3Com Video Game Controller 6046 User Manual

WIRELESS LAN SWITCH AND CONTROLLER

MSS VERSION 6.0.4.6 RELEASE NOTES

Related Documentation

What’s New in MSS Version 6.0

MSS Version 6.0 contains the following enhancements:

■ New AP3150 and AP3850 support

Please use these notes in conjunction with the following:

■ Wireless LAN Switch and Controller Quick Start Guide

■ Wireless LAN Switch and Controller Hardware

■ 802.1x Client Diagnostic Enhancement (additional

Installation Guide

debug information)

■ Wireless LAN Switch and Controller

■ SNMP/3ND Support

Configuration Guide

■ AP/DAP Unification

■ Wireless LAN Switch and Controller Command Reference

■ Wireless Switch Manager User’s Guide

■ New Web View interface

■ AeroScout RFID tag support

■ Wireless Switch Manager Reference Manual

■ 3Com Mobility System Antenna Guide

■ Newbury Networks Location appliance support

■ Persistent VLAN assignment for roaming clients

■ Simplified Web-Portal and last-resort configuration

■ RF Auto-Tuning enhancements

You can obtain the latest technical information for

these products, including a list of known problems and

solutions, from the 3Com Knowledgebase:

■ Unscheduled Automatic Powersave Delivery

http://knowledgebase.3com.com

(U-APSD) support

■ DHCP server enhancements

Software License Agreement

■ RADIUS accounting enhancements

Before you use these products, please ensure that you

read the license agreement text. You can find the

license.txt file on the CD-ROM that accompanies your

product, or in the self-extracting exe that you have

downloaded from the 3Com Web site.

■ Support for special characters in SNMP community

names

■ Increased life span of new self-signed certificates

■ CLI commands to specify location and contact infor-

mation for MAPs

Part No. 10016430 Rev. AA

Published November 2007

Download from Www.Somanuals.com. All Manuals Search And Download.

Points to Note When Using the WXR100, WX1200, WX4400, or WX2200

backup, refer to the section titled “Backing Up and

Restoring the System” on page 613 of the MSS con-

figuration guide. For details on the procedure for

3WXM, refer to the section titled “Upgrading

3WXM” of the 3WXM Reference Manual.

all Network changes before attempting to deploy any

Local changes.

7 After Network changes have been accepted and the

switch status has been refreshed, carefully examine

any remaining Local changes in 3WXM before decid-

ing whether to deploy them to the wireless switch.

2 Upgrade 3WXM before upgrading the wireless switch

(MSS). Newer versions of 3WXM are designed to

handle older versions of MSS and will change their

configuration model for switches that are running

older versions of MSS. For example, 3WXM 6.0 can

handle switches running 4.0.x, 4.1.x, 4.2.x, 5.0.x, or

6.0.x. However, older versions of 3WXM are not

designed to manage newer versions of MSS. For

example, 3WXM 4.2 is not designed to manage a

wireless switch running 6.0.

8 If you need to downgrade to an older version of MSS,

the system will provide the option to use an automat-

ically archived configuration file that was created

when the system was upgraded. To apply a configura-

tion that is compatible with the older version of MSS,

you may choose to apply this archived configuration

file.

Best Practice When Powering Down a Switch

3 After completing a successful upgrade of 3WXM,

upgrade the wireless switch to the same major soft-

ware version. 3Com recommends always running the

same major version of 3WXM and MSS in a produc-

tion environment. For example, 6.0.x.

If a WXR100 or WX1200 is connected to Power Sourc-

ing Equipment (PSE), it is possible for the switch to

remain powered on even when the power cord is

unplugged. PSE can be a dedicated PoE injector or even

another networking switch such as the WX that is capa-

ble of supplying PoE. To ensure that the switch is pow-

ered off, unplug the power cord, then unplug all

Ethernet cables that are connected to other PoE devices.

4 If the CLI of the wireless switch indicates unsaved

configuration changes after completing the upgrade

(indicated with a * in front of the system name on the

CLI), save the configuration using the 'save configura-

tion' command.

System Configuration Best Practices

5 When upgrading several switches, upgrade one at a

time. After the upgrade has been completed on each

switch, verify that it is operating properly before pro-

ceeding on to the next switch.

3Com strongly recommends that you use 3Com

Wireless Switch Manager (3WXM) for archiving and

version control of network-wide wireless LAN switch

configurations. 3Com also recommends that you

archive the CLI-based configuration files of individual

WX switches by copying the configurations to a

server.

6 After the MSS upgrade has been completed, refresh

the switch status in 3WXM. If Network changes are

detected, they should be reviewed carefully before

deciding whether to accept them into 3WXM. Accept

Download from Www.Somanuals.com. All Manuals Search And Download.

WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

Client and AAA Best Practices

Protocol

Advantages

Disadvantages

EAP-TTLS

■ Does not require

client certificates

■ Requires third-party

802.1X client software

Follow these best-practice recommendations during

configuration and implementation to avoid or solve

issues you might experience.

■ Broadest compatibil- ■ Username/pass-

ity with user directo-

ries

word-based access

might not be as

strong as certifi-

cate-based access

Get Clients and AAA Working First

The greatest majority of installation issues are related

to clients and AAA server (authentication, authoriza-

tion, and accounting) operation. 3Com recommends

first establishing a baseline of proper operation with a

sampling of wireless clients and the AAA server you

plan to use. Working out client and AAA configura-

tion methods first provides valuable information as

you scale the deployment.

EAP-TLS

■ Strongest authenti- ■ Client-side certifi-

cation using X.509

certificates.

cates require full PKI

infrastructure and

management over-

head

■ Native support in

Windows XP and

2000

■ Broad support in all

802.1X clients

PEAP-TLS

■ Strongest authenti- ■ Client-side certifi-

The selection of client and AAA server software will

depend heavily on the requirements of your deploy-

ment. First, decide which EAP Protocol you will be using

as that will restrict the available clients and servers. Each

protocol has different advantages and disadvantages,

which you will need to consider in your deployment. For

most enterprise deployments, 3Com recommends using

PEAP-MS-CHAP-V2 as the 802.1X protocol. The follow-

ing table compares the EAP protocols.

cation using X.509

certificates.

cates require full PKI

infrastructure and

management over-

head

■ Native support in Win-

dows XP and 2000

■ Minimal advantage

over EAP-TLS

■ Broad support in all

802.1X clients

Although LEAP uses the same ethertype as 802.1X

(0x888e), the LEAP protocol is proprietary and does

not conform to the IEEE 802.1X standard. Addition-

ally, the LEAP protocol has serious security flaws. For

example, LEAP-authenticated networks can be

breached using a simple dictionary attack.

Protocol

Advantages

Disadvantages

PEAP-MS-CHAP-V2

■ Does not require

client certificates

■ Username/pass-

word-based access

might not be as

strong as certifi-

cate-based access

■ Compatible with

MSS EAP offload

When testing and evaluating MSS, enterprises using

primarily Microsoft platforms are recommended to use

Windows XP clients running PEAP-MS-CHAP-V2 with a

Windows 2000 or 2003 server running Internet

■ Native support in

Microsoft Windows

XP and 2000

Authentication Service (IAS) as the RADIUS back end.

This provides a test environment that is quick to set up

and does not require additional third-party software.

■ Broad support in

802.1X clients

Download from Www.Somanuals.com. All Manuals Search And Download.

Points to Note When Using the WXR100, WX1200, WX4400, or WX2200

Wireless NICs

As new drivers are released by the manufacturers,

3Com expects general compatibility to improve.

Most wireless NICs available now support 802.1X

authentication. The following table lists the NICs that

have been used successfully with MSS. The majority

were tested using recently available drivers using the

Microsoft native 802.1X client and a Microsoft IAS

RADIUS server. 3Com has not experienced any com-

patibility problems with NICs being unable to support

specific EAP protocols or specific RADIUS servers, so

we have only documented the differences in encryp-

tion type. Entries that have both Windows 2000 and

Windows XP listed together have the same results for

both operating systems. A result of Pass indicates suc-

cessful authentication and roaming with the listed

model and operating system. A result of Fail indicates

an inability to successfully complete authentication. A

result of NA (Not Applicable) indicates that the NIC

does not support the listed encryption type. A result

of NT (Not Tested) indicates that the combination has

not been tested yet.

