Alcatel OmniAccess AP61 Dokumentacja

OmniAccessReferenceAOS-W System ReferenceTM

OmniAccess Reference: AOS-W System Referencex Part 031652-00 May 2005Configuring Captive Portal Authentication with Web UI . . . . . . . . . . . . . .

OmniAccess Reference: AOS-W System Reference78 Part 031652-00 May 2005FIGURE 5-13 LDAP Directory StructureAn entry at a given level in the directory’

Security Options 79Chapter 5and server is a TCP connection, there is a possibility for a third party to snoop the password from the connection. LDAP s

OmniAccess Reference: AOS-W System Reference80 Part 031652-00 May 2005Server Name – Specifies a human-readable name to reference the LDAP server.Host

Security Options 81Chapter 5authentication type, or the information may be learned from the authentication server through an attribute. Any attribute

OmniAccess Reference: AOS-W System Reference82 Part 031652-00 May 2005Internal Authentication DatabaseAOS-W supports an internal authentication databa

Security Options 83Chapter 5AccountingAOS-W supports standard RADIUS accounting for tracking user login/logout times. Accounting will track logins acc

OmniAccess Reference: AOS-W System Reference84 Part 031652-00 May 2005Once an authentication method has been enabled on the switch, it is automaticall

Security Options 85Chapter 5To configure 802.1x, navigate to Configuration > Security > Authentication Methods > 802.1x as shown in the figur

OmniAccess Reference: AOS-W System Reference86 Part 031652-00 May 2005Authentication Failure Timeout – After authentication fails, the 802.1x state ma

Security Options 87Chapter 5The equivalent CLI configuration for the example above is:aaa dot1x default-role "employee"aaa dot1x mode enable

xiDefining Roles Using Web UI. . . . . . . . . . . . . . 389Role Design . . . . . . . . . . . . . . . . . . . . . 389Configuring Roles. . . . . .

OmniAccess Reference: AOS-W System Reference88 Part 031652-00 May 2005VPN AuthenticationWhen the use of IPSec or PPTP is desired, Alcatel switches pro

Security Options 89Chapter 5aaa vpn-authentication auth-server Internalaaa vpn-authentication max-authentication-failures 0Captive Portal Authenticati

OmniAccess Reference: AOS-W System Reference90 Part 031652-00 May 2005Enable Guest Logon – When this option is selected, the captive portal page will

Security Options 91Chapter 5aaa captive-portal default-role "employee"aaa captive-portal guest-logonaaa captive-portal user-logonaaa captive

OmniAccess Reference: AOS-W System Reference92 Part 031652-00 May 2005Default Role – If a client is identified by MAC address, and the authentication

Security Options 93Chapter 5FIGURE 5-23 Stateful 802.1x ConfigurationAvailable configuration parameters are:Authentication Enabled – Enables or disab

OmniAccess Reference: AOS-W System Reference94 Part 031652-00 May 2005FIGURE 5-24 Stateful 802.1x AP/Server ConfigurationAvailable configuration para

Security Options 95Chapter 5FIGURE 5-25 SSID Role MappingAvailable configuration options are:Condition – Specifies how the value should be matched.Va

OmniAccess Reference: AOS-W System Reference96 Part 031652-00 May 2005bypassed, this method should always be combined with a firewall policy. To conf

Security Options 97Chapter 5Configuring VPN SettingsWhen the use of IPSec or PPTP is desired, Alcatel switches provide full VPN termination capabiliti

OmniAccess Reference: AOS-W System Referencexii Part 031652-00 May 2005AP Provisioning. . . . . . . . . . . . . . . . . . . . . . 428Plug and Play .

OmniAccess Reference: AOS-W System Reference98 Part 031652-00 May 2005FIGURE 5-27 IPSec ConfigurationAvailable configuration parameters are:Enable L2

Security Options 99Chapter 5Address Pools - IPSec tunnel endpoints are assigned IP addresses. The Alcatel switch endpoint will always use the switch

OmniAccess Reference: AOS-W System Reference100 Part 031652-00 May 2005crypto isakmp policy 10 authentication pre-sharePPTPPPTP provides an alternati

Security Options 101Chapter 5The equivalent CLI configuration for the example above is:vpdn group pptp client configuration dns 1.1.1.1 2.2.2.2 client

OmniAccess Reference: AOS-W System Reference102 Part 031652-00 May 2005As shown in the figure, two VPN dialers are currently configured. “Default-dia

Security Options 103Chapter 5Disable Wireless Devices when Client is Wired Allows the VPN dialer to detect when a wired network connection is in use.

OmniAccess Reference: AOS-W System Reference104 Part 031652-00 May 2005The equivalent CLI configuration for the example above is:vpn-dialer dialer2 e

Security Options 105Chapter 5The equivalent CLI configuration for the example above is:ip access-list session vpn-dst-nat any host 1.2.3.4 svc-ike ds

OmniAccess Reference: AOS-W System Reference106 Part 031652-00 May 2005To add the new condition, click Apply.SecureID Token CachingSecureID Token Cach

Security Options 107Chapter 5Adding IPSec Transform SetsTo create IPSec transform sets, click Add. The Add Transform Set screen appears.where:To add t

xiiiConfiguring IPSec Using the CLI . . . . . . . . . . . . 516Configuring PPTP Using the CLI . . . . . . . . . . . . 517Configuring the VPN Diale

OmniAccess Reference: AOS-W System Reference108 Part 031652-00 May 2005where:To apply the new firewall settings, click Apply. Parameter DescriptionMon

Security Options 109Chapter 5Advanced Security OptionsService AliasesService aliases aid in policy configuration by applying a human-readable label to

OmniAccess Reference: AOS-W System Reference110 Part 031652-00 May 2005Service Name – A human-readable name to identify the service alias. Default ser

Security Options 111Chapter 5User – When a traffic policy containing the “user” alias is applied to an authenticated user, this alias is replaced by t

OmniAccess Reference: AOS-W System Reference112 Part 031652-00 May 2005Source/destination aliases contain one or more IP addresses or ranges of IP add

Security Options 113Chapter 5Time RangeTo define a time range select Configuration > Security > Advanced > Time Range. The Time Range screen

OmniAccess Reference: AOS-W System Reference114 Part 031652-00 May 2005EncryptionEncrypting the transmitted data is only one part of the security proc

Security Options 115Chapter 5IPSec IP was originally developed within a highly restricted, secure network. Therefore, IP did not have security feature

OmniAccess Reference: AOS-W System Reference116 Part 031652-00 May 2005The PSK mode uses a pre-shared key (password) which is shared by all clients on

Security Options 117Chapter 5z CHAPz UNIX Loginz OthersRADIUS authentication is based on the exchange of shared secrets between a client and the authe

OmniAccess Reference: AOS-W System Referencexiv Part 031652-00 May 2005Wireless LAN Monitoring . . . . . . . . . . . . . . . . 576Debug Information

OmniAccess Reference: AOS-W System Reference118 Part 031652-00 May 2005z Microsoft Windows Mobile 203/CE 4.2 with built-in L2TP/IPSec VPN sup-port (PD

Security Options 119Chapter 5If you have a proxy server:z Navigate to Settings > Connections > Set up my proxy server.z Follow the on-screen ins

OmniAccess Reference: AOS-W System Reference120 Part 031652-00 May 2005

121PartSwitch Configuration3

OmniAccess Reference: AOS-W System Reference122 Part 031652-00 May 2005

Common Tasks 123CHAPTER 6Common TasksBasic Network ConfigurationVLANsVirtual Local Area Networks (VLANs) are used to divide LAN traffic into manageabl

OmniAccess Reference: AOS-W System Reference124 Part 031652-00 May 2005Provide a routing interface for the VLAN.Set the DHCP server for relaying DHCP

Common Tasks 125Chapter 6Set the port for access to the VLAN.Define whether the port is trusted (LAN) or untrusted (wireless).If connected to the trus

OmniAccess Reference: AOS-W System Reference126 Part 031652-00 May 2005z max-age <interval>Set the spanning tree maximum age interval.z priority

Common Tasks 127Chapter 6Save any current configuration changes.Determine the name of the current configuration file.In this example, default.cfg is t

xvNetwork Utilities . . . . . . . . . . . . . . . . . . . . . 627Ping . . . . . . . . . . . . . . . . . . . . . . . . . . 627Traceroute . . . . .

