3Com Video Game Controller 6046 User Manual

WIRELESS LAN SWITCH AND CONTROLLER  
MSS VERSION 6.0.4.6 RELEASE NOTES  
Related Documentation  
What’s New in MSS Version 6.0  
MSS Version 6.0 contains the following enhancements:  
New AP3150 and AP3850 support  
Please use these notes in conjunction with the following:  
Wireless LAN Switch and Controller Quick Start Guide  
Wireless LAN Switch and Controller Hardware  
802.1x Client Diagnostic Enhancement (additional  
Installation Guide  
debug information)  
Wireless LAN Switch and Controller  
SNMP/3ND Support  
Configuration Guide  
AP/DAP Unification  
Wireless LAN Switch and Controller Command Reference  
Wireless Switch Manager User’s Guide  
New Web View interface  
AeroScout RFID tag support  
Wireless Switch Manager Reference Manual  
3Com Mobility System Antenna Guide  
Newbury Networks Location appliance support  
Persistent VLAN assignment for roaming clients  
Simplified Web-Portal and last-resort configuration  
RF Auto-Tuning enhancements  
You can obtain the latest technical information for  
these products, including a list of known problems and  
solutions, from the 3Com Knowledgebase:  
Unscheduled Automatic Powersave Delivery  
(U-APSD) support  
DHCP server enhancements  
Software License Agreement  
RADIUS accounting enhancements  
Before you use these products, please ensure that you  
read the license agreement text. You can find the  
license.txt file on the CD-ROM that accompanies your  
product, or in the self-extracting exe that you have  
downloaded from the 3Com Web site.  
Support for special characters in SNMP community  
names  
Increased life span of new self-signed certificates  
CLI commands to specify location and contact infor-  
mation for MAPs  
Part No. 10016430 Rev. AA  
Published November 2007  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Points to Note When Using the WXR100, WX1200, WX4400, or WX2200  
3
backup, refer to the section titled “Backing Up and  
Restoring the System” on page 613 of the MSS con-  
figuration guide. For details on the procedure for  
3WXM, refer to the section titled “Upgrading  
3WXM” of the 3WXM Reference Manual.  
all Network changes before attempting to deploy any  
Local changes.  
7 After Network changes have been accepted and the  
switch status has been refreshed, carefully examine  
any remaining Local changes in 3WXM before decid-  
ing whether to deploy them to the wireless switch.  
2 Upgrade 3WXM before upgrading the wireless switch  
(MSS). Newer versions of 3WXM are designed to  
handle older versions of MSS and will change their  
configuration model for switches that are running  
older versions of MSS. For example, 3WXM 6.0 can  
handle switches running 4.0.x, 4.1.x, 4.2.x, 5.0.x, or  
6.0.x. However, older versions of 3WXM are not  
designed to manage newer versions of MSS. For  
example, 3WXM 4.2 is not designed to manage a  
wireless switch running 6.0.  
8 If you need to downgrade to an older version of MSS,  
the system will provide the option to use an automat-  
ically archived configuration file that was created  
when the system was upgraded. To apply a configura-  
tion that is compatible with the older version of MSS,  
you may choose to apply this archived configuration  
file.  
Best Practice When Powering Down a Switch  
3 After completing a successful upgrade of 3WXM,  
upgrade the wireless switch to the same major soft-  
ware version. 3Com recommends always running the  
same major version of 3WXM and MSS in a produc-  
tion environment. For example, 6.0.x.  
If a WXR100 or WX1200 is connected to Power Sourc-  
ing Equipment (PSE), it is possible for the switch to  
remain powered on even when the power cord is  
unplugged. PSE can be a dedicated PoE injector or even  
another networking switch such as the WX that is capa-  
ble of supplying PoE. To ensure that the switch is pow-  
ered off, unplug the power cord, then unplug all  
Ethernet cables that are connected to other PoE devices.  
4 If the CLI of the wireless switch indicates unsaved  
configuration changes after completing the upgrade  
(indicated with a * in front of the system name on the  
CLI), save the configuration using the 'save configura-  
tion' command.  
System Configuration Best Practices  
5 When upgrading several switches, upgrade one at a  
time. After the upgrade has been completed on each  
switch, verify that it is operating properly before pro-  
ceeding on to the next switch.  
3Com strongly recommends that you use 3Com  
Wireless Switch Manager (3WXM) for archiving and  
version control of network-wide wireless LAN switch  
configurations. 3Com also recommends that you  
archive the CLI-based configuration files of individual  
WX switches by copying the configurations to a  
server.  
6 After the MSS upgrade has been completed, refresh  
the switch status in 3WXM. If Network changes are  
detected, they should be reviewed carefully before  
deciding whether to accept them into 3WXM. Accept  
Download from Www.Somanuals.com. All Manuals Search And Download.  
4
WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES  
Client and AAA Best Practices  
Protocol  
Advantages  
Disadvantages  
EAP-TTLS  
Does not require  
client certificates  
Requires third-party  
802.1X client software  
Follow these best-practice recommendations during  
configuration and implementation to avoid or solve  
issues you might experience.  
Broadest compatibil- Username/pass-  
ity with user directo-  
ries  
word-based access  
might not be as  
strong as certifi-  
cate-based access  
Get Clients and AAA Working First  
The greatest majority of installation issues are related  
to clients and AAA server (authentication, authoriza-  
tion, and accounting) operation. 3Com recommends  
first establishing a baseline of proper operation with a  
sampling of wireless clients and the AAA server you  
plan to use. Working out client and AAA configura-  
tion methods first provides valuable information as  
you scale the deployment.  
EAP-TLS  
Strongest authenti- Client-side certifi-  
cation using X.509  
certificates.  
cates require full PKI  
infrastructure and  
management over-  
head  
Native support in  
Windows XP and  
2000  
Broad support in all  
802.1X clients  
PEAP-TLS  
Strongest authenti- Client-side certifi-  
The selection of client and AAA server software will  
depend heavily on the requirements of your deploy-  
ment. First, decide which EAP Protocol you will be using  
as that will restrict the available clients and servers. Each  
protocol has different advantages and disadvantages,  
which you will need to consider in your deployment. For  
most enterprise deployments, 3Com recommends using  
PEAP-MS-CHAP-V2 as the 802.1X protocol. The follow-  
ing table compares the EAP protocols.  
cation using X.509  
certificates.  
cates require full PKI  
infrastructure and  
management over-  
head  
Native support in Win-  
dows XP and 2000  
Minimal advantage  
over EAP-TLS  
Broad support in all  
802.1X clients  
Although LEAP uses the same ethertype as 802.1X  
(0x888e), the LEAP protocol is proprietary and does  
not conform to the IEEE 802.1X standard. Addition-  
ally, the LEAP protocol has serious security flaws. For  
example, LEAP-authenticated networks can be  
breached using a simple dictionary attack.  
Protocol  
Advantages  
Disadvantages  
PEAP-MS-CHAP-V2  
Does not require  
client certificates  
Username/pass-  
word-based access  
might not be as  
strong as certifi-  
cate-based access  
Compatible with  
MSS EAP offload  
When testing and evaluating MSS, enterprises using  
primarily Microsoft platforms are recommended to use  
Windows XP clients running PEAP-MS-CHAP-V2 with a  
Windows 2000 or 2003 server running Internet  
Native support in  
Microsoft Windows  
XP and 2000  
Authentication Service (IAS) as the RADIUS back end.  
This provides a test environment that is quick to set up  
and does not require additional third-party software.  
Broad support in  
802.1X clients  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Points to Note When Using the WXR100, WX1200, WX4400, or WX2200  
5
Wireless NICs  
As new drivers are released by the manufacturers,  
3Com expects general compatibility to improve.  
Most wireless NICs available now support 802.1X  
authentication. The following table lists the NICs that  
have been used successfully with MSS. The majority  
were tested using recently available drivers using the  
Microsoft native 802.1X client and a Microsoft IAS  
RADIUS server. 3Com has not experienced any com-  
patibility problems with NICs being unable to support  
specific EAP protocols or specific RADIUS servers, so  
we have only documented the differences in encryp-  
tion type. Entries that have both Windows 2000 and  
Windows XP listed together have the same results for  
both operating systems. A result of Pass indicates suc-  
cessful authentication and roaming with the listed  
model and operating system. A result of Fail indicates  
an inability to successfully complete authentication. A  
result of NA (Not Applicable) indicates that the NIC  
does not support the listed encryption type. A result  
of NT (Not Tested) indicates that the combination has  
not been tested yet.  
