression to be used as
the condition pattern.
External Services Interface
Chapter 21
458 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
For example, “log_id=[0–9]{10}[ ]” to search for and match a 10-digit string
preceded by “log_id=” and followed by one space.
5. In the drop-down Match list, use the drop-down menu to select the match
type (ipaddr, mac, or user).
6. In the Match Pattern text box, type the regular expression to be used as the
match pattern.
For example, if you selected “mac” as the match type, type the regular
expression to be used as the match pattern. You could use “mac[ ](.{17})” to
search for and match a 17-character MAC address preceded by the word
“mac” plus one space.
7. In the drop-down Set list, select the set type (blacklist or role).
When you select role as the Set type, the system displays a second
drop-down list. Click the list to display the possible choices and select the
appropriate role value. Validation on the entered value will be based on the
Set selection.
8. In the drop-down Parser Group list, select one of the configured parser
domain names.
Deleting a Syslog Parser Rule
To delete an existing syslog parser rule:
1. Identify the target parser rule in the list shown in the Syslog Parser Rules
view.
2. Click Delete on the same row in the Actions column.
Editing an Existing Syslog Parser Rule
To change an existing syslog parser rule:
1. Identify the target parser rule in the list shown in the Syslog Parser Rules
view (see Figure 21-52).
2. Click Edit on the same row in the Actions column.
AOS-W 3.1 459
User Guide
External Services Interface
Chapter 21
The system displays the attributes for the selected rule (see Figure 21-54).
FIGURE 21-54 The Edit Rule View
NOTE:You cannot modify the rule name when editing a parser rule.
3. Change the other rule attributes as required:
A. Click the Enable checkbox to enable the rule.
B. In the Condition Pattern text box, type the regular expression to be used
as the condition pattern.
C. In the drop-down Match list, select the match type (ipaddr, mac, or user).
D. In the Match Pattern text box, type the regular expression to be used as
the match pattern.
E. In the drop-down Set list, select the set type (blacklist or role).
When you select role as the Set type, the system displays a second
drop-down list. Click the list to display the possible choices and select
the appropriate role value. Validation on the entered value will be based
on the Set selection.
F. In the drop-down Parser Group list, select one of the configured parser
domain names.
NOTE:At this point, you can test the rule you just edited by using the Test
section of the edit rule view. You can also test rules outside the add or
edit processes by using the rule test in the Syslog Parser Test view
(accessed from the External Services page by clicking the
Syslog Parser Test tab, described in Testing a Parser Rule” on
page 460.
4. Click Apply to commit the change, or click Cancel to discard the changes you
made and exit the rule editing process.
External Services Interface
Chapter 21
460 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Testing a Parser Rule
You can test or validate enabled Syslog Parser rules against a sample syslog
message, or against a syslog message file containing multiple syslog messages.
Access the parser rules test from the External Services page by clicking the
Syslog Parser Test tab, which displays the Syslog Parser Rule Test view
(see Figure 21-55).
FIGURE 21-55 The Syslog Parser Rule Test View
To test against a sample syslog message:
A. In the drop-down Test Type list, select Syslog message as the test
source type.
B. In the Message text box, type the syslog message text.
C. Click Te s t to start the test.
The test results are displayed in a box in the area below the Test button. The
test results contain information about the matching rule and match pattern.
To test against a syslog message file:
A. In the drop-down Test Type list, select Syslog file as the test type.
B. In the Filename text box, type the syslog file name.
C. Click Te s t to start the test.
The test results are displayed in a box in the area below the Test button. The
test results contain information about the matching rule and match pattern.
AOS-W 3.1 461
User Guide
External Services Interface
Chapter 21
Using the CLI to Manage Syslog Parser Rules
Use these CLI commands to manage syslog parser rules.
Adding a New Parser Rule
esi parser rule rule-name
condition expression
domain name
enable
match {ipaddr expression | mac expression |userexpression}
position position
set {blacklist | role role}
For example:
esi parser rule forti_virus
condition “log_id=[0-9]{10}[ ]”
match “src=(.*)[ ]”
set blacklist
enable
Showing ESI Syslog Parser Rule Information
show esi parser rules
Deleting a Syslog Parser Rule
no esi parser rule rule-name
Editing an Existing Syslog Parser Rule
esi parser rule rule-name
condition expression
domain name
enable
match {ipaddr expression | mac expression |userexpression}
no
position position
set {blacklist | role role}
Testing a Parser Rule
esi parser rule rule-name
test {file filename |msgmessage}
External Services Interface
Chapter 21
462 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Monitoring Syslog Parser Statistics
The following sections describe how to monitor syslog parser statistics using the
WebUI and CLI.
Using the WebUI to Monitor Syslog Parser Statistics
You can monitor syslog parser statistics in the External Servers monitoring page
(see Figure 21-56), accessed by selecting Monitoring > Switch >
External Services Interface > Syslog Parser Statistics.
FIGURE 21-56 The Syslog Parser Statistics View
The Syslog Parser Statistics view displays statistics such as the number of
matches and number of users per rule, as well as the number of respective
actions fired by the syslog parser.
NOTE:The Syslog Parser Statistics view also displays the last refresh time
stamp and includes a Refresh Now button, to allow the statistics
information to be refreshed manually. There is no automatic refresh on
this page.
Using the CLI to Monitor Syslog Parser Statistics
show esi parser stats
AOS-W 3.1 463
User Guide
External Services Interface
Chapter 21
Example Route-mode ESI Topology
This section introduces the configuration for a sample route-mode topology using
the WLAN Switch and Fortinet Anti-Virus gateways. In route mode, the trusted
and untrusted interfaces between the WLAN Switch and the Fortinet gateways
are on different subnets. Figure 21-57 shows an example route-mode topology.
NOTE:ESI with Fortinet Anti-Virus gateways is supported only in route mode.
FIGURE 21-57 Example Route-Mode Topology
In the topology shown, the following configurations are entered on the WLAN
Switch and Fortinet gateway:
ESI Server configuration on WLAN Switch:
Trusted IP address = 10.168.172.3 (syslog source)
Untrusted IP address = 10.168.171.3
Mode = route
arun_004
Wireless User Subnet
= 10.168.173.0/24
Fortinet Gateway
Mobility Controller
Untrusted interface IP
address = 10.168.171.3/24
Trusted interface IP
address = 10.168.172.3/24
Untrusted interface IP
address = 10.168.171.1/24
Trusted interface IP
address = 10.168.172.1/24
Core Router (default gateway)
= 10.168.172.1/24
External Services Interface
Chapter 21
464 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
IP routing configuration on Fortinet Gateway:
Default gateway (core router) = 10.168.172.1
Static route for wireless user subnet (10.168.173.0/24) through the WLAN
Switch (10.168.171.2)
Configuring the Example Routed ESI Topology
This section describes how to implement the example routed ESI topology shown
in Figure 21-57 on page 463. The description includes the relevant configuration—
both the WebUI and the CLI configuration processes are described—required on
the WLAN Switch to integrate with a AVF server appliance.
The ESI configuration process will redirect all HTTP user traffic to the Fortinet
server for examination, and any infected user will be blacklisted. The
configuration process consists of these general tasks:
Defining the ESI server.
Defining the default ping health check method.
Defining the ESI group.
Defining the HTTP redirect filter for sending HTTP traffic to the ESI server.
Applying the firewall policy to the guest role.
Defining ESI parser domains and rules.
There are three configuration “phases” on the WLAN Switch as a part of the
solution.
The first phase configures the ESI ping health-check method, servers, and
server groups.The term server here refers to external AVF server devices.
In the second phase of the configuration task, the user roles are configured
with the redirection policies (session ACL definition) instructing the WLAN
Switch to redirect the different types of traffic to different server groups.
In the final phase, the ESI parser domains and rules are configured.
NOTE:The procedures shown in the following sections are based on the
requirements in the example routed ESI topology. Your application might
be broader or narrower than this example, but the same general
operations apply.
Health-Check Method, Groups, and Servers
To configure the ESI health-check method, servers, and server groups, navigate to
the Configuration > Advanced Services > External Services view on the WebUI
(see Figure 21-48 on page 452).
AOS-W 3.1 465
User Guide
External Services Interface
Chapter 21
Defining the Ping Health-Check Method
Using the WebUI to Configure a Health-Check Method
To configure a health check profile:
1. Navigate to the Configuration > Advanced Services > External Services
page on the WebUI.
2. Click Add in the Health Check Configuration section.
(To change an existing profile, click Edit.)
3. Provide the following details:
A. Enter enter the name default for the Profile Name.
B. Frequency (secs)—Enter 5.)
C. Timeout (secs)—Indicates the number of seconds the WLAN Switch
waits for a response to its health check query before marking the health
check as failed. Default: 2 seconds. (In this example, enter 3.)
D. Retry count—Is the number of failed health checks after which the WLAN
Switch marks the server as being down. Default: 2. (In this example,
enter 3.)
4. Click Done when you are finished.
5. To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)
Using the CLI to Configure a Health-Check Method
Use these CLI commands to configure a health-check method:
esi ping profile_name
frequency seconds
retry-count count
timeout seconds
For example:
esi ping default
frequency 5
retry-count 3
timeout 3
External Services Interface
Chapter 21
466 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Defining the ESI Server
The following sections describe how to configure an ESI server using the WebUI
and CLI.