OmniAccess Reference: AOS-W System Reference128 Part 031652-00 May 2005For example:Here, the configuration file is downloaded to a TFTP server with IP

Common Tasks 129Chapter 6Upgrading the AOS-W SoftwareThe Alcatel AOS-W software can be upgraded as new releases become available.Obtain a valid Alcate

OmniAccess Reference: AOS-W System Reference130 Part 031652-00 May 2005Use the following command to check the memory partitions:In this example, parti

Common Tasks 131Chapter 6Verify that the new image is loaded.Use the following command to check the memory partitions:In this example, the new image c

OmniAccess Reference: AOS-W System Reference132 Part 031652-00 May 2005When the boot process is complete, verify the upgrade.In this example, Version

Common Tasks 133Chapter 6Reset Configuration to DefaultsUnder some conditions, like when reassigning a switch to a new environment, it may be helpful

OmniAccess Reference: AOS-W System Reference134 Part 031652-00 May 2005

Air Management 135CHAPTER 7Air ManagementThis chapter explains the main elements of wireless intrusion prevention.Alcatel Access Points (AP60, AP61, a

OmniAccess Reference: AOS-W System Reference136 Part 031652-00 May 2005Wireless LAN ClassificationThe WMS continually monitors wireless traffic to det

Air Management 137Chapter 7Wireless Client Station ClassificationsA wireless client station (STA) is classified as one of the following: z Valid STA (

OmniAccess Reference: AOS-W System Referencexvi Part 031652-00 May 2005aaa Commands . . . . . . . . . . . . . . . . . . . . . . 675aaa xml-api client

OmniAccess Reference: AOS-W System Reference138 Part 031652-00 May 2005Wired-Side MAC AddressesIf an AM is segregated from the LAN (by a firewall for

Air Management 139Chapter 7z Valid channel list for 802.11a channels:z Valid channel list for 802.11b channels:z SSID list:Enabling the PolicyOnce the

OmniAccess Reference: AOS-W System Reference140 Part 031652-00 May 2005Enabling the PolicyOnce the reserved channels are defined, the protection polic

Air Management 141Chapter 7Use the following commands to configure watermarks.z To set high and low watermarks for number of users per AP:z To set hig

OmniAccess Reference: AOS-W System Reference142 Part 031652-00 May 2005STA Impersonation Detection If the AM detects two stations with the same MAC ad

Air Management 143Chapter 7Global PoliciesWeak WEPIf the AM detects a station or AP encrypting 802.11 frames with weak WEP, a syslog event is generate

OmniAccess Reference: AOS-W System Reference144 Part 031652-00 May 2005generated. No new events are generated until the statistic value falls below th

Air Management 145Chapter 7z Poll intervalThis defines the interval in milliseconds for communication between the Alcatel Wireless LAN Switch and the

OmniAccess Reference: AOS-W System Reference146 Part 031652-00 May 2005z Laser beam debugWhen an AM generates a laser beam, it impersonates an AP or w

Air Management 147Chapter 7On the Alcatel Wireless LAN switch, configure the AM to send captured packets to the monitoring client station.NOTE—The Air

xviishutdown . . . . . . . . . . . . . . . . . . . . . . 774site-survey . . . . . . . . . . . . . . . . . . . . . . 774snmp-server . . . . . . .

OmniAccess Reference: AOS-W System Reference148 Part 031652-00 May 2005In the capture window, the absolute time stamps that are displayed corre-spond

Air Management 149Chapter 7Additional information TBC.

OmniAccess Reference: AOS-W System Reference150 Part 031652-00 May 2005

802.1x Client Setup 151CHAPTER 8802.1x Client SetupThis chapter describes how to configure your wireless client station for 802.1x authentication usin

OmniAccess Reference: AOS-W System Reference152 Part 031652-00 May 2005PEAP or TLS for Windows 2000Prepare the Operating SystemInstall Windows 2000 wi

802.1x Client Setup 153Chapter 8If necessary, enable the Wireless Configuration service for auto-matic startup.If the Wireless Configuration item in t

OmniAccess Reference: AOS-W System Reference154 Part 031652-00 May 2005Select the Wireless Network Connection properties.From the Windows Start menu,

802.1x Client Setup 155Chapter 8Configure the Association attributes.In the Wireless network properties window, select the Association tab and set the

OmniAccess Reference: AOS-W System Reference156 Part 031652-00 May 2005Configure the Authentication attributes.NOTE—To configure settings on the Authe

802.1x Client Setup 157Chapter 8Configure the Authentication Properties.Click on the Properties button. Depending on the authentication type selected,

OmniAccess Reference: AOS-W System Referencexviii Part 031652-00 May 2005Local Database Commands . . . . . . . . . . . . . . . 853VPN Commands . . .

OmniAccess Reference: AOS-W System Reference158 Part 031652-00 May 2005For EAP-PEAP authentication, set the following:z Enable Fast Reconnect: This en

802.1x Client Setup 159Chapter 8The wireless client station adapter should now use EAP authentication and the following type of message appears:This m

OmniAccess Reference: AOS-W System Reference160 Part 031652-00 May 2005PEAP or TLS for Windows XPNOTE—If using Cisco-PEAP with Windows XP, see the ins

802.1x Client Setup 161Chapter 8Select the Access Point for association.zIn the Network Connections window, right-click on the Wireless Network Connec

OmniAccess Reference: AOS-W System Reference162 Part 031652-00 May 2005Cisco-PEAP for Windows XPPresently, only EAP-PEAP is supported with the Cisco A

802.1x Client Setup 163Chapter 8From the Start menu, select Control Panel | Administrative Tools | Services.In the Services window, locate and double-

OmniAccess Reference: AOS-W System Reference164 Part 031652-00 May 2005On the General properties tab, set the Startup type to Auto-matic.If necessary,

802.1x Client Setup 165Chapter 8Specify the System Parameters.On the System Parameters tab, specify the following:z Client Name: Specify the name of t

OmniAccess Reference: AOS-W System Reference166 Part 031652-00 May 2005Specify the Network Security parameters.On the Network Security tab, specify th

802.1x Client Setup 167Chapter 8Configure the Wireless Network ConnectionEnable the Wireless Network Connection.From the Windows Start menu, select Co

Preface xixPrefaceThis preface includes the following information:z An overview of the sections in this manualz A list of related documentation for fu

OmniAccess Reference: AOS-W System Reference168 Part 031652-00 May 2005Select the Access Point for association.zIn the Network Connections window, rig

802.1x Client Setup 169Chapter 8Configure the Association attributes.In the Wireless network properties window, select the Association tab and set the