Mfgr  
Model, Driver,  
OS  
WEP  
Mixed TKIP  
TKIP/  
CCMP Web  
and Driver Date  
WEP  
3Com  
3CRPAG175B  
1.1.0.21,  
10/4/05  
XP  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
3Com  
3Com  
3CRBAG675B  
1.1.0.21,  
09/19/05  
XP  
XP  
Pass  
Pass  
3CRPAG175  
SL-3040 AA  
5.1.2535.0,  
7/1/2001  
3Com  
3CRDAG675  
SL-3045 AA  
1.0.0.25,  
8/1/2003  
XP  
Pass  
Pass  
Pass  
Pass  
Pass  
3Com  
3Com  
3CRWE154A72  
3CRXJK10075  
3.3.0.156,  
12/26/04  
XP  
XP  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Not  
Pass  
Not  
Not  
Tested  
Tested Tested  
Currently, WPA/CCMP (AES) encryption is supported  
only when configured as the only cryptographic type  
in service profile. Enabling dynamic WEP or WPA/TKIP  
with AES on the same SSID can cause severe connec-  
tivity issues as some manufacturers’ drivers do not  
work properly when both encryption types are  
enabled. 3Com recommends that you set up a sepa-  
rate service profile for WPA/CCMP with a different  
SSID for compatibility. If you are migrating from  
Dynamic WEP to WPA/TKIP, 3Com recommends creat-  
ing separate service profiles for each encryption type  
and migrating users from one SSID to the other when  
they are configured to use TKIP.  
3Com  
Belkin  
3CRUSB10075  
6.3.3.2,  
06/05/06  
XP  
XP  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
F5D8010 1000  
1.2.0.80,  
9/21/2004  
Pass*  
Buffalo WLI-CP-G54  
XP  
XP  
Pass  
Pass  
Not  
Tested  
Pass  
NA  
Pass  
Pass  
Not  
Tested  
Cisco  
Cisco  
Aironet MPI350  
3.8.26.0,  
5/4/2004  
Pass  
Pass  
Aironet  
AIR-CB20A  
3.9.16.0,  
9/20/2004  
XP  
Pass  
Not  
Tested  
Not  
Not  
Not  
Tested Tested Tested  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
6
WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES  
Mfgr  
Model, Driver,  
and Driver Date  
OS  
WEP  
Mixed TKIP  
TKIP/  
WEP  
CCMP Web  
Mfgr  
Model, Driver,  
and Driver Date  
OS  
WEP  
Mixed TKIP  
TKIP/  
WEP  
CCMP Web  
Cisco  
Dell  
Aironet 350  
XP  
Pass  
Fail  
Pass  
Fail  
Not  
Not  
Not  
Linksys  
WPC54G 1.0  
3.60.7.0,  
3/22/2004  
XP  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Tested Tested Tested  
TrueMobile1150XP  
A00  
7.43.0.9  
NA  
NA  
Pass  
Linksys  
Linksys  
WPC54GS  
3.50.21.10,  
1/23/2004  
XP  
Pass  
Pass  
Dell  
Dell  
Dell  
Dell  
TrueMobile 1150XP  
Pass  
Pass  
Pass  
Pass  
Fail  
Not  
Tested  
NA  
Not  
Tested  
WPC54G  
version 2  
XP  
XP  
Fail  
Fail  
Fail  
Fail  
Not  
Tested  
TrueMobile 1300 XP  
TrueMobile 1400 XP  
TrueMobile 1450 XP  
Not  
Tested  
Not  
Not  
Not  
Tested Tested Tested  
Netgear WG-511 1.0  
Pass  
Pass  
Pass  
Pass  
Fail‡‡  
2.1.25.0,  
9/6/2004  
Pass  
Pass  
Pass  
Not  
Tested  
Netgear WAG-511 0.1  
XP  
Pass  
Pass  
Pass  
Pass  
Fail6  
Pass  
Pass  
Pass  
Pass  
3.1.1.754,  
11/2/2004  
3.100.35.0,  
11/27/2004  
Proxim  
Proxim  
Orinoco Gold  
8410  
XP  
XP  
Pass  
Pass  
Pass  
Pass  
NA  
NA  
Not  
D-link  
D-link  
DWLAG650  
XP  
XP  
Pass  
Pass  
Fail  
Pass  
Pass  
Pass  
Pass  
Not  
Tested  
Tested  
Orinoco Gold  
8460***  
3.1.2.19,  
8/5/2004  
Pass  
Pass  
Pass  
DWL-AG660  
A1,A2  
3.0.0.44,  
10/22/2003  
Pass  
Pass  
Pass  
Pass  
Pass  
Not  
Proxim  
Orinoco Gold  
8470-WD  
3.1.2.19,  
8/5/2004  
XP  
Pass  
Pass  
Pass  
Pass  
Pass  
Intel  
Intel  
Intel  
PRO/Wireless  
2200BG  
9.0.2.1,  
8/23/2005  
XP  
XP  
XP  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
NA  
Pass  
Pass  
NA  
Proxim  
Proxim  
Orinoco Gold  
8480  
XP  
XP  
Pass  
Fail  
Pass  
Fail  
Pass  
NA  
NA  
NA  
Not  
Tested  
PRO/Wireless  
2915ABG  
9.0.2.1,  
8/23/2005  
Harmony 8450  
1.4.1.1, 8/1/2002  
Fail†††  
PRO/Wireless  
WCB5000  
1.0.1.33,  
6/4/2003  
SMC  
SMC2336A-AG  
XP  
Pass  
Pass  
Pass  
Pass  
Pass  
2.0  
(99-012084-221)  
2.4.1.32,  
9/29/2003  
Intel  
Pro2100(Cen-  
trino)**  
XP  
XP  
Pass  
Pass  
Pass††  
Pass  
Not  
Not  
Tested Tested Tested  
Linksys  
WUSB54GS  
Pass  
Pass  
Pass  
1.0.0.1,  
6/18/2004  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Points to Note When Using the WXR100, WX1200, WX4400, or WX2200  
7
Conversely, some adapters can associate only with a  
beaconed SSID. Determine whether to beacon the  
clear SSID based on the types of clients in the net-  
work.  
Mfgr  
Model, Driver,  
OS  
WEP  
Mixed TKIP  
TKIP/  
CCMP Web  
and Driver Date  
WEP  
SMC  
SMC2835W  
XP  
Pass  
Pass  
Pass  
NA  
Pass  
1.0  
(99-012084-163)  
Standby mode can prevent some clients from reasso-  
ciating. If a laptop PC whose wireless adapter is asso-  
ciated with a Managed Access Point (MAP) goes into  
standby (hibernate) mode, the operating system can  
either freeze or experience a Blue Screen of Death  
(BSOD) when the laptop comes out of standby mode  
and attempts to reassociate with the access point. To  
work around this behavior, disable standby mode.  
Alternatively, disable and reenable the wireless  
1.0.17.0,  
6/16/2003  
Symbol LA-4121-1020-US XP  
Pass  
Pass  
Pass  
NA  
Pass  
3.9.71.178,  
3/25/2004  
* Belkin Wireless Pre-N requires WPA/TKIP on a TKIP/WEP mixed SSID.  
† Dell TrueMobile 1150 drivers v7.86 and newer might not work with Dynamic  
WEP when you have WPA/TKIP enabled. If you experience problems such as an  
inability to associate with the MAP, install the previous revision of the driver,  
which is available from Dell’s support site.  
adapter after the client emerges from standby mode.  
‡ Requires a registry change to work properly; for more information, see “Win-  
dows 2000 Many enterprises have a large installed base of Windows 2000 lap-  
tops, making this a common choice of platform. Windows 2000 Service Pack 4  
includes a native 802.1X client. If you choose to use the 802.1X client built-in  
to Windows 2000, please note the following:” on page 9.  
** Intel Centrino based chipsets might not associate with the SSID when pow-  
er-save mode is enabled. Future drivers or laptop firmware might resolve this  
issue, but until then 3Com recommends disabling power-save mode complete-  
ly in the driver properties for the NIC.  
†† The Intel Centrino based chipset has not been tested with WPA yet, though  
Dynamic WEP does operate properly in a mixed TKIP and WEP configuration.  
‡‡ NetGear WG511/WAG511 doesn't associate properly to a WebAAA SSID.  
The NIC does not support DHCP.  
If a client passes authentication but fails authoriza-  
tion, the client might indicate that authentication has  
succeeded but the MAP nonetheless disassociates  
from the client. In this case, the client might indicate  
that the network is unavailable. For example, this situ-  
ation can occur if the certificate exchange is valid but  
the requested VLAN or ACL filter is not available, or a  
Mobility Profile™ denies service to the client. Once  
the MAP disassociates from the client, the network  
continues to be unavailable to the client through the  
MAP for the duration of the 802.1X quiet-period  
timer, which defaults to 60 seconds. An error mes-  
sage indicating that a client has failed authorization  
appears in the WX switchs system log.  
*** Use the 848x driver, not the 846x driver.  
††† Proxim Harmony 802.11a (8450) cannot associate properly.  
Driver Dependent Behavior  
Some clients prefer a beaconed clear SSID to their  
configured SSIDs. If you configure MSS to beacon a  
clear SSID, some client adapters prefer this beaconed  
SSID over the SSIDs they are configured to use.  