Using the WebUI to Configure an ESI Server
To configure an ESI server:
1. Navigate to the Configuration > Advanced Services > External Services
page on the WebUI.
2. Click Add in the External Servers section.
3. Provide the following details:
A. Server Name. (This example uses the name forti_1.)
B. Server Group. Use the drop-down list to assign this server to a group
from the existing configured groups. (This example uses fortinet.)
C. Server Mode. Use the drop-down list to choose the mode (bridge, nat, or
route) your topology requires. Refer to the description above to
understand the differences between the modes. (This example uses
route mode.)
D. Trusted IP Address. Enter 10.168.172.3.)
E. Untrusted IP Address. Enter 10.168.171.3.)
4. Click Done when you are finished.
5. To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)
Using the CLI to Configure an ESI Server
Use these CLI commands to configure an ESI server and identify its associated
attributes:
esi server server_identity
dport destination_tcp/udp_port
mode {bridge | nat | route}
trusted-ip-addr ip-addr [health-check]
trusted-port slot/port
untrusted-ip-addr ip-addr [health-check]
untrusted-port slot/port
For example:
esi server forti_1
mode route
trusted-ip-addr 10.168.172.3
untrusted-ip-addr 10.168.171.3
AOS-W 3.1 467
User Guide
External Services Interface
Chapter 21
Defining the ESI Server Group
The following sections describe how to configure an ESI server group using the
WebUI and CLI.
Using the WebUI to Configure an ESI Server Group
To configure an ESI server group on the WLAN Switch:
1. Navigate to the Configuration > Advanced Services > External Services
page.
2. Click Add in the Server Groups section.
3. Provide the following details:
A. Enter a Group Name. Enter fortinet.)
B. In the drop-down list, select default as the health check profile.
4. Click Done when you are finished.
5. To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)
Using the CLI to Configure an ESI Server Group
Use these CLI commands to configure an ESI server group, identify its associated
ping health-check method, and associate a server with this group:
esi group name
ping profile_name
server server_identity
For example:
esi group fortinet
ping default
server forti_1
External Services Interface
Chapter 21
468 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Redirection Policies and User Role
The following sections describe how to configure the redirection policies and user
role using the WebUI and CLI.
Using the WebUI to Configure the User Role
To configure user roles to redirect the required traffic to the server(s), navigate to
the Configuration > Access Control > User Roles view (see Figure 21-58).
FIGURE 21-58 The User Roles View
1. To add a new role, click Add.
The WebUI displays the Add Role view (see Figure 21-59).
FIGURE 21-59 The Add Role View
2. Role Name. Enter “guest” as the name for the role.
AOS-W 3.1 469
User Guide
External Services Interface
Chapter 21
3. To add a policy for the new role, click Add in the Firewall Policies section.
The WebUI expands the Firewall Policies section (see Figure 21-60).
FIGURE 21-60 Firewall Polices Choices
Choose from existing configured policies, create a new policy based on
existing policies, or create a new policy.
A. If you elect to create a new policy, click on the radio button for Create
New Policy and then click Create.
The WebUI displays the Policies tab (see Figure 21-61).
FIGURE 21-61 Firewall Policy Attributes
B. In the Policies tab:
a. Policy Name. Enter the policy name fortinet and the session
type.) Click Add to proceed.
External Services Interface
Chapter 21
470 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
The WebUI expands the Policies tab (see Figure 21-62).
FIGURE 21-62 Setting Firewall Policy Parameters
b. In the drop-down lists, choose parameters such as source,
destination, service in the same way as other firewall policy
rules. (This example uses any source, any destination, service
type svc-http (tcp 80),
For certain choices, the WebUI expands and adds drop-down
lists (see Figure 21-63).
FIGURE 21-63 Selecting Parameters in Drop-down Lists
c. In the Action drop-down menu, select the redirect to ESI group
option.
d. Select fortinet as the appropriate ESI group.
The three steps above translate to “for any incoming HTTP
traffic, going to any destination, redirect the traffic to servers in
the ESI group named fortinet.”)
e. Select both as the traffic direction. Forward refers to the
direction of traffic from the (untrusted) client or user to the
(trusted) server (such as the HTTP server or email server).
AOS-W 3.1 471
User Guide
External Services Interface
Chapter 21
f. To add this rule to the policy, click Add.
C. Repeat the steps to configure additional rules. (This example adds a rule
that specifies any,any,any,permit.)
D. Click Done to return to the User Roles tab.
4. To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)
5. Refer to Chapter 7, “Configuring Roles and Policies,” for directions on how to
apply a policy to a user role.
Using the CLI to Configure the User Role
Use these commands to define the redirection filter for sending traffic to the ESI
server and apply the firewall policy to a user role in the route-mode ESI topology
example.
ip access-list session policy
any any any redirect esi-group group direction both blacklist
//For any incoming traffic, going to any destination,
//redirect the traffic to servers in the specified ESI group.
any any any permit
//For everything else, allow the traffic to flow normally.
user-role role
access-list {eth | mac | session}
bandwidth-contract name
captive-portal name
dialer name
pool {l2tp | pptp}
reauthentication-interval minutes
session-acl name
vlan vlan_id
For example:
ip access-list session fortinet
any any svc-http redirect esi-group fortinet direction both blacklist
any any any permit
user-role guest
access-list session fortinet
External Services Interface
Chapter 21
472 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Syslog Parser Domain and Rules
The following sections describe how to configure the syslog parser domain and
rules for the route-mode example using the WebUI and CLI.
Using the WebUI to Add a New Syslog Parser Domain
To add a new syslog parser domain for the routed example:
1. Click Add in the Syslog Parser Domains tab (Advanced Services > External
Services > Syslog Parser Domain).
The system displays the new domain view (see Figure 21-50 on page 454).
2. In the Domain Name text box, type the name of the domain to be added.
3. In the Server (IP Address) text box, type a valid IP address.
NOTE:You must ensure that you type a valid IP address, because the IP
address you type is not automatically validated against the list of
external servers that has been configured.
4. Click << Add.
5. Click Apply.
Using the WebUI to Add a New Parser Rule
To add a new syslog parser rule for the route-mode example:
1. Click Add in the Syslog Parser Rules tab (Advanced Services > External
Services > Syslog Parser Rule).
The system displays the new rule view (see Figure 21-53 on page 457).
2. In the Rule Name text box, type the name of the rule to be added (in this
example, “forti_virus”).
3. Click the Enable checkbox to enable the rule.
4. In the Condition Pattern text box, type the regular expression to be used as
the condition pattern. (In this example, the expression “log_id=[0–9]{10}[ ]”
searches for and matches a 10-digit string preceded by “log_id=” and
followed by one space.)
5. In the drop-down Match list, use the drop-down menu to select the match
type (in this example, ipaddr).
6. In the Match Pattern text box, type the regular expression to be used as the
match pattern (in this example, “src=(.*)[ ]”).
7. In the drop-down Set list, select the set type (in this example, blacklist).
8. In the drop-down Parser Group list, select one of the configured parser
domain names (in this example, “forti_domain”).
AOS-W 3.1 473
User Guide
External Services Interface
Chapter 21
9. Click Apply.
Using the CLI to Define a New Syslog Parser Domain and Rules
Use these CLI commands to define a syslog parser domain and the rule to be
applied in the route-mode example shown in Figure 21-57 on page 463.
esi parser domain name
peer peer-ip
server ipaddr
esi parser rule rule-name
condition expression
domain name
enable
match {ipaddr expression | mac expression |userexpression }
position position
set {blacklist | role role}
For example:
esi parser domain forti_domain
server 10.168.172.3
esi parser rule forti_virus
condition “log_id=[0-9]{10}[ ]”
match ipaddr “src=(.*)[ ]”
set blacklist
enable
External Services Interface
Chapter 21
474 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Example NAT-mode ESI Topology
This section describes the configuration for a sample NAT-mode topology using
the WLAN Switch and three external captive-portal servers. NAT mode uses a
trusted interface for each external captive-portal server and a different destination
port to redirect a packet to a port other than the original destination port in the
packet. An example topology is shown below in Figure 21-64.
FIGURE 21-64 Example NAT-Mode Topology
In this example, all HTTP traffic received by the WLAN Switch is redirected to the
external captive portal server group and load-balanced across the captive portal
servers. All wireless client traffic with destination port 80 is redirected to the
captive portal server group, with the new destination port 8080.
NOTE:The external servers do not necessarily have to be on the subnet as the
WLAN Switch. The policy that redirects traffic to the external servers for
load balancing is routed to the external servers if they are on a different
subnet.
arun_001
Mobility Controller
10.1.1.1
10.1.1.2
10.1.1.3
Access Points
External Captive
Portal Servers
AOS-W 3.1 475
User Guide
External Services Interface
Chapter 21
In the topology shown, the following configurations are entered on the WLAN
Switch and external captive-portal servers:
ESI Server configuration on the WLAN Switch:
External captive-portal server 1:
zName = external_cp1
zMode = NAT
zTrusted IP address = 10.1.1.1
zAlternate destination port = 8080
External captive-portal server 2:
zName = external_cp2
zMode = NAT
zTrusted IP address = 10.1.1.2
External captive-portal server 3:
zName = external_cp3
zMode = NAT
zTrusted IP address = 10.1.1.3
Health-check ping:
zName = externalcp_ping
zFrequency = 30 seconds
zRetry-count = 2 attempts
zTimeout = 2 seconds (2 seconds is the default)
ESI group = external_cps
Session access control list (ACL)
zName = cp_redirect_acl
zSession policy = user any svc-http redirect esi-group external_cps
direction both
Configuring the Example NAT-mode ESI Topology
This section describes how to implement the example NAT-mode ESI topology
shown in Figure 21-64 on page 474 using both the WebUI, then the CLI.