Mfgr

Model, Driver,

WEP

Mixed TKIP

TKIP/

CCMP Web

and Driver Date

WEP

3Com

3CRPAG175B

1.1.0.21,

10/4/05

Pass

3Com

3CRBAG675B

1.1.0.21,

09/19/05

Pass

3CRPAG175

SL-3040 AA

5.1.2535.0,

7/1/2001

3Com

3CRDAG675

SL-3045 AA

1.0.0.25,

8/1/2003

Pass

3Com

3CRWE154A72

3CRXJK10075

3.3.0.156,

12/26/04

Pass

Not

Pass

Not

Tested

Tested Tested

Currently, WPA/CCMP (AES) encryption is supported

only when configured as the only cryptographic type

in service profile. Enabling dynamic WEP or WPA/TKIP

with AES on the same SSID can cause severe connec-

tivity issues as some manufacturers’ drivers do not

work properly when both encryption types are

enabled. 3Com recommends that you set up a sepa-

rate service profile for WPA/CCMP with a different

SSID for compatibility. If you are migrating from

Dynamic WEP to WPA/TKIP, 3Com recommends creat-

ing separate service profiles for each encryption type

and migrating users from one SSID to the other when

they are configured to use TKIP.

3Com

Belkin

3CRUSB10075

6.3.3.2,

06/05/06

Pass

F5D8010 1000

1.2.0.80,

9/21/2004

Pass^*

Buffalo WLI-CP-G54

Pass

Not

Tested

Pass

Not

Tested

Cisco

Aironet MPI350

3.8.26.0,

5/4/2004

Pass

Aironet

AIR-CB20A

3.9.16.0,

9/20/2004

Pass

Not

Tested

Not

Tested Tested Tested

Download from Www.Somanuals.com. All Manuals Search And Download.

WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

Mfgr

Model, Driver,

and Driver Date

WEP

Mixed TKIP

TKIP/

WEP

CCMP Web

Mfgr

Model, Driver,

and Driver Date

WEP

Mixed TKIP

TKIP/

WEP

CCMP Web

Cisco

Dell

Aironet 350

Pass

Fail

Pass

Fail

Not

Linksys

WPC54G 1.0

3.60.7.0,

3/22/2004

Pass

Tested Tested Tested

TrueMobile1150^†XP

A00

7.43.0.9

Pass

Linksys

WPC54GS

3.50.21.10,

1/23/2004

Pass

Dell

TrueMobile 1150^‡XP

Pass

Fail

Not

Tested

Not

Tested

WPC54G

version 2

Fail

Not

Tested

TrueMobile 1300 XP

TrueMobile 1400 XP

TrueMobile 1450 XP

Not

Tested

Not

Tested Tested Tested

Netgear WG-511 1.0

Pass

Fail^‡‡

2.1.25.0,

9/6/2004

Pass

Not

Tested

Netgear WAG-511 0.1

Pass

Fail⁶

Pass

3.1.1.754,

11/2/2004

3.100.35.0,

11/27/2004

Proxim

Orinoco Gold

8410

Pass

Not

D-link

DWLAG650

Pass

Fail

Pass

Not

Tested

Orinoco Gold

8460^***

3.1.2.19,

8/5/2004

Pass

DWL-AG660

A1,A2

3.0.0.44,

10/22/2003

Pass

Not

Proxim

Orinoco Gold

8470-WD

3.1.2.19,

8/5/2004

Pass

Intel

PRO/Wireless

2200BG

9.0.2.1,

8/23/2005

Pass

Proxim

Orinoco Gold

8480

Pass

Fail

Pass

Fail

Pass

Not

Tested

PRO/Wireless

2915ABG

9.0.2.1,

8/23/2005

Harmony 8450

1.4.1.1, 8/1/2002

Fail^†††

PRO/Wireless

WCB5000

1.0.1.33,

6/4/2003

SMC

SMC2336A-AG

Pass

2.0

(99-012084-221)

2.4.1.32,

9/29/2003

Intel

Pro2100(Cen-

trino)^**

Pass

Pass^††

Pass

Not

Tested Tested Tested

Linksys

WUSB54GS

Pass

1.0.0.1,

6/18/2004

Download from Www.Somanuals.com. All Manuals Search And Download.

Points to Note When Using the WXR100, WX1200, WX4400, or WX2200

Conversely, some adapters can associate only with a

beaconed SSID. Determine whether to beacon the

clear SSID based on the types of clients in the net-

work.

Mfgr

Model, Driver,

WEP

Mixed TKIP

TKIP/

CCMP Web

and Driver Date

WEP

SMC

SMC2835W

Pass

1.0

(99-012084-163)

Standby mode can prevent some clients from reasso-

ciating. If a laptop PC whose wireless adapter is asso-

ciated with a Managed Access Point (MAP) goes into

standby (hibernate) mode, the operating system can

either freeze or experience a Blue Screen of Death

(BSOD) when the laptop comes out of standby mode

and attempts to reassociate with the access point. To

work around this behavior, disable standby mode.

Alternatively, disable and reenable the wireless

1.0.17.0,

6/16/2003

Symbol LA-4121-1020-US XP

Pass

3.9.71.178,

3/25/2004

* Belkin Wireless Pre-N requires WPA/TKIP on a TKIP/WEP mixed SSID.

† Dell TrueMobile 1150 drivers v7.86 and newer might not work with Dynamic

WEP when you have WPA/TKIP enabled. If you experience problems such as an

inability to associate with the MAP, install the previous revision of the driver,

which is available from Dell’s support site.

adapter after the client emerges from standby mode.

‡ Requires a registry change to work properly; for more information, see “Win-

dows 2000 Many enterprises have a large installed base of Windows 2000 lap-

tops, making this a common choice of platform. Windows 2000 Service Pack 4

includes a native 802.1X client. If you choose to use the 802.1X client built-in

to Windows 2000, please note the following:” on page 9.

** Intel Centrino based chipsets might not associate with the SSID when pow-

er-save mode is enabled. Future drivers or laptop firmware might resolve this

issue, but until then 3Com recommends disabling power-save mode complete-

ly in the driver properties for the NIC.

†† The Intel Centrino based chipset has not been tested with WPA yet, though

Dynamic WEP does operate properly in a mixed TKIP and WEP configuration.

‡‡ NetGear WG511/WAG511 doesn't associate properly to a WebAAA SSID.

The NIC does not support DHCP.

If a client passes authentication but fails authoriza-

tion, the client might indicate that authentication has

succeeded but the MAP nonetheless disassociates

from the client. In this case, the client might indicate

that the network is unavailable. For example, this situ-

ation can occur if the certificate exchange is valid but

the requested VLAN or ACL filter is not available, or a

Mobility Profile™ denies service to the client. Once

the MAP disassociates from the client, the network

continues to be unavailable to the client through the

MAP for the duration of the 802.1X quiet-period

timer, which defaults to 60 seconds. An error mes-

sage indicating that a client has failed authorization

appears in the WX switch’s system log.

*** Use the 848x driver, not the 846x driver.

††† Proxim Harmony 802.11a (8450) cannot associate properly.

Driver Dependent Behavior

Some clients prefer a beaconed clear SSID to their

configured SSIDs. If you configure MSS to beacon a

clear SSID, some client adapters prefer this beaconed

SSID over the SSIDs they are configured to use.

802.1X Clients

Properly preparing your clients for wireless connectiv-

ity is one of the most important things you can do to

ensure an easy rollout. Here are some guidelines for

preparing common 802.1X clients and platforms.

Download from Www.Somanuals.com. All Manuals Search And Download.

WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

Windows XP Windows XP is a popular platform for

wireless clients because of its native support of 802.1X

authentication and simplified configuration of wireless

networks. If you choose to use the 802.1X client

built-in to Windows XP, please note the following:

■ Download current drivers for your NICs from the

NIC vendor(s).

■ If your wireless NIC’s driver includes the AEGIS pro-

tocol manager for WPA support, 3Com recom-

mends against installing it. Some drivers install this

automatically if you run the setup.exe utility to

install the driver. 3Com strongly recommends that

you update the driver manually using the driver

properties in the Network control panel instead of

installing the client manager.

■ Microsoft has extensive documentation on how to

configure and use wireless 802.1X authentication

in an Active Directory environment, published on

their website. You can start with Microsoft’s Wi-Fi

center at:

www.microsoft.com/windowsserver2003/

technologies/networking/wifi/default.mspx

■ If you use computer authentication with different

VLANs for the Computer and User accounts and

do not have the WPA hotfix rollup (KB826942) or

Service Pack 2, you need to install Microsoft hotfix

KB822596. Otherwise, DHCP will not operate cor-

rectly after the user authenticates. You must con-

tact Microsoft technical support for this hotfix. It is

not available from their website. For more informa-

tion on computer authentication, see “Computer

Authentication”.

■ Installing Windows XP Service Pack 2 is recom-

mended for all wireless clients as it includes several

important hotfixes.

■ If you are not prepared to install Service Pack 2,

3Com strongly recommends that all wireless clients

use Service Pack 1a with the following hotfixes

installed:

■

KB826942—This is the WPA Hotfix Rollup and is

available through Microsoft Update

■ If MD5 challenge is configured on a Windows XP

client for wired authentication, the quiet period

must be set to 0 to guarantee successful authenti-

cation. In addition, if the authentication is carried

out manually, the timeout value must be set to no

less than 30 seconds in order to allow the user

ample time to enter their username and password.