802.1X Clients  
Properly preparing your clients for wireless connectiv-  
ity is one of the most important things you can do to  
ensure an easy rollout. Here are some guidelines for  
preparing common 802.1X clients and platforms.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
8
WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES  
Windows XP Windows XP is a popular platform for  
wireless clients because of its native support of 802.1X  
authentication and simplified configuration of wireless  
networks. If you choose to use the 802.1X client  
built-in to Windows XP, please note the following:  
Download current drivers for your NICs from the  
NIC vendor(s).  
If your wireless NIC’s driver includes the AEGIS pro-  
tocol manager for WPA support, 3Com recom-  
mends against installing it. Some drivers install this  
automatically if you run the setup.exe utility to  
install the driver. 3Com strongly recommends that  
you update the driver manually using the driver  
properties in the Network control panel instead of  
installing the client manager.  
Microsoft has extensive documentation on how to  
configure and use wireless 802.1X authentication  
in an Active Directory environment, published on  
their website. You can start with Microsoft’s Wi-Fi  
center at:  
technologies/networking/wifi/default.mspx  
If you use computer authentication with different  
VLANs for the Computer and User accounts and  
do not have the WPA hotfix rollup (KB826942) or  
Service Pack 2, you need to install Microsoft hotfix  
KB822596. Otherwise, DHCP will not operate cor-  
rectly after the user authenticates. You must con-  
tact Microsoft technical support for this hotfix. It is  
not available from their website. For more informa-  
tion on computer authentication, see “Computer  
Authentication”.  
Installing Windows XP Service Pack 2 is recom-  
mended for all wireless clients as it includes several  
important hotfixes.  
If you are not prepared to install Service Pack 2,  
3Com strongly recommends that all wireless clients  
use Service Pack 1a with the following hotfixes  
installed:  
KB826942—This is the WPA Hotfix Rollup and is  
available through Microsoft Update  
If MD5 challenge is configured on a Windows XP  
client for wired authentication, the quiet period  
must be set to 0 to guarantee successful authenti-  
cation. In addition, if the authentication is carried  
out manually, the timeout value must be set to no  
less than 30 seconds in order to allow the user  
ample time to enter their username and password.  
For example, to configure 802.1X on a WX switch  
to allow these users time to log in, type the follow-  
ing commands:  
KB834669—This corrects an 802.1X client issue  
which can cause system instability problems in  
Windows XP. You will need to contact Microsoft  
directly for this hotfix.  
If your network uses logon scripts, Active Directory  
group policies, or your users regularly share their  
laptops, you should enable computer authentica-  
tion (also known as machine authentication) to  
achieve full functionality over your wireless con-  
nection.  
WX1200# set dot1x quiet-period 0  
WX1200# set dot1x tx-period 30  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Points to Note When Using the WXR100, WX1200, WX4400, or WX2200  
9
Windows 2000 Many enterprises have a large  
installed base of Windows 2000 laptops, making this  
a common choice of platform. Windows 2000 Service  
Pack 4 includes a native 802.1X client. If you choose  
to use the 802.1X client built-in to Windows 2000,  
please note the following:  
Windows 2000 does not include a full implemen-  
tation of the Wireless Zero-Config service from  
Windows XP, so you will need to use the client  
manager software provided with your NIC to con-  
figure your SSID and enable WEP encryption.  
When using dynamic WEP in Windows 2000,  
select static WEP 128bit and enter any static WEP  
key as a placeholder. This temporary key config-  
ures the driver to use WEP to encrypt packets, and  
the Microsoft 802.1X client then overrides the  
static WEP key you entered with a dynamic key  
after you authenticate successfully.  
Microsoft has extensive documentation on how to  
configure and use wireless 802.1X authentication  
in an Active Directory environment, published on  
their website. Most of this documentation is  
geared towards Windows XP, but both operating  
systems have many similarities in the client. You  
can start with Microsoft’s Wi-Fi center at:  
If your wireless NIC’s driver includes the AEGIS pro-  
tocol manager for WPA support, 3Com recom-  
mends against installing it. Some drivers install this  
automatically if you run the setup.exe utility to  
install the driver. If you are unable to install the  
client manager without the AEGIS component,  
contact the driver manufacturer or download an  
earlier version that does not contain the AEGIS  
component.  
technologies/networking/wifi/default.mspx  
Installing Windows 2000 Service Pack 4 is required  
for all wireless clients.  
Some clients might experience system instability  
when using PEAP-MS-CHAP-V2 in an Active Direc-  
tory environment. The primary symptom of this is a  
message displayed after login informing the user  
that the service svchost.exe has stopped unexpect-  
edly. If you experience this problem, please contact  
Microsoft technical support and request hotfix  
KB833865.  
16-bit PCMCIA and built-in NICs (some 802.11b  
cards in Dell, Toshiba, and other manufacturers’  
laptop PCs) might require a registry setting to be  
changed before they will be able to associate with  
any SSID. Microsoft Knowledge Base article  
327947 documents the changes necessary to  
resolve the problem. Multi-band cards (A/B or  
A/B/G) are generally 32-bit and do not experience  
this problem.  
If your network uses logon scripts, Active Directory  
group policies, or your users regularly share their  
laptops, 3Com recommends that you enable com-  
puter authentication to achieve full functionality  
over your wireless connection.  
If you use computer authentication with different  
VLANs for the Computer and User accounts, you  
need to install Microsoft hotfix KB822596. Other-  
wise, DHCP will not operate correctly after the user  
Download current drivers for your NICs from the  
NIC vendor(s).  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
10  
WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES  
authenticates. You must contact Microsoft techni-  
cal support for this hotfix. It is not available from  
their website. For more information on computer  
authentication, see “Computer Authentication”.  
The Panther client will only connect successfully to  
an SSID which is only dynamic WEP, or only  
WPA/TKIP. Any other configuration involving WEP  
with WPA enabled or AES is not supported by the  
current Panther client. If you need to run both  
WPA/TKIP and Dynamic WEP at the same time you  
must configured separate service profiles for each  
encryption type in order to maintain compatibility  
with Macintosh clients.  
If you experience a delay in receiving your DHCP IP  
address wirelessly while using 802.1X authentication,  
you might need to install Microsoft hotfix KB829116.  
You must contact Microsoft technical support for this  
hotfix. It is not available from their website.  
The Panther client requires you to specify the inner  
and outer PEAP-MS-CHAP-V2 usernames in sepa-  
rate areas. Depending on your AAA backend, both  
usernames might require a domain prefix in the  
form of DOMAIN\username.  
Funk Odyssey The Funk Odyssey client is required  
when you require WPA support on Windows 2000,  
or when you need to authenticate to an LDAP  
backend database that does not support  
MS-CHAP-V2 over LDAP. If you choose to use this  
client, please note the following:  
Computer Authentication  
Windows clients support 802.1X authentication of  
the computer itself. This is called computer authenti-  
cation (also known as machine authentication). Com-  
puter authentication is useful when you want your  
computer to be active on the domain even when no  
users are logged in to the computer.  
Download the latest version from Funk’s website  
Be sure to turn off Wireless Zero Config in Win-  
dows 2000 by disabling the service.  
If your wireless NIC’s driver includes the AEGIS pro-  
tocol manager for WPA support, 3Com recom-  
mends against installing it. Some drivers install this  
automatically if you run the setup.exe utility to  
install the driver. 3Com recommends that you  
update the driver manually using the driver proper-  
ties in the Network control panel instead of install-  
ing the client manager.  
Some features of Windows XP Professional and Win-  
dows 2000 Professional work correctly only with an  
active network connection to the domain controller  
enabled before a user is logged on to the PC. Using  
computer authentication ensures that this network  
connection is established during the boot sequence,  
providing a wire-like infrastructure that allows you to  
use the following features on a wireless network.  
Macintosh OS/X OS/X Version 10.3, also known  
as Panther, includes an 802.1X client that supports  
Dynamic WEP and WPA/TKIP. If you choose to use  
this client, please note the following:  
The following table lists Microsoft networking fea-  
tures that require computer authentication.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Points to Note When Using the WXR100, WX1200, WX4400, or WX2200  
tory domain. Microsoft Knowledgebase Article  
Scenario Requiring Computer Authentication  
11  
Feature  
KB313407 explains how to enable the automatic  
distribution of computer certificates through  
Active Directory.  
Active Directory computer  
Group Policy  
Computer–based Group Policy is applied during  
computer start up and at timed intervals—even  
when no on is logged in to windows.  
Network logon scripts  
Network logon scripts are run during initial user  
login.  
If the user and machine accounts use different  
VLANs, you must install hotfixes on the client PCs  
to enable them to DHCP for a new IP address  
when the user authentications. Windows XP  
requires either the WPA Rollup Hotfix (KB826942)  
or Hotfix KB822596. Windows 2000 requires  
hotfix KB822596.  
Systems management  
agents  
Systems management application agents such as  
those that come with Microsoft Systems Manage-  
ment Server (SMS) frequently need network  
access without user intervention.  