The configuration process consists of these general tasks:
Configuring captive portal (see the “Configuring Captive Portal” chapter).
Configuring the health-check ping method.
External Services Interface
Chapter 21
476 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Configuring the ESI servers.
Configuring the ESI group.
Defining the redirect filter for sending traffic to the ESI server.
Using the WebUI to Configure the NAT-mode ESI Example
Navigate to the Configuration > Advanced Services > External Services view on
the WebUI (see Figure 21-41 on page 444).
Using the WebUI to configure the Health-Check Ping Method
1. Click Add in the Health-Check Configuration section External Services view
on the WebUI.
2. Provide the following details:
A. Profile Name. (This example uses externalcp_ping.)
B. Frequency (seconds). (This example uses 30.)
C. Retry Count. (This example uses 3.)
NOTE:If you do not specify a value for a parameter, the WebUI assumes the
default value. In this example, the desired timeout value is two seconds;
therefore, not specifying the timeout causes the WebUI to use the default
value of two seconds.
3. Click Done when you are finished.
NOTE:To apply the configuration (changes), you must click Apply in the
External Services view on the WebUI. In this example, you can wait until
you finish configuring the servers and groups, or you can apply after each
configuration portion.
Using the WebUI to Configure the ESI Group
1. Click Add in the Server Groups section External Services view on the
WebUI.
2. Provide the following details:
A. Group Name. (This example uses external_cps.)
B. Health-Check Profile. Select the health-check ping from the drop-down
list. (This example uses externalcp_ping.)
3. Click Done when you are finished.
NOTE:To apply the configuration (changes), you must click Apply in the
External Services view on the WebUI. In this example, you can wait until
you finish configuring the servers and groups, or you can apply after each
configuration portion.
AOS-W 3.1 477
User Guide
External Services Interface
Chapter 21
Using the WebUI to Configure the ESI Servers
1. Click Add in the External Servers section External Services view on the
WebUI.
2. Provide the following details:
A. Server Name.
B. Server Group. Use the drop-down list to assign this server to a group
from the existing configured groups.
C. Server Mode. Use the drop-down list to choose NAT mode.)
D. Trusted IP Address. For nat mode, enter the IP address of the trusted
interface on the external captive portal server.
E. NAT Destination Port. Enter the port number (to redirect a packet to a
port other than the original destination port in the packet).
3. Click Done when you are finished.
4. Repeat step 1 through step 3 for the remaining external captive portal
servers.
5. To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)
Using the WebUI to Configure the Redirection Filter
To redirect the required traffic to the server(s) using the WebUI, navigate to the
Configuration > Access Control > User Roles view on the WebUI (see
Figure 21-42 on page 448).
1. Click the Policies tab.
2. Click Add in the Policies section of the Policies view on the WebUI.
3. Provide the following details:
A. Policy Name. (This example uses cp_redirect_acl.)
B. Policy Type. Select Session from the drop-down list.
4. Click Add in the Rules section of the Policies view.
A. Source. Select user from the drop-down list.
B. Destination. Accept any.
C. Service. Select service from the drop-down list; select svc-http (tcp 80)
from the secondary drop-down list.
D. Action. Select redirect to ESI group from the drop-down list; select
external_cps from the secondary drop-down list; click <-- to add that
group.
E. Click Add.
External Services Interface
Chapter 21
478 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
5. Click Done when you are finished.
6. To apply the configuration (changes), click Apply. (The configuration will not
take effect until you click Apply.)
Using the CLI to Configure the Example NAT-mode Topology
The CLI configuration process consists of these general tasks:
Configuring captive portal (see Chapter 10, “Configuring Captive Portal”).
Configuring the health-check ping method.
Configuring the ESI servers.
Configuring the ESI group.
Defining the redirect filter for sending traffic to the ESI server.
Configure a Health-Check Ping
The health-check ping will be associated with an ESI group, along with servers,
so that WLAN Switch will send ICMP echo requests to each server in the group
and mark the server down if the WLAN Switch does not hear from the server. The
health-check parameters used in this example are:
Frequency—30 seconds. (The default is 5 seconds.)
Retry-count—3. (The default is 2.)
Timeout—2 seconds. (The default is 2 seconds.)
Use these CLI commands to configure a health-check ping method:
esi ping profile_name
frequency seconds
retry-count count
timeout seconds
Configuring ESI Servers
Here are the ESI server CLI configuration tasks:
Configure server mode to be NAT.
Configure the trusted IP address (the server IP address to which packets
should be redirected).
To redirect to a different port than the original destination port in the packet,
configure an alternate destination port.
AOS-W 3.1 479
User Guide
External Services Interface
Chapter 21
Use these CLI commands to configure an ESI server and identify its associated
attributes:
esi server server_identity
dport destination_tcp/udp_port
mode {bridge | nat | route}
trusted-ip-addr ip-addr [health-check]
Configure an ESI Group, Add the Health-Check Ping and ESI Servers
Use these CLI commands to configure an ESI server group, identify its associated
ping health-check method, and associate a server with this group:
esi group name
ping profile_name
server server_identity
Use This ESI Group in a Session Access Control List
Use these CLI commands to define the redirection filter for sending traffic to the
ESI server.
ip access-list session policy
user any svc-http redirect esi-group group direction both
CLI Configuration Example 1
esi ping externalcp_ping
frequency 30
retry-count 3
esi server external_cp1
dport 8080
mode nat
trusted-ip-addr 10.1.1.1
esi server external_cp2
dport 8080
mode nat
trusted-ip-addr 10.1.1.2
esi server external_cp3
dport 8080
mode nat
trusted-ip-addr 10.1.1.3
External Services Interface
Chapter 21
480 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
esi group external_cps
ping externalcp_ping
server external_cp1
server external_cp2
server external_cp3
ip access-list session cp_redirect_acl
user any svc-http redirect esi-group external_cps direction both
CLI Configuration Example 2
esi server https-proxy1
dport 44300
mode nat
trusted-ip-addr 1.2.3.4
esi server https-proxy2
dport 44300
mode nat
trusted-ip-addr 1.2.3.5
esi group https-proxies
ping default
server https-proxy1
server https-proxy2
ip access-list session https-proxy
user any svc-https redirect esi-group https-proxies direction both
any any permit
AOS-W 3.1 481
User Guide
External Services Interface
Chapter 21
Basic Regular Expression Syntax
The ESI syslog parser supports regular expressions created using the Basic
Regular Expression (BRE) syntax described in this section. BRE syntax consists of
instructions—character-matching operators (described in Table 21-44), repetition
operators (described in Table 21-45), or expression anchors (described in
Table 21-46)—used to defined the search or match target.
This section contains the following topics:
“Character-Matching Operators” on page 481
“Regular Expression Repetition Operators” on page 482
“Regular Expression Anchors” on page 482
“References” on page 483
Character-Matching Operators
Character-matching operators define what the search will match.
TABLE 21-44 Character-matching operators in regular expressions
Operator Description Sample Result
. Match any one character. grep .ord
sample.txt
Matches ford, lord, 2ord,
etc. in the file sample.txt.
[ ] Match any one character
listed between the
brackets
grep [cng]ord
sample.txt
Matches only cord, nord,
and gord
[^] Match any one character
not listed between the
brackets
grep [^cn]ord
sample.txt
Matches lord, 2ord, etc.,
but not cord or nord
grep
[a-zA-Z]ord
sample.txt
Matches aord, bord, Aord,
Bord, etc.
grep [^0-9]ord
sample.txt
Matches Aord, aord, etc.,
but not 2ord, etc.
External Services Interface
Chapter 21
482 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Regular Expression Repetition Operators
Repetition operators are quantifiers that describe how many times to search for
a specified string. Use them in conjunction with the character-matching operators
in Table 21-45 to search for multiple characters.
TABLE 21-45 Regular expression repetition operators
Regular Expression Anchors
Anchors describe where to match the pattern, and are a handy tool for searching
for common string combinations. Some of the anchor examples use the vi line
editor command :s, which stands for substitute. That command uses the syntax:
s/pattern_to_match/pattern_to_substitute.
TABLE 21-46 Regular expression anchors
Operator Description Sample Result
? Match any character one
time if it exists
egrep “?erd”
sample text
Matches berd, herd, etc.,
erd
* Match declared element
multiple times if it exists
egrep “n.*rd”
sample.txt
Matches nerd, nrd, neard,
etc.
+ Match declared element
one or more times
egrep
“[n]+erd”
sample.txt
Matches nerd, nnerd, etc.,
but not erd
{n} Match declared element
exactly n times
egrep
“[a-z]{2}erd”
sample.txt
Matches cherd, blerd, etc.,
but not nerd, erd, buzzerd,
etc.