For example, to configure 802.1X on a WX switch

to allow these users time to log in, type the follow-

ing commands:

■

KB834669—This corrects an 802.1X client issue

which can cause system instability problems in

Windows XP. You will need to contact Microsoft

directly for this hotfix.

■ If your network uses logon scripts, Active Directory

group policies, or your users regularly share their

laptops, you should enable computer authentica-

tion (also known as machine authentication) to

achieve full functionality over your wireless con-

nection.

WX1200# set dot1x quiet-period 0

WX1200# set dot1x tx-period 30

Download from Www.Somanuals.com. All Manuals Search And Download.

Points to Note When Using the WXR100, WX1200, WX4400, or WX2200

Windows 2000 Many enterprises have a large

installed base of Windows 2000 laptops, making this

a common choice of platform. Windows 2000 Service

Pack 4 includes a native 802.1X client. If you choose

to use the 802.1X client built-in to Windows 2000,

please note the following:

■ Windows 2000 does not include a full implemen-

tation of the Wireless Zero-Config service from

Windows XP, so you will need to use the client

manager software provided with your NIC to con-

figure your SSID and enable WEP encryption.

When using dynamic WEP in Windows 2000,

select static WEP 128bit and enter any static WEP

key as a placeholder. This temporary key config-

ures the driver to use WEP to encrypt packets, and

the Microsoft 802.1X client then overrides the

static WEP key you entered with a dynamic key

after you authenticate successfully.

■ Microsoft has extensive documentation on how to

configure and use wireless 802.1X authentication

in an Active Directory environment, published on

their website. Most of this documentation is

geared towards Windows XP, but both operating

systems have many similarities in the client. You

can start with Microsoft’s Wi-Fi center at:

■ If your wireless NIC’s driver includes the AEGIS pro-

tocol manager for WPA support, 3Com recom-

mends against installing it. Some drivers install this

automatically if you run the setup.exe utility to

install the driver. If you are unable to install the

client manager without the AEGIS component,

contact the driver manufacturer or download an

earlier version that does not contain the AEGIS

component.

www.microsoft.com/windowsserver2003/

technologies/networking/wifi/default.mspx

■ Installing Windows 2000 Service Pack 4 is required

for all wireless clients.

■ Some clients might experience system instability

when using PEAP-MS-CHAP-V2 in an Active Direc-

tory environment. The primary symptom of this is a

message displayed after login informing the user

that the service svchost.exe has stopped unexpect-

edly. If you experience this problem, please contact

Microsoft technical support and request hotfix

KB833865.

■ 16-bit PCMCIA and built-in NICs (some 802.11b

cards in Dell, Toshiba, and other manufacturers’

laptop PCs) might require a registry setting to be

changed before they will be able to associate with

any SSID. Microsoft Knowledge Base article

327947 documents the changes necessary to

resolve the problem. Multi-band cards (A/B or

A/B/G) are generally 32-bit and do not experience

this problem.

■ If your network uses logon scripts, Active Directory

group policies, or your users regularly share their

laptops, 3Com recommends that you enable com-

puter authentication to achieve full functionality

over your wireless connection.

■ If you use computer authentication with different

VLANs for the Computer and User accounts, you

need to install Microsoft hotfix KB822596. Other-

wise, DHCP will not operate correctly after the user

■ Download current drivers for your NICs from the

NIC vendor(s).

Download from Www.Somanuals.com. All Manuals Search And Download.

WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

authenticates. You must contact Microsoft techni-

cal support for this hotfix. It is not available from

their website. For more information on computer

authentication, see “Computer Authentication”.

■ The Panther client will only connect successfully to

an SSID which is only dynamic WEP, or only

WPA/TKIP. Any other configuration involving WEP

with WPA enabled or AES is not supported by the

current Panther client. If you need to run both

WPA/TKIP and Dynamic WEP at the same time you

must configured separate service profiles for each

encryption type in order to maintain compatibility

with Macintosh clients.

■ If you experience a delay in receiving your DHCP IP

address wirelessly while using 802.1X authentication,

you might need to install Microsoft hotfix KB829116.

You must contact Microsoft technical support for this

hotfix. It is not available from their website.

■ The Panther client requires you to specify the inner

and outer PEAP-MS-CHAP-V2 usernames in sepa-

rate areas. Depending on your AAA backend, both

usernames might require a domain prefix in the

form of DOMAIN\username.

Funk Odyssey ■The Funk Odyssey client is required

when you require WPA support on Windows 2000,

or when you need to authenticate to an LDAP

backend database that does not support

MS-CHAP-V2 over LDAP. If you choose to use this

client, please note the following:

Computer Authentication

Windows clients support 802.1X authentication of

the computer itself. This is called computer authenti-

cation (also known as machine authentication). Com-

puter authentication is useful when you want your

computer to be active on the domain even when no

users are logged in to the computer.

■ Download the latest version from Funk’s website

at: www.funk.com

■ Be sure to turn off Wireless Zero Config in Win-

dows 2000 by disabling the service.

■ If your wireless NIC’s driver includes the AEGIS pro-

tocol manager for WPA support, 3Com recom-

mends against installing it. Some drivers install this

automatically if you run the setup.exe utility to

install the driver. 3Com recommends that you

update the driver manually using the driver proper-

ties in the Network control panel instead of install-

ing the client manager.

Some features of Windows XP Professional and Win-

dows 2000 Professional work correctly only with an

active network connection to the domain controller

enabled before a user is logged on to the PC. Using

computer authentication ensures that this network

connection is established during the boot sequence,

providing a wire-like infrastructure that allows you to

use the following features on a wireless network.

Macintosh OS/X ■OS/X Version 10.3, also known

as Panther, includes an 802.1X client that supports

Dynamic WEP and WPA/TKIP. If you choose to use

this client, please note the following:

The following table lists Microsoft networking fea-

tures that require computer authentication.

Download from Www.Somanuals.com. All Manuals Search And Download.

Points to Note When Using the WXR100, WX1200, WX4400, or WX2200

tory domain. Microsoft Knowledgebase Article

Scenario Requiring Computer Authentication

Feature

KB313407 explains how to enable the automatic

distribution of computer certificates through

Active Directory.

Active Directory computer

Group Policy

Computer–based Group Policy is applied during

computer start up and at timed intervals—even

when no on is logged in to windows.

Network logon scripts

Network logon scripts are run during initial user

■ If the user and machine accounts use different

VLANs, you must install hotfixes on the client PCs

to enable them to DHCP for a new IP address

when the user authentications. Windows XP

requires either the WPA Rollup Hotfix (KB826942)

or Hotfix KB822596. Windows 2000 requires

hotfix KB822596.

Systems management

agents

Systems management application agents such as

those that come with Microsoft Systems Manage-

ment Server (SMS) frequently need network

access without user intervention.

Remote Desktop Connec-

tion

Computers are accessible from Windows Remote

Desktop Connection when no one is logged in to

windows.

Shared folders

Files and folders shared from a computer are still

available, even when no user is logged in.

■ Using PEAP-MS-CHAP-V2 with computer authenti-

cation will allow users who have never logged on

to a PC authenticate wirelessly without having to

time. EAP-TLS still requires the user to connect to

the network over a wired connection to generate a

profile on the PC and a user certificate.

Configuring computer authentication on the client is

simple, though it requires the use of the Microsoft

802.1X client built-in to Windows XP and Windows

2000. Keep the following information in mind when

configuring computer authentication on Microsoft

clients:

Enabling computer authentication also requires minor

reconfiguration of Active Directory and IAS. Please

note the following when configuring computer

authentication on an active directory domain:

■ To enable computer authentication, go to the

Authentication tab where you normally select

your 802.1X authentication method and enable

the checkbox labeled Authenticate as computer

when computer information is available.

■ You must grant dial-in access for the computer

accounts in Active Directory that you wish to enable

computer authentication on. If the tab to configure

dial-in access does not appear, follow the directions

in Microsoft Knowledgebase article KB306260.

■ The authentication protocol that is configured for

your user accounts will also be used for the com-

puter account.

■ If the EAP protocol you are using requires client

certificates, you must use the Microsoft Enterprise

Certificate Authority built-in to Windows 2000

Server and Windows Server 2003 to generate

Computer certificates for PCs on your active direc-

■ Review your remote access policies in IAS to insure

that the computer accounts have appropriate

group membership to allow them to match the

proper policy.

Download from Www.Somanuals.com. All Manuals Search And Download.

WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

Computer authentication also requires specific con-

figuration considerations on the WX switch:

ture. A result of NT (Not Tested) indicates that the fea-

ture was not tested.