OmniAccess Reference: AOS-W System Reference170 Part 031652-00 May 2005Configure the Authentication attributes.NOTE—To configure settings on the Authe

802.1x Client Setup 171Chapter 8Configure the Authentication Properties.On the Authentication tab, click on the Properties button and set the followin

OmniAccess Reference: AOS-W System Reference172 Part 031652-00 May 2005z Second Phase EAP Type: Select the Generic Token Card option and click on prop

802.1x Client Setup 173Chapter 8z Static Password:z OTP:For OTP, select either the Hardware Token or Software Token option. If you select Software Tok

OmniAccess Reference: AOS-W System Reference174 Part 031652-00 May 2005In some cases, the following type of message appears:This message indicates the

Basic Switch Configuration 175CHAPTER 9Basic Switch ConfigurationThis chapter explains how to configure the Alcatel Wireless LAN switch using the AOS-

OmniAccess Reference: AOS-W System Reference176 Part 031652-00 May 2005To set the switch role from the CLI, use the command masterip from configuratio

Basic Switch Configuration 177Chapter 9 ip address 10.1.1.1Mobility ConfigurationTo enable mobility, select the Enable Mobility checkbox.FIGURE

OmniAccess Reference: AOS-W System Referenceii Part 031652-00 May 2005CopyrightCopyright © 2005 Alcatel Internetworking, Inc. All rights reserved.Spec

OmniAccess Reference: AOS-W System Referencexx Part 031652-00 May 2005Related DocumentsThe following items are part of the complete documentation for

OmniAccess Reference: AOS-W System Reference178 Part 031652-00 May 2005FIGURE 9-4 VLAN ConfigurationTo enable mux ports in the CLI, enter commands in

Basic Switch Configuration 179Chapter 9navigate to Configuration > Switch > General and specify them in the MUX VLANs section. In the example be

OmniAccess Reference: AOS-W System Reference180 Part 031652-00 May 2005Setting the 802.11d Regulatory DomainThe 802.11d regulatory domain controls whi

Basic Switch Configuration 181Chapter 9FIGURE 9-8 NTP ConfigurationThe equivalent CLI configuration for the example above is:ntp server 172.16.1.25NO

OmniAccess Reference: AOS-W System Reference182 Part 031652-00 May 2005FIGURE 9-9 Port Selection OptionsPorts may be selected based on their administ

Basic Switch Configuration 183Chapter 9To select multiple ports from the CLI, enter commands in the form:interface range FastEthernet 2/12-23This will

OmniAccess Reference: AOS-W System Reference184 Part 031652-00 May 2005Port Mode – Sets the mode of the port with respect to VLAN tagging. If the port

Basic Switch Configuration 185Chapter 9VLAN 1 is the default VLAN. All ports are part of VLAN 1 until configured otherwise. VLAN 1 cannot be deleted.V

OmniAccess Reference: AOS-W System Reference186 Part 031652-00 May 2005FIGURE 9-13 Adding a New VLANThe equivalent CLI configuration for the example

Basic Switch Configuration 187Chapter 9FIGURE 9-14 TunnelsTo create a tunnel, click Add and define the tunnel.IP Route ConfigurationAlcatel AOS-W sup

Preface xxiContacting AlcatelWeb SiteTelephone Numbers<Arguments> In the command examples, italicized text within angle brackets represents item

OmniAccess Reference: AOS-W System Reference188 Part 031652-00 May 2005VRRP ConfigurationAOS-W 2.2 supports redundant switch configurations using Virt

Basic Switch Configuration 189Chapter 9Description – An optional description of the VRRP instance that can be used for administrator convenience.IP Ad

OmniAccess Reference: AOS-W System Reference190 Part 031652-00 May 2005The figure below shows a sample VRRP configuration. In this example, the switch

Basic Switch Configuration 191Chapter 92. Follow the rules of operation below.Rules of Operating a Virtual Switch1. When a single SC is present in the

OmniAccess Reference: AOS-W System Reference192 Part 031652-00 May 2005When the reset button is pushed on a SC, it will reset the SC and only the line

Basic Switch Configuration 193Chapter 9FIGURE 9-19 VLAN Pool ConfigurationA different DHCP pool must be created for each IP subnet for which DHCP ser

OmniAccess Reference: AOS-W System Reference194 Part 031652-00 May 2005ip dhcp pool vlan26-pool default-router 10.26.1.1 dns-server 192.168.1.10 domai

802.1x Configuration 195CHAPTER 10802.1x ConfigurationIntroductionThis chapter will explain the process of configuring the server for 802.1x and using

OmniAccess Reference: AOS-W System Reference196 Part 031652-00 May 2005Definitions and Common AbbreviationsAuthentication serverAn entity that provide

802.1x Configuration 197Chapter 10PEAP(Protected EAP) is an authentication protocol that uses TLS to enhance the security of other EAP authentication

OmniAccess Reference: AOS-W System Referencexxii Part 031652-00 May 2005

OmniAccess Reference: AOS-W System Reference198 Part 031652-00 May 2005NOTE—To configure an SSID to support 802.1x, set its opmode to dynamicWep or dy

802.1x Configuration 199Chapter 10Enter Configuration commands, one per line. End with CNTL Z.NOTE—The command reference for this action may be found

OmniAccess Reference: AOS-W System Reference200 Part 031652-00 May 2005Assigning a Server to 802.1x AuthenticationEach instance of a RADIUS server, as

802.1x Configuration 201Chapter 10Assigning Default RolesA role is a broad classification of users and is associated with a specific set of permission

OmniAccess Reference: AOS-W System Reference202 Part 031652-00 May 2005Specify any for the source, destination, and port parameters and permit for the

802.1x Configuration 203Chapter 10Verify that the authorization server and default roles were correctly assigned.Ty p e show aaa dot1x <Enter>

OmniAccess Reference: AOS-W System Reference204 Part 031652-00 May 2005Configuring the 802.1x State MachineDot1x CLI CommandsThis section describes th

802.1x Configuration 205Chapter 10Dot1x serverThe dot1x server commands are used for setting the back-end authentication server configuration.dot1x se

OmniAccess Reference: AOS-W System Reference206 Part 031652-00 May 2005dot1x timeout quiet-period <quiet period>The state machine enters a quiet

802.1x Configuration 207Chapter 10802.1x Show CommandsThis sections describes the show commands applicable to 802.1x.show dot1x configThe show dot1x c

1PartOverview1

OmniAccess Reference: AOS-W System Reference208 Part 031652-00 May 2005show dot1x ap-tableThe show dot1x ap-table command and its variants display inf

802.1x Configuration 209Chapter 10z User Namez Authentication Status (yes/no)z AP MACz Encryption Keyz Authorization Modez EAP typeshow dot1x supplica

OmniAccess Reference: AOS-W System Reference210 Part 031652-00 May 2005show aaa dot1xThe show aaa dot1x commands displays which servers are configured

802.1x Configuration 211Chapter 10Debug CommandsThe commands in this section are used for debugging the authentication module. Debugging is accomplish

OmniAccess Reference: AOS-W System Reference212 Part 031652-00 May 2005RF Deauthentication DebuggingUsing Alcatel Air Management features, Alcatel APs

802.1x Configuration 213Chapter 10certificate. The client’s certificate is then verified against the CA certificate of the authority which issued it (

OmniAccess Reference: AOS-W System Reference214 Part 031652-00 May 2005Obtaining A Certification Authority (CA) CertificateCA Certificates are obtaine

802.1x Configuration 215Chapter 10Select the Retrieve the CA Certificate or certificate revocation list option, then click Next. The following screen

OmniAccess Reference: AOS-W System Reference216 Part 031652-00 May 2005You may receive one or both of the following warnings. In either case click Ye

802.1x Configuration 217Chapter 10Obtaining a Server CertificateThe following steps will guide you through the process of obtaining and installing an

OmniAccess Reference: AOS-W System Reference2 Part 031652-00 May 2005

OmniAccess Reference: AOS-W System Reference218 Part 031652-00 May 2005Select the Request a certificate option, then click Next.The web page below sho

802.1x Configuration 219Chapter 10The following web page should appear in your browser window.