{n,} Match declared element at
least n times
egrep
“.{2,}erd”
sample.txt
Matches cherd and
buzzerd, but not nerd
{n,N} Match declared element at
least n times, but not
more than N times
egrep
“n[e]{1,2}rd”
sample.txt
Matches nerd and neerd
Operator Description Sample Result
^ Match at the beginning of
a line
s/^/blah / Inserts “blah” at the
beginning of the line
$ Match at the end of a line s/$/ blah/ Inserts “ blah” at the end
of the line
\< Match at the beginning of
a word
s/\</blah/ Inserts “blah” at the
beginning of the word
AOS-W 3.1 483
User Guide
External Services Interface
Chapter 21
References
This implementation is based, in part, on the following resources:
Lonvick, C., “The BSD syslog Protocol”, RFC 3164, August 2001
Regular expression (regex) reference:
http://en.wikipedia.org/wiki/Regular_expression
Regex syntax summary:
http://www.greenend.org.uk/rjk/2002/06/regexp.html
Basic regular expression (BRE) syntax:
http://builder.com.com/5100-6372-1050915.html
egrep “\<blah
sample.txt
Matches blahfield, etc.
\> Match at the end of a
word
s/\>/blah/ Inserts “blah” at the end of
the word
egrep “\>blah
sample.txt
Matches soupblah, etc.
\b Match at the beginning or
end of a word
egrep
“\bblah”
sample.txt
Matches blahcake and
countblah
\B Match in the middle of a
word
egrep
“\Bblah”
sample.txt
Matches sublahper, etc.
Operator Description Sample Result
External Services Interface
Chapter 21
484 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Volume 9
Appendices
AOS-W Version 3.1
486 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 487
User Guide
Configuring DHCP with
Vendor-Specific Options A
A standards-compliant DHCP server can be configured to return the host Alcatel
WLAN Switch’s IP address through the Vendor-Specific Option Code (option 43)
in the DHCP reply. In the Alcatel OmniAccess system, this information can allow
an Alcatel AP to automatically discover the IP address of a master WLAN Switch
for its configuration and management. This appendix describes how to configure
vendor-specific option 43 on various DHCP servers.
This appendix contains the following topics:
“Overview” on page 488
“Windows-Based DHCP Server” on page 488
“Linux DHCP Servers” on page 491
Configuring DHCP with Vendor-Specific Options
Chapter A
488 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Overview
DHCP servers are a popular way of configuring clients with basic networking
information such as an IP address, a default gateway, network mask, DNS server,
and so on. Most DHCP servers have the ability to also send a variety of optional
information, including the Vendor-Specific Option Code, also called option 43.
Here is how option 43 works:
1. The DHCP client on an Alcatel AP adds an optional piece of information called
the Vendor Class Identifier Code (option 60) to its DHCP request. The value of
this code is ArubaAP.
2. The DHCP server sees the Vendor Class Identifier Code in the request and
checks to see if it has option 43 configured. If it does, it sends the
Vendor-Specific Option Code (option 43) to the client. The value of this option
is the loopback address of the Alcatel master WLAN Switch.
3. The AP receives a response from the DHCP server and checks if option 43 is
returned. If it is, the AP contacts the master WLAN Switch using the supplied
IP address.
Windows-Based DHCP Server
Configuring a Microsoft Windows-based DHCP server to send option 43 to the
DHCP client on an Alcatel AP consists of the following two tasks:
Configuring Option 60
Configuring Option 43
Configuring Option 60
This section describes how to configure the Vendor Class Identifier Code (option
60) on a Microsoft Windows-based DHCP server.
As mentioned in the overview section, option 60 identifies and associates a
DHCP client with a particular vendor. Any DHCP server configured to take action
based on a client’s vendor ID should also have this option configured.
Since option 60 is not a predefined option on a Windows DHCP server, you must
add it to the option list for the server.
AOS-W 3.1 489
User Guide
Configuring DHCP with Vendor-Specific Op-
tions
To configure option 60 on the Windows DHCP server:
1. On the DHCP server, open the DHCP server administration tool by clicking
Start > Administration Tools > DHCP.
2. Find your server and right-click on the scope to be configured under the
server name. Select Set Predefined Options.
3. In the Predefined Options and Values dialog box, click the Add button.
4. In the Option Type dialog box, enter the following information:
5. Click the OK button to save this information.
6. In the Predefined Options and Values dialog box, make sure 060 Alcatel
Access Point is selected from the Option Name drop-down list.
7. In the Value field, enter the following information:
8. Click the OK button to save this information.
Configuring Option 43
Option 43 returns the IP address of the Alcatel master WLAN Switch to an Alcatel
DHCP client. This information allows Alcatel APs to auto-discover the master
WLAN Switch and obtain their configuration.
To configure option 43 on the Windows DHCP server:
1. On the DHCP server, open the DHCP server administration tool by clicking
Start > Administration Tools > DHCP.
2. Find your server and right-click on the scope to be configured under the
server name. Click on the Scope Options entry and select Configure Options.
Name Alcatel Access Point
Data Type String
Code 60
Description Alcatel AP vendor class identifier
String Alcatel Access Point
Configuring DHCP with Vendor-Specific Options
Chapter A
490 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
3. In the Scope Options dialog box, scroll down and select 043 Vendor Specific
Info.
FIGURE A-65 Scope Options Dialog Box
4. In the Data Entry field, click anywhere in the area under the ASCII heading and
enter the following information:
5. Click the OK button to save the configuration.
Option 43 is configured for this DHCP scope. Note that even though you
entered the IP address in ASCII text, it displays in binary form.
FIGURE A-66 DHCP Scope Values
ASCII Loopback address of the master WLAN Switch
AOS-W 3.1 491
User Guide
Configuring DHCP with Vendor-Specific Op-
tions
Linux DHCP Servers
The following is an example configuration for the Linux dhcpd.conf file:
NOTE:After you enter the configuration, you must restart the DHCP service.
option serverip code 43 = ip-address;
class "vendor-class" {
match option vendor-class-identifier;
}
.
.
.
subnet 10.200.10.0 netmask 255.255.255.0 {
default-lease-time 200;
max-lease-time 200;
option subnet-mask 255.255.255.0;
option routers 10.200.10.1;
option domain-name-servers 10.4.0.12;
option domain-name "vlan10.aa.arubanetworks.com";
subclass "vendor-class" "ArubaAP" {
option vendor-class-identifier "ArubaAP";
option serverip 10.200.10.10;
}
range 10.200.10.200 10.200.10.252;
}
Configuring DHCP with Vendor-Specific Options
Chapter A
492 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 493
User Guide
External Firewall
Configuration B
In many deployment scenarios, an external firewall is situated between various
Alcatel devices. This appendix describes the network ports that need to be
configured on the external firewall to allow proper operation of the Alcatel
network. You can also use this information to configure session ACLs to apply to
physical ports on the WLAN Switch for enhanced security. This appendix does
not describe requirements for allowing specific types of user traffic on the
network.
NOTE:A WLAN Switch uses both its loopback address and VLAN addresses for
communications with other network elements. If host-specific ACLS are
used on the firewall, specify all IP addresses used on the WLAN Switch.
This appendix contains the following topics:
“Communication Between Alcatel Devices” on page 494
“Network Management Access” on page 495
“Other Communications” on page 496
External Firewall Configuration
Chapter B
494 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Communication Between Alcatel Devices
This section describes the network ports that need to be configured on the
firewall to allow proper operation of the Alcatel network.
Between any two WLAN Switches:
zIPSec (UDP ports 500 and 4500) and ESP (protocol 50)
NOTE:PAPI between a master and a local WLAN Switch is encapsulated
in IPSec in AOS-W 3.x.
zIP-IP (protocol 4) and UDP port 443 if Layer-3 mobility is enabled
zGRE (protocol 47) if tunneling guest traffic over GRE to DMZ WLAN
Switch
Between an AP and the master WLAN Switch:
zPAPI (UDP port 8211) If DNS is used for the AP to discover the LMS
WLAN Switch, the AP first attempts to connect to the master WLAN
Switch.
NOTE:Also allow DNS (UDP port 53) traffic from the AP to the DNS
server.
zPAPI (UDP port 8211) All APs running as Air Monitors (AM) require a
permanent PAPI connection to the master WLAN Switch.
Between an AP and the LMS WLAN Switch
zFTP (TCP port 20 and TCP port 21)
zTFTP (UDP port 69) for AP-52. For all other APs, if there is no local image
on the AP (for example, a brand new AP) the AP will use TFTP to retrieve
the initial image.
zNTP (UDP port 123)
zSYSLOG (UDP port 514)
zPAPI (UDP port 8211)
zGRE (protocol 47)
Between a Remote AP (IPSec) and a WLAN Switch
zNAT-T (UDP port 4500)
zTFTP (UDP port 69)
NOTE:TFTP is not needed for normal operation. If the remote AP loses
its local image for any reason, TFTP is used to download the
latest image.
AOS-W 3.1 495
User Guide
External Firewall Configuration
Chapter B
Network Management Access
This section describes the network ports that need to be configured on the
firewall to allow management of the Alcatel network.