Remote Desktop Connec-  
tion  
Computers are accessible from Windows Remote  
Desktop Connection when no one is logged in to  
windows.  
Shared folders  
Files and folders shared from a computer are still  
available, even when no user is logged in.  
Using PEAP-MS-CHAP-V2 with computer authenti-  
cation will allow users who have never logged on  
to a PC authenticate wirelessly without having to  
login to the PC over a wired connection the first  
time. EAP-TLS still requires the user to connect to  
the network over a wired connection to generate a  
profile on the PC and a user certificate.  
Configuring computer authentication on the client is  
simple, though it requires the use of the Microsoft  
802.1X client built-in to Windows XP and Windows  
2000. Keep the following information in mind when  
configuring computer authentication on Microsoft  
clients:  
Enabling computer authentication also requires minor  
reconfiguration of Active Directory and IAS. Please  
note the following when configuring computer  
authentication on an active directory domain:  
To enable computer authentication, go to the  
Authentication tab where you normally select  
your 802.1X authentication method and enable  
the checkbox labeled Authenticate as computer  
when computer information is available.  
You must grant dial-in access for the computer  
accounts in Active Directory that you wish to enable  
computer authentication on. If the tab to configure  
dial-in access does not appear, follow the directions  
in Microsoft Knowledgebase article KB306260.  
The authentication protocol that is configured for  
your user accounts will also be used for the com-  
puter account.  
If the EAP protocol you are using requires client  
certificates, you must use the Microsoft Enterprise  
Certificate Authority built-in to Windows 2000  
Server and Windows Server 2003 to generate  
Computer certificates for PCs on your active direc-  
Review your remote access policies in IAS to insure  
that the computer accounts have appropriate  
group membership to allow them to match the  
proper policy.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
12  
WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES  
Computer authentication also requires specific con-  
figuration considerations on the WX switch:  
ture. A result of NT (Not Tested) indicates that the fea-  
ture was not tested.  
The username of a computer authentication connection  
will be in the form of host/fully-qualified-domain-name,  
for example host/bob-laptop.3Com.com or  
RADIUS Servers Tested  
Win  
Win  
Funk  
Cisco  
ACS  
Free-  
Configuration  
2000 IAS 2003 IAS Steel  
Radius  
(Linux)  
host/tac1-laptop.support.3Com.com. This username is  
the same regardless of the configured protocol  
(PEAP-MS-CHAP-V2 or EAP-TLS). An appropriate user-  
glob would be host/*.domain.com where domain.com  
is the Active Directory domain name. Alternatively, in a  
smaller deployment you could use a userglob of ** and  
have both user and computer authentication go to the  
same RADIUS server.  
Belted  
Radius  
PEAP-MS-CHAP-V2 Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
PEAP-MS-CHAP-V2 Pass  
Offload  
EAP-TLS  
Pass  
NA  
Pass  
NA  
Pass  
Pass  
Pass  
NT  
Pass  
NT  
EAP-TTLS  
NA  
Pass  
Single-Sign-On  
Active Directory &  
PEAP-MS-CHAP-V2  
Pass  
Pass  
NA  
PEAP-MS-CHAP-V2 offload mode is not supported  
with computer authentication. You must use  
pass-through 802.1X authentication policies with  
computer authentication.  
Single-Sign-On  
LDAP & EAP-TTLS  
NA  
NA  
Pass  
NT  
NT  
3Com VSAs  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
Pass  
MAC-based  
authentication  
AAA  
The following table lists the AAA servers and configu-  
rations that have been tested with MSS. Tests were  
performed to a local user database in most cases, and  
additionally to Microsoft Active Directory and LDAP  
with specific protocols as noted in the table. The tests  
were initially performed using Dynamic WEP, though  
subsequent testing has revealed no noticeable differ-  
ences in RADIUS compatibility when using WPA.  
Microsoft Active  
Directory computer  
authentication  
Pass  
Pass  
NA  
Pass  
NA  
Testing notes Single-Sign-On is defined as clients  
being able to use the same username and password  
for 802.1X authentication that they use to authenti-  
cate with network services and logon to their local PC.  
A Pass result for 3Com VSAs indicates that the  
VSAs were able to be added to the RADIUS server  
manually. Future versions of Steel Belted RADIUS  
and FreeRadius are planned to include standard  
definitions of the 3Com VSAs.  
A result of Pass indicates that the combination is sup-  
ported by MSS. A result of NA (Not Applicable) indi-  
cates that the RADIUS server tested does not support  
the feature. A result of Fail indicates that the RADIUS  
server does not interoperate with MSS for that fea-  
Funk Steel Belted Radius version used for testing is  
4.53  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Points to Note When Using the WXR100, WX1200, WX4400, or WX2200  
13  
Windows 2000 with Service Pack 4  
ent’s re-association attempt because the key infor-  
mation presented by the client is invalid.  
Cisco ACS 3.2 or later is required to support  
PEAP-MS-CHAP-V2  
If you experience this issue, clear the Session-Time-  
out attribute on the affected users.  
WPA  
The WX switch will not force a reauthentication of  
WPA/TKIP and WPA/CCMP users periodically like it  
does with dynamic WEP users.  
WPA compatibility testing was conducted with a vari-  
ety of NICs. See “Wireless NICs” for complete details  
of the results. If you choose to use WPA to secure  
your wireless network, please note the following:  
Do not use the set service-profile  
shared-key-auth command in a WPA configura-  
tion. This command does not enable PSK authenti-  
cation for WPA. To enable PSK for WPA, use the  
set service-profile auth-psk command.  
CCMP (AES 802.11i draft support) is supported only  
when it is the only encryption type enabled on that  
SSID. Enabling TKIP or Dynamic WEP on the same  
SSID with CCMP can cause serious connectivity  
issues as most clients do not properly support this  
configuration. 3Com recommends that you create a  
separate service profile and SSID for WPA/CCMP.  
Use one WPA authentication method per SSID,  
either 802.1X authentication or preshared key  
(PSK) authentication, but not both.  
Enabling TKIP and Dynamic WEP on the same SSID  
is not recommended. This configuration forces the  
group key (multicast/broadcast key) to use the  
lowest common encryption type, in this case  
Dynamic WEP. Additionally, compatibility with  
wireless NICs is reduced.  
Security — Best Practice When Mixing Encrypted  
Access and Clear Access  
It is possible to configure a RADIUS server or a WX  
switchs local authentication database so that a user  
with encrypted access and a user with unencrypted  
access are authorized to join the same VLAN from dif-  
ferent SSIDs. This configuration might allow a hacker  
to more quickly discover keys by listening to both the  
encrypted traffic and unencrypted traffic for compari-  
sons. You can either use the MSS SSID VSA or the  
encryption assignment VSA to prevent this problem.  
Downloading the latest drivers for your wireless  
NIC is strongly recommended. See “802.1X Cli-  
ents” for specific information on installing drivers  
for your operating system.  
When a session key is changed, Microsoft WPA cli-  
ents can sometimes incorrectly start using the new  
key before the end of the four-way handshake that  
is used to establish the key information. This issue  
can occur when the session timeout for the client  
session expires. As a result, the MAP rejects the cli-  
If you only have one VLAN that each MAC-auth client  
should connect to, add the SSID VSA to the account  
for the MAC-address (either local or RADIUS). This  
will force the WX switch to only allow that MAC  
address to connect to the specified SSID.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
14  
WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES  
If you require the same MAC user to be able to con-  
nect to more than one SSID, you can use encryption  
assignment to enforce the type of encryption a user  
or group must have to access the network. When you  
assign the Encryption-Type attribute to a user or  
group, the encryption type or types are entered as an  
authorization attribute into the user or group record  
in the local WX switch database or on the RADIUS  
server. Encryption-Type is an MSS VSA. Clients who  
attempt to use an unauthorized encryption method  
are rejected. In this way, a client could connect to any  
WEP encrypted SSID, but not a clear SSID. (See the  
Wireless LAN Switch and Controller Configuration  
Guide for more information.)  
If you use a self-signed certificate, configure the cli-  
ents to not validate server certificates. If a client is  
configured to validate server certificates, the client  
will not be able to validate a self-signed certificate  
from the WX switch.  
Usernames  
3Com recommends that you do not create usernames  
that have the same spelling but use different case. For  
example, do not create both username dang and  
username DANG.  
Security Best Practices  
MSS and 3WXM provide robust options for securing  
Passwords  
management access, to WX switches and to the  
3WXM client and 3WXM monitoring service. To opti-  
mize security for management access, use the follow-  
ing best practices.  
The CLI, as well as 3WXM, can be secured using pass-  
words. By default, the following access types do not have  
passwords configured. Each uses a separate password.  
Console access to the CLI. To secure console  
access, configure a username and password in the  
WX switch’s local database, using the set user  
command. After you configure at least one user-  
name and password and an access rule to permit  
them, access to the CLI through the console  
requires a password. (Access through Telnet or SSH  
is not possible without a password, even on an  
unconfigured switch.)  