OmniAccess Reference: AOS-W System Reference220 Part 031652-00 May 2005Select the Submit a certificate request to this CA using a form option, then cl

802.1x Configuration 221Chapter 10The web page form below should appear in your browser window.Enter the following information in the Identity Informa

OmniAccess Reference: AOS-W System Reference222 Part 031652-00 May 2005Select Server Authentication Server Certificate under the Intended Purpose sect

802.1x Configuration 223Chapter 10The web page shown below should appear in your browser window.Click the Install this certificate button.You may see

OmniAccess Reference: AOS-W System Reference224 Part 031652-00 May 2005Obtaining a Client CertificateThe following steps will guide you through the pr

802.1x Configuration 225Chapter 10Select the Request a certificate option, then click Next.The web page below should appear in your browser window.Sel

OmniAccess Reference: AOS-W System Reference226 Part 031652-00 May 2005The following web page should appear in your browser window.

802.1x Configuration 227Chapter 10Select the Submit a certificate request to this CA using a form option, then click Next.You may receive one of the

Overview 3CHAPTER 1OverviewThe AOS-W 2.2 Interface Reference is organized by product feature for the Alcatel Wireless LAN switches and access points.

OmniAccess Reference: AOS-W System Reference228 Part 031652-00 May 2005The web page form below should appear in your browser window.Enter the followin

802.1x Configuration 229Chapter 10Select Server Authentication Server Certificate under the Intended Purpose section.Set the following options under t

OmniAccess Reference: AOS-W System Reference230 Part 031652-00 May 2005The web page shown below should appear in your browser window.Click the Install

802.1x Configuration 231Chapter 10Configuration using Pocket PC Embedded Supplicant Export Trusted Certification Authority The first step in enabling

OmniAccess Reference: AOS-W System Reference232 Part 031652-00 May 2005To install the certificate authority, simply tap on the certificate file. The s

802.1x Configuration 233Chapter 10Configuration of the Funk Odyssey client can be performed either on the host PC or on the Pocket PC device. All perm

OmniAccess Reference: AOS-W System Reference234 Part 031652-00 May 2005The second and more secure method specifies the domain name of the authenticati

802.1x Configuration 235Chapter 10Captive Portal Certificates with Intermediate CAsTo install certificates for captive portal installations that have

OmniAccess Reference: AOS-W System Reference236 Part 031652-00 May 2005

802.1x Solution Cookbook 237CHAPTER 11802.1x Solution CookbookThis chapter describes the theory, configuration, and operation of a wireless network ba

OmniAccess Reference: AOS-W System Reference4 Part 031652-00 May 2005Enhanced Location ServicesAOS-W 2.2 adds more precise position tracking of wirele

OmniAccess Reference: AOS-W System Reference238 Part 031652-00 May 2005802.1x authentication based on PEAP is used to provide both computer and user a

802.1x Solution Cookbook 239Chapter 11a The laptop searches for the wireless ESSID “Wireless LAN-01”, chooses the AP with the best signal strength, an

OmniAccess Reference: AOS-W System Reference240 Part 031652-00 May 2005The IAS server has also been configured to transmit an RADIUS attribute called

802.1x Solution Cookbook 241Chapter 11a The laptop will transmit an EAPOL-Start message to the Alcatel switch. The Alcatel switch will then proceed wi

OmniAccess Reference: AOS-W System Reference242 Part 031652-00 May 2005authentication takes place when a user is not logged in to the laptop, the comp

802.1x Solution Cookbook 243Chapter 11netdestination district-network network 10.0.0.0 255.0.0.0 network 172.16.0.0 255.255.0.0 Student Policy The pol

OmniAccess Reference: AOS-W System Reference244 Part 031652-00 May 2005Printer Policy The following policy is used for the printer role. It restricts

802.1x Solution Cookbook 245Chapter 11user-role computer session-acl allowall ! user-role guest session-acl guest bandwidth-contract guest-1M Authenti

OmniAccess Reference: AOS-W System Reference246 Part 031652-00 May 2005802.1x Configuration The following statements enable 802.1x authentication. It

802.1x Solution Cookbook 247Chapter 11! interface vlan 60 ip address 10.1.60.1 255.255.255.0 ip helper-address 10.1.1.25 ! interface vlan 61 ip addres

Overview 5Chapter 1provides the ability to enable local probe responses for remotely connected APs. This feature may be configured under the Wireless

OmniAccess Reference: AOS-W System Reference248 Part 031652-00 May 2005staticWep deny-bcast enable virtual-ap “Guest” vlan-id 63 opmode opensystem den

802.1x Solution Cookbook 249Chapter 11Windows Group Membership Configuration The authentication policy configured in IAS depends on the group membersh

OmniAccess Reference: AOS-W System Reference250 Part 031652-00 May 2005z The encryption type is WEP z Open authentication should be used (this refers

802.1x Solution Cookbook 251Chapter 11Microsoft Internet Authentication Server Configuration Microsoft Internet Authentication Server (IAS) provides a

OmniAccess Reference: AOS-W System Reference252 Part 031652-00 May 2005z The Wireless-Student policy matches the “Student” group. z The Wireless-Facul

802.1x Solution Cookbook 253Chapter 11Advanced Attributes One of the principles in this network is that the Alcatel switch will restrict network acces

OmniAccess Reference: AOS-W System Reference254 Part 031652-00 May 2005z Specifies the EAP type as PEAP z Clients will not attempt to authenticate as

802.1x Solution Cookbook 255Chapter 11In the management console, select File > Add/Remove Snap-in. Select the Certificates snap-in. Typically, a tr

OmniAccess Reference: AOS-W System Reference256 Part 031652-00 May 2005If the appropriate ESSID is not already shown in the list, add it by selecting

Switch Management Configuration 257CHAPTER 12Switch Management ConfigurationThis Chapter discusses how to use the various management features of Alcat

OmniAccess Reference: AOS-W System Reference6 Part 031652-00 May 2005If no DNS information is available, the AP will begin using Alcatel Discovery Pro

OmniAccess Reference: AOS-W System Reference258 Part 031652-00 May 2005Navigate to the Configuration > Management > SNMP page. Add system inform

Switch Management Configuration 259Chapter 12Click Add in the Trap Receivers section of the SNMP page.The Add Host page appears on the screen.Enter th

OmniAccess Reference: AOS-W System Reference260 Part 031652-00 May 2005NOTE—The console will revert to the immediate (non-privileged mode) when you ch

Switch Management Configuration 261Chapter 12Configuring Administrative Access Using Web UIAOS-W allows different levels of access for administrative

OmniAccess Reference: AOS-W System Reference262 Part 031652-00 May 2005Navigate to the Configuration > Management > Access Control page.You can

Switch Management Configuration 263Chapter 12Adding and Editing Management UsersAdding and editing users is accomplished in the Management Users secti