For WebUI access between the network administrator’s computer (running a
Web browser) and a WLAN Switch:
zHTTP (TCP ports 80 and 8888) or HTTPS (TCP ports 443 and 4343)
zSSH (TCP port 22) or TELNET (TCP port 23)
For Alcatel Mobility Manager System (MMS) access between the network
administrator's computer (running a Web browser) and the MMS Server
(either the MM-100 appliance or a server running MMS software):
zHTTPS (TCP port 443)
zHTTP (TCP port 80)1
zSSH (TCP port 22) for troubleshooting
For MMS access between the MMS Server and WLAN Switches:
zSNMP (UDP ports 161 and 162)
zPAPI (UDP port 8211 and TCP port 8211)
1. Check the MMS release documentation for requirements, as this network port may not
be required for future releases.
External Firewall Configuration
Chapter B
496 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Other Communications
This section describes the network ports that need to be configured on the
firewall to allow other types of traffic in the Alcatel network. You should only
allow traffic as needed from these ports.
For logging: SYSLOG (UDP port 514) between the WLAN Switch and syslog
servers.
For software upgrade or retrieving system logs: TFTP (UDP port 69) or FTP
(TCP ports 20 and 21) between the WLAN Switch and a software distribution
server.
If the WLAN Switch is a PPTP VPN server, allow PPTP (UDP port 1723) and
GRE (protocol 47) to the WLAN Switch.
If the WLAN Switch is an L2TP VPN server, allow NAT-T (UDP port 4500),
ISAKMP (UDP port 500) and ESP (protocol 50) to the WLAN Switch.
If a third-party network management system is used, allow SNMP (UDP ports
161 and 162) between the network management system and all WLAN
Switches. If the AOS-W version is earlier than 2.5, allow SNMP traffic
between the network management system and APs.
For authentication with a RADIUS server: RADIUS (typically, UDP ports 1812
and 813, or 1645 and 1646) between the WLAN Switch and the RADIUS
server.
For authentication with an LDAP server: LDAP (UDP port 389) or LDAPS (UDP
port 636) between the WLAN Switch and the LDAP server.
For authentication with a TACACS+ server: TACACS (TCP port 49) between
the WLAN Switch and the TACACS+ server.
For NTP clock setting: NTP (UDP port 123) between all WLAN Switches and
the MMS server and the NTP server.
For packet captures: UDP port 5555 from an AP to an Ethereal packet-capture
station; UDP port 5000 from an AP to a Wildpackets packet-capture station.
For telnet access: Telnet (TCP port 23) from the network administrator's
computer to any AP if "telnet enable" is present in the "ap location 0.0.0"
section of the WLAN Switch configuration.
For External Services Interface (ESI): ICMP (protocol 1) and syslog (UDP port
514) between a WLAN Switch and any ESI servers,
For XML API: HTTP (TCP port 80) or HTTPS (TCP port 443) between a WLAN
Switch and an XML-API client.
AOS-W 3.1 497
User Guide
Alcatel System Defaults C
This appendix contains the following topics:
“Basic System Defaults” on page 498
“Firewall Defaults” on page 498
“Default Open Ports” on page 501
Alcatel System Defaults
Chapter C
498 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Basic System Defaults
The default administrator user name is admin, and the default password is also
admin.
Firewall Defaults
The AOS-W software includes prdefined network services, firewall policies, and
roles.
Network Services
The following lists the predefined network services and their protocols and ports.
svc-snmp-trap udp 162
svc-dhcp udp 67 68
svc-smb-tcp tcp 445
svc-https tcp 443
svc-ike udp 500
svc-l2tp udp 1701
svc-syslog udp 514
svc-pptp tcp 1723
svc-telnet tcp 23
svc-sccp tcp 2000
svc-tftp udp 69
svc-sip-tcp tcp 5060
svc-kerberos udp 88
svc-pop3 tcp 110
svc-adp udp 8200
svc-dns udp 53
svc-msrpc-tcp tcp 135 139
svc-rtsp tcp 554
svc-http tcp 80
svc-vocera udp 5002
svc-nterm tcp 1026 1028
svc-sip-udp udp 5060
svc-papi udp 8211
svc-ftp tcp 21
svc-natt udp 4500
svc-svp 119 0
svc-gre gre 0
svc-smtp tcp 25
AOS-W 3.1 499
User Guide
Alcatel System Defaults
Chapter C
svc-smb-udp udp 445
svc-esp esp 0
svc-bootp udp 67 69
svc-snmp udp 161
svc-icmp icmp 0
svc-ntp udp 123
svc-msrpc-udp udp 135 139
svc-ssh tcp 22
Policies
The following are predefined policies.
ip access-list session allowall
any any any permit
!
ip access-list session control
any any svc-icmp permit
any any svc-dns permit
any any svc-papi permit
any any svc-adp permit
any any svc-tftp permit
any any svc-dhcp permit
any any svc-natt permit
!
ip access-list session captiveportal
user alias mswitch svc-https permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
!
ip access-list session cplogout
user alias mswitch svc-https permit
!
ip access-list session vpnlogon
any any svc-ike permit
any any svc-esp permit
any any svc-l2tp permit
any any svc-pptp permit
any any svc-gre permit
!
ip access-list session ap-acl
any any svc-gre permit
any any svc-syslog permit
Alcatel System Defaults
Chapter C
500 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
any user svc-snmp permit
user any svc-snmp-trap permit
user any svc-ntp permit
System Roles
The following are predefined system roles.
user-role ap-role
session-acl control
session-acl ap-acl
!
user-role trusted-ap
session-acl allowall
!
user-role guest
session-acl control
session-acl cplogout
!
user-role logon
session-acl control
session-acl captiveportal
session-acl vpnlogon
AOS-W 3.1 501
User Guide
Alcatel System Defaults
Chapter C
Default Open Ports
By default, Alcatel WLAN Switches and Access Points treat ports as untrusted.
However, certain ports are open by default only on the trusted side of the
network. These open ports are listed in Table C-47 below.
TABLE C-47 Default (Trusted) Open Ports
Port
Number Protocol Where Used Description
17 TCP WLAN
Switch
This is use for certain types of VPN
clients that accept a banner (QOTD).
During normal operation, this port will
only accept a connection and
immediately close it.
21 TCP WLAN
Switch
FTP server for AP6X software
download.
22 TCP WLAN
Switch
SSH
23 TCP AP and
WLAN
Switch
Telnet is disabled by default but the port
is still open
53 UDP WLAN
Switch
Internal domain
67 UDP AP (and
WLAN
Switch if
DHCP server
is
configured)
DHCP server
68 UDP AP (and
WLAN
Switch if
DHCP server
is
configured)
DHCP client
69 UDP WLAN
Switch
TFTP
80 TCP AP and
WLAN
Switch
HTTP Used for remote packet capture
where the capture is saved on the
Access Point. Provides access to the
WebUI on the WLAN Switch.
Alcatel System Defaults
Chapter C
502 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
123 UDP WLAN
Switch
NTP
161 UDP AP and
WLAN
Switch
SNMP. Disabled by default.
443 TCP WLAN
Switch
Used internally for captive portal
authentication (HTTPS) and is exposed
to wireless users. A default self-signed
certificate is installed in the WLAN
Switch. Users in a production
environment are urged to install a
certificate from a well known CA such
as Verisign. Self-signed certs are open
to man-in-the-middle attacks and should
only be used for testing.
500 UDP WLAN
Switch
ISAKMP
514 UDP WLAN
Switch
Syslog
1701 UDP WLAN
Switch
L2TP
1723 TCP WLAN
Switch
PPTP
2300 TCP WLAN
Switch
Internal terminal server opened by telnet
soe command.
3306 TCP WLAN
Switch
Remote wired MAC lookup.
4343 TCP WLAN
Switch
HTTPS. A different port is used from
443 in order to not conflict with captive
portal. A default self-signed certificate is
installed in the WLAN Switch. Users in a
production environment are urged to
install a certificate from a well known
CA such as Verisign. Self-signed certs
are open to man-in-the-middle attacks
and should only be used for testing
4500 UDP WLAN
Switch
sae-urn
TABLE C-47 Default (Trusted) Open Ports (Continued)
Port
Number Protocol Where Used Description
AOS-W 3.1 503
User Guide
Alcatel System Defaults
Chapter C
8080 TCP WLAN
Switch
Used internally for captive portal
authentication (HTTP-proxy). Not
exposed to wireless users.
8081 TCP WLAN
Switch
Used internally for captive portal
authentication (HTTPS). Not exposed to
wireless users. A default self-signed
certificate is installed in the WLAN
Switch. Users in a production
environment are urged to install a
certificate from a well known CA such
as Verisign. Self-signed certs are open
to man-in-the-middle attacks and should
only be used for testing.
8082 TCP WLAN
Switch
Used internally for single sign-on
authentication (HTTP). Not exposed to
wireless users.
8083 TCP WLAN
Switch
Used internally for single sign-on
authentication (HTTPS). Not exposed to
wireless users.
8088 TCP WLAN
Switch
Internal
8200 UDP WLAN
Switch
Alcatel Discovery Protocol (ADP)
8211 UDP WLAN
Switch
Internal
8888 TCP WLAN
Switch
Used for HTTP access.