■ The username of a computer authentication connection

will be in the form of host/fully-qualified-domain-name,

for example host/bob-laptop.3Com.com or

RADIUS Servers Tested

Win

Funk

Cisco

ACS

Free-

Configuration

2000 IAS 2003 IAS Steel

Radius

(Linux)

host/tac1-laptop.support.3Com.com. This username is

the same regardless of the configured protocol

(PEAP-MS-CHAP-V2 or EAP-TLS). An appropriate user-

glob would be host/*.domain.com where domain.com

is the Active Directory domain name. Alternatively, in a

smaller deployment you could use a userglob of ** and

have both user and computer authentication go to the

same RADIUS server.

Belted

Radius

PEAP-MS-CHAP-V2 Pass

Pass

PEAP-MS-CHAP-V2 Pass

Offload

EAP-TLS

Pass

EAP-TTLS

Pass

Single-Sign-On

Active Directory &

PEAP-MS-CHAP-V2

Pass

■ PEAP-MS-CHAP-V2 offload mode is not supported

with computer authentication. You must use

pass-through 802.1X authentication policies with

computer authentication.

Single-Sign-On

LDAP & EAP-TTLS

Pass

3Com VSAs

Pass

MAC-based

authentication

AAA

The following table lists the AAA servers and configu-

rations that have been tested with MSS. Tests were

performed to a local user database in most cases, and

additionally to Microsoft Active Directory and LDAP

with specific protocols as noted in the table. The tests

were initially performed using Dynamic WEP, though

subsequent testing has revealed no noticeable differ-

ences in RADIUS compatibility when using WPA.

Microsoft Active

Directory computer

authentication

Pass

Testing notes Single-Sign-On is defined as clients

being able to use the same username and password

for 802.1X authentication that they use to authenti-

cate with network services and logon to their local PC.

■ A Pass result for 3Com VSAs indicates that the

VSAs were able to be added to the RADIUS server

manually. Future versions of Steel Belted RADIUS

and FreeRadius are planned to include standard

definitions of the 3Com VSAs.

A result of Pass indicates that the combination is sup-

ported by MSS. A result of NA (Not Applicable) indi-

cates that the RADIUS server tested does not support

the feature. A result of Fail indicates that the RADIUS

server does not interoperate with MSS for that fea-

■ Funk Steel Belted Radius version used for testing is

4.53

Download from Www.Somanuals.com. All Manuals Search And Download.

Points to Note When Using the WXR100, WX1200, WX4400, or WX2200

■ Windows 2000 with Service Pack 4

ent’s re-association attempt because the key infor-

mation presented by the client is invalid.

■ Cisco ACS 3.2 or later is required to support

PEAP-MS-CHAP-V2

If you experience this issue, clear the Session-Time-

out attribute on the affected users.

WPA

The WX switch will not force a reauthentication of

WPA/TKIP and WPA/CCMP users periodically like it

does with dynamic WEP users.

WPA compatibility testing was conducted with a vari-

ety of NICs. See “Wireless NICs” for complete details

of the results. If you choose to use WPA to secure

your wireless network, please note the following:

■ Do not use the set service-profile

shared-key-auth command in a WPA configura-

tion. This command does not enable PSK authenti-

cation for WPA. To enable PSK for WPA, use the

set service-profile auth-psk command.

■ CCMP (AES 802.11i draft support) is supported only

when it is the only encryption type enabled on that

SSID. Enabling TKIP or Dynamic WEP on the same

SSID with CCMP can cause serious connectivity

issues as most clients do not properly support this

configuration. 3Com recommends that you create a

separate service profile and SSID for WPA/CCMP.

■ Use one WPA authentication method per SSID,

either 802.1X authentication or preshared key

(PSK) authentication, but not both.

■ Enabling TKIP and Dynamic WEP on the same SSID

is not recommended. This configuration forces the

group key (multicast/broadcast key) to use the

lowest common encryption type, in this case

Dynamic WEP. Additionally, compatibility with

wireless NICs is reduced.

Security — Best Practice When Mixing Encrypted

Access and Clear Access

It is possible to configure a RADIUS server or a WX

switch’s local authentication database so that a user

with encrypted access and a user with unencrypted

access are authorized to join the same VLAN from dif-

ferent SSIDs. This configuration might allow a hacker

to more quickly discover keys by listening to both the

encrypted traffic and unencrypted traffic for compari-

sons. You can either use the MSS SSID VSA or the

encryption assignment VSA to prevent this problem.

■ Downloading the latest drivers for your wireless

NIC is strongly recommended. See “802.1X Cli-

ents” for specific information on installing drivers

for your operating system.

■ When a session key is changed, Microsoft WPA cli-

ents can sometimes incorrectly start using the new

key before the end of the four-way handshake that

is used to establish the key information. This issue

can occur when the session timeout for the client

session expires. As a result, the MAP rejects the cli-

If you only have one VLAN that each MAC-auth client

should connect to, add the SSID VSA to the account

for the MAC-address (either local or RADIUS). This

will force the WX switch to only allow that MAC

address to connect to the specified SSID.

Download from Www.Somanuals.com. All Manuals Search And Download.

WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

http://www.verisign.com

http://www.entrust.com

http://www.microsoft.com

If you require the same MAC user to be able to con-

nect to more than one SSID, you can use encryption

assignment to enforce the type of encryption a user

or group must have to access the network. When you

assign the Encryption-Type attribute to a user or

group, the encryption type or types are entered as an

authorization attribute into the user or group record

in the local WX switch database or on the RADIUS

server. Encryption-Type is an MSS VSA. Clients who

attempt to use an unauthorized encryption method

are rejected. In this way, a client could connect to any

WEP encrypted SSID, but not a clear SSID. (See the

Wireless LAN Switch and Controller Configuration

Guide for more information.)

If you use a self-signed certificate, configure the cli-

ents to not validate server certificates. If a client is

configured to validate server certificates, the client

will not be able to validate a self-signed certificate

from the WX switch.

Usernames

3Com recommends that you do not create usernames

that have the same spelling but use different case. For

example, do not create both username dang and

username DANG.

Security Best Practices

MSS and 3WXM provide robust options for securing

Passwords

management access, to WX switches and to the

3WXM client and 3WXM monitoring service. To opti-

mize security for management access, use the follow-

ing best practices.

The CLI, as well as 3WXM, can be secured using pass-

words. By default, the following access types do not have

passwords configured. Each uses a separate password.

■ Console access to the CLI. To secure console

access, configure a username and password in the

WX switch’s local database, using the set user

command. After you configure at least one user-

name and password and an access rule to permit

them, access to the CLI through the console

requires a password. (Access through Telnet or SSH

is not possible without a password, even on an

unconfigured switch.)

Certificates

When anyone attempts to access a WX switch, the

switch authenticates itself by presenting a signed cer-

tificate to the management application that is

requesting access. The switch’s certificate can come

from a certificate authority (CA) or it can be gener-

ated and signed by the switch itself.

3Com recommends that you use certificates assigned

by a CA. Certificates from a trusted CA are more

secure than self-signed certificates. Here are some

trusted CAs:

■ Access to the enable (configuration) level of the

CLI, through the console, or through Telnet or SSH.

To secure enable access, configure the enable

password using the set enablepass command.

Download from Www.Somanuals.com. All Manuals Search And Download.

Points to Note When Using the WXR100, WX1200, WX4400, or WX2200

■ Access to 3WXM. To secure access, configure user

Configure a username and password, so that MSS

requires login even for console access. Usernames

and their passwords are not specific to the type of

management access. You can use the same username

and password for access through the console, Telnet,

or SSH.

accounts within 3WXM.

■ Access to the 3WXM monitoring service. To secure

access, configure user accounts within the moni-

toring service.

■ Do not use passwords that are easy to guess, such

as vehicle registration plates, family birthdays and

names, or common words. Use combinations of

uppercase and lowercase letters as well as num-

bers in all passwords.

Leave Telnet disabled unless you need it. Use SSH

instead.

Web Access

WebView uses HTTPS for encrypted communications

and certificate-based server authentication, and

requires use of the enable password.

SNMP

SNMP is disabled by default. 3Com recommends that

you leave SNMP disabled unless you are using 3Com

Network Director or a similar product to manage your

wired network. If you do need to use SNMP, do not

use the well-known community strings public (com-

monly used for read-only access) or private (com-

monly used for read-write access.) By default, no

SNMP community strings are configured. Use SNMP

on an isolated management VLAN so that the clear

text community strings are not visible on the public

network.

WebView access through HTTPS is disabled by

default. Unless you need to use WebView, leave the

HTTPS server on the WX switch disabled. (Even

though 3WXM also uses HTTPS, disabling the HTTPS

server does not disable access by 3WXM.)