OmniAccess Reference: AOS-W System Reference264 Part 031652-00 May 2005Adding and Editing Management RolesAdd or edit Management Role by clicking Add

Switch Management Configuration 265Chapter 12Adding and Changing Administrative Access Using the CLIViewing Management UsersYou may view currently con

OmniAccess Reference: AOS-W System Reference266 Part 031652-00 May 2005Viewing Management RolesYou may view currently configured management roles and

Switch Management Configuration 267Chapter 12Adding Auth ServersLoggingThe logging feature in Alcatel AOS-W allows permanent system logs to be stored

Overview 7Chapter 1 option serverip 10.1.1.10; } range 10.200.10.200 10.200.10.252;}To configure Microsoft’s DHCP server for this feature:1

OmniAccess Reference: AOS-W System Reference268 Part 031652-00 May 2005Configuring Logging Using Web UIBegin configuring logging servers by navigating

Switch Management Configuration 269Chapter 12Enter the address of a logging server and click the Add button next to the text field.Select a check box

OmniAccess Reference: AOS-W System Reference270 Part 031652-00 May 2005Configuring Logging Using The CLIAdding A Logging ServerAdd a logging server us

Switch Management Configuration 271Chapter 12Viewing Current Logging LevelsView the current logging levels using the show logging level command from t

OmniAccess Reference: AOS-W System Reference272 Part 031652-00 May 2005

Wireless LAN Configuration 273CHAPTER 13Wireless LAN ConfigurationThis chapter discussed how to configure all the standard 802.11 features of an Alcat

OmniAccess Reference: AOS-W System Reference274 Part 031652-00 May 2005FIGURE 13-1 SSID Configuration The first SSID configured is primary and can be

Wireless LAN Configuration 275Chapter 13Radio Type – SSIDs may appear on only 802.11a radios, only 802.11b/g radios or on both types of radios.SSID De

OmniAccess Reference: AOS-W System Reference276 Part 031652-00 May 2005The 802.1x framework also allows the encryption key to be rotated at specific i

Wireless LAN Configuration 277Chapter 13The equivalent CLI configuration to add the SSID shown above is:ap location 0.0.0 phy-type a virtual-ap "

iiiPreface xixAn Overview of this Manual . . . . . . . . . . . . . . . xixRelated Documents . . . . . . . . . . . . . . . . . . . . xxText Conven

OmniAccess Reference: AOS-W System Reference8 Part 031652-00 May 20052. From a command prompt, enter:c:\>netshnetsh>dhcpnetsh dhcp>server \\&

OmniAccess Reference: AOS-W System Reference278 Part 031652-00 May 2005FIGURE 13-4 TKIP Configuration If PSK TKIP is selected, fill in the pre-shared

Wireless LAN Configuration 279Chapter 13NOTE—AOS-W versions 2.4.0.0 and later support different staticWep and stat-icTkip keys per SSID. In earliers r

OmniAccess Reference: AOS-W System Reference280 Part 031652-00 May 2005FIGURE 13-7 802.11b and g Radio ParametersFIGURE 13-8 802.11a Radio Parameter

Wireless LAN Configuration 281Chapter 13NOTE—Note: These parameters affect all APs in the network, unless a more specific configuration applies. Confi

OmniAccess Reference: AOS-W System Reference282 Part 031652-00 May 2005Default Channel – Sets the default channel on which the AP will operate, unless

Wireless LAN Configuration 283Chapter 13deny Deny wireless access according to timerange argumentdeny-bcast enable to

OmniAccess Reference: AOS-W System Reference284 Part 031652-00 May 2005telnet Enable or disable telnet to the APtx-power

Wireless LAN Configuration 285Chapter 13configuration section. To view or modify location-based configuration, navigate to Configuration > Wireless

OmniAccess Reference: AOS-W System Reference286 Part 031652-00 May 2005FIGURE 13-10 Location 2.0.0 ConfigurationAssuming that the same change is made

Wireless LAN Configuration 287Chapter 13FIGURE 13-11 Advanced Wireless LAN ConfigurationClick Add to display the four categories of advanced Wireless

Management Options 9CHAPTER 2Management OptionsAOS-W provides a number of methods for managing your Alcatel Wireless LAN Switch.Command-Line Interface

OmniAccess Reference: AOS-W System Reference288 Part 031652-00 May 2005FIGURE 13-12 General Wireless LAN Settings

Radio Resource Management 289CHAPTER 14Radio Resource ManagementThis chapter discusses the process of configuring the Radio Resource Management featur

OmniAccess Reference: AOS-W System Reference290 Part 031652-00 May 2005process allows the Alcatel switch to build an RF-based map of the network topol

Radio Resource Management 291Chapter 14FIGURE 14-3 Calibration Results The equivalent CLI command to perform calibration is “site-survey calibrate”.O

OmniAccess Reference: AOS-W System Reference292 Part 031652-00 May 2005Maximum neighbors to participate in self-healing – The maximum number of neighb

Radio Resource Management 293Chapter 14FIGURE 14-5 Load Balancing Configuration Available parameters are:Enable Load Balancing – Enables or disables

OmniAccess Reference: AOS-W System Reference294 Part 031652-00 May 2005The equivalent CLI configuration for the above example is:ap-policy ap-load-bal

Radio Resource Management 295Chapter 14DoS Client Block Time – Specifies the number of seconds a client will be quarantined from the network after a d

OmniAccess Reference: AOS-W System Reference296 Part 031652-00 May 2005FIGURE 14-7 Coverage Hole Detection Other than enabling or disabling the featu

Radio Resource Management 297Chapter 14stm poor-rssi-threshold 10stm hole-detection-interval 120stm good-sta-ageout 30stm idle-sta-ageout 90Interferen

OmniAccess Reference: AOS-W System Reference10 Part 031652-00 May 2005z Configure and manage wireless intrusion prevention and performance poli-ciesz

OmniAccess Reference: AOS-W System Reference298 Part 031652-00 May 2005wms global-policy detect-interference disable global-policy interference-inc-th

Radio Resource Management 299Chapter 14FIGURE 14-9 Event Threshold ConfigurationTo disable detection for any parameter, set the value to 0. Available

OmniAccess Reference: AOS-W System Reference300 Part 031652-00 May 2005Frame Error Rate High Watermark – If the frame error rate, as a percentage of t

Radio Resource Management 301Chapter 14Frame Retry Rate Low Watermark – After a frame retry rate exceeded condition exists, the condition will persist

OmniAccess Reference: AOS-W System Reference302 Part 031652-00 May 2005FIGURE 14-10 RF Management Advanced ParametersThe advanced parameters are:AP A

Radio Resource Management 303Chapter 14Station Scan Inactivity– TBC.Enable Statistics Update in DB– TBC:auto-rra scan-interval 10auto-rra scan-time 11

OmniAccess Reference: AOS-W System Reference304 Part 031652-00 May 2005

Intrusion Detection Configuration 305CHAPTER 15Intrusion Detection ConfigurationThis chapter discusses the various kinds of intrusion and Wireless LAN

OmniAccess Reference: AOS-W System Reference306 Part 031652-00 May 2005Network discovery is a normal part of 802.11, and allows client devices to disc

Intrusion Detection Configuration 307Chapter 15Rogue APRogue APs represent perhaps the largest threat to enterprise network security because they bypa

Management Options 11Chapter 2z Page Tree–Each tool has its own information or configuration pages and sub-pages.The page tree lists all of the pages