TABLE C-47 Default (Trusted) Open Ports (Continued)
Port
Number Protocol Where Used Description
Alcatel System Defaults
Chapter C
504 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
AOS-W 3.1 505
User Guide
Windows Client Example
Configuration for 802.1x D
This appendix provides an example configuration for a wireless client (the 802.1x
supplicant) in a Windows environment.
For detailed information about configuring computers in a Windows environment
for PEAP-MS-CHAPv2 and EAP-TLS authentication, see the Microsoft document
Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab, available
from Microsoft’s Download Center (at www.microsoft.com/downloads).
Additional information on client configuration is available at
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wificomp.ms
px#EQGAC.
Window XP Wireless Client Example
Configuration
This section shows an example of how to configure a Windows XP wireless
client using Windows XP’s Wireless Zero Configuration service.
NOTE:The following steps apply to a computer running Windows XP
Professional Version 2002 with Service Pack 2. To configure a wireless
client on other Windows platforms, see your Microsoft Windows
documentation.
1. On the desktop, right-click My Network Places and select Properties.
2. In the Network Connections window, right-click on Wireless Network
Connection and select Properties.
3. Select the Wireless Networks tab.
This screen displays the available wireless networks and the list of preferred
networks. Windows connects to the preferred networks in the order in which
they appear in the list.
Windows Client Example Configuration for 802.1x
Chapter D
506 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
FIGURE D-67 Wireless Networks
4. Click the Advanced button to display the Networks to access window.
FIGURE D-68 Networks to Access
This window determines what types of wireless networks the client can
access. By default, Windows connects to any type of wireless network.
Make sure that the option Computer-to-computer (ad hoc) networks only is
not selected. Click Close.
5. In the Wireless Networks tab, click Add to add a wireless network.
6. Click the Association tab to enter the network properties for the SSID.
AOS-W 3.1 507
User Guide
Windows Client Example Configuration for
802.1x
NOTE:This tab configures the authentication and encryption used between
the wireless client and the Alcatel Mobile Edge system. Therefore,
the settings for the SSID that you configure on the client must match
the configuration for the SSID on the WLAN Switch.
zFor an SSID using dynamic WEP, enter the following:
Network Authentication: Open
Data Encryption: WEP
Select the option “The key is provided for me automatically”. Each
client will use a dynamically-generated WEP key that is automatically
derived during the 802.1x process.
zFor an SSID using WPA, enter the following:
Network Authentication: WPA
Data Encryption: TKIP
zFor an SSID using WPA-PSK, enter the following:
Network Authentication: WPA-PSK
Data Encryption: TKIP
Enter the preshared key.
zFor an SSID using WPA2, enter the following:
Network Authentication: WPA2
Data Encryption: AES
zFor an SSID using WPA2-PSK, enter the following:
Network Authentication: WPA2-PSK
Data Encryption: AES
Enter the preshared key
NOTE:Do not select the option “This is a computer-to-computer (ad hoc)
network; wireless access points are not used”.
Figure D-69 shows the configuration for the SSID WLAN-01 which uses WPA
network authentication with TKIP data encryption.
Windows Client Example Configuration for 802.1x
Chapter D
508 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
FIGURE D-69 Wireless Network Association
7. Click the Authentication tab to enter the 802.1x authentication parameters for
the SSID.
NOTE:This tab configures the EAP type used between the wireless client
and the authentication server.
Configure the following, as shown in Figure D-70:
zSelect Enable IEEE 802.1x authentication for this network.
zSelect Protected EAP (PEAP) for the EAP type.
zSelect Authenticate as computer when computer information is available.
The client will perform computer authentication when a user is not
logged in.
zDo not select Authenticate as guest when user or computer information
is unavailable. The client will not attempt to authenticate as a guest.
AOS-W 3.1 509
User Guide
Windows Client Example Configuration for
802.1x
FIGURE D-70 Wireless Network Authentication
8. Under EAP type, select Properties to display the Protected EAP Properties
window. Configure the client PEAP properties, as shown in Figure D-71:
zSelect Validate server certificate. This instructs the client to check the
validity of the server certificate from an expiration, identity, and trust
perspective.
zSelect the trusted Certification Authority (CA) that can issue server
certificates for the network.
zSelect Secured password (EAP-MSCHAP v2) — the PEAP “inner
authentication” mechanism will be an MS-CHAPv2 password.
zSelect Enable Fast Reconnect to speed up authentication in some cases.
Windows Client Example Configuration for 802.1x
Chapter D
510 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
FIGURE D-71 Protected EAP Properties
9. Under Select Authentication Method, click Configure to display the
EAP-MSCHAPv2 Properties window. Select the option Automatically use my
Windows logon name and password (and domain if any). This option
specifies that the user’s Windows logon information is used for
authentication to the wireless network. This option allows the same logon
credentials to be used for access to the Windows domain as well as the
wireless network.
FIGURE D-72 EAP MSCHAPv2 Properties
AOS-W 3.1 511
User Guide
Internal Captive Portal E
You can customize the default captive portal page through the WebUI, as
described in Chapter 10, “Configuring Captive Portal. This appendix discusses
creating and installing a new internal captive portal page and other customization.
“Creating a New Internal Web Page” on page 512
“Installing a New Captive Portal Page” on page 514
“Displaying Authentication Error Message” on page 515
“Reverting to the Default Captive Portal” on page 516
“Language Customization” on page 516
“Customizing the Welcome Page” on page 522
“Customizing the Pop-Up box” on page 524
“Customizing the Logged Out Box” on page 525
Internal Captive Portal
Chapter E
512 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Creating a New Internal Web Page
You can also create your own web page to display.
A custom web page must include an authentication form to authenticate a user.
The authentication form can include any of the following variables:
The form can use either the "get" or the "post" methods, but the "post" method
is recommended. The form's action must absolutely or relatively reference
"https://<switch_IP>/auth/index.html/u".
You can construct an authentication form using the following HTML:
<FORM method="post" ACTION="/auth/index.html/u">
...
</FORM>
A recommended option for the <FORM> element is:
autocomplete="off" - this tells Internet Explorer. not to cache form inputs
The form variables can be input using any form control method available such as
INPUT, SELECT, TEXTAREA and BUTTON. Example HTML code follows.
Username:
Minimal:
<INPUT type="text" name="user">
Recommended Options:
accesskey="u" Sets the keyboard shortcut to 'u'
SIZE="25"Sets the size of the input box to 25
VALUE= ""Ensures no default value
Password:
Minimal:
<INPUT type="password" name="password">
Recommended Options:
accesskey="p" Sets the keyboard shortcut to 'p'
user (Required)
password (Required)
FQDN The fully-qualified domain name (this is dependent on the
setting of the WLAN Switch and is supported only in Global
Catalog Servers software
AOS-W 3.1 513
User Guide
Internal Captive Portal
Chapter E
SIZE="25"Sets the size of the input box to 25
VALUE= ""Ensures no default value
FQDN:
Minimal:
<SELECT name=fqdn>
<OPTION value="fqdn1" SELECTED>
<OPTION value="fqdn2">
</SELECT>
Recommended Options:
None.
Finally, an HTML also requires an input button:
<INPUT type="submit">
Basic HTML Example
<HTML>
<HEAD>
</HEAD>
<BODY>
<FORM method="post" autocomplete="off" ACTION="/auth/index.html/u">
Username:<BR>
<INPUT type="text" name="user" accesskey="u" SIZE="25" VALUE="">
<BR>
Password:<BR>
<INPUT type="password" name="password" accesskey="p" SIZE="25"
VALUE="">
<BR>
<INPUT type="submit">
</FORM>
</BODY>
</HTML>
You can find a more advanced example simply by using your browser’s
"view-source" function while viewing the default captive portal page.
Internal Captive Portal
Chapter E
514 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Installing a New Captive Portal Page
You can install the captive portal page by using the Maintenance function of the
WebUI.
Log into the WebUI and navigate to Maintenance > Captive Portal > Upload
Custom Login Pages.
This page lets you upload your own files to the WLAN Switch. There are different
page types that you can choose:
Captive Portal Login (top level): This type uploads the file into the WLAN
Switch and sets the captive portal page to reference the file that you are
uploading. Use with caution on a production WLAN Switch as this takes
effect immediately.
Captive Portal Welcome Page: This type uploads the file that appears after
logon and before redirection to the web URL. The display of the welcome
page can be disabled or enabled in the captive portal profile.
Content: The content page type allows you to upload all miscellaneous files
that you need to reference from your main captive portal login page. This can
be used for images, CSS files, scripts or any other file that you need to
reference. These files are uploaded into the same directory as the top level
captive portal page and thus all files can be referenced relatively.
Sygate Remediation Failure: This is used as part of the Alcatel Client Integrity
Module and is outside the scope of this appendix.
All uploaded files can also be referenced from your top-level captive portal page
using any of the following:
https://<switch_IP>/upload/<file>
/upload/<file>
<file>
AOS-W 3.1 515
User Guide
Internal Captive Portal
Chapter E
Displaying Authentication Error Message
This section contains a script that performs the following tasks:
When the user is redirected to the main captive portal login when there is
authentication failure, the redirect URL includes a query parameter "errmsg"
which java script can extract and display.