If you do need to use WebView, you can enable it

using the set ip https server enable command. Use

the following best practices to preserve or increase

the security level related to Web access:

To disable SNMP (if not already disabled), use the set

ip snmp server disable command.

■ Use an enable password that follows the password

recommendations given above.

To change the community strings, use the set snmp

community command.

■ Use a CA-signed certificate instead of a self-signed

certificate on the WX switch.

CLI Access

If a user’s client does not trust the certificate, the user

might experience an additional delay during login. To

avoid the additional delay, use a certificate signed by

your CA or an Internet CA.

MSS allows CLI access through the console, through

Telnet, and through SSH. Console and SSH access are

enabled by default. Telnet is disabled by default.

Download from Www.Somanuals.com. All Manuals Search And Download.

WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

3WXM

mentation and its configuration requirements

changed in MSS Version 4.0.

By default, access to 3WXM and the 3WXM monitor-

ing service do not require passwords. To secure

access, configure user accounts within each instance

of 3WXM and the monitoring service.

Communication Between the WX Switch and 3WXM

or WebView

Administration certificate requirement (11974)

The monitoring service uses a signed certificate for

authentication. The service has a self-signed certifi-

cate by default. For added security, used a certificate

signed by a CA instead. To use a CA-signed certifi-

cate, install the certificate in a key store file on the

machine where the monitoring service is installed,

and change the name of the key store file used by the

monitoring service from its default to the one where

you installed the certificate signed by the CA.

Before the WX switch can communicate successfully

with 3WXM, you must create an administrative

encryption certificate on the WX switch. For details,

see the Wireless LAN Switch and Controller Installa-

tion and Basic Configuration Guide.

Mobility Domain^™(Multiple WX Switch) Best Practices

3Com recommends that you run the same MSS

version on all WX switches in a Mobility Domain.

Guest Access (unencrypted SSIDs)

If you need to prevent all guest access (access to

unencrypted SSIDs):

Helpful commands

Use the following commands to verify the proper

operation of a Mobility Domain in support of features

such as subnet roaming:

■ Do not create any service profiles for SSID type

clear.

■ Delete any existing service profiles for a clear SSID.

■ display mobility-domain status — In a func-

tioning Mobility Domain, the output on every WX

switch displays every WX switch in the Mobility

Domain.

WebAAA Best Practices

If you plan to use WebAAA, see the “Configuring

WebAAA” section in the “Configuring AAA for Net-

work Users” chapter of the Wireless LAN Switch and

Controller Configuration Guide. The section has con-

figuration requirements and recommendations, in

addition to an overview of the WebAAA process.

■ display roaming vlan — In a functioning Mobility

Domain, the output on every WX switch displays

the network-attached VLAN of every other WX

switch in the Mobility Domain.

Other useful commands, documented in the Wireless

LAN Switch and Controller Command Reference,

include display tunnel and display roaming station.

If you are upgrading from MSS Version 3.2, 3Com

recommends that you read the manual even if the

switch already uses WebAAA. The WebAAA imple-

Download from Www.Somanuals.com. All Manuals Search And Download.

Points to Note When Using the WXR100, WX1200, WX4400, or WX2200

reports using a 0.0.0.0 source IP address. In this

case, either assign an IP address to the VLAN inter-

face on the WX switch or disable IGMP proxy

reporting. To disable proxy reporting, use the

command set igmp proxy-report disable.

Distributed MAP Best Practice When Using STP

A Distributed MAP is a leaf device. You need not

enable STP on the port directly connected to the MAP.

If Spanning Tree Protocol (STP) is enabled on the port

that is directly connected to a Distributed MAP, you

might need to change the STP configuration on the

port to allow the MAP to boot.

Disabling proxy reporting can increase IGMP over-

head traffic to the multicast router.

■ Enable the IGMP querier only if needed. The IGMP

pseudo-querier function is disabled by default.

Enable it only if the source of a multicast stream is

on a subnet the WX switch is also connected to. If

this is the case, you must assign an IP address to

the VLAN interface. The IP address must be higher

than the IP address of the querier multicast router

on the same subnet. To enable the IGMP

STP on a port directly connected to a Distributed MAP

can prevent the MAP from booting.

Use IGMP Snooping Effectively

Using IGMP (11909, 12863, 12866)

MSS supports the Internet Engineering Task Force

(IETF) draft draft-ietf-magma-snoop for controlling

the forwarding of IP multicast traffic by a Layer 2

switch. The draft mandates the use of a 0.0.0.0

source IP address if no IP address is available on the

switch for the subnet. However, some multicast rout-

ers and even other Layer 2 switches report errors in

the presence of the 0.0.0.0 source IP address.

pseudo-querier, use the command set igmp

querier enable.

■ Disable multicast router discovery. This multicast

router solicitation protocol (part of

draft-ietf-magma-snoop) is known to cause error

messages with other IGMP snooping switches and

multicast routers. To disable the protocol, use the

command set igmp mrsol disable. (The protocol

is disabled by default in the current software

version.)

Apply the following methods to use IGMP snooping

effectively:

■ Set IP addresses on all VLAN interfaces. This

straightforward workaround prevents most known

issues. If querier functionality might be needed,

ensure that the IP address of the WX switch VLAN

is higher than the address of any multicast router

servicing the same subnet.

User ACLs Require Explicit Source and Destination

Addresses

A user ACL is an ACL that is applied to a specific user-

name. You can apply ACLs to a user’s inbound or out-

bound wireless traffic. For a user ACL to take effect,

you must explicitly set both the source and destina-

tion addresses in the ACL.

■ Consider disabling IGMP proxy reporting. The

IGMP proxy reporting function is enabled by

default, but some multicast routers do not accept

Download from Www.Somanuals.com. All Manuals Search And Download.

WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

Rogue Detection Active Scan Interval Is Longer

During a SpectraLink SVP Call. (23317)

System Parameter Support

The following tables list the recommended or maxi-

mum supported values for major system parameters.

The active scan feature can be used during SVP calls.

However, when a call is active, the interval at which

active scan goes off-channel to look for rogues in-

creases from once a second to once every 60 seconds.

Mobility System Parameter

Supported Value

WX switches in a single Network

Domain

500

Due to the longer interval between active scans, it can

take longer for MSS to detect a rogue AP when an

SVP call is active. Generally, detection of a rogue

while a call is active can take from 3.5 to around 7.5

minutes. To reduce the detection time, add more

MAPs to the coverage area.

WX switches in a single Mobility

Domain

Roaming VLANs per WX switch

300

Does not include local statically config-

ured VLANs

VLANs per Mobility Domain

400

This number consists of 300 roaming

VLANs plus 100 local statically config-

ured VLANs.

Active Scanning and the AP3850

MAPs per WX

WX4400:

Active Scanning is not supported and must not be

used with the AP3850 for the following countries:

■ 300 configured

■ Up to 120 active, depending on

the MAP type and licensing

Argentina (AR)

Australia (AU)

Bolivia (BO)

Brazil (BR)

Canada (CA)

Malaysia (MY)

Mexico (MX)

New Zealand (NZ)

Panama (PA)

Puerto Rico (PR)

Singapore (SG)

South Africa (ZA)

Taiwan (TW)

United States (US)

Uruguay (UY)

WX2200:

■ 320 configured

■ Up to 120 active, depending on

the MAP type and licensing

China (CN)

WX1200:

Colombia (CO)

Dominican Republic (DO)

Guatemala (GT)

Hong Kong (HK)

■ 30 configured

■ 12 active

WXR100:

■ 8 configured

■ 3 active

IPv6 Support

Includes directly attached MAPs and

Distributed MAPs. Inactive configura-

tions are backups.

MSS 6.0 can forward IPv6 traffic transparently, at

Layer 2. IPv6 clients in the same subnet can communi-

cate with one another through a WX switch. How-

ever, MSS 6.0 does not support communication of

IPv6 clients across subnets.

Minimum link speed within a Mobility 128 Kbps

Domain

Download from Www.Somanuals.com. All Manuals Search And Download.

System Parameter Support

Network Parameter

Supported Value

Management Parameter

Supported Value

Forwarding database entries

WX4400: 16383

WX2200: 16383

WX1200: 8192

WXR100: 8192

Maximum instances of Wireless Switch

Manager (3WXM) simultaneously

managing a network

Telnet management sessions

WX4400: 8

WX2200: 8

WX1200: 4

WXR100: 4

The maximum combined number of

management sessions for Telnet and

SSH together is 8, in any combination.