Certificates  
When anyone attempts to access a WX switch, the  
switch authenticates itself by presenting a signed cer-  
tificate to the management application that is  
requesting access. The switchs certificate can come  
from a certificate authority (CA) or it can be gener-  
ated and signed by the switch itself.  
3Com recommends that you use certificates assigned  
by a CA. Certificates from a trusted CA are more  
secure than self-signed certificates. Here are some  
trusted CAs:  
Access to the enable (configuration) level of the  
CLI, through the console, or through Telnet or SSH.  
To secure enable access, configure the enable  
password using the set enablepass command.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Points to Note When Using the WXR100, WX1200, WX4400, or WX2200  
15  
Access to 3WXM. To secure access, configure user  
Configure a username and password, so that MSS  
requires login even for console access. Usernames  
and their passwords are not specific to the type of  
management access. You can use the same username  
and password for access through the console, Telnet,  
or SSH.  
accounts within 3WXM.  
Access to the 3WXM monitoring service. To secure  
access, configure user accounts within the moni-  
toring service.  
Do not use passwords that are easy to guess, such  
as vehicle registration plates, family birthdays and  
names, or common words. Use combinations of  
uppercase and lowercase letters as well as num-  
bers in all passwords.  
Leave Telnet disabled unless you need it. Use SSH  
instead.  
Web Access  
WebView uses HTTPS for encrypted communications  
and certificate-based server authentication, and  
requires use of the enable password.  
SNMP  
SNMP is disabled by default. 3Com recommends that  
you leave SNMP disabled unless you are using 3Com  
Network Director or a similar product to manage your  
wired network. If you do need to use SNMP, do not  
use the well-known community strings public (com-  
monly used for read-only access) or private (com-  
monly used for read-write access.) By default, no  
SNMP community strings are configured. Use SNMP  
on an isolated management VLAN so that the clear  
text community strings are not visible on the public  
network.  
WebView access through HTTPS is disabled by  
default. Unless you need to use WebView, leave the  
HTTPS server on the WX switch disabled. (Even  
though 3WXM also uses HTTPS, disabling the HTTPS  
server does not disable access by 3WXM.)  
If you do need to use WebView, you can enable it  
using the set ip https server enable command. Use  
the following best practices to preserve or increase  
the security level related to Web access:  
To disable SNMP (if not already disabled), use the set  
ip snmp server disable command.  
Use an enable password that follows the password  
recommendations given above.  
To change the community strings, use the set snmp  
community command.  
Use a CA-signed certificate instead of a self-signed  
certificate on the WX switch.  
CLI Access  
If a user’s client does not trust the certificate, the user  
might experience an additional delay during login. To  
avoid the additional delay, use a certificate signed by  
your CA or an Internet CA.  
MSS allows CLI access through the console, through  
Telnet, and through SSH. Console and SSH access are  
enabled by default. Telnet is disabled by default.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
16  
WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES  
3WXM  
mentation and its configuration requirements  
changed in MSS Version 4.0.  
By default, access to 3WXM and the 3WXM monitor-  
ing service do not require passwords. To secure  
access, configure user accounts within each instance  
of 3WXM and the monitoring service.  
Communication Between the WX Switch and 3WXM  
or WebView  
Administration certificate requirement (11974)  
The monitoring service uses a signed certificate for  
authentication. The service has a self-signed certifi-  
cate by default. For added security, used a certificate  
signed by a CA instead. To use a CA-signed certifi-  
cate, install the certificate in a key store file on the  
machine where the monitoring service is installed,  
and change the name of the key store file used by the  
monitoring service from its default to the one where  
you installed the certificate signed by the CA.  
Before the WX switch can communicate successfully  
with 3WXM, you must create an administrative  
encryption certificate on the WX switch. For details,  
see the Wireless LAN Switch and Controller Installa-  
tion and Basic Configuration Guide.  
Mobility Domain(Multiple WX Switch) Best Practices  
3Com recommends that you run the same MSS  
version on all WX switches in a Mobility Domain.  
Guest Access (unencrypted SSIDs)  
If you need to prevent all guest access (access to  
unencrypted SSIDs):  
Helpful commands  
Use the following commands to verify the proper  
operation of a Mobility Domain in support of features  
such as subnet roaming:  
Do not create any service profiles for SSID type  
clear.  
Delete any existing service profiles for a clear SSID.  
display mobility-domain status — In a func-  
tioning Mobility Domain, the output on every WX  
switch displays every WX switch in the Mobility  
Domain.  
WebAAA Best Practices  
If you plan to use WebAAA, see the “Configuring  
WebAAA” section in the “Configuring AAA for Net-  
work Users” chapter of the Wireless LAN Switch and  
Controller Configuration Guide. The section has con-  
figuration requirements and recommendations, in  
addition to an overview of the WebAAA process.  
display roaming vlan — In a functioning Mobility  
Domain, the output on every WX switch displays  
the network-attached VLAN of every other WX  
switch in the Mobility Domain.  
Other useful commands, documented in the Wireless  
LAN Switch and Controller Command Reference,  
include display tunnel and display roaming station.  
If you are upgrading from MSS Version 3.2, 3Com  
recommends that you read the manual even if the  
switch already uses WebAAA. The WebAAA imple-  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Points to Note When Using the WXR100, WX1200, WX4400, or WX2200  
17  
reports using a 0.0.0.0 source IP address. In this  
case, either assign an IP address to the VLAN inter-  
face on the WX switch or disable IGMP proxy  
reporting. To disable proxy reporting, use the  
command set igmp proxy-report disable.  
Distributed MAP Best Practice When Using STP  
A Distributed MAP is a leaf device. You need not  
enable STP on the port directly connected to the MAP.  
If Spanning Tree Protocol (STP) is enabled on the port  
that is directly connected to a Distributed MAP, you  
might need to change the STP configuration on the  
port to allow the MAP to boot.  
Disabling proxy reporting can increase IGMP over-  
head traffic to the multicast router.  
Enable the IGMP querier only if needed. The IGMP  
pseudo-querier function is disabled by default.  
Enable it only if the source of a multicast stream is  
on a subnet the WX switch is also connected to. If  
this is the case, you must assign an IP address to  
the VLAN interface. The IP address must be higher  
than the IP address of the querier multicast router  
on the same subnet. To enable the IGMP  
STP on a port directly connected to a Distributed MAP  
can prevent the MAP from booting.  
Use IGMP Snooping Effectively  
Using IGMP (11909, 12863, 12866)  
MSS supports the Internet Engineering Task Force  
(IETF) draft draft-ietf-magma-snoop for controlling  
the forwarding of IP multicast traffic by a Layer 2  
switch. The draft mandates the use of a 0.0.0.0  
source IP address if no IP address is available on the  
switch for the subnet. However, some multicast rout-  
ers and even other Layer 2 switches report errors in  
the presence of the 0.0.0.0 source IP address.  
pseudo-querier, use the command set igmp  
querier enable.  
Disable multicast router discovery. This multicast  
router solicitation protocol (part of  
draft-ietf-magma-snoop) is known to cause error  
messages with other IGMP snooping switches and  
multicast routers. To disable the protocol, use the  
command set igmp mrsol disable. (The protocol  
is disabled by default in the current software  
version.)  
Apply the following methods to use IGMP snooping  
effectively:  
Set IP addresses on all VLAN interfaces. This  
straightforward workaround prevents most known  
issues. If querier functionality might be needed,  
ensure that the IP address of the WX switch VLAN  
is higher than the address of any multicast router  
servicing the same subnet.  
User ACLs Require Explicit Source and Destination  
Addresses  
A user ACL is an ACL that is applied to a specific user-  
name. You can apply ACLs to a users inbound or out-  
bound wireless traffic. For a user ACL to take effect,  
you must explicitly set both the source and destina-  
tion addresses in the ACL.  
Consider disabling IGMP proxy reporting. The  
IGMP proxy reporting function is enabled by  
default, but some multicast routers do not accept  
Download from Www.Somanuals.com. All Manuals Search And Download.  
18  
WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES  
Rogue Detection Active Scan Interval Is Longer  
During a SpectraLink SVP Call. (23317)  
System Parameter Support  
The following tables list the recommended or maxi-  
mum supported values for major system parameters.  
The active scan feature can be used during SVP calls.  
However, when a call is active, the interval at which  
active scan goes off-channel to look for rogues in-  
creases from once a second to once every 60 seconds.  
Mobility System Parameter  
Supported Value  
WX switches in a single Network  
Domain  
500  
Due to the longer interval between active scans, it can  
take longer for MSS to detect a rogue AP when an  
SVP call is active. Generally, detection of a rogue  
while a call is active can take from 3.5 to around 7.5  
minutes. To reduce the detection time, add more  
MAPs to the coverage area.  
WX switches in a single Mobility  
Domain  
32  
Roaming VLANs per WX switch  
300  
Does not include local statically config-  
ured VLANs  
VLANs per Mobility Domain  
400  
This number consists of 300 roaming  
VLANs plus 100 local statically config-  
ured VLANs.  