Store the originally requested URL in a cookie so that once the user has
authenticated, they are automatically redirected to its original page. Note that
for this feature to work, you need AOS-W release 2.4.2.0 or later. If you don't
want this feature, delete the part of the script shown in red.
<script>
{
function createCookie(name,value,days)
{
if (days)
{
var date = new Date();
date.setTime(date.getTime()+(days*24*60*60*1000));
var expires = "; expires="+date.toGMTString();
}
else var expires = "";
document.cookie = name+"="+value+expires+"; path=/";
}
var q = window.location.search;
var errmsg = null;
if (q && q.length > 1) {
q = q.substring(1).split(/[=&]/);
for (var i = 0; i < q.length - 1; i += 2) {
if (q[i] == "errmsg") {
errmsg = unescape(q[i + 1]);
break;
}
if (q[i] == "host") {
createCookie('url',q[i+1],0)
}
}
}
Internal Captive Portal
Chapter E
516 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
if (errmsg && errmsg.length > 0) {
errmsg = "<div id='errorbox'>\n" + errmsg + "\n</div>\n";
document.write(errmsg);
}
}
</script>
Reverting to the Default Captive Portal
You can reassign the default captive portal site using the "Revert to factory
default settings" check box in the "Upload Custom Login Pages" section of the
Maintenance tab in the WebUI.
Language Customization
The ability to customize the internal captive portal provides you with a very
flexible interface to the Alcatel captive portal system. However, other than posting
site-specific messages onto the captive portal website, the most common type of
customization is likely to be language localization. This section describes a simple
method for creating a native language captive portal implementation using the
Alcatel internal captive portal system.
1. Customize the configurable parts of the captive portal settings to your liking.
To do this, navigate to the Maintenance > Customize Captive Portal in the
WebUI:
For example, choose a page design, upload a custom logo and/or a custom
background. Also include any page text and acceptable use policy that you
would like to include. Put this in your target language or else you will need to
translate this at a later time.
Also ensure that Guest login is enabled or disabled as you prefer. Navigate to
Configuration > Authentication Methods > Captive Portal and select or
deselect "Enable Guest Login".
2. Click Submit and then click on View Captive Portal. Check that your
customization and text/html is correct, with the default interface still in
English and the character set still autodetects to ISO-8859-1.
Repeat steps 1 and 2 until you are satisfied with your page.
3. Once you have a page you find acceptable, click on View Captive Portal one
more time to display your login page. From your browser, choose
"View->Source" or its equivalent. Your system will display the HTML source
for the captive portal page. Save this source as a file on your local system.
AOS-W 3.1 517
User Guide
Internal Captive Portal
Chapter E
4. Open the file that you saved in step 3 above using a standard text editor.to
make the following changes:
A. Fix the character set. The default <HEAD>...</HEAD> section of the file
will look similar to the following:
<head>
<title>Portal Login</title>
<link href="default1/styles.css" rel="stylesheet" media="screen"
type="text/css" />
<script language="javascript" type="text/javascript">
function showPolicy() {
win = window.open("/auth/acceptableusepolicy.html", "policy",
"height=550,width=550,scrollbars=1");
}
</script>
</head>
In order to control the character set that the browser will use to show the
text with, you will need to insert the following line inside the
<HEAD>...</HEAD> element:
<meta http-equiv="Content-Type" content="text/html; charset=Shift_JIS"/>
Replace the "Shift_JIS" part of the above line with the character set that
is used by your system. In theory, any character encoding that has been
registered with IANA can be used, but you must ensure that any text you
enter uses this character set and that your target browsers support the
required character set encoding.
The final <HEAD>...</HEAD> portion of the document should look similar
to this:
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Shift_JIS"/>
<title>Portal Login</title>
<link href="default1/styles.css" rel="stylesheet" media="screen"
type="text/css" />
<script language="javascript" type="text/javascript">
function showPolicy() {
Internal Captive Portal
Chapter E
518 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
win = window.open("/auth/acceptableusepolicy.html", "policy",
"height=550,width=550,scrollbars=1");
}
</script>
</head>
B. Fix references: If you have used the built-in preferences, you will need to
update the reference for the logo image and the CSS style sheet.
To update the CSS reference, search the text for "<link href" and update
the reference to include "/auth/" in front of the reference. The original link
should look similar to the following:
<link href="default1/styles.css" rel="stylesheet" media="screen"
type="text/css" />
This should be replaced with a link like the following:
<link href="/auth/default1/styles.css" rel="stylesheet" media="screen"
type="text/css" />
The easiest way to update the image reference is to search for "src"
using your text editor and updating the reference to include "/auth/" in
front of the image file. The original link should look similar to the
following:
<img src="default1/logo.gif"/>
This should be replaced with a link like this:
<img src="/auth/default1/logo.gif"/>
C. Insert javascript to handle error cases:
When the WLAN Switch detects an error situation, it will pass the user's
page a variable called "errmsg" with a value of what the error is in
English. Currently, only "Authentication Failed" is supported as a valid
error message.
To localize the authentication failure message, replace the following text
(it is just a few lines below the <body> tag):
AOS-W 3.1 519
User Guide
Internal Captive Portal
Chapter E
<div id="errorbox" style="display: none;">
</div>
with the script below.
You will need to translate the "Authentication Failed" error message into
your local language and add it into the script below where it states:
localized_msg="...":
<script>
{
var q = window.location.search;
var errmsg = null;
if (q && q.length > 1) {
q = q.substring(1).split(/[=&]/);
for (var i = 0; i < q.length - 1; i += 2) {
if (q[i] == "errmsg") {
errmsg = unescape(q[i + 1]);
break;
}
}
}
if (errmsg && errmsg.length > 0) {
switch(errmsg) {
case "Authentication Failed":
localized_msg="Authentication Failed";
break;
default:
localised_msg=errmsg;
break;
}
errmsg = "<div id='errorbox'>\n" + localised_msg + "\n</div>\n";
document.write(errmsg);
};
}
</script>
D. Translate the web page text. Once you have made the changes as above,
you only need to translate the rest of the text that appears on the page.
The exact text that appears will depend on the WLAN Switch settings
when you originally viewed the captive portal. You will need to translate
all relevant text such as "REGISTERED USER", "USERNAME",
"PASSWORD", the value="" part of the INPUT type="submit" button and
all other text. Ensure that the character set you use to translate into is the
same as you have selected in part i) above.
Internal Captive Portal
Chapter E
520 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Feel free to edit the HTML as you go if you are familiar with HTML.
5. After saving the changes made in step 4 above, upload the file to the WLAN
Switch using the Maintenance > Upload Custom Login Pages section of the
WebUI. Choose "Captive Portal Login (top level)" and browse your local
computer for the file you saved above.
Ensure that the "Revert to factory default settings" box is NOT checked and
click Apply. This will upload the file to the WLAN Switch and set the captive
portal system to use this page as the redirection page.
In order to check that your site is operating correctly, go back to the
"Customize Login Page" and click on "View Captive Portal" button to view
the page you have uploaded. Check that your browser has automatically
detected the character set and that your text is not garbled.
To make any adjustments to your page, edit your file locally and simply
re-upload to the WLAN Switch in order to view the page again.
6. Finally, it is possible to customize the welcome page on the WLAN Switch,
however for language localization it is recommended to use an "external
welcome page" instead. This can be a web site on an external server, or it can
be a static page that is uploaded to a WLAN Switch.
You set the welcome page using the CLI command "aaa captive-portal
welcome-page <URL>". This is the page that the user will be redirected to
after a success authentication.
If this is required to be a page on the WLAN Switch, the user needs to
create their own web page (using the charset meta attribute in step 4i
above) and upload this page to the designated WLAN Switch in the same
manner as uploading the captive portal page, except using "content" as
opposed to "Captive Portal Login" under "Maintenance > Captive Portal >
Upload Login Pages". Any required CSS, Client side Script files and media
files can also be uploaded using content, however file space is limited
(check using "show memory" under "flash free" and remember to leave
ample room for system files).
NOTE:- The "Registered User" and "Guest User" sections of the login page are
implemented as graphics files, referenced by the default CSS styles. In
order to change these, you will need to create new graphic files,
download the CSS file, edit the reference to the graphics files, change the
style reference in your index file and then upload all files as "content" to
the WLAN Switch.
A sample of a translated page is show below.
AOS-W 3.1 521
User Guide
Internal Captive Portal
Chapter E
Internal Captive Portal
Chapter E
522 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Customizing the Welcome Page
Once a user has authenticated to the WLAN Switch, they are presented with the
Welcome page. The default welcome page will depend slightly on your
configuration, but will look similar to this:
You can customize this welcome page by building your own HTML page and
uploading it to the WLAN Switch. You upload it to the WLAN Switch using the
GUI under Maintenance > Captive Portal > Upload custom pages and choose
"content as the page type. This file is stored in a directory called "/upload/" in the
WLAN Switch in the file's original name.