OmniAccess Reference: AOS-W System Reference308 Part 031652-00 May 2005Mark All New APs as Valid – When installing an Alcatel switch in an environment

Intrusion Detection Configuration 309Chapter 15FIGURE 15-2 Rate Analysis Configuration Configuration is divided into two sections: Channel thresholds

OmniAccess Reference: AOS-W System Reference310 Part 031652-00 May 2005 ids-policy rate-frame-type-param assoc channel-quiet-time 900 ids-policy rate-

Intrusion Detection Configuration 311Chapter 15To configure detection of FakeAP, navigate to Configuration > Wireless LAN Intrusion Detection >

OmniAccess Reference: AOS-W System Reference312 Part 031652-00 May 2005Such an attack also enables other attacks that can learn a user’s authenticatio

Intrusion Detection Configuration 313Chapter 15FIGURE 15-5 Detect Station Disconnection Configuration parameters are:Enable Disconnect Station Analys

OmniAccess Reference: AOS-W System Reference314 Part 031652-00 May 2005FIGURE 15-7 EAP Handshake Analysis Configuration parameters are:Enable EAP Han

Intrusion Detection Configuration 315Chapter 15FIGURE 15-8 Sequence Number AnalysisConfiguration parameters are:Enable Sequence Number Discrepancy Ch

OmniAccess Reference: AOS-W System Reference316 Part 031652-00 May 2005FIGURE 15-9 AP Impersonation ProtectionConfiguration parameters are:Enable AP

Intrusion Detection Configuration 317Chapter 15FIGURE 15-10 Signature Analysis Configuration parameters are:Enable Signature Analysis – Enables and d

OmniAccess Reference: AOS-W System Reference12 Part 031652-00 May 2005z Check Boxes–Represented as small squares in front of the item text. These fiel

OmniAccess Reference: AOS-W System Reference318 Part 031652-00 May 2005Null-Probe-Response - An attack with the potential to crash or lock up the firm

Intrusion Detection Configuration 319Chapter 15Adding New SignaturesTo add new signatures, click the Add button. The Add IDS Signature screen is shown

OmniAccess Reference: AOS-W System Reference320 Part 031652-00 May 2005Wireless LAN PoliciesAd-hoc Network ProtectionAs far as network administrators

Intrusion Detection Configuration 321Chapter 15Wireless Bridge DetectionWireless bridges are normally used to connect multiple buildings together. How

OmniAccess Reference: AOS-W System Reference322 Part 031652-00 May 2005policy is useful in blocking access to that AP until the configuration can be f

Intrusion Detection Configuration 323Chapter 15Enforce WEP Encryption for all Traffic – Any valid AP not using WEP will be flagged as misconfigured.En

OmniAccess Reference: AOS-W System Reference324 Part 031652-00 May 2005configure detection of weak WEP implementations, navigate to Configuration >

Intrusion Detection Configuration 325Chapter 15FIGURE 15-16 Multi-Tenancy ConfigurationAvailable parameters are:Disable APs Violating Enterprise SSID

OmniAccess Reference: AOS-W System Reference326 Part 031652-00 May 2005FIGURE 15-17 MAC OUI CheckingAvailable parameters are:Enable MAC OUI Check – E

Authentication Server Configuration 327CHAPTER 16Authentication Server ConfigurationIntroductionStrong authentication methods use authentication serve

Command Line Basics 13CHAPTER 3Command Line BasicsThe Command Line Interface (CLI) is the most direct and comprehensive method for managing the Alcate

OmniAccess Reference: AOS-W System Reference328 Part 031652-00 May 2005You may configure 2 general parameters here, they are:Configuring RADIUS Server

Authentication Server Configuration 329Chapter 16Add a new server by clicking the Add button.The Add RADIUS Server page appears. Enter information abo

OmniAccess Reference: AOS-W System Reference330 Part 031652-00 May 2005Server RulesServer rules may be defined for each server to determine role and V

Authentication Server Configuration 331Chapter 16Add a rule by clicking the add button.The following parameters may be configured for server rules usi

OmniAccess Reference: AOS-W System Reference332 Part 031652-00 May 2005where:Attribute Name TBCAttribute ID TBCAttribute Type TBCVendor Name TBCVendor

Authentication Server Configuration 333Chapter 16Configuring LDAP Servers with Web UIAlcatel switches allow for authentication using LDAP servers. Con

OmniAccess Reference: AOS-W System Reference334 Part 031652-00 May 2005Adding a Server RuleTo add a server rule, click Add on the Add LDAP Server page

Authentication Server Configuration 335Chapter 16where:Rule type is Role Assignment or Vlan Assignment.TBCAttribute is TBCCondition is TBCValue is TBC

OmniAccess Reference: AOS-W System Reference336 Part 031652-00 May 2005Configuring the Internal Authentication Database with Web UIAlcatel AOS-W suppo

Authentication Server Configuration 337Chapter 16Configuring RADIUS Accounting with Web UIAlcatel AOS-W supports RADIUS accounting, tracking login and

OmniAccess Reference: AOS-W System Reference14 Part 031652-00 May 2005Local or Remote TelnetIf properly set up, the CLI can be accessed locally or rem

OmniAccess Reference: AOS-W System Reference338 Part 031652-00 May 2005Configuring 802.1x Authentication with Web UI802.1x authentication is designed

Authentication Server Configuration 339Chapter 16Click the Enable Authentication checkbox.Select a default role from the pull-down menuAdd an authenti

OmniAccess Reference: AOS-W System Reference340 Part 031652-00 May 2005Configuring VPN Authentication with Web UIAlcatel switches provide full VPN ter

Authentication Server Configuration 341Chapter 16Configuring Captive Portal Authentication with Web UIAlcatel switches provide the ability to allow wi

OmniAccess Reference: AOS-W System Reference342 Part 031652-00 May 2005Default Role Use this pull-down menu to select the default role for the client

Authentication Server Configuration 343Chapter 16Authentication FailureThreshold for Station BlacklistingSpecifies the number of time a station may fa

OmniAccess Reference: AOS-W System Reference344 Part 031652-00 May 2005Configuring MAC Address Role Mapping with Web UIMAC Address role mapping provid

Authentication Server Configuration 345Chapter 16Configuring Stateful 802.1x for Third Party Access PointsThis feature allows the switch to intercept

OmniAccess Reference: AOS-W System Reference346 Part 031652-00 May 2005Role MappingFrom the Web UI, you can perform role mapping based on SSID and enc

Authentication Server Configuration 347Chapter 16Adding a Role MapClick Add.Select a match condition from the Condition pull-down menu box.Enter a val

Command Line Basics 15Chapter 3Using Telnet to ConnectUse a Telnet client on your management workstation to connect to the Alcatel Wireless LAN Switch

OmniAccess Reference: AOS-W System Reference348 Part 031652-00 May 2005Adding a ConditionTBCwhere:Rule Type–specifies what rule will apply such as on

Authentication Server Configuration 349Chapter 16Configuring General AAA Settings Using the CLIConfigure the general AAA settings using the aaa timers

OmniAccess Reference: AOS-W System Reference350 Part 031652-00 May 2005The configured RADIUS server settings may be viewed using the show aaa radius-s

Authentication Server Configuration 351Chapter 16Configuring LDAP Servers Using the CLIConfigure LDAP servers using the aaa ldap-server command from t

OmniAccess Reference: AOS-W System Reference352 Part 031652-00 May 2005Enter the config-ldapserver submode by executing the aaa ldap-server command wi

