Detailed instructions for use are in the User's Guide.
[. . . ] OmniAccess Reference™ AOS-W System Reference
OmniAccess Reference: AOS-W System Reference
Copyright
Copyright © 2005 Alcatel Internetworking, Inc. Originated in the USA.
Trademarks
AOS-W, OmniAccess 4304, OmniAccess 4308, OmniAccess Wireless LAN, OmniAccess 6000, OmniAccess AP60, OmniAccess AP61, and OmniAccess AP 70 are trademarks of Alcatel Internetworking, Inc. Any other trademarks appearing in this manual are owned by their respective companies.
Legal Notice
The use of Alcatel Internetworking, Inc. switching platforms and software, by all individuals or corporations, to terminate Cisco or Nortel VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Alcatel Internetworking, Inc. [. . . ]
Configure SSID Role Mapping by navigating to the Configuration > Authentication Methods > SSID page.
346
Part 031652-00
May 2005
Chapter 16
Adding a Role Map
1 Click Add.
2 Select a role from the Role Name pull-down menu box.
3 4
Encryption Type Role Mapping
This feature enables roles to be assigned based solely on the Layer 2 encryption type used by the client. This method of role assignment bypasses authentication and should therefore be combined with a strong firewall policy. Configure encryption type role mapping by navigating to the Configuration > Authentication Methods > L2 Encryption page.
Configuring Advanced Conditions
This feature enables TBC. Configure advanced conditions by navigating to the Configuration > Authentication Methods > Advanced page.
Authentication Server Configuration
Adding a Condition
TBC
where:
Rule Type specifies what the rule applies to, such as MAC addresses, BSSIDs, or location.
Condition specifies how the rule type is evaluated, for example a MAC address equal to a value.
Value specifies the value of the condition, for example when location is not equal to Headquarters.
When you finish defining the condition, click Apply.
Configuring General AAA Settings Using the CLI
Configure the general AAA settings using the aaa timers command.
(Alcatel) (config) #aaa timers idle-timeout 5
(Alcatel) (config) #aaa timers dead-time 10
View the general authentication server settings using the show aaa timers command.
(Alcatel) (config) #show aaa timers
User idle timeout = 5 minutes
Auth Server dead time = 10 minutes
Configuring RADIUS Servers Using the CLI
Configure RADIUS servers using the aaa radius-server command.
(Alcatel) (config) #aaa radius-server rad2-radius-server
(Alcatel) (config) #aaa radius-server rad2-radius-server host 192.168.200.2
(Alcatel) (config) #aaa radius-server rad2-radius-server authport 1812
(Alcatel) (config) #aaa radius-server rad2-radius-server acctport 1813
(Alcatel) (config) #aaa radius-server rad2-radius-server key AbCdE12345
(Alcatel) (config) #aaa radius-server rad2-radius-server retransmit 3
(Alcatel) (config) #aaa radius-server rad2-radius-server timeout 5
(Alcatel) (config) #aaa radius-server rad2-radius-server mode "enable"
The configured RADIUS server settings may be viewed using the show aaa radius-server server-name <name> command.
Server Rules
Define server rules for deriving roles or VLANS using the aaa derivation-rules command from the CLI. Enter the server-rule sub-mode using the aaa derivation-rules <ServerName> command.
(Alcatel) (config) #aaa derivation-rules server rad2-radius-server
(Alcatel) (server-rule) #
Define the rules using the form:
set [role|vlan] condition <Attribute> <CONDITIONAL> <value> set-value [RoleName|VLAN]
Conditionals: contains, ends-with, equals, not-equals, starts-with, value-of
(Alcatel) (server-rule) #set role condition User-Name contains foo set-value foo-user
You may view the rules you have created using the show aaa derivation-rules command from the CLI.
(Alcatel) (config) #show aaa derivation-rules server rad2-radius-server
Server Rule Table
-----------------
Priority  Attribute  Operation  Operand  Action    Value     Total Hits  New Hits
--------  ---------  ---------  -------  ------    -----     ----------  --------
1         User-Name  contains   foo      set role  foo-user  0           0
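The following is an added illustration of how a server rule table of this form is evaluated against the attributes an authentication server returns; it is not AOS-W code, and it applies equally to the LDAP server rules described later, which use the same commands. Assumptions, as marked in the code: rules are tried in priority order and the first match per target wins, and value-of takes the attribute's own value with no operand or set-value.

```python
"""Evaluator for server derivation rules (set [role|vlan] condition <Attribute>
<CONDITIONAL> <value> set-value [RoleName|VLAN]). Added illustration, not switch
code. Assumed semantics: rules run in priority order and the first match per
target wins; value-of uses the attribute's own value and has no operand/set-value."""
from collections import namedtuple

CONDITIONALS = {
    "contains":    lambda attr, val: val in attr,
    "ends-with":   lambda attr, val: attr.endswith(val),
    "equals":      lambda attr, val: attr == val,
    "not-equals":  lambda attr, val: attr != val,
    "starts-with": lambda attr, val: attr.startswith(val),
}

# target: "role" or "vlan"; attribute: name returned by the auth server (e.g. User-Name);
# operand/set_value: <value> and RoleName|VLAN, both None for value-of.
Rule = namedtuple("Rule", "priority target attribute conditional operand set_value")

def parse_rule(priority, line):
    """Parse one CLI rule line such as the one shown on the page."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "set" or tok[1] not in ("role", "vlan") or tok[2] != "condition":
        raise ValueError(f"malformed rule: {line!r}")
    if tok[4] == "value-of":
        return Rule(priority, tok[1], tok[3], "value-of", None, None)
    if tok[4] not in CONDITIONALS or len(tok) != 8 or tok[6] != "set-value":
        raise ValueError(f"bad conditional or operands: {line!r}")
    return Rule(priority, tok[1], tok[3], tok[4], tok[5], tok[7])

def derive(rules, attributes):
    """Apply the rule table to the attributes one authentication reply carried
    (dict of name -> value). Attributes the server did not send never match; an
    empty result means the caller falls back to the configured default role."""
    result = {}
    for rule in sorted(rules, key=lambda r: r.priority):
        attr = attributes.get(rule.attribute)
        if rule.target in result or attr is None:
            continue
        if rule.conditional == "value-of":
            result[rule.target] = attr
        elif CONDITIONALS[rule.conditional](attr, rule.operand):
            result[rule.target] = rule.set_value
    return result

# Constructed sample table: the page's rule plus a VLAN rule and a value-of rule.
SAMPLE_RULES = [
    parse_rule(1, "set role condition User-Name contains foo set-value foo-user"),
    parse_rule(2, "set vlan condition Filter-Id equals engineering set-value 10"),
    parse_rule(3, "set role condition Class value-of"),
]
```

A reply that carries none of the referenced attributes derives nothing, which is why the default role configured for each authentication method matters.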
Configuring LDAP Servers Using the CLI
Configure LDAP servers using the aaa ldap-server command from the CLI.
1 Enter the config-ldapserver submode by executing the aaa ldap-server command with the name of the server you wish to configure as the argument.
(Alcatel) (config) #aaa ldap-server horseradish_2_ldap
(Alcatel) (config-ldapserver-horseradish_2_ldap)#
2 Enter the LDAP server's IP address.
(Alcatel) (config-ldapserver-horseradish_2_ldap)#host 192.168.200.251
3 Specify the authentication port number.
(Alcatel) (config-ldapserver-horseradish_2_ldap)#authport 389
4 Specify the base distinguished name under which the server searches for all users.
(Alcatel) (config-ldapserver-horseradish_2_ldap)#base-dn "cn=Users, dc=lm, dc=Alcatelnetworks, dc=com"
5 Specify the admin distinguished name that identifies the user with administrative rights.
(Alcatel) (config-ldapserver-horseradish_2_ldap)#admin-dn "cn=Users, dc=lm, dc=Alcatelnetworks, dc=com"
6 Specify the admin password.
(Alcatel) (config-ldapserver-horseradish_2_ldap)#admin-passwd ABC123
7 Specify the key attribute to use when searching the server.
(Alcatel) (config-ldapserver-horseradish_2_ldap)#key-attribute sAMAccountName
8 Select a filter.
(Alcatel) (config-ldapserver-horseradish_2_ldap)#filter "(objectclass=*)"
9 Set the server timeout in seconds.
(Alcatel) (config-ldapserver-horseradish_2_ldap)#timeout 20
10 Set the mode to enable or disable the LDAP server.
(Alcatel) (config-ldapserver-horseradish_2_ldap)#mode enable
View the LDAP server settings using the show aaa ldap-server <Name> command from the CLI.
(Alcatel) (config) # show aaa ldap-server horseradish_2_ldap
LDAP Server Table
-----------------
LDAP Server Attribute  Value
---------------------  -----
Priority               5
Name                   horseradish_2_ldap
Hostname               192.168.200.251
AuthPort               389
Retries                3
Timeout                20
AdminDN                cn=Users, dc=lm, dc=Alcatelnetworks, dc=com
AdminPasswd            *****
BaseDN                 cn=Users, dc=lm, dc=Alcatelnetworks, dc=com
KeyAttribute           sAMAccountName
Filter                 (objectclass=*)
Status                 Enabled
InService              no
InitDone               no
AdminBound             no
Marked For Delete      no
In Use Callback Set    no
RefCount               0
RebindTimerSet         yes
RebindCount            19
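The base-dn, key-attribute and filter settings entered above together parameterize one LDAP search per login. The following is an added illustration of that search, not AOS-W code; that the switch ANDs the configured filter with (<key-attribute>=<login name>) is an assumption, and the function and sample names are made up. The point it makes is that the login name is untrusted input and must be escaped per RFC 4515 before it is placed in the filter.

```python
"""Builds the user lookup that the base-dn, key-attribute and filter settings
parameterize. Added illustration, not AOS-W code; that the switch ANDs the
configured filter with (<key-attribute>=<login name>) is an assumption.
Whatever client performs this search must escape the login name (RFC 4515),
otherwise the name rewrites the query instead of being matched literally."""

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: *, (, ), \\, NUL and non-printable/non-ASCII bytes
    become \\XX hex escapes; everything else passes through unchanged."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00" or b < 0x20 or b > 0x7e:
            out.append(f"\\{b:02x}")
        else:
            out.append(chr(b))
    return "".join(out)

def user_search(base_dn: str, key_attribute: str, configured_filter: str, login: str):
    """Return (search base, filter) for the lookup of one user.

    base_dn           - value of the base-dn setting
    key_attribute     - value of the key-attribute setting, e.g. sAMAccountName
    configured_filter - value of the filter setting, e.g. (objectclass=*)
    login             - the name the client typed, treated as untrusted input
    """
    if not (configured_filter.startswith("(") and configured_filter.endswith(")")):
        raise ValueError("filter setting must be a parenthesised LDAP filter")
    if not login:
        raise ValueError("empty login name")
    user_term = f"({key_attribute}={escape_filter_value(login)})"
    return base_dn, f"(&{configured_filter}{user_term})"

# Constructed sample using the settings entered in the steps above.
SAMPLE_BASE_DN = "cn=Users, dc=lm, dc=Alcatelnetworks, dc=com"
SAMPLE_KEY_ATTRIBUTE = "sAMAccountName"
SAMPLE_FILTER = "(objectclass=*)"
```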
Server Rules
The steps and commands for deriving roles and VLANs for LDAP are exactly the same as for RADIUS servers, above.
Configuring the Internal Authentication Database Using the CLI
An internal authentication database may be configured using the local-userdb command from the CLI. Users are added to the local database from the command prompt rather than the configuration prompt.
(Alcatel) #local-userdb add username NewGuy password NewFoo role foo-user
Users may be deleted using the local-userdb del command from the CLI.
(Alcatel) #local-userdb del username foolishGuy
The users in the local database may be viewed using the show local-userdb command from the CLI.
(Alcatel) #show local-userdb
User Details
------------
Name      Password  Role      E-Mail  Enabled
--------  --------  --------  ------  -------
NewGuy    ********  foo-user          Yes
OldGuy    ********  foo-user          Yes
BIGGuy    ********  foo-user          Yes
Peonski   ********  foo-user          Yes
User Entries: 4
Configuring RADIUS Accounting Using the CLI
Configure RADIUS accounting using the aaa radius-accounting command from the CLI.
1 Enable RADIUS accounting.
(Alcatel) (config) #aaa radius-accounting mode enable
2 Assign an accounting server.
(Alcatel) (config) #aaa radius-accounting auth-server rad2-radius-server
Configuring 802.1x Authentication Using the CLI
802.1x configuration is accomplished using two families of commands from the CLI: the aaa general accounting commands and the dot1x commands.
1 Set the default role. This is the role that will be assigned unless the authentication server provides another role for the user.
(Alcatel) (config) #aaa dot1x default-role foo-user
2 Enable or disable 802.1x authentication.
(Alcatel) (config) #aaa dot1x mode enable
3 Set the authentication server timeout, in seconds (1 - 65535).
(Alcatel) (config) #dot1x server server-timeout 30
4 Set the authentication failure timeout, in seconds (1 - 65535).
(Alcatel) (config) #dot1x timeout idrequest-period 30
5 Set the quiet time (time between authentication attempts), in seconds (1 - 65535).
(Alcatel) (config) #dot1x timeout quiet-period 30
6 Set the maximum number of authentication attempts (1 - 10).
(Alcatel) (config) #dot1x max-req 5
7 Set the maximum number of attempts to contact the server before it is considered down (0 - 3).
(Alcatel) (config) #dot1x server server-retry 3
8 Enable or disable re-authentication. Use the "no" form of the command to disable the feature.
(Alcatel) (config) #dot1x re-authentication
(Alcatel) (config) #no dot1x re-authentication
9 Set the reauthentication time interval, in seconds (60-2147483647). You may also specify that the interval provided by the server be used.
(Alcatel) (config) #dot1x timeout reauthperiod 3600
10 Enable multicast key rotation.
(Alcatel) (config) #dot1x multicast-keyrotation
11 Set the multicast key rotation interval, in seconds (60-2147483647).
(Alcatel) (config) #dot1x timeout mcastkey-rotation-period 1200
12 Enable unicast key rotation.
(Alcatel) (config) #dot1x unicast-keyrotation
13 Set the unicast key rotation interval, in seconds (5-2147483647).
(Alcatel) (config) #dot1x timeout ucastkey-rotation-period 240
14 Set the authentication failure threshold for station blacklisting.
(Alcatel) (config) #aaa dot1x max-authentication-failures 0
You may view the 802.1x configuration settings using the show aaa dot1x command from the CLI.
(Alcatel) (config) #show aaa dot1x
Mode = 'Enabled'
Default Role = 'foo-user'
Max authentication failures = 0
Auth Server Table
-----------------
Pri  Name  Type  IP addr  AuthPort  Status  Inservice  Applied  Users
---  ----  ----  -------  --------  ------  ---------  -------  -----
(Alcatel) (config) #show dot1x ?
ap-table         Show 802.1X AP Table
config           Show 802.1X Authenticator Configuration
supplicant-info  Show details about supplicant(s)
(Alcatel) (config) #show dot1x config
Authentication Server Timeout: 30 Seconds
Client Response Timeout: 30 Seconds
Fail Timeout: 30 Seconds
Client Retry Count: 5
Server Retry Count: 3
Key Retry Count: 1
Reauthentication: Disabled
Reauthentication Time Interval: 3600 Seconds
Multicast Key Rotation: Enabled
Multicast Key Rotation Time Interval: 1200 Seconds
Unicast Key Rotation: Enabled
Unicast Key Rotation Time Interval: 240 Seconds
Countermeasure: Disabled
Wired Clients: Disabled
Enforce Machine Authentication: Disabled
Machine Auth Cache Timeout: 24 Hours
Machine Auth Default Role: guest
User Auth Default Role: guest
Adding 802.1x Authentication Servers
Add an existing configured 802.1x authentication server.
(Alcatel) (config) #aaa dot1x auth-server foo-dot1auth-server
Configuring VPN Authentication Using the CLI
VPN authentication may be configured when IPSec or PPTP is in use on the switch. VPN authentication is configured using the aaa vpn-authentication commands from the CLI.
1 Enable VPN authentication.
(Alcatel) (config) #aaa vpn-authentication mode enable
2 Set the VPN Default role. This role will be assigned to the client if no other role is supplied by the authentication server.
(Alcatel) (config) #aaa vpn-authentication default-role foo-user
NOTE--You may view the roles currently defined on the switch using the show rights command from the CLI.
3 Specify the authentication server.
(Alcatel) (config) #aaa vpn-authentication auth-server rad2-radius-server
4 Set the authentication failure threshold for station blacklisting.
(Alcatel) (config) #aaa vpn-authentication max-authentication-failures 0
Configuring Captive Portal Authentication Using the CLI
Captive Portal authentication may be configured when clients wish to authenticate using a web-based portal. Captive Portal authentication may be performed over SSL; however, SSL protects only the login exchange, and no encryption is provided for client traffic after authentication is completed.
Configure Captive Portal using the aaa captive-portal commands from the CLI.
1 Set the default role. This is the role which will be assigned to the client if the authentication server provides no role information about the client when they authenticate.
(Alcatel) (config) #aaa captive-portal default-role foo-user
2 Enable guest logon - optional.
(Alcatel) (config) #aaa captive-portal guest-logon
3 Enable user logon - optional.
(Alcatel) (config) #aaa captive-portal user-logon
4 Enable logout popup menu - optional.
(Alcatel) (config) #aaa captive-portal logout-popup-window
5 Select the protocol type.
[. . . ]
Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network. An SSID is also referred to as a Network Name because essentially it is a name that identifies a wireless network.
Glossary
SSL*
Commonly used encryption scheme used by many online retail and banking sites to protect the financial integrity of transactions. When an SSL session begins, the server sends its public key to the browser. The browser then sends a randomly generated secret key back to the server in order to have a secret key exchange for that session.
Subnetwork or Subnet*
Found in larger networks, these smaller networks are used to simplify addressing between numerous computers. [. . . ]