273

DWS-1008 User’s Manual 

D-Link Systems, Inc.

Configuring AAA for Network Users

 

For a user to be successfully authenticated by an 802.1X or WebAAA rule, the username and password entered by the user must be configured on the RADIUS servers used by the authentication rule or, if the rule uses the local database, in the switch's local database.

For a user to be successfully authenticated based on the MAC address of the user's device, the MAC address must be configured on the RADIUS servers used by the authentication rule or, if the rule uses the local database, in the switch's local database. If the MAC address is configured in the local database, no password is required. However, since RADIUS requires a password, if the MAC address is on the RADIUS server, MSS checks for a password. The default well-known password is dlink, but it is configurable. (The same password applies to last-resort users.) Because the default is printed in this manual, change it on the switch and in the corresponding RADIUS entries when MAC users are authenticated by RADIUS, and remember that a MAC-authenticated user is identified only by an address the client itself reports, so place such users on VLANs that do not carry sensitive traffic.

For a user to be successfully authenticated for last-resort access, the RADIUS servers or local database (whichever method is used by the last-resort authentication rule) must contain a user named last-resort-wired (for wired authentication access) or last-resort-ssid, where ssid is the SSID requested by the user. If the matching last-resort user is configured in the local database, no password is required. However, since RADIUS requires a password, if the matching last-resort user is on the RADIUS server, MSS checks for a password. The default well-known password is dlink, but it is configurable. (The same password applies to MAC users.)

If the last-resort authentication rule matches on SSID any, which is a wildcard that matches any SSID string, the RADIUS servers or local database must have a user named last-resort-any, exactly as spelled here.

Authorization

If the user is authenticated, MSS then checks the RADIUS server or local database (the same place MSS looked for user information to authenticate the user) for the authorization attributes assigned to the user. Authorization attributes specify the network resources the user can access.

The only required attribute is the Virtual LAN (VLAN) name on which to place the user. RADIUS and MSS have additional optional attributes. For example, you can provide further access controls by specifying the times during which the user can access the network, you can apply inbound and outbound access control lists (ACLs) to the user's traffic, and so on. To assign attributes on the RADIUS server, use the standard RADIUS attributes supported on the server. To assign attributes in the switch's local database, use the MSS vendor-specific attributes (VSAs).

MSS provides the following VSAs, which you can assign to users configured in the local database or on a RADIUS server:

 

Encryption-Type - Specifies the type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected.

End-Date - Date and time after which the user is no longer allowed to be on the network.
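The lookup rules from the authentication paragraphs above (which username MSS asks the AAA store for under each rule type, and whether it presents the well-known password) and the required VLAN attribute and End-Date VSA from the Authorization section, combined into a check you can run against a planned user store before enabling the rules. This is an added example, not D-Link or MSS code. The dictionary layout of the store and requests, the key names VLAN-Name and End-Date, and the lowercase colon-separated form of the MAC username are assumptions made for the example; the sample store and requests are constructed.

```python
"""Check a planned AAA user store against the MSS lookup rules described above.

Added example, not D-Link/MSS code. The store is a constructed dict standing in
for entries on a RADIUS server or in the switch's local database.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Default well-known password the switch presents for MAC and last-resort users
# held on RADIUS. It is configurable on the switch; change it here if you changed it there.
WELL_KNOWN_PASSWORD = "dlink"


@dataclass(frozen=True)
class Rule:
    kind: str             # "dot1x", "web", "mac" or "last-resort"
    ssid: Optional[str]   # SSID the rule matches, "any" for the wildcard, None for wired
    store: str            # "local" or "radius": where the rule looks users up


def expected_identity(rule: Rule, presented: Optional[str]) -> tuple:
    """Return (username MSS looks up, password MSS presents) for one request.

    `presented` is the typed username (802.1X/WebAAA) or the client MAC (MAC
    rules) and is ignored for last-resort rules. A None password means no
    password is presented: the user's own password for 802.1X/WebAAA (not
    modelled here), or none at all for MAC/last-resort users in the local database.
    """
    if rule.kind in ("dot1x", "web"):
        if not presented:
            raise ValueError("802.1X/WebAAA lookups need the user-entered username")
        return presented, None
    if rule.kind == "mac":
        if not presented:
            raise ValueError("MAC rules need the client MAC address")
        # Assumption: the MAC is looked up as a lowercase colon-separated string.
        name = presented.lower().replace("-", ":")
    elif rule.kind == "last-resort":
        if rule.ssid is None:
            name = "last-resort-wired"
        elif rule.ssid == "any":
            name = "last-resort-any"      # wildcard rule: this exact spelling
        else:
            name = f"last-resort-{rule.ssid}"
    else:
        raise ValueError(f"unknown rule kind {rule.kind!r}")
    return name, (WELL_KNOWN_PASSWORD if rule.store == "radius" else None)


def find_problems(requests, store, now: datetime) -> list:
    """List every reason a request would fail authentication or authorization.

    requests: iterable of (Rule, presented) pairs.
    store: {username: {"password": str, "attributes": {...}}}; "VLAN-Name" and
           "End-Date" are assumed key names for the required VLAN and the End-Date VSA.
    """
    problems = []
    for rule, presented in requests:
        name, password = expected_identity(rule, presented)
        entry = store.get(name)
        if entry is None:
            problems.append(f"{name}: no such user for the {rule.kind} rule")
            continue
        if password is not None and entry.get("password") != password:
            problems.append(f"{name}: RADIUS entry must carry the well-known password")
        attrs = entry.get("attributes", {})
        if not attrs.get("VLAN-Name"):
            problems.append(f"{name}: missing the required VLAN name attribute")
        end = attrs.get("End-Date")
        if end is not None and end <= now:
            problems.append(f"{name}: End-Date {end:%Y-%m-%d %H:%M} has passed")
    return problems


# Constructed sample store and requests (not from a real deployment).
SAMPLE_STORE = {
    "alice": {"password": "alicepass", "attributes": {"VLAN-Name": "staff"}},
    "00:0b:0e:12:34:56": {"password": "dlink", "attributes": {"VLAN-Name": "printers"}},
    "last-resort-guest": {"attributes": {"VLAN-Name": "guest",
                                         "End-Date": datetime(2004, 12, 31, 23, 59)}},
    "last-resort-*": {"attributes": {"VLAN-Name": "guest"}},    # wrong name for the wildcard rule
    "bob": {"password": "bobpass", "attributes": {}},            # no VLAN name assigned
}
SAMPLE_REQUESTS = [
    (Rule("dot1x", "corporate", "radius"), "alice"),
    (Rule("mac", "printers", "radius"), "00:0B:0E:12:34:56"),
    (Rule("last-resort", "guest", "local"), None),
    (Rule("last-resort", "any", "local"), None),
    (Rule("web", "corporate", "local"), "bob"),
]
CHECK_TIME = datetime(2005, 1, 1)

if __name__ == "__main__":
    for problem in find_problems(SAMPLE_REQUESTS, SAMPLE_STORE, CHECK_TIME):
        print(problem)
```

Run against the sample data, the check reports the expired last-resort-guest entry, the wildcard rule whose user was named last-resort-* instead of last-resort-any, and bob's missing VLAN name; alice and the MAC user pass because the MAC entry on RADIUS carries the well-known password and both have a VLAN name.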

Summary of Contents for DWS-1008

Page 1: ......

Page 2: ...stomizing AAA with Globs and Groups Con guring and Managing Ports and VLANs Setting the Port Type Displaying Port Statistics Con guring and Managing VLANs Managing the Layer 2 Forwarding Database Con...

Page 3: ...dios Disabling or Reenabling Radios Displaying AP Con guration Information Con guring User Encryption Con guring WPA Con guring RSN Con guring WEP Encryption Con guration Scenarios Con guring RF Auto...

Page 4: ...ion Key and Certi cate Con guration Scenarios Con guring AAA for Network Users About AAA for Network Users AAA Tools for Network Users Con guring 802 1X Authentication Con guring Authentication and Au...

Page 5: ...DoS Alerts Displaying RF Detection Information Managing System Files About System Files Working with Files Managing Con guration Files Backing Up and Restoring the System Appendix A Troubleshooting Fi...

Page 6: ...by quali ed service personnel only Please follow all warning notices and instructions marked on the product or included in the documentation The manufacturer is not responsible for any radio or TV in...

Page 7: ...o an AAA server for complete veri cation This of oading capability ensures that the WLAN will not overload when clients are simultaneously connecting to the network User Based Authentication Services...

Page 8: ...green 100Mbps link is operational Solid amber 10Mbps link is operational Blinking green Traf c is active on the 100Mbps link Blinking amber Traf c is active on the 10Mbps link AP 1 6 Solid green For a...

Page 9: ...Protocol over Secure Sockets Layer HTTPS IP Services IP interfaces You can con gure an IP interface for each VLAN IP ping and traceroute You can test IP connectivity between the switch and other devic...

Page 10: ...nd 10 100 Ethernet Cable Wiring Connections on the 10 100 ports require CAT5 cable based on the EIA TIA 586 standard The 10 100 Ethernet ports on the DWS 1008 switch provide automatic MDI MDX which au...

Page 11: ...r on a tabletop Each switch is shipped with two brackets for rack mounting and four adhesive rubber feet for tabletop mounting The mounting brackets support front mounting only Warning Earth grounding...

Page 12: ...are on the DWS 1008 switch No additional software is required The switch supports two connection modes Administrative access mode which enables the network administrator to connect to the switch and c...

Page 13: ...Warning To prevent the switch from slipping do not release the switch until all the rack mount screws are tight Tabletop Installation 1 On a clean work surface with no debris carefully turn the switch...

Page 14: ...d con gure the following modem settings 9600 bps 8 bits 1 stop No parity Hardware ow control off or disabled 4 Open a connection on a serial port If the switch is already powered on press Enter three...

Page 15: ...the mains 1 Insert a CAT5 cable with a standard RJ 45 connector The 10 100 Ethernet ports on the DWS 1008 switch provide automatic MDI MDX 2 If the cable is directly attached to a DWL 8220AP access p...

Page 16: ...ce to con gure a new switch or to continue con guration of a partially con gured switch CLI Command Line Interface You can con gure a switch using the CLI by attaching a PC to the switch s Console por...

Page 17: ...lists the default if applicable You can advance to the next item and accept the default if applicable by pressing Enter Depending on your input the command also automatically generates the following k...

Page 18: ...ntry code For a list of valid country codes refer to the section Appendix Country of Operation Another question the script asks is Do you wish to con gure wireless If you answer y the script goes on t...

Page 19: ...port 2 and 3 The IP addresses usernames and passwords in this document are examples Use values that are appropriate for your organization If you con gure time and date parameters you will be required...

Page 20: ...y Enter a crypto SSID to use corporate Enter a username with which to do PEAP MSCHAPv2 cr to exit alice Enter a password for alice alicepass Enter a username with which to do PEAP MSCHAPv2 cr to exit...

Page 21: ...tems Inc Con guration continued Con guration 6 Optionally enable Telnet DWS 1008 aabbcc set ip telnet server enable 7 Verify the con guration changes DWS 1008 aabbcc show con g 8 Save the con guration...

Page 22: ...s Enter a third time to display a command prompt Username Password DWS 1008 Note For simplicity the command prompt examples in the documentation show a switch model such as DWS 1008 and the CLI access...

Page 23: ...e IP connectivity See Con guring IP Connectivity on page 22 4 Specify the country of operation See Specifying the Country of Operation on page 25 5 Specify a system IP address See Specifying a System...

Page 24: ...ready at the enabled access level enter the enable command DWS 1008 enable 2 At the enabled prompt enter set enablepass DWS 1008 set enablepass 3 When you are prompted for your old password press Ente...

Page 25: ...cates are valid for one year beginning with the system time and date that are in effect when you generate the certi cate request If the switch s time and date are incorrect the certi cate might not be...

Page 26: ...show timezone Timezone is set to PST offset from UTC is 8 0 hours DWS 1008 show summertime Summertime is enabled and set to PDT Start Sun Apr 04 2004 02 00 00 End Sun Oct 31 2004 02 00 00 Offset 60 mi...

Page 27: ...lthough you do not need to con gure every user s VLAN on every DWS 1008 switch To con gure a VLAN and an IP address use the following commands set vlan vlan num name name set vlan vlan id port port li...

Page 28: ...ute that uses gateway 10 10 20 19 with a path cost of 1 and verify the change DWS 1008 set ip route default 10 10 20 19 1 success change accepted DWS 1008 show ip route Router table for IPv4 Destinati...

Page 29: ...lias for the host device you can specify the DNS hostname or the alias instead of the IP address of the device The following command veri es IP connectivity to IP address 10 10 20 19 DWS 1008 ping 10...

Page 30: ...listed below Country Code Australia AU Austria AT Belgium BE Brazil BR Canada CA China CN Czech Republic CZ Denmark DK Finland FI France FR Germany DE Greece GR Hong Kong HK Hungary HU Iceland IS Indi...

Page 31: ...pper Power Supply missing Memory 115 09 496 04 23 Total Power Over Ethernet 32 000 Specifying a System IP Address You can designate one of the IP addresses con gured on a DWS 1008 switch s VLAN to be...

Page 32: ...m ip address 10 10 10 4 success change accepted DWS 1008 show system Product Name DWS 1008 System Name DWS 1008 System Countrycode System Location System Contact System Description DWS 1008 System IP...

Page 33: ...gured AP on that port The port numbers on the switch con gured for direct attached APs reference a particular AP An AP that is not directly connected to a switch is considered a Distributed AP The swi...

Page 34: ...or two 10 100 ports on a switch The switch port is then con gured speci cally for a direct attachment to an AP There is no intermediate networking equipment between the switch and AP and only one AP i...

Page 35: ...guration in order to boot and con gure AP2 The Layer 2 network must provide DHCP services to AP2 AP3 is connected through a Layer 3 network Layer 2 networks separated by IP routers to the switch The...

Page 36: ...guration The switch can communicate with the Distributed AP through any network port In the CLI a Distributed AP con guration is referred to as a DAP Because distributed APs are not directly attached...

Page 37: ...tacts the switch whose IP address is returned for TRPZ If only wlan switch is de ned in DNS the AP contacts the switch whose IP address is returned for wlan switch If both TRPZ and wlan switch are de...

Page 38: ...be con gured for 802 11b or 802 11g exclusively If the country of operation speci ed by the set system countrycode command does not allow 802 11g the default is 802 11b DWL 8220AP radios con gured for...

Page 39: ...retransmissions 10 Radio 2 type 802 11a mode disabled channel 36 tx pwr 11 pro le default auto tune max power default min client rate 24 max retransmissions 10 Con guring for a Distributed AP To crea...

Page 40: ...show dap con g dap num radio 1 2 Here is an example DWS 1008 show dap con g Dap 1 serial id 0322199999 AP model dwl 8220ap bias high name DAP01 ngerprint boot download enable YES load balancing group...

Page 41: ...0322199998 10 10 40 4 HIGH 0322199998 10 10 50 4 HIGH 0322199997 10 10 40 4 HIGH 0322199997 10 10 50 4 HIGH 0322199996 10 10 40 4 HIGH 0322199996 10 10 50 4 HIGH 0322199995 10 10 40 4 HIGH 0322199995...

Page 42: ...When the Wi Fi Protected Access WPA information element IE is enabled uses 802 1X to authenticate WPA clients auth fallthru web portal Uses WebAAA for users who do not match an 802 1X or MAC authenti...

Page 43: ...tion for WPA use the set radio pro le auth psk command ssid name default Uses the SSID name default ssid type crypto Encrypts wireless traf c for the SSID tkip mc time 60000 Uses Michael countermeasur...

Page 44: ...named set of radio parameters that you can apply to multiple radios A radio pro le can contain information for two types of SSIDs Encrypted SSID Clients using this SSID must use encryption Use the enc...

Page 45: ...measures Not con gured Does not issue countermeasures against any device dtim interval 1 Sends the delivery traf c indication map DTIM after every beacon frag threshold 2346 Transmits frames up to 234...

Page 46: ...the lowest valid channel number for the country of operation Transmit power Highest setting allowed for the country of operation or highest setting supported on the hardware whichever is lower Externa...

Page 47: ...ly a radio pro le to radios use the following command set ap port list dap dap num radio 1 2 radio pro le name mode enable disable The following commands applies radio pro le rp1 to radio 1 on AP acce...

Page 48: ...x pwr 15 pro le default auto tune max power default min client rate 5 5 max retransmissions 10 Radio 2 type 802 11a mode disabled channel 36 tx pwr 11 pro le default auto tune max power default min cl...

Page 49: ...es MSS grants access Otherwise MSS attempts the fallthru authentication type which can be Web last resort or none Last resort A network user requests access to the network without entering a username...

Page 50: ...be set in the local database or on a RADIUS server to assign the user to a VLAN This is true regardless of the authentication type you use You can use either of the following attributes to assign a u...

Page 51: ...erver name4 To con gure MSS to load balance authentication requests among the servers use the following command set server group group name load balance enable disable To verify the change use the fol...

Page 52: ...the delimiter characters in user globs which are the at sign and the dot To match a username that contains a delimiter you must specify the delimiter in the user glob as shown in these examples Alter...

Page 53: ...through grp1 success change accepted DWS 1008 set authentication dot1x ssid private_wlan com pass through grp1 success change accepted Displaying the Server Group and Authentication Con guration The...

Page 54: ...r 802 1X users use the following command A user glob represents a set of users set authentication dot1x ssid ssid name wired user glob bonded protocol method1 method2 method3 method4 To verify the cha...

Page 55: ...AMPLE peap mschapv2 grp1 Displaying and Saving the Con guration MSS immediately implements con guration changes by updating the device s running con guration The software does not automatically retain...

Page 56: ...last sun oct 31 0 set service pro le corp1 ssid name private_wlan set service pro le corp1 ssid type crypto set radius server svr1 address 10 10 70 20 key rad1pword set radius server svr2 address 10 1...

Page 57: ...a small subset of status and monitoring commands is available Restricted mode is useful for administrators with basic monitoring privileges who are not allowed to change the con guration or run trace...

Page 58: ...con gure authentication authorization and accounting for administrative access mode D Link recommends enforcing authentication for administrative access using usernames and passwords stored either loc...

Page 59: ...y enabled To con gure a previously uncon gured DWS 1008 switch via the console you must complete the following tasks Enable an administrator Con gure authentication Optionally con gure accounting Save...

Page 60: ...d Password changed Caution D Link recommends that you change the enable password from the default no password to prevent unauthorized users from entering con guration commands The enable password is c...

Page 61: ...l MAC address for different AAA treatments A user glob is a string possibly containing wildcards for matching AAA and IEEE 802 1X authentication methods to a user or set of users The switch supports t...

Page 62: ...switch is the simplest way to store user information in a D Link system To con gure a user in the local database type the following command set user username password password Note Although MSS allows...

Page 63: ...up For example you can set accounting for administrative users using the start stop mode via the local database DWS 1008 set accounting admin EXAMPLE start stop local success change accepted The accou...

Page 64: ...or all commands that you enter and want to use for future sessions After you enter the administrator s AAA con guration type the following command to maintain these commands in nonvolatile memory DWS...

Page 65: ...e con g success con guration saved Local Authentication for Console Users and RADIUS Authentication for Telnet Users This scenario illustrates how to enable local authentication for console users and...

Page 66: ...et server group sg1 members r1 success change accepted DWS 1008 set authentication console local sg1 success change accepted DWS 1008 save con g success con guration saved Natasha also enables backup...

Page 67: ...ntication Natasha sets the authentication method to none She types the following commands in this order DWS 1008 set user natasha password m Jor User natasha created DWS 1008 set radius server r1 addr...

Page 68: ...DWS 1008 switch ports are network ports by default You must set the port type for ports directly connected to AP access ports and to wired user stations that must be authenticated to access the networ...

Page 69: ...1a 11b 11g The dap num parameter identi es the Distributed AP connection for the DWL 8220AP The range of valid connection ID numbers is 1 to 30 For the serial id parameter specify the serial ID of the...

Page 70: ...omatically denied access if neither 802 1X authentication or MAC authentication is successful To set port 2 as a wired authentication port type the following command DWS 1008 set port type wired auth...

Page 71: ...ttings from port 5 and reset the port as a network port type the following command DWS 1008 clear port type 5 This may disrupt currently authenticated users Are you sure y n n y success change accepte...

Page 72: ...ort list 10 100 auto To set the port speed on ports 1 3 through 6 to 10 Mbps type the following command DWS 1008 set port speed 1 3 6 10 Disabling or Reenabling a Port All ports are enabled by default...

Page 73: ...egularly update port statistics in a separate window Displaying Port Con guration and Status To display port con guration and status information use the following command show port status port list To...

Page 74: ...rom the switch Displaying Port Statistics To display port statistics use the following command show port counters octets packets receive errors transmit errors collisions receive etherstats transmit e...

Page 75: ...ach type of statistic is displayed separately Press the Spacebar to cycle through the displays for each type If you use an option to specify a statistic type the display begins with that statistic typ...

Page 76: ...c for that ow Link Redundancy A port group ensures link stability by providing redundant connections for the same link If an individual port in a group fails the switch reassigns traf c to the remaini...

Page 77: ...WS 1008 set port group name server2 3 5 mode on success change accepted DWS 1008 set vlan default port server2 success change accepted To verify the con guration change type the following command DWS...

Page 78: ...idual network ports You can con gure multiple VLANs on a switch s network ports Optionally each VLAN can have an IP address VLANs are not con gured onAPaccess ports or wired authentication ports becau...

Page 79: ...sume the VLAN is assigned on a RADIUS server with either of the valid attributes VLAN Names TocreateaVLAN youmustassignanametoit VLANnamesmustbegloballyunique toensure the intended user connectivity a...

Page 80: ...be used by different VLANs but on different network ports If you use a tag value D Link recommends that you use the same value as the VLAN number MSS does not require the VLAN number and tag value to...

Page 81: ...mmand DWS 1008 set vlan 2 name red After you create a VLAN you can use the VLAN number or the VLAN name in commands In addition the VLAN name appears in CLI displays Adding Ports to a VLAN To add a po...

Page 82: ...mation that uses the VLAN If you want to remove only a speci c port from the VLAN make sure you specify the port number in the command To remove port 5 from VLAN red type the following command DWS 100...

Page 83: ...sses within a particular VLAN To forward a packet to another device in a VLAN the switch searches the forwarding database for the packet s destination MAC address then forwards the packet out the port...

Page 84: ...rding database size and the entries contained in the database Displaying the Size of the Forwarding Database To display the number of entries contained in the forwarding database use the following com...

Page 85: ...ries Displayed 2 Adding an Entry to the Forwarding Database To add an entry to the forwarding database use the following command set fdb perm static mac addr port port list vlan vlan id tag tag value...

Page 86: ...ng the Aging Timeout Period To display the current setting of the aging timeout period use the following command show fdb agingtime vlan vlan id For example to display the aging timeout period for all...

Page 87: ...p up auto 100 full network 10 100BaseTx 2 nance up down auto network 10 100BaseTx 3 accounting up down auto network 10 100BaseTx 4 shipping up down auto network 10 100BaseTx 5 lobby up down auto netwo...

Page 88: ...rt status Port Name Admin Oper Con g Actual Type Media 1 mgmt up up auto 100 full network 10 100BaseTx 2 nance up up auto 100 full ap 10 100BaseTx 3 accounting up up auto 100 full ap 10 100BaseTx 4 sh...

Page 89: ...ts 7 and 8 as a load sharing port group to provide a redundant link to the backbone and verify the con guration change Type the following commands DWS 1008 set port group name backbonelink port 7 8 mo...

Page 90: ...85 DWS 1008 User s Manual D Link Systems Inc Con guring and Managing Ports and VLANs success con guration saved...

Page 91: ...does not support defragmentation except at the receiving end of an IP tunnel and only to reassemble fragments created by another D Link device for tunneling If the path MTU between D Link devices is l...

Page 92: ...e following options 12 Host Name the system name 55 Parameter request list consisting of 1 Subnet Mask 3 Router 15 Domain Name and 6 Domain Name Server 60 Vendor Class Identi er set to TRPZ x x x wher...

Page 93: ...subnet that is already con gured on another VLAN on the switch MSS sends a DHCP Decline message to the server and generates a log message If the switch is powered down or restarted MSS does not retai...

Page 94: ...UP Lease Allocation 65535 seconds Lease Remaining 65532 seconds IP Address 10 3 1 110 Subnet Mask 255 255 255 0 Default Gateway 10 3 1 1 DHCP Server 10 3 1 4 DNS Servers 10 3 1 29 DNS Domain Name myco...

Page 95: ...p address Con guring and Managing IP Routes The IP route table contains routes that MSS uses for determining the interfaces for a switch s external communications When you add an IP interface to a VLA...

Page 96: ...d a static route use the show interface command to verify that the switch has an IP interface in the same subnet as the route s gateway router MSS requires the routes for the interface to resolve the...

Page 97: ...o Down If the route table contains other static routes to the same destination MSS selects the resolved route that has the lowest cost In the following example the default route to 10 0 1 17 is down s...

Page 98: ...can no longer reach its estination For example if you are managing the Switch with a Telnet session and the session needs the static route removing the route also removes the Telnet connection to the...

Page 99: ...le timeout controls how long an open SSH session can remain idle before MSS closes the session The default idle timeout is 30 minutes You can set the idle timeout to a value from 0 disabled to 2 147 4...

Page 100: ...compare the SSH key checksum displayed by the Switch with the one displayed by the client to verify that you really are connected to the Switch and not another device Generally SSH clients remember t...

Page 101: ...minutes type the following command DWS 1008 set ip ssh absolute timeout 30 success absolute timeout set to 30 minutes Managing SSH Server Sessions Use the following commands to manage SSH server sessi...

Page 102: ...with Telnet a user must supply a valid username and password To add a username and password to the local database use the following command set user username password password Optionally you also can...

Page 103: ...ip telnet Managing Telnet Server Sessions Use the following commands to manage Telnet server sessions show sessions admin clear sessions admin telnet session id These commands display and clear manag...

Page 104: ...n IP address in a command For example as an alternative to the command ping 192 168 9 1 you can enter the command ping chris example com When you enter ping chris example com the Switch s DNS client q...

Page 105: ...r use the following command clear ip dns server ip addr Con guring a Default Domain Name You can con gure a single default domain name for DNS queries The Switch appends the default domain name to hos...

Page 106: ...ollowing command show ip dns The following example shows DNS server information on a switch con gured to use three DNS servers DWS 1008 show ip dns Domain Name example com DNS Status enabled IP Addres...

Page 107: ...following command show ip alias name Here is an example DWS 1008 show ip alias Name IP Address HR1 192 168 1 2 payroll 192 168 1 3 radius1 192 168 7 2 Con guring and Managing Time Parameters You can...

Page 108: ...ds Setting the Time Zone The time zone parameter adjusts the system date and optionally the time by applying an offset to UTC To set the time zone use the following command set timezone zone name hour...

Page 109: ...p to 32 alphanumeric characters long with no spaces The start and end dates and times are optional If you do not specify a start and end time MSS implements the time change starting at 2 00 a m on the...

Page 110: ...isplaying the Time and Date To display the time and date use the following command show timedate DWS 1008 show timedate Sun Feb 29 2004 23 58 02 PST Con guring and Managing NTP The Network Time Protoc...

Page 111: ...192 168 1 5 type the following command DWS 1008 set ntp server 192 168 1 5 Removing an NTP Server To remove an NTP server use the following command clear ntp server ip addr all If you use the all opt...

Page 112: ...s 8 0 hours Summertime is enabled Last NTP update Sun Feb 29 2004 23 58 00 NTP Server Peer state Local State 192 168 1 5 SYSPEER SYNCED The Timezone and Summertime elds are displayed only if you chang...

Page 113: ...ent an ARP request for the entry and is waiting for the reply RESOLVING Adding an ARP Entry MSS automatically adds a local entry for a switch and dynamic entries for addresses learned from traf c rece...

Page 114: ...vice that has IP address 10 1 1 1 type the following command DWS 1008 ping 10 1 1 1 PING 10 1 1 1 10 1 1 1 from 10 9 4 34 56 84 bytes of data 64 bytes from 10 1 1 1 icmp_seq 1 ttl 255 time 0 769 ms 64...

Page 115: ...clear Telnet sessions from an Switch s Telnet client to another device To display the Telnet client sessions on an Switch type the following command DWS 1008 show sessions telnet client Session Server...

Page 116: ...lity that it has reached the destination To trace a route to a destination subnet use the following command traceroute host dnf no dns port port num queries num size size ttl hops wait ms To trace the...

Page 117: ...nge accepted DWS 1008 show system Product Name DWS 1008 System Name DWS 1008 System Countrycode US System Location System Contact System IP 10 02 10 10 System MAC 00 0B 0E 00 04 0C Boot Time 2000 03 1...

Page 118: ...rify the con guration changes Type the following commands DWS 1008 set ip dns domain example com success change accepted DWS 1008 set ip dns server 10 10 10 69 PRIMARY success change accepted DWS 1008...

Page 119: ...of October DWS 1008 set ntp server 192 168 1 5 DWS 1008 set ntp enable success NTP Client enabled DWS 1008 show ntp NTP client enabled Current update interval 20 secs Current time Sun Feb 29 2004 23 5...

Page 120: ...gs SNMPv3 supports user security model USM users with individually con gurable access levels authentication options and encryption options All SNMP versions are disabled by default Con guring SNMP To...

Page 121: ...mands set a switch s location to 3rd_ oor_closet and set the contact to sysadmin1 DWS 1008 set system location 3rd_ oor_closet success change accepted DWS 1008 set system contact sysadmin1 success cha...

Page 122: ...et write them This is the default read notify An SNMP management application using the string can get object values on the switch but cannot set them The switch can use the string to send noti cations...

Page 123: ...32 alphanumeric characters long with no spaces You can con gure up to 10 SNMPv3 users The snmp engine id option speci es a unique identi er for an instance of an SNMP engine To send informs you must...

Page 124: ...cryption is used 3des Triple DES encryption is used aes Advanced Encryption Standard AES encryption is used If the encryption type is des 3des or aes you can specify a passphrase or a hexadecimal key...

Page 125: ...ncrypted auth req unsec notify You can specify one of the following options unsecured SNMP message exchanges are not secure This is the default and is the only value supported for SNMPv1 and SNMPv2c T...

Page 126: ...numeric characters long with no spaces To modify the default noti cation pro le specify default The noti cation type can be one of the following AuthenTraps Generated when the DWS 1008 switch s SNMP e...

Page 127: ...occurs DeviceOkayTraps Generated when a device returns to its normal state LinkDownTraps Generated when the link is lost on a port LinkUpTraps Generated when the link is detected on a port MichaelMICF...

Page 128: ...ated when an interfering device is no longer detected RFDetectSpoofedMacAPTraps Generated when MSS detects a wireless packet with the source MAC address of a D Link AP but without the spoofed AP s sig...

Page 129: ...RogueWiredAPTraps success change accepted DWS 1008 set snmp notify pro le snmpprof_rfdetect send RFDetectDoSTraps success change accepted DWS 1008 set snmp notify pro le snmpprof_rfdetect send RFDetec...

Page 130: ...NMP noti cations You can con gure the MSS SNMP engine to send con rmed noti cations informs or uncon rmed noti cations traps Some of the command options differ depending on the SNMP version and the ty...

Page 131: ...value on the target itself You can specify a number from 1 to 10 The ip addr udp port number is the IP address of the server You also can specify the UDP port number to send noti cations to The defau...

Page 132: ...onds MSS waits for acknowledgement of a noti cation You can specify from 1 to 5 seconds The default is 2 Command Examples The following command con gures a noti cation target for acknowledged noti cat...

Page 133: ...P community strings use the following command DWS 1008 show snmp community Displaying USM Settings To display USM settings use the following command DWS 1008 show snmp usm Displaying Noti cation Pro l...

Page 134: ...129 DWS 1008 User s Manual D Link Systems Inc Con guring SNMP Displaying SNMP Statistics Counters To display SNMP statistics counters use the following command DWS 1008 show snmp counters...

Page 135: ...ate Layer 2 or Layer 3 networks To con gure DWL 8220AP access points perform the following tasks in this order Specify the country of operation Con gure DWL 8220AP access ports Distributed AP connecti...

Page 136: ...routers, and it can also be configured for 802.1Q VLAN tagging. The DWS-1008 contains a configuration for a Distributed AP based on the AP's serial number. Similar to ports configured for directly connecte...

Page 137: ...is directly connected to a Distributed AP, you might need to change the STP configuration on the port to allow the AP to boot. Note: STP on a port directly connected to a Distributed AP can prevent the AP...

Page 138: ...ostname1 hostname2. You can use an IP address list or a hostname list, but not both. If the list contains both types of values, the AP does not attempt to use the list. The ip and host keywords can be in l...

Page 139: ...be preferred over switches with low bias for booting and managing the AP. Note: Bias applies only to switches that are indirectly attached to the AP through an intermediate Layer 2 or Layer 3 network a...

Page 140: ...ncy of DWS-1008 services by dual-homing the AP to two directly connected switches, or by configuring a Distributed AP configuration either on two or more indirectly connected switches or on a combination...

Page 141: ...lies with a unicast DHCP Offer message. The Offer message must contain the following parameters: IP address for the AP; IP address of the network's DNS server; IP address of the subnet's default gateway; O...

Page 142: ...addresses or hostnames in the DHCP option 43 field, the AP contacts the switches. If the DHCP ACK message contained a list of DWS-1008 IP addresses in DHCP option 43, the AP sends a unicast Find DWS-1008...

Page 143: ...reply, the AP retries this method up to 11 more times. If the DWS-1008 replies after all 12 attempts, the AP begins the process again with step 1 on the other AP port. If the other AP port does not have a...

Page 144: ...access point to a group does not affect sessions that are already active on the access point. In addition, MSS does not attempt to rebalance sessions when a client disassociates from an access point. If...

Page 145: ...CCMP to encrypt traffic sent to WPA clients. cipher-tkip: enable. When the WPA IE is enabled, uses Temporal Key Integrity Protocol (TKIP) to encrypt traffic sent to WPA clients. cipher-wep104: disable. Does not...

Page 146: ...n of a second MIC failure within 60 seconds. web-portal-form: Not configured. For WebAAA users, serves the default login web page or, if configured, the SSID-specific login web page. wep-key-index: No keys define...

Page 147: ...already deployed and running on the network, you can display the MAC address assignments by using the show ap/dap status command. All MAC addresses on a DWL-8220AP are assigned based on the AP's base M...

Page 148: ...n you assign the profile. The table below summarizes the parameters controlled by radio profiles. Generally, the only radio parameters controlled by the profile that you need to modify are the SSIDs and, if...

Page 149: ...ry: 5. Sends a long unicast frame up to five times without acknowledgment. max-rx-lifetime: 2000. Allows a received frame to stay in the buffer for up to 2000 ms (2 seconds). max-tx-lifetime: 2000. Allows a frame...

Page 150: ...wing tasks: Assign initial channel and power settings when a DWL-8220AP radio is started. Periodically assess the RF environment and change the channel or power setting if needed. Change the transmit dat...

Page 151: ...ower and external antenna type on each radio. Map the radio profile to a service profile. Assign the radio profile to radios and enable the radios. Specifying the Country of Operation: You must specify the c...

Page 152: ...ystem MAC: 00:0B:0E:02:76:F6. Boot Time: 2003-05-07 08:28:39. Uptime: 0 days 04:00:07. Country Code: Australia AU, Austria AT, Belgium BE, Brazil BR, Canada CA, China CN, Czech Republic CZ, Denmark DK, Finland FI, Fr...

Page 153: ...ed APs. When a switch determines the DWS-1008 IP address to send to a booting AP, the switch gives preference to APs that are already configured over unconfigured APs that require a template. The DWS-1008...

Page 154: ...in the template. The table below lists the configurable template parameters and their defaults. The only parameter that requires configuration is the template mode. The template is disabled by default. To...

Page 155: ...ap auto blink enable | disable. Radio Parameters: set dap auto radiotype 11a | 11b | 11g; set dap auto radio 1 | 2 mode enable | disable; set dap auto radio 1 | 2 radio-profile name mode enable | disable; set dap auto ra...

Page 156: ...3 ssid employee-net; bssid3 00:0b:0e:00:d2:c5 ssid mycorp-tkip. The output displays auto next to the Distributed AP number to indicate that the AP was configured using a template. Converting a DWL-8220AP...

Page 157: ...y APs you can configure on a switch and how many APs a switch can boot. The numbers are for directly connected and Distributed APs combined. Maximum APs Supported Per Switch: Switch Model | Maximum That Can...

Page 158: ...g, but can be configured for 802.11b or 802.11g exclusively. If the country of operation specified by the set system countrycode command does not allow 802.11g, the default is 802.11b. The DWL-8220AP has a...

Page 159: ...aution: When you clear an access point, MSS ends user sessions that are using the AP. To clear the port settings from a port, use the following command: clear port type port-list. This command resets the po...

Page 160: ...named loadbalance1 that contains directly connected access points on ports 1-4 and 6, type the following command: DWS-1008# set ap 1-4,6 group loadbalance1. success: change accepted. Disabling or Reenablin...

Page 161: ...for unencrypted management traffic is 1474 bytes. Make sure the devices in the intermediate network between the switch and Distributed AP can support the higher MTU. Encryption Key Fingerprint: APs are c...

Page 162: ...is already installed and operating, use the show dap status command to display the fingerprint. The following example shows information for Distributed AP 8, including its fingerprint: DWS-1008# show dap stat...

Page 163: ...37:58:f4:d0:10:75:43:2f:45:c9:52:c3. success: change accepted. Setting the AP Security Requirement on a Switch. Note: A change to AP security support does not affect management sessions that are already e...

Page 164: ...pted. The following command applies the name corporate users to the SSID managed by service profile mycorp_srvcprf: DWS-1008# set service-profile mycorp_srvcprf ssid-name corporate users. success: change acc...

Page 165: ...e to one or more service profiles. The channel number, transmit power, and external antenna type are unique to each radio and are not controlled by radio profiles. Creating a New Profile: To create a radio pr...

Page 166: ...equest them in response to the DTIM. The DTIM interval applies to both the beaconed SSID and the unbeaconed SSID. The DTIM interval does not apply to unicast frames. A DWL-8220AP access point also stores...

Page 167: ...shold 1500. success: change accepted. Changing the Fragmentation Threshold: The fragmentation threshold specifies the longest a frame can be without being fragmented into multiple frames by a radio before...

Page 168: ...adio can remain in buffer memory. To change the maximum receive lifetime, use the following command: set radio-profile name max-rx-lifetime time. The time can be from 500 ms (0.5 second) through 250,000 ms (2...

Page 169: ...n mode remains in effect until 60 seconds after the last 802.11b traffic is detected by the 802.11b/g radio. Protection mode lowers overall traffic throughput due to the additional messages sent by 802.1...

Page 170: ...is command does not apply to 802.11a radios. To change the preamble length advertised by 802.11b/g radios, use the following command: set radio-profile name preamble-length long | short. To configure 802.11b...

Page 171: ...wer in decibels referred to 1 milliwatt. External antenna model, if applicable. These parameters have the following defaults: Channel number: The default channel number for 802.11b/g is 6. The default chann...

Page 172: ...the 802.11a radio on port 5 for channel 36 with a transmit power of 10 dBm, type the following command: DWS-1008# set ap 5 radio 2 channel 36 tx-power 10. success: change accepted. You also can change the...

Page 173: ...ofile rp1 mode enable. success: change accepted. To assign radio profile rp1 to radio 2 on ports 1-4 and port 6 and enable the radios, type the following command: DWS-1008# set ap 1-4,6 radio 2 radio-profile r...

Page 174: ...o-profile rp1 mode disable. success: change accepted. DWS-1008# set radio-profile rp1 beacon-interval 200. success: change accepted. DWS-1008# set radio-profile rp1 mode enable. success: change accepted. Resetting...

Page 175: ...f Distributed APs that are not configured on a switch. Connection information for Distributed APs. Service profile information. Radio profile information. Status information. Statistics counters. Displaying AP...

Page 176: ...ult auto-tune max-power: default; min-client-rate: 24; max-retransmissions: 10. Displaying a List of Distributed APs: To display a list of the Distributed APs configured on switches on your network, use the fo...

Page 177: ...nformation is displayed only for Distributed APs that are configured on this switch. Displaying Service Profile Information: To display service profile information, use the following command: show service-pr...

Page 178: ...k state and DWS-1008 status, use the following commands: show ap status terse port-list | all radio 1 | 2; show dap status terse dap-num | all radio 1 | 2. The terse option displays a brief line of essential stat...

Page 179: ...counters 2. Port 2 radio 1: LastPktXferRate 2, PktTxCount 91594255, NumCntInPwrSave 4294966683, MultiPktDrop 0, LastPktRxSigStrength 54, MultiBytDrop 0, LastPktSigNoiseRatio 40, User Sessions 5, TKIP Pkt Trans...

Page 180: ...0 89354 1947920 0 0 421 9 0 508 0 149925 0 0 0 0 0 0 12 0 16 0 768 0 3 681 0 0 1 18 0 240 0 80769 0 5 1017 0 0 0 24 0 107057 7694 8085317 629107 1663 63543 0 0 141546 36 0 453 0 132499 0 254 20533 0...

Page 181: ...ork contains a combination of WPA/RSN clients and non-WPA clients, you can configure MSS to provide encryption for both types of clients. To configure encryption parameters for an SSID, create or edit a se...

Page 182: ...information element (IE). Specify the supported cipher suites: CCMP, TKIP, 40-bit WEP, 104-bit WEP. TKIP is enabled by default when the RSN IE is enabled. WPA | WPA clients, Non-WPA clients | Disabled | Enable the W...

Page 183: ...egrity Protocol (TKIP): TKIP uses the RC4 encryption algorithm, a 128-bit encryption key, a 48-bit initialization vector (IV), and a message integrity code (MIC) called Michael. Wired Equivalent Privacy (WEP) with...

Page 184: ...asures timer expires, the access point allows associations and reassociations and generates new session keys for them. You can set the countermeasures timer for DWL-8200AP access point radios to a value...

Page 185: ...con frame. Association request or reassociation sent by a client: The WPA IE in an association request lists the authentication method and cipher suite the client wants to use. Client Support: To use the...

Page 186: ...rofile for each SSID that will support WPA clients. 2. Enable the WPA IE in the service profile. 3. Enable the cipher suites you want to support in the service profile. TKIP is enabled by default. Optionally, y...

Page 187: ...wing cipher suites: CCMP, TKIP, 40-bit WEP, 104-bit WEP. By default, TKIP is enabled and the other cipher suites are disabled. To enable or disable cipher suites, use the following commands: set service-profile...

Page 188: ...wpa, type the following command: DWS-1008# set service-profile wpa auth-psk enable. success: change accepted. Configuring a Global PSK Passphrase or Raw Key for All Clients: To configure a global passphrase for...

Page 189: ...service profile wpa, type the following command: DWS-1008# set service-profile wpa auth-dot1x disable. success: change accepted. Displaying WPA Settings: To display the WPA settings in a service profile, use th...

Page 190: ...lowing command: DWS-1008# set ap 1 3 6 radio 1 radio-profile bldg1 mode enable. success: change accepted. To assign radio profile bldg1 to radio 2 on ports 4 5 and enable the radios, type the following comman...

Page 191: ...ce-profile name rsn-ie enable | disable. To enable RSN in service profile wpa, type the following command: DWS-1008# set service-profile rsn rsn-ie enable. success: change accepted. Specifying the RSN Cipher Suit...

Page 192: ...abling the Radios: After you configure RSN settings in a service profile, you can map the service profile to a radio profile, assign the radio profile to radios, and enable the radios to activate the settings...

Page 193: ...n change or disable the broadcast or multicast rekeying interval. For static WEP, MSS uses statically configured keys typed in the switch's configuration and on the wireless client, and does not rotate the...

Page 194: ...tic WEP Keys: When static WEP is enabled, static WEP key 1 is assigned to unicast and multicast traffic by default. To assign another key to unicast or multicast traffic, use the following commands: set serv...

Page 195: ...tion dot1x ssid mycorp EXAMPLE pass-through shorebirds. 2. Create a service profile named wpa for the SSID. Type the following command: DWS-1008# set service-profile wpa. success: change accepted. 3. Set the SSI...

Page 196: ...AP6, boot-download-enable: YES, load balancing group: none. Radio 1: type: 802.11g, mode: enabled, channel: 6, tx pwr: 1, profile: rp1, auto-tune max-power: default, min-client-rate: 5.5, max-retransmissions: 10. Radio 2: t...

Page 197: ...le wpa-wep. Type the following command: DWS-1008# set service-profile wpa-wep cipher-wep40 enable. success: change accepted. TKIP is already enabled by default when WPA is enabled. 6. Display the service profil...

Page 198: ...p: none. Radio 1: type: 802.11g, mode: enabled, channel: 6, tx pwr: 1, profile: rp2, auto-tune max-power: default, min-client-rate: 5.5, max-retransmissions: 10. Radio 2: type: 802.11a, mode: enabled, channel: 36, tx pwr: 1, pro...

Page 199: ...null. Radius Servers: Server Addr Ports T/o Tries Dead State. Server groups. Web Portal: enabled. set authentication mac ssid voice local; mac-usergroup wpa-for-mac vlan-name blue; mac-user aa:bb:cc:dd:ee:ff...

Page 200: ...mand: DWS-1008# show service-profile wpa-wep-for-mac. ssid-name: voice, ssid-type: crypto, beacon: yes, auth-fallthru: none, WEP Key 1 value: none, WEP Key 2 value: none, WEP Key 3 value: none, WEP Key 4 value: none, WEP...

Page 201: ...min-client-rate: 5.5, max-retransmissions: 10. Port 6: AP model: DWL-8220AP, POE: enable, bias: high, name: AP06, boot-download-enable: YES, load balancing group: none. Radio 1: type: 802.11g, mode: enabled, channel: 6, tx p...

Page 202: ...io profile or enable RF AutoTuning. If RF AutoTuning is enabled for channel and power assignment, the radio performs an RF scan and reports the results to the switch that is managing the AP the radio is...

Page 203: ...ese symptoms. First, if the data rate at which the radio is sending packets to the client is above the minimum data rate allowed, the radio lowers the unicast data rate with the client down to the next v...

Page 204: ...es. An RF anomaly is a sudden major change in the RF environment, such as sudden major interference on the channel. By default, a radio cannot change its channel more often than every 900 seconds, regardle...

Page 205: ...chever is lower. power-interval: 300. Every 300 seconds, MSS examines the RF information gathered from the network and determines whether the power needs to be changed to compensate for RF changes. power-b...

Page 206: ...eived by the radio from a client are retransmissions, the radio lowers the data rate to the client and, if necessary, increases power to reduce the retransmissions. min-client-rate: 5.5 for 802.11b/g, 24 fo...

Page 207: ...ntervals. However, RF AutoTuning can still change the channel in response to RF anomalies. D-Link recommends that you use an interval of at least 300 seconds (5 minutes). To change the channel tuning interv...

Page 208: ...a value from 1 to 65535 seconds. To change the power tuning interval, use the following command: set radio-profile name auto-tune power-interval seconds. To set the power tuning interval for radios in rad...

Page 209: ...considers changing the channel on the radio is 10 percent. You can change the threshold to a value from 1 to 100 percent. To change the max-retransmissions threshold, use the following command: set ap port...

Page 210: ...ong Retry Limit: 5, Long Preamble: no, Allow 802.11g clients only: no, Tune Channel: yes, Tune Power: no, Tune Channel Interval: 3600, Tune Power Interval: 600, Power Backoff Timer: 10, Channel Holddown: 300, Counterme...

Page 211: ...ode: disabled, channel: 36, tx pwr: 1, profile: default, auto-tune max-power: default, min-client-rate: 24, max-retransmissions: 10. Displaying RF Neighbors: To display the other radios that a specific D-Link radio ca...

Page 212: ...owing commands: show auto-tune attributes ap ap-num radio 1 | 2 | all; show auto-tune attributes dap dap-num radio 1 | 2 | all. To display RF attribute information for radio 1 on the directly connected DWL-8220A...

Page 213: ...e IP ToS value in the data packets themselves. QoS on the DWS-1008 Switch: The switch obtains an inbound packet's QoS value from the packet's Layer 2 (802.1p) or Layer 3 (IP ToS) value. Depending on the dest...

Page 214: ...D-Link switches and APs perform these mappings automatically. WMM Priority Mappings: IP Precedence, IP ToS, DSCP, 802.1p, CoS, AP Forwarding Queue: 0 0 0 0 0 0; 3 3 0x60 24 3 3; 1 1 0x20 8 1 1 Best Effort; 2 2 0...

Page 215: ...el: yes, Tune Power: no, Tune Channel Interval: 3600, Tune Power Interval: 600, Power Backoff Timer: 10, Channel Holddown: 300, Countermeasures: none, Active Scan: yes, WMM enabled: yes, Service profiles: srvcprof1. Displ...

Page 216: ...twork ports as untagged members of the same VLAN. MSS does not support running 802.1D on multiple tagged VLANs. MSS uses PVST+ BPDUs on VLAN ports that are tagged. PVST+ BPDUs include tag information in th...

Page 217: ...o the total cost of a path to the root bridge. When a designated bridge has multiple equal-cost paths to the root bridge, the designated bridge uses the path with the lowest total cost. You can set this...

Page 218: ...cost cost; set spantree portvlancost port-list cost cost all | vlan vlan-id. The set spantree portcost command changes the cost for ports in the default VLAN (VLAN 1) only. The set spantree portvlancost comm...

Page 219: ...r ports in the default VLAN (VLAN 1) only. The set spantree portvlanpri command changes the priority for ports in a specific other VLAN or in all VLANs. Specify a priority from 0 (highest priority) through 2...

Page 220: ...no longer available and initiating a topology change. You can specify an age from 6 through 40 seconds. The default is 20 seconds. Changing the STP Hello Interval: To change the hello interval, use the fo...

Page 221: ...ence features to bypass the forwarding delay: Port fast, Backbone fast, Uplink fast. Port Fast Convergence: Port fast convergence bypasses both the listening and learning stages and immediately places a po...

Page 222: ...DWS-1008 switches that are in the network core. Configuring Port Fast Convergence: To enable or disable port fast convergence, use the following command: set spantree portfast port port-list enable | disabl...

Page 223: ...kbonefast. Here is an example: DWS-1008# show spantree backbonefast. Backbonefast is enabled. In this example, backbone fast convergence is enabled. Configuring Uplink Fast Convergence: To enable or disable up...

Page 224: ...ted in the command output. To list only the ports that are in the active (forwarding) state, enter the active option. To display STP information for VLAN mauve, type the following command: DWS-1008# show span...

Page 225: ...ort cost of port 1, type the following command: DWS-1008# show spantree portvlancost 1. port 1 VLAN 1 have path cost 19. Displaying Blocked STP Ports: To display information about ports that are in the STP...

Page 226: ...DU's xmitted (port/VLAN): 0/1; config BPDU's received (port/VLAN): 21825/43649; tcn BPDU's xmitted (port/VLAN): 0/0; tcn BPDU's received (port/VLAN): 2/2; forward transition count (port/VLAN): 1/1; scp failure count: 0; roo...

Page 227: ..._mac 00:0b:0e:00:04:30, next_src_mac 00:0b:0e:02:76:f6. Clearing STP Statistics: To clear the STP statistics counters, use the following command: clear spantree statistics port-list vlan vlan-id. As soon as...

Page 228: ...ollowing commands: DWS-1008# set vlan 10 name backbone port 2 3. success: change accepted. DWS-1008# show vlan config. Admin VLAN Tunl Port / VLAN Name Status State Affin Port Tag State: 1 default Up Up 5 1 none...

Page 229: ...100BaseTx; 6 up down auto network 10/100BaseTx; 7 up down auto network 10/100BaseTx; 8 up down auto network 10/100BaseTx. 5. Wait for STP to complete the listening and learning stages and converge, then ve...

Page 230: ...oping: IGMP snooping is enabled by default. To disable or reenable the feature, use the following command: set igmp enable | disable vlan vlan-id. If you do not specify a VLAN ID, the change is applied to all...

Page 231: ...erier for the subnet. For the switch to become the querier, the pseudo-querier feature must be enabled on the switch and the switch must have the lowest IP address among all the devices eligible to beco...

Page 232: ...for more traffic loss. To change the robustness value, use the following command: set igmp rv num vlan vlan-id. You can specify a value from 2 through 255. The default is 2. Enabling Router Solicitation: A DW...

Page 233: ...ports or wired authentication ports as static multicast ports. However, MSS can dynamically add these port types to the list of multicast ports based on multicast traffic. Adding or Removing a Static Mul...

Page 234: ...0b 258 237 255 255 255 5 10 10 10 13 00 02 04 06 08 0d 258 237 255 255 255 5 10 10 10 14 00 02 04 06 08 0e 258 237 255 255 255 5 10 10 10 12 00 02 04 06 08 0c 258 237 255 255 255 5 10 10 10 10 00 02 0...

Page 235: ...information, use the following command: show igmp querier vlan vlan-id. To display querier information for VLAN orange, type the following command: DWS-1008# show igmp querier vlan orange. Querier f...

Page 236: ...parameter to display receivers for a specific group or set of groups. For example, to display receivers for multicast groups 237.255.255.1 through 237.255.255.255 in all VLANs, type the following command...

Page 237: ...iority handling. A security ACL contains an ordered list of rules called access control entries (ACEs), which specify how to handle packets. An ACE contains an action that can deny the traffic, permit the tr...

Page 238: ...Security ACLs. Overview of Security ACL Commands: The figure below provides a visual overview of the way you use MSS commands to set a security ACL, commit the ACL so it is stored in the configuration, and m...

Page 239: ...set security acl ip acl-name permit cos cos | deny source-ip-addr mask before editbuffer-index | modify editbuffer-index hits. For example, to create ACL acl-1 that permits all packets from IP address 192.1...

Page 240: ...ced Interior Gateway Routing Protocol (EIGRP) 89 Open Shortest Path First (OSPF) protocol 103 Protocol Independent Multicast (PIM) protocol 112 Virtual Router Redundancy Protocol (VRRP) 115 Layer Two Tunnelin...

Page 241: ...er non-WMM type of prioritization, you must configure ACLs to tag the packets. Optionally, for WMM or non-WMM traffic, you can use ACLs to change the priority of traffic sent to an AP or VLAN. Setting an ICMP...

Page 242: ...nd Host Redirect 3; Echo 8, None; Time Exceeded 11: Time to Live (TTL) Exceeded 0, Fragment Reassembly Time Exceeded 1; Parameter Problem 12, None; Timestamp 13, None; Timestamp Reply 14, None; Information Request...

Page 243: ...ample, the following command permits UDP packets sent from IP address 192.168.1.7 to IP address 192.168.1.8 with any UDP destination port less than 65,535. It puts this ACE first in the ACL and counts the...

Page 244: ...and the committed ACLs. After you commit an ACL, MSS removes it from the edit buffer. To display ACLs, use the following command: show security acl editbuffer. Use the editbuffer option to display the ACLs...

Page 245: ...d: DWS-1008# show security acl info all. ACL information for all: set security acl ip acl-999 hits 2 0. 1. deny IP source IP 192.168.0.1 0.0.0.0 destination IP any. 2. permit IP source IP 192.168.0.2 0.0.0.0...

Page 246: ...econds, type the following commands: DWS-1008# hit-sample-rate 180. DWS-1008# show security acl hits. ACL hit counters: Index Counter ACL name: 1 31986 acl-red; 2 0 acl-green. Clearing Security ACLs: The clear s...

Page 247: ...tion to filter packets for the authenticated user. Note: The Filter-Id attribute is more often received by the DWS-1008 switch through an external AAA RADIUS server than applied through the local database...

Page 248: ...ports, VLANs, virtual ports, and Distributed APs. Use the following command: set security acl map acl-name vlan vlan-id | port port-list tag tag-value | dap dap-num in | out. Specify the name of the ACL, the port...

Page 249: ...al ports or Distributed APs, first display the mapping with show security acl map, and then use clear security acl map to remove it. This command removes the mapping but not the ACL. For example, to clear th...

Page 250: ...tion of the set security acl commands. See Modifying an Existing Security ACL. Use the rollback command set to clear changes made to the security ACL edit buffer since the last time it was saved. The ACL...

Page 251: ...efore editbuffer-index portion of the set security acl command to place a new ACE before an existing ACE. For example, suppose you want to deny some traffic from IP address 192.168.254.12 in acl-111. Foll...

Page 252: ...ocks some packets from IP address 192.168.254.12 with the mask 0.0.0.255, and you want to change the ACL to permit all packets from this address. Follow these steps: 1. To display all committed security A...

Page 253: ...remove an ACE that you just created in the edit buffer for acl-111: 1. To display the contents of all committed security ACLs, type the following command: DWS-1008# show security acl info all. ACL informat...

Page 254: ...0. 1. permit SRC source IP 192.168.1.1 0.0.0.0. 6. Alternatively, to clear the entire edit buffer of all changes made since a security ACL was last committed and display the results, type the following com...

Page 255: ...cedence value 5 and ToS value 12 to have CoS value 7 when they are forwarded to any 10.10.90.x address on Distributed AP 4: DWS-1008# set security acl ip acl2 permit cos 7 ip 10.10.50.2 0.0.0.0 10.10.90...

Page 256: ...abled, the AP forwarding queue that maps to CoS values 6 and 7 is optimized for SVP. You must map the ACL to the outbound traffic direction on an AP port, Distributed AP, or user VLAN. An ACL can set a pack...

Page 257: ...L that assigns traffic for IP protocol 119 to CoS queue 6 or 7, and map the ACL to the outbound traffic direction. For example, to enable SVP support for all users in VLAN corp_vlan, perform the following s...

Page 258: ...t security acl map acl-99 port 9 in. mapping configuration accepted. Because every security ACL includes an implicit rule denying all traffic that is not permitted, port 9 now accepts packets only from 192...

Page 259: ...254 DWS-1008 User's Manual, D-Link Systems, Inc. Configuring and Managing Security ACLs. 7. To save your configuration, type the following command: DWS-1008# save config. success: configuration saved...

Page 260: ...eys and certificates are fundamental to securing wireless, wired authentication, and administrative connections because they support Wi-Fi Protected Access (WPA) encryption and dynamic Wired Equivalency Pr...

Page 261: ...ates generated by a CA. Note: The switch uses separate server certificates for Admin, EAP (802.1X), and Web AAA authentication. Where applicable, the manuals refer to these server certificates as Admin, EAP, or 8...

Page 262: ...transaction creates a key pair that includes the public and private keys. The public key encrypts data and verifies digital signatures, and the corresponding private key decrypts data and generates digi...

Page 263: ...urpose. PKCS #7 (Cryptographic Message Syntax Standard): Contains a digital certificate signed by a CA. To install the certificate from a PKCS #7 file, use the crypto certificate command to prepare MSS to receive...

Page 264: ...rtificates signed by a CA, you must also install a certificate from the CA to validate the digital signatures of the certificates installed on the switch. Each of the following types of access requires a s...

Page 265: ...hen cutting and pasting the CA's own certificate into the CLI. Creating Public-Private Key Pairs: To use a self-signed certificate or Certificate Signing Request (CSR) certificate for switch authentication, yo...

Page 266: ...nformation, see PKCS #7, PKCS #10, and PKCS #12 Object Files. A PKCS #12 object file, which you obtain from a CA, includes the private key, a certificate, and optionally the CA's own certificate. After transferring th...

Page 267: ...ds. You must include a common name string when you generate a CSR. Use a fully qualified name if such names are supported on your network. The other information is optional. For example: DWS-1008# c...

Page 268: ...VYxP56M CUAm908C2foYgOY40 -----END CERTIFICATE-----. Displaying Certificate and Key Information: To display information about certificates installed on a switch, use the following commands: show crypto ca-certificate...

Page 269: ...y pairs: DWS-1008# crypto generate key admin 1024. key pair generated. DWS-1008# crypto generate key eap 1024. key pair generated. DWS-1008# crypto generate key webaaa 1024. key pair generated. 3. Generate self...

Page 270: ...c0B0cnB6LmNvbTAeFw0wMzA0 Lm8wmVYLxP56M. 4. Display certificate information for verification: DWS-1008# show crypto certificate admin. Certificate: Version: 3, Serial Number: 999 (0x3e7), Subject: C=US, ST=CA, L=PLEAS, O...

Page 271: ...time and date parameters, if not already set. 2. Obtain PKCS #12 object files from a certificate authority. 3. Copy the PKCS #12 object files to nonvolatile storage on the switch. Use the following command: copy t...

Page 272: ...eap 20481x.p12. Unwrapped from PKCS12 file: keypair, device certificate, CA certificate. DWS-1008# crypto pkcs12 web 2048web.p12. Unwrapped from PKCS12 file: keypair, device certificate, CA certificate. Note: MSS erases...

Page 273: ...ATE REQUEST-----. 4. Copy the CSR into the CA's application. Note: You must paste the entire block, from the beginning (-----BEGIN CERTIFICATE REQUEST-----) to the end (-----END CERTIFICATE REQUEST-----). 5. Transfer the signed administ...

Page 274: ...command to display a prompt: DWS-1008# crypto ca-certificate admin. Enter PEM-encoded certificate. 13. Paste the CA's signed certificate under the prompt. 14. Display information about the CA's certificate to ve...

Page 275: ...counting (AAA) features in more detail. Authentication: When a user attempts to access the network, MSS checks for an authentication rule that matches the following parameters. For wireless access, the authe...

Page 276: ...more detail in Authentication Algorithm. Web: A network user attempts to access a web page over the network. The switch intercepts the HTTP or HTTPS request and serves a login Web page to the user. The u...

Page 277: ...e of the user's device. If the address matches, MSS grants access to the SSID requested by the user, regardless of which SSID name it is. However, in a last-resort authentication rule for wireless access, i...

Page 278: ...esort user is on the RADIUS server, MSS checks for a password. The default well-known password is dlink but is configurable. (The same password applies to MAC users.) If the last-resort authentication rule m...

Page 279: ...urity ACL that permits or denies traffic received (input) or sent (output) by the switch. Service-Type: Type of access the user is requesting, which can be network access, administrative access to the enabled con...

Page 280: ...ion provides access control by means of such mechanisms as per-user security access control lists (ACLs), VLAN membership, and timeout enforcement. Because authorization is always performed on network acce...

Page 281: ...802.1X and Web Network Access: The following AAA methods are supported by D-Link for 802.1X and Web network access mode: Client certificates issued by a certificate authority (CA) for authentication. For thi...

Page 282: ...entication by a RADIUS server group as the first method for these users, and configure local authentication last in case the RADIUS servers are unavailable. 1. To configure server 1 and server 2 at IP addres...

Page 283: ...Electronic Engineers (IEEE). IEEE 802.1X is an encapsulated form for carrying authentication messages in a standard message exchange between a user (client) and an authenticator. EAP A summarizes the EAP pr...

Page 284: ...hese three basic authentication approaches Three Basic Approaches to EAP Authentication Approach Description Pass through An EAP session is established directly between the client and RADIUS server pa...

Page 285: ...f wireless users but they can be authenticated by an EAP method a MAC address a Web login page served by the switch or a last resort username Con guring 802 1X Authentication The IEEE 802 1X standard...

Page 286: ...switch while still performing MS CHAP V2 authentication via the server group shorebirds DWS 1008 set authentication dot1x ssid marshes example com peap mschapv2 shorebirds To of oad both PEAP and MS...

Page 287: ...y from a trusted machine known to Active Directory For example if user bob mycorp com has a trusted laptop PC used for work but also has a personal laptop PC you might want to bind Bob s authenticatio...

Page 288: ...odes for example nl mycorp com use an asterisk in each node that you want to match globally For example to match on all machines and users in mycorp com use the following userglobs host mycorp com use...

Page 289: ...ds D Link recommends that you try 60 seconds and change the period to a longer value only if clients are unable to authenticate within 60 seconds To set the Bonded Auth period use the following comman...

Page 290: ...mum requests 2 key transmission enabled reauthentication enabled authentication control enabled WEP rekey period 1800 WEP rekey enabled Bonded period 60 Information for the 802 1X authentication rule...

Page 291: ...r pro le or MAC user group on a RADIUS server see the documentation for your RADIUS server Adding MAC Users and Groups To create a MAC user group in the local database you must associate it with an au...

Page 292: ...sses of their devices with the following command set authentication mac ssid ssid name wired mac addr glob method1 method2 method3 method4 MAC addresses can be authenticated by either the switch s loc...

Page 293: ...ce To authenticate and authorize MAC users via RADIUS you must con gure a single prede ned password for MAC users which is called the outbound authorization password The same password is used for all...

Page 294: ...set authentication last resort ssid guestssid local success change accepted DWS 1008 set user last resort guestssid attr vlan name k3 success change accepted Note AlthoughMSSallowsyoutocon gureauserpa...

Page 295: ...from the AP to a real RADIUS server depending on the authentication method speci ed in the proxy authentication rule for the user For non 802 1X users the AP does not use 802 1X The switch sends a RA...

Page 296: ...to send a RADIUS stop accounting record when a user s session ends Switch Requirements The switch port connected to the third party AP must be con gured as a wired authentication port If SSID traf c f...

Page 297: ...h listens for RADIUS access requests and stop accounting records from the AP Use the following command set radius proxy client address ip address port udp port number acct port acct udp port number ke...

Page 298: ...key1 success change accepted The IP address is the AP s IP address The key is the shared secret con gured on the RADIUS servers MSS uses the shared secret to authenticate and encrypt RADIUS communicat...

Page 299: ...ning Authorization Attributes Authorization attributes can be assigned to users in the local database or on remote servers The attributes which include access control list ACL lters VLAN membership en...

Page 300: ...KIP Temporal Key Integrity Protocol 8 WEP_104 the default Wired Equivalent Privacy protocol using 104 bits of key strength 16 WEP_40 Wired Equivalent Privacy protocol using 40 bits of key strength 32...

Page 301: ...rt or wired authentication port or from the network via a network port Note If the Filter Id value returned through the authentication and authorization process does not match the name of a committed...

Page 302: ...user can still enter the enable command and the correct enable password to access the enabled mode For administrative sessions the switch always sends 6 Administrative The RADIUS server can reply wit...

Page 303: ...ate or both in conjunction with time of day time of day network access mode only Day s and time s during which the user is permitted to log into the network After authorization the user s session can...

Page 304: ...d RADIUS attribute Tunnel Pvt Group ID instead of VLAN Name Name of a VLAN that you want the user to use Assigning Attributes to Users and Groups You can assign authorization attributes to individual...

Page 305: ...ommands Security ACL Target Commands User authenticated by a password set user username attr lter id acl name in set user username attr lter id acl name out Group of users authenticated by a password...

Page 306: ...Verify the deletions by entering the show aaa command and checking the output TodeleteasecurityACLfromauser scon gurationonaRADIUSserver seethedocumentation for your RADIUS server Assigning Encryptio...

Page 307: ...ntegrity Protocol TKIP 8 Wired Equivalent Privacy protocol using 104 bits of key strength WEP_104 This is the default 16 Wired Equivalent Privacy protocol using 40 bits of key strength WEP_40 32 No en...

Page 308: ...can con gure the location policy on the switch YoucanusealocationpolicytolocallysetorchangetheFilter IdandVLAN Nameauthorization attributes obtained from AAA About the Location Policy Each switch can...

Page 309: ...operator user glob port port list dap dap num before rule number modify rule number You must specify whether to permit or deny access and you must identify a VLAN username or access port to match Use...

Page 310: ...4 and applies security ACLs svcs_2 to the traf c they send and svcs_3 to the traf c they receive DWS 1008 set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4 You can optionally add...

Page 311: ...a switch delete all the location policy rules Con guring Accounting for Wireless Network Users Accounting records come in three types start stop stop only and update for network users The records prov...

Page 312: ...AA_ TTY_ATTR 2 Event Timestamp 1064599308 Sept 26 12 50 21 Acct Status Type STOP Acct Authentic 2 User Name geetha AAA_ TTY_ATTR 2 Acct Session Time 6513 Event Timestamp 1064605821 Acct Output Octets...

Page 313: ...kets 10 Acct Input Packets 15 Event Timestamp 1053536700 Vlan Name default Calling Station Id 00 06 25 09 39 5D Nas Port Id 2 1 Called Station Id 00 0B 0E 76 56 A0 The user terminated the session on D...

Page 314: ...rs Server Addr Ports T o Tries Dead State rs 3 198 162 1 1 1821 1813 5 3 0 UP rs 4 198 168 1 2 1821 1813 77 11 2 UP rs 5 198 162 1 3 1821 1813 42 23 0 UP Server groups sg1 rs 3 sg2 rs 4 sg3 rs 5 Web P...

Page 315: ...con guration before the rule with SSID any set authentication web ssid corpa corpasrvr Here is an example of a AAA con guration where the most speci c rules for 802 1X are rst and the rules with any a...

Page 316: ...ion for a Correct Processing Order To avoid processing errors for authentication and accounting commands that include order sensitive user globs enter the commands for each user glob in pairs For exam...

Page 317: ...pted You can then assign this Mobility Pro le to one or more users For example to assign the Mobility Pro le roses pro le to all users at EXAMPLE type the following command DWS 1008 set user EXAMPLE a...

Page 318: ...of Network User Commands The following example illustrates how to con gure IEEE 802 1X network users for authentication accounting ACL ltering and Mobility Pro le assignment 1 Con gure all 802 1X user...

Page 319: ...Name Ports tulip AP 2 AP 4 AP 5 AP 6 6 To assign Mobility Pro le tulip to all users at EXAMPLE type the following command for each EXAMPLE user DWS 1008 set user EXAMPLE username attr mobility pro le...

Page 320: ...Con gure the RADIUS server r1 at IP address 10 1 1 1 with the string sunny for the key Type the following command DWS 1008 set radius server r1 address 10 1 1 1 key sunny 2 Con gure the server group...

Page 321: ...asha password moon 3 To assign Natasha to a VLAN named red type the following command DWS 1008 set user Natasha attr vlan name red 4 To assign Natasha a session timeout value of 1200 seconds type the...

Page 322: ...DWS 1008 set server group sg1 members r1 3 Enable all 802 1X users of SSID thiscorp using PEAP MS CHAP V2 to authenticate MS CHAP V2 on server group sg1 Type the following command DWS 1008 set authen...

Page 323: ...g PEAP on the switch and MS CHAP V2 on server sg1 type the following command DWS 1008 set authentication dot1x ssid bobblehead mktg peap mschapv2 sg1 4 To authenticate all 802 1X users of SSID aircorp...

Page 324: ...structors normally authorized to use any techcomm VLAN in the college to access the network through the bldgb eng VLAN when they are in building B 1 Redirect bldga prof VLAN users to the VLAN bldgb en...

Page 325: ...t before making available any services offered by the switch or the wireless network The authentication server can reside either in the local database on the switch or on a remote RADIUS server When a...

Page 326: ...MSS does not hold down requests to unresponsive RADIUS servers Instead MSS attempts to send each new authentication or authorization request to a server even if the server is thought to be unresponsiv...

Page 327: ...h to select a source interface address based on information in its routing table as the RADIUS client address Con guring Individual RADIUS Servers You must set up a name and IP address for each RADIUS...

Page 328: ...s con gured you can use a server group name as the AAA method with the set authentication and set accounting commands Subsequently you can change the members of a group or con gure load balancing If y...

Page 329: ...a request to the following RADIUS server group This exception is called local override Con guring Load Balancing You can con gure the switch to distribute authentication requests across RADIUS servers...

Page 330: ...add RADIUS server coot to server group shorebirds 1 Determine the server group by typing the following command DWS 1008 show aaa Radius Servers Server Addr Ports T o Tries Dead State sandpiper 192 168...

Page 331: ...swampbirds and shorebirds 1 Con gure RADIUS servers Type the following commands DWS 1008 set radius server pelican address 192 168 253 11 key elm DWS 1008 set radius server seagull address 192 168 243...

Page 332: ...etrans 3 deadtime 0 key null author pass null Radius Servers Server Addr Ports T o Tries Dead State sandpiper 192 168 253 17 1812 1813 5 3 0 UP heron 192 168 253 12 1812 1813 5 3 0 UP egret 192 168 25...

Page 333: ...tionally authorize or unconditionally reject all users Enabling and Disabling 802 1X Globally The following command globally enables or disables 802 1X authentication on all wired authentication ports...

Page 334: ...reless supplicant client in an Extensible Authentication Protocol over LAN EAPoL packet after authentication is successful You can disable this feature or change the time interval for key transmission...

Page 335: ...ess point WEP uses a secret key shared between the communicators WEP rekeying increases the security of the network New unicast keys are generated every time a client performs 802 1X authentication Th...

Page 336: ...s1800 seconds 30 minutes Youcansettheintervalfrom30 to1 641 600 seconds 19 days For example type the following command to set the WEP rekey period to 900 seconds DWS 1008 set dot1x wep rekey period 90...

Page 337: ...reauthentication timeout is shorter than the session timeout MSS uses the global timeout instead Enabling and Disabling 802 1X Reauthentication The following command enables or disables the reauthent...

Page 338: ...bal setting or the value returned by the AAA server with the rest of the authorization attributes for that client For example type the following command to set the number of seconds to 100 before reau...

Page 339: ...onds For example type the following command to set the quiet period to 300 seconds DWS 1008 set dot1x quiet period 300 success dot1x quiet period set to 300 Type the following command to reset the 802...

Page 340: ...to 300 DWS 1008 set dot1x timeout supplicant 300 success dot1x supplicant timeout set to 300 Type the following command to reset the timeout period DWS 1008 clear dot1x timeout supplicant success chan...

Page 341: ...ticated vlan eng EXAMPLE nwong 00 06 80 00 5c 02 Authenticated vlan eng EXAMPLE hhabib 00 02 2d 6a de f2 Authenticated vlan pm smith exmpl com 00 02 2d 5e 5b 76 Authenticated vlan pm EXAMPLE natasha 0...

Page 342: ...mand to display 802 1X statistics about connecting and authenticating DWS 1008 show dot1x stats 802 1X statistic value Enters Connecting 709 Logoffs While Connecting 112 Enters Authenticating 467 Succ...

Page 343: ...isplaying and Clearing Administrative Sessions To display session information and statistics for a user with administrative access to the switch use the following command show sessions admin console t...

Page 344: ...e the following command DWS 1008 clear sessions console This will terminate manager sessions do you wish to continue y n y y Displaying and Clearing Administrative Telnet Sessions To view information...

Page 345: ...ired verbose In most cases you can display both summary and detailed verbose information for a session For example the following command displays summary information about all current network sessions...

Page 346: ...00 05 ff as of 00 37 35 ago 00 30 65 16 8d 69 4385 192 168 19 199 vlan wep 3 1 Client MAC 00 10 65 16 8d 69 GID SESS 4385 000430 842879 bf7a7 State ACTIVE prev AUTHORIZED now on 192 168 12 7 AP radio...

Page 347: ...f 00 23 32 ago 1 sessions match criteria of 10 total To clear all the network sessions of a user or group of users use the following command clear sessions network user user glob For example the follo...

Page 348: ...west 1 2 EXAMPLE jose 20 192 168 12 171 west 1 2 EXAMPLE geetha 21 192 168 12 169 west 3 2 To clear the sessions on a VLAN or set of VLANs use the following command clear sessions network vlan vlan gl...

Page 349: ...st packet signal strength 67 dBm Last packet data S N ratio 55 The verbose option is not available with the show sessions network session id command To clear network sessions by session ID type the fo...

Page 350: ...nterprise network by potentially allowing unchallenged access to the network by any wireless user or client in the physical vicinity Rogue access points and users can also interfere with the operation...

Page 351: ...ue detection MSS does not count devices on the ignore list as rogues or interfering devices and does not issue countermeasures against them An empty permitted SSID list or permitted vendor list implic...

Page 352: ...f scans on all channels allowed for the country of operation This is the regulatory domain set by the set system countrycode command 802 11b g radios scan in the 2 4 GHz to 2 4835 GHz spectrum 802 11a...

Page 353: ...generates a message Note The RF Auto tuning feature must be enabled Otherwise MSS cannot change the channel Countermeasures You can enable MSS to use countermeasures against rogues Countermeasures co...

Page 354: ...nt black list List of client or AP MAC addresses that are not allowed on the wireless network MSS drops all packets from these clients or APs Yes Yes Attack list List of AP MAC addresses to attack MSS...

Page 355: ...hird party AP or client vendors that are allowed on the network MSS does not list a device as a rogue or interfering device if the device s OUI is in the permitted vendor list By default the permitted...

Page 356: ...list speci es the SSIDs that are allowed on the network If MSS detects packets for an SSID that is not on the list the AP that sent the packets is classi ed as a rogue MSS issues countermeasures again...

Page 357: ...e network MSS drops all packets from the clients on the black list By default the client black list is empty In addition to manually con gured entries the list can contain entries added by MSS MSS can...

Page 358: ...ices that MSS should issue countermeasures against whenever the devices are detected on the network The attack list can contain the MAC addresses of APs and clients By default the attack list is empty...

Page 359: ...devices list To add a device to the ignore list use the following command set rfdetect ignore mac addr The mac addr is the BSSID of the device you want to ignore Note If you try to initiate counterme...

Page 360: ...ues only DWS 1008 set radio pro le radprof3 countermeasures rogue success change accepted To disable countermeasures on a radio pro le use the following command clear radio pro le name countermeasures...

Page 361: ...ected or disappears To disable or reenable the log messages use the following command set rfdetect log enable disable To display log messages on a switch use the following command show log buffer Enab...

Page 362: ...ges the radio to a different channel Deauthenticate frames Spoofed deauthenticate frames form the basis for most DoS attacks and are the basis for other types of attacks including man in the middle at...

Page 363: ...attack based on the ngerprint of the spoofed AP Packets from the real AP have the correct signature while spoofed packets lack the signature Netstumbler and Wellenreiter Applications Netstumbler and...

Page 364: ...t these lists are empty and all SSIDs vendors and clients are allowed Displaying Statistics Counters To display IDS and DoS statistics counters use the show rfdetect counters commands IDS Log Message...

Page 365: ...a bb cc dd ee ff is sending re associate request ood on port 2 Disassociate request ood Client aa bb cc dd ee ff is sending disassociate request ood on port 2 Weak WEP initialization vector IV Client...

Page 366: ...port 2 radio 1 on channel 11 with RSSI 53 SSID myssid Ad hoc client frame detected Adhoc client frame detected from aa bb cc dd ee ff Seen by AP on port 2 radio 1 on channel 11 with RSSI 53 SSID myss...

Page 367: ...re from rogues or interfering devices show rfdetect visible mac addr show rfdetect visible ap ap num radio 1 2 show rfdetect visible dap dap num radio 1 2 Displays the BSSIDs detected by a speci c D L...

Page 368: ...own dap 1 1 149 1 intfr 117 00 05 5d 7e 96 ce D Link Unknown dap 1 1 157 1 intfr 162 00 05 5d 84 d1 c5 D Link Unknown dap 1 1 1 1 intfr 52 The following command displays more details about a speci c c...

Page 369: ...od 0 0 802 11 association ood 0 0 802 11 reassociation ood 0 0 802 11 disassociation ood 0 0 Weak wep initialization vectors 0 0 Spoofed access point mac address attacks 0 0 Spoofed client mac address...

Page 370: ...ap dap-num [radio {1 | 2}]. The following command displays information about the rogues detected by radio 1 on AP port 3: DWS-1008# show rfdetect visible ap 3 radio 1 / Total number of entries: 104 / Flags: i = infrast...

Page 371: ...mage then loads con guration information from a designated con guration le A DWS 1008 switch can also contain temporary les with trace information used for troubleshooting Temporary les are not stored...

Page 372: ...al Versions 5 DWL 8220AP 0123456789 H W A3 F W1 5 6 F W2 5 6 S W 3 0 0 6 DWL 8220AP 9876543210 H W A3 F W1 5 6 F W2 N A S W 3 0 0 Displaying Boot Information Boot information consists of the MSS versi...

Page 373: ...tware reload or power cycle The boot area is divided into two partitions boot0 and boot1 Each partition can contain one system image le The le area can contain subdirectories Subdirectory names are in...

Page 374: ...URL can be one of the following subdirname lename le subdirname lename tftp ip addr subdirname lename tmp lename The lename and le lename URLs are equivalent You can use either URL to refer to a le i...

Page 375: ...rom a TFTP server to nonvolatile storage type the following command DWS 1008 copy tftp 10 1 1 1 newcon g newcon g success received 637 bytes in 0 253 seconds 2517 bytes sec The above command copies th...

Page 376: ...ng the le MSS does not allow you to delete the currently running software image le or the running con guration To delete a le use the following command delete url The URL can be a lename of up to 128...

Page 377: ...al 8928 Kbytes used 3312 Kbytes free Boot1 Total 8197 Kbytes used 4060 Kbytes free temporary les Filename Size Created Total 0 bytes used 93537 Kbytes free Removing a Subdirectory To remove a subdirec...

Page 378: ...owing command DWS 1008 show con g Con guration nvgen d at 2004 5 10 19 08 38 Image 2 1 0 Model DWS 1008 Last change occurred at 2004 5 10 16 31 14 set trace authentication level 10 set ip dns server 1...

Page 379: ...on guration le that was loaded the last time the software was rebooted To save the running con guration to the le loaded the last time the software was rebooted type the following command DWS 1008 sav...

Page 380: ...type n MSS does not load the newcon g le and the running con guration remains unchanged Resetting to the Factory Default Con guration To reset the switch to its factory default con guration use the fo...

Page 381: ...size of an archive created by this option is generally 1MB or less This is the default for the restore command all Backs up or restores the same les as the critical option and all les in the user les...

Page 382: ...guration currently running on the switch use the load con g command to load the boot con guration le or restart the switch If instead you want to replace the con guration restored from the archive wi...

Page 383: ...chnical Support Fixing Common Setup Problems The table below contains remedies for some common problems that can occur during basic installation and setup of a DWS 1008 switch Setup Problems and Remed...

Page 384: ...switch allow the client to authenticate 2 Check the authorization rules in the switch s local database show aaa or on the RADIUS servers to ensure the client is authorized to join a VLAN that is con g...

Page 385: ...ch returns to the state it was in before you restarted it Once you have entered the command the switch returns to its initial uncon gured state For model DWS 1008 you also can recon gure basic paramet...

Page 386: ...igher are posted to the console and to the log buffer Debug output is logged to the trace buffer by default The table below summarizes the destinations and defaults for system log messages System Log...

Page 387: ...equired info Informational messages only No problem exists debug Output from debugging Note The debug level produces a lot of messages many of which can appear to be somewhat cryptic Debug messages ar...

Page 388: ...view log entries in the system log buffer use the following command show log buffer number of messages facility facility name matching string severity severity level You can display the most recent me...

Page 389: ...DWS 1008 set log buffer disable Logging to the Console By default console logging is enabled and messages at the error level and higher are sent to the console To modify console logging use the follow...

Page 390: ...Amessages are sent with facility 4 and boot messages are sent with facility 20 by default For example the following command sends all error level event messages generated by a switchto a server at IP...

Page 391: ...disable current session logging type the following command DWS 1008 set log current disable success change accepted Logging to the Trace Buffer Trace logging is enabled by default and stores debug lev...

Page 392: ...stic routines You can set a trace command with a keyword such as authentication or sm to trace activity for a particular feature such as authentication or the session manager Caution Using the set tra...

Page 393: ...l session manager sm activity at level 3 type the following command DWS 1008 set trace sm level 3 success change accepted Tracing Authorization Activity Tracing authorization activity can help diagnos...

Page 394: ...with the debug severity level By default the only log target that receives debug level messages is the volatile trace buffer The volatile trace buffer receives messages for all log severities when an...

Page 395: ...t in the log number of messages Displays the speci ed number of the most recent entries in the log starting with the least recent To lter trace output by MSS area use the facility facility name keywor...

Page 396: ...formation if you are experiencing MSS performance issues Viewing VLAN Interfaces To view interface information for VLANs type the following command DWS 1008 show interface From DHCP VLAN Name Address...

Page 397: ...splays the hosts learned by the switch and the ports to which they are connected To display forwarding database FDB information type the following command DWS 1008 show fdb Static Entry Permanent Entr...

Page 398: ...37008 for its transport TZSP was created by Chris Waters of Network Chemistry You can map up to eight snoop lters to a radio A lter does not become active until you enable it Filters and their mappin...

Page 399: ...nform you of this condition MSS generates a log message such as the following the rst time an ICMP error message is received following the start of a snoop lter AP Mar 25 13 15 21 681369 ERROR DAP 3 a...

Page 400: ...ecifying a snap length of 100 bytes or less The following command con gures a snoop lter named snoop1 that matches on all traf c and copies the traf c to the device that has IP address 10 10 30 2 DWS...

Page 401: ...the AP sends the packet and stops comparing the packet against other lters for the same observer If the lter does not have an observer the AP still maintains a counter of the number of packets that ma...

Page 402: ...lter after the speci ed number of packets match the lter Without the stop after option the lter operates until you disable it or until the AP is restarted Caution The lter mode is not retained if you...

Page 403: ...eachable messages from the observer back to the radio You can obtain Netcat through the following link http www securityfocus com tools 139 scoreit If the observer is a PC you can use a Tcl script ins...

Page 404: ...e stop after num pkts disable 7 Stop the Ethereal capture and view the monitored packets The source IP address of a monitored packet identi es the Distributed AP that copied the packet s payload and s...

Page 405: ...s are based on these IETF RFCs and drafts RFC 2865 Remote Authentication Dial in User Service RADIUS RFC 2866 RADIUS Accounting RFC 2868 RADIUS Attributes for Tunnel Protocol Support RFC 2869 RADIUS E...

Page 406: ...dministrative The RADIUS server can reply with one of the values listed above If the service type is not set on the RADIUS server administrative users receive NAS Prompt access and network users recei...

Page 407: ...uses the global timeout instead Called Station Id 30 No Yes Yes For IEEE 802 1X authenticators stores the DWL 8220AP access point MAC address in uppercase ASCII format with octet values separated by...

Page 408: ...t Session Id Acct Authentic 45 No No Yes Valid values RADIUS Local Acct Session Time 46 No No Yes Number of seconds for which the user has received service Can be present only in Accounting Request re...

Page 409: ...869 Acct Output Gigawords 53 No No Yes Number of times the Acct Output Octets counter has wrapped around 232 over the course of this service being provided Can be present only in Accounting Request re...

Page 410: ...can con gure the DHCP server on more than one VLAN You can con gure a DHCP client and DHCP server on the same VLAN but only the client or the server can be enabled The DHCP client and DHCP server can...

Page 411: ...d cannot be con gured Option 1 Subnet Mask of the VLAN s IP interface Option 15 Domain Name which is the default domain name con gured on the switch If the default domain name is not con gured this op...

Page 412: ...nter the command without the interface or verbose option the command displays a table of all the IP addresses leased by the server You can use the interface option to display addresses leased by a spe...

Page 413: ...45 seconds IP Address 10 10 20 2 Subnet Mask 255 255 255 0 Default Gateway 10 10 20 1 DNS Servers 10 10 20 4 10 10 20 5 DNS Domain Name mycorp com In addition to information for addresses leased from...

Page 414: ...ch is based on the Extensible Authentication Protocol EAP provides an authentication framework that supports a variety of methods for authenticating and authorizing network access for wired or wireles...

Page 415: ...orks that have a mixture of both client types However association by any 802 11b clients restricts the maximum data transmit rate for all clients To allow the radios to operate at the higher 802 11g d...

Page 416: ...also known as a peer to peer network or independent basic service set IBSS you can set up a wireless network in which a wireless infrastructure does not exist or is not required for services in a cla...

Page 417: ...appropriate subprotocol and back end authentication authorization and accounting AAA service to roam to different access points APs without reauthentication authentication server An entity that provi...

Page 418: ...i speci cation CCMP uses a symmetric key block cipher mode that provides privacy by means of counter mode and data origin authenticity by means of cipher block chaining message authentication code CBC...

Page 419: ...urity TTLS client The requesting program or device in a client server relationship In a wireless LAN WLAN the client or supplicant requests access to the services provided by the authenticator See als...

Page 420: ...on rm each other s identity and the information s origin and destination CSR Certi cateSigningRequest Amessagesentbyanadministratortorequestasecuritycerti cate from a certi cate authority CA A CSR is...

Page 421: ...f aggregated ows even if those ows contain thousands or millions of individual ows digital certi cate A document containing the name of a user client or server a digital signature a public key and oth...

Page 422: ...data transfer and uses the other link s as backups in case the active link fails If the AP has two direct physical links to one or more switches the Power over Ethernet PoE load is shared across both...

Page 423: ...or supplicant and the authenticator must support the same EAP type for successful authentication to occur EAP types supported in a D Link Mobility System wireless LAN WLAN include EAPMD5 EAPTLS PEAPTL...

Page 424: ...service FCC Federal Communications Commission The United States governing body for telecommunications radio television cable and satellite communications FDB See forwarding database FDB Federal Commu...

Page 425: ...it Ethernet port to link the port with a ber optic or copper network The data transfer rate is 1 gigabit per second Gbps or more Typically employed as high speed interfaces GBICs allow you to easily c...

Page 426: ...y the European Telecommunications Standards Institute ETSI HMAC Hashed message authentication code A function de ned in RFC 2104 for keyed hashing for message authentication HMAC is used with MD5 and...

Page 427: ...RFC 2236 that enables an Internet computer to report its multicast group membership to neighboring multicast routers Multicasting allows a computer on the Internet to send content to other computers t...

Page 428: ...ad hoc network initialization vector IV In encryption random data used to make a message unique Institute of Electrical and Electronic Engineers See IEEE integrity check value See ICV interface A pla...

Page 429: ...encoding rules BER Lightweight Directory Access Protocol See LDAP location policy An ordered list of rules that overrides the virtual LAN VLAN assignment and security ACL ltering applied to users dur...

Page 430: ...es of the address See also user glob VLAN glob MAC protocol data unit See MPDU MAC service data unit See MSDU managed device In a D Link network wireless LAN WLAN a DWS 1008 switch or DWL 8220AP acces...

Page 431: ...ation and accounting AAA functions manages DWS 1008 switches and DWL 8220AP access points and maintains the wireless LAN WLAN by means of such network structures as MobileLAN groups virtual LANs VLANs...

Page 432: ...nslation: See NAT. nonvolatile storage: A way of storing images and configurations so that they are maintained in a unit's memory whether power to the unit is on or off. Odyssey: An 802.1X security and acce...

Page 433: ...to a minimal number of widely distributed routers. PIM-SM packets are sent only if they are explicitly requested at a rendezvous point (RP). PKCS (Public Key Cryptography Standards): A group of specification...

Page 434: ...comes out at the device end is kept separate from the data signal so neither interferes with the other. policy: A formal set of statements that define the way a network's resources are allocated among it...

Page 435: ...generator: An algorithm of predictable behavior that generates a sequence of numbers with little or no discernible order except for broad statistical patterns. Protected Extensible Authentication Proto...

Page 436: ...ofile: A group of parameters, such as the beacon interval, fragmentation threshold and security policies, that you configure in common across a set of radios in one or more DWL-8220AP access points. A few pa...

Page 437: ...group to locate rogue clients, rogue access points and ad hoc users. A sweep can be either a scheduled sweep or a continuous SentrySweep search. During a scheduled sweep, each included DWL-8220AP access...

Page 438: ...access control list: An ordered list of rules to control access to and from a network by determining whether to forward or filter packets that are entering or exiting it. Associating a security ACL with...

Page 439: ...set identifier: The unique name shared among all computers and other devices in a wireless LAN (WLAN). SSL (Secure Sockets Layer protocol): A protocol developed by Netscape for managing the security of messa...

Page 440: ...on command. Temporal Key Integrity Protocol: See TKIP. TKIP (Temporal Key Integrity Protocol): A wireless encryption protocol that fixes the known problems in the Wired Equivalent Privacy (WEP) protocol for exi...

Page 441: ...e transmission of data by one network through the connections of another network by encapsulating its data and protocol information within the other network's transmission units. To forward traffic for...

Page 442: ...single device into multiple logical Layer 2 switches, with each VLAN operating as a separate switch, or make multiple devices members of multiple logical Layer 2 networks. By default, all DWS-1008 switch...

Page 443: ...Sockets Layer (HTTPS). WECA (Wireless Ethernet Compatibility Alliance): See Wi-Fi Alliance. WEP (Wired Equivalent Privacy protocol): A security protocol specified in the IEEE 802.11 standard that attempts to pro...

Page 444: ...less Internet service provider: A company that provides public wireless LAN (WLAN) services. WLAN (Wireless LAN): A LAN to which mobile users (clients) can connect and communicate by means of high-frequency ra...

Page 445: ...rnational Telecommunications Union Telecommunication Standardization Sector (ITU-T) Recommendation and the most widely used standard for defining digital certificates. XML (Extensible Markup Language): A simpl...

Page 446: ...90-132 VAC, 180-264 VAC, 50-60 Hz. Amperage draw maximums: At 115 Vrms, 4 Arms; at 230 Vrms, 2 Arms. Interfaces: 8 10/100 Mbps ports with no restrictions on port usage; 6 ports provide integrated PoE (Power over Et...

Page 447: ...oft RADIUS VSAs; RFC 2716, PPP EAP-TLS Authentication Protocol; RFC 2759, Microsoft PPP CHAP Extensions, Version 2; RFC 2865, RADIUS Authentication; RFC 2866, RADIUS Accounting; RFC 2869, RADIUS Extensions; RFC 2...

Page 448: ...ICMP; RFC 793, TCP; RFC 826, ARP; IEEE 802.1D, Spanning Tree; IEEE 802.1Q, VLAN tagging; IEEE 802.3ad, static config. Management: RFC 854, Telnet server and client; SSHv2, Secure Shell v2; RFC 1157, SNMP v1/v2c; RFC 12...

Page 449: ...defective Hardware or any part thereof with any reconditioned product that D-Link reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware. Repa...

Page 450: ...he product is within warranty, the customer shall submit a claim to D-Link as outlined below. The customer must submit with the product, as part of the claim, a written description of the Hardware defect...

Page 451: ...al adjustments covered in the operating manual for the product, and normal maintenance; damage that occurs in shipment, due to act of God, failures due to power surge, and cosmetic damage; any hardware, soft...

Page 452: ...REMEDIES ARE EXCLUSIVE AND ARE IN LIEU OF ANY OTHER WARRANTIES OR REMEDIES, EXPRESS, IMPLIED OR STATUTORY. Governing Law: This Limited Warranty shall be governed by the laws of the State of California. So...

Page 453: ...eceiver is connected. Consult the dealer or an experienced radio/TV technician for help. For detailed warranty outside the United States, please contact the corresponding local D-Link office. FCC Caution: The m...

Page 454: ...Manual, D-Link Systems, Inc. Registration. Appendix G: Registration. Revised 10/12/2005, Version 1.00. Product registration is entirely voluntary and failure to complete or return this form will not diminish...