Authentication Server Configuration 353Chapter 16Set the mode, enable or disable LDAP.View the LDAP server settings using the show aaa ldap-server <

OmniAccess Reference: AOS-W System Reference354 Part 031652-00 May 2005Configuring the Internal Authentication Database Using the CLIAn internal authe

Authentication Server Configuration 355Chapter 16Assign an accounting server.Configuring 802.1x Authentication Using the CLI802.1x configuration is ac

OmniAccess Reference: AOS-W System Reference356 Part 031652-00 May 2005Enable or disable re-authentication. Use the “no” form of the command to disabl

Authentication Server Configuration 357Chapter 16You may view the 802.1x configuration settings using the show aaa dot1x command from the CLI.(Alcatel

OmniAccess Reference: AOS-W System Reference16 Part 031652-00 May 2005z Privileged ModeAll configuration and management functions are available in pri

OmniAccess Reference: AOS-W System Reference358 Part 031652-00 May 2005Adding 802.1x Authentication ServersAdd an existing configured 802.1x authentic

Authentication Server Configuration 359Chapter 16Configure Captive Portal using the aaa captive-portal commands from the CLI.Set the default role. Thi

OmniAccess Reference: AOS-W System Reference360 Part 031652-00 May 2005Configuring MAC Address Role Mapping Using the CLIMAC Address Role Mapping is a

Authentication Server Configuration 361Chapter 16Specify the authentication server.AP/Server Configuration for Stateful 802.1xWhen stateful 802.1x aut

OmniAccess Reference: AOS-W System Reference362 Part 031652-00 May 2005Notes on Advanced AAA FeaturesThe Advanced AAA feature pack for AOS-W unlocks a

Authentication Server Configuration 363Chapter 16The AOS-W SolutionAll the problems outlined above are solved using the Advanced AAA feature pack for

OmniAccess Reference: AOS-W System Reference364 Part 031652-00 May 2005In an enterprise network, this capability can be used to authenticate users fro

Authentication Server Configuration 365Chapter 16number of different services to be provided. All users can connect to the network using the same met

OmniAccess Reference: AOS-W System Reference366 Part 031652-00 May 2005

IAS Server Configuration 367CHAPTER 17IAS Server ConfigurationThis chapter describes how to configure your IAS server for Extensible Authorization Pro

Command Line Basics 17Chapter 3z Show CommandsThe show commands list information about the switch configuration and performance and are invaluable for

OmniAccess Reference: AOS-W System Reference368 Part 031652-00 May 2005Starting the IAS ServerClick Start on task bar, click Settings, click Administr

IAS Server Configuration 369Chapter 17Change the Startup type to Automatic.Creating NAS Client EntriesOpen the IAS Administration Tool3

OmniAccess Reference: AOS-W System Reference370 Part 031652-00 May 2005Click Start on the task bar, click Programs, then Administrative Tools, and the

IAS Server Configuration 371Chapter 17Select New Client. The Add Client Dialog window appears.Enter a meaningful name in the Friendly name box.Use the

OmniAccess Reference: AOS-W System Reference372 Part 031652-00 May 2005Enter a word in the Shared secret text box, then re-enter the same word in the

IAS Server Configuration 373Chapter 17Remote access policies are created using the IAS Administration Tool. If the IAS Administration Tool is not alre

OmniAccess Reference: AOS-W System Reference374 Part 031652-00 May 2005Click Next. The Select Attribute dialog window appears.Click the Add button. Th

IAS Server Configuration 375Chapter 17When finished adding conditions, click the Next button on Add Remote Access Policy dialog.Select the Grant remot

OmniAccess Reference: AOS-W System Reference376 Part 031652-00 May 2005Click the Edit Profile button. The Edit Dial-In Profile window appears. Click o

IAS Server Configuration 377Chapter 17Click Start, then Run, then type mmc and press Enter. The Console window appears.Click Console and select Add/Re

OmniAccess Reference: AOS-W System Referenceiv Part 031652-00 May 2005Part 2Design and Planning . . . . . . . . . . . . 23Chapter 4RF Design . . . .

OmniAccess Reference: AOS-W System Reference18 Part 031652-00 May 2005ShortcutsCommand CompletionTo make command input easier, you can usually abbrevi

OmniAccess Reference: AOS-W System Reference378 Part 031652-00 May 2005Select the Active Directory User and Computer item in the Add Standalone Snap-i

IAS Server Configuration 379Chapter 17Type the user’s name information in the appropriate text fields., then click Next.Enter the password in the Pass

OmniAccess Reference: AOS-W System Reference380 Part 031652-00 May 2005Configuring SBRTBCConfiguring FunkTBC

Firewall Configuration 381CHAPTER 18Firewall ConfigurationSetting Policies Using Web UIAliasesAliases are a convenient way to associate a human unders

OmniAccess Reference: AOS-W System Reference382 Part 031652-00 May 2005Navigate to the Configuration > Security > Advanced > Services page.Ad

Firewall Configuration 383Chapter 18Enter a name in the Service Name text field.Check the appropriate Protocol radio button.Enter the Starting Port.En

OmniAccess Reference: AOS-W System Reference384 Part 031652-00 May 2005You may add, delete, or modify source and destination aliases on this page.Alca

Firewall Configuration 385Chapter 18Click Add to expand the page and expose the Add Rule section, near the bottom.Enter a name for the new destination

OmniAccess Reference: AOS-W System Reference386 Part 031652-00 May 2005Rules are organized in top-down lists where the first rule applied to the traff

Firewall Configuration 387Chapter 18The Source and Destination elements of a rule have the same 5 options. Those options are:The Service element of a

Command Line Basics 19Chapter 3List Matching CommandsWhen typed at the end of a possible command or abbreviation, the question mark lists the commands

OmniAccess Reference: AOS-W System Reference388 Part 031652-00 May 2005Add a policy by clicking Add, the Add New Policy page appears. The Add New Poli

Firewall Configuration 389Chapter 18Navigate to the Configuration > Switch > Port page. Select the port to which you wish to apply a policy, the

OmniAccess Reference: AOS-W System Reference390 Part 031652-00 May 2005Defining Roles Using Web UIRole DesignA role is assigned to a user when they co

Firewall Configuration 391Chapter 18Click Add to begin adding a new role to the list. The Add Role page appears.

OmniAccess Reference: AOS-W System Reference392 Part 031652-00 May 2005Adding Firewall PoliciesAdd firewall policies, begin by clicking the Add button

Firewall Configuration 393Chapter 18Specify an Existing PolicySelect the Choose from Configured Policies radio box.Specify a particular AP (if you wis

OmniAccess Reference: AOS-W System Reference394 Part 031652-00 May 2005additional options.Setting Policies Using the CLIThis portion of the chapter de

Firewall Configuration 395Chapter 18You may define a service alias by giving it a name, then choosing to specify one of three options:.Define the serv

OmniAccess Reference: AOS-W System Reference396 Part 031652-00 May 2005Defining Source and Destination AliasesDefine a source/destination alias and en

Firewall Configuration 397Chapter 18Enter rules in the order you wish them to be applied.If you wish to change the position of a rule in the list, use

OmniAccess Reference: AOS-W System Reference20 Part 031652-00 May 2005Command Line EditingThe command line editing feature allows you to make correcti

OmniAccess Reference: AOS-W System Reference398 Part 031652-00 May 2005Assign a policy to a the port used when entering the config-if mode.Defining Ro

Firewall Configuration 399Chapter 18Extended ACLsCreate extended ACLs using the extended option of the access-list command.MAC ACLsCreate MAC ACLs usi