Statically configured VLANs

100

Virtual ports (sum of all statically con- 256

figured VLAN physical port member-

ships)

Spanning trees (STP/PVST+ instances) 64

SSHv2 management sessions

WX4400: 8

WX2200: 8

WX1200: 4

WXR100: 4

ACLs and Location Policies

ACEs per switch:

■ WX4400: 2308

■ WX2200: 2308

■ WX1200: 700

Telnet client sessions (client for remote WX4400: 8

■ WXR100: 700

ACEs per ACL:

WX2200: 8

WX1200: 4

WXR100: 4

■ WX4400: 267

NTP servers

■ WX2200: 267

SNMP trap receivers

Syslog servers

RADIUS servers

■ WX1200: 267

■ WXR100: 25

Location Policies per switch: 1

100 configured on the switch

10 in a server group

4 server groups in a AAA rule

The Location Policy can have up to 150

rules.

IGMP streams

500

Replication of a stream on multiple

VLANs counts as a separate stream on

each VLAN.

Client and Session Parameter

Supported Value

Authenticated and associated clients

per radio

100

Clients who are authenticated but not

yet associated are included in the total.

Active clients per radio

Total number of active clients simulta-

neously sending or receiving data.

Wired authentication users per port

500

Download from Www.Somanuals.com. All Manuals Search And Download.

WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

When upgrading systems with large

Client and Session Parameter

Supported Value

configurations, it may be necessary to save the

configuration to a backup file. (41330)

Active AAA sessions (clients trying to

establish active connections) per WX

switch

WX4400: 2500

WX2200: 3200

WX1200: 300

WXR100: 75

These are the suggested maximums.

The switch might be able to support

even more sessions, but performance

or system stability might be affected.

When upgrading systems with very large configura-

tions, for example, hundreds of APs or hundreds of

users, it may be necessary to save the configuration to

a backup file, generate a minimal configuration, per-

form the update, load the backup configuration from

the command line, and then save the configuration.

AAA users configured in local data-

base

WX4400: 999

WX2200: 999

WX1200: 250

WXR100: 250

Time and date do not synchronize with an NTP

server, if the switch's NTP client is enabled

before the NTP service is started on the server.

(20382)

Known Problems

Using set ap <apnum> boot configuration

commands. (38517)

System Configuration Issues

The set ap <apnum> boot-configuration switch

switch-ip cannot be set at the same time as set ap

<apnum> boot-configuration switch name

<switch-name> dns <ip addr>. The commands

overwrite each other when used.

Adding a static VLAN with the same name as a

VLAN whose traffic is being tunneled through

the switch can cause the switch to restart.

(18367)

MSS can tunnel traffic for a VLAN through a WX

switch that does not have that VLAN statically config-

ured. If you attempt to add a static VLAN to a switch

that is already tunneling traffic for a VLAN with the

same name, the switch can restart.

The auto-config feature does not work properly

if the 3WXM server is unreachable when the

auto-config feature is enabled. (44477)

To work around this issue, be sure that the 3WXM

server is reachable from the wireless switch before

you enable auto-config. If auto-config is enabled by

default on the wireless switch, be sure that the

3WXM server is reachable before you boot the wire-

less switch.

To create the VLAN, clear the Mobility Domain config-

uration from the switch, create the VLAN, and then

configure the Mobility Domain again.

The default value for RADIUS “deadtime” shown

in the CLI help is incorrect. (41689)

The correct default value is 0.

Download from Www.Somanuals.com. All Manuals Search And Download.

Known Problems

Static IP settings do not work on the 8x50 or

AP7250 Access Points. (28529)

Mixing Autonegotiation with full-duplex mode

on a link causes slow throughput and can cause

a WX port to stop forwarding. (26276)

The configuration of static settings including VLAN

tag, WX IP, WX name, AP IP and AP IP mask are not

supported on the AP8750, AP8250, or AP7250.

3Com recommends that you do not configure the mode

of a WX port so that one side of the link is set to autone-

gotiation while the other side is set to full-duplex.

Switching and Port Issues

Although MSS allows this configuration, it can result

in slow throughput on the link. The slow throughput

occurs because the side that is configured for autone-

gotiation falls back to half-duplex. A stream of large

packets sent to a WX port in such a configuration can

cause forwarding on the link to stop.

Port Mirroring is not active after the switch is

rebooted. (29684)

Port mirroring configuration cannot be saved and is

not retained through reboots of the WX switch.

Router redundancy protocol on intermediary

devices between WX switches in a Mobility

Domain can interfere with communication

among the switches. (16910)

Antenna sensing has been deprecated from

system software. The antenna configuration is

the authoritative source to enabling external

antenna operation on the AP, even if the

external antenna isn't actually connected.

(34904)

If the Mobility Domain contains intermediary switches

or routers that use a router redundancy protocol, WX

switches that communicate through those intermedi-

ary devices might lose communication with one other

due to the way some router redundancy protocols

handle MAC addresses. If this issue occurs, log mes-

sages appear periodically on the seed WX switch indi-

cating that member WX switches are entering or

leaving the Mobility Domain.

FDB entry is not cleared when tagging mode on

a port changes. (44970)

When the tagging mode on a port is changed,

learned entries in the fdb are not cleared. As a result,

connectivity may be lost. To work around this issue

and restore connectivity, clear the fdb manually.

Set the FDB timer (default 300 seconds) and the ARP

timer (default 1200 seconds) to the same values on

the WX switches. 3Com recommends using 300 sec-

onds as the value for both timers. To set the FDB

timer, use the set fdb agingtime command. To set

the ARP timer, use the set arp agingtime command.

Client connecting to local switched untethered

AP causes Mesh APs to time out. (44982)

In some configurations, a client connecting to a mesh

AP that also has local switching enabled will cause

other mesh APs in the network to time out and

reboot.

Download from Www.Somanuals.com. All Manuals Search And Download.

WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

A distributed AP may not successfully boot if

Port 1 of the AP has an operational Ethernet

link, but an WX is unreachable via this data link.

(38807)

Mesh Issues

The Ethernet port is not brought up on the

bridge link if it was not up when the mesh link is

established. (46037)

All other combinations of power and data connectiv-

ity are fully supported.

If the mesh AP is brought up without the Ethernet

port connected, after the mesh link is established, the

bridge link will not come up and no traffic will flow

through the AP to the Ethernet port. To work around

this issue and restore connectivity, reset the mesh AP

ensuring that the Ethernet port is always up by con-

necting a hub or switch to the mesh AP Ethernet port.

Distributed MAP can change IP addresses during

boot sequence in environments with multiple

DHCP servers. (16499)

To become fully active, a Distributed MAP does a full

restart after downloading its software image. The first

time the MAP is powered up, it sends a DHCP dis-

cover for an IP address, uses DNS to find its config-

ured WX switch, and then downloads its software

image from that WX.

MAP Issues

Distributed MAPs and Link Autonegotiation (16726)

The Ethernet interfaces on a MAP are configured to

autonegotiate the link speed (10 Mbps or 100 Mbps)

and mode (half duplex or full duplex). The setting

cannot be changed. A common setting on third-party

switches is 100 Mbps, with full duplex. If you connect

a Distributed MAP to a port that is set for 100 Mbps

with full duplex, the MAP operates at 100 Mbps with

half duplex. This results in an unusable link. Configure

the port on the other device to autonegotiate.

After downloading the image, the MAP restarts itself

with the downloaded image and sends a second

DHCP discover to again obtain its IP address. In a net-

work containing more than one DHCP server, it is pos-

sible for the MAP to use one IP address when

downloading the image, but end up with a second IP

address after rebooting the second time. This can

occur if the DHCP server that responds to the DHCP

request after the second reboot is not the same server

that responded to the first request.

Wireless clients connected to directly attached

APs may not display as connected in the show

system output information. (41792)

This issue does not prevent the MAP from operating

normally but can make managing the MAP more diffi-

cult if the address the MAP receives the second time is

not predictable. To prevent the MAP from using more

than one address, use static address assignment in

your DHCP server.

When connected to the network using an Intel

2100 wireless network card, large file transfers

may cause the wireless client to disconnect.

(40721)

Download from Www.Somanuals.com. All Manuals Search And Download.

Known Problems

configured to automatically use the user’s Windows

the interval is too short for users who must manually

enter their network login information.

WebView Issues

Unless otherwise noted, the workaround for Web-

View issues is to use the CLI or 3WXM.

WebView does not display more than 32 service

profiles. (18374)

If the network has clients that do not automatically

use the Windows username and password as the net-

work username and password, use the set dot1x

tx-period command to increase the retransmit time.

WebView allows configuration of duplicate SSID

names in the same service profile. (18375)

CAUTION: Changes to 802.1X parameters affect all

SSIDs managed by the WX switch.

In WebView, self-signed certificate for network

user is not accepted with only a Common Name

value. (15651)

Deleting a user group or MAC user group does

not delete membership from its members.

(14833)

If you use WebView to configure a self-signed certifi-

cate for network users, the switch does not generate

the certificate if you enter information only in the

Common Name field and not in other fields.

