Copyright Information
Alcatel-Lucent and the Alcatel-Lucent Enterprise logo are trademarks of Alcatel-Lucent. To view other trademarks used by affiliated companies of ALE Holding, visit: enterprise.alcatel-lucent.com/trademarks. All other trademarks are the property of their respective owners. The information presented is subject to change without notice.
Control Plane Security
Control Plane Security Overview
Configuring Control Plane Security
Managing AP Whitelists
Managing Whitelists on Master and Local Switches
Working in Environments with Multiple Master Switches
Replacing a Switch on a Multi-Switch Network
AOS-W 6.5.3.x | User Guide Contents | ...
Configuring GRE Tunnel Groups
Jumbo Frame Support
IPv6 Support
Understanding IPv6 Notation
Understanding IPv6 Topology
Enabling IPv6
Enabling IPv6 Support for Switch and APs
Filtering an IPv6 Extension Header (EH)
Configuring a Captive Portal over IPv6
Understanding Authentication Server Best Practices and Exceptions
Understanding Servers and Server Groups
Configuring Authentication Servers
Managing the Internal Database
Configuring Server Groups
Assigning Server Groups
Configuring Authentication Timers
Authentication Server Load Balancing
MAC-based Authentication
Configuring MAC-Based Authentication
Performing Advanced Configuration Options for 802.1X
Application Single Sign-On Using L2 Authentication
Device Name as User Name for Non-802.1X Authentication
Stateful and WISPr Authentication
Working With Stateful Authentication
Working With WISPr Authentication
Understanding Stateful Authentication Best Practices
Enabling Captive Portal Enhancements
Netdestination for AAAA Records
Virtual Private Networks
Planning a VPN Configuration
Working with VPN Authentication Profiles
Configuring a Basic VPN for L2TP/IPsec
Configuring a VPN for L2TP/IPsec with IKEv2
Virtual AP Profiles
Changing a Virtual AP Forwarding Mode
Radio Resource Management (802.11k)
BSS Transition Management (802.11v)
Fast BSS Transition (802.11r)
SSID Profiles
WLAN Authentication
High-Throughput Virtual APs
Guest WLANs
Changing a Virtual AP Forwarding Mode
Detecting Rogue APs
Working with Intrusion Detection
Configuring Intrusion Protection
Configuring the WLAN Management System
Understanding Client Blacklisting
Working with WIP Advanced Features
Configuring TotalWatch
Administering TotalWatch
Tarpit Shielding Overview
Configuring Tarpit Shielding
Recording Consolidated AP-Provisioned Information
Intelligent Power Monitoring
Secure Enterprise Mesh
Mesh Overview Information
Mesh Configuration Procedures
Understanding Mesh Access Points
Understanding Mesh Links
Understanding Mesh Profiles
Understanding Remote Mesh Portals (RMPs)
Understanding the AP Boot Sequence
Configuring VRRP Redundancy
RSTP
Understanding RSTP Migration and Interoperability
Working with Rapid Convergence
Configuring RSTP
Troubleshooting RSTP
PVST+
Understanding PVST+ Interoperability and Best Practices
Enabling PVST+ in the CLI
Enabling PVST+ in the WebUI
Configuring Advanced Mobility Functions
Understanding Bridge Mode Mobility Deployments
Enabling Mobility Multicast
External Firewall Configuration
Understanding Firewall Port Configuration Among Alcatel-Lucent Devices
Enabling Network Access
Ports Used for Virtual Intranet Access (VIA)
Configuring Ports to Allow Other Traffic Types
PAPI Enhanced Security
Interoperability
Configuring PAPI Enhanced Security...
Customizing Spectrum Analysis Graphs
Working with Non-Wi-Fi Interferers
Understanding the Spectrum Analysis Session Log
Viewing Spectrum Analysis Data
Recording Spectrum Analysis Data
Troubleshooting Spectrum Analysis
Dashboard Monitoring
Performance
Usage
Potential Issues
Traffic Analysis
Configuring Centralized Image Upgrades
Managing Certificates
Configuring SNMP
Enabling Capacity Alerts
Configuring Logging
Enabling Guest Provisioning
Managing Files on the Switch
Setting the System Clock
ClearPass Profiling with IF-MAP
Whitelist Synchronization
Downloadable Regulatory Table
Uplink Monitoring and Management
Voice and Video
Voice and Video License Requirements
Configuring Voice and Video
Working with QoS for Voice and Video
Unified Communication and Collaboration
Understanding Extended Voice and Video Features
Advanced Voice Troubleshooting
Sample ESI Topology 1046
Understanding the ESI Syslog Parser 1048
Configuring ESI 1051
Sample Route-Mode ESI Topology 1058
Sample NAT-mode ESI Topology 1063
Understanding Basic Regular Expression (BRE) Syntax 1066
External User Management 1069
Overview 1069
Enabling Linux DHCP Servers 1107
802.1X Configuration for IAS and Windows Clients 1109
Configuring Microsoft IAS 1109
Configuring Management Authentication using IAS 1111
Windows XP Wireless Client Sample Configuration 1113
Glossary of Terms 1116

Revision History
The following table lists the revisions of this document.
Table 1: Revision History
Revision 02: Updated acronyms in the ClearPass Policy Manager Integration chapter.
Revision 01: Initial release.
About this Guide
This User Guide describes the features supported in AOS-W 6.5.3.x and provides instructions and examples to configure switches and access points (APs). This guide is intended for system administrators responsible for configuring and maintaining wireless networks and assumes administrator knowledge in Layer 2 and Layer 3 networking technologies.

Supports New Topology: Starting with AOS-W 6.5.2.0, the centralized licensing feature supports new topologies where a licensing master is connected to a standalone master licensing client switch, a redundant licensing server, and a local licensing client switch.

Transmit Power Calculation Support: Starting with AOS-W 6.5.2.0, this feature allows calculation of the transmit power of each outgoing 802.11 packet so that the AP adheres to the latest regulatory limits.
Table 4: New Hardware Platforms in AOS-W 6.5.2.0
Check with your local Alcatel-Lucent sales representative on new switches and APs available in your country.
Hardware / Description
OAW-AP203H Access Point: The OAW-AP203H access point is an IEEE 802.11ac standard high-performance flex-radio wireless device ideal for hospitality and branch deployments.
OAW-AP360 Series Outdoor Access Points: The OAW-AP360 Series (OAW-AP365 and OAW-AP367) outdoor APs support the IEEE 802.11ac standard for high-performance WLAN, and are equipped with two radios, which provide network access and monitor the network simultaneously.
Null Encryption for IKEv1
Starting with AOS-W 6.5.1.0, XLP-based switches support null encryption as an IKEv1 encryption algorithm. This helps in reducing the load on the local router for internet-destined traffic. (Null encryption authenticates and integrity-protects the tunnel but does not encrypt its payload.)
If one or more subscription WebCC licenses expire so that a switch has fewer active WebCC subscription licenses than AP licenses, that switch will no longer be able to download WebCC updates from the cloud or perform classification using cloud lookup.
3x3:3 MIMO 802.11ac wireless Access Point Module (APM). This product enhances the Ericsson Pico Radio Base Station by enabling Wi-Fi access as an add-on to indoor WCDMA or 3GPP cellular coverage.
MAC entries are dropped and a warning message is logged in syslog. The values for level of security and auto-recovery interval (in seconds) can also be set.
Netdestination for AAAA Records: This feature allows the Captive Portal whitelist to support IPv6 addresses for netdestination.
NTP Standalone: This feature enables an Alcatel-Lucent switch to act as an NTP server so that devices that do not have access to the internet can synchronize their clocks.
Recording Consolidated AP-...: Starting with AOS-W 6.5.0.0, the switch stores the consolidated AP-...
Wi-Fi Calling: AOS-W 6.5.0.0 supports Wi-Fi Calling in the switch. The Wi-Fi calling service allows cellular users to make or receive calls using a Wi-Fi network instead of using the carrier’s cellular network.
AP125 access points
OAW-4306 Series switches (OAW-4306, OAW-4306G, and switches): AOS-W 6.4.4.x
OAW-4x04 Series switches (OAW-4504XM, OAW-4604, and OAW-4704 switches): AOS-W 6.4.4.x
OAW-S3 and OAW-6000 switches (OAW-S3 and OAW-6000 switches): AOS-W 6.4.4.x

Starting from AOS-W 6.5, an administrator can initiate a remote telnet or SSH session from the switch to a remote host. The host can be a switch or a non-Alcatel-Lucent host. This feature is supported from the SSH session of the switch only. The administrator should designate unique control keys for each remote telnet session.

Related Documents
The following guides are part of the complete documentation for the Alcatel-Lucent user-centric network:
Alcatel-Lucent Switch Installation Guides
Alcatel-Lucent Access Point Installation Guides...
The following informational icons are used throughout this guide:
Indicates helpful suggestions, pertinent information, and important things to remember.
Indicates a risk of damage to your hardware or loss of data.
Indicates a risk of personal injury or death.

Support Site: https://support.esd.alcatel-lucent.com
Email: ebg_global_supportcenter@al-enterprise.com
Service & Support Contact Center Telephone:
North America: 1-800-995-2696
Latin America: 1-877-919-9526
EMEA: +800 00200100 (Toll Free) or +1(650)385-2193
Asia Pacific: +65 6240 8484
Worldwide: 1-818-878-4507
Chapter 1: The Basic User-Centric Networks
This chapter describes how to connect an Alcatel-Lucent switch and Alcatel-Lucent AP to your wired network. After completing the tasks described in this chapter, see Access Points on page 509 for information on configuring APs.

The uplink port on the switch is connected to a layer-2 switch or router; this port is an access port in VLAN 1. For this scenario, you must perform the following tasks:
1. Run the initial setup wizard.
There are routers between the APs and the switch. The switch is connected to a layer-2 switch or router through a trunk port that carries traffic for all wireless client VLANs. An upstream router functions as the default gateway for the wireless users.

Configuring and connecting the switch to the wired network (described in this section)
Deploying APs (described later in this section)
The following workflow lists the tasks to configure an Alcatel-Lucent switch. Click any of the links below for details on the configuration procedures for that task.

Use the VLAN 1 IP address to start an SSH session where you can enter CLI commands. Enter the VLAN 1 IP address in a browser window to start the WebUI.
WebUI Wizards.

The switchport port-security command is enhanced to include parameters for setting the level of security and the auto-recovery interval time. You can set appropriate values for the level parameter to log a warning
                                             SpanningTree
---------  --------  ----------  ---------  -------  ------------
0/0/0      Enabled   Forwarding
0/0/1      Enabled   Down        Disabled
0/0/2      Enabled   Down        Disabled
0/0/3      Enabled   Down        Disabled
0/0/4      Enabled   Down        Disabled
0/0/5      Enabled   Down        Disabled

To clear the port-security error before bringing the port UP, execute the following command:
(host) #clear port-security-error gigabitethernet 0/0/0

Supported Combinations of the Alcatel-Lucent OAW-40xx Series Switches
A small OAW-40xx Series switch deployment with switch redundancy can be configured as a single master/single local, or as master/master-backup/multiple local switches for very small AP clusters/deployments (256 APs and under).
PSU 1: [OK | FAILED | MISSING]
Fan Tray: Displays fan tray status.
FAN STATUS: [OK | ERROR | MISSING]
FAN TEMP: [OK | HIGH | SHUTDOWN]
Exit Status Menu: EXIT STATUS

1. Make a copy of a switch configuration (with the .cfg file extension), and save the copied file with the name Alcatel-Lucent_usb.cfg.
2. Move the saved configuration file onto your USB drive into a directory named /Alcatel-Lucentimage.

Gigabit ports.) In the example configurations shown in this section, a switch is connected to the network through its Gigabit Ethernet port 1/25.
Configure the port as a trunk port.
Configure a default gateway for the switch.
To configure a Gigabit Ethernet port:
(host)(config) #interface gigabitethernet <slot>/<module>/<port>
(host)(config-if) #switchport mode trunk
(host)(config-if) #switchport trunk native vlan <id>
To confirm the port assignments, use the show vlan command:
(host)(config) #show vlan
Disable STP on the switch if you are not employing STP in your network.
In the WebUI
To configure a loopback IP address:
1. Navigate to Configuration > Network > Switch > System Settings.

LEDs indicate proper connections. Refer to the Installation Guide for the switch for port LED and cable descriptions. In many deployment scenarios, an external firewall is situated between various Alcatel-Lucent devices. External...

The procedures below describe the steps to replace an existing standalone master switch and/or a redundant master switch. Best practices are to replace the backup master switch first, and replace the active master switch
If the switch being replaced was returned to Alcatel-Lucent as an RMA, the license keys on the RMA switch cannot be directly transferred to a new device, and must be regenerated. To generate a new license key for a switch returned as an RMA:
1.

: Stop auto-provisioning and start mini setup dialog for branch role
'full-setup' : Stop auto-provisioning and start full setup dialog for any role
Enter Option (partial string is acceptable): full-setup

Are you sure that you want to stop auto-provisioning and start full setup dialog? (yes/no):
Reading configuration from factory-default.cfg
***************** Welcome to the Alcatel-Lucent OAW-4550 setup dialog *****************
This dialog will help you to set the basic configuration for the switch.
(or a reachable subnet) with the switch it will replace. This is to prevent a possible IP address conflict. Do not save the configuration or write to memory at the end of this step.
(host) #reload
Do you want to save the configuration(y/n): n

This is required when migrating to a newer switch model. New switch models such as the OAW-40xx Series and OAW-4x50 Series switches use a different port numbering scheme than other Alcatel-Lucent switches. Ports on the newer switch models are numbered slot/module/port. Older switch ports are numbered slot/port. As a result, flash backup files restored from older switches onto a newer model switch can cause the newer switch to lose network connectivity, because the imported port settings do not match the switch hardware.
If you changed the VRRP priorities of your redundant master switches prior to replacing the primary master switch, you may wish to change them back once the new primary master is active on the network.

AP receives its certificate and establishes its secure connection.
HP Platform interoperating with Alcatel-Lucent Switches
The following HP TPM-based switches can now interoperate with Alcatel-Lucent switches and create IKE/IPsec tunnels: 2930F, 5400R/v3, 3810, 5400R/v2 (compat.

Configuring Control Plane Security after Upgrading on page 76 for details on enabling this feature using the WebUI or CLI.
In the WebUI
1. Navigate to Configuration > Network > Switch.
2. Select the Control Plane Security tab.
This prevents the switch from issuing a certificate to any rogue APs that may appear on your network at a later time.
Figure 4: Control Plane Security Settings

3. Select the whitelist to which you want to add an AP. The Whitelist tab displays status information for the Campus AP Whitelist by default. To add a Remote AP to the Remote AP whitelist, click the Remote AP link before you proceed to step 4 on page
The static inner IP address to be assigned to the Remote APs.
7. Click Add.
In the CLI
To add an AP to the campus AP whitelist:
(host) #whitelist-db cpsec add mac-address <name> ap-group <ap_group>
Number of entries in the campus AP whitelist that have been manually revoked.
Marked for deletion entries: Number of entries in the campus AP whitelist that have been marked for deletion, but not removed from the Remote AP whitelist.
Remote AP whitelist configuration parameters
Last Update: Time and date of the last AP status update.
To view information about the campus and remote AP whitelists using the CLI, use the following commands:
(host) #show whitelist-db cpsec
The AP is in the approved state and is ready to receive a certificate.
certified-factory-cert: The AP is certified and has a factory-installed certificate.
Description: Brief description of the campus AP.
Revoked: Click the Revoked checkbox to revoke an invalid or rogue AP.
AP whitelist; the switch immediately re-certifies the AP and recreates its whitelist entry.
In the WebUI
To delete an AP from the campus AP whitelist:
1. Navigate to Configuration > Wireless > AP Installation.
2. Click the Whitelist tab.
The following defaults are used when any of the supported parameters are not provided by the CPPM server in the RADIUS access accept response:
ap-group: The default ap-group is assigned to the AP.
ap-name: The MAC address of the AP is used as the AP name.

Every switch using the control plane security feature maintains a campus AP whitelist, a local switch whitelist and a master switch whitelist. The contents of these whitelists vary, depending upon the role of the switch, as shown in the table below.
AP Whitelist Sync
If the null update count reaches five, the switch sends an “empty sync” heartbeat to the remote switch to ensure the sequence numbers on both switches are the same, then resets the null update count to zero.
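The five-null-update rule above, modelled as an added Python example (this is an illustration, not AOS-W code). It assumes that the master stamps each whitelist change with an increasing sequence number, that a heartbeat carrying no changes counts as a null update, and that a sequence mismatch found by the empty sync makes the master push its full whitelist to the peer; the MAC addresses are constructed.

```python
"""Simplified model of AP whitelist sync heartbeats between a master and a
remote (local or backup master) switch. Added illustration, not AOS-W code.

Assumed (not stated on the page): the master stamps every whitelist change
with an increasing sequence number, a heartbeat that carries no changes is
a "null update", and a sequence mismatch exposed by the empty sync makes the
master push its full whitelist to the peer.
"""
from dataclasses import dataclass, field

NULL_UPDATE_LIMIT = 5  # page: empty sync is sent when the count reaches five


@dataclass
class Master:
    seq: int = 0
    entries: dict = field(default_factory=dict)  # MAC -> certification state
    log: list = field(default_factory=list)      # (seq, MAC, state) history

    def change(self, mac: str, state: str) -> None:
        """Record an add/revoke/delete as a new sequence number."""
        self.seq += 1
        self.entries[mac] = state
        self.log.append((self.seq, mac, state))


@dataclass
class Peer:
    seq: int = 0
    entries: dict = field(default_factory=dict)


@dataclass
class SyncSession:
    master: Master
    peer: Peer
    null_updates: int = 0

    def heartbeat(self) -> str:
        """One heartbeat interval; returns the kind of message that was sent."""
        delta = [e for e in self.master.log if e[0] > self.peer.seq]
        if delta:
            # Real changes to send: apply them and reset the null counter.
            self.null_updates = 0
            for seq, mac, state in delta:
                self.peer.entries[mac] = state
                self.peer.seq = seq
            return "update"
        self.null_updates += 1
        if self.null_updates < NULL_UPDATE_LIMIT:
            return "null"
        # Fifth null update: send an empty sync carrying the master's
        # sequence number so both sides can confirm they agree, then reset.
        self.null_updates = 0
        if self.peer.seq != self.master.seq:
            # Assumed behaviour: a drifted peer receives the full whitelist.
            self.peer.entries = dict(self.master.entries)
            self.peer.seq = self.master.seq
            return "empty-sync-resync"
        return "empty-sync"


def demo() -> list:
    """Constructed scenario: one change, idle heartbeats, then a drifted peer."""
    master, peer = Master(), Peer()
    session = SyncSession(master, peer)
    master.change("00:0b:86:aa:bb:cc", "certified-factory-cert")  # constructed MAC
    sent = [session.heartbeat() for _ in range(6)]
    # Simulate drift: the peer believes it is ahead of the master (for example
    # after a stale restore), so no delta is ever generated for it and only
    # the empty sync can expose the divergence.
    peer.seq = 42
    sent += [session.heartbeat() for _ in range(5)]
    return sent


if __name__ == "__main__":
    for i, kind in enumerate(demo(), 1):
        print(f"heartbeat {i}: {kind}")
```

The drifted-peer half of the scenario shows why the periodic empty sync matters: a peer whose sequence number is wrong never receives a delta, so without the sequence check its whitelist would silently diverge from the master's.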
3. To clear the Local Switch whitelist: In the Local Switch List For AP Whitelist Sync section, click Purge.
4. To clear the Master Switch whitelist: In the Master Switch List For AP Whitelist Sync section, click Purge.

Use the command-line interface to create a cluster root using an IPsec key, factory-installed certificate, or custom certificate.
In the WebUI
To create a cluster root:
This parameter must have the same value as the key defined for the cluster member in Creating a Cluster Root on page
6. Click Add.
7. Click Apply.
You should also synchronize the database any time the campus AP whitelist changes (APs are added or removed) to ensure that the backup switch has the latest settings. Master and backup switches can be synchronized using either of the following methods:

5. Purge the local switch whitelist using one of the following two methods:
Access the command-line interface on the new local switch and issue the whitelist-db cpsec purge command.
The procedure to replace a local switch in a network with multiple master switches is the same as the procedure to replace a local switch in a single-master network. To replace a local switch in a multi-master network, follow the procedure described in Replacing a Local Switch on page 73.
If you want the new switch to act as the primary switch, you can increase that switch’s priority after the settings have been resynchronized.

If control plane security was already enabled, then it remains enabled after the upgrade. If it was not enabled previously, but you want to use the feature after upgrading, then you must manually enable it.

If an AP is in this state due to connectivity problems, then the AP recovers and is taken out of this hold state as soon as connectivity is restored.
If you notice unwanted or rogue APs connecting to your switch via an IPsec tunnel, verify that automatic certificate provisioning has been disabled, then manually remove the unwanted APs by deleting their entries from the campus AP whitelist.

Licenses are platform independent and can be installed on any switch. Installation of the feature license unlocks that feature’s functionality for the maximum capacity of the switch. Table 25 lists the license types, and describes how licenses are consumed on the switches.
The licenses that are specific to an individual switch cannot be shared among switches via centralized licensing.
Table 26: Sharable Licenses vs Switch-Specific Licenses
Sharable via a Licensing Pool / Switch-Specific License
PEFV PEFNG
Each license can be either an evaluation or permanent license. A permanent license permanently enables the desired software module on a specific Alcatel-Lucent switch. You obtain permanent licenses through the sales order process only. Permanent software license keys are sent to you via email. An evaluation license allows you to evaluate the unrestricted functionality of a software module on a specific switch for 90 days (in three 30-day increments).

Issuing the write erase command on a switch running software licenses does not affect the license key management database on the switch. Rebooting or resetting a switch has no effect on a license.

AOS-W provides the ability to move a license from one standalone switch to another, for maximum flexibility in managing an organization’s network and to minimize an RMA impact. Alcatel-Lucent monitors and detects license fraud. Abnormally high volumes of license transfers for the same license certificate to multiple switches can indicate a breach of the Alcatel-Lucent end user software license agreement and will be investigated.
The information in this table is then shared with all client switches as a pool of available licenses. When a client switch uses a
AP has not enabled any features that would require that license. A switch cannot use more licenses than what is supported by its switch platform, regardless of how many licenses are available in the license pool.
Figure 11: License Pool Reflecting Used Licenses
Supported Topologies
The following table describes the switch topologies supported by this feature.
The master license server will reside on the master switch, and the standby license server will reside on the standby master switch. Local switches can only be license clients, not license servers.
If both the primary and the backup license servers fail, or if the backup switch reboots before the primary switch comes back up, license clients will retain the license limits sent to them by the licensing server for 30 days.

2. Identify a switch you want to designate as the primary licensing server. If that switch already has a redundant backup switch, that backup switch will automatically become the backup license server.
7. In the License Server IP field, enter the IP address the client will use to connect to the licensing server. If you have defined a backup licensing server using a virtual router ID, enter the IP address of that virtual router.
8. Click Apply.

92).
2. Locate the system serial number of your switch (see Locating the System Serial Number on page 92).
3. Use your system’s serial number to obtain a software license key from the Alcatel-Lucent Software License Management website: https://licensing.alcateloaw.com/ (see Obtaining a Software License Key on page 92).
Obtaining a Software License Key
To obtain a software license key, you must log in to the Alcatel-Lucent License Management website. If you are a first time user, you can use the software license certificate ID number to log in and request a new user account.

List your certificates: View all currently available and active software license certificates for your account.
Creating a Software License Key
To create a software license key, you must log in to the Alcatel-Lucent License Management website at: https://licensing.alcateloaw.com/ If you are a first time user of the licensing site, you can use the software license certificate ID number to log in and request a new user account.

License Client(s) Usage Table
This table displays information about the different types of licenses in the license table, and how many total licenses of each type are available and used.
Module: Total number of Extreme Security (xSec) licenses sent from licensing clients associated with this switch. Total number of Advanced Cryptography (ACR) licenses sent from licensing clients associated with this switch.
Heartbeat responses received from the license server.
Total Missed: Total number of heartbeats that were not received by the licensing client.
Last Update: Number of seconds elapsed since the licensing client last sent a heartbeat request.

The example below follows the suggested order of steps to configure a virtual AP using the command-line interface.
(host)(config) #aaa server-group "THR-DOT1X-SERVER-GROUP-WPA2"
  auth-server Internal
(host)(config) #ip access-list session THR-POLICY-NAME-WPA2
  user any any permit
(host)(config) #user-role THR-ROLE-NAME-WPA2
  session-acl THR-POLICY-NAME-WPA2

1. Default or Virtual AP VLAN
2. VLAN from Initial role
3. VLAN from User Derivation Rule (UDR) role
4. VLAN from UDR
5. VLAN from DHCP option 77 UDR role (wired clients)
If required, you can also configure the address of the DHCP server for the VLAN by clicking Add.
3. Click Apply.
In the CLI
(host)(config) #interface vlan <id>
  ip address <address> <netmask>
4. Enter a priority value for the VLAN ID in the Uplink Priority field. All wired uplink interfaces have the same priority by default. If you want to use an active-standby topology, then prioritize each uplink interface by entering a different priority value (1–4) for each uplink interface.
In the CLI
In this example, a PPPoE service name, username, and password are assigned, and the interface VLAN 14 has an uplink priority of 3:
(host)(config) #interface vlan 14
  ip address pppoe
8. For Network, enter 10.1.1.0 for IP Address and 255.255.255.0 for Netmask.
9. Click Done.
In the CLI
Use the following commands:
(host)(config) #ip dhcp pool employee-pool
  default-router 10.1.1.254
  dns-server import
  netbios-name-server import
  network 10.1.1.0 255.255.255.0
Now, this feature resolves this issue by allowing only outbound traffic to perform NAT. Do not enable the NAT translation for inbound traffic option for VLAN 1, as this will prevent IPsec connectivity between the switch and its IPsec peers.
On the switch, you can map a VLAN to a layer-3 subnetwork by assigning a static IP address and a netmask, or by configuring a DHCP or PPPoE server to provide a dynamic IP address and netmask to the VLAN interface.

The switch operates as a layer-2 switch that uses a VLAN as a broadcast domain. As a layer-2 switch, the switch requires an external router to route traffic between VLANs. The switch can also operate as a layer-3 switch that can route traffic between VLANs defined on the switch.
3. Click OK.
4. To add physical ports to a VLAN, click Edit next to the VLAN you want to configure and click the port in the Port Selection section.
5. Click Apply.
The Even named VLAN assignment type maintains a dynamic latest usage level of each VLAN ID in the named VLAN. Therefore, as users age out, the number of available addresses increases. This leads to a more even distribution of addresses.
Page 108
Role Derivation for Named VLAN Pools You can configure Named VLANs under user rule, server derivation, user derivation, and VSA in this release. You cannot modify a VLAN name, so choose the name carefully. 108| Network Configuration Parameters AOS-W 6.5.3.x | User Guide...
Trunking Protocol to the list of protocols that are not limited by VLAN bandwidth contracts.
(host)(config) #vlan-bwcontract-explist mac 01:00:0C:CC:CC:CC
To show entries in the VLAN bandwidth contracts MAC exception list, execute the following command:
(host)(config) #show vlan-bwcontract-explist internal
VLANs only. You can also specify the native VLAN for the port. A trunk port uses 802.1q tags to mark frames for specific VLANs. However, frames on a native VLAN are not tagged.
6. In the Enter VLAN(s) section, clear the Trusted check box to make the VLAN untrusted. The default is trusted (checked).
7. In the VLAN Firewall Policy drop-down list, select the policy through which VLAN traffic must pass. You can select a policy for both trusted and untrusted VLANs.
VLAN traffic must pass, from the Policy drop-down list and click Add. Both the selected VLAN and the policy appear in the Session Firewall Policy field.
11. When you are finished listing VLANs and policies, click Cancel.
If you use the loopback IP address to access the WebUI, changing the loopback IP address will result in loss of connectivity. It is recommended that you use one of the VLAN interface IP addresses to access the WebUI.
IP address, then it will also appear in this list. Dynamically assigned IP addresses such as DHCP/PPPoE do not display.
4. Click Apply. Any change in the switch's IP address requires a reboot.
The traffic flow illustrated by Figure 17 is as follows:
1. The frame enters the source switch (Switch-1) on VLAN 101. The frame is bridged through Switch-1 into the Layer-2 GRE tunnel.
Limitations for Static IPv6 Layer-3 Tunnels
AOS-W does not support the following functions for static IPv6 Layer-3 GRE tunnels: IPv6 Auto-configuration and IPv6 Neighbor Discovery mechanisms do not apply to IPv6 GRE tunnels.
3. Highlight the line for the tunnel ID of interest and click Edit. The Edit GRE Tunnel screen appears, as shown in Figure 21.
Figure 21 Layer-2 GRE Tunnel UI Configuration for Switch-1
The following steps describe the procedure to configure an IPv4 Layer-3 GRE tunnel for Switch-1 and Switch-2 via the WebUI.
1. Log into Switch-1.
2. Navigate to Configuration > Network > IP > GRE Tunnels. The GRE Tunnels page is displayed.
If a VLAN interface has IPv6 addresses configured, one of them is used as the tunnel source IPv6 address. If the selected IPv6 address is deleted from the VLAN interface, then the tunnel source IP address is reconfigured with the next available IPv6 address.
The following command example configures a Layer-3 GRE tunnel for IPv6:
IPv6 Switch-1 Configuration
(Switch-1) (config) # interface tunnel 106
description "IPv6 Layer-3 GRE 106"
tunnel mode gre ipv6
ip address 2001:1:2:1::1
tunnel source vlan 10
tunnel destination 2001:1:2:2020::1
trusted
From the WebUI
To direct traffic into a GRE tunnel via a firewall policy via the WebUI:
1. On the switch, navigate to the Configuration > Security > Access Control > Policies page.
Figure 25 Adding a New Firewall Policy
3. Enter the Policy Name.
4. For Policy Type, specify Session (the default).
5. To create a new policy rule, scroll to the Rules section and click Add.
1. On the switch, navigate to the Configuration > Network > IP > GRE Tunnels page.
2. Locate the tunnel ID for which you are enabling keepalives, then click Edit. The Edit GRE Tunnel screen appears.
When the first tunnel fails, the second tunnel carries the traffic. The third tunnel in the tunnel-group takes over if the second tunnel also fails. In the meantime, if the first tunnel comes up, it becomes the most eligible standby tunnel.
A Layer-2 tunnel can only be part of one tunnel group. An Alcatel-Lucent Layer-2 tunnel-group is not interoperable with other vendors. You must set up Layer-2 tunnel groups between Alcatel-Lucent devices only.
Configuring a Layer-2 or Layer-3 Tunnel Group Using the CLI
To configure a Layer-2 or Layer-3 tunnel group using the CLI:
(Controller-1) (config) #tunnel-group <tunnel_group_name>...
- Convert RAs to unicast (VLAN Pooling/L3 Mobility enabled), s - Split tunnel, V - enforce user vlan (open clients only), x - Striping IP, H - Standby (HA-Lite), c - IP Compression, g - PAN GlobalProtect Tunnel
Wi-Fi tunnel: A Wi-Fi tunnel can support an AMSDU jumbo frame for an AP (the maximum MTU supported is up to 9216 bytes).
Limitations for Jumbo Frame Support
This release of AOS-W does not support the jumbo frames for the following scenarios: IPsec, IPIP, and xSec.
(host)#show firewall
Execute the following command to view the jumbo frame status on a port:
(host)#show interface gigabitethernet <slot>/<module>/<port>
Execute the following command to view the jumbo frame status on a port channel:
Advertisements (RA). You do not need an external IPv6 router in the subnet to generate RA for IPv6 APs and clients that depend on stateless autoconfiguration to obtain IPv6 address. The external IPv6 router is the AOS-W 6.5.3.x | User Guide IPv6 Support |...
This release of AOS-W provides IPv6 support for switches and access points. You can now configure the master switch with an IPv6 address to manage the switches and APs. Both IPv4 and IPv6 APs can terminate on the
Table 35: IPv6 APs Support Matrix (columns: Features; Supported on IPv6 APs?)
Forward Mode - Tunnel
Forward Mode - Decrypt Tunnel
Forward Mode - Bridge
Forward Mode - Split Tunnel
AP Type - CAP
AOS-W, you can delete this IPv6 address. You can configure an IPv6 interface address using the WebUI or CLI.
As per Internet Assigned Numbers Authority (IANA), Alcatel-Lucent switches support the following ranges of IPv6 addresses:
Global unicast—2000::/3
Unique local unicast—fc00::/7
Link local unicast—fe80::/10...
You can configure a static neighbor on a VLAN interface either using the WebUI or the CLI.
In the WebUI
1. Navigate to the Configuration > Network > IP page and select the IPv6 Neighbors tab.
2. Click Add and enter the following details of the IPv6 neighbor:
1. Navigate to the Configuration > Network > Switch page and select the System Settings tab.
2. Under the Switch IP Details section, select the VLAN Id or the loopback interface Id in the IPv6 Address drop down.
3. Click Apply.
Query Interval (second): default value is 125 seconds
Query Response Interval (in 1/10 second): default value is 100 (1/10 seconds).
3. Click Apply.
To configure the SSM Range:
1. Navigate to Configuration > Network > IP page and select the Multicast tab.
Use the Dynamic Multicast Optimization (DMO) Threshold field to set the maximum number of high-throughput stations in a multicast group.
6. Click Apply to save your changes.
In the CLI
To verify the DMO configuration, execute the following command:
Starting with AOS-W 6.3, a wired client can connect to the Ethernet interface of an IPv6 enabled AP. You can provision an IPv6 AP using the WebUI or CLI.
In the WebUI
1. Navigate to the Configuration > AP Installation > Provision page and select the Provisioning tab.
(host) (config-exthdr) #show netexthdr default
Configuring a Captive Portal over IPv6
IPv6 is now enabled on the captive portal for user authentication on the Alcatel-Lucent switch. For user authentication, use the internal captive portal that is initiated from the switch. A new parameter...
You must configure the IPv6 RA functionality on a VLAN for it to send solicited/unsolicited router advertisements on the IPv6 network. You must configure the following for the IPv6 RA to be operational on a VLAN:
Each IPv6 prefix must have an on-link interface address configured on the VLAN. Ensure you configure the upstream routers to route the packets back to the Alcatel-Lucent switch. You can use the WebUI or CLI to configure the IPv6 RA on a VLAN.
Enter a value in the RA MTU Option option. The allowed range is 1,280 to the maximum MTU allowed for the link.
j. Select the DHCP for Other Address check box to enable the hosts to use the DHCP server for autoconfiguration of other (non-address) information.
You can enable IPv6 RA proxy using the CLI and WebUI.
In the WebUI
1. Navigate to the Configuration > Advanced Services > Stateful Firewall page and select the Global Setting tab.
2. Select the IPV6 Proxy Router Advertisement Enable check box.
(host) (config) #ipv6 radius nas-ip6 <IPv6 address>
You can also configure an IPv6 global source-interface for all the RADIUS server requests using the following commands:
(host)(config) #ipv6 radius source-interface loopback
(host)(config) #ipv6 radius source-interface vlan <vlan-id> <ip6addr>
3. Select the required server from the list to go to the TACACS server page.
4. To configure an IPv6 host for the selected server, specify an IPv6 address in the Host field.
5. Click Apply.
10240
OAW-4750 15360
Configuring DHCPv6 Server
You must enable the global DHCPv6 knob for the DHCPv6 functionality to be operational. You can enable and configure DHCPv6 server using the WebUI or CLI.
(host)(config-dhcpv6)#dns-server <ipv6-address>
To configure a domain name, use the following command:
(host)(config-dhcpv6)#domain-name <domain>
To configure DHCPv6 lease time, use the following command:
(host)(config-dhcpv6)#lease <days> <hours> <minutes> <seconds>
The default value is 12 hours.
AOS-W provides wired or wireless clients using IPv6 addresses with services such as firewall functionality, layer-2 authentication, and, with the installation of the Policy Enforcement Firewall Next Generation (PEFNG), identity-based security. The Alcatel-Lucent switch does not provide routing or Network Address Translation to IPv6 clients (see Understanding IPv6 Exceptions and Best Practices on page 155).
This release of AOS-W only supports 802.1X authentication for IPv6 clients. You cannot configure layer-3 authentications to authenticate IPv6 clients.
Table 37: IPv6 Client Authentication (columns: Authentication Method; Supported for IPv6 Clients?)
802.1X
Stateful 802.1X (with non-Alcatel-Lucent APs)
Local database
Captive Portal
Appletalk or IPX, from being forwarded. Default: Disabled
Deny All IP Fragments: Drops all IP fragments. NOTE: Do not enable this option unless instructed to do so by an Alcatel-Lucent representative. Default: Disabled
Set the time, in seconds, that a non-TCP session can be idle before it is removed from the session table. Specify a value in the range 16–259 seconds. You should not set this option unless instructed to do so by an Alcatel-Lucent representative. Default: 30 seconds...
Logs a match to this rule. This is recommended when a rule indicates a security breach, such as a data packet on a policy that is meant only to be used for voice calls.
Under IP Version column, select IPv6.
b. Under Source, select network from the drop-down list.
c. For Host IP, enter 2002:d81f:f9f0:1000::.
d. For Mask, enter 64 as the prefix-length.
e. Under Service, select service from the drop-down list.
To delete a user entry for an IPv6 client, access the CLI in config mode and use the aaa ipv6 user delete command. For example:
(host)(config) #aaa ipv6 user delete 2002:d81f:f9f0:1000:e409:9331:1d27:ef44
The switch offers limited routing services to IPv6 clients, so it is recommended to use an external IPv6 router for a complete routing experience (dynamic routing). VoIP ALG is not supported for IPv6 clients.
IPv6 Auto configuration and IPv6 Neighbor Discovery mechanisms do not apply to IPv6 tunnels. Tunnel Encapsulation Limit, Tunnel-group, and MTU discovery options on IPv6 tunnels are not supported. IPsec is not supported in this release, so IPv6 GRE cannot be used for master-local setup.
<number> members, the command is rejected. The port uses the group number as its actor admin key. All ports use long timeout values (90 seconds) by default. AOS-W 6.5.3.x | User Guide Link Aggregation Control Protocol |...
A - Device is in active mode
P - Device is in passive mode
Partner's information
---------------------
Port Flags OperKey State Num Dev Id
---- ----- ---- ------- ----- ---- ----------------
FE 1/1 0x10 0x45 00:0b:86:51:1e:70
FE 1/2 0x10 0x45 00:0b:86:51:1e:70
Timeout—time out value for the LACP session. The long default is 90 seconds; the short default is 3 seconds.
For information on configuring LACP on OAW-AP220 Series and OAW-AP270 Series access points, see Link Aggregation Support on OAW-AP220 Series, OAW-AP270 Series, and OAW-AP320 Series on page 588.
OSPF control packets undergo GRE encapsulation before entering the IPsec tunnels. The default MTU value for a Layer 3 GRE tunnel in an Alcatel-Lucent switch is 1100. When running OSPF over a GRE tunnel between an Alcatel-Lucent switch and another vendor’s router, the MTU values must be the same on both sides of the GRE tunnel.
Understanding OSPFv2 by Example using a WLAN Scenario
In the WLAN scenario, the Alcatel-Lucent switch acts as a default gateway for all the clients, and talks to one or two upstream routers for redundancy. The switch advertises all the user subnet addresses as stub addresses to the routers via LSAs.
IPsec tunnels. The switches in the branch offices advertise all the user subnet addresses to the Central office switch as stub addresses in router LSA. The central office switch in turn forwards those router LSAs to the upstream routers. AOS-W 6.5.3.x | User Guide OSPFv2 | ...
The routing table for Router 1 is below:
(router1) #show ip route
14.1.1.0/24 [1/0] via 4.1.1.1
15.1.1.0/24 [1/0] via 4.1.1.1
4.1.1.0 is directly connected, VLAN4
The routing table for Router 2 is below:
(router2) #show ip route
3. Configure the OSPF interface settings in the Configuration screen (Figure 33). If OSPF is enabled, the parameters contain the correct default values. You can edit the OSPF values only when you enable OSPF on the interface.
Sample Topology and Configuration
The figure below displays a sample OSPF topology followed by sample configurations of the Remote Branch 1, Remote Branch 2, and the Central Office Switch (Active and Backup).
100 sub 40
tracking vlan 225 sub 40
no shutdown
ip default-gateway 192.168.68.1
ip route 192.168.0.0 255.255.0.0 null 0
router ospf
router ospf router-id 192.168.225.1
router ospf area 10.10.10.10 stub
router ospf redistribute vlan 100,225
DOWN Switch will send Type-7 LSA (NSSA) of VPN route 202.202.202.0/24 to its upstream router, Cisco-2950. UP Switch will send a Type-4 asbr-summary LSA.
Configuring UP Switch
interface vlan 21
ip address 21.21.21.2 255.255.255.0
ip ospf area 0.0.0.11
router ospf
router ospf area 0.0.0.11
router ospf redistribute rapng-vpn
2100::/64 2100::5 ::1/128
(host)# show clients
Client List
-----------
Name IP Address MAC Address Network Access Point Channel Type Role Signal Speed (mbps)
---- ---------- ----------- ------- ------------ ------- ---- ---- ------ ------------
----------------------------- --------------------- ---- ---- ------
2100::/64 2100::5 ::1/128
(host)# show clients
Client List
-----------
Name IP Address MAC Address Network Access Point Channel Type Role Signal Speed (mbps)
---- ---------- ----------- ------- ------------ ------- ---- ---- ------ ------------
202.202.202.6 08:ed:b9:e1:51:7b 149.35 00:24:6c:c0:41:f2 149.35 (good) 48(poor)
Info timestamp :80748
Understanding Authentication Server Best Practices and Exceptions
For an external authentication server to process requests from the Alcatel-Lucent switch, you must configure the server to recognize the switch. Refer to the vendor documentation for information on configuring the authentication server.
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Radius Server to display the Radius Server List.
3. To configure a RADIUS server, enter the name for the server and click Add.
179| Authentication Servers AOS-W 6.5.3.x | User Guide...
Configuration > Security > Authentication > Advanced page, the global NAS IP address takes precedence.
Enable IPv6: Enable or disable IPv6 for this server. Default: Disabled
NAS IPv6: The NAS IPv6 address to be sent in RADIUS packets.
Enabling this option allows sending this delimiter to separate csid_type and ssid in the Called Station ID. Default: colon (example: 00-1a-1e-00-1a-b8:dotx-ssid)
RADIUS Service-Type Attribute
The switch sends the following Service-Type attribute values for RADIUS authentication requests.
ServerCert and configuring Radsec to accept and use the switch's certificate. If a certificate is not configured, the switch will use the device certificate in its Trusted Platform Module (TPM). In this case, the Alcatel-Lucent device CA that signed the switch's certificate should be configured as a Trusted CA on the Radsec server.
Network Access Servers and RADIUS servers, allowing vendors to support their own extended attributes. You can use Alcatel-Lucent VSAs to derive the user role and VLAN for RADIUS-authenticated clients on the wired or Wi-Fi network, or define RTTS VSAs for a Cellular WLAN switch (CWC). The VSAs must be present on...
Device-Name: authorization to the internal RADIUS server within the CPPM. Device name checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded.
Instant APs.
Hash: The CPPM sends the NT hash of the password to the Instant AP, which can be used by the Instant AP to authenticate the user if the CPPM server is not reachable.
WLAN due to the UE Wi-Fi estimated throughput being constantly higher than the RTTS-Reestimate-When-Below-Tput threshold.
The following table describes the Hotspot 2.0 VSAs supported by AOS-W.
1 = Release 2
Hotspot2-STA-Version (integer, Wi-Fi-Alliance, 40808): This attribute indicates the Hotspot release version supported by the mobile device. Supported values are 0 and 1. 0 = Release 1, 1 = Release 2
Requests sending to this RADIUS accounting server.
To create a RADIUS modifier profile to customize the attributes that are included, excluded and modified in the RADIUS request before it is sent to the authentication or accounting server:
(host) #show aaa radius modifier <profile_name>
Dynamic Data Support
Starting from AOS-W 6.5.2.0, Alcatel-Lucent supports dynamic data for the included attributes in the RADIUS Attribute modifier. Users can configure the dynamic value for each included attribute in the RADIUS modifier to be one or two data items.
(host) (Radius Modifier Profile "dynamic-mod") #include Aruba-Location-Id dynamic essid1 with ap-macaddr2 delimiter ?
        Use '@' as delimiter between fields
colon   Use ':' as delimiter between fields
dash    Use '-' as delimiter between fields
dollar  Use '$' as delimiter between fields
If you define a RADIUS server using the FQDN of the server rather than its IP address, the switch periodically generates a DNS request and caches the IP address returned in the DNS response. DNS requests are sent every 15 minutes by default.
Allows clear-text (unencrypted) communication with the LDAP server. Default: disabled
Authentication Port: Port number used for authentication. Default: 389
Base-DN: Distinguished Name of the node that contains the entire user database. Default: N/A
5. Click Apply. The configuration does not take effect until you perform this step.
Using the CLI
(host)(config) #aaa authentication-server ldap <name>
Configuring a TACACS+ Server
Table 48 defines the TACACS+ server parameters.
AOS-W 6.5.2.0 introduces the Source Interface parameter. This parameter provides a customer the option of specifying the source IP for a TACACS server. The source IP specified in the TACACS server overrides the one in
(host) (config)#no ip tacacs source-interface vlan <vlan id>
(host) (config)#no ipv6 tacacs source-interface vlan <vlan id> <ip6addr>
The following command deletes the per-server TACACS source interface on IPv4:
(host) (TACACS Server <name>) #no source-interface vlan <vlanid>
If you use the internal database in a local switch, you need to add clients on the local switch.
Table 50 defines the required and optional parameters used in the internal database.
AOS-W allows you to import and export user information tables to and from the internal database. These files should not be edited once they are exported. AOS-W only supports the importing of database files that were
4. Click OK.
Repairing the Internal Database
Use this utility under the supervision of Alcatel-Lucent technical support to recreate the internal database. This may clear internal database errors, but also removes all information from the database. Make sure you export your current user information before you start the repair procedure.
Dynamic Server Selection on page 200). Certain servers, such as the RSA RADIUS server, lock out the switch if there are multiple authentication failures. Therefore, you should not enable fail-through authentication with these servers.
The server is selected if the client/user information contains a specified string.
The server is selected if the client/user information begins with a specified string.
The server is selected if the client/user information exactly matches a specified string.
6. Under Servers, click New to add the radius-2 server to the group. Select radius-2 from the drop-down list.
a. For Match Type, select Authstring.
b. For Operator, select contains.
c. For Match String, enter abc.corpnet.com.
d. Click Add Rule >>.
e. Scroll to the right and click Add Server.
<domain>\<user> : the <domain>\ portion is truncated
<user>@<domain> : the @<domain> portion is truncated
This option does not support client information sent in the format host/<pc-name>.<domain>
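The server-selection rules (contains, begins with, exactly matches) and the trim-FQDN behaviour described above can be modelled in a few lines so the two steps can be checked against real user strings. The following is an added, illustrative Python example and is not AOS-W code; the function names, the operator keywords and the sample rule set (which mirrors the radius-2 / abc.corpnet.com WebUI example) are assumptions constructed for this illustration.

```python
"""Illustrative model of server-group match rules and trim-FQDN.

Added example, not AOS-W code.  Assumed behaviour, taken from the page:
  - a server is selected when the client/user string contains, begins
    with, or exactly matches its configured match string;
  - trim-FQDN truncates the <domain>\\ prefix or the @<domain> suffix, and
    does not handle the host/<pc-name>.<domain> format.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ServerRule:
    """One match rule attached to a server in a server group (assumed shape)."""
    server: str          # server name, e.g. "radius-2"
    operator: str        # "contains", "begins-with" or "equals" (assumed keywords)
    match_string: str    # the configured string to compare against


def rule_matches(rule: ServerRule, authstring: str) -> bool:
    """Evaluate one rule against the client/user information string."""
    if rule.operator == "contains":
        return rule.match_string in authstring
    if rule.operator == "begins-with":
        return authstring.startswith(rule.match_string)
    if rule.operator == "equals":
        return authstring == rule.match_string
    raise ValueError(f"unknown operator: {rule.operator!r}")


def select_server(rules: List[ServerRule], authstring: str) -> Optional[str]:
    """Return the first server whose rule matches, or None.

    Rules are evaluated in configured order; a group with no matching rule
    yields None so the caller can apply its own fallback.
    """
    for rule in rules:
        if rule_matches(rule, authstring):
            return rule.server
    return None


def trim_fqdn(username: str) -> str:
    """Apply the trim-FQDN behaviour from the page to a user name.

    <domain>\\<user>  -> <user>   (the <domain>\\ portion is truncated)
    <user>@<domain>   -> <user>   (the @<domain> portion is truncated)
    host/<pc-name>.<domain> is returned unchanged, because the page states
    that format is not supported by the option.
    """
    if username.startswith("host/"):
        return username
    if "\\" in username:
        return username.split("\\", 1)[1]
    if "@" in username:
        return username.split("@", 1)[0]
    return username


# Constructed sample group: radius-2 is selected when the Authstring
# contains "abc.corpnet.com", as in the WebUI walkthrough above.
SAMPLE_RULES = [
    ServerRule("radius-1", "equals", "guest"),
    ServerRule("radius-2", "contains", "abc.corpnet.com"),
    ServerRule("radius-3", "begins-with", "CORP\\"),
]

if __name__ == "__main__":
    for name in ("alice@abc.corpnet.com", "CORP\\bob", "guest",
                 "host/pc1.corp.example"):
        server = select_server(SAMPLE_RULES, name)
        print(f"{name!r:28} -> server={server}  sent-as={trim_fqdn(name)!r}")
```

Rule order matters in this model: a user string that satisfies more than one rule goes to the first server listed, which is why the exact-match rule is placed ahead of the looser contains rule in the sample group.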
These rules are applied uniformly across all servers in the server group. Table 51 describes the server rule parameters you can configure.
Value drop-down list.
e. Or, to set the vlan, select set vlan from the Set drop-down list and select the VLAN name or ID from the Value drop-down list and click the left-arrow.
52). Accounting is only supported with RADIUS and TACACS+ servers when RADIUS or TACACS+ is used for authentication.
Table 52: Server Types and Purposes (columns: RADIUS; TACACS+; LDAP; Internal Database; rows: User authentication; Management authentication; Accounting)
AOS-W User Guide.
Management Authentication
Users who need to access the switch to monitor, manage, or configure the Alcatel-Lucent user-centric network can be authenticated with RADIUS, TACACS+, or LDAP servers or the internal database. Only user record attributes are returned upon successful authentication. Therefore, to derive a management role other than the default mgmt auth role, set the server derivation rule based on the user attributes.
Acct-Status-Type
User-Name
NAS-IP-Address
NAS-Port
NAS-Port-Type
NAS-Identifier
Framed-IP-Address
Calling-Station-ID
Called-station-ID
Acct-Session-ID
Acct-Authentic
The following attributes are sent in Accounting-Request packets when Acct-Status-Type value is Stop:
Acct-Status-Type
User-Name
NAS-IP-Address
NAS-Port
NAS-Port-Type
NAS-Identifier
Framed-IP-Address
Calling-Station-ID
Called-station-ID
You can enable roaming RADIUS accounting services by using the WebUI and CLI:
Using the WebUI
1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.
2. Select AAA Profile, then select the AAA profile instance.
Command check boxes to enable accounting for all commands of specified types.
c. Select the Mode check box to enable or disable TACACS+ accounting.
4. Click Apply.
5. Click Save Configuration.
The commands below configure timers you can apply to clients. If the optional seconds keyword is not specified for the idle-timeout and stats-timeout parameters, the value defaults to minutes.
(host)(config) #aaa timers dead-time <minutes>
Load balancing of authentication servers ensures that the authentication load is split across multiple authentication servers, thus avoiding any one particular authentication server from being overloaded. Authentication Server Load Balancing functionality enables the Alcatel-Lucent Switch to perform load balancing of authentication requests destined for external authentication servers (RADIUS, LDAP, etc.). This prevents any one authentication server from having to handle the full load during heavy authentication periods, such as at the start of the business day.
Chapter 9 MAC-based Authentication
This chapter describes how to configure MAC-based authentication on the Alcatel-Lucent switch using the WebUI. Use MAC-based authentication to authenticate devices based on their physical media access control (MAC) address. Although this is not the most secure and scalable method, MAC-based authentication implicitly provides an additional layer of security to authenticate devices.
MAC addresses in the format xx:xx:xx:xx:xx:xx.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Internal DB.
3. Click Add User in the Users section. The user configuration page displays.
213| MAC-based Authentication AOS-W 6.5.3.x | User Guide...
5. Click Enabled to activate this entry on creation.
6. Click Apply. The configuration does not take effect until you perform this step.
In the CLI
Enter the following command in enable mode:
(host)(config) #local-userdb add username <macaddr> password <macaddr>...
(or categories of applications) either sent from or received by a selected interface. Packet compression between Alcatel-Lucent devices (such as devices at the branch and main office), to maximize the amount of data that can be carried by the network.
WAN Optimization through IP Payload Compression on page 224 Interface Bandwidth Contracts on page 225 Branch Integration with a Palo Alto Networks (PAN) Portal on page 226 Branch Switch Routing Features on page 229 216| Branch Switch Config for Cloud Services Switches AOS-W 6.5.3.x | User Guide...
When a provisioned branch switch detects that its primary master is unreachable, it attempts to reconnect to the primary master for the time period defined by the Master L3 Redundancy Switchover Timeout in its branch
Termination disabled: Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) with an external RADIUS server
Termination enabled: EAP-TLS with Common Name (CN) lookup with an external authentication server
External Captive Portal clients using the XML-API
Administrative Functions
This section describes the scenarios that illustrate the functionality that the authentication survivability feature provides. For more information, see: WAN Failure (Authentication) Survivability on page 218
Authenticated with an External RADIUS server using PAP or EAP-TLS
b. Authenticated with an External LDAP server using PAP
c. Successful query on Common Name (CN) with an External RADIUS or LDAP server
When the authentication servers are not available, the Survival Server takes over the handling of authentication requests.
Name (CN) lookup, a query request about the Common Name is sent to the external authentication server. The external authentication server can be either a RADIUS server or an LDAP server.
Survival Server takes over the handling of authentication requests. The external authentication server can be either a RADIUS server or an LDAP server.
IPsec tunnel between the branch switch and the master switch. IP payload compression should be enabled only between Alcatel-Lucent devices. When this hardware-based compression feature is enabled, the quality of unencrypted traffic (such as Skype4b or Voice traffic) is not compromised through increased latency or decreased throughput.
Limiting lower-priority traffic: If there is a lower-priority application or application type that you want to limit, apply a bandwidth contract just to that application, and allow all other application traffic to pass without any limits.
Branch switch deployments can leverage their networks' existing Palo Alto infrastructure to access more advanced security services, including antivirus services, malware detection and seamless integration with the Palo Alto Networks WildFire cloud-based threat detection.
Palo Alto portal sends the branch switch a list of PAN gateways and priority levels. Once the branch switch is authenticated, that device appears in the PAN satellite list, as shown in the figure below.
Kerberos or Local Database authentication as well. This allows a switch to authenticate to the portal even if the portal does not recognize the switch's MAC address. For details on configuring this feature using the Smart Config WebUI, see WAN Configuration on page 251.
If your deployment uses policy-based routing based on a nexthop list, any of the uplink next-hop devices can be used for forwarding traffic. This requires a valid ARP entry (route cache) in the system for all the policy-based routing next-hop devices.
The main elements of ZTP are:
  auto discovery of the primary master (and optionally, backup master) switch
  configuration download from the master switch
IP addresses of the primary switch and any defined secondary switch from DHCP options
  retrieves its branch config group from the primary master switch
- option 43) in its response to the switch. Before you deploy a branch switch using ZTP, configure the DHCP server with the following information:
  The option-60 vendor class identifier ArubaMC
VLANs, and a separate IP address that the branch switch uses to create a GRE tunnel to the master switch. Branch switch VLAN pools and the tunnel pool are defined on the master switch. Branch switch address pools are
The export-RemoteNode.csv template defines the following settings for each branch switch in the branch config group. Complete the template by adding information for up to 16 IP address pools for each branch switch.
For example, specify Edinburgh or UTC+00 or UTC or BST.
Configure general system settings for the branch switches in a branch config group by navigating to Configuration > Branch > Smart Config and selecting the System tab. The settings on the System tab are described in the table below.
(Optional) Enable Web Content Classification. For more information, see Web Content on page 805.
Mark Management Frames: (Optional) Enable or disable the marking of IPsec management frames. This option is disabled by default.
Edit to modify the certificates used to sign OCSP for the revocation check point. For more information on configuring a switch as an OCSP client, see Configuring the Switch as an OCSP Client on page 299.
SNMP
The settings on the Networking tab are described in the table below.
Figure 44 Branch Switch Networking Settings
Parameter / Description
  User VLANs
  VLAN ID: Identifier for the VLAN.
  Description: Text string describing the VLAN.
(Optional) text string used to describe the VLAN
  Operstate: Identify the VLAN operational state as UP or DOWN.
  IP Address: Specify whether the VLAN will receive its IP address using DHCP or PPPoE.
  Ports
1. Navigate to Configuration > Branch > Smart Config > Routing and select the Routing sub-tab.
2. Click the Controller-IP drop-down list and select a VLAN ID from the list of uplink VLANs configured on the Branch > Smart Config > Networking tab.
3. Click Apply.
VLANs configured on the Branch > Smart Config > Networking tab.
  Pool Name: Name that identifies this VLAN pool.
  Domain Name: Domain name of the DNS server.
  DNS Server: IP address of the DNS server.
A policy-based routing (PBR) rule is an ACL that can forward traffic as normal, route traffic over a VPN tunnel specified by an IPsec map, route it to a nexthop router on a nexthop list, or redirect it over an L3 GRE tunnel or tunnel group.
This refers to using an alias for a host or network. You configure the alias by navigating to the Configuration > Advanced Services > Stateful Firewall > Destination page.
  Destination (required): Destination of the traffic, which can be configured in the same manner as Source.
If you selected the User Role type, click the Target drop-down list and select a user role. The rule will be applied to traffic from clients with the selected user role.
5. Click Done.
6. Click Apply.
FQDN: This option allows you to use the same FQDN across different branches. The FQDN resolves to different IP addresses for each branch, based on its local DNS setting.
IKE. If you select None, the default is the VLAN of the switch’s IP address (either the VLAN where the loopback IP is configured, or VLAN 1 if no loopback IP is configured).
This authentication type is generally required in IPsec maps for a VPN with dynamically addressed peers, but can also be used for a static site-to-site VPN.
AOS-W. The customer server certificate must be imported into the switch first, and then you can assign the server certificate to the local Survival Server.
Packet Burst per Probe parameter during each probe interval. To change the default interval of 10 seconds, enter a new value into this field.
SSL connection to the portal.
  User Name: Username to authenticate to the Palo Alto Networks portal.
  Password: Password to authenticate to the Palo Alto Networks portal.
The following section describes some of the Layer-2 Spanning Tree Protocol (STP) features for the branch switch solution. Currently, the PortFast and Bridge Protocol Data Unit (BPDU) Guard features are supported,
  RSTP and PVST modes
  Access and Trunk ports
  Physical and Logical ports
The PortFast and BPDU Guard features can be applied either independently or together.
Execute the following command to display the status of a BPDU Guard enabled port that is in ErrDis state. This command is applicable for ports in both the Global RSTP and Instance RSTP (PVST) modes.
(host) (config-if) #show spanning-tree interface gigabitethernet 0/0/4
The WAN (Wide Area Network) dashboard, in the Dashboard section of the WebUI, is the landing page for the branch switch. The WAN dashboard provides the WAN summary details for VLANs. The following figure shows a snapshot of the WAN summary dashboard:
  Alerts: Lists the last five alerts with time stamp and description.
  Usage: Displays traffic based on Application Category or Application.
  Compression: Displays compression that occurred on all VLANs together.
An example of an 802.1X authentication server is the Internet Authentication Service (IAS) in Windows (see http://technet.microsoft.com/en-us/library/cc759077(WS.10).aspx). In Alcatel-Lucent user-centric networks, you can terminate the 802.1X authentication on the switch. The switch passes user authentication to its internal database or to a “backend” non-802.1X server. This feature, also called AAA FastConnect, is useful for deployments where an 802.1X EAP-compliant RADIUS server is not...
Figure 45 802.1X Authentication with RADIUS Server
The supplicant and the authentication server must be configured to use the same EAP type. The switch does not need to know the EAP type used between the supplicant and authentication server.
If you use an LDAP server for user authentication, you need to configure both the LDAP server and the user IDs and passwords on the switch. If you use a RADIUS server for user authentication, you need to configure the RADIUS server on the switch.
If you change a setting on one tab, then click and display the other tab without saving your configuration, that setting will revert to its previous value.
  Enforce Suite-B 128 bit or more security level Authentication: Configure Suite-B 128 bit or more security level authentication enforcement.
  Enforce Suite-B 192 bit or more security level Authentication: Configure Suite-B 192 bit or more security level authentication enforcement.
Advanced 802.1X Authentication Settings
Attempts: Set to 0 to disable blacklisting; otherwise enter a value from 0-5 to blacklist the user after the specified number of failures. NOTE: If changed from its default value, this option may require a license.
If the client does not support this feature, the client will attempt to renegotiate the key whenever it roams to a new AP. As a result, the key cached on the switch can be out of sync with the client's key.
Select Handle EAPOL-Logoff to enable handling of EAPOL-LOGOFF messages. This option is disabled by default.
Ignore EAP ID during negotiation: Select Ignore EAP ID during negotiation to ignore EAP IDs during negotiation. This option is disabled by default.
Server Certificate—A server certificate installed in the switch verifies the authenticity of the switch for 802.1X authentication. Alcatel-Lucent switches ship with a demonstration digital certificate. Until you install a customer-specific server certificate in the switch, this demonstration certificate is used by default for all secure HTTP connections (such as the WebUI and captive portal) and AAA FastConnect.
Passed | Failed | Machine authentication succeeded and user authentication has not been initiated. Server-derived roles do not apply. | default machine role configured in the 802.1X authentication profile
AP profile.
present on the server) and user authentication succeeded.
Passed | Failed | Machine authentication succeeded and user authentication has not been initiated. | VLAN configured in the virtual AP profile
5. Enter the password again in the Confirm Password field and reconfirm it.
6. Click Apply and Reboot (at the bottom of the page).
In the CLI
(host) (config)# provision-ap
(host) (AP provisioning) # apdot1x-username <username>
(host) (AP provisioning) # apdot1x-passwd <password>
An EAP-compliant RADIUS server provides the 802.1X authentication. The RADIUS server administrator must configure the server to support this authentication. The administrator must also configure the server to allow communications with the Alcatel-Lucent switch. The authentication type is WPA. From the 802.1X authentication exchange, the client and the switch derive dynamic keys to encrypt data transmitted on the wireless network.
  user alias “Internal Network” svc-pop3 deny
  user alias “Internal Network” svc-ftp deny
  user alias “Internal Network” svc-smtp deny
  user alias “Internal Network” svc-snmp deny
  user alias “Internal Network” svc-ssh deny
(host)(config) #user-role student
  session-acl student
  session-acl allowall
a. For Name, enter working-hours.
b. For Type, select Periodic.
c. Click Add.
d. For Start Day, click Weekday.
e. For Start Time, enter 07:30.
f. For End Time, enter 17:00.
g. Click Done.
9. Under Firewall Policies, click Add. In Choose from Configured Policies, select the guest policy you previously created. Click Done.
In the CLI
(host)(config) #time-range working-hours periodic
  weekday 07:30 to 17:00
(host)(config) #ip access-list session guest
  user host 10.1.1.25 svc-dhcp permit time-range working-hours
Class to the switch; the value of this attribute is set to either “student,” “faculty,” or “sysadmin” to identify the user’s group. The switch uses the literal value of this attribute to determine the role name.
b. Select the profile name you just added.
c. Select Enforce Machine Authentication.
d. For the Machine Authentication: Default Machine Role, select computer.
e. For the Machine Authentication: Default User Role, select guest.
f. Click Apply.
63. VLANs 60 and 61 split users into smaller IP subnetworks, improving performance by decreasing broadcast traffic. The VLANs are internal to the Alcatel-Lucent switch only and do not extend into other parts of the wired network. The clients’ default gateway is the Alcatel-Lucent switch, which routes traffic out to the 10.1.1.0 subnetwork.
AP profile contains the SSID profile “guest” which configures static WEP with a WEP key.
In the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. In the AP Group list, click Edit for first-floor.
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. In the AP Group list, click Edit for the first-floor.
3. In the Profiles list, select Wireless LAN and then Virtual AP.
b. Select value-of from the drop-down list.
c. Select Set Role from the drop-down list.
d. Click Add.
5. Click Apply.
In the CLI
(host)(config) #aaa server-group internal
  set role condition Role value-of
(host)(config) #vlan 61
(host)(config) #interface vlan 61
  ip address 10.1.61.1 255.255.255.0
  ip helper-address 10.1.1.25
(host)(config) #vlan 63
(host)(config) #interface vlan 63
  ip address 10.1.63.1 255.255.255.0
  ip helper-address 10.1.1.25
(host)(config) #ip default-gateway 10.1.1.254
8. In the Profiles list, select Wireless LAN and then Virtual AP.
9. Select guest from the Add a profile drop-down list. Click Add.
10. Click Apply.
In the CLI
(host)(config) #wlan ssid-profile guest
  essid guest
  wepkey1 aaaaaaaaaa
A pop-up window displays the configured AAA profile parameters. Click Apply.
c. From the SSID profile drop-down list, select WLAN-01. A pop-up window displays the configured SSID profile parameters. Click Apply.
d. At the bottom of the Profile Details page, click Apply.
[Table 75 (garbled in extraction): Association, 802.1X authentication Success/Fail with dynamic- and static- options, and Role Assignment (logon)]
Table 75 describes the different authentication possibilities.
In the CLI
(host)(config) #aaa profile test
  l2-auth-fail-through
This feature allows single sign-on (SSO) for different web-based applications using Layer 2 authentication information. Single sign-on for web-based applications uses Security Assertion Markup Language (SAML), which happens between the web service provider and an identity provider (IDP) that the web server trusts. A request
Enabling application SSO using L2 network information requires configuration on the switch and on the IDP server. The Alcatel-Lucent ClearPass Policy Manager (CPPM) is the only IDP supported. The switch has been optimized to work with CPPM to provide better functionality as an IDP.
2. Under IDP Server Certificate, select the IDP certificate from the Server Certificate drop-down menu.
3. Click Apply.
In the CLI
(host)(config) #web-server profile
(host)(Web Server Configuration) #idp-cert <name of the certificate>
Using Device Name as User Name
In the CLI
(host) (config) #aaa profile <profile>
(host) (AAA Profile “<profile>”) #username-from-dhcp-opt12
NTLM authentication must be assigned to the user role specified in the Stateful NTLM Authentication profile. Alcatel-Lucent’s stateful NTLM authentication does not support placing users in various roles based upon group membership or other role-derivation attributes.
Stateful 802.1X profile.
Configuring Stateful 802.1X Authentication
When you configure 802.1X authentication for clients on non-Alcatel-Lucent APs, you must specify the group of RADIUS servers that performs the user authentication and select the role to assign to users who successfully complete authentication.
1. Navigate to the Configuration > Security > Authentication > L3 Authentication page.
2. In the Profiles list, expand the Stateful NTLM Authentication Profile.
3. To define settings for an existing profile, click that profile name in the profiles list.
1. Navigate to the Configuration > Security > Authentication > L3 Authentication page.
2. In the Profiles list, expand the Stateful Kerberos Authentication Profile.
3. To define settings for an existing profile, click the profile name in the Profiles list.
Save As in the right window pane. Enter a name for the new profile in the entry field at the top of the right window pane.
4. Define values for the parameters below.
RADIUS server used for WISPr authentication, and the second set adds that server to a server group. The third set of commands associates that server group with the WISPr authentication profile, then defines the profile settings.
(host)(config)# aaa authentication-server radius <rad_server_name>
  host 172.4.77.214
  key qwERtyuIOp
  enable
  nas-identifier corp_venue1
CA. A revocation checkpoint is a logical profile that is tied to each CA certificate that the switch has (trusted or intermediate). Also, the user can specify revocation preferences within each profile. The OCSP request is not signed by the Alcatel-Lucent OCSP client at this time. However, the OCSP response is always signed by the responder.
Therefore, even unsigned OCSP requests are supported. The switch as an OCSP responder provides revocation status information to Alcatel-Lucent applications that use CRLs. This is useful in small disconnected networks where clients cannot reach an outside OCSP server to validate certificates.
6. Click Upload. The certificate appears in the Certificate Lists pane.
7. For detailed information about an uploaded certificate, click View next to the certificate.
Figure 48 View certificate details
8. Select the Revocation Checkpoint tab.
7. For detailed information about an uploaded CRL, click View next to the CRL.
8. Select the Revocation Checkpoint tab.
9. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to configure. The Revocation Checkpoint pane displays.
10. Select the OCSP signer cert from the OCSP Certificates drop-down menu to be used to sign OCSP responses for this revocation check point.
11. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to configure. The Revocation Checkpoint pane displays.
“client1-rg,” the username is “test1,” the role name is “root,” and the rcp is “ca-rg:”
(host)(config) #mgmt-user ssh-pubkey client-cert client1-rg test1 root ?
rcp   Revocation Checkpoint for ssh user's client certificate
(host)(config) #mgmt-user ssh-pubkey client-cert client1-rg test1 root rcp ca-rg
These parameters will be picked up directly from the certificate. The WebUI path and the CLI command to enable OCSP certificate verification are as follows.
In the WebUI
To enable OCSP certificate verification in the WebUI, perform the following steps:
1. Navigate to Configuration > Advanced Services > All Profiles.
(host) (VIA Connection Profile "default") #show aaa authentication via connection-profile default
VIA Connection Profile "default"
--------------------------------
Parameter                                 Value
---------                                 -----
VIA Servers
Client Auto-Login                         Enabled
VIA Authentication Profiles to provision
OCSP Cert verification enabled            Disable
User idle timeout
You can also configure captive portal to allow clients to download the Alcatel-Lucent VPN dialer for Microsoft VPN clients if the VPN is to be terminated on the switch. For more information about the VPN dialer, see...
(without the PEFNG license) and with the license installed.
Switch Server Certificate
The Alcatel-Lucent switch is designed to provide secure services through the use of digital certificates. A server certificate installed in the switch verifies the authenticity of the switch for captive portal.
2. To specify authentication servers, select Server Group under the captive portal authentication profile you just configured.
  a. Select the server group (for example, cp-srv) from the drop-down menu.
  b. Click Apply.
3. Select the AAA Profiles tab.
20 Using Captive Portal with a PEFNG License
The PEFNG license provides identity-based security for wired and wireless users. There are two user roles that are important for captive portal:
Configuring Captive Portal in the WebUI
To configure captive portal with a PEFNG license via the WebUI:
10. Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration parameters.
  a. Make sure Virtual AP enable is selected.
  b. For VLAN, select the VLAN to which users are assigned (for example, 20).
  c. Click Apply.
DHCP requests. Allows ICMP exchanges between the user and the switch during business hours. block-internal-access is a policy that you create that denies user access to the internal networks.
2. Select Add to add the guest-logon-access policy.
3. For Policy Name, enter guest-logon-access.
4. For Policy Type, select IPv4 Session.
5. Under Rules, select Add to add rules for the policy.
  a. Under Source, select user.
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Select Add to add the guest-logon-access policy.
3. For Policy Name, enter auth-guest-access.
4. For Policy Type, select IPv4 Session.
2. Select Add to add the block-internal-access policy.
3. For Policy Name, enter block-internal-access.
4. For Policy Type, select IPv4 Session.
5. Under Rules, select Add to add rules for the policy.
8. For Choose from Configured Policies, select guest-logon-access from the drop-down menu.
9. Click Done.
10. Under Firewall Policies, click Add.
11. For Choose from Configured Policies, select block-internal-access from the drop-down menu.
(host)(config) #netdestination “Public DNS”
  host 64.151.103.120
  host 216.87.84.209
Creating a Guest-Logon-Access Policy
To create a guest-logon-access policy via the command-line interface, access the CLI in config mode and issue the following commands:
Guests using the WLAN are assigned to VLAN 900 and are given IP addresses via DHCP from the switch.
In the WebUI
1. Navigate to the Configuration > Network > VLANs page.
  a. Select the VLAN ID tab.
c. For Default Role, select auth-guest.
d. Select User Login.
e. Deselect (uncheck) Guest Login.
f. Click Apply.
2. Select Server Group under the guestnet captive portal authentication profile you just created.
SSID profile guestnet (which configures opensystem for the SSID) and the AAA profile guestnet. To configure the guest WLAN via the WebUI:
1. Navigate to the Configuration > Wireless > AP Configuration page.
Configuring Captive Portal Configuration Parameters
Table 77 describes configuration parameters on the WebUI Captive Portal Authentication profile page. In the CLI, you configure these options with the aaa authentication captive-portal commands.
Default: Disabled
Authentication Protocol: Select the PAP, CHAP or MS-CHAPv2 authentication protocol. NOTE: Do not use the CHAP option unless instructed to do so by an Alcatel-Lucent representative.
If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the blacklist.
Show Acceptable Use Policy Page: Show the acceptable use policy page before the logon page. Default: Disabled
WLAN that will use captive portal. For example, if you want to have different captive portal login pages for the engineering, business and faculty departments, you need to create and configure according to Table
Click Apply.
To change the protocol to HTTP via the command-line interface, access the CLI in config mode and issue the following commands:
(host)(config) #aaa authentication captive-portal profile
  protocol-http
To redirect proxy server traffic using the WebUI:
1. For captive portal with the Alcatel-Lucent base operating system, edit the captive portal authentication profile by navigating to the Configuration > Security > Authentication > L3 Authentication page.
3. Click Add to add the rule. Use the up arrows to move this rule above the rules that perform destination NAT.
4. Click Apply.
To allow clients to download the proxy script via the command-line interface, access the CLI in config mode and issue the following commands:
1. Navigate to the Configuration > Management > Captive Portal > Customize Login Page page. You can choose one of three page designs. To select an existing design, click the first or the second page design present.
View CaptivePortal link. The User Agreement Policy page appears. The text you entered appears in the Acceptable Use Policy text box.
  c. Click Accept. This displays the Captive Portal page as it will be seen by users.
In addition to customizing the default captive portal page, you can also create your own internal web page. A custom web page must include an authentication form to authenticate a user. The authentication form can include any of the following variables listed in Table
Sets the size of the input box to 25
VALUE=""   Ensures no default value
FQDN
Example Minimal:
<SELECT name=fqdn>
<OPTION value="fqdn1" SELECTED>
<OPTION value="fqdn2">
</SELECT>
Recommended Options: None
Finally, an HTML form also requires an input button:
<INPUT type="submit">
Note that for this feature to work, you need AOS-W release 2.4.2.0 or later. If you don't want this feature, delete the part of the script shown in red.
<script>
function createCookie(name,value,days)
Lucent captive portal system. However, other than posting site-specific messages onto the captive portal website, the most common type of customization is likely to be language localization. This section describes a simple method for creating a native language captive portal implementation using the Alcatel-Lucent internal captive portal system.
"/auth/" in front of the image file. The original link should look similar to the following:
<img src="default1/logo.gif"/>
This should be replaced with a link like this:
<img src="/auth/default1/logo.gif"/>
d. Insert JavaScript to handle error cases:
In order to check that your site is operating correctly, go back to the "Customize Login Page" and click on "View Captive Portal" to view the page you have uploaded. Check that your browser has automatically detected the character set and that your text is not garbled.
In order to actually use this file, you will need to configure the welcome page on the switch. To do this, use the CLI command:
"aaa captive-portal welcome-page /upload/welc.html"
where "welc.html" is the name of the file
In AOS-W 6.4.x, the user receives an "Authentication failed" message regardless of the reason. In AOS-W 6.5, ClearPass can now include the reason why it is rejecting in the
Title: set the second parameter in the window.open command to be the title of the pop-up box. Be sure to include the quotes as shown:
<script language="JavaScript">
var url="/upload/popup.html";
var w=210;
On the Internet, a walled garden typically controls a user's access to web content and services. The walled garden directs the user's navigation within particular areas to allow access to a selection of websites or prevent access to other websites.
It then adds the destination name Mywhite-list (which contains the allowed domain names example.com and example.net) to the white list.
(host)(config)# netdestination "Mywhite-list"
(host)(config)#name example.com
(host)(config)#name example.net
(host) (config) #aaa authentication captive-portal default
(host)(Captive Portal Authentication Profile "default")#white-list Mywhite-list
Use the following commands to provide a description for an IPv6 netdestination:
(host) (config) #netdestination6 Local-Server6
(host) (config-dest) #description "This is a local server for IPv6 client registration"
The following command displays the details of the specified IPv4 netdestination:
Verifying a Captive Portal Profile Linked to a Whitelist
Use the following commands to verify the Captive Portal profile linked to the whitelist:
(host) (config) #show aaa authentication captive-portal CP_Profile
This eventually delays the loading of the Captive Portal page and logging into Captive Portal. Most of this increased activity comes from non-browser-based applications running on smart phones and tablets.
Captive Portal profile. This adds the required ACL policies to permit IPv6 traffic to the domain.
In the CLI
(host) (config) #netdestination6 <string> name <host_name>
Virtual Private Networks
Wireless networks can use virtual private network (VPN) connections to further secure wireless data from attackers. The Alcatel-Lucent switch can be used as a VPN concentrator that terminates all VPN connections from both wired and wireless clients.
IKE_AUTH packets using the standards described in RFC 7383 (Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation) when the Aruba device acts as a responder and not as an initiator.
Understanding Suite-B Encryption Licensing
Alcatel-Lucent switches support Suite-B cryptographic algorithms when the Advanced Cryptography (ACR) license is installed. Table 80 describes the Suite-B algorithms supported by AOS-W IKE Policies and IPsec tunnels.
Table 80 are also supported by Site-to-Site VPNs between Alcatel-Lucent switches, or between an Alcatel-Lucent switch and a server running Windows 2008 or StrongSwan 4.3.
Working with IKEv2 Clients
Not all clients support both the IKEv1 and IKEv2 protocols. Only the clients in...
Not supported | CPSEC-whitelist
Working with Certificate Groups
The certificate group feature allows you to access multiple types of certificates on the same switch. To create a certificate group, use the following command:
Authentication failures before the station is blacklisted: 0 (feature is disabled) | 0 (feature is disabled) | 0 (feature is disabled)
Check certificate common name against AAA server: disabled | enabled | enabled
9. In the Default profile menu in the left window pane, select Server Group.
10. From the Server Group drop-down list, select the server group to be used for VPN authentication.
11. Click Apply.
2. Navigate to Configuration > Advanced Services > VPN Services and click the IPSEC tab.
3. To enable L2TP, select Enable L2TP (this is enabled by default).
4. Select the authentication method for IKEv1 clients. Currently supported methods include:
Password Authentication Protocol (PAP)
VPN clients using IKE. Note that these certificates must be imported into the switch, as described in Management Access on page 833.
1. Select the server certificate for client machines using IKE by clicking the IKE Server Certificate drop-down list and selecting an available certificate name.
6. AOS-W VPNs support client authentication using pre-shared keys, RSA digital certificates, or Elliptic Curve Digital Signature Algorithm (ECDSA) certificates. To set the authentication type for the IKE rule, click the Authentication drop-down list and select one of the following:
Click the Transform Set drop-down list, and select the transform set for the dynamic peer. To view current configuration settings for an IPsec transform-set, access the command-line interface and issue the command crypto ipsec transform-set tag <transform-set-name>.
<seconds>
Configuring a VPN for L2TP/IPsec with IKEv2
Only clients running Windows 7 (and later versions), StrongSwan 4.3, and Alcatel-Lucent VIA support IKEv2. For additional information on the authentication types supported by these clients, see "Working with IKEv2 Clients" on page 348.
8. Navigate to Configuration > Advanced Services > VPN Services and click the IPSEC tab to return to the IPSEC window.
9. Click the NAT Pool drop-down list and select the NAT pool you just created.
The IKE policy selections must be reflected in the VPN client configuration. When using a third-party VPN client, set the VPN configuration on clients to match the choices made above. In case the Alcatel-Lucent dialer is used, these configurations must be made on the dialer prior to downloading the dialer onto the local client.
Click the Set PFS drop-down list and select one of the following groups:
Group 1: 768-bit Diffie-Hellman prime modulus group.
Group 2: 1024-bit Diffie-Hellman prime modulus group.
Group 14: 2048-bit Diffie-Hellman prime modulus group.
Ensure that the RADIUS server is part of the server group used for VPN authentication. Configure other VPN settings as described in Configuring a VPN for L2TP/IPsec with IKEv2 on page 356, while selecting the following options:
In the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPsec tab, enable L2TP.
In the L2TP and XAUTH Parameters section of the Configuration > VPN Services > IPsec tab, select PAP as the authentication protocol.
Aggressive Mode section of the Configuration > VPN Services > IPsec tab, enter the authentication group name for aggressive mode to associate this setting to multiple clients. Make sure that the group name matches the aggressive mode group name configured in the VPN client software.
5. Configure the primary and secondary WINS Server IP addresses that are pushed to the VPN Dialer.
6. Configure the VPN Address Pool.
a. Click Add. The Add Address Pool window displays.
Site-to-site VPNs allow sites in different locations to securely communicate with each other over a Layer-3 network such as the Internet. You can use Alcatel-Lucent switches instead of VPN concentrators to connect the sites. You can also use a VPN concentrator at one site and a switch at the other site.
Pre-shared Key Authentication with IKE Aggressive Mode: The Alcatel-Lucent switch with a dynamic IP address must be configured as the initiator of IKE Aggressive-mode for Site-Site VPNs, while the switch with a static IP address must be configured as the responder of IKE Aggressive mode. Note that when the switch is operating in FIPS mode, IKE aggressive mode must be disabled.
L3 GRE tunnel or tunnel group. For more information on creating a routing ACL, see Creating a Firewall Policy on page 376.
The IKE policy selections, including any pre-shared key, must be reflected in the VPN client configuration. When using a third-party VPN client, set the VPN configuration on clients to match the choices made above. If you use the Alcatel-Lucent dialer, you must configure the dialer prior to downloading the dialer onto the local client.
For a static IP switch that responds to IKE Aggressive-mode for Site-Site VPN:
crypto-local ipsec-map <name2> <priority>
src-net <ipaddr> <mask>
dst-net <ipaddr> <mask>
peer-ip 0.0.0.0
peer-fqdn fqdn-id <peer_id_fqdn>
vlan <id>
trusted enable
For the Pre-shared-key:
(host)(config) #crypto-local isakmp key <key> fqdn <fqdn-id>
(host)(config) #crypto ipsec transform-set test esp-null esp-sha-hmac
Execute the following commands to add the transform set to the crypto map you created:
(host)(config) #crypto-local ipsec-map test_map 500
(host)(config-ipsec-map) #set transform-set test
You can do this in the CLI by using the crypto isakmp policy and crypto dynamic-map commands, or in the WebUI by navigating to Advanced Services > VPN Services > IPSEC and using the Delete button next to the default IKE policy or IPsec dynamic map you want to delete.
... | Pre-shared key | hmac-sha1 | 2 (1024 bit) | ... protection suite
Default 10008 | IKEv2 | AES-128 | SHA 256-128bit | ECDSA-256 Signature | hmac-sha2-256 | Random ECDSA Group (256 bit) | Suite-B protection suite
If a pre-shared key is configured for an IKE Shared Secret in the VPN Services > IPSEC window, enter the key. The key you enter in the Dialers window must match the pre-shared key configured on the IPsec page.
In the CLI
To configure the Captive Portal dialer for a user-role via the CLI, access the CLI in config mode and issue the following commands:
(host) (config) #user-role <role>
dialer <name>
A policy is a set of rules that applies to traffic that passes through the Alcatel-Lucent switch. You specify one or more policies for a user role. Finally, you can assign a user role to clients before or after they authenticate to the system.
This section describes how to configure the rules that constitute a firewall policy. A firewall policy can then be applied to a user role (until the policy is applied to a user role, it does not have any effect). Table 86 describes required and optional parameters for a rule.
Configuration > Advanced Services > Stateful Firewall > Network Services page.
protocol: Using this option, you specify a different layer 4 protocol (other than TCP/UDP) by configuring the IP protocol value.
This option redirects traffic to the configured IP address and destination port. An example of this option is to redirect all HTTP packets to the captive portal port on the Alcatel-Lucent switch as used in the pre-defined policy called "captiveportal". This action functions in tunnel/decrypt-tunnel forwarding mode.
Rules can be re-ordered by using the up and down buttons provided for each rule.
7. Click Apply to apply this configuration. The policy is not created until the configuration is applied.
In the CLI
(host)(config) #ip access-list session web-only
3. Select Deny Inbound Connections from Malicious IP Addresses and Deny Outbound Connections from Malicious IP Addresses to block inbound and outbound connections to malicious IP addresses.
4. Click Apply.
In the CLI
To enable the IP reputation/geolocation classification-based firewall, execute the following command:
If you selected Range, enter the starting and ending port numbers in the Starting Port and End Port fields. If you selected List, enter a comma-separated list of port numbers.
Source drop-down list: For a specific IPv4 or IPv6 filter, select IP/Mask. Enter the IP address and mask of the IPv4 or IPv6 filter in the corresponding fields.
In the Add rule option, enter the Role Type as Override, the VLAN you want to offset, and the VLAN offset number, which is the Netmask/range.
Figure 52 Net Destination Override
(config) #show acl ace-table acl
744: any 55.55.55.36 255.255.255.255 f80001:permit
745: 55.55.55.36 255.255.255.255 any f80000:deny
746: any any f180000:deny
Creating an IP Whitelist
This feature allows you to whitelist a range of IP addresses.
10. Next, you must assign the user role to an AAA profile. After assigning the user role, you can use the show reference user-role <role> command to see the profiles that reference this user role. For more information, see Assigning User Roles on page 387.
You cannot delete a user-role that is referenced by a profile or a server-derived role. Deleting a server-referenced role will result in an error. Remove all references to the role and then perform the delete operation.
SSID (even if the attribute is not returned by the server). Server-derivation rules are executed after client authentication. 5. The user role can be derived from Alcatel-Lucent Vendor-Specific Attributes (VSA) for RADIUS server authentication. A role derived from an Alcatel-Lucent VSA takes precedence over any other user roles.
(rule) based upon the encryption type used by the client.
Condition: equals / does not equal
Value: One of the following: Open (no encryption), WPA/WPA2 AES, WPA-TKIP (static or dynamic), Dynamic WEP, WPA/WPA2 AES PSK, Static WEP, xSec.
Device Type Classification option in the AP's AAA profile. For details, see WLAN Authentication on page 438.
Configuring a User-derived VLAN in the WebUI
1. Navigate to the Configuration > Security > Authentication > User Rules page.
Be aware that each device type may not have a unique DHCP fingerprint signature. For example, devices from different manufacturers may use vendor class identifiers that begin with similar strings. If you create a DHCP-
Many Network Address Server (NAS) vendors, including Alcatel-Lucent, use VSAs to provide features not supported in standard RADIUS attributes. For Alcatel-Lucent systems, VSAs can be employed to provide the user role and VLAN for RADIUS-authenticated clients; however, the VSAs must be present on your RADIUS server.
183. Dictionary files that contain Alcatel-Lucent VSAs are available on the Alcatel-Lucent support website for various RADIUS servers. Log into the Alcatel-Lucent support website to download a dictionary file from the Tools folder.
Configuring a Standard Role
Starting from AOS-W 6.5.1.0, a new management role, the Standard role, is supported; it has all root privileges but cannot make changes to the management users.
You can configure user role policies that prevent Layer-3 traffic between users or networks, but this does not block Layer-2 traffic. This option can be used to prevent traffic, such as Appletalk or IPX, from being forwarded.
Default: Disabled
Default: Disabled
Log ICMP Errors: Enables logging of received ICMP errors. You should not enable this option unless instructed to do so by an Alcatel-Lucent representative.
Default: Disabled
Stateful SIP Processing: Disables monitoring of exchanges between a voice over IP or voice over WLAN device and a SIP server.
Normally, one event is logged per session. If you enable this option, each packet in the session is logged. You should not enable this option unless instructed to do so by an Alcatel-Lucent representative, as doing so may create unnecessary overhead on the switch.
Specifies the trusted unicast traffic rate limit. Range is 1-65535 packets per second (pps). Default: 65535 pps
Rate limit CP trusted mcast traffic: Specifies the trusted multicast traffic rate limit. Range is 1-65535 packets per second (pps). Default: 1953 pps
2. Check the Enable Deep Packet Inspection option. To disable DPI, uncheck the checkbox.
3. Click Apply.
4. Reload the switch.
In the CLI
To enable global DPI:
(host)(config) #firewall dpi
(host) #reload
It can be modified using the WebUI, CLI, or dashboard on a master switch; however, any modification results in the regeneration of ACEs for that role. It cannot be applied to any other role.
An optional exclude list is provided that allows you to exclude applications or application categories to which a generic user/role bandwidth contract is not applied.
In the CLI
To configure the bandwidth application-specific parameters using the CLI, access the command-line interface in config mode, and issue the following commands:
(host)config t #user-role <string>
(host)(config-role) #bw-contract exclude
In ClearPass Policy Manager, two or more attributes (as listed above) should not have the same name. The example below is considered invalid, as both attributes use test as the profile/net destination name.
qos-profile test
netdestination test
1. From the Configuration > Network > Devices page, click the Add Device link.
2. On the Device tab, enter the Name, IP or Subnet Address, and RADIUS Shared Secret fields. Keep the rest of the fields as default.
Keep the rest of the fields as default.
5. Click Next. For the rest of the configuration, see Advanced Role Configuration Mode. The fields are described in Figure 55 Table
3. In the Value field, enter the attribute for the downloadable-role.
4. Click the save icon to save the attribute.
5. Click Save to save the enforcement profile. The fields are described in Figure 56 Table
3. From the Default Profile drop-down list, select [Deny Access Profile]. Keep the rest of the fields as default.
4. Click Next. The fields are described in Figure 57 Table
Figure 57 Enforcement Policies Enforcement Tab
Drop-down list of context-appropriate (with respect to the attribute) operators. In this example, select EQUALS.
Value: Drop-down list of the Authentication source database. In this example, select [Local User Repository].
Profile Names: Name of the RADIUS enforcement profile.
5. On the Authentication tab, select [Local User Repository] [Local SQL DB] from the Authentication Sources drop-down list. Keep the rest of the fields as default.
6. Click Next twice. The fields are displayed in Figure
For additional command parameters, see the AOS-W 6.4.x CLI Reference Guide.
Configuring a ClearPass Policy Manager Server on Switch
(host) (config) #aaa authentication-server radius cppm_server
(host) (RADIUS Server "cppm_server") #host <ip_address_of_cppm_server>
(host) (RADIUS Server "cppm_server") #key <shared_secret>
AP’s Basic Service Set Identifier (BSSID) which is usually the AP’s MAC address. In the Alcatel-Lucent network, an AP uses a unique BSSID for each WLAN. Thus, a physical AP can support multiple WLANs. The WLAN configuration applied to a BSSID on an AP is called a virtual AP. You can configure and apply multiple virtual APs to an AP group or to an individual AP by defining one or more virtual AP profiles.
Toronto (see Table 96).
Table 96: Applying WLAN Profiles to AP Groups
WLAN Profiles | "default" AP Group | "Toronto" AP Group
Virtual AP | "Corpnet-Ed" | "Corpnet-Tr"
SSID | "Corpnet" | "Corpnet"
 | "E-Servers" | "T-Servers"
Whenever you create a new virtual AP profile in the WebUI, the profile automatically contains the "default" SSID profile with the default "Alcatel-Lucent-ap" ESSID. You must configure a new ESSID and SSID profile for the virtual AP profile before you apply the profile.
The band(s) on which to use the virtual AP:
a: 802.11a band only (5 GHz).
g: 802.11b/g band only (2.4 GHz).
all: both 802.11a and 802.11b/g bands (5 GHz and 2.4 GHz). This is the default setting.
ARP parameter on the virtual AP profile to prevent ARP requests from being dropped. You can enable this parameter by checking the Convert Broadcast ARP requests to unicast check box as described in the following parameter description.
AP profiles. If the setting to deny inter-user traffic is disabled globally but enabled on an individual virtual AP, only the traffic between un-trusted users and the clients on that particular virtual AP will be blocked.
FDB Update on Assoc: This parameter enables seamless failover for silent clients, allowing them to re-associate. If you select this option, the switch will generate a Layer 2 update on behalf of the client to update forwarding tables in bridge devices. Default: Disabled
5. If a plus [+] sign appears beside an associated profile category, there is more than one profile type in that category. Select that profile category to display the associated profiles within that category.
1. Navigate to the Configuration > Wireless > AP Configuration > AP Specific page.
2. Do one of the following: If the AP you want to exclude is included in the list, click Edit for the AP.
The handover process is available for voice clients that support the 802.11k standard and have the ability to transmit and receive beacon reports. For information on configuring the handoff trigger feature, see Enabling Wi-Fi Edge Detection and Handover for Voice Clients on page 976.
802.11k profile name in the field to the right of the drop-down list.
4. Configure your 802.11k radio settings. Table 98 outlines the parameters you can configure in the 802.11k profile. Click Apply to save your settings.
AP Channel Reports in 'A' band: This value is sent in the 'Channel' field of the AP channel reports on the 'A' radio. You can specify values in the range 34 to 165. The default value is 36.
Configuring Radio Resource Management Information Elements
AOS-W supports the following radio resource management information elements (RRM IEs) for APs with 802.11k support enabled. These settings can be enabled through the WebUI or CLI.
802.11k capability is enabled. A value of "Disabled" prevents the advertisement of the Quiet IE in the beacon frames when 802.11k capability is enabled.
4. Click Apply Changes to save your settings.
The Measurement Duration is set to the duration of the requested measurement. It is expressed in units of TUs. This field can be given a value in the range (0, 65535). The default value is 0.
To select the information to be sent in TSM report requests using the WebUI:
1. Navigate to Configuration > Advanced Services > All Profile Management.
2. Expand the Wireless LAN menu and select TSM Report Request.
In the CLI
To select the information to be sent in TSM report requests using the command-line interface, access the CLI in config mode and issue the following command.
(host) (config)#wlan tsm-req-profile <profile>
Fast BSS Transition establishes security and QoS states at the target AP before or during a re-association. This minimizes the time required to resume data connectivity when a BSS transition happens. The following table provides the modes in which Fast BSS Transition is supported:
Enter the mobility domain ID value (1-65535) in the 802.11r Mobility Domain ID field. The default value is 1.
c. Enter the R1 Key timeout value in seconds (60-86400) for decrypt-tunnel or bridge mode in the 802.11r R1 Key Duration field. The default value is 3600.
Layer 3 protocol such as IP. A switch configured to advertise a bSec SSID will advertise an open network; however, only bSec frames will be permitted on the network. This feature requires the ACR license.
Follow the procedures below to create a new SSID profile and associate that profile to your Virtual AP.
In the WebUI
1. Navigate to Configuration > ADVANCED SERVICES > All Profiles.
2. In the Profiles list, expand the Wireless LAN menu, then select SSID.
Advanced SSID Profile Settings
SSID Enable: Click this checkbox to enable or disable the SSID. The SSID is enabled by default.
Encryption: Select one of the following encryption types:
When using wireless clients that employ power management features to sleep, the client must revive at least once during the DTIM period to receive broadcasts
for WMM clients: Override the default DSCP mappings in the SSID profile with the ToS value. This setting is useful when you want to set a non-default ToS value for specific traffic.
Third Static WEP key associated with the key index. Can be 10 or 26 hex characters in length.
WEP Key 4: Fourth Static WEP key associated with the key index. Can be 10 or 26 hex characters in length.
802.11a Beacon Rate: Click this drop-down list to select the beacon rate for 802.11a (use for Distributed Antenna System (DAS) only). Using this parameter in normal operation may cause connectivity problems.
Beacon frames and Probe Response frames. The AP's latitude, longitude and altitude can be configured on the Configuration > Wireless > AP Installation page of the switch WebUI, or using the provision-ap command in the switch command-line interface.
Enable OKC: OKC is available for authentication between multiple APs in a network where those APs are under common administrative control. An Alcatel-Lucent deployment with multiple APs under the control of a single switch is one such example. Using OKC, a station roaming to any AP in the network will not have to complete a full authentication exchange, but will instead just perform the 4-way handshake to establish transient encryption keys.
The global client table shown in the Monitoring > Network > All WLAN Clients window shows each client's device type, if that client device can be identified.
Click the RADIUS Authentication Server Group drop-down list and select the MAC server group to associate with your AAA profile.
b. Click Apply.
Configuring an AAA Profile in the CLI
(host)(config) #aaa authentication dot1x <profile>
(host)(config) #aaa profile <profile>
40 MHz operation. By default, this option is disabled, and 40 MHz operation is allowed. If you do not want to use 40 MHz operation, select the 40MHz intolerance checkbox to enable this feature.
Advanced
802.11n CDD data. This option is disabled by default, and should only be enabled under the supervision of Alcatel-Lucent technical support. Use this feature to turn off antenna diversity when the AP must support legacy clients such as Cisco 7921g VoIP phones, or older 802.11g clients (e.g.
When this setting is enabled and the client is not responding to 802.11 packets, the AP will launch two hardware retries; if the hardware retries are not successful, it then attempts software retries. Default: Disabled.
Minimum time between the start of adjacent MPDUs within an aggregate MPDU, in microseconds. Range: 0 (No restriction on MPDU start spacing), .25 µsec, .5 µsec, 1 µsec, 2 µsec, 4 µsec. Default: 0.
VHT - Transmit Beamforming Sounding Interval: Time interval in milliseconds between channel information updates between the AP and the beamformed client. Default: 25 msec. NOTE: This is applicable for 802.11ac-capable APs only.
DHCP and possibly DNS if an outside DNS server is not available. In most cases, a public DNS is available. All other internal resources should be off limits for the guest. This restriction is usually achieved by denying any internal address space to the guest user.
IP Version drop-down list and select IPv6. 6. Click the Service drop-down list, select service, then select svc-http. 7. Click the Time Range drop-down list and select the time range you previously configured. 8. Click Add.
In the Profile Details, enter Guest for the Network Name. d. Select None for Network Authentication and Open for Encryption. e. Click Apply.
In the CLI
(host)(config) #wlan ssid-profile guest opmode opensystem
(host)(config) #wlan virtual-ap guest
AP. 4. Issue the command ap-name <group> virtual-ap <vap-profile> or ap-group <group> virtual-ap <vap-profile> to reassociate the AP or group of APs with the virtual AP profile.
Chapter 19 Adaptive Radio Management
Alcatel-Lucent’s Adaptive Radio Management (ARM) takes the guesswork out of RF management by using automatic, infrastructure-based controls to maximize client performance and enhance the stability and predictability of the entire Wi-Fi network.
ARM Feature Overviews
The following sections provide a general overview of the Adaptive Radio Management features:...
AOS-W version 3.3.x or later supports APs with the 802.11n standard, ensuring seamless integration of 802.11n devices into your RF domain. The Alcatel-Lucent AP’s 5 GHz band capacity simplifies the integration of new APs into your legacy network. You can also replace older APs with newer 802.11n-compliant APs while reusing your existing cabling and PoE infrastructure.
Understanding ARM Application Awareness Alcatel-Lucent APs keep a count of the number of data bytes transmitted and received by their radios to calculate the traffic load. When a WLAN gets very busy and traffic exceeds a predefined threshold, load-aware ARM dynamically adjusts scanning behavior to maintain uninterrupted data transfer on heavily loaded systems.
Client Match steers and aligns MU-MIMO-capable clients with MU-MIMO-capable radios using SNR values. Multiple MU-MIMO-capable clients can be grouped together on a MU-MIMO-capable radio. Successful MU-MIMO transmissions depend on the following:
Coverage Index: The AP uses this metric to measure RF coverage. The coverage index is calculated as x/y, where “x” is the AP’s weighted calculation of the Signal-to-Noise Ratio (SNR) on all valid APs on a specified 802.11 channel, and “y” is the weighted calculation of the Alcatel-Lucent AP's SNR the neighboring APs see on that channel.
There are two ways to create a new ARM profile. You can create an entirely new profile with all default settings using the WebUI or CLI interfaces, or you can make a copy of an existing profile using the CLI interface.
80MHz support: If enabled, this feature allows ARM to assign 80 MHz enabled channels on APs that support VHT. This setting is enabled by default.
However, if the wireless clients down on the floor do not have such a clear line back to the AP, you could end up with coverage gaps.
ARM profile with Multi Band enabled, that device will ignore this setting.)
VoIP Aware Scan: Alcatel-Lucent’s VoIP Call Admission Control (CAC) prevents any single AP from becoming congested with voice calls. When you enable CAC, you should... Default: Enabled
60 seconds.) If you disable Client Aware, the AP may change to a more optimal channel, but this change may also disrupt current client traffic.
Rogue AP Aware: If you have enabled both the Scanning and Rogue AP options, Alcatel-Lucent APs may change channels to contain off-channel rogue APs with active clients. This security feature allows APs to change channels even if the Client Aware setting is disabled. Default: Disabled
If one of these dual-radio devices are assigned an ARM profile with Multi Band enabled, that device will ignore this setting.)
The Alcatel-Lucent coverage index metric is a weighted calculation based on the RF coverage for all Alcatel-Lucent APs and neighboring APs on a specified channel. The Ideal Coverage Index specifies the ideal coverage that an AP should try to
Default: In 6.4.4.0 and later releases: default-a: 6; default-g: 6. In earlier 6.4.x...
ARM scanning if the load for the AP gets too high. The Load Aware Scan Threshold is the traffic throughput level an AP must reach before it stops scanning. Range: 0–20,000,000 bytes/second. (Specify 0 to disable this feature.)
The default values for these settings are recommended for most users, and caution should be used when changing them to a non-default value. For complete details on all client match configuration settings, refer to the AOS-W CLI Reference Guide.
When you first provision a single-radio AP, it initially operates in the radio band specified in its AP system profile. If the AP finds adequate coverage on multiple channels in its current band of operation, the mode-
GHz probe requests from a client if all the following conditions are met. The client has already probed the AP on the 5 GHz band and therefore is known to be capable of sending probes on the 5 GHz band.
Use the following commands to enable and set dynamic bandwidth switch:
(host) (config) #rf arm-profile default
(host) (Adaptive Radio Management (ARM) profile "default") #dynamic-bw
(host) (Adaptive Radio Management (ARM) profile "default") #dynamic-bw-beacon-failed-thresh
5. In the Profile Details pane, click the Station Shaping Policy drop-down list and select either default-access, fair-access or preferred-access. 6. Click Apply. The following table describes configuration settings available in the traffic management profile.
The following procedure configures the Hard Limit parameter in the Traffic management profile: 1. Navigate to the Configuration > Advanced Services > All Profiles page. 2. Under QOS > Traffic management on the Profiles pane, select the profile name.
(To create a new SSID AP profile, enter a name for a new profile in the Profile Details window, then click Add. The new profile will appear in the Profiles list. Select that profile to open the Profile Details pane.)
Alcatel-Lucent AP on another channel does not have any clients, load balancing will be enabled on that AP. When an AP has the spectrum load balancing feature enabled, the AP will send an association response with error code 17 to new clients trying to associate.
ARM feature and ARM scanning have been enabled. Optimal ARM performance requires that the APs have IP connectivity to their master switch, as it is the master switch that gives each AP the global
APs will only change channels due to interference if you enable ARM noise checking. Check to verify that the ARM Noise Threshold is set to a value higher than 0 dBm. The suggested setting for this threshold is 75 dBm.
The AOS-W Wireless Intrusion Prevention (WIP) features and configurations are discussed in this chapter. WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Alcatel-Lucent network, the WIP configuration is done on the master switch in the network.
To enable custom settings, click the Allow custom settings link to manually enable or disable the detection mechanisms for your clients. To revert to the standard settings from the custom settings mode, click the Revert to standard settings link.
To enable custom settings, click the Allow custom settings link to manually enable or disable the protection mechanisms for your clients. To revert to the standard settings from custom settings mode, click the Revert to standard settings link.
The Event table contains data links. Selecting these data links will display information, in the bottom table, related to the Event you selected. Again, remember to use the scroll bar at the right to view all the Events.
Suspected-Rogue AP: A suspected rogue AP is an unauthorized AP that may be plugged into the wired side of the network.
Manually-contained AP: An AP for which DoS is enabled manually.
Manual: User-triggered classification. External-Wired-MAC: The MAC address matched a set of known wired devices that are maintained in an external database. Mobility-Manager: The classification was determined by the mobility manager, AMP.
Understanding SNR specification
Each rule can have only one specification of the SNR. A minimum and/or maximum can be specified in each rule, and the specification is in SNR (dB).
APs, the RF medium, and the wired network. An authorized or valid-AP is defined as an AP that belongs to the WLAN infrastructure. The AP is either an Alcatel-Lucent AP or a third party AP. AOS-W automatically learns authorized Alcatel-Lucent APs.
Feature: Detecting AP Impersonation on page 486 | Trap: wlsxAPImpersonation | Syslog ID: 12600, 127006 | Command: ids impersonation-profile detect-ap-impersonation, beacon-diff-threshold, beacon-inc-wait-time
Feature: Detecting AP Spoofing on page 486 | Trap: wlsxAPSpoofingDetected, wlsxClientAssociatingOnWrongChannel | Syslog ID: 12606, 12607, 12706, 127070 | Command: ids impersonation-profile detect-ap-spoofing, ap-spoofing-quiet-time
487 time
Feature: Detecting an Overflow EAPOL Key on page 487 | Trap: wlsxMalformedOverflowEAPOLKeyDetected | Syslog ID: 12608, 127082 | Command: ids dos-profile detect-overflow-eapol-key, overflow-eapol-key-quiet-time
Feature: Detecting Overflow IE Tags | Trap: wlsxOverflowIEDetected | Syslog ID: 12608, 127084 | Command: ids dos-profile detect-overflow-ie, overflow-ie-quiet-time
AP must use lower data rates with all of its clients. Network administrators often want to know if there are devices that are advertising 40MHz intolerance, as this can impact the performance of the network.
There are fake AP tools that can be used to attack wireless intrusion detection itself by generating a large number of fake clients that fill internal tables with fake information. If successful, it overwhelms the wireless intrusion system, resulting in a DoS.
Malformed 802.11 authentication frames that do not conform to the specification can expose vulnerabilities in some drivers that have not implemented proper error checking. This feature checks for unexpected values in an Authentication frame.
A list of parameters can be configured to define the characteristics of a valid AP. This feature is primarily used when non-Alcatel-Lucent APs are used in the network, since the Alcatel-Lucent switch cannot configure the third-party APs. These parameters include WEP, WPA, OUI of valid MAC addresses, valid channels, and valid SSIDs.
Detecting attacks against Alcatel-Lucent AP clients: An attacker can perform an active DoS attack against an associated client, or perform a replay attack to obtain the keys of transmission, which could lead to more serious attacks.
Attack on page tkip-replay-quiet-time
Feature: Detecting Unencrypted Valid Clients on page 492 | Trap: wlsxValidClientNotUsingEncryption | Syslog ID: 126065, 127065 | Command: ids unauthorized-device-profile detect-unencrypted-valid-client, unencrypted-valid-client-quiet-time
Feature: Detecting a Valid Client Misassociation on page 492 | Trap: wlsxValidClientMisassociation | Syslog ID: 126075, 127075 | Command: ids unauthorized-device-profile detect-valid-client-misassociation
APs in the WLAN.
Detecting a FATA-Jack Attack Structure
FATA-Jack is an 802.11 client DoS tool that tries to disconnect targeted stations using spoofed authentication frames that contain an invalid authentication algorithm number.
Authorized Client associated to Honeypot AP: A honeypot is an AP that is not valid but is using an SSID that has been designated as valid/protected. Authorized Client in ad hoc connection mode: A valid client that has joined an ad hoc network.
AP or a client that do not conform to the policy. These policies are discussed in the sections that follow.
Understanding Infrastructure Intrusion Protection
Table 113 presents a summary of the infrastructure intrusion protection features with their related commands, traps, and syslog identifications. Details of each feature follow the table.
This feature requires that you enable the wireless-containment setting in the IDS general profile.
Protecting Against AP Impersonation
Protection from AP impersonation involves containing both the legitimate and impersonating AP so that clients cannot connect to either AP.
AP with a preset wired MAC address that is completely different from the AP’s BSSID. In many non-Alcatel-Lucent APs, the MAC address the AP provides to wireless clients as a ‘gateway MAC’ is offset by one character from its wired MAC address. This enhanced feature allows AOS-W to check to see if a suspected Layer-3 rogue AP’s MAC address follows this common pattern.
AP or client.
In the WebUI
1. Navigate to the Configuration > Advanced Services > Wireless page. 2. Configure the parameters, as described in Table 115. Then click Apply.
Default: 30 minutes
AM Poll Interval: Interval, in milliseconds, for communication between the switch and Alcatel-Lucent AMs. The switch contacts the AM at this interval to download AP to STA associations, update policy configuration changes, and download AP and STA statistics.
In the WebUI
1. Navigate to the Configuration > Advanced Services > All Profiles > IDS > IDS General > Advanced page. 2. Configure the parameters, as described in the following table. Then click Apply.
<> valid-exempt
Use the following command to view the number of MAC addresses added to the valid-exempt client list:
show wms counters
Valid Exempt Station Macs
Understanding Client Blacklisting When a client is blacklisted in the Alcatel-Lucent system, the client is not allowed to associate with any AP in the network for a specified amount of time. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force the client to disconnect.
(the man in the middle), thus allowing the intruder the ability to add, delete, or modify data. When this type of attack is identified by the Alcatel-Lucent system, the client can be blacklisted, blocking the MITM attack. You can enable this blacklisting ability in the IDS DoS profile (this is disabled by default).
APs and stations must be accurately classified to determine whether they are valid, rogue, or a neighboring AP. Then, an automated response can be implemented to prevent possible intrusion attempts.
Configuring Tarpit Shielding on page 507
Configuring TotalWatch
Alcatel-Lucent 802.11n APs and non-11n APs in AM mode support TotalWatch, the ability to scan all channels of the RF spectrum, including the 2.4 and 5 GHz bands as well as the 4.9 GHz public safety band.
Use the rf am-scan-profile command to set the dwell time and scan mode.
Understanding TotalWatch Channel Visiting
The Active and DOS channels are visited more frequently than the other channels. The order of preference in selecting the next channel is: 1. DOS
Configuring Per Radio Settings
For each radio, you can configure the following settings (for detailed information on commands, refer to the AOS-W 6.5.3.x Command Line Reference Guide):
the dwell times for the various channel types
the channel list that should be used for scanning
These settings are configured via the command rf am-scan-profile, which can be attached to the two profiles, dot11a-radio-profile and dot11g-radio-profile.
Use the ids-general-profile command to configure Tarpit Shielding (for detailed information on commands refer to the AOS-W Command Line Reference Guide).
ids general-profile default wireless-containment [deauth-only | none | tarpit-all-sta | tarpit-non-valid-sta]
Under the ids general-profile default wireless-containment command, the ‘tarpit-non-valid-sta’ and ‘tarpit-all-sta’ options are available only with an RFprotect license. The ‘deauth-only’ and ‘none’ options are available with the Base OS license.
AP300 Series, OAW-AP303H, OAW-AP310 Series, OAW-AP320 Series, OAW-AP330 Series, or OAW-AP360 Series access points. When the radio restarts, wireless services will be briefly interrupted. Clients will automatically reconnect to the network when the radio is again up and running.
Instant APs. Each Instant AP is shipped with the Instant manufacturing image and must join an IAP cluster in order to receive configurations from a virtual switch. Instant APs run the Instant image and can also be converted into campus APs.
2. Select the AP(s) on which you want to set the preference role to switch-less. 3. Click Convert to IAP.
In the CLI
To set the AP preference role to switch-less in the CLI, execute the following commands:
(host) #ap redeploy controller-less ap-group ap-name
To view the complete list of IP address ranges to which the AP deployment policy is applied, execute the following command:
(host) #show ap deploy-profile
Discovery Logic Workflow
The following steps describe the AP discovery logic:
If the AP cannot locate a VC in an existing IAP cluster, the AP attempts to locate Activate, OmniVista, or Central to upgrade the image and form a new IAP cluster. APs running the manufacturing image cannot form an IAP cluster.
IAP cluster. The AP converts into the master, and other un-deployed APs can join the cluster to upgrade to the Instant image. Refer to the latest Alcatel-Lucent Central User Guide for more details on AP image upgrade.
Users can provision switch-based APs in a test network before deploying the APs in a working network. Switches in a test network can only be discovered using the Alcatel-Lucent Discovery Protocol (ADP). APs are upgraded to the AOS-W image via ADP through the following steps: 1.
During the Instant discovery process, the AP attempts to connect through Activate if it cannot locate an Instant VC. If Activate is provisioned to convert APs to switch-based CAPs/RAPs, any AP that connects to Activate is converted into a CAP or RAP. Refer to the latest Alcatel-Lucent Activate User Guide for details on configuring provisioning rules.
See Customizing IAP Settings > Master Election and Virtual Controller in the latest Alcatel-Lucent Instant User Guide for more details on electing a master in an Instant network. APs are upgraded to the Instant image via a virtual switch through the following steps: 1.
APs that connect to Activate are automatically upgraded from the manufacturing image to the latest Instant/AOS-W image. Refer to the latest Alcatel-Lucent Activate User Guide for more details on configuring provisioning rules. If the AP locates OmniVista, it can be upgraded to the Instant image. If an enforced image upgrade rule is configured in OmniVista, the AP is upgraded to the Instant image configured for the enforced upgrade rule.
For example, switch-based APs can use a DHCP server to discover a switch, while switch-less APs can use a DNS server on OmniVista. If the same discovery method must be used for both switch-based APs and switch-less APs, Alcatel-Lucent recommends that you use DHCP-based discovery. DHCP servers can respond to DHCP requests based on the AP’s subnet and vendor ID.
ADP is disabled: If the Alcatel-Lucent Discovery Protocol (ADP) is disabled on the switch, the AP will not be able to locate any switches on its own. Execute the adp discovery enable command in the CLI to enable ADP.
If the AP is marked as CAP-only, it cannot be upgraded to the Instant image. CAP-only APs can only be upgraded to the AOS-W image. Execute the show log provision command on the AP to check if your AP is CAP-only. If your AP is CAP-only, the “CAP-only sku” message appears.
11707191
Execute the following command to verify if the AP is powered up using an 802.3af Power Sourcing Equipment.
(host) #show ap debug system-status ap-name <ap-name> | include POE
Power Supply : POE-AF
APs that are 802.11n standard compliant.
Quality of Service (QoS): Configure Voice over IP call admission control options and bandwidth allocation for 5 GHz (802.11a) or 2.4 GHz (802.11b/g) frequency bands of traffic.
Mesh feature.
Naming and Grouping APs
In the Alcatel-Lucent user-centric network, each AP has a unique name and belongs to an AP group. Each AP is identified with an automatically-derived name. The default name depends on whether the AP has been previously configured.
(all discovered APs initially belong to the AP group named “default”). 2. Select the AP you want to reassign, and click Provision. From the Provisioning page, select the AP group from the drop-down menu.
802.11 data packets, action frames and EAPOL frames over a GRE tunnel to the switch for processing. When a remote AP or campus AP is in bridge mode, the AP handles all 802.11 association
Network Policy profile defines the VLAN, priority levels, and DSCP values used by a voice or video application. Wired interfaces on Alcatel-Lucent APs support LLDP by periodically transmitting LLDP Protocol Data Units (PDUs) comprised of selected type-length-value (TLV) elements. The AP LLDP profile identifies which TLVs will be sent by the AP.
RF Event Configuration on page 570. AM Scanning: Alcatel-Lucent 802.11n APs and non-11n APs in AM-mode support the TotalWatch scanning feature, giving them the ability to scan all channels of the RF spectrum, including the 2.4- and 5-GHz bands as well as the 4.9-GHz public safety band. The AM Scanning profile enables this feature, and defines the dwell types for different channel types.
XML API server profile: specifies the IP address of an external XML API server. For additional information, see Configuring the XML API Server on page 1076. RFC 3576 server: Specifies the IP address of an RFC 3576 RADIUS server. For additional information, see on page 192.
If the client authenticates via an NTLM authentication server, the switch can recognize that the client has been authenticated and assign that client a specified user role. For details on configuring stateful authentication, see Stateful and WISPr Authentication on page 291.
291. Mesh Profiles You can provision Alcatel-Lucent APs to operate as mesh points, mesh portals or remote mesh portals. The secure enterprise mesh environment routes network traffic between APs over wireless hops to join multiple Ethernet LANs or to extend wireless coverage. The Mesh profiles are: Mesh high-throughput SSID profile: enables or disables high-throughput (802.11n) features and 40...
887. Valid Equipment OUI Profile: Set one or more Alcatel-Lucent OUIs for the switch. Upgrade: configure the software upgrade feature that allows the master switch to automatically upgrade its associated local switches by sending an image from an image server to one or more local switches. For...
If the master provisioning parameter is not set and no address was received via DHCP option 43, ADP is used to discover a switch address and that address is put on the list.
Switch Discovery using ADP ADP is enabled by default on all Alcatel-Lucent APs and switches. With ADP, APs send out periodic multicast and broadcast queries to locate the master switch. ADP requires that all APs and switches are connected to the same Layer-2 network.
5. (Optional) If you are provisioning a remote AP, select the Remote-AP checkbox. 6. Enter the IP address or the fully qualified domain name of the master switch in the Master IP/FQDN field.
Configuring the cellular link with a higher priority than your wired link priority will set your cellular link as the primary switch link.
2. Click the Edit button by the name of the AP group to which you want to assign the provisioning profile. 3. In the profiles list, expand the AP menu, and select Provisioning Profile. The Profile Details window appears.
Parameters section. If you want to use an External antenna for the remote AP you are provisioning, select External Antenna and define settings for that antenna. Otherwise, the remote AP will use its internal antenna by default.
TTY Device Control Path: The TTY device control path for the USB modem. This parameter only needs to be specified if the default path is incorrect.
USB cellular data-card. NOTE: You must enclose the entire modeswitch parameter string in quotation marks. Example follows: "-v <default_vendor> -p <default_product> -V <target_vendor> -P <target_product> -M <message_content>"
APs using an Internet Key Exchange Pre-Shared Key (IKE PSK).
RAP Configuration
The steps to configure a remote AP using the WebUI are similar to the steps described in Configuring an AP using the WebUI, although some additional steps are required.
AP:
Mesh portal—The gateway between the wireless mesh network and the enterprise wired LAN.
Mesh point—APs that can provide traditional Alcatel-Lucent WLAN services (such as client connectivity, intrusion detection system (IDS) capabilities, user roles association, LAN-to-LAN bridging, and Quality of Service (QoS) for LAN-to-mesh communication) to clients on one radio and perform mesh backhaul/network connectivity on the other radio.
3. Click Provision to reveal the Provisioning page. Locate the AP Installation Mode section. By default, the Default mode is selected. This means that the AP installation type is based on the AP model.
If an AP is recognized by the switch but is powered off or not connected to the network or switch when you execute the command, the request is queued until the AP is powered back on or reconnected.
(host) (AP system profile "default") #spanning-tree
The following example displays the spanning tree information of an AP, using the CLI command:
(host) (config) #show ap debug spanning-tree ap-name <ap-name>
Enabling PortFast
Points to remember:
1. Navigate to Configuration > Advanced Services > All Profiles. 2. Click profile AP > AP wired port. 3. Select the AP profile to enable PortFast on trunk. 4. Select the Portfast on trunk checkbox.
Before enabling PortFast on trunk, ensure that the switchport mode is set to trunk using the ap wired-ap-profile command.
QoS for AP Management Traffic
Management traffic on the AP can be marked with Differentiated Service Code Point (DSCP) values to apply a priority level to that traffic.
Use the following procedures to configure an RTLS server with station message frequency in the WebUI: 1. Navigate to the Configuration > Wireless > AP Configuration page. 2. Under the AP Group tab, click the desired profile.
The RTLS server configuration enables the AP to send RFID tag information to an RTLS server. Currently, when configuring the RTLS server under ap system-profile, the valid range of values for station-message-
Remote Access Points on page 695. The AP failback feature allows an AP associated with the backup switch (backup LMS) to fail back to the primary switch (primary LMS) if it becomes available.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name. 3. Under Profiles, select AP to display the AP profiles. 4. Select the AP system profile you want to modify. 5. Under Profile Details, do the following:
The duplex mode of the Ethernet interface, either full, half, or auto-negotiated. 802.3az (EEE): Select this checkbox to enable support for 802.3az Energy Efficient Ethernet (for OAW-AP130 Series only). 5. Select the 802.3az checkbox. 6. Click Apply to save your changes.
Use the ap-leds command to make the LEDs on a defined set of APs either blink or display in the currently configured LED operating mode. Note that if the LED operating mode defined in the AP’s system profile is set
4. In the Profile Details window, enter a name for the new anyspot profile then click Add, or select the name of an existing anyspot profile.
5. Configure the anyspot parameters described in Table 126.
3. In the Profiles list, navigate to the AP > AP system profile menu.
4. In the Advanced tab of the Profile Details section, configure the BLE Operation Mode setting described in Table 127.
BLE using a mobile application. This functionality is the superset of the Beaconing mode. NOTE: BLE is disabled on AOS-W FIPS build. You can verify the configured value by executing the show ap system-profile command.
---------------------------
Parameter                        Value
---------                        -----
RF Band
RF Band for AM mode scanning
Native VLAN ID
Tunnel Heartbeat Interval
Session ACL                      ap-uplink-acl
BLE Endpoint URL
BLE Auth Token
BLE Operation Mode               Disabled
With the implementation of the high-throughput 802.11n standard, 40 MHz channels were added in addition to the existing 20 MHz channel options. Available 20 MHz and 40 MHz channels are dependent on the country
If you selected AP Specific, click the Edit button by the AP for which you want to create or change an RF management profile.
2. In the Profiles list, expand the RF Management menu, then select either 802.11a radio profile or 802.11g radio profile.
80 MHz mode. If you select the spectrum monitoring checkbox on this profile page, the AP will operate as a hybrid AP and scan the selected channel for spectrum analysis data.
20: Setting this parameter to 20 sets the cell-size-reduction value to 1. Cell-size-reduction is the receive coverage area of the AP. NOTE: Configure this parameter under the supervision of Alcatel-Lucent Technical Support. NOTE: Setting the spur immunity to a higher value may decrease the AP RF coverage.
APs on other channels. If an AP’s client load is at or over a predetermined threshold as compared to its immediate neighbors, or if a neighboring Alcatel-Lucent AP on another channel does not have any clients, load balancing will be enabled on that AP.
(in -dBm). The AP will filter out and ignore weak signals that are below the channel threshold signal strength. If the value for this parameter is set to zero, the feature will automatically determine an appropriate threshold.
Alcatel-Lucent's proprietary Adaptive Radio Management (ARM) technology maximizes WLAN performance by dynamically and intelligently choosing the best 802.11 channel and transmit power for each Alcatel-Lucent AP in its current RF environment. Every RF management profile references an ARM profile. If you specify an active and enabled ARM profile, you do not need to manually configure the Channel and Transmit Power parameters for this 802.11a or 802.11g profile.
Assigning an ARM Profile
By default, an 802.11a or 802.11g profile references an ARM profile named default. Most network administrators will find that this one default ARM profile is sufficient to manage all the Alcatel-Lucent APs on
Configuration details and any default values for each of these parameters are described in Table 128. This CLI command also allows you to reference an ARM profile and high-throughput radio profile for the 802.11a or
To view the settings of a specific RF management profile:
show rf dot11a-radio-profile|dot11g-radio-profile <profile-name>
Assigning a 802.11a/802.11g Profile
To assign an 802.11a or 802.11g RF management profile to an AP group:
ap-group <group> dot11a-radio-profile <profile-name>
-or-
ap-group <group> dot11g-radio-profile <profile-name>
Default: 10
RSSI Check Frequency: Interval, in seconds, to sample RSSI. Default: 3 seconds
Using the CLI
Use the following command to configure RF Optimization profiles. The parameters are described in Table 129.
Frame Error Rate High Watermark: If the frame error rate (as a percentage of total frames in an AP) exceeds this value, a frame error rate exceeded condition exists. The recommended value is 16%.
Use the following command to configure RF event profiles. The available parameters for this profile are detailed in Table 130.
rf event-thresholds-profile <profile>
  bwr-high-wm <percent>
  bwr-low-wm <percent>
  clone <profile>
  detect-frame-rate-anomalies
  fer-high-wm <percent>
  fer-low-wm <percent>
  ffr-high-wm <percent>
  ffr-low-wm <percent>
  flsr-high-wm <percent>
  flsr-low-wm <percent>
  fnur-high-wm <percent>
  fnur-low-wm <percent>
APs and configuring SSIDs as bridge-mode SSIDs can also prevent link saturation. With high-latency links, consider the amount and type of client devices accessing the links. Alcatel-Lucent APs locally process 802.11 probe-requests and probe-responses, but the 802.11 association process requires interaction with the switch.
LED override: Override the LED action for normal LED operation mode. If enabled, the LED auto-turn-off function will not work. This feature is supported on AP models with a single LED only.
AP multicast aggregation allowed VLANs: Enable a list of VLANs where AP multicast aggregation is allowed.
Basic AP System Profile Settings—LMS
SAP MTU: Maximum Transmission Unit, in bytes, on the wired link for the AP.
LMS IP In multi-switch networks, this parameter specifies the IP address of the local management switch (LMS)—the Alcatel-Lucent switch—which is responsible for terminating user traffic from the APs, and processing and forwarding the traffic to the wired network. This can be the IP address of the local or master switch.
GRE tunnel timeout is 1.5 x bootstrap-threshold; the tunnel is torn down after this number of seconds of inactivity on the tunnel. The supported range is 1-65535, and the default value is 8.
The secondary master switch is configured to be used when a Remote AP is not able to reach the primary master switch.
Root AP: Defines a remote AP as the root AP in a branch network with a multi-AP hierarchy.
Password for Backup: Set a WPA passphrase to generate a pre-shared key for a backup Virtual AP.
USB power Override: Enabling override enables the USB port of the AP with POE AT power.
Number of seconds between health check reports sent from the AP to the . usage reports.
packetsize: The size, in bytes, of a ping datagram.
{ap-name <name>|bssid <name>|ip-addr <ipaddr>}
AP Scanning Optimization
The scanning algorithm is enhanced to reduce the delay between visits to some channel types, by changing their scan priority.
Unconventional (direction) Scans
Unconventional scans are 40 MHz scans of a channel in the direction away from the channel pair. For example, in the 44-48 channel pair: Conventional scans will be 44+ and 48-
Group scanning behavior is performed for OAW-AP200 Series access points on A-band channels. Scanning only once in each 80 MHz wide group allows the AP to scan through the channel list faster and also hear frames on sub-channels.
10. Enter 36 in the Channel text field and select the Above radio button. In this instance, channel 36 becomes the primary channel and the secondary channel is 40.
11. Click Apply.
12. Under the Profiles list select the 802.11g radio profile used by the AP group.
Radio Management (ARM). Note that ARM assignments will override the static channel and power configurations done using the radio profile. For complete information on the Adaptive Radio Management feature, refer to Adaptive Radio Management on page 450.
Upgrade the boot image. NOTE: Exercise caution when using this command.
help: Help text for the AP boot commands.
mfginfo: Shows manufacturing information of the AP.
osinfo: Shows the AOS-W image information on the AP.
The example below configures an AP location and domain name using an AP console connection:
Hit <Enter> to stop autoboot: 0
apboot> <INTERRUPT>
apboot> setenv group corporate-2
apboot> setenv domainname mycompany.com
apboot> saveenv
apboot>boot
AP or the factory_reset AP boot command. If it is already connected to a switch, the AP password can be changed under the AP Console Password field of the AP System profile in the WebUI, or using the ap-console-password parameter of the ap system-profile command in the CLI.
If your topology includes a backup switch you must define GRE striping IP settings in the active and the backup switch. For more information on LACP features in AOS-W, see Configuring LACP on page 158.
1. Access the active switch and navigate to the Configuration > Advanced Services > All Profiles page.
2. Expand the AP profiles menu in the Profiles pane.
3. Expand the AP System profiles menu, and select the AP system profile you want to modify.
The lms-ip value in the ap-system-profile is used as a key to look up entries in the ap-lacp profile on all the switches that an AP can terminate on. This also helps in selectively disabling Link Aggregation on some APs by not configuring lms-ip in their ap-system-profile.
LAG enabled/disabled per station and data drops due to LAG packet reordering.
show datapath user—Using this command, you can verify if the gre-striping-ip has an entry with the ‘L’ (local) flag
When an AP loses connection with the switch, the AP’s provisioning information can be retrieved through the AP console. The consolidated AP-provisioned information can be accessed by executing the following shell script after logging in to the AP through console or backup-SSID:
You can configure IPM using the WebUI or CLI.
In the WebUI
To enable IPM, follow the steps below:
1. Navigate to Configuration > ADVANCED SERVICES > All Profiles.
(host) #show ap system-profile default | include IPM
AP system profile "default"
---------------------------
Parameter                                   Value
---------                                   -----
IPM activation                              Enabled
IPM power reduction steps with priorities   disable_usb/priority:2
IPM power reduction steps with priorities   cpu_throttle_25/priority:1
Chapter 22 Secure Enterprise Mesh
The Alcatel-Lucent secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires. Using mesh, you can bridge multiple Ethernet LANs or you can extend your wireless coverage. As traffic traverses across mesh APs, the mesh network automatically reconfigures around broken or blocked paths.
The mesh portal (MPP) is the gateway between the wireless mesh network and the enterprise wired LAN. You configure an Alcatel-Lucent AP to perform the mesh portal role, which uses its wired interface to establish a link to the wired LAN. You can deploy multiple mesh portals to support redundant mesh paths (mesh links between neighboring mesh points that establish the best path to the mesh portal) from the wireless mesh network to the wired LAN.
The mesh point scans the channels in its provisioned band of operation to identify a list of neighbors that match its mesh cluster profile. The mesh point then selects from the highest priority neighbors based on the least expected path cost.
Mesh portals typically advertise a path-cost of zero, but high-throughput portals add an offset penalty if they are connected to a 10/100 Mbps port that is too slow for the high-throughput link capacity.
Alcatel-Lucent provides a “default” version of the mesh radio, RF management, high-throughput SSID and cluster profiles with default values for most parameters. You can use the “default” version of a profile or create a new instance of a profile which you can then edit as you need.
This initial startup scan evaluates more distant mesh points before closer mesh points, and incurs a dropout of 5–8 seconds for each mesh point. After
If you want to manually assign channels to mesh portals or mesh points, disable the ARM profile associated with the 802.11a or 802.11g radio profile by setting the ARM profile’s assignment parameter to disable.
MAC protocol data units (MPDUs), and Modulation and Coding Scheme (MCS) ranges. Alcatel-Lucent provides a “default” version of the mesh high-throughput SSID profile. You can use the “default” version or create a new instance of a profile which you can then edit as you need. High-throughput mesh nodes operating in different cluster profiles can share the same high-throughput SSID radio profile.
MPV are sent over the split tunnel. Hence the MPV should be different from any user VLAN that is bridged using the mesh network. The RMP configuration requires an AP license. For more information about Alcatel-Lucent software licenses, see Software Licenses on page
In these scenarios, a wireless backhaul carries traffic between the Alcatel-Lucent APs configured as the mesh portal and the mesh point, to the Ethernet LAN.
Thin AP Services with Wireless Backhaul Deployment
To expand your wireless coverage without bridging Ethernet LAN segments, you can use thin AP services with a wireless backhaul.
In a point-to-multipoint scenario, multiple Ethernet LAN segments are bridged via multiple wireless/mesh backhauls that carry traffic between the mesh portal and the mesh points. This provides communication from the local LAN to multiple remote LANs. Figure 77 shows a single-hop point-to-multipoint deployment.
The diagonal dotted lines represent possible links that could be formed in the event of a mesh link or mesh portal failure.
Figure 78 Sample High-Availability Deployment
Mesh Deployment Planning
The following considerations are recommended when planning and deploying a mesh solution:
APs provisioned on another switch unless the recovery profile is on a master switch and the other mesh nodes were provisioned by a local switch connected to that master.
2. In the Profiles list, expand the Mesh menu, then select Mesh Cluster.
3. In the Profile Details window pane, click the Add a profile drop-down list and select NEW.
4. Enter a name for the new profile.
MSSID for the mesh cluster. When you first create a new mesh cluster profile, the profile uses the default cluster name “Alcatel-Lucent-mesh”. Use the Cluster Name parameter to define a new, unique MSSID before you assign APs or AP groups to the mesh cluster profile.
Apply, then remove the encryption type you no longer want and click Apply again. You cannot delete one encryption type and add a different type in a single step.
5. Click Apply to save your changes.
The following commands associate a mesh cluster profile to an AP group or an individual AP. For deployments with multiple mesh clusters, you must also configure the profile’s priority. Remember, the lower the priority
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group or AP Specific tab. If you selected the AP Group tab, click the AP group name for which you want to configure the new mesh radio profile.
Default: All transmission rates are selected and used. If you do not select 802.11a or 802.11g transmit rates, all rates are selected by default when you click Apply.
Allowed VLANs on Mesh Link: List the VLAN ID numbers of VLANs allowed on the mesh link.
This option evenly distributes the mesh points over high quality uplinks. Low quality uplinks are selected as a last resort. Default: distributed-tree-rssi. It is recommended to use the default value.
Configuration details and any default values for each of these parameters are described in Table 137. If you do not specify a parameter for a new profile, that profile uses the default value for that parameter. Put the no
1. Navigate to the Configuration > Advanced Services > All Profiles window.
2. Expand the Mesh menu, then select Mesh radio profile. A list of mesh radio profiles appears in the Profile Details window pane.
Basic Mesh High-Throughput SSID Profile Settings
40 MHz channel usage: Enable or disable the use of 40 MHz channels. Default: enabled
80 MHz channel usage: Enable or disable the use of 80 MHz channels. Default: enabled
(Supported on the OAW-AP130 Series, OAW-AP170 Series and OAW-AP105 only. The configured value adjusts based on AP capabilities.) If transmit beamforming is enabled, STBC is disabled for beamformed frames.
Minimum time between the start of adjacent MPDUs within an aggregate MPDU, in microseconds. Allowed values: 0 (No restriction on MPDU start spacing), .25 µsec, .5 µsec, 1 µsec, 2 µsec, 4 µsec.
If the short guard interval does not allow enough time for reflections to settle in your mesh deployment, inter-symbol interference values may increase and degrade throughput. This parameter is enabled by default.
3. In the Profile Details window pane, click the Mesh High-throughput SSID profile drop-down list and select the name of the profile you want to edit.
4. Change the settings as desired. Table 138 describes the parameters you can configure in this profile.
5. Click Apply.
(host)(config) #ap-name <name> mesh-ht-ssid-profile <profile-name>
Viewing High-throughput SSID Settings
To view a complete list of high-throughput profiles and their status:
(host)(config) #show ap mesh-ht-ssid-profile
To view the settings of a specific high-throughput profile:
VLANs field.
d. Optionally, select Trusted to configure this as a trusted port.
5. Click Apply.
Use the following commands to configure Ethernet port bridging via the CLI.
(host)(config) #ap wired-ap-profile <profile>
When configuring mesh Ethernet ports for secure jack operation, note the following guidelines: Mesh points support secure jack on enet0 and enet1. Mesh portals only support secure jack on enet1. This function is only applicable to Alcatel-Lucent APs that support a second Ethernet port and mesh, such as the OAW-AP130 Series.
To do this, you must first configure mesh cluster profiles for each mesh node prior to deployment. See Creating and Editing Mesh Radio Profiles for more information.
Reprovisioning the AP causes it to automatically reboot. The following procedures describe the process to provision a mesh portal or mesh node via the WebUI or CLI. (The easiest way to provision a mesh node is to
<altitude> latitude <location> longitude <location>
reprovision ap-name <name>
Verifying Your Mesh Network
To view a list of your Mesh APs via the WebUI, navigate to one of the following windows:
------ --------- ------- ------
13d:2h:25m:19s
14d:21h:23m:49s
14d:21h:14m:55s
14d:19h:5m:3s
Use the show ap mesh topology command to verify the cluster topology, RSSI in presence of network traffic, and Tx and Rx rates.
A remote mesh portal must be provisioned as both a remote access point and a mesh portal. For instructions on provisioning the remote mesh portal as a remote access point, see Configuring the Secure Remote Access Point Service on page 697.
802.11a or 802.11g RF management profile to the remote mesh AP.
Step 5: Assign a Mesh Cluster Profile
Follow the procedures described in Configuring Mesh Cluster Profiles on page 609 to assign a mesh cluster profile to the remote mesh AP.
Reprovisioning the AP causes it to automatically reboot. When you use the CLI to reprovision a mesh node, you may also provision other AP settings.
(host)(config) #provision-ap read-bootinfo ap-name <name>
  mesh-role remote-mesh-portal
  reprovision ap-name <name>
The master switch owns the configured virtual IP address for the VRRP instance.
In this model, the active switch supports up to 100% of its rated capacity of APs, while the other switch is idle in standby mode. If the active switch fails, all APs served by the active switch failover to the standby switch.
APs to use M1 as their active master. If an AP has not established a connection to M1 before it disassociates from M2, the AP rebootstraps before it reconnects back to M1.
The following section of this document describes topologies, guidelines, and limitations for this feature. To view the procedure for enabling the client state synchronization feature, see Configuring High Availability.
APs by up to four times that switch's rated AP capacity, as long as the tunnels consumed by the standby APs do not exceed the maximum tunnel capacity for that standby switch.
AP. A dual switch can support both roles, acting as the active switch for one set of APs, and a standby switch for another set of APs. Starting with AOS-W 6.4, a switch is assigned the dual role if no other role is specified
Pre-shared key field. Note, however, that this feature is not enabled until you complete the task in step 13 on page 640
This feature ensures that a customer gets the required notification for monitoring the network in the following representational situations:
When the standby tunnel goes down
When HA failover occurs due to AP-interswitch heartbeat miss
This could be because the AP missed a heartbeat with the serving switch, received a failover request from the standby switch, or is trying to preempt back to the active switch. For more information on the SNMP traps, refer to https://support.esd.alcatel-lucent.com/.
Migrating from VRRP or Backup-LMS Redundancy
AOS-W has a local management switch (LMS) and a backup LMS.
1. Configure the switch serving the AP with a dual role in the high availability group profile:
(host) (config) #ha group-profile grp1
(host) (HA group information "grp1"): controller <ipaddress> role dual
Configuring VRRP Redundancy
In an Alcatel-Lucent network, APs are controlled by a switch. The APs tunnel all data to the switch for processing, including encryption/decryption and bridging/forwarding data. Local switch redundancy provides APs with failover to a backup switch if a switch becomes unavailable.
VRRP, the VRRP stops the timer and does not transition to master.
Priority: Priority level of the VRRP instance for the switch. This value is used in the election mechanism for the master.
<profile>
Configuring the Master Switch for Redundancy
The master switch in the Alcatel-Lucent user-centric network acts as a single point of configuration for global policies such as firewall policies, authentication parameters, and RF configuration to ease the configuration and maintenance of a wireless network.
If DNS resolution is the chosen mechanism for the APs to discover their master switch, ensure that the name “aruba-master” resolves to the same virtual IP address configured as a part of the master redundancy.
When the master and local are synchronized, the complete configuration is typically sent to the local. However, you now have the option to send only the incremental updates to the local using the following CLI commands:
This section outlines the concepts behind a redundancy solution where a master can act as a backup for one or more local switches, and shows how to configure the Alcatel-Lucent switches for such a redundant solution. In this solution, the local switches act as the switch for the APs. When any one of the local switches becomes unavailable, the master takes over the APs controlled by that local switch for the time that the local switch remains unavailable.
Configuration changes take effect only after you reboot the affected APs, allowing them to reassociate with the local switch. After rebooting, these APs appear as local APs to the new local switch.
The AOS-W implementation of Rapid Spanning Tree Protocol (RSTP) is as specified in 802.1w, with backward compatibility to legacy Spanning Tree (STP) 802.1D. RSTP takes advantage of point-to-point links and provides rapid convergence of the spanning tree. RSTP is enabled by default on all Alcatel-Lucent switches. Topics in this chapter include:...
Use either the CLI or the WebUI to configure RSTP.
In the WebUI
The RSTP port interface is designated as point-to-point, by default, under Configuration > Network > Ports in the WebUI (Figure 84).
Change the default configurations using the command line interface:
(host) (config-if)#spanning-tree
  cost            Change an interface's spanning tree path cost
  point-to-point  Set interface as point-to-point link
  port-priority   Change an interface's spanning tree priority
  portfast        Allow a change from blocking to forwarding
Rx counter remains the same. This is reversed when a port's role is “root/alternate/backup”. For more details and examples on the show spanning-tree command, refer to show spanning-tree in the AOS-W Command-Line Interface Reference Guide.
interface
PVST+ sends untagged STP BPDUs on the access port; it also transmits untagged STP BPDUs (in addition to the other PVST+ BPDUs) on the native VLAN trunk port. If the Alcatel-Lucent switch is the root, it detects a loop on the native VLAN.
2-6,11
Enabling PVST+ in the WebUI
From the WebUI, add a VLAN instance and enable PVST+ under Configuration > Network > Ports > Spanning Tree:
Figure 86 Configuring a VLAN with PVST+
AOS-W supports the following optional basic management TLVs that are enabled by default:
MAC Phy configuration TLV
Management address TLV
Maximum frame size TLV
Port-description TLV
Port VLAN ID TLV
System capabilities TLV
System description TLV
System name TLV
VLAN name TLV
When a mobile client is connected to a foreign network, it is bound to a care-of address that reflects its current point of attachment. A care-of address is the IP address of the Alcatel-Lucent switch in the foreign network with which the mobile client is associated.
VLANs into which employee users can be placed should be part of the same mobility domain. Alcatel-Lucent mobility domains are supported only on Alcatel-Lucent switches. A switch can be part of multiple mobility domains, although it is recommended that a switch belong to only one domain.
3. Select the newly-created domain name. Click Add under the Subnet column. Enter the subnetwork, mask, VLAN ID, VRIP, and home agent IP address, and click Add. Repeat this step for each HAT entry.
4. Click Apply.
In the CLI
router mobile
The following example (Figure 88) configures a network in a campus with three buildings. An Alcatel-Lucent switch in each building provides network connections for wireless users on several different user VLANs. To allow wireless users to roam from building to building without interrupting ongoing sessions, you configure a mobility domain that includes all user VLANs on the three switches.
Home Agent Address or VRIP
10.1.1.245
10.2.1.245
10.3.1.245
10.4.1.245
On switches B and C:
1. Navigate to the Configuration > Advanced Services > IP Mobility page.
2. Select the Enable IP Mobility checkbox.
3. Click Apply.
You can view the list of mobile clients and their roaming status on any switch in the mobility domain:
In the WebUI
Navigate to the Monitoring > switch > Clients page.
In the CLI
#show ip mobile host
Roaming status can be one of the following:
#show ip mobile trace <ip-address>|<mac-address>
Mobile Client Roaming Locations
You can view information about where a mobile user has been in the mobility domain. This information can only be viewed on the client’s home agent.
Clear Trail Entries: Clear the station location trail table. You can view entries in this table using the show ip mobile trail command.
Clear Mobility Counters: Clear counters for IP mobility statistics.
Authenticated Stations Only: Allows a client to roam only if it has been authenticated. If a client has not been authenticated, no mobility service is offered if it roams to a different VLAN or switch.
To configure proxy mobile IP and DHCP functionality, use the following command:
ip mobile proxy auth-sta-roam-only | event-threshold <number> | log-trail | no-service-timeout <seconds> | on-association | stale-timeout <seconds> | trail-length <number> | trail-timeout <seconds>
To configure revocation functionality, use the following command:
In the previous release, Alcatel-Lucent switches supported L3 mobility only for single-stacked IPv4 clients. The following changes in existing behavior are observed on the Alcatel-Lucent switch when you enable IPv6 L3 Mobility support: The switch throttles and proxies Router Advertisements (RAs) if the router mobile command is enabled.
The outputs of the following commands are enhanced to support IPv6 L3 mobility:
show ip mobile host
show ip mobile trace
show ip mobile remote
show ip mobile binding
show ip mobile visitor
show ip mobile trail
show ip mobile packet-trace
The following commands display the initial configuration on HA and FA:
(host-HA) #show ip mobile domain
Mobility Domains:, 2 domain(s)
------------------------------
Domain name default
Home Agent Table
Domain name 6.3mobility
Home Agent Table
Home Agent      Description
--------------- ----------------
10.15.45.10
10.15.44.60
4095 4095 local
01:80:C2:00:00:02 4095 4095 local
00:0B:86:16:6A:A0 0/0/0
3C:77:E6:7C:44:09 tunnel 12
(host-HA) #show datapath station
+----+------+-----------------------------------------------------+
|SUM/|      |                                                     |
|CPU | Addr | Description                                  Value  |
+----+------+-----------------------------------------------------+
|    | [03] | Maximum Entries                              16383  |
Flags: P - Permanent, D - Deny, R - Roamed Client, M - Mobile, X - Xsec, A - Auth, O - Outer VLAN, T - Trusted
VLAN Assigned VLAN Destination Flags Age
----------------- ---- ------------- ----------- ----- ---
24:77:03:9E:DC:4C 4095 60 tunnel 15
Flags: P - Permanent, D - Deny, R - Roamed Client, M - Mobile, X - Xsec, A - Auth, O - Outer VLAN, T - Trusted
VLAN Assigned VLAN Destination Flags Age
----------------- ---- ------------- ----------- ----- ---
24:77:03:9E:DC:4C 4095 50 tunnel 9
24:77:03:9E:DC:4C 50 tunnel 9 PMTR
3. Only AP1 responds to the broadcast, and sends the current session table of the client.
4. AP2 acknowledges receipt of the session table.
5. AP1 deletes the session state of the client.
IGMPv3 Support
AOS-W 6.4 supports IGMPv3, which makes Alcatel-Lucent switches aware of Source Specific Multicast (SSM) and is used to optimize network bandwidth. SSM is an extension of IP multicast in which datagram traffic is forwarded to receivers only from those multicast sources that the receivers have explicitly joined.
Remote switch A locates the mobile client's local switch and learns about the client's multicast groups. Remote switch A then joins group1 on behalf of the mobile client, using its VLAN 50 source IP. Upstream
gigabitethernet <slot>/<module>/<port>
Enable IGMP proxy on the GigabitEthernet (IEEE 802.3) interface. Any command that references a Fast Ethernet or Gigabit Ethernet interface requires that you specify the corresponding port on the switch in the format <slot>/<module>/<port>.
The following table describes the maximum multicast group limit per switch platform. Maximum multicast group is the sum of IPv4 IGMP and IPv6 MLD groups.
Table 152: Multicast Group Limits
Platform: OAW-4005, OAW-4010, OAW-4024, OAW-4030, OAW-4x50 Series
Multicast Group Limit: 4096
Alcatel-Lucent network. You can also use this information to configure session ACLs to apply to physical ports on the switch for enhanced security. However, this chapter does not describe requirements for allowing specific types of user traffic on the network.
This section describes the network ports that need to be configured on the firewall to allow other types of traffic in the Alcatel-Lucent network. You should only allow traffic as needed from these ports.
For logging: SYSLOG (UDP port 514) between the switch and syslog servers.
For External Services Interface (ESI): ICMP (protocol 1) and syslog (UDP port 514) between a switch and any ESI servers.
For XML API: HTTP (TCP port 80) or HTTPS (TCP port 443) between a switch and an XML-API client.
AOS-W 6.5.3.x | User Guide External Firewall Configuration | ...
Configuring PAPI Enhanced Security on page 687
Verifying PAPI Enhanced Security on page 688
Interoperability
The following references provide interoperability information for Alcatel-Lucent devices with respect to the PAPI Enhanced Security feature:
For information on interoperability with OmniVista, refer to the OmniVista 8.2.0.3 Release Notes.
IP address of the device which the user is logged into. Additionally, a firewall policy can be applied based on the type of device the user is using to connect to the network. Since the Alcatel-Lucent switch maintains the network and user information of the clients on the network, it is the best source to provide the information for the User-ID feature on the PAN firewall.
HIP objects with a specified Is Value in the Client Version field, which must be preconfigured on the PAN firewall.
Table 153: HIP Objects
Client Version Is Value: Android, Apple, AppleTV, BlackBerry, Chrome OS, iPad, iPhone, iPod, Kindle, Linux, Nintendo, Nintendo 3DS, Nintendo Wii
690| Palo Alto Networks Firewall Integration AOS-W 6.5.3.x | User Guide...
PS Vita, RIM Tablet, Roku, Symbian, webOS, Win 7, Win 8, Win 95, Win 98, Win 2000, Win CE, Win ME, Win NT, Win Server, Win Vista, Win XP
The password must match the Admin account previously created on the PAN firewall.
8. Re-enter the Password entered in the previous step.
9. Click Add.
10. Click Apply.
Up to twenty (20) PAN firewalls are supported.
1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.
2. In the AAA Profiles Summary, select the desired profile.
3. Check the PAN Firewalls Integration check box.
4. Click Apply.
2. In the profiles list on the left, click VPN Authentication and select the default profile.
3. Check the PAN Firewalls Integration check box.
4. Click Apply.
Using the CLI
(host)(config) #aaa authentication vpn default pan-integration
Chapter 31 Remote Access Points
The Secure Remote Access Point Service allows AP users at remote locations to connect to an Alcatel-Lucent switch over the Internet. Because the Internet is involved, data traffic between the switch and the remote AP is VPN encapsulated.
IPSec tunnel is established. Make sure that the L2TP IP pool configured on the local switch (from which the remote AP obtains its address) is reachable in the switch network by the master switch. 696| Remote Access Points AOS-W 6.5.3.x | User Guide...
Figure 95 Remote AP in a Multi-Switch Environment
Configuring the Secure Remote Access Point Service
The tasks for configuring an Alcatel-Lucent Access Point as a Secure Remote Access Point Service are:
Configure a public IP address for the switch.
You must install one or more AP licenses in the switch. There are several AP licenses available that support different maximum numbers of APs.
1. Navigate to the Configuration > Wireless > AP Installation page. The list of discovered APs is displayed on this page.
2. Select the AP you want to configure using CHAP and click the Provision button.
3. Enter the CHAP Secret in the text box under Authentication Method.
2. Click New and provide the following details:
AP MAC Address—mandatory parameter. Enter the MAC address of the AP.
Username—enter a username that is used when the AP is provisioned.
AP Group—select a group to add the AP.
6. Click Apply. Note that the configuration does not take effect until you perform this step.
7. At the Servers page, click Apply.
In the CLI
(host) (config) #local-userdb add username rapuser1 password <password>
When connected and powered on, the AP must also be able to obtain an IP address from a DHCP server on the local network or from the switch.
If an AP has not been configured to a switch after deployment, the secondary master feature does not apply.
In the WebUI
To enable the secondary master switch feature:
1. Navigate to Configuration > Advanced services > All Profiles.
2. Click AP > AP System.
Figure 100 is a graphic representation of a remote AP in a branch or home office, with a single switch providing access to both a corporate WLAN and a branch office WLAN.
Remote APs support 802.1q VLAN tagging. Data from the remote AP will be tagged on the wired side.
Troubleshooting Remote AP
The following WebUI options are available to troubleshoot issues with remote AP:
Using local debugging feature
Viewing the remote AP summary report
Viewing remote AP connectivity report
The Summary tab has two views: basic and advanced. Click the basic or advanced links at the top of this tab to toggle between the two views. The table below shows the information displayed for both the basic and advanced views of the Summary tab.
MAC Address: MAC address of the wired user. (basic and advanced views)
IP address: IP address of the wired user. (basic and advanced views)
Port: AP port used by the wired user.
The uplink becomes active based on the order of priority configured on the RAP. The RAP switches back to the primary link when the primary connection is restored.
AP and the switch, and does not require any additional test configuration settings.
3. Click OK to start the test. The results of the test will appear in the Diagnostics window.
The “all” column and row lists features that all remote AP operation and forward mode settings have in common regardless of other settings. For example, at the intersection of “all” and “bridge,” the description outlines what happens in bridge mode regardless of the remote AP mode of operation.
AP that is always up regardless of whether the switch is reachable. Is available for local access. Supports PSK ESSID only. SSID configuration stored in flash on AP.
bridge split-tunnel tunnel
Always—Permanently enables the virtual AP. Recommended for bridge SSIDs.
Backup—Enables the virtual AP if the remote AP cannot connect to the switch. This SSID is advertised until the switch is reachable. Recommended for bridge SSIDs.
(for example “default”), then click Apply. If you need to create an 802.1X authentication server group, select new from the 802.1X Authentication Server Group drop-down list, and enter the appropriate parameters.
5. Click the new virtual AP name in the Profiles list or the Profile Details to display configuration parameters.
6. Under Profile Details, do the following:
   a. Make sure Virtual AP enable is selected.
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3. Under Profiles, select AP to display the AP profiles.
3. Enter the policy name in the Policy Name field.
4. From the Policy Type drop-down list, select IPv4 Session.
5. To create the first rule:
   a. Under Rules, click Add.
   b. Under Source, select any.
3. Select the AAA profile that you just created:
   a. For Initial role, select the user role you just created.
   b. For 802.1X Authentication Default Role, select the appropriate role for your remote AP configuration, then click Apply.
7. Under Profiles, select AP, then AP system profile.
8. Under Profile Details, do the following:
   a. Select the AP system profile to edit.
   b. At the LMS IP field, enter the LMS IP address.
The DNS setting is part of provisioning the AP. The easiest way to provision an AP is to use the Provisioning page in the WebUI. These instructions assume you are only modifying the switch information in the Master Discovery section of the Provision page.
You define the LMS parameters in the AP system profile.
Figure 101 Sample Backup Switch Scenario
Configuring the LMS and backup LMS IP addresses
In the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
RAP through wired or wireless interfaces in split-tunnel/bridge forwarding modes. This allows the clients to effectively communicate with each other without routing the traffic via the switch. You can use WebUI or CLI to enable the local network access.
To edit an existing profile, select a profile from the Profile Details pane. To create a new authorization profile, enter a new profile name in the entry blank on the Profile Details pane, then click Add.
MAC ACLs—Filter traffic on a specific source MAC address or range of MAC addresses.
Firewall policies (session ACLs)—Identify specific characteristics of a data packet passing through the Alcatel-Lucent switch and take some action based on that identification. You apply these ACLs to user roles or uplink ports.
5. From the IP Version drop-down list, select IPv4 or IPv6.
6. To create the first rule:
   a. Under Rules, click Add.
   b. Under Source, select any.
   c. Under Destination, select any.
(host) (config) #ap system-profile <profile>
  lms-preemption
  lms-hold-down period <seconds>
netdestination <policy>
  network <ipaddr> <netmask>
  network <ipaddr> <netmask>
(host) (config) #ip access-list session <policy>
  any any svc-dhcp permit
  any alias <name> any permit
4. From the Policy Type drop-down list, select IPv4 Session.
5. To create the first rule:
   a. Under Rules, click Add.
   b. Under Source, select localip.
   c. Under Destination, select any.
   d. Under Action, select permit.
   e. Click Apply.
Select the Radius Accounting Server Group profile associated with the AAA profile. Click the RADIUS Accounting Server Group drop-down list to select a RADIUS server group. (For more information on configuring a RADIUS server or server group, see Configuring a RADIUS Server on page 179.)
From the VLAN drop-down menu, select the VLAN ID for the VLAN to be used for split tunneling.
   c. From the Forward mode drop-down menu, select split-tunnel.
   d. Click Apply.
In the CLI
(host) (config) #wlan ssid-profile <profile>
  essid <name>
  opmode <method>
Only the 802.1X authentication request is sent to the corporate network. This feature is useful for guest users. AOS-W does not support Wired 802.1X authentication in bridge mode for RAP and CAP. 802.1X authentication is supported only in tunnel and split modes.
First you need to configure a session ACL that “permits” corporate traffic to be forwarded to the switch and that routes, or locally bridges, local traffic.
In the WebUI
1. Navigate to the Configuration > Security > Access Control > Policies page.
Enter the desired name for the role in the Role Name field.
   c. Under Firewall Policies, click Add.
   d. From the Choose from Configured Policies drop-down menu, select the policy you just configured.
   e. Click Done.
RADIUS accounting server.
5. Click Apply.
If you need to create an authentication server group, select new and enter the appropriate parameters.
In the CLI
Use the following command:
(host) (config) #aaa profile <name>
2. Under Profiles, navigate to AP > AP System Profile. You can create a new AP system profile to configure bandwidth reservation or edit an existing AP system profile. Under the Profiles Details page, specify bandwidth reservation values.
4G modem in the 4G USB type field. Starting with AOS-W 6.3, you can configure drivers for either a 3G or a 4G modem using the USB field, and the 4G USB Type field is deprecated.
Provisioning RAP Using Zero Touch Provisioning
You provision the RAP using the provisioning wizard:
1. Navigate to the RAP configuration URL: http://rapconsole.alcatel-lucent.com.
2. Enter the IP address or hostname of the switch.
3. Click the Show Advanced Settings link, shown in Figure 107.
Click Save after you have entered all the details.
Provision the RAP on a PPPoE Connection
Select the PPPoE tab and enter the required details. See Table 160 for information on parameters.
Figure 109 Provision RAP on a PPPoE Connection
Figure 110 Provision using a preconfigured USB Modem
2. If your modem name is not listed, select Other and manually enter the following details. These are available from the manufacturer of your modem or from your IT administrator:
802.11 b/g wireless services. See the Alcatel-Lucent OAW-RAP3WN Installation Guide for more information. These access points require Alcatel-Lucent Instant 3.0 or later to operate as an Instant AP, or AOS-W 6.1.4.0 or later to operate as a Remote AP.
6. The IAP reboots and begins operating in RAP mode.
7. After conversion, the IAP is managed by the Alcatel-Lucent switch that was specified in the Instant UI.
For the RAP conversion to work, ensure that you add the Instant AP to the RAP whitelist and enable the FTP service on the switch.
Applying Contracts Per-Role
Use the following commands to apply the contracts on a per-role basis for upstream and downstream:
For an upstream contract of 512 Kbps:
(host) (config) #user-role authenticated bw-contract 512k upstream
Flags: P - Permanent, W - WEP, T - TKIP, A - AESCCM, G - AESGCM, V - ProxyArp to/for MN (Visitor), N - VPN, L - local, Y - Any IP user, R - Routed user, M - Media Capable,
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
r - Route Nexthop
A - Application Firewall Inspect
1. Navigate to Configuration > ADVANCED SERVICES > All Profiles.
2. In the Profiles section, expand AP > AP system.
3. Select the default ap system-profile.
4. In the Profile Details section, click the Advanced tab.
Remote-AP bw reservation 3
Remote-AP Local Network Access    Disabled
Bootstrap threshold
Double Encrypt                    Disabled
Dump Server
Heartbeat DSCP
Maintenance Mode                  Disabled
Maximum Request Retries
Request Retry Interval            10 sec
Number of IPSEC retries
                                  Disabled
AP Console Password               ********
Password for Backup               ********
AP USB Power override             Disabled
RF Band for Backup
Operation for Backup
BLE Endpoint URL
BLE Auth Token
BLE Operation Mode                Disabled
AOS-W VIA requires the PEFV license and is supported on OAW-40xx Series and OAW-4x50 Series switches.
Figure 112 AOS-W VIA Topology
For more details on configuring, installing, and using AOS-W VIA, refer to the latest version of the Alcatel-Lucent AOS-W VIA 2.0 User Guide.
AP on that radio can be configured as a spectrum monitor. However, dual-radio mesh APs can have the client access radio configured as a Spectrum monitor or hybrid AP while the other radio supports mesh backhaul traffic. AOS-W 6.5.3.x | User Guide Spectrum Analysis |...
Spectrum Monitors: this window displays a list of active spectrum monitors and hybrid APs streaming data to your client, the radio band the device is monitoring, and the date and time the SM or hybrid AP was
Trend Spectrum monitors can show data for multiple channels, while a hybrid AP shows utilization levels for its one monitored channel only. For details, see Channel Utilization Trend on page 774.
The maximum number of spectrum monitor radios and hybrid AP radios on a switch is limited only by the number of APs on that switch. If desired, you can configure every radio on an AP that supports the Spectrum
For details on changing the channel monitored by a hybrid AP, see 802.11a and 802.11g RF Management Profiles on page 558.
2. Click Edit by the name of the AP group you want to convert to hybrid APs.
3. Under the Profiles list, expand the RF Management menu.
4. To enable a spectrum monitor on the 802.11a radio band, select the 802.11a radio profile menu.
6. (Optional) Repeat steps 4-6 to convert other AP radios to spectrum monitors, as desired. To remove a spectrum monitor from the override entry list, select that radio name in the override entry list, then click Delete.
7. Click Apply.
To connect one or more spectrum devices to your client:
1. Navigate to Monitoring > Spectrum Analysis.
2. Click the Spectrum Monitors tab.
Monitoring > Spectrum Analysis > Spectrum Monitors window displays a table of currently connected spectrum devices. This table includes the name of each spectrum monitor or hybrid AP and its current radio band (2GHz or 5GHz):
60 seconds after you close the spectrum client browser window. During this 60-second period, the spectrum monitor is still connected to the client.
After you have selected the initial spectrum monitor or hybrid AP for a graph, you can display data for a different spectrum device at any time by clicking the down arrow by the device name in the chart titlebar and selecting a different connected spectrum monitor or hybrid AP.
To rename a Spectrum Analysis Dashboard view:
1. From the Monitoring > Spectrum Analysis > Spectrum Dashboards window, click the down arrow to the right of the dashboard view you want to rename.
2. Select Rename.
If you change graphs in a spectrum view but do not save your settings, you are prompted to save or cancel your changes when you close the spectrum dashboard browser window.
4. When you are done, click OK at the bottom of the Options window to hide the options window.
5. (Optional) Click Save Spectrum View at the top of the window to save your new settings.
Channel Numbering drop-down list and select either 20 MHz or 40 MHz channel numbering to identify a channel numbering scheme for the graph. Graphs for AP radios that support 802.11ac include an additional 80 MHz option for very-high-throughput channels.
ID number by clicking the icon below any column heading and specifying the values or value ranges that should appear in the table. Table 165 describes each of the columns in the table and the filters that can be applied to the table output.
To display entries within a specific range of duty cycles, enter the minimum duty cycle percentage in the Min field and enter the maximum duty cycle percentage in the Max field. Click OK to save your settings and return to the Active Devices table.
Click OK to save your settings and return to the Active Devices table. NOTE: This option is not available for Active Devices tables created by a hybrid AP, because each hybrid AP monitors a single channel only.
Options menu to access the Active Devices Trend configuration settings. Once you have configured the desired parameters, click OK at the bottom of the Options menu to save your settings and return to the spectrum dashboards.
ACI and non-Wi-Fi interfering devices. Unlike the ACI shown in the Interference Power chart, the ACI shown in this graph indicates the percentage of channel time that is occupied by ACI or unavailable for Wi-Fi communication due to ACI.
Options menu to access these configuration settings. Once you have configured the desired parameters, click OK at the bottom of the Options menu to save your settings and return to the spectrum dashboards.
For more information on how the spectrum analysis feature determines the quality of a channel, see Channel Metrics on page 768. When you hover your mouse over any line in the chart, a tooltip displays channel quality or availability data for that individual channel at the selected time.
Channel Quality, or Channel Availability. Select the checkbox beside each channel entry to show that information on the chart, or deselect the checkbox to hide that information.
This value is calculated by determining the maximum noise-floor and interference-signal levels, and then calculating how strong the desired signal is above this maximum.
Options menu to access these configuration settings. Once you have configured the desired parameters, click OK at the bottom of the Options menu to save your settings and return to the spectrum dashboards.
When you hover your mouse over any line in the chart, a tooltip shows the percentage of the channel being utilized at the specified time. The example in Figure 127 shows that channel 1 was 70% used at the selected time in the chart.
If a device affects more than one channel, it is recorded as a device on all channels it affects. For example, if a 20 MHz Wi-Fi AP has a center frequency of 2437 MHz (channel 6), it is counted as a device on channels 3-9.
This graph displays all channels within the spectrum monitor’s radio band by default. NOTE: This parameter is not configurable for graphs created by hybrid APs.
This chart shows the current duty cycle for devices on all channels being monitored by the spectrum monitor radio by default. Table 173 describes the other optional parameters you can use to customize the FFT Duty
Power Chart is the ACI power level based on the signal strength(s) of the Wi-Fi APs on adjacent channels. A higher ACI value in Interference Power Chart does not necessarily mean higher interference, because the AP
Click the down arrow in the upper right corner of this chart, then click the Options menu to access these configuration settings. Once you have configured the desired parameters, click OK at the bottom of the Options menu to save your settings and return to the spectrum dashboards.
Channel availability is indicated by a range of colors between dark blue, which represents 100% channel availability, and red, which represents 0% availability. For additional information on interpreting an Alcatel-Lucent Spectrogram plot, see Swept Spectrogram on page 783.
Older data is pushed up higher on the chart until it reaches the top of the spectrogram and ages out. The example below shows the Alcatel-Lucent Quality Spectrogram chart after it has recorded over 1,500 seconds of FFT data.
Figure 131 Quality Spectrogram...
Options menu to access these configuration settings. Once you have configured the desired parameters, click OK at the bottom of the Options menu to save your settings and return to the spectrum dashboards.
-90 dBm, and red, which represents a higher -50 dBm. The duty cycle Swept Spectrogram chart shows the percentage of the time tick interval that the selected channel or frequency
If the graph was then flattened so each channel’s FFT power for that single 1-second sweep was represented only by a color (and not by a value on the y-axis), the graph could then appear as follows:
Options menu to access these configuration settings. Once you have configured the desired parameters, click OK at the bottom of the Options menu to save your settings and return to the spectrum dashboards.
Page 786
Show Select FFT Avg, FFT Max or FFT Duty Cycle to select the type of data you want to appear in this chart. 786| Spectrum Analysis AOS-W 6.5.3.x | User Guide...
Hopper (Other) categories, it is classified as Frequency Hopper (Other). Some examples include IEEE 802.11 FHSS devices, game consoles, and cordless/hands-free devices that do not use one of the known cordless phone protocols. AOS-W 6.5.3.x | User Guide Spectrum Analysis | ...
Viewing Spectrum Analysis Data You can use the command-line interface to view spectrum analysis data from any spectrum monitor, even if that spectrum monitor is currently sending data to another spectrum monitor client’s WebUI. 788| Spectrum Analysis AOS-W 6.5.3.x | User Guide...
80211g radio on a spectrum monitor. Shows a list of APs currently configured as spectrum show ap spectrum monitors monitors. Saves spectrum data for later analysis by your Alcatel-Lucent show ap spectrum technical-support technical support representative. Recording Spectrum Analysis Data The spectrum analysis tool allows you to record up to 60 continuous minutes (or up to 10 Mb) of spectrum analysis data.
Page 790
After the recording has ended, either because the recording period has elapsed, the recording maximum file size has been reached, the Spectrum Monitor Recording Complete window appears and displays information for the current recording. Figure 139 Saving Spectrum Analysis Data To save the recording file: 790| Spectrum Analysis AOS-W 6.5.3.x | User Guide...
Page 791
The Omnivista RFPlayback tool can play spectrum recordings created in this and earlier versions of AOS-W. Alcatel-Lucent uses the Adobe AIR application to display spectrum recording information. If you have not done so already, follow the steps below to download and install the free Adobe AIR application and the Alcatel- Lucent spectrum playback tool.
If you access the spectrum analysis dashboard using the Safari 5.0 browser, clicking the backspace button may return you to the previous browser screen. Avoid using the backspace button when changing dashboard view names or chart options. 792| Spectrum Analysis AOS-W 6.5.3.x | User Guide...
Page 793
Analysis feature. The RFPlayback tool can play spectrum recordings created in the same version of AOS-W or earlier releases. If the RFPlayback tool cannot load a newer recording, you may need to download a more recent version of the tool from the Alcatel-Lucent website. AOS-W 6.5.3.x | User Guide...
APs, and WLANs to navigate the related summary page with the filters applied. The WAN page displays the Wide Area Network (WAN) summary details for VLANs. The WAN page is available only in branch switches. The following figure displays a snapshot of the WAN summary dashboard:
AP is taking four times longer than the ideal transmission time, or sending 3 extra transmissions to that client for every packet. To understand histogram information, see Using Dashboard Histograms on page 796.
AirGroup servers sorted by the services they advertise. For more information, see Switch Dashboard Monitoring on page 1018. Overall Usage: The total number of clients and APs that have the low usage and throughput data in the last 15 minutes.
Custom Columns; choose the Edit Current View option to select the columns that you want to view. Traffic Analysis. Starting from AOS-W 6.5, the AppRF page has been renamed to Traffic Analysis. This page has the following tabs: AppRF, Web Content.
The Action bar displays the total traffic depending on the filters applied, allows the user to configure per Application, per Role, and Global Policy, and includes the Action buttons Block/Unblock, Throttle, and QoS. Figure 143 Action Bar
Application categories == web and Application == https. See the following figure. Figure 145 Multiple Filters Applied. The action bar reflects the total traffic based on the filter applied. For example, see Figure 146 and Figure 147. Figure 146 Total traffic with Web Filter
In the WLANs rectangle tile, wired indicates the traffic initiated by wired users and traffic from uplink ports. Figure 148 Details. Figure 149 User filtered by <filter>. Clicking on Details or User filtered by <filter> shows the user table; see Figure 150 and Figure 151.
AppRF main page. When filters are not applied, all the pop-up windows allow the user to configure global or per-role configuration. The following table shows the pop-up window with respect to the Action button and the filter applied:
180. Click on Show policy tables. Block allows only permit action and priority setting. 2. To create a new Global rule: a. Click on the Global Policy tab; the following pop-up window appears:
Click on the Per-role policies tab; the following pop-up window appears: Figure 154 Per-role Policies Tab. b. Select a role from the list, or click on New below the role pane to create a new role and select the newly created role.
Alcatel-Lucent uses Webroot classified categories and score for web categories and reputation for WebCC. The current policy enforcement model in Alcatel-Lucent relies on L3/L4 information of the packet or L7 information with Deep Packet Inspection (DPI) support to apply rules. WebCC complements this as the user is allowed to apply firewall policies based on web content category and reputation.
Clicking on a box filters the rest of the page data with the clicked Role as the filter, and this chart is locked until the filter is removed by clicking on Remove filter on <role name>. For example, see the following figure.
Top 9 category view with reputation chart. Figure 161 Category View - Top 9. Details Table: Click on the web category link above the Category view chart to display the details table as shown in the following figure.
Traffic: Traffic of the user on the website. Web Content Filters: The Web content tree chart filter behaves in the same way as described in Filters on page 799. Filters can be applied to Web Categories, Roles, and Reputation containers.
Click OK. For example, the following two figures show applying a policy on a web category filter and on a Role + Category + Reputation filter: Figure 165 Policy on Web Category Filter
Figure 167 Throttle on Category Filter. When multiple bandwidth contracts exist, the precedence is as follows: WebCC Global bandwidth contract, Application bandwidth exception list, Application Category bandwidth exception list.
The new CLI extends the existing policy configuration to take a web category, a reputation, or both. Use the following command to configure a new policy that creates an ACL rule with web category and reputation:
ACLs this wouldn’t be possible.
(config) #user-role guest2
(config-role) #access-list session whitelist
If there is a web-cc/app rule that is applicable globally across user-roles, then there is no way to override such behavior. This is a limitation.
AMON feed generation is enabled by default. For system logging only, enable the blk-session option of the firewall visibility CLI command. In the switch WebUI, navigate to Dashboard > Traffic Analysis > Blocked Sessions to view blocked sessions. You can view this page for the following information:
To view the Traffic dashboard in the WebUI: 1. Navigate to the Dashboard > Traffic Analysis page. 2. Click the Traffic tab, and select Inbound Traffic/Outbound Traffic to view the traffic in various countries.
Click Unblock to unblock all inbound traffic coming from the selected country. Threats: This dashboard displays the geolocation threat map indicating the top countries/regions from which virus/spyware/malware/botnet attacks originated or to which they are destined.
The Threats Map View displays a map of the world with countries color-coded to illustrate the number of threats detected. Following is a sample of the threat map and the number of threats that each color indicates.
Threat Map List: The Threats Map List displays a list of countries, the type of threat, and the source and destination IP. Following is a sample of the threat map list.
The Threats by Type treemap displays a treemap with the number of threats grouped by type. Click the Details link under the Threats by Type treemap to view the Threats List View filtered for the selected threat type.
AirGroup Server’s IP address. AirGroup Server’s MAC address. Role: Role assigned to the AirGroup server. Wired/Wireless: Type of connection between the device and the LAN. AP Name: Name of the AP to which the device is associated.
A new UCC tab is introduced under the Dashboard tab. Navigate to the Dashboard > UCC page to view the UCC dashboard. Clicking the UCC hyperlink displays the following characteristics (in graphical format) of the UCC deployment.
QoS setting, the call is classified as QoS Corrected. This graph displays the number of UCC calls where the switch has corrected the DSCP QoS value for such calls. The QoS correction is categorized as: No – No UCC QoS call correction.
CDRs. See Figure 179. Figure 179 External Call List. Controller: The Controller page displays details of the switch and its health-related information, such as CPU usage, memory usage, temperature, and fan speed.
If the temperature is high, that data is shown in red. Each color represents the percentage of usage, where red is high, yellow is moderate, and green is low. Figure 181 Temperature Tab
Radios: The summary of APs and clients, channel, and its utilization. Charts: The summary of WLAN details in graphs. Firewall: The summary of users, destinations, applications, devices and their roles. You can perform the following tasks on this page:
Custom Columns; choose the Edit Current View option to select the columns that you want to view. You can also choose one of the following system-defined views that have the appropriate pre-selected columns. Default Columns—You cannot edit this view.
View AP details: Click on the hyperlinked AP name to view the Access Points page. View WLAN details: Click on the hyperlinked SSID of the WLAN to view the WLANs page.
The Alcatel-Lucent AppRF technology integrated with PEF delivers mobile application traffic visibility through a simple dashboard that shows the applications in use by user and device. It gives network administrators insights on the applications that are running on their network, and the users using them.
Bytes: Total number of bytes transmitted and received by an element. Tx Bytes: Total number of bytes transmitted by an element. Rx Bytes: Total number of bytes received by an element.
The Element Summary View displays a detailed view of all the six elements and their corresponding fields: Figure 1a Element Summary View. Figure 1b Element Summary View (continued). See the following table for more information on Element Summary View fields:
Destination, and salesforce.com under Application, the Element Summary View and Aggregated Sessions sections display session information based on the selected rows. The following figure shows the selected row in each element:
Figure 186 Usage Breakdown. Aggregated Sessions: The Aggregated Sessions section displays a list of all user and non-user sessions on the switch. Figure 2a Aggregated Sessions
Sort: Click a column header of the table to sort the list by column. You can also use the sort icon that appears when you click on a column. Filter: Click the filter icon on the first column and select the filter criterion to filter the entries.
854. 2. Configure certificate authentication for WebUI management. You can optionally also select username/password authentication. 3. Configure a user with a management role. Specify the client certificate for authentication of the user.
1. Import the X.509 client certificate into the switch using the WebUI, as described in Importing Certificates on page 857. 2. Configure SSH for client public key authentication. You can optionally also select username/password authentication.
The switch supports two types of WebUI session timer: Idle Session Timeout: This setting specifies the time of inactivity after which the WebUI session times out and requires login for continued access.
Enable WebUI access on HTTPS port (443): false. Web Skype4B Listen Protocol/Port Config. Enable bypass captive portal landing page: true. Enabling RADIUS Server Authentication: This section includes many different types of RADIUS server configuration and related procedures.
In this scenario, an external RADIUS server authenticates management users and returns to the switch the Alcatel-Lucent vendor-specific attribute (VSA) called Alcatel-Lucent-Admin-Role that contains the name of the management role for the user. The authenticated user is placed into the management role specified by the VSA.
Configuring RADIUS Server Authentication with Server Derivation Rule Alcatel-Lucent switches do not make use of any returned attributes from a TACACS+ server. A RADIUS server can return to the switch a standard RADIUS attribute that contains one of the following...
Click Apply.
In the CLI:
aaa authentication-server radius rad1
    host <ipaddr>
    enable
aaa server-group corp_rad
    auth-server rad1
    set role condition Class equals it set-value root
aaa authentication mgmt
    default-role read-only
    enable
    server-group corp_rad
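Added example, not AOS-W code: a small evaluator for management-role server derivation rules of the form shown in the CLI above (Class equals it sets root; default-role read-only), applied to the attributes a RADIUS server returns. The operator names other than equals, the rule ordering and the first-match semantics are assumptions of this example, not confirmed switch behaviour.

```python
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class DerivationRule:
    """One 'set role condition <attribute> <operator> <value> set-value <role>' rule."""
    attribute: str   # returned RADIUS attribute to test, e.g. "Class"
    operator: str    # "equals" is the page's operator; the others are assumed here
    value: str       # literal the attribute value is compared against
    role: str        # management role assigned when the condition holds


def condition_holds(operator: str, attr_value: str, literal: str) -> bool:
    """Evaluate a single condition. Comparison is exact and case-sensitive."""
    if operator == "equals":
        return attr_value == literal
    if operator == "starts-with":
        return attr_value.startswith(literal)
    if operator == "ends-with":
        return attr_value.endswith(literal)
    if operator == "contains":
        return literal in attr_value
    raise ValueError(f"unsupported operator: {operator!r}")


def derive_mgmt_role(returned_attrs: Dict[str, Sequence[str]],
                     rules: Sequence[DerivationRule],
                     default_role: str = "read-only") -> str:
    """Pick the management role for an authenticated user.

    returned_attrs maps an attribute name to every value the server returned
    for it (RADIUS attributes such as Class may appear more than once).
    Rules are evaluated in order and the first match wins (assumed ordering);
    a user matching no rule gets default_role, so keep that role read-only.
    """
    for rule in rules:
        for attr_value in returned_attrs.get(rule.attribute, ()):
            if condition_holds(rule.operator, attr_value, rule.value):
                return rule.role
    return default_role


# The page's example: Class equals "it" maps to root; everyone else is read-only.
CORP_RAD_RULES = (DerivationRule("Class", "equals", "it", "root"),)

if __name__ == "__main__":
    for attrs in ({"Class": ["it"]}, {"Class": ["hr", "it"]}, {"Class": ["ITADMIN"]}, {}):
        print(attrs, "->", derive_mgmt_role(attrs, CORP_RAD_RULES))
```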
For details, see Implementing a Specific Management Password Policy on page 848. Figure 187 is an example of how to reset the password. The commands in bold type are what you enter.
To define a timeout interval for a WebUI session, use the command:
(host)(config) #web-server profile
(host)(Web Server Configuration) #session-timeout <session-timeout>
In the above command, <session-timeout> can be any number of seconds from 30 to 3600, inclusive.
Specify if the switch and OmniVista server should communicate using SNMPv2 or SNMPv3. SNMPv3 communications between a switch and an OmniVista server use SHA authentication and AES encryption. If you select SNMPv2, you must enter an SNMP community string.
AMON Message Size Changes on the Switch Data communication between Alcatel-Lucent switches and OmniVista servers has shifted from the SNMP model to the faster, more reliable, and scalable AMON model. Though the SNMP model can still be used to communicate data, users generally encounter delayed OmniVista updates and high switch and process CPU usage.
Provides network administrators and engineers with information on client connectivity failures. Easier DHCP debugging. Enabling Inline Monitoring Statistics: You can enable the Inline Monitoring statistics using the mgmt-server profile command in the CLI.
Provide whole network overview (WLAN and Wired). Support Wi-Fi and Internet Protocol Service Level Agreement (IP SLA). Troubleshoot remote network using client traffic (Synthetic). For more information, refer to the Clarity chapter of the OmniVista 8.2.3 User Guide.
RAP flash. A corresponding CSR is exported so it can be signed by the required CA to use as the RAP certificate. This RAP certificate can then be uploaded using the Upload button on the RAP Console page.
Uploading the Certificate When using the “rapconsole.alcatel-lucent.com” page on a bridge/split-tunnel RAP to manage certificates on the RAP, a blank page or a page that does not have the Certificates tabs on it may display. The RAP provisioning page that is standard on the RAP may conflict with the “rapconsole”...
<, >, {, }, [, ], :, ., comma, |, +, ~. Username or Reverse of Username NOT in Password: When you select this checkbox, the password cannot be the management user’s current username or the username spelled backwards.
Standard Role: A role that has all the root privileges but cannot make changes to the management users. network-operations: Network operations role. no-access: No commands are accessible for this role.
Preload.” Click the link in the warning message to enable this feature and display the AP Image Preload settings. 2. Configure the settings described in the table below, then click Apply to save your changes.
Maintenance > WLAN > Preload AP Image window in the WebUI. The output of the show ap image-preload-status CLI command and the AP Image Preload Status and AP Image Preload Status Summary tables in the WebUI contain the following information:
1. Navigate to Maintenance > Controller > Image Management. 2. Click the Local Configuration tab. 3. Click the Enable checkbox to enable this feature. When this option is selected, the WebUI displays the following centralized image configuration parameters.
2. Enter the IP address of a switch or the subnet mask of a group of local switches. 3. Click Add. 4. (Optional) Repeat steps 1-3 to add a new target. 5. Click Apply to save your changes.
There is a default server certificate installed in the switch to demonstrate the authentication of the switch for captive portal and WebUI management access. However, this certificate does not guarantee security in...
Alcatel-Lucent strongly recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted Certificate Authority (CA). This section describes how to generate a Certificate Signing Request (CSR) to submit to a CA and how to import the signed certificate received from the CA into the switch.
<country_val> state_or_province <state> city <city_val> organization <organization_val> unit <unit_val> email <email_val>
RSA-1024 is not permitted if the switch is operating in the FIPS mode.
2. Display the CSR output with the following command:
show crypto pki csr
In the CLI: Use the following command to import CSR certificates:
crypto pki-import {der|pem|pfx|pkcs12|pkcs7} {PublicCert|ServerCert|TrustedCA} <name>
The following example imports a server certificate named cert_20 in DER format:
crypto pki-import der ServerCert cert_20
When a client certificate is being authenticated for a user-centric network service, the switch checks with the appropriate CA to make sure that the certificate has not been revoked.
Follow the steps below to configure the USB certificate store: 1. Copy the PKCS12 certificate bundle to a USB device. 2. Enter a name for the certificate using the correct naming convention as mentioned above.
Configuring SNMP: Alcatel-Lucent switches support versions 1, 2c, and 3 of Simple Network Management Protocol (SNMP) for reporting purposes only. In other words, SNMP cannot be used for setting values in an Alcatel-Lucent system in...
Alcatel-Lucent-specific management information bases (MIBs) describe the objects that can be managed using SNMP. See the AOS-W MIB Reference Guide for information about the Alcatel-Lucent MIBs and SNMP traps. SNMP Parameters for the Switch: You can configure the following SNMP parameters for the switch.
A wlsxThresholdCleared SNMP trap and error message will be triggered if the resource usage drops below the threshold once again. The following table describes the thresholds that can be configured with this feature.
May 14 13:13:58 nanny[1393]: <399816> <ERRS> |nanny| Resource 'Control-Path Memory' has gone above threshold, value : 93
May 14 13:16:58 nanny[1393]: <399816> <ERRS> |nanny| Resource 'Control-Path Memory' has come below threshold, value : 87
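Added example, not AOS-W code: a parser for the nanny resource-threshold syslog messages shown above that pairs each "gone above" event with its "come below" clearance, so an operator forwarding these logs can see how long a resource stayed over threshold and which resources are still over it. The first two sample lines are the page's own; the other two are constructed for this example.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Message format of the nanny threshold lines quoted above. The syslog
# timestamp carries no year, so durations are computed from month/day/time.
NANNY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"nanny\[(?P<pid>\d+)\]: <(?P<msgid>\d+)> <(?P<sev>[A-Z]+)> \|nanny\| "
    r"Resource '(?P<resource>[^']+)' has (?P<direction>gone above|come below) "
    r"threshold, value : (?P<value>\d+)$"
)


def parse_nanny_line(line: str) -> Optional[dict]:
    """Parse one syslog line; return None for lines that are not threshold messages."""
    m = NANNY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "time": datetime.strptime(d["ts"], "%b %d %H:%M:%S"),
        "msgid": int(d["msgid"]),
        "severity": d["sev"],
        "resource": d["resource"],
        # 'gone above' is the exceeded event; 'come below' is the clearance that
        # the page says also raises the wlsxThresholdCleared trap.
        "event": "exceeded" if d["direction"] == "gone above" else "cleared",
        "value": int(d["value"]),
    }


def track_threshold_incidents(lines: List[str]) -> Dict[str, List[dict]]:
    """Pair each exceeded event with its clearance, per resource.

    Returns {resource: [incident, ...]} where an incident has 'start', 'end'
    (None while the resource is still above threshold) and 'peak' (highest
    value reported while above threshold). Repeated exceeded messages for a
    resource that is already above threshold only update the peak.
    """
    incidents: Dict[str, List[dict]] = {}
    open_incident: Dict[str, dict] = {}
    for line in lines:
        ev = parse_nanny_line(line)
        if ev is None:
            continue
        res = ev["resource"]
        if ev["event"] == "exceeded":
            if res in open_incident:
                open_incident[res]["peak"] = max(open_incident[res]["peak"], ev["value"])
            else:
                inc = {"start": ev["time"], "end": None, "peak": ev["value"]}
                open_incident[res] = inc
                incidents.setdefault(res, []).append(inc)
        else:
            # A clearance with no open incident (e.g. the exceeded line was
            # rotated out of the log) is ignored rather than inventing a start.
            inc = open_incident.pop(res, None)
            if inc is not None:
                inc["end"] = ev["time"]
    return incidents


def still_over_threshold(incidents: Dict[str, List[dict]]) -> List[str]:
    """Resources whose latest incident has not been cleared."""
    return sorted(r for r, incs in incidents.items() if incs[-1]["end"] is None)


def incident_seconds(inc: dict) -> Optional[int]:
    """Duration of a cleared incident in seconds; None if still open."""
    if inc["end"] is None:
        return None
    return int((inc["end"] - inc["start"]).total_seconds())


# The first two lines are the page's own; the other two are constructed for
# this example (a second resource that never clears, and an unrelated line).
SAMPLE_LINES = [
    "May 14 13:13:58 nanny[1393]: <399816> <ERRS> |nanny| Resource 'Control-Path Memory' has gone above threshold, value : 93",
    "May 14 13:16:58 nanny[1393]: <399816> <ERRS> |nanny| Resource 'Control-Path Memory' has come below threshold, value : 87",
    "May 14 13:18:02 nanny[1393]: <399816> <ERRS> |nanny| Resource 'Datapath CPU' has gone above threshold, value : 91",
    "May 14 13:19:00 nanny[1393]: <399999> <INFO> |nanny| Example unrelated message (constructed)",
]

if __name__ == "__main__":
    found = track_threshold_incidents(SAMPLE_LINES)
    for res, incs in found.items():
        for inc in incs:
            end = inc["end"].time() if inc["end"] else "open"
            print(res, inc["start"].time(), "->", end, "peak", inc["peak"])
    print("still over threshold:", still_over_threshold(found))
```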
Protocol packet dump messages. mobility: Mobility messages. dhcp: DHCP messages. SDN messages. GP messages. System: System messages, All system messages. configuration: Configuration messages. messages: Messages. snmp: SNMP messages. webserver: Web server messages.
Any critical conditions such as a hard drive error. Errors: Error conditions. Warnings: Warning messages. Notifications: Significant events of a non-critical and normal nature. Informational: Messages of general interest to system users. Debugging: Messages containing information useful for debugging.
The IP address associated with the source-interface vlan specified by the user is set as the source IP to send the syslog messages to the remote server.
1. Navigate to the Configuration > Management > Guest Provisioning page. The Guest Provisioning configuration page displays with the Guest Fields tab on top. This tab contains the following columns: Internal Name—The unique identifier that is mapped to the label in the UI.
Best practice is to check the Display in Listing field for only the most essential fields, so that the Guest Provisioning user does not have to scroll the guest listing horizontally to see all the columns.
“Supervisor.” You can enter username, full name, department and Email information into the optional fields. Or, you can use this category for some other purpose. optional_field_1: optional_field_1 description. optional_field_2: optional_field_2 description. optional_field_3: optional_field_2 description. optional_field_4: optional_field_2 description.
You can complete this step using the WebUI or CLI commands: Configuring the SMTP Server and Port in the WebUI on page 872; Configuring an SMTP server and port in the CLI on page 872.
Regardless of whether you select this option, the person responsible for managing the Guest Provisioning page may choose to send this email message manually at any time. Figure 192 shows a sample email message that is sent to the guest after the guest account is created.
5. In the Password and Confirm Password fields, enter the user’s password and reconfirm it. 6. From the Role drop-down menu, select guest-provisioning. 7. Click Apply. Static Authentication Method: Before using this method, make sure that the correct CA certificate is uploaded to the switch.
A guest user account that is created by the network administrator can only be viewed, modified or deleted by the network administrator. Figure 194 Creating a Guest Account—Guest Provisioning Page
Email from this window to either the guest or the sponsor. When you send an email from the Details pop-up window, a pop-up message confirming that the email was successfully processed displays. Figure 195 Creating a Guest Account—Show Details Pop-up Window
To import a CSV file that contains multiple guest entries, the Guest Provisioning user must follow these steps: 1. Log in to the WebUI using the username and password assigned to the Guest Provisioning user. 2. Click on Import. The Import Guest List pop-up window displays. See Figure 197.
4. Click Import. A window displays that lets you open the CSV file in text format. (See Figure 198.) Open the text file to see a summary of the number of users and error messages if users are not imported.
(username) is automatically generated based on the default value in the Suffix for auto-generated field. Make changes or corrections to the guest entry information in the text file. A user can also change the start time and end time from this window. Save and exit the file.
3. Optionally, click Print policy text if you want your company policy text to appear on the print out. 4. Click Show preview to view the information before it is printed. 5. Click Print to print the guest account information.
You can set the maximum expiration time (in minutes) for guest accounts. If the guest-provisioning user attempts to add a guest account that expires beyond this time period, an error message is displayed and the...
The SCP server or remote host must support SSH version 2 protocol. The following table lists the parameters that you configure to copy files to or from a switch.
3. Select Download Logs to download the log files into a WinZip file on your local PC. 4. Click Apply.
In the CLI:
tar logs
copy flash: logs.tar tftp: <tftphost> <destfilename>
copy flash: logs.tar scp: <scphost> <username> <destfilename>
7. Under NTP Trusted Keys, enter a string in the Trusted Key field. This is a subset of keys which are trusted. The trusted key value must be a numeric value between 1 and 65535. 8. Click Apply.
(host) (config) #ntp server <server IP> <iburst key> <key>
Configuring NTP Standalone: The NTP standalone feature enables an Alcatel-Lucent switch to act as an NTP server so that devices that do not have access to the internet can synchronize their clocks. Enabling this feature eliminates the need to provision and maintain another virtual machine on the network.
10.4.191.32:443 Whitelist Synchronization AOS-W allows switches to synchronize their remote AP whitelists with the Alcatel-Lucent Activate cloud-based services. When you configure Activate whitelist synchronization, the switch will securely contact the Activate server and download the contents of the whitelist on the Activate server to the whitelist on the switch. The switch and the Activate server must have layer-3 connectivity to communicate.
The switch's CLI displays the following message upon failure: (host0) #ap regulatory activate reg-data-1.0_00002.txt Failed to activate regulatory file reg-data-1.0_00002.txt. File Version should be greater than 1.0_43859 APs do not rebootstrap or reboot on activation. AOS-W 6.5.3.x | User Guide Management Access | ...
Page 890
In the WebUI To activate a specific regulatory file using the WebUI: 1. Navigate to Maintenance > File > Regulatory Files. 2. Select a regulatory file from the File List. 3. Click Activate. 890| Management Access AOS-W 6.5.3.x | User Guide...
Page 891
To view the version of Regulatory Cert currently active on all switches, execute the following command: (host) #show switches regulatory To view the file synching profile settings, execute the following command: (host) #show file syncing profile AOS-W 6.5.3.x | User Guide Management Access | ...
AOS-W Hotspot Support for GAS Queries An Organization Identifier (OI) is a unique identifier assigned to a service provider when it registers with the IEEE registration authority. An Alcatel-Lucent AP can include its service provider OI in beacons and probe AOS-W 6.5.3.x | User Guide...
Page 893
Uploading an Icon file on page 917 Hotspot Profile Types AOS-W supports several different ANQP and H2QP profile types for defining Hotspot data. The following table describes the profiles in the Hotspot profile set. 893| 802.11u Hotspots AOS-W 6.5.3.x | User Guide...
Page 894
Use this profile to specify the channels on which the hotspot is Indication profile capable of operating For more information on configuring this profile, refer to Configuring H2QP Operating Class Indication Profiles on page 913 AOS-W 6.5.3.x | User Guide 802.11u Hotspots | ...
4. Select an existing profile from the Profile Details pane or create a new profile by entering a profile name into the entry blank, and then clicking Add. 5. Configure the parameters described in Table 208 as desired, and then click Apply. 895| 802.11u Hotspots AOS-W 6.5.3.x | User Guide...
Page 896
AP will provide the query response (or information on how to receive the query response) in a GAS Initial Response frame. This parameter sets the maximum length of the GAS query response, in octets. The supported range is 1-255 octets. AOS-W 6.5.3.x | User Guide 802.11u Hotspots | ...
Page 897
Independent (PAME-BI) bit, which is used by an AP to indicate whether the AP indicates that the Advertisement Server can return a query response that is independent of the BSSID used for the GAS Frame exchange. 897| 802.11u Hotspots AOS-W 6.5.3.x | User Guide...
Page 898
If a mobile device's credentials are about to expire or the device has become unauthorized, it can receive the URL of a server that explains how to correct any errors. This URL must be in the format http://www.example.com. AOS-W 6.5.3.x | User Guide 802.11u Hotspots | ...
ANQP and H2QP profile types, but only a single instance of other ANQP and H2QP profiles. The table below shows how the different ANQP and H2QP profile types can be associated to a single advertisement profile.
Add.
e. (Optional) To remove an existing reference to an ANQP or H2QP profile, select the profile name in the Profile Details pane, then click Delete.
8. Click Apply.
Protocol (ANQP) information element in a Generic Advertisement Service (GAS) query response. If a client uses GAS to post an ANQP query to an Access Point, the AP returns ANQP Information Elements with the values configured in this profile.
The complete list of supported venue types is described in the table below.
Venue Types
The following list describes the different venue types that may be configured in a Hotspot 2.0 or ANQP Venue Name profile:
Advertisement Profiles on page 899.
In the WebUI
To configure an ANQP network authentication profile from the switch WebUI:
1. Navigate to Configuration>Advanced Services>All Profiles.
2. In the profiles list, expand the Wireless LAN section.
Add.
5. In the Domain Name field, enter the domain name of the hotspot operator. This alphanumeric text string must be 255 characters or less.
6. Click Apply.
4. Select an existing profile from the list of profiles on the profile details pane or create a new profile by entering a profile name into the entry blank, then clicking Add.
5. Configure the following parameters as desired, then click Apply to save your settings.
In the WebUI
To configure an ANQP NAI Realm profile from the switch WebUI:
1. Navigate to Configuration>Advanced Services>All Profiles.
2. In the profiles list, expand the Wireless LAN section.
3. Select ANQP NAI Realm
The hotspot realm uses EAP Notification messages for authentication.
one-time-password: Authentication with a single-use password
peap: Protected Extensible Authentication Protocol
peap-mschapv2: Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2
The following example configures two ANQP NAI realm profiles from the switch CLI:
wlan hotspot anqp-nai-realm-profile home
  enable
  nai-realm-name corp-hotspot.com
  nai-realm-auth-param-1 id credential-type value cred-cert
  nai-home-realm
wlan hotspot anqp-nai-realm-profile non-home
  nai-realm-name corp-hotspot-roam.com
  nai-realm-eap-method eap-sim
  nai-realm-auth credential-type
2.0 profile. For details, see Configuring Hotspot Advertisement Profiles on page 899.
In the WebUI
To configure an ANQP 3GPP cellular network profile from the switch WebUI:
Configuring H2QP Connection Capability Profiles
Use this profile to specify hotspot protocol and port capabilities. This information is sent in an Access Network Query Protocol (ANQP) information element in a Generic Advertisement Service (GAS) query response.
H2QP Connection Capability VOIP port (UDP Protocol): Select this option to enable the UDP VoIP port (port 5060).
H2QP Connection Capability IKEv2 port for IPSec VPN: Select this option to enable the IPsec VPN port (ports 500, 4500 and 0).
4. Select an existing profile from the list of profiles on the profile details pane or create a new profile by entering a profile name into the entry blank, then clicking Add.
5. Configure the following parameters as desired, then click Apply to save your settings.
In the CLI
To configure an H2QP operating class profile from the switch CLI, access the CLI in config mode and issue the following commands:
wlan hotspot h2qp-op-cl-profile <profile>
  clone <profile-name>
  op-cl <1-255>
WAN Metrics downlink speed: This parameter defines the current WAN backhaul downlink speed in Kbps. If no value is set, this parameter shows a default value of 0 to indicate that the downlink speed is unknown or unspecified. Range: 0 - 2147483647, Default: 0
To configure an H2QP OSU Provider List profile from the switch WebUI:
1. Navigate to Configuration > Advanced Services > All Profiles.
2. In the Profiles list, expand the Wireless LAN section.
3. Select H2QP OSU Provider List Profiles
Icon2 width: Width of the second icon, in pixels. (1-256 pixels)
Icon2 height: Height of the second icon, in pixels. (1-256 pixels)
Icon2 Language Code: An ISO 639 language code that identifies the language used in the Icon2 filename field.
Host IP address.
3. In the Destination Selection section, select Flash File System, and enter a name for the icon file.
4. Click Apply.
To copy an OSU icon file to the switch using the CLI, access the CLI in config mode and issue the following command:
(host)(config) #copy {tftp: <tftphost> <destfilename>}|{usb: partition {0|1} <destfilename>}|{ftp: <ftphost> <user> <filename>} flash: <destfilename>
If your master and local switches use PSK for authentication, the IPsec tunnel will be created using IKEv1. If they use a factory-installed or custom certificate, they will use IKEv2 to create the IPsec tunnel. Switches using
You need to change the secret key to a non-default PSK value even if you use a per-local switch PSK configuration.
To configure a master switch PSK:
(host)(config) #localip 0.0.0.0 ipsec <secret_key>
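The guide insists on a non-default PSK but gives no way to verify it across a fleet. The following Python is an added example (not part of the AOS-W guide or product) that audits the localip ... ipsec lines of a saved configuration dump: it flags keys that appear in a caller-supplied set of known default or placeholder values, keys that are too short, and keys with almost no character variety. The default set, the 20-character minimum and the entropy threshold are assumptions to adjust to local policy; the guide does not print the factory default, so you must supply it yourself.

```python
import math
import re
from collections import Counter

# Matches the form shown in the guide: localip <ip> ipsec <secret_key>
LOCALIP_RE = re.compile(r"^\s*localip\s+(\S+)\s+ipsec\s+(\S+)\s*$")


def entropy_bits_per_char(key: str) -> float:
    """Shannon entropy per character, estimated from the key's own character frequencies.
    A repeated-character key scores 0; a key using 24 distinct characters scores about 4.6."""
    n = len(key)
    return -sum(c / n * math.log2(c / n) for c in Counter(key).values())


def check_localip_psk(config_text: str, known_defaults, min_len: int = 20):
    """Audit every 'localip ... ipsec' line of a configuration dump.

    Returns a list of (local_ip, verdict) tuples. known_defaults is the set of PSK values
    your organisation treats as default or placeholder (assumption: supply the real one)."""
    findings = []
    for line in config_text.splitlines():
        m = LOCALIP_RE.match(line)
        if not m:
            continue
        local_ip, key = m.groups()
        if key in known_defaults:
            findings.append((local_ip, "default PSK in use"))
        elif len(key) < min_len:
            findings.append((local_ip, f"PSK shorter than {min_len} characters"))
        elif entropy_bits_per_char(key) < 3.0:
            findings.append((local_ip, "low-entropy PSK"))
        else:
            findings.append((local_ip, "ok"))
    if not findings:
        findings.append(("-", "no localip ipsec line found: local switches cannot authenticate"))
    return findings


# Constructed sample configuration; the PSK values are illustrative only.
SAMPLE_CONFIG = """\
hostname master-1
localip 0.0.0.0 ipsec changeme
localip 192.0.2.10 ipsec aaaaaaaaaaaaaaaaaaaaaaaa
localip 192.0.2.11 ipsec Qv7#pLw2!zR9tMe4XkD8sB6n
"""

if __name__ == "__main__":
    for ip, verdict in check_localip_psk(SAMPLE_CONFIG, {"changeme"}):
        print(f"{ip:<12} {verdict}")
```

Run it against the output of show running-config from the master; the 0.0.0.0 entry is the catch-all PSK every local switch can use, so it is the one most worth checking.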
Configuring Layer-2/Layer-3 Settings
Configure the VLANs, subnets, and IP address on the local switch for IP connectivity. Verify connectivity to the master switch by pinging the master switch from the local switch.
Configuration changes take effect only after you reboot the affected APs; this allows them to reassociate with the local switch. After rebooting, these APs appear to the new local switch as local APs.
In the WebUI
To configure the LMS IP:
6. (Optional) If you enabled the Uplink Health-Check feature in step 4, you can use the Health Check Settings parameters to modify the health-check ping probe settings described in the table below.
7. Click Apply.
In the CLI
(host) (config) #uplink enable
(host) (config) #uplink wired priority 200
(host) (config) #uplink cellular priority 100
(host) (config) #uplink health-check enable
(host) (config) #uplink health-check ip '192.0.2.2'
Chapter 38 Voice and Video
This chapter outlines the steps required to configure voice and video services on the Alcatel-Lucent switch for Voice over IP (VoIP) devices, including Session Initiation Protocol (SIP), Spectralink Voice Priority (SVP), H.323, SCCP, Vocera, Wi-Fi calling, Alcatel NOE phones, clients running Microsoft Lync Server, and Apple devices running the FaceTime application.
Using the Default User Role
The switch is configured with the default voice role. This role has the following settings:
No limit on upload or download bandwidth
Default L2TP and PPTP pool
Maximum sessions: 65535
For Service, select service, then the correct voice or video ALG service. See Table 222 for the service names for all ALGs:
Table 222: Services for ALGs
ALG      Service Name
NOE      svc-noe, sip-noe-oxo
SIP      svc-sips, svc-sip-tcp, svc-sip-udp
SVP      svc-svp
VOCERA   svc-vocera
SCCP     svc-sccp
(host)(config) #user-role <role-name>
(host)(config-role) #session-acl <policy-name>
Replace the following strings:
policy-name with a string that you want to identify the role's policy
role-name with the name you want to identify the voice user role
7. For Value, enter the first three octets (the OUI) of the MAC address of the phones (for example, the Spectralink OUI is 00:09:7a).
8. For Roles, select the user role you previously created.
9. Click Add.
10. Click Apply.
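The rule above derives a role from the first three octets of the client MAC. As an added example, not from the AOS-W guide or code, the Python below models that derivation: it normalises the MAC formats an administrator might paste (colon, dash, Cisco dotted, bare hex) before comparing the OUI, and it exposes the locally-administered bit, because a client using a randomised MAC sets that bit and carries no vendor OUI, so the rule never matches it and the client lands in the fallback role. The role names and the fallback role are assumptions; the Spectralink OUI 00:09:7a is the guide's own example. Remember that a MAC is trivially spoofable, so this derivation places a device in a voice role but does not authenticate it.

```python
import re

# OUI-to-role table. 00:09:7a is the Spectralink OUI the guide cites; the role name is assumed
# (use whatever role you created in step 8).
OUI_ROLE_MAP = {"00:09:7a": "spectralink-phone"}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00:09:7A:12:34:56, 00-09-7a-12-34-56, 0009.7a12.3456 or 00097a123456;
    return the lower-case colon-separated form so prefix matches are reliable."""
    hexonly = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(hexonly):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexonly[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """First three octets, the part the guide's rule compares."""
    return normalize_mac(mac)[:8]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was assigned locally (for example a
    randomised client MAC); such addresses carry no vendor OUI, so an OUI rule never matches."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def derive_role(mac: str, default_role: str = "guest") -> str:
    """Apply the OUI rule; fall back to default_role (assumed name) when no OUI matches."""
    return OUI_ROLE_MAP.get(oui(mac), default_role)


if __name__ == "__main__":
    for m in ("00:09:7A:12:34:56", "0009.7a12.3456", "02:09:7a:00:00:01"):
        note = " (locally administered)" if is_locally_administered(m) else ""
        print(f"{m} -> {derive_role(m)}{note}")
```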
Configuring Firewall Settings for Voice and Video ALGs
After configuring the user roles, you must configure the firewall settings for the voice and video Application-Level Gateways (ALGs) to pass traffic securely through the Alcatel-Lucent devices.
In the WebUI
To enable the firewall settings for the ALGs:
1.
Navigate to Configuration > Security > Access Control and click the Policies tab.
b. Click Add to create a new policy.
c. Enter the appropriate values under Rules to match the DSCP mapping values.
8. Enable multicast shaping on the firewall:
a. Navigate to Configuration > Advanced Services > Stateful Firewall.
b. Click the Global Setting tab and select the Multicast automatic shaping check box.
c. Click Apply.
Enable a bandwidth shaping policy so that the allocated bandwidth share is appropriately used:
(host) (config) #wlan wmm-traffic-management-profile default
(host) (WMM Traffic management profile "default") #enable-shaping
b. Set a bandwidth percentage for the following categories:
The maximum number of simultaneous calls that the AP radio can handle. You can use the bandwidth calculator in the WebUI to calculate the call capacity. To access the bandwidth calculator, navigate to Configuration > Management > Bandwidth Calculator. Default value: 10.
VOIP TSPEC Enforcement: Select the VoIP TSPEC Enforcement check box to validate TSPEC requests for CAC.
VOIP TSPEC Enforcement Period: Select the maximum time, in seconds, for the station to start the call after the TSPEC request.
WMM supports four access categories (ACs): voice, video, best effort, and background. Table 225 shows the mapping of the WMM access categories to 802.1p priority values. The 802.1p priority value is contained in a two-byte QoS control field in the WMM data frame.
Voice: highest priority
In non-WMM, or hybrid environments where some clients are not WMM-capable, Alcatel-Lucent uses voice and best effort to prioritize traffic from these clients.
Unscheduled Automatic Power Save Delivery (U-APSD) is a component of the IEEE 802.11e standard that extends the battery life on voice over WLAN devices.
To map WMM AC with DSCP:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
802.1p priority to voice. Consider a deployment where Cisco Softphone, Lync, and Scopia are configured with the following DSCP:
Cisco Softphone - DSCP 46
Lync - DSCP 44
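The deployment above marks two voice applications with different DSCP values (46 and 44) that must both land in the WMM voice access category. The Python below is an added example, not from the AOS-W guide or product: it extracts the DSCP from a raw IPv4 TOS byte (the upper six bits; the lower two are ECN), maps it to an access category and the 802.1p/WMM user priority, and models the "QoS corrected" behaviour the UCC dashboard text describes, where a packet whose DSCP maps to a category but differs from the DSCP the SSID profile defines for that category is rewritten to the profile's value. The DSCP rows other than 46 and 44, the user-priority numbers and the correction model are assumptions. The security point: a client can mark anything it sends with DSCP 46, so the mapping must be enforced by the switch's own table, not trusted from the packet, and unknown values fall to best effort rather than upward.

```python
# WMM access category -> 802.1p / WMM user priority carried in the QoS Control field (assumed values).
AC_TO_UP = {"voice": 6, "video": 5, "best-effort": 0, "background": 1}

# DSCP -> access category. 46 (Cisco Softphone) and 44 (Lync) are the values from the
# deployment above; the video and background rows are assumptions.
DSCP_TO_AC = {46: "voice", 44: "voice", 34: "video", 36: "video", 38: "video", 8: "background"}


def dscp_from_tos(tos: int) -> int:
    """DSCP is the upper 6 bits of the IPv4 TOS (or IPv6 Traffic Class) byte; the low 2 bits are ECN."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS must be one byte")
    return tos >> 2


def tos_from_ipv4_header(header: bytes) -> int:
    """Pull the TOS byte out of a raw IPv4 header (second octet)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1]


def classify(tos: int, table=DSCP_TO_AC):
    """Return (dscp, access category, user priority) for one TOS byte.
    Unknown DSCP values fall to best effort rather than being trusted upward."""
    dscp = dscp_from_tos(tos)
    ac = table.get(dscp, "best-effort")
    return dscp, ac, AC_TO_UP[ac]


def correct_to_ssid_profile(tos: int, ssid_wmm_dscp: dict):
    """Model of the QoS correction in the UCC dashboard text: if the packet's DSCP maps to an
    access category but differs from the DSCP the SSID profile defines for that category, the
    value is rewritten to the profile's and the flow is flagged as corrected (assumed behaviour)."""
    dscp, ac, up = classify(tos)
    expected = ssid_wmm_dscp.get(ac, dscp)
    return expected, ac, up, expected != dscp


# Constructed 20-byte IPv4 header: version/IHL 0x45, TOS 0xB8 (DSCP 46, ECN 0), remainder zero-filled.
SAMPLE_IPV4_HEADER = bytes([0x45, 0xB8]) + bytes(18)

if __name__ == "__main__":
    print(classify(tos_from_ipv4_header(SAMPLE_IPV4_HEADER)))
    print(correct_to_ssid_profile(44 << 2, {"voice": 46}))
```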
WMM is an extension to the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol's Distributed Coordination Function (DCF). The collision resolution algorithm responsible for traffic prioritization depends on the following configurable parameters for each AC:
arbitration inter-frame space number (AIFSN)
3. Expand the SSID profile. Select the EDCA Parameters Station or EDCA Parameters AP profile.
4. Configure your desired EDCA Profile Parameters. Table 228 describes the parameters you can configure in this profile.
A value of 0 disables this option.
5. Click Apply.
Using the CLI to configure EDCA parameters
Use the following commands:
wlan edca-parameters-profile {ap|station} <profile> {background | best-effort | video | voice}
AOS-W provides a seamless user experience for Microsoft® Lync/Skype for Business users using voice or video calls, desktop sharing, and file transfer in a wireless environment. Microsoft Lync/Skype for Business is an enterprise solution for UCC. It provides support for voice, video, desktop-sharing, and file-transfer.
Microsoft Lync/Skype for Business SDN Interface works with the Microsoft Lync/Skype for Business server to export details about voice or video calls, desktop-sharing, and file-transfer to the Alcatel-Lucent switch's web server. The communication between the Lync/Skype for Business SDN Interface and the web server occurs over HTTP or HTTPS.
Microsoft Lync/Skype for Business server supporting Lync/Skype for Business SDN Interface versions up to 2.4.1.
Alcatel-Lucent switch running AOS-W 6.4.x. If you are running Lync/Skype for Business Interface 2.2, the switch must run AOS-W 6.4.4.0 or later.
If your setup does not have a Lync/Skype for Business SDN Interface, use Media Classification as described in Understanding Extended Voice and Video Features on page 964.
Configuring the Lync/Skype for Business Listening Port
Configure the port number on which the Microsoft Lync/Skype for Business SDN Interface sends HTTP or HTTPS call information (XML) messages to the Alcatel-Lucent switch. Before you configure the Lync/Skype for Business listening port, disable classify-media. To disable classify-media, see Disable Media Classification on page 952.
For the switch to accept STUN messages, you must allow ICE-STUN based firewall traversal on the switch and allow the UDP 3478 and TCP 443 ports in the user role.
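Opening UDP 3478 in the user role admits anything sent to that port, so it is worth seeing what a STUN message actually looks like and what a firewall traversal check can verify before treating a datagram as STUN. The Python below is an added example, not from the AOS-W guide or product: it builds a STUN Binding request and validates the 20-byte header per RFC 5389 (top two type bits zero, the 0x2112A442 magic cookie, a length that is a multiple of four and matches the packet), decodes the class and method bits, and models a role check that permits UDP 3478 only for well-formed STUN. The ROLE_ALLOW table mirrors the two ports the guide names; passing TCP 443 without inspection is an assumption, since TLS is opaque to this check.

```python
import os
import struct

STUN_MAGIC_COOKIE = 0x2112A442
# Ports the guide says the user role must permit for ICE/STUN traversal.
ROLE_ALLOW = {("udp", 3478), ("tcp", 443)}


def build_binding_request(txid: bytes = None) -> bytes:
    """Minimal STUN Binding request (RFC 5389): type 0x0001, zero-length body, 96-bit transaction ID."""
    txid = txid if txid is not None else os.urandom(12)
    return struct.pack("!HHI", 0x0001, 0, STUN_MAGIC_COOKIE) + txid


def parse_stun_header(pkt: bytes):
    """Validate the 20-byte STUN header and return (msg_type, msg_len, txid).
    Raises ValueError for anything that should not be forwarded as STUN."""
    if len(pkt) < 20:
        raise ValueError("shorter than a STUN header")
    msg_type, msg_len, magic = struct.unpack("!HHI", pkt[:8])
    if msg_type & 0xC000:
        raise ValueError("top two bits of the type field must be zero")
    if magic != STUN_MAGIC_COOKIE:
        raise ValueError("magic cookie mismatch")
    if msg_len % 4 or len(pkt) != 20 + msg_len:
        raise ValueError("length field inconsistent with packet")
    return msg_type, msg_len, pkt[8:20]


def stun_class(msg_type: int) -> str:
    """Class bits sit at bit 4 (C0) and bit 8 (C1) of the type field."""
    c0 = (msg_type >> 4) & 1
    c1 = (msg_type >> 8) & 1
    return ("request", "indication", "success response", "error response")[(c1 << 1) | c0]


def stun_method(msg_type: int) -> int:
    """Method bits are the remaining 12 bits of the type field; Binding is method 1."""
    return ((msg_type & 0x3E00) >> 2) | ((msg_type & 0x00E0) >> 1) | (msg_type & 0x000F)


def role_permits(proto: str, port: int, payload: bytes = b"") -> bool:
    """Combine the role's port rule with header validation: UDP 3478 is allowed only for
    well-formed STUN; TCP 443 passes unconditionally (assumption: TLS is opaque here)."""
    if (proto, port) not in ROLE_ALLOW:
        return False
    if proto == "udp" and port == 3478:
        try:
            parse_stun_header(payload)
        except ValueError:
            return False
    return True


if __name__ == "__main__":
    pkt = build_binding_request()
    t, n, txid = parse_stun_header(pkt)
    print(stun_class(t), "method", stun_method(t), "len", n, "txid", txid.hex())
```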
2. Select Other Profiles to expand the Other Profiles section.
3. Click the Traffic Control Prioritization profile.
4. Under the Traffic Control Prioritization Profile section, enter the profile name and click Add.
Link the newly created Lync/Skype for Business traffic control profile to the user-role.
(host) (config) #user-role <STRING>
(host) (config-role) #traffic-control-profile <STRING>
Recommended DSCP Mapping for Lync/Skype for Business Traffic in Alcatel-Lucent Switch
The following DSCP values for Lync/Skype for Business ALG are recommended:
Priority  Source  Destination  Service   Action  TimeRange  Expired  Queue  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------   ------  ---------  -------  -----  -----  ---------  ------  -------  -------------  ------
                               svc-sips  permit                      High
Enabling Lync/Skype for Business ALG Debug Logs
Lync/Skype for Business ALG related debug logs are available under logs. Use the following command to enable this:
(host) (config) #logging level debugging user process stm subcat voice
Chart View
Navigate to Dashboard > UCC. The UCC page displays the overall health (in graphical format) of the UCC deployment in the switch as shown in Figure 202.
WMM-DSCP configured in the corresponding SSID profile definition, the switch corrects this value as per the SSID profile definition and classifies the call as QoS corrected. This graph displays
VoIP calls made to/from clients outside the local switch are displayed in the External Call List pane. This pane lists all the external and wired client call CDRs. See Figure 204.
Figure 204 External Call List
When VoIP calls are prioritized using media classification, the End-to-End call quality is not available.
Figure 206 All Calls
Figure 207 displays the VoIP call summary for a selected call of a client.
Figure 209 Call Quality vs. Client Health
Viewing UCC Information
This section describes the commands to view UCC clients, calls, and configuration information in the switch. For detailed command parameters, see the AOS-W 6.4.x CLI Reference Guide.
Adding AMP as a Management Server in the Switch
You can view and add the default AMP management server profile using the switch WebUI or CLI.
In the WebUI
To view the default AMP management server profile:
(host)(Mgmt Config profile "default-amp")#uccmonitoring-enable
Verifying the Configuration
Execute the following command in the switch CLI to view the management server configuration profile:
(host) #show mgmt-server profile default-amp
Mgmt Config profile "default-amp" (Predefined (changed))
--------------------------------------------------------
RTP Analysis on the master switch. Issue the following CLI commands:
(host) (config) #voice real-time-config
(host) (Configure Real-Time Analysis) #config-enable
Table 233 shows the call quality parameters displayed on the switch for various UCC ALGs.
Vocera: Audio: Delay, Jitter, Packet Loss, UCC Score
H.323: Audio: Delay, Jitter, Packet Loss; Video: Delay, Jitter, Packet Loss
Table 234 shows the quality parameters displayed for Lync/Skype for Business collaborative services.
The RTP sessions are tagged with the Q flag, indicating that real-time analysis is computed for the session.
show datapath application
show datapath user
show rights
show datapath acl <id>
show datapath session
show voice real-time-config
Real-time quality analysis for Lync/Skype4b voice and video calls (voice RTP streams only)
Real-time computation of UCC score (delay, jitter, and packet loss) for Lync/Skype4b VoIP calls prioritized using media classification. The UCC score is computed by the AP in the downstream direction.
When VoIP calls are prioritized using media classification, end-to-end call quality metrics such as Mean Opinion Score (MOS), delay, jitter, and packet loss are not available. Media classification is not supported when clients are behind a Network Address Translation (NAT) device.
Port(s)      Purpose
3478-3497    NAT-STUN port for FaceTime and Game Center
5223         Apple Push Notification
16384-16387  RTP and RTCP for iChat Audio and Video
16393-16402  RTP and RTCP for FaceTime and Game Center
Destination: Match any IPv4 or IPv6 destination traffic. The values can be: alias, host, localip, network, user
Service/Application: Match any service or application. The values can be: Application, Application category, protocol, service, Web category/Reputation
"Viceroy". Do not configure this feature unless a new version of Apple FaceTime uses a User-Agent string other than "Viceroy". Contact Alcatel-Lucent Technical Support for more information.
In the WebUI
The following procedure configures a pattern to recognize FaceTime sessions using the WebUI.
If the ePDG FQDN of the carrier does not match the default patterns, use this option to configure the DNS pattern for the carrier.
service-provider: Add the service provider name for enhanced visibility.
                                                                 Registration State
---------     ----------         -----------  ----------    ------------------
10.15.17.208  fc:c2:de:6c:01:9c  Client       WiFi-Calling  T-Mobile  REGISTERED
10.15.17.206  d8:bb:2c:51:16:b2  Client       WiFi-Calling  T-Mobile  REGISTERED
Call Status  AP Name  Flags  Device Type
-----------  -------  -----  -----------
In-Call      4-105-2         Android
Client Health vs Call Quality metrics are not available.
Wi-Fi Calling does not work in split and bridge-tunnel forwarding mode.
After clients failover from one switch to another, subsequent calls may not get prioritized.
For deployments where there are expected to be considerable delays between the switch and APs (for example, in a remote location where an AP is not in range of another Alcatel-Lucent AP) you can increase the value for the bootstrap threshold in the AP System profile to minimize the chance of the AP rebooting due to temporary loss of connectivity with the Alcatel-Lucent switch.
If you select AP Group, click Edit for the AP group name for which you want to configure the SIP client user role. If you select AP Specific, select the name of the AP for which you want to configure the SIP client user role.
2. Expand Other Profiles under the Profiles section and click Configure Real-Time Analysis.
3. Enable Real Time call quality analysis for the voice calls by selecting the Real-Time Analysis of voice calls check box.
Figure 210 Enable Real Time Analysis
4. Click Apply.
For more information on SIP session timer support, see Section 8, Proxy Behavior, of RFC 4028. This release of AOS-W does not support the configurable Min-SE parameter for the SIP ALG. Therefore, the ALG will not generate 422 responses for session refresh requests.
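To make the limitation above concrete, the Python below is an added example, not from the AOS-W guide or the SIP ALG: it implements the Section 8 proxy behaviour of RFC 4028 that the ALG does not, parsing the Session-Expires header (long or compact "x" form, with the optional refresher parameter) from an INVITE and returning a 422 Session Interval Too Small response carrying Min-SE when the requested interval is below the proxy's minimum. The 90 second Min-SE and the sample INVITE are constructed for illustration; the proxy's option of inserting a Session-Expires when none is present is noted but not modelled.

```python
def parse_sip(msg: str):
    """Split a SIP request into (request line, {lower-case header name: value}); the body is ignored."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def session_expires(headers: dict):
    """Session-Expires (compact form 'x') carries an integer interval and an optional refresher parameter."""
    raw = headers.get("session-expires", headers.get("x"))
    if raw is None:
        return None, None
    parts = [p.strip() for p in raw.split(";")]
    refresher = next((p.split("=", 1)[1] for p in parts[1:] if p.startswith("refresher=")), None)
    return int(parts[0]), refresher


def proxy_session_timer(invite: str, min_se: int = 90):
    """RFC 4028 section 8 proxy behaviour for one INVITE.
    Returns ("forward", interval) or ("reject", 422 response text)."""
    req_line, headers = parse_sip(invite)
    if not req_line.startswith("INVITE "):
        return "forward", None
    interval, _refresher = session_expires(headers)
    if interval is None:
        return "forward", None          # no timer requested; a proxy may insert one, not modelled here
    if interval < min_se:
        response = (
            "SIP/2.0 422 Session Interval Too Small\r\n"
            f"Min-SE: {min_se}\r\n"                        # the header the ALG cannot emit
            f"Via: {headers.get('via', '')}\r\n"
            f"Call-ID: {headers.get('call-id', '')}\r\n"
            f"CSeq: {headers.get('cseq', '')}\r\n\r\n"
        )
        return "reject", response
    return "forward", interval


# Constructed INVITE asking for a 60 second session interval, below the assumed Min-SE of 90.
SAMPLE_INVITE = (
    "INVITE sip:2001@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Session-Expires: 60;refresher=uac\r\n"
    "Supported: timer\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    action, detail = proxy_session_timer(SAMPLE_INVITE)
    print(action)
    print(detail)
```

Because the AOS-W ALG never sends this 422, a UAC that proposes an interval shorter than the far end's Min-SE will only learn that from the SIP server, not from the switch; plan the session-timer values on the endpoints accordingly.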
Wi-Fi connection. If the signal strength is weak, the switch will trigger the handover process to switch the voice client to an alternate carrier or connection. This process ensures QoS for voice calls.
PSTN call facility from a SIP device. After the dial plan is configured, a user can make SIP calls by dialing the destination number without any prefixes. Dial plan can be configured only for SIP over UDP.
In the WebUI
1. In the WebUI, navigate to Configuration > Advanced Services > All Profiles > Switch > Dialplan Profile. Enter a name for the dial plan profile and click Add.
3. Click Apply.
4. Under Profile, navigate to Switch > SIP settings and select Dialplan Profile. In the Profile Details section, select the Dialplan Profile from the drop-down list and click Apply.
To view the SIP dial plan profile:
(host) (config) #show voice sip
SIP settings
------------
Parameter         Value
---------         -----
Dialplan Profile  local
To view the dial plan details:
(host) (config) #show voice dialplan-profile local
Dialplan Profile "local"
100  XXXXXXX  9%e
Enabling Enhanced 911 Support
AOS-W provides seamless support for emergency calls in the Alcatel-Lucent network by interoperating with the RedSky emergency call server. The switch uses SNMP to interoperate with the RedSky call handling system. This release of AOS-W supports only the RedSky emergency call server.
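The dial plan row shown above (sequence 100, pattern XXXXXXX, action 9%e) rewrites any seven-digit number to carry a leading 9. The Python below is an added example, not from the AOS-W guide or the SIP ALG, that models how such rows are evaluated. The semantics are assumptions stated in the code: X matches exactly one digit, any other pattern character matches literally, %e is replaced by the digits the user dialled, and the lowest sequence number that matches wins. A number that matches no row is returned as None so the caller passes it through unchanged rather than silently prefixing a trunk access code onto an emergency or internal number.

```python
import re

# Dial plan rows as (sequence, pattern, action). The single row is the one shown above.
# Assumed semantics: X matches one digit, other characters match literally, %e is replaced
# by the digits dialled, and the lowest matching sequence wins.
DIALPLAN = [(100, "XXXXXXX", "9%e")]


def pattern_to_regex(pattern: str):
    """Compile a dial plan pattern into an anchored regular expression."""
    body = "".join(r"\d" if ch == "X" else re.escape(ch) for ch in pattern)
    return re.compile("^" + body + "$")


def clean_digits(dialed: str) -> str:
    """Keep only what a SIP dial string may carry; strips spaces, dashes and parentheses."""
    return re.sub(r"[^0-9*#+]", "", dialed)


def translate(dialed: str, dialplan=DIALPLAN):
    """Return the rewritten number, or None when no row matches."""
    digits = clean_digits(dialed)
    for _seq, pattern, action in sorted(dialplan):
        if pattern_to_regex(pattern).match(digits):
            return action.replace("%e", digits)
    return None


if __name__ == "__main__":
    for number in ("555-1234", "5551234", "15551234", "911"):
        print(f"{number:>9} -> {translate(number)}")
```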
If you selected AP Group, click Edit by the AP group name for which you want to enable battery boost. If you selected AP Specific, select the name of the AP for which you want to enable battery boost.
Link Layer Discovery Protocol (LLDP) is a Layer-2 protocol that allows network devices to advertise their identity and capabilities on a LAN. Wired interfaces on Alcatel-Lucent APs support LLDP by periodically transmitting LLDP Protocol Data Units (PDUs) composed of selected type-length-value (TLV) elements. For a...
TLV to indicate which capabilities are supported by the AP.
management-address: transmit a TLV that indicates the AP's management IP address, in either IPv4 or IPv6 format.
LLDP profile before you can configure any LLDP-MED settings. Click the Add a profile drop-down list in the Profile Details window. To associate an existing LLDP-MED network policy, click an LLDP-MED policy name, then click Add.
VLAN ID or untagged. The default value is untagged.
NOTE: When an LLDP-MED network policy is defined for use with an untagged VLAN, then the L2 priority field is ignored and only the DSCP value is used.
AP wired-port profile:
(host) (config) #ap lldp profile video1
(host) (AP LLDP Profile "video1") #lldp-med-network-policy-profile vid-stream
(host) (AP LLDP Profile "video1") #!
(host) (config) #ap wired-port-profile corp2
(host) (AP wired port profile "corp2") #lldp-profile video1
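The LLDP section above describes PDUs built from TLVs, a management-address TLV, and an LLDP-MED network policy whose L2 priority is meaningless on an untagged VLAN. The Python below is an added example, not from the AOS-W guide or AP firmware: it encodes and decodes the 802.1AB TLV header (7-bit type, 9-bit length), assembles an LLDPDU in the mandatory order (Chassis ID, Port ID, TTL first, End of LLDPDU last) with a management-address TLV and a TIA-1057 LLDP-MED Network Policy TLV, and parses it back while rejecting truncated TLVs or a PDU that breaks the mandatory order. The bit layout of the network policy (U, T, X, 12-bit VLAN ID, 3-bit L2 priority, 6-bit DSCP) is the TIA-1057 one; the sample chassis MAC, port name, address and policy values are constructed. Parsing untrusted LLDP on a wired AP port is a real attack surface, which is why the parser checks lengths before indexing.

```python
import struct

TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
             5: "System Name", 7: "System Capabilities", 8: "Management Address",
             127: "Organizationally Specific"}
TIA_OUI = b"\x00\x12\xbb"        # OUI used by LLDP-MED organizationally specific TLVs


def tlv(tlv_type: int, value: bytes) -> bytes:
    """LLDP TLV header: 7-bit type, 9-bit length, followed by the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def med_network_policy(app_type: int, vlan_id: int, l2_priority: int, dscp: int, tagged: bool) -> bytes:
    """LLDP-MED Network Policy TLV (subtype 2): application type (1 = voice in TIA-1057), then
    24 bits of U(1) T(1) X(1) VLAN ID(12) L2 priority(3) DSCP(6). With T=0 (untagged) the VLAN ID
    and L2 priority carry no meaning, which is why the guide says only DSCP is used then."""
    if not (0 <= vlan_id < 4096 and 0 <= l2_priority < 8 and 0 <= dscp < 64):
        raise ValueError("field out of range")
    bits = (int(tagged) << 22) | (vlan_id << 9) | (l2_priority << 6) | dscp   # U=0, X=0
    return tlv(127, TIA_OUI + b"\x02" + bytes([app_type]) + bits.to_bytes(3, "big"))


def build_lldpdu(chassis_mac: bytes, port_name: bytes, ttl: int, mgmt_ipv4: bytes, policy: bytes) -> bytes:
    """Mandatory TLVs in the order 802.1AB requires, then management address, MED policy, End."""
    mgmt = bytes([1 + len(mgmt_ipv4), 1]) + mgmt_ipv4   # address string length, subtype 1 = IPv4, address
    mgmt += b"\x01" + struct.pack("!I", 0) + b"\x00"     # interface subtype, interface number, OID length
    return (tlv(1, b"\x04" + chassis_mac) + tlv(2, b"\x05" + port_name) + tlv(3, struct.pack("!H", ttl))
            + tlv(8, mgmt) + policy + tlv(0, b""))


def parse_lldpdu(pdu: bytes):
    """Walk the TLVs and return [(type, name, value)]. Raise on truncation or wrong mandatory order."""
    out, i = [], 0
    while i + 2 <= len(pdu):
        header, = struct.unpack("!H", pdu[i:i + 2])
        tlv_type, length = header >> 9, header & 0x1FF
        value = pdu[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        out.append((tlv_type, TLV_NAMES.get(tlv_type, "Reserved"), value))
        i += 2 + length
        if tlv_type == 0:
            break
    types = [t for t, _, _ in out]
    if types[:3] != [1, 2, 3] or types[-1] != 0:
        raise ValueError("Chassis ID, Port ID and TTL must lead and End of LLDPDU must close")
    return out


def is_valid_lldpdu(pdu: bytes) -> bool:
    try:
        parse_lldpdu(pdu)
        return True
    except ValueError:
        return False


def decode_med_policy(value: bytes) -> dict:
    """Inverse of med_network_policy for a TLV value beginning with the TIA OUI and subtype 2."""
    if len(value) != 8 or value[:4] != TIA_OUI + b"\x02":
        raise ValueError("not a MED network policy")
    bits = int.from_bytes(value[5:8], "big")
    return {"app_type": value[4], "tagged": bool((bits >> 22) & 1),
            "vlan_id": (bits >> 9) & 0xFFF, "l2_priority": (bits >> 6) & 7, "dscp": bits & 0x3F}


# Constructed sample values; the MAC and address are not taken from any real device.
SAMPLE_PDU = build_lldpdu(bytes.fromhex("000b86b78391"), b"eth0", 120, bytes([192, 0, 2, 5]),
                          med_network_policy(1, 100, 5, 46, tagged=True))

if __name__ == "__main__":
    for t, name, value in parse_lldpdu(SAMPLE_PDU):
        print(t, name, value.hex())
    print(decode_med_policy(parse_lldpdu(SAMPLE_PDU)[4][2]))
```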
00:0b:86:b7:83:91  Call  Call Start  Aug 13 11:29:34
00:0b:86:b7:83:91  Call  Call End    Aug 13 11:29:41
00:0b:86:b7:83:91  Call  Call Start  Aug 13 11:30:29
00:0b:86:b7:83:91  Call  Call End    Aug 13 11:30:39
00:0b:86:b7:83:91  Call  Call Start
-----------      ------------       --------
Aug 13 12:38:03  00:1a:1e:a8:2d:80  795216  44158  794838  147824  78010395  58366710
Current Active Calls
--------------------
Session Information  Peer Party  Status  Dur(sec)  Orig time value  Codec  Band  Setup Time(sec)  Re-Assoc
Aug 14 06:48:53  00:1a:1e:a8:2d:80  AP Management  Assoc Resp
AP Station Reports
------------------
Timestamp  BSS Id  RSSI  Tx-Drop  Tx-Data  Tx-Data-Retry  Tx-Data-Bytes  Tx-Data-Time  Rx-Retry
---------  ------  ----  -------  -------  -------------  -------------  ------------  --------
In the CLI
To set the voice logging level to debugging:
(host) #configure terminal
(config) #logging level debugging user subcat voice
To debug voice logs for a specific client:
(config) #voice logging
SIP settings. Additionally, you can view the status of RTCP analysis, and SIP mid-call request timeout. This release of AOS-W does not support viewing the voice configuration details using the WebUI.
In the CLI
To view the voice configuration details on your switch:
(host) #show voice configurations
802.11K Profiles
----------------
Profile Name  Advertise 802.11K Capability
------------  ----------------------------
default       Disabled
SIP settings
------------
Parameter         Value
---------         -----
Session Timer     Disabled
Session Expiry    300 sec
Dialplan Profile
Voice rtcp-inactivity:disable
Voice sip-midcall-req-timeout:disable
All the features and policies that are applicable to mDNS are extended to DLNA. This ensures full interoperability between compliant devices.
AirGroup Solution
AirGroup leverages key elements of Alcatel-Lucent's solution portfolio, including the AOS-W software for Alcatel-Lucent switches and Alcatel-Lucent ClearPass Policy Manager (CPPM). AirGroup performs the following functions:
Enables users to discover network services across IP subnet boundaries in enterprise wireless and wired networks.
GoogleCast: Google Chromecast uses this service to stream video and music content from a smart phone to a TV screen using a wireless network. If this service is manually configured before the switch is upgraded to AOS-W 6.4.1, the service continues to remain in the existing state.
Enabling the allowall Service on page 1015.
AirGroup Solution Components
AirGroup leverages key elements of Alcatel-Lucent's solution portfolio that includes the AOS-W software for Alcatel-Lucent switches, CPPM, and ClearPass Guest. Table 241 describes the supported versions for each portfolio.
Figure 221 AirGroup in a Typical Wireless Deployment
AirGroup deployments that include both CPPM and an AirGroup switch support features that are described in AirGroup Services on page 995.
With AirGroup, the context-based policies determine the services visible to the end-user devices.
Figure 222 Integrated AirGroup Network Topology
CPPM delivers identity and device-based network access control across any wired, wireless, and VPN infrastructure. AirGroup can be deployed with Alcatel-Lucent ClearPass Policy Manager (recommended for large WLANs), or without ClearPass in smaller networks. If your deployment does not include ClearPass Policy...
223, Switch 1, 2, and 3 belong to AirGroup Domain 1.
Sample AirGroup Cluster Topology
Figure 224 shows a typical master-local multi-switch deployment. In this topology, four local switches terminate on a single master switch.
L1 and L3 cannot communicate with L3 and L4, because they do not have a common active-domain and they do not share the same VLAN.
AirGroup Server Discovery
iPad users in L1, M, and L3 can discover any Apple TV or AirPrint Printer in L1, M, and L3.
Any switch that shares VLANs with another switch must be part of the same AirGroup multi-switch cluster. When an AirGroup switch has the list of all the switches in the multi-switch table, it uses an Alcatel-Lucent proprietary protocol called Process Application Programming Interface (PAPI) to communicate with other switches in the table.