Active Scanning and the AP3850  
MAPs per WX  
WX4400:  
Active Scanning is not supported and must not be  
used with the AP3850 for the following countries:  
300 configured  
Up to 120 active, depending on  
the MAP type and licensing  
Argentina (AR)  
Australia (AU)  
Bolivia (BO)  
Brazil (BR)  
Canada (CA)  
Malaysia (MY)  
Mexico (MX)  
New Zealand (NZ)  
Panama (PA)  
Puerto Rico (PR)  
Singapore (SG)  
South Africa (ZA)  
Taiwan (TW)  
United States (US)  
Uruguay (UY)  
WX2200:  
320 configured  
Up to 120 active, depending on  
the MAP type and licensing  
China (CN)  
WX1200:  
Colombia (CO)  
Dominican Republic (DO)  
Guatemala (GT)  
Hong Kong (HK)  
30 configured  
12 active  
WXR100:  
8 configured  
3 active  
IPv6 Support  
Includes directly attached MAPs and  
Distributed MAPs. Inactive configura-  
tions are backups.  
MSS 6.0 can forward IPv6 traffic transparently, at  
Layer 2. IPv6 clients in the same subnet can communi-  
cate with one another through a WX switch. How-  
ever, MSS 6.0 does not support communication of  
IPv6 clients across subnets.  
Minimum link speed within a Mobility 128 Kbps  
Domain  
Download from Www.Somanuals.com. All Manuals Search And Download.  
System Parameter Support  
19  
Network Parameter  
Supported Value  
Management Parameter  
Supported Value  
Forwarding database entries  
WX4400: 16383  
WX2200: 16383  
WX1200: 8192  
WXR100: 8192  
Maximum instances of Wireless Switch  
Manager (3WXM) simultaneously  
managing a network  
3
Telnet management sessions  
WX4400: 8  
WX2200: 8  
WX1200: 4  
WXR100: 4  
The maximum combined number of  
management sessions for Telnet and  
SSH together is 8, in any combination.  
Statically configured VLANs  
100  
Virtual ports (sum of all statically con- 256  
figured VLAN physical port member-  
ships)  
Spanning trees (STP/PVST+ instances) 64  
SSHv2 management sessions  
WX4400: 8  
WX2200: 8  
WX1200: 4  
WXR100: 4  
ACLs and Location Policies  
ACEs per switch:  
WX4400: 2308  
WX2200: 2308  
WX1200: 700  
Telnet client sessions (client for remote WX4400: 8  
login)  
WXR100: 700  
ACEs per ACL:  
WX2200: 8  
WX1200: 4  
WXR100: 4  
WX4400: 267  
NTP servers  
3
8
4
WX2200: 267  
SNMP trap receivers  
Syslog servers  
RADIUS servers  
WX1200: 267  
WXR100: 25  
Location Policies per switch: 1  
100 configured on the switch  
10 in a server group  
4 server groups in a AAA rule  
The Location Policy can have up to 150  
rules.  
IGMP streams  
500  
Replication of a stream on multiple  
VLANs counts as a separate stream on  
each VLAN.  
Client and Session Parameter  
Supported Value  
Authenticated and associated clients  
per radio  
100  
Clients who are authenticated but not  
yet associated are included in the total.  
Active clients per radio  
50  
Total number of active clients simulta-  
neously sending or receiving data.  
Wired authentication users per port  
500  
Download from Www.Somanuals.com. All Manuals Search And Download.  
20  
WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES  
When upgrading systems with large  
Client and Session Parameter  
Supported Value  
configurations, it may be necessary to save the  
configuration to a backup file. (41330)  
Active AAA sessions (clients trying to  
establish active connections) per WX  
switch  
WX4400: 2500  
WX2200: 3200  
WX1200: 300  
WXR100: 75  
These are the suggested maximums.  
The switch might be able to support  
even more sessions, but performance  
or system stability might be affected.  
When upgrading systems with very large configura-  
tions, for example, hundreds of APs or hundreds of  
users, it may be necessary to save the configuration to  
a backup file, generate a minimal configuration, per-  
form the update, load the backup configuration from  
the command line, and then save the configuration.  
AAA users configured in local data-  
base  
WX4400: 999  
WX2200: 999  
WX1200: 250  
WXR100: 250  
Time and date do not synchronize with an NTP  
server, if the switch's NTP client is enabled  
before the NTP service is started on the server.  
(20382)  
Known Problems  
Using set ap <apnum> boot configuration  
commands. (38517)  
System Configuration Issues  
The set ap <apnum> boot-configuration switch  
switch-ip cannot be set at the same time as set ap  
<apnum> boot-configuration switch name  
<switch-name> dns <ip addr>. The commands  
overwrite each other when used.  
Adding a static VLAN with the same name as a  
VLAN whose traffic is being tunneled through  
the switch can cause the switch to restart.  
(18367)  
MSS can tunnel traffic for a VLAN through a WX  
switch that does not have that VLAN statically config-  
ured. If you attempt to add a static VLAN to a switch  
that is already tunneling traffic for a VLAN with the  
same name, the switch can restart.  
The auto-config feature does not work properly  
if the 3WXM server is unreachable when the  
auto-config feature is enabled. (44477)  
To work around this issue, be sure that the 3WXM  
server is reachable from the wireless switch before  
you enable auto-config. If auto-config is enabled by  
default on the wireless switch, be sure that the  
3WXM server is reachable before you boot the wire-  
less switch.  
To create the VLAN, clear the Mobility Domain config-  
uration from the switch, create the VLAN, and then  
configure the Mobility Domain again.  
The default value for RADIUS “deadtime” shown  
in the CLI help is incorrect. (41689)  
The correct default value is 0.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Known Problems  
21  
Static IP settings do not work on the 8x50 or  
AP7250 Access Points. (28529)  
Mixing Autonegotiation with full-duplex mode  
on a link causes slow throughput and can cause  
a WX port to stop forwarding. (26276)  
The configuration of static settings including VLAN  
tag, WX IP, WX name, AP IP and AP IP mask are not  
supported on the AP8750, AP8250, or AP7250.  
3Com recommends that you do not configure the mode  
of a WX port so that one side of the link is set to autone-  
gotiation while the other side is set to full-duplex.  
Switching and Port Issues  
Although MSS allows this configuration, it can result  
in slow throughput on the link. The slow throughput  
occurs because the side that is configured for autone-  
gotiation falls back to half-duplex. A stream of large  
packets sent to a WX port in such a configuration can  
cause forwarding on the link to stop.  
Port Mirroring is not active after the switch is  
rebooted. (29684)  
Port mirroring configuration cannot be saved and is  
not retained through reboots of the WX switch.  
Router redundancy protocol on intermediary  
devices between WX switches in a Mobility  
Domain can interfere with communication  
among the switches. (16910)  
Antenna sensing has been deprecated from  
system software. The antenna configuration is  
the authoritative source to enabling external  
antenna operation on the AP, even if the  
external antenna isn't actually connected.  
(34904)  
If the Mobility Domain contains intermediary switches  
or routers that use a router redundancy protocol, WX  
switches that communicate through those intermedi-  
ary devices might lose communication with one other  
due to the way some router redundancy protocols  
handle MAC addresses. If this issue occurs, log mes-  
sages appear periodically on the seed WX switch indi-  
cating that member WX switches are entering or  
leaving the Mobility Domain.  
FDB entry is not cleared when tagging mode on  
a port changes. (44970)  
When the tagging mode on a port is changed,  
learned entries in the fdb are not cleared. As a result,  
connectivity may be lost. To work around this issue  
and restore connectivity, clear the fdb manually.  
Set the FDB timer (default 300 seconds) and the ARP  
timer (default 1200 seconds) to the same values on  
the WX switches. 3Com recommends using 300 sec-  
onds as the value for both timers. To set the FDB  
timer, use the set fdb agingtime command. To set  
the ARP timer, use the set arp agingtime command.  
Client connecting to local switched untethered  
AP causes Mesh APs to time out. (44982)  
In some configurations, a client connecting to a mesh  
AP that also has local switching enabled will cause  
other mesh APs in the network to time out and  
reboot.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
22  
WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES  
A distributed AP may not successfully boot if  
Port 1 of the AP has an operational Ethernet  
link, but an WX is unreachable via this data link.  
(38807)  
Mesh Issues  
The Ethernet port is not brought up on the  
bridge link if it was not up when the mesh link is  
established. (46037)  
All other combinations of power and data connectiv-  
ity are fully supported.  
If the mesh AP is brought up without the Ethernet  
port connected, after the mesh link is established, the  
bridge link will not come up and no traffic will flow  
through the AP to the Ethernet port. To work around  
this issue and restore connectivity, reset the mesh AP  
ensuring that the Ethernet port is always up by con-  
necting a hub or switch to the mesh AP Ethernet port.  