In order to actually use this file, you will need to configure the welcome page on
the WLAN Switch. To do this use the CLI command: "aaa captive-portal
welcome-page /upload/welc.html" where "welc.html" is the name of the file that
you uploaded, or you can change this via the GUI under
Configuration->Authentication Methods->Captive-Portal->Welcome Page Login
A simple example that will create the same page as above is shown below:
<html>
<head>
<script>
{
function readCookie(name)
{
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for(var i=0;i < ca.length;i++)
{
var c = ca[i];
AOS-W 3.1 523
User Guide
Internal Captive Portal
Chapter E
while (c.charAt(0)==' ') c =
c.substring(1,c.length);
if (c.indexOf(nameEQ) == 0) return
c.substring(nameEQ.length,c.length);
}
return null;
}
var cookieval = readCookie('url');
if (cookieval.length>0) document.write("<meta
http-equiv=\"refresh\" content=\"2;url=http://"+cookieval+"\""+">");
}
</script>
</head>
<body bgcolor=white text=000000>
<font face="Verdana, Arial, Helvetica, sans-serif" size=+1>
<b>User Authenticated </b>
<p>In 2 seconds you will be automatically redirected to your original web
page</p>
<p> Press control-d to bookmark this page.</p>
<FORM ACTION="/auth/logout.html">
<INPUT type="submit" name="logout" value="Logout">
</FORM>
</font>
</body>
</html>
NOTE:If you customize the Welcome Page, then you must also customize the
Pop-Up box if you want to have one.
The part in red will redirect the user to the web page they originally requested. For
this to work, please follow the procedure described above in this document.
Internal Captive Portal
Chapter E
524 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
Customizing the Pop-Up box
In order to customize the Pop-Up box, you must first customize your Welcome
page. Once you have customized your welcome page, then you can configure
your custom page to make a pop-up box so as to enable your users to log
themselves out.
The first step is to generate the HTML that will be displayed within the pop-up
box. The default HTML is as shown:
<html>
<body bgcolor=white text=000000>
<font face="Verdana, Arial, Helvetica, sans-serif" size=+1>
<b>Logout</b></font>
<p>
<a href="/auth/logout.html"> Click to Logout </a>
</body>
</html>
If you wish your users to be able to logout using this pop-up box, then you must
include a reference to /auth/logout.html Once a user accesses this URL then the
WLAN Switch will log them out. It is easiest to simply edit the above HTML to suit
your users and then upload the resulting file to the WLAN Switch using the GUI
under Maintenance > Captive Portal > Upload custom pages and choose
"content” as the page type.
Once you have completed your HTML, then you must get the clients to create the
pop-up box once they have logged into the WLAN Switch. This is done by
inserting the following code into your welcome page text and re-uploading the
welcome page text to your WLAN Switch.
Common things to change:
URL: set the URL to be the name of the pop-up HTML file that you created
and uploaded. This should be preceded by "/upload/"
Width: set w to be the required width of the pop-up box
Height: set h to be the required height of the pop-up box
Title: set the second parameter in the window.open command to be the title
of the pop-up box. Be sure to include quotes
<script language="JavaScript">
var url="/upload/popup.html";
var w=210;
AOS-W 3.1 525
User Guide
Internal Captive Portal
Chapter E
var h=80;
var x=window.screen.width - w - 20;
var y=window.screen.height - h - 60;
window.open(url, 'logout',
"toolbar=no,location=no,width="+w+",height="+h+",top="+y+",left="+x+",scree
nX="+x+",screenY="+y);
</script>
This will let you customize your pop-up window.
Customizing the Logged Out Box
In order to customize the Logged Out box, you must first customize your
Welcome page and also your Pop-Up box. To customize the message that occurs
after you have logged out then you need to replace the URL that the pop-up box
will access in order to log out with your own HTML file.
Firstly you must write the HTML web page that will actually log out the user and
will also display page that you wish. An example page is shown below. The key
part that must be included is the <iframe>..</iframe> section. This is the part of
the HTML that actually does the user logging out. The logout is always performed
by the client accessing the /auth/logout.html file on the WLAN Switch and so it is
hidden in the html page here in order to get the client to access this page and for
the WLAN Switch to update its authentication status. If a client does not support
the iframe tag, then the text between the <iframe> and the </iframe> is used. This
is simply a 0 pixel sized image file that references /auth/logout.html. Either
method should allow the client to logout from the WLAN Switch.
Everything else can be customized.
<html>
<body bgcolor=white text=000000>
<iframe src='/auth/logout.html' width=0 height=0 frameborder=0><img
src=/auth/logout.html width=0 height=0></iframe>
<P><font face="Verdana, Arial, Helvetica, sans-serif" size=+1>
You have now logged out.</font></P>
<form> <input type="button" onclick="window.close()" name="close"
value="Close Window"></form>
</body>
Internal Captive Portal
Chapter E
526 AOS-W 3.1 032063-00 Rev A
User Guide February 2007
</html>
After writing your own HTML, then you need to ensure that your customized
pop-up box will access your new logged out file. In the pop-up box example
above, you simply replace the "/auth/logout.html" with your own file that you
upload to the WLAN Switch. For example, if your customized logout HTML is
stored in a file called "loggedout.html" then your "pop-up.html" file should
reference it like this:
<html>
<body bgcolor=white text=000000>
<font face="Verdana, Arial, Helvetica, sans-serif" size=+1>
<b>Logout</b></font>
<p>
<a href="/upload/loggedout.html"> Click to Logout </a>
</body>
</html>
AOS-W 3.1 IX-527
User Guide
Index
Numerics
802.1x authentication
configuring 185
A
access control lists 152
Access Points 24
connecting to switch 24
deploying 55
IP addresses 56
locating switches 57
thin 25
accounting
configuring 181
Adaptive Radio Management 27
adding WLAN Switches 295
Air Monitors
functions 28
shared or dedicated 28
Alcatel Discovery Protocol 25
AOS-W
functions 31
licenses 32
software modules 31
AP configuring 115
AP groups 118
AP names 116
authentication 33
authentication server
configuring timers 182
authentication server group
configuring 170
B
basic deployment 45
blacklisting clients 354
C
captive portal
changing to HTTP protocol 254
configuring 227
default page customization 259
different VLAN clients 257
per-SSID configuration 253
proxy Web server configuration 255
web client proxy script 257
captive portal page
customizing 259
care-of address 304
certificates 373
AAA FastConnect 378
importing 375
obtaining server certificate 374
SSH access 380
WebUI management 379
channel switch announcement 135
client association 39
client blacklisting 354
client mobiliity 41
Command Line Interface 42, 362
connecting switch to network 53
coverage holes 27
D
dead peer detection
configuring 271
DHCP client 65
DHCP with option 43 487
dialer
configuring 267
Domain Name Service 25
double encryption 148
Dynamic Host Configuration Protocol 25
Index
IX-528AOS-W 3.1 032063-00 Rev A
User Guide February 2007
E
encryption 35
example configuration
802.1x 196
captive portal 236
example configurations
WLANs 126
external firewall configuration 493
External Services Interface
configuring 437
syslog parser 440
F
firewall parameters 166
foreign agent 304
foreign network 304
G
Generic Routing Encapsulation tunnel 25
guest account
creating 393
H
home agent 304
home agent table 306
home network 304
I
IDS configuring 327
initial setup 50
internal database
configuring 175
IP mobility 303
K
keys, line editing 369
L
L2TP
configuring 263
LDAP server
configuring 173
licenses 32, 399
line editing keys 369
local switch 29
local WLAN Switch
configuring 298
logging
configuring 391
loopback address
configuring 71
M
MAC-based authentication
configuring 289
management authentication
configuring 180
master switch 29
mobile client 304
mobility domain 303
configuring 305
example configuration 308
Mobility Manager 42, 362, 371
N
network ports on external firewall 493
NTPconfiguring 397
O
option 43 on DHCP server 487
P
policies 152
configuring 153
port configuring 63
Power over Ethernet 28
PPPoE client 66
PPTP
configuring 266
preshared key 296
profiles
configuring 121
PSK 296
AOS-W 3.1 IX-529
User Guide
Index
Q
QoS for voice
configuring 411
R
RADIUS server
configuring 171
remote AP
configuring 137
RF Plan 55, 73
add background image, name first floor 107
add background image, name second floor 107
add/edit floors 106
create a building 104
create area
don’t care 108
don’t deploy 109
image guidelines 90
model access points 105
model air monitors 106
run RF Plan 110
run the AM plan 112
role assigning 160
configuring 156
S
self-healing 27
server derivation rules
configuring 164
server group
assigning 180
configuring 170, 177
server rules
configuring 177
server-derived role 160
site-to-site VPN
configuring 269
SNMP
configuring 381
traps 385
software licenses 399
software modules 31
source NAT 68
source NAT and dynamic VLAN 68
static route
configuring 70
T
TACACS+ server
configuring 174
timers
authentication 182
U
user derivation rules
configuring 161
user role 38
and firewall policies 38
assigning 160
configuring 156
user-derived role 160
V
virtual APs 120
VLAN 36
assignment 63
configuring 62
dynamic address 64
static address 64
Voice Services Module
features 428
VoIP
configuring for 411
VPN
configuring 261
VRRP
configuring 316
VSA-derived role 166
W
WebUI 42, 362
WLAN policy configuration 344
WLAN Switches
adding 295
connecting to network 53
initial setup 50
master and local 29
Power over Ethernet 28
Index
IX-530AOS-W 3.1 032063-00 Rev A
User Guide February 2007
X
xSecconfiguring 273
configuring for wired clients 278
configuring for wireless clients 275
configuring wireless clients 280
switch-switch communication 282

Navigation menu