OmniAccess Reference: AOS-W System Reference400 Part 031652-00 May 2005

Captive Portal Setup 401CHAPTER 19Captive Portal SetupOverviewThe following outline lists the steps used to configure captive portal authentication. E

OmniAccess Reference: AOS-W System Reference402 Part 031652-00 May 2005Add Users to the DatabaseAuthentication can be provided using one of the follow

Captive Portal Setup 403Chapter 19Configure RADIUS Server InformationIf using a Wireless LAN switch internal server, skip to the next section.Otherwis

OmniAccess Reference: AOS-W System Reference404 Part 031652-00 May 2005Use the no prefix to remove the server information from the database. For examp

Captive Portal Setup 405Chapter 19Customize the Logon RoleThe logon role is intended only to allow clients to access the captive portal logon page. Ty

OmniAccess Reference: AOS-W System Reference406 Part 031652-00 May 2005Modify the Captive Portal ACLA default captiveportal ACL is already configured

Captive Portal Setup 407Chapter 19Modify the Logon RoleThe logon role should have only the control and captive portal ACLs assigned. ACLs that allow o

Command Line Basics 21Chapter 3z Pipe | —denotes a two or more parameters, separated one from the other by the | symbol.For example:crypto ipsec tran

OmniAccess Reference: AOS-W System Reference408 Part 031652-00 May 2005Allow Guest AccessBy default, guest access is disabled. To allow guest access,

Captive Portal Setup 409Chapter 19In the example above, a destination alias is created that represents all IP addresses except the internal network (b

OmniAccess Reference: AOS-W System Reference410 Part 031652-00 May 2005Configuring Role DerivationThe simplest option for role derivation is to config

Captive Portal Setup 411Chapter 19For more information on how role derivation works, refer to “Setting Access Rights” on page 419.Import a Server Cert

OmniAccess Reference: AOS-W System Reference412 Part 031652-00 May 2005Log in using the admin accountWhen successful, the following page appears:FIGUR

Captive Portal Setup 413Chapter 19Customize the Login ScreenIf desired, the background image shown on the captive portal login screen can be replaced

OmniAccess Reference: AOS-W System Reference414 Part 031652-00 May 2005Sample ConfigurationListed below are the commands relevant to the captive porta

Captive Portal Setup 415Chapter 19user-role ap session-acl nonoc session-acl noilabsexitaaa captive-portal default-role nocaaa captive-portal auth-ser

OmniAccess Reference: AOS-W System Reference416 Part 031652-00 May 2005show rights <role-name>This command details the access rights associated

Captive Portal Setup 417Chapter 19show user-tableThis command shows all the users currently known to the system:The meaning for the various columns is

OmniAccess Reference: AOS-W System Reference22 Part 031652-00 May 2005

OmniAccess Reference: AOS-W System Reference418 Part 031652-00 May 2005

Setting Access Rights 419CHAPTER 20Setting Access RightsThis chapter will describe how to set access rights on the OmniAccess 6000 switch using the AO

OmniAccess Reference: AOS-W System Reference420 Part 031652-00 May 2005Defining Alias’Defining Service Alias’Alias’ are useful when creating filters,

Setting Access Rights 421Chapter 20Creating Session ACLs and RolesCreating A Session ACL for LogonA session ACL must first be created for the Logon ro

OmniAccess Reference: AOS-W System Reference422 Part 031652-00 May 2005Role DerivationThe simplest way to assign a role is to create a default role fo

Setting Access Rights 423Chapter 20The following flow illustrates how roles are derived.FIGURE 20-1 Role Derivation Flow Chart

OmniAccess Reference: AOS-W System Reference424 Part 031652-00 May 2005Show CommandsThe Show Commands associated with user rights are:z show rightsz s

Access Point Setup 425CHAPTER 21Access Point SetupThis chapter covers the following topics for the Alcatel Wireless Access Point (AP):z Overview of th

OmniAccess Reference: AOS-W System Reference426 Part 031652-00 May 2005System OverviewComponentsThe Alcatel Wireless LAN solution consists of the thre

Access Point Setup 427Chapter 21APs with a direct connection to the Wireless LAN switch can also utilize optional Serial and Power Over Ethernet (SPOE

23PartDesign and Planning2

OmniAccess Reference: AOS-W System Reference428 Part 031652-00 May 2005AP ProvisioningThere are several methods for setting up and configuring Alcatel

Access Point Setup 429Chapter 21Simplified AP ProvisioningThis is a streamlined example of the AP Programming Mode. This procedure represents the most

OmniAccess Reference: AOS-W System Reference430 Part 031652-00 May 2005Once the settings are correct, push the configuration to the APs.Disable the AP

Access Point Setup 431Chapter 21Connect the Alcatel APs that require configuration to one of the specified AP programming ports on the switch.NOTE—Alt

OmniAccess Reference: AOS-W System Reference432 Part 031652-00 May 2005z Disconnect and reconnect the AP from the switch port. If the AP list had prev

Access Point Setup 433Chapter 21My network uses direct IP addresses instead of DNS.If using direct IP addresses in your network, use the following com

OmniAccess Reference: AOS-W System Reference434 Part 031652-00 May 2005If you prefer to manually generate the location data, record the location you s

Access Point Setup 435Chapter 21Push the configuration to the APs.Depending on how specific your AP configuration must be applies, use one of the foll

OmniAccess Reference: AOS-W System Reference436 Part 031652-00 May 2005If no other APs are to be configured, disable the AP program-ming mode:This wil

Access Point Setup 437Chapter 21If desired, you can reset a deployed AP to its factory default set-tings:where AP index is the AP’s entry in the list

OmniAccess Reference: AOS-W System Reference24 Part 031652-00 May 2005

OmniAccess Reference: AOS-W System Reference438 Part 031652-00 May 2005Proceed to Step 3 on page 439.If using Telnet to connect to the AP remotely, ac

Access Point Setup 439Chapter 21Interrupt the AP boot process.Depending on how far the AP boot has booted, use one of the following lettered steps:If

OmniAccess Reference: AOS-W System Reference440 Part 031652-00 May 2005If the AP has completed booting.If no key is pressed before the autoboot timer

Access Point Setup 441Chapter 21Initial ConfigurationThe Alcatel AP requires some initial configuration before it will operate. All direct configurati

OmniAccess Reference: AOS-W System Reference442 Part 031652-00 May 2005Specify host information, if necessary.In order to provide centralized manageme

Access Point Setup 443Chapter 21NOTE—If the servername environment variable is configured in this scenario, it will be ignored.Specify an IP address,

OmniAccess Reference: AOS-W System Reference444 Part 031652-00 May 2005Advanced AP ConfigurationThe following sections cover the following:z How to ac

Access Point Setup 445Chapter 21APBoot Environment VariablesThe following environment variables can be configured using the setenv command and listed

OmniAccess Reference: AOS-W System Reference446 Part 031652-00 May 2005The following environmental variables should be kept at their default values un

Access Point Setup 447Chapter 21AP Configuration ExamplesFactory Default ValuesBy default, the environmental variables are as follows:NOTE—Variables n

RF Design 25CHAPTER 4RF DesignThe Alcatel RF Plan ToolRF Plan is a three-dimensional wireless deployment modeling tool that enables Network Administra

OmniAccess Reference: AOS-W System Reference448 Part 031652-00 May 2005z The AP location is set to -1.-1.-1 (unconfigured) and uses the default loca-t