If you type the clear usergroup or clear mac-user-

group command to delete a user group or MAC user

group, the display aaa command shows that the

user group is gone. However, the user profiles for the

users still list them as members of the deleted groups.

This issue does not affect the CLI. In the CLI, you can

generate a self-signed certificate with only the

common name specified. Use the CLI to generate the

certificate or use the additional fields in WebView.

Use the clear user group and clear mac-user group

commands in addition to the clear usergroup and

clear mac-usergroup commands to explicitly remove

individual users or MAC users from a group.

If you are running Linux Redhat 9 and use

Firefox 2.0 to open WebView, the browser may

become unresponsive. (40676)

This behavior is noted on the WX2200 and WX4400.

CLI allows set authentication dot1x command

with invalid combination of pass-through and

local options. (15562)

AAA and RADIUS Issues

The CLI allows you to enter a command such as the

following:

Default 802.1X retransmit interval is too short

for manual login. (18032)

set authentication dot1x ssid any * pass-through

local

The default 802.1X retransmit interval is 5 seconds.

Although this interval is adequate for clients that are

Download from Www.Somanuals.com. All Manuals Search And Download.

WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

The pass-through and local AAA methods are mutually

exclusive. Even if a server group named local exists,

MSS does not use the group. In either case, the EAP

session fails and the 802.11 session is deauthenticated

CAUTION: Changes to 802.1X parameters affect all

SSIDs managed by the WX switch.

WebAAA Issues

when the client responds to the first identity request.

WebAAA using a Windows client and a WX

switch that has a self-signed certificate can

intermittently fail if Windows is configured to

update root certificates. (18597)

Do not name a server group local and do not attempt

to mix mutually exclusive authentication methods in

the same command.

If the WX switch uses a self-signed certificate (as

opposed to a CA-issued certificate), and the Microsoft

OS on the WebAAA client is configured to update

root certificates (the default setting), Windows tries to

contact microsoft.com to get updated certificates.

Incorrect zero value for Acct-Authentic appears

in accounting statistics. (14851)

In the output of the display accounting statistics

command, the Acct-Authentic field in accounting

records always displays 0 (zero) to indicate the loca-

tion where a user was authenticated for the session.

The correct value is 1 (one) if RADIUS performed

authentication or 2 if authentication took place in the

local WX database.

This causes a 15-second delay, after which IE displays

a popup dialog asking whether the user wants to

accept the untrusted certificate from the WX.

Even when the user selects Yes, IE sometimes does

not display the WebAAA Login page served by the

WX switch.

Ignore the Acct-Authentic value in display account-

ing statistics output.

Clients using Intel 3945ABG wireless NIC were

unable to connect reliably to network. (28863)

This issue occurs intermittently. If the issue occurs,

reattempt the login.

Some client laptops using the Intel 3945ABG adapter

card were not able to connect reliably to the network

because the client ignored the initial GKHS message

sent by the WX switch, timed out, and deassociated

before the switch could retransmit the GKHS mes-

sage.

IPv6 clients cannot authenticate using Web

Portal. (26291)

The web-portal ACL does not work on IPv6 traffic.

IPv6 clients will not be able to authenticate using Web

Portal unless the clients also run IPv4.

To work around this problem, set the 802.1X suppli-

cant timeout to 1 second. To do this, use the set

dot1x timeout supplicant command.

This issue affects Web-Portal authentication only. The

other authentication types (802.1X, MAC, and Last

Resort) can be used with IPv6 clients.

Download from Www.Somanuals.com. All Manuals Search And Download.

Known Problems

The Unicast bytes fields in display sessions

network sessions-id output can show a negative

number. (18174)

ACL Issues

ACE names that begin with CLI keywords are not

supported. (17521)

IGMP Snooping and IP Multicast Issues

When configuring an access control entry (ACE), if

the name you specify for the ACE begins with a word

that is also a keyword used by the CLI, the CLI rejects

the ACE name. In the following examples, the ACE

names that begin with port and vlan are rejected, but

the ACE name that starts with abc, which is not a CLI

keyword, is accepted:

IP multicast streams can stop for all receivers on

a MAP if IGMP snooping is disabled. (15971)

If you disable IGMP snooping, all clients that are

receiving a multicast group stream through a MAP

stop receiving the stream if one of the clients leaves

the group.

WX1200# set security acl ip port_abc deny

0.0.0.0 255.255.255.255

Do not disable IGMP snooping. (The feature is

enabled by default.)

error: Wrong ACL name input = port_abc

WX1200# set security acl ip vlan_abc deny

0.0.0.0 255.255.255.255

Invalid IP multicast forwarded. (12784)

error: Wrong ACL name input = vlan_abc

IGMP multicast streams with an invalid source IP

address (for example, 0.0.0.0) are forwarded by the

WX switch.

WX1200# set security acl ip abc_port deny

0.0.0.0 255.255.255.255

Do not use a CLI keyword in the beginning of an ACE

name.

AP Issues

APs that are part of the Mobility System are

identified as Rogues. (44686)

Session Issues

In some cases, valid APs that are part of the 3Com

Mobility System may appear as rogue APs. This condi-

tion may be safely ignored.

The display session network wired command

does not list wired authentication sessions.

(17829)

If you use the wired option with the display ses-

sions network command, no sessions are listed.

AP3850 times out with high traffic on Bridge

link. (45538)

Use the display sessions network command, with-

out the wired option. In this case, the wired authen-

tication sessions are included in the output.

The AP3850 may time out and reboot when in bridg-

ing mode if a high level of traffic is sent across the

bridge.

Download from Www.Somanuals.com. All Manuals Search And Download.

WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

Microsoft’s directions on how to change the default

behavior of the Vista wireless client:

Local Switching Issues

In some instances, an error message containing

Connecting to non-broadcast wireless networks in

Windows Vista:

“SSR setup failed.mac” and a multicast address

can be ignored. (44605)

http://support.microsoft.com/kb/929661

Windows VISTA Issues

IE 7 issues with self-signed web-portal

certificates

Windows Vista clients cannot connect to

“hidden” SSIDs.

Microsoft has introduced more strict client security in

Internet Explorer 7.0 which makes the use of

self-signed certificates more confusing for end-users.

When the WX attempts to process a client’s web-

portal login request, a screen displays this notice:

“There is a problem with this website’s security certifi-

cate” every time a client attempts to authenticate if

the WX is using a self-signed certificate. While it is

possible to choose the “Continue to this website”

option, the user is discouraged from doing so for

security reasons. This situation may lead to a notice-

able increase in support calls from confused

end-users.

In its default configuration, Windows Vista does not

connect to hidden “non-broadcast” SSIDs. Microsoft

has changed this behavior in both Vista and the latest

Windows client update for XP (KB# 917021) as part

of an effort to increase security on wireless clients. For

more information, please check the following URLS

on Microsoft’s website:

Non-broadcast Wireless Networks with Microsoft

Windows:

http://www.microsoft.com/technet/

network/wifi/hiddennet.mspx

Description of the Wireless Client Update for Win-

dows XP with Service Pack 2:

3Com recommends that you do not use self-signed

certificates for Web-Portal. In addition to the security

issues with using an unverified certificate, the user

experience is severely affected for IE 7 users. Use Veri-

sign or another less expensive certificate authority to

purchase a third-party verified certificate. If you are

not using one of the major Internet certificate author-

ities (CA), verify that the CA’s public certificate is

included with all of the web browsers that you sup-

port on your network.

http://support.microsoft.com/?kbid=917021

3Com recommends that, if you do not have direct

control over the configuration of the wireless clients

accessing your network, do not configure your service

profiles with hidden SSIDs.

If you do have direct control over client configuration,

you can change the default behavior. Here is a link to

Download from Www.Somanuals.com. All Manuals Search And Download.

Upgrading MSS

If you choose not to purchase a signed certificate

from a third-party CA, you may choose to install the

self-signed certificate into the trusted certificate store

on every client that uses Web-Portal. IE 7 must be run

with administrative privileges to perform this change,

and it must be performed on each client who will use

Web-Portal.

3WXM support in Windows Vista

3WXM does not officially support Windows Vista yet,

so there may be some interoperability issues. Official

support will be included in an upcoming release of

3WXM. Known issues include installer issues for the

standalone client and the server, as well as intermit-

tent failures to launch the Webstart Client.

Wildcard Certificates in Web portal not working

with IE 7

3Com recommends that you do not run the 3WXM

server on Windows Vista or Longhorn; use Windows

Server 2003 instead. For clients accessing a 3WXM

server who have no other choice of OS, run the Java

Webstart client or use Microsoft’s “Remote Desktop”

client to connect to a Windows XP computer and run

the client from there.