Distributed MAP can change IP addresses during  
boot sequence in environments with multiple  
DHCP servers. (16499)  
To become fully active, a Distributed MAP does a full  
restart after downloading its software image. The first  
time the MAP is powered up, it sends a DHCP dis-  
cover for an IP address, uses DNS to find its config-  
ured WX switch, and then downloads its software  
image from that WX.  
MAP Issues  
Distributed MAPs and Link Autonegotiation (16726)  
The Ethernet interfaces on a MAP are configured to  
autonegotiate the link speed (10 Mbps or 100 Mbps)  
and mode (half duplex or full duplex). The setting  
cannot be changed. A common setting on third-party  
switches is 100 Mbps, with full duplex. If you connect  
a Distributed MAP to a port that is set for 100 Mbps  
with full duplex, the MAP operates at 100 Mbps with  
half duplex. This results in an unusable link. Configure  
the port on the other device to autonegotiate.  
After downloading the image, the MAP restarts itself  
with the downloaded image and sends a second  
DHCP discover to again obtain its IP address. In a net-  
work containing more than one DHCP server, it is pos-  
sible for the MAP to use one IP address when  
downloading the image, but end up with a second IP  
address after rebooting the second time. This can  
occur if the DHCP server that responds to the DHCP  
request after the second reboot is not the same server  
that responded to the first request.  
Wireless clients connected to directly attached  
APs may not display as connected in the show  
system output information. (41792)  
This issue does not prevent the MAP from operating  
normally but can make managing the MAP more diffi-  
cult if the address the MAP receives the second time is  
not predictable. To prevent the MAP from using more  
than one address, use static address assignment in  
your DHCP server.  
When connected to the network using an Intel  
2100 wireless network card, large file transfers  
may cause the wireless client to disconnect.  
(40721)  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Known Problems  
23  
configured to automatically use the users Windows  
login information as the network login information,  
the interval is too short for users who must manually  
enter their network login information.  
WebView Issues  
Unless otherwise noted, the workaround for Web-  
View issues is to use the CLI or 3WXM.  
WebView does not display more than 32 service  
profiles. (18374)  
If the network has clients that do not automatically  
use the Windows username and password as the net-  
work username and password, use the set dot1x  
tx-period command to increase the retransmit time.  
WebView allows configuration of duplicate SSID  
names in the same service profile. (18375)  
CAUTION: Changes to 802.1X parameters affect all  
SSIDs managed by the WX switch.  
In WebView, self-signed certificate for network  
user is not accepted with only a Common Name  
value. (15651)  
Deleting a user group or MAC user group does  
not delete membership from its members.  
(14833)  
If you use WebView to configure a self-signed certifi-  
cate for network users, the switch does not generate  
the certificate if you enter information only in the  
Common Name field and not in other fields.  
If you type the clear usergroup or clear mac-user-  
group command to delete a user group or MAC user  
group, the display aaa command shows that the  
user group is gone. However, the user profiles for the  
users still list them as members of the deleted groups.  
This issue does not affect the CLI. In the CLI, you can  
generate a self-signed certificate with only the  
common name specified. Use the CLI to generate the  
certificate or use the additional fields in WebView.  
Use the clear user group and clear mac-user group  
commands in addition to the clear usergroup and  
clear mac-usergroup commands to explicitly remove  
individual users or MAC users from a group.  
If you are running Linux Redhat 9 and use  
Firefox 2.0 to open WebView, the browser may  
become unresponsive. (40676)  
This behavior is noted on the WX2200 and WX4400.  
CLI allows set authentication dot1x command  
with invalid combination of pass-through and  
local options. (15562)  
AAA and RADIUS Issues  
The CLI allows you to enter a command such as the  
following:  
Default 802.1X retransmit interval is too short  
for manual login. (18032)  
set authentication dot1x ssid any * pass-through  
local  
The default 802.1X retransmit interval is 5 seconds.  
Although this interval is adequate for clients that are  
Download from Www.Somanuals.com. All Manuals Search And Download.  
24  
WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES  
The pass-through and local AAA methods are mutually  
exclusive. Even if a server group named local exists,  
MSS does not use the group. In either case, the EAP  
session fails and the 802.11 session is deauthenticated  
CAUTION: Changes to 802.1X parameters affect all  
SSIDs managed by the WX switch.  
WebAAA Issues  
when the client responds to the first identity request.  
WebAAA using a Windows client and a WX  
switch that has a self-signed certificate can  
intermittently fail if Windows is configured to  
update root certificates. (18597)  
Do not name a server group local and do not attempt  
to mix mutually exclusive authentication methods in  
the same command.  
If the WX switch uses a self-signed certificate (as  
opposed to a CA-issued certificate), and the Microsoft  
OS on the WebAAA client is configured to update  
root certificates (the default setting), Windows tries to  
contact microsoft.com to get updated certificates.  
Incorrect zero value for Acct-Authentic appears  
in accounting statistics. (14851)  
In the output of the display accounting statistics  
command, the Acct-Authentic field in accounting  
records always displays 0 (zero) to indicate the loca-  
tion where a user was authenticated for the session.  
The correct value is 1 (one) if RADIUS performed  
authentication or 2 if authentication took place in the  
local WX database.  
This causes a 15-second delay, after which IE displays  
a popup dialog asking whether the user wants to  
accept the untrusted certificate from the WX.  
Even when the user selects Yes, IE sometimes does  
not display the WebAAA Login page served by the  
WX switch.  
Ignore the Acct-Authentic value in display account-  
ing statistics output.  
Clients using Intel 3945ABG wireless NIC were  
unable to connect reliably to network. (28863)  
This issue occurs intermittently. If the issue occurs,  
reattempt the login.  
Some client laptops using the Intel 3945ABG adapter  
card were not able to connect reliably to the network  
because the client ignored the initial GKHS message  
sent by the WX switch, timed out, and deassociated  
before the switch could retransmit the GKHS mes-  
sage.  
IPv6 clients cannot authenticate using Web  
Portal. (26291)  
The web-portal ACL does not work on IPv6 traffic.  
IPv6 clients will not be able to authenticate using Web  
Portal unless the clients also run IPv4.  
To work around this problem, set the 802.1X suppli-  
cant timeout to 1 second. To do this, use the set  
dot1x timeout supplicant command.  
This issue affects Web-Portal authentication only. The  
other authentication types (802.1X, MAC, and Last  
Resort) can be used with IPv6 clients.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Known Problems  
25  
The Unicast bytes fields in display sessions  
network sessions-id output can show a negative  
number. (18174)  
ACL Issues  
ACE names that begin with CLI keywords are not  
supported. (17521)  
IGMP Snooping and IP Multicast Issues  
When configuring an access control entry (ACE), if  
the name you specify for the ACE begins with a word  
that is also a keyword used by the CLI, the CLI rejects  
the ACE name. In the following examples, the ACE  
names that begin with port and vlan are rejected, but  
the ACE name that starts with abc, which is not a CLI  
keyword, is accepted:  
IP multicast streams can stop for all receivers on  
a MAP if IGMP snooping is disabled. (15971)  
If you disable IGMP snooping, all clients that are  
receiving a multicast group stream through a MAP  
stop receiving the stream if one of the clients leaves  
the group.  
WX1200# set security acl ip port_abc deny  
0.0.0.0 255.255.255.255  
Do not disable IGMP snooping. (The feature is  
enabled by default.)  
error: Wrong ACL name input = port_abc  
WX1200# set security acl ip vlan_abc deny  
0.0.0.0 255.255.255.255  
Invalid IP multicast forwarded. (12784)  
error: Wrong ACL name input = vlan_abc  
IGMP multicast streams with an invalid source IP  
address (for example, 0.0.0.0) are forwarded by the  
WX switch.  
WX1200# set security acl ip abc_port deny  
0.0.0.0 255.255.255.255  
Do not use a CLI keyword in the beginning of an ACE  
name.  
AP Issues  
APs that are part of the Mobility System are  
identified as Rogues. (44686)  
Session Issues  
In some cases, valid APs that are part of the 3Com  
Mobility System may appear as rogue APs. This condi-  
tion may be safely ignored.  
The display session network wired command  
does not list wired authentication sessions.  
(17829)  
If you use the wired option with the display ses-  
sions network command, no sessions are listed.  
AP3850 times out with high traffic on Bridge  
link. (45538)  
Use the display sessions network command, with-  
out the wired option. In this case, the wired authen-  
tication sessions are included in the output.  
The AP3850 may time out and reboot when in bridg-  
ing mode if a high level of traffic is sent across the  
bridge.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
26  
WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES  
Microsofts directions on how to change the default  
behavior of the Vista wireless client:  
Local Switching Issues  
In some instances, an error message containing  
Connecting to non-broadcast wireless networks in  
Windows Vista:  
“SSR setup failed.mac” and a multicast address  
can be ignored. (44605)  
Windows VISTA Issues  
IE 7 issues with self-signed web-portal  
certificates  
Windows Vista clients cannot connect to  
“hidden” SSIDs.  
