User manual ALCATEL-LUCENT OMNIACCESS AOS-W SYSTEM REFERENCE


Manual abstract: user guide ALCATEL-LUCENT OMNIACCESS AOS-W SYSTEM REFERENCE


[. . . ]

OmniAccess Reference: AOS-W System Reference

Copyright
Copyright © 2005 Alcatel Internetworking, Inc. Originated in the USA.

Trademarks
AOS-W, OmniAccess 4304, OmniAccess 4308, OmniAccess Wireless LAN, OmniAccess 6000, OmniAccess AP60, OmniAccess AP61, and OmniAccess AP 70 are trademarks of Alcatel Internetworking, Inc. Any other trademarks appearing in this manual are owned by their respective companies.

Legal Notice
The use of Alcatel Internetworking, Inc. switching platforms and software, by all individuals or corporations, to terminate Cisco or Nortel VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Alcatel Internetworking, Inc.

[. . . ]

Configure SSID Role Mapping by navigating to the Configuration > Authentication Methods > SSID page.

Part 031652-00 May 2005
Chapter 16

Adding a Role Map

1 Click Add.
2 Select a role from the Role Name pull-down menu box.
3
4

Encryption Type Role Mapping

This feature enables roles to be assigned based solely on the Layer 2 encryption type used by the client. This method of role assignment bypasses authentication and should therefore be combined with a strong firewall policy.

Configure SSID Role Mapping by navigating to the Configuration > Authentication Methods > L2 Encryption page.

Configuring Advanced Conditions

This feature enables TBC.

Configure SSID Role Mapping by navigating to the Configuration > Authentication Methods > Advanced page.

Authentication Server Configuration

Adding a Condition

TBC where:

Rule Type: specifies what rule will apply, such as on MAC addresses, BSSIDs, or location.
Condition: specifies how the rule type is treated, for example a MAC address equal to a value.
Value: specifies the value of the condition, for example when location is not equal to Headquarters.

When you finish defining the condition, click Apply.

Configuring General AAA Settings Using the CLI

Configure the general AAA settings using the aaa timers command.

    (Alcatel) (config) #aaa timers idle-timeout 5
    (Alcatel) (config) #aaa timers dead-time 10

View the general authentication server settings using the show aaa timers command.

    (Alcatel) (config) #show aaa timers
    User idle timeout = 5 minutes
    Auth Server dead time = 10 minutes

Configuring RADIUS Servers Using the CLI

Configure RADIUS servers using the aaa radius-server command.

    (Alcatel) (config) #aaa radius-server rad2-radius-server
    (Alcatel) (config) #aaa radius-server rad2-radius-server host 192.168.200.2
    (Alcatel) (config) #aaa radius-server rad2-radius-server authport 1812
    (Alcatel) (config) #aaa radius-server rad2-radius-server acctport 1813
    (Alcatel) (config) #aaa radius-server rad2-radius-server key AbCdE12345
    (Alcatel) (config) #aaa radius-server rad2-radius-server retransmit 3
    (Alcatel) (config) #aaa radius-server rad2-radius-server timeout 5
    (Alcatel) (config) #aaa radius-server rad2-radius-server mode "enable"

The configured RADIUS server settings may be viewed using the show aaa radius-server server-name <name> command.

Server Rules

Define server rules for deriving roles or VLANs using the aaa derivation-rules command from the CLI.

Enter the server-rule sub-mode using the aaa derivation-rules <ServerName> command.

    (Alcatel) (config) #aaa derivation-rules server rad2-radius-server
    (Alcatel) (server-rule) #

Define the rules using the form:

    set [role|vlan] condition <Attribute> <CONDITIONAL> <value> set-value [RoleName|VLAN]

Conditionals:

    contains
    ends-with
    equals
    not-equals
    starts-with
    value-of

    (Alcatel) (server-rule) #set role condition User-Name contains foo set-value foo-user

You may view the rule you create using the show aaa derivation-rules command from the CLI.

    (Alcatel) (config) #show aaa derivation-rules server rad2-radius-server

    Server Rule Table
    -----------------
    Priority  Attribute  Operation  Operand  Action    Value     Total Hits  New Hits
    --------  ---------  ---------  -------  ------    -----     ----------  --------
    1         User-Name  contains   foo      set role  foo-user  0           0

Configuring LDAP Servers Using the CLI

Configure LDAP servers using the aaa ldap-server command from the CLI.

1 Enter the config-ldapserver submode by executing the aaa ldap-server command with the name of the server you wish to configure as the argument.

    (Alcatel) (config) #aaa ldap-server horseradish_2_ldap
    (Alcatel) (config-ldapserver-horseradish_2_ldap)#

2 Enter the LDAP server's IP address.

    (Alcatel) (config-ldapserver-horseradish_2_ldap)#host 192.168.200.251

3 Specify the authentication port number.

    (Alcatel) (config-ldapserver-horseradish_2_ldap)#authport 389

4 Specify a base distinguished name under which the server searches for all users.

    (Alcatel) (config-ldapserver-horseradish_2_ldap)#base-dn "cn=Users, dc=lm, dc=Alcatelnetworks, dc=com"

5 Specify an admin distinguished name to establish the user with administrative rights.

    (Alcatel) (config-ldapserver-horseradish_2_ldap)#admin-dn "cn=Users, dc=lm, dc=Alcatelnetworks, dc=com"

6 Specify the admin password.

    (Alcatel) (config-ldapserver-horseradish_2_ldap)#admin-passwd ABC123

7 Specify the key attribute to use when searching for the server.

    (Alcatel) (config-ldapserver-horseradish_2_ldap)#key-attribute sAMAaccountName

8 Select a filter.

    (Alcatel) (config-ldapserver-horseradish-2-ldap)#filter "(objectclass=*)"

9 Set the server timeout in seconds.

    (Alcatel) (config-ldapserver-horseradish-2-ldap)#timeout 20

10 Set the mode, enable or disable LDAP.

    (Alcatel) (config-ldapserver-horseradish-2-ldap)#mode enable

View the LDAP server settings using the show aaa ldap-server <Name> command from the CLI.

    (Alcatel) (config) # show aaa ldap-server horseradish_2_ldap

    LDAP Server Table
    -----------------
    LDAP Server Attribute  Value
    ---------------------  -----
    Priority               5
    Name                   horseradish_2_ldap
    Hostname               192.168.200.251
    AuthPort               389
    Retries                3
    Timeout                20
    AdminDN                cn=Users, dc=lm, dc=Alcatelnetworks, dc=com
    AdminPasswd            *****
    BaseDN                 cn=Users, cd=lm, dc=Alcatelnetworks, dc=com
    KeyAttribute           sAMAaccountName
    Filter                 (objectclass=*)
    Status                 Enabled
    InService              no
    InitDone               no
    AdminBound             no
    Marked For Delete      no
    In Use Callback Set    no
    RefCount               0
    RebindTimerSet         yes
    RebindCount            19

Server Rules

The steps and commands for deriving roles and VLANs for LDAP are exactly the same as for RADIUS servers, above.

Configuring the Internal Authentication Database Using the CLI

An internal authentication database may be configured using the local-userdb command from the CLI. Users are added to the local database from the command rather than the configuration prompt.

    (Alcatel) #local-userdb add username NewGuy password NewFoo role foo-user

Users may be deleted using the local-userdb delete option from the CLI.

    (Alcatel) #local-userdb del username foolishGuy

The users in the local database may be viewed using the show local-userdb command from the CLI.

    (Alcatel) #show local-userdb

    User Details
    ------------
    Name     Password  Role      E-Mail  Enabled
    ----     --------  ----      ------  -------
    NewGuy   ********  foo-user          Yes
    OldGuy   ********  foo-user          Yes
    BIGGuy   ********  foo-user          Yes
    Peonski  ********  foo-user          Yes

    User Entries: 4

Configuring RADIUS Accounting Using the CLI

Configure RADIUS accounting using the aaa radius-accounting command from the CLI.

1 Enable RADIUS accounting.

    (Alcatel) (config) #aaa radius-accounting mode enable

2 Assign an accounting server.

    (Alcatel) (config) #aaa radius-accounting auth-server rad2-radius-server

Configuring 802.1x Authentication Using the CLI

802.1x configuration is accomplished using 2 families of commands from the CLI, the aaa general accounting commands and the dot1x commands.

This is the role that will be assigned unless the authentication server provides another role for the user.

    (Alcatel) (config) #aaa dot1x default-role foo-user

2 Enable or disable 802.1x authentication.

    (Alcatel) (config) #aaa dot1x mode enable

3 Set the authentication server timeout, in seconds (1 - 65535).

    (Alcatel) (config) #dot1x server server-timeout 30

4 Set the authentication failure timeout, in seconds (1 - 65535).

    (Alcatel) (config) #dot1x timeout idrequest-period 30

5 Set the quiet time (time between authentication attempts), in seconds (1 - 65535).

    (Alcatel) (config) #dot1x timeout quiet-period 30

6 Set the maximum number of authentication attempts (1 - 10).

    (Alcatel) (config) #dot1x max-req 5

7 Set the maximum number of attempts to contact the server before it is considered down (0 - 3).

    (Alcatel) (config) #dot1x server server-retry 3

8 Enable or disable re-authentication. Use the "no" form of the command to disable the feature.

    (Alcatel) (config) #dot1x re-authentication
    (Alcatel) (config) #no dot1x re-authentication

9 Set the reauthentication time interval, in seconds (60 - 2147483647). You may also specify that the interval provided by the server be used.

    (Alcatel) (config) #dot1x timeout reauthperiod 3600

10 Enable multicast key rotation.

    (Alcatel) (config) #dot1x multicast-keyrotation

11 Set the multicast key rotation interval, in seconds (60 - 2147483647).

    (Alcatel) (config) #dot1x timeout mcastkey-rotation-period 1200

12 Enable unicast key rotation.

    (Alcatel) (config) #dot1x unicast-keyrotation

13 Set the unicast key rotation interval, in seconds (5 - 2147483647).

    (Alcatel) (config) #dot1x timeout ucastkey-rotation-period 240

14 Set the authentication failure threshold for station blacklisting.

    (Alcatel) (config) #aaa dot1x max-authentication-failures 0

You may view the 802.1x configuration settings using the show aaa dot1x command from the CLI.

    (Alcatel) (config) #show aaa dot1x
    Mode = 'Enabled'
    Default Role = 'foo-user'
    Max authentication failures = 0

    Auth Server Table
    -----------------
    Pri  Name  Type  IP addr  AuthPort  Status  Inservice  Applied  Users
    ---  ----  ----  -------  --------  ------  ---------  -------  -----

    (Alcatel) (config) #show dot1x ?
    ap-table          Show 802.1X AP Table
    config            Show 802.1X Authenticator Configuration
    supplicant-info   Show details about supplicant(s)

    (Alcatel) (config) #show dot1x config
    Authentication Server Timeout: 30 Seconds
    Client Response Timeout: 30 Seconds
    Fail Timeout: 30 Seconds
    Client Retry Count: 5
    Server Retry Count: 3
    Key Retry Count: 1
    Reauthentication: Disabled
    Reauthentication Time Interval: 3600 Seconds
    Multicast Key Rotation: Enabled
    Multicast Key Rotation Time Interval: 1200 Seconds
    Unicast Key Rotation: Enabled
    Unicast Key Rotation Time Interval: 240 Seconds
    Countermeasure: Disabled
    Wired Clients: Disabled
    Enforce Machine Authentication: Disabled
    Machine Auth Cache Timeout: 24 Hours
    Machine Auth Default Role: guest
    User Auth Default Role: guest

Adding 802.1x Authentication Servers

Add an existing configured 802.1x authentication server.

    (Alcatel) (config) #aaa dot1x auth-server foo-dot1auth-server

Configuring VPN Authentication Using the CLI

VPN authentication may be configured when IPSec or PPTP is in use on the switch. VPN authentication is configured using the aaa vpn-authentication commands from the CLI.

1 Enable VPN authentication.

    (Alcatel) (config) #aaa vpn-authentication mode enable

2 Set the VPN Default role. This role will be assigned to the client if no other role is supplied by the authentication server.

    (Alcatel) (config) #aaa vpn-authentication default-role foo-user

NOTE--You may view the roles currently defined on the switch using the show rights command from the CLI.

3 Specify the authentication server.

    (Alcatel) (config) #aaa vpn-authentication auth-server rad2-radius-server

4 Set the authentication failure threshold for station blacklisting parameter.

    (Alcatel) (config) #aaa vpn-authentication max-authentication-failures 0

Configuring Captive Portal Authentication Using the CLI

Captive Portal authentication may be configured when clients wish to authenticate using a web-based portal. Captive Portal authentication may be accomplished via SSL, however it provides no encryption after authentication is completed.

Configure Captive Portal using the aaa captive-portal commands from the CLI.

This is the role which will be assigned to the client if the authentication server provides no role information about the client when they authenticate.

    (Alcatel) (config) #aaa captive-portal default-role foo-user

2 Enable guest logon - optional.

    (Alcatel) (config) #aaa captive-portal guest-logon

3 Enable user logon - optional.

    (Alcatel) (config) #aaa captive-portal user-logon

4 Enable logout popup menu - optional.

    (Alcatel) (config) #aaa captive-portal logout-popup-window

5 Select the protocol type.

[. . . ]

Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network. An SSID is also referred to as a Network Name because essentially it is a name that identifies a wireless network.

Glossary

SSL*
Commonly used encryption scheme used by many online retail and banking sites to protect the financial integrity of transactions.
When an SSL session begins, the server sends its public key to the browser. The browser then sends a randomly generated secret key back to the server in order to have a secret key exchange for that session.

Subnetwork or Subnet*
Found in larger networks, these smaller networks are used to simplify addressing between numerous computers.

[. . . ]
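
An added example, not part of the Alcatel manual: a Python check that compares the dot1x timer and retry commands in a saved configuration against the value ranges stated in the 802.1x CLI steps above. The function name check_dot1x and the sample configuration are constructed for illustration.

```python
import re

# Allowed ranges exactly as stated in the manual's 802.1x CLI steps.
DOT1X_RANGES = {
    "dot1x server server-timeout": (1, 65535),
    "dot1x timeout idrequest-period": (1, 65535),
    "dot1x timeout quiet-period": (1, 65535),
    "dot1x max-req": (1, 10),
    "dot1x server server-retry": (0, 3),
    "dot1x timeout reauthperiod": (60, 2147483647),
    "dot1x timeout mcastkey-rotation-period": (60, 2147483647),
    "dot1x timeout ucastkey-rotation-period": (5, 2147483647),
}

# Strips a leading CLI prompt such as "(Alcatel) (config) #".
PROMPT = re.compile(r"^\(Alcatel\)\s*\([^)]*\)\s*#\s*")


def check_dot1x(config_text):
    """Return (line_no, command, value, (lo, hi)) for every out-of-range value."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = PROMPT.sub("", raw.strip())
        for command, (lo, hi) in DOT1X_RANGES.items():
            if not line.startswith(command + " "):
                continue
            arg = line[len(command):].split()[0]
            # Non-numeric arguments (keyword forms) are not range-checked.
            if re.fullmatch(r"-?\d+", arg):
                value = int(arg)
                if not lo <= value <= hi:
                    findings.append((line_no, command, value, (lo, hi)))
    return findings


# Constructed sample configuration, not taken from a real switch.
SAMPLE = "\n".join([
    "(Alcatel) (config) #dot1x server server-timeout 30",
    "(Alcatel) (config) #dot1x timeout quiet-period 0",
    "(Alcatel) (config) #dot1x max-req 12",
    "(Alcatel) (config) #dot1x server server-retry 3",
    "(Alcatel) (config) #dot1x timeout reauthperiod 30",
    "(Alcatel) (config) #dot1x timeout ucastkey-rotation-period 240",
])

if __name__ == "__main__":
    for line_no, command, value, (lo, hi) in check_dot1x(SAMPLE):
        print(f"line {line_no}: {command} {value} is outside {lo}-{hi}")
```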