Internet Explorer’s handling of wildcard certificates

changes between IE 6 and IE 7, and for older versions

of MSS, wildcard SSL certificates will not work in IE 7

with Web-Portal. A wildcard certificate is one that

includes an asterisk as the hostname portion of the

certificate’s common name. For example, a wildcard

certificate for 3Com Corporation would have a

common name of “*.3com.com”.

Vista Client interoperability issues

Vista client PCs have an interoperability problem with

a Windows 2003 certificate server. The Windows

2003 certificate server must be patched with some

files from a Windows Longhorn server. This URL gives

the details:

3Com recommends that you upgrade to MSS

5.0.11.4 or later. The Web Portal feature now handles

wildcard certificates in a manner that is compatible

with both IE 6 and IE 7.

http://support.microsoft.com/?kbid=922706

Windows Vista Driver interoperability issues

Windows Vista drivers are relatively new and have not

yet reached the maturity level of Windows XP drivers.

Upgrading MSS

Preparing the WX Switch for the Upgrade

3Com recommends that you use the most recent

Vista drivers available from the manufacturer’s web-

site. If that does not resolve the issue, you can try to

run the Windows XP drivers for your wireless NIC;

some of them may run under Vista and provide better

results.

CAUTION: Create a backup of your WX switch

files before you upgrade the switch. 3Com rec-

ommends that you make a backup of the switch

before you install the upgrade. If an error occurs

Download from Www.Somanuals.com. All Manuals Search And Download.

WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

during the upgrade, you can restore your switch

to its previous state.

You can copy the image file only into the boot parti-

tion that was not used for the most recent restart. For

example, if the currently running image was booted

from partition 0, you can copy the new image only

into partition 1.

Use this command to back up the switch’s files:

backup system [tftp://ip-addr/]filename

[all | critical]

4 Set the boot partition to the one with the upgrade

image for the next restart.

To restore a switch that has been backed up, use the

following command:

To verify that the new image file is installed, type dis-

play boot.

restore system [tftp://ip-addr/]filename

[all | critical] [force]

5 Reboot the software.

To restart a WX switch and reboot the software, type

the following command:

“Upgrade Scenario” on page 28 of these Release

Notes shows a sample use of the backup command.

For more information about these commands, see the

“Backing Up and Restoring the System” section in the

“Managing System Files” chapter of the Wireless LAN

Switch and Controller Configuration Guide.

reset system [force]

When you restart the WX switch, the switch boots

using the new MSS image. The switch also sends the

MAP version of the new boot image to MAPs and

restarts the MAPs. After a MAP restarts, it checks the

version of the new MAP boot image to make sure the

boot image is newer than the boot image currently

installed on the MAP. If the boot image is newer, the

MAP completes installation of its new boot image by

copying the boot image into the MAP’s flash memory,

which takes about 30 seconds, then restarts again.

The upgrade of the MAP is complete after the second

restart.

If you have made configuration changes but have not

saved the changes, use the save config command to

save the changes before you backup the switch.

If the switch is running an earlier version of MSS, use

the copy tftp command to copy files from the switch

onto a TFTP server.

Upgrading an Individual Switch Using the CLI

1 Back up the switch, using the backup system com-

mand. (See “Preparing the WX Switch for the

Upgrade” on page 27.)

Upgrade Scenario

To upgrade a switch (WX1200 used in this example)

type commands such as the following.

2 Copy the new system image onto a TFTP server.

3 Copy the new system image file from the TFTP server

This example copies the image file into boot

partition 1. On your switch, copy the image file into

the boot partition that was not used the last time the

to a boot partition in the switch’s nonvolatile storage.

Download from Www.Somanuals.com. All Manuals Search And Download.

Upgrading MSS

switch was restarted. For example, if the switch

booted from boot partition 1, copy the new image

into boot partition 0. To see boot partition informa-

tion, type the display boot command.

Command Changes During Upgrade

The following table lists the commands that are dep-

recated in MSS Version 4.2, and their replacements.

4.1 Command

4.2 Command

WX1200# save config

success: configuration saved.

set radio-profile wmm

set radio-profile long-retry

set radio-profile short-retry

set radio-profile qos-mode

set service-profile long-retry

set service-profile short-retry

WX1200# backup system tftp://10.1.1.107/sysa_bak

success: sent 28263 bytes in 0.324 seconds

[ 87231 bytes/sec]

WX1200# copy tftp://10.1.1.107/wb042302.rel

boot1:wb042302.rel

success: received 10266629 bytes in 92.427

seconds [ 111078 bytes/sec]

During upgrade, MSS makes the following changes to

commands in 4.1 configuration files:

■ set radio-profile name wmm enable is changed

to set radio-profile name qos-mode wmm

WX1200# set boot partition boot1

success: Boot partition set to

boot1:wb042302.rel (4.2.3.2.0).

■ set radio-profile name wmm disable is changed

to set radio-profile name qos-mode svp

WX1200# display boot

■ set radio-profile name long-retry and set

radio-profile name short-retry are removed. The

retry counts are reset to their default values and must

be reconfigured manually, in the service profiles.

Configured boot version:

4.2.3.2.0

Configured boot image:

boot1:wb042302.rel

Configured boot configuration:

file:configuration

In addition, MSS automatically adds a new option,

encrypted, to set radius and set radius server com-

mands that use the key option. The encrypted option

encrypts the key string displayed in the configuration.

Backup boot configuration:

Booted version:

file:backup.cfg

4.1.5.1

Booted image:

boot1:wx040105.020

The option encrypts display of the string but does not

encrypt the actual string sent to RADIUS servers.

RADIUS servers still receive the string that was entered

with the set radius or set radius server command in

MSS Version 4.0.

Booted configuration:

file:configuration

Product model:

WX1200

WX1200# reset system force

...... rebooting ......

To ensure that the command change is saved after you

upgrade, after you load the new image and restart the

Download from Www.Somanuals.com. All Manuals Search And Download.

WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

2003 reserved.

Build Information: (build#67) TOP

switch, enter the save config command as soon the

switch finishes restarting.

Model:

Hardware

Mainboard: version 24 ; revision

PoE board: version 1 ; FPGA

Serial number 1234567890

Flash: 4.1.0.14 - md0a

For complete syntax information about the new com-

mands and options, see the Wireless Switch Manager

Command Reference.

Installing Upgrade Activation Keys on a

WX4400 or WX2200

Kernal: 3.0.0#20: Fri May

BootLoader: 4.10 / 4.1.0

3 Install the license using the following command:

The WX4400 and WX2200 can boot and manage up

to 24 MAPs by default. You can increase the MAP

support up to 120 MAPs, by installing activation keys.

set license

The following example shows how to install an

upgrade license and activation key:

To obtain an activation key, access the 3Com web site

(www.3Com.com). Each license and activation key

pair allows the switch to actively manage an addi-

tional 24 MAPs. You can install up to four upgrade

license and activation key pairs, to actively manage up

to 120 MAPs.

WX4400# set license WXL-076E-93E9-62DA-54D8

WXA-3E04-4CC2-43OD-B508

Serial Number: 1234567890

License Number: 245

License Key: WXL-076E-93E9-62DA-54D8

Activation Key: WXA-3E04-4CC2-43OD-B508

Feature: 24 additional ports

Expires: Never

To upgrade a WX license:

48 ports are enabled

success: license was installed

1 Obtain a license coupon for the upgrade from 3Com

or your reseller.

2 Establish a management session with the WX switch

to display the switch’s serial number.

Unless otherwise indicated, 3Com registered trademarks are registered in the

United States and may or may not be registered in other countries.

To use the CLI to display the serial number, type the

following command:

3Com and the 3Com logo are registered trademarks of 3Com Corporation.

Mobility Domain, Mobility Point, Mobility Profile, Mobility System, Mobility System

Software, MP, MSS, and SentrySweep are trademarks of Trapeze Networks,

Inc.Intel and Pentium are registered trademarks of Intel Corporation. Microsoft,

MS-DOS, Windows, Windows XP, and Windows NT are registered trademarks of

Microsoft Corporation.

display version

In the following example, the switch serial number is

1234567890:

All other company and product names may be trademarks of the respective

companies with which they are associated.

WX1200> display version

Download from Www.Somanuals.com. All Manuals Search And Download.

Acer Computer Monitor P221W User Manual
Acer Laptop TravelMate 4050 User Manual
Acnodes Car Video System RM 6193 User Manual
Alliance Laundry Systems Washer Dryer H242I User Manual
Alto Shaam Microwave Oven MN 29249RU User Manual
Amana Refrigerator Bottom Freezer Refrigerator User Manual
American Audio Mouse WM 16HH User Manual
Apple Network Router U10C012 User Manual
Axis Communications Security Camera Q1931E PT User Manual
Behringer Stereo Amplifier HA4700 HA8000 User Manual