Microsoft has introduced more strict client security in  
Internet Explorer 7.0 which makes the use of  
self-signed certificates more confusing for end-users.  
When the WX attempts to process a clients web-  
portal login request, a screen displays this notice:  
“There is a problem with this websites security certifi-  
cate” every time a client attempts to authenticate if  
the WX is using a self-signed certificate. While it is  
possible to choose the “Continue to this website”  
option, the user is discouraged from doing so for  
security reasons. This situation may lead to a notice-  
able increase in support calls from confused  
end-users.  
In its default configuration, Windows Vista does not  
connect to hidden “non-broadcast” SSIDs. Microsoft  
has changed this behavior in both Vista and the latest  
Windows client update for XP (KB# 917021) as part  
of an effort to increase security on wireless clients. For  
more information, please check the following URLS  
on Microsofts website:  
Non-broadcast Wireless Networks with Microsoft  
Windows:  
network/wifi/hiddennet.mspx  
Description of the Wireless Client Update for Win-  
dows XP with Service Pack 2:  
3Com recommends that you do not use self-signed  
certificates for Web-Portal. In addition to the security  
issues with using an unverified certificate, the user  
experience is severely affected for IE 7 users. Use Veri-  
sign or another less expensive certificate authority to  
purchase a third-party verified certificate. If you are  
not using one of the major Internet certificate author-  
ities (CA), verify that the CAs public certificate is  
included with all of the web browsers that you sup-  
port on your network.  
3Com recommends that, if you do not have direct  
control over the configuration of the wireless clients  
accessing your network, do not configure your service  
profiles with hidden SSIDs.  
If you do have direct control over client configuration,  
you can change the default behavior. Here is a link to  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Upgrading MSS  
27  
If you choose not to purchase a signed certificate  
from a third-party CA, you may choose to install the  
self-signed certificate into the trusted certificate store  
on every client that uses Web-Portal. IE 7 must be run  
with administrative privileges to perform this change,  
and it must be performed on each client who will use  
Web-Portal.  
3WXM support in Windows Vista  
3WXM does not officially support Windows Vista yet,  
so there may be some interoperability issues. Official  
support will be included in an upcoming release of  
3WXM. Known issues include installer issues for the  
standalone client and the server, as well as intermit-  
tent failures to launch the Webstart Client.  
Wildcard Certificates in Web portal not working  
with IE 7  
3Com recommends that you do not run the 3WXM  
server on Windows Vista or Longhorn; use Windows  
Server 2003 instead. For clients accessing a 3WXM  
server who have no other choice of OS, run the Java  
Webstart client or use Microsofts Remote Desktop”  
client to connect to a Windows XP computer and run  
the client from there.  
Internet Explorers handling of wildcard certificates  
changes between IE 6 and IE 7, and for older versions  
of MSS, wildcard SSL certificates will not work in IE 7  
with Web-Portal. A wildcard certificate is one that  
includes an asterisk as the hostname portion of the  
certificates common name. For example, a wildcard  
certificate for 3Com Corporation would have a  
common name of “*.3com.com”.  
Vista Client interoperability issues  
Vista client PCs have an interoperability problem with  
a Windows 2003 certificate server. The Windows  
2003 certificate server must be patched with some  
files from a Windows Longhorn server. This URL gives  
the details:  
3Com recommends that you upgrade to MSS  
5.0.11.4 or later. The Web Portal feature now handles  
wildcard certificates in a manner that is compatible  
with both IE 6 and IE 7.  
Windows Vista Driver interoperability issues  
Windows Vista drivers are relatively new and have not  
yet reached the maturity level of Windows XP drivers.  
Upgrading MSS  
Preparing the WX Switch for the Upgrade  
3Com recommends that you use the most recent  
Vista drivers available from the manufacturers web-  
site. If that does not resolve the issue, you can try to  
run the Windows XP drivers for your wireless NIC;  
some of them may run under Vista and provide better  
results.  
CAUTION: Create a backup of your WX switch  
files before you upgrade the switch. 3Com rec-  
ommends that you make a backup of the switch  
before you install the upgrade. If an error occurs  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
28  
WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES  
during the upgrade, you can restore your switch  
to its previous state.  
You can copy the image file only into the boot parti-  
tion that was not used for the most recent restart. For  
example, if the currently running image was booted  
from partition 0, you can copy the new image only  
into partition 1.  
Use this command to back up the switchs files:  
backup system [tftp://ip-addr/]filename  
[all | critical]  
4 Set the boot partition to the one with the upgrade  
image for the next restart.  
To restore a switch that has been backed up, use the  
following command:  
To verify that the new image file is installed, type dis-  
play boot.  
restore system [tftp://ip-addr/]filename  
[all | critical] [force]  
5 Reboot the software.  
To restart a WX switch and reboot the software, type  
the following command:  
“Upgrade Scenario” on page 28 of these Release  
Notes shows a sample use of the backup command.  
For more information about these commands, see the  
“Backing Up and Restoring the System” section in the  
“Managing System Files” chapter of the Wireless LAN  
Switch and Controller Configuration Guide.  
reset system [force]  
When you restart the WX switch, the switch boots  
using the new MSS image. The switch also sends the  
MAP version of the new boot image to MAPs and  
restarts the MAPs. After a MAP restarts, it checks the  
version of the new MAP boot image to make sure the  
boot image is newer than the boot image currently  
installed on the MAP. If the boot image is newer, the  
MAP completes installation of its new boot image by  
copying the boot image into the MAPs flash memory,  
which takes about 30 seconds, then restarts again.  
The upgrade of the MAP is complete after the second  
restart.  
If you have made configuration changes but have not  
saved the changes, use the save config command to  
save the changes before you backup the switch.  
If the switch is running an earlier version of MSS, use  
the copy tftp command to copy files from the switch  
onto a TFTP server.  
Upgrading an Individual Switch Using the CLI  
1 Back up the switch, using the backup system com-  
mand. (See “Preparing the WX Switch for the  
Upgrade” on page 27.)  
Upgrade Scenario  
To upgrade a switch (WX1200 used in this example)  
type commands such as the following.  
2 Copy the new system image onto a TFTP server.  
3 Copy the new system image file from the TFTP server  
This example copies the image file into boot  
partition 1. On your switch, copy the image file into  
the boot partition that was not used the last time the  
to a boot partition in the switchs nonvolatile storage.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Upgrading MSS  
29  
switch was restarted. For example, if the switch  
booted from boot partition 1, copy the new image  
into boot partition 0. To see boot partition informa-  
tion, type the display boot command.  
Command Changes During Upgrade  
The following table lists the commands that are dep-  
recated in MSS Version 4.2, and their replacements.  
4.1 Command  
4.2 Command  
WX1200# save config  
success: configuration saved.  
set radio-profile wmm  
set radio-profile long-retry  
set radio-profile short-retry  
set radio-profile qos-mode  
set service-profile long-retry  
set service-profile short-retry  
success: sent 28263 bytes in 0.324 seconds  
[ 87231 bytes/sec]  
boot1:wb042302.rel  
success: received 10266629 bytes in 92.427  
seconds [ 111078 bytes/sec]  
During upgrade, MSS makes the following changes to  
commands in 4.1 configuration files:  
set radio-profile name wmm enable is changed  
to set radio-profile name qos-mode wmm  
WX1200# set boot partition boot1  
success: Boot partition set to  
boot1:wb042302.rel (4.2.3.2.0).  
set radio-profile name wmm disable is changed  
to set radio-profile name qos-mode svp  
WX1200# display boot  
set radio-profile name long-retry and set  
radio-profile name short-retry are removed. The  
retry counts are reset to their default values and must  
be reconfigured manually, in the service profiles.  
Configured boot version:  
4.2.3.2.0  
Configured boot image:  
boot1:wb042302.rel  
Configured boot configuration:  
file:configuration  
In addition, MSS automatically adds a new option,  
encrypted, to set radius and set radius server com-  
mands that use the key option. The encrypted option  
encrypts the key string displayed in the configuration.  
Backup boot configuration:  
Booted version:  
file:backup.cfg  
4.1.5.1  
Booted image:  
boot1:wx040105.020  
The option encrypts display of the string but does not  
encrypt the actual string sent to RADIUS servers.  
RADIUS servers still receive the string that was entered  
with the set radius or set radius server command in  
MSS Version 4.0.  
Booted configuration:  
file:configuration  
Product model:  
WX1200  
WX1200# reset system force  
...... rebooting ......  
To ensure that the command change is saved after you  
upgrade, after you load the new image and restart the  
Download from Www.Somanuals.com. All Manuals Search And Download.  
30  
WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES  
Mobility System Software Copyright (c) 2002,  
2003 reserved.  
Build Information: (build#67) TOP  
switch, enter the save config command as soon the  
switch finishes restarting.  
Model:  
Hardware  
Mainboard: version 24 ; revision  
PoE board: version 1 ; FPGA  
Serial number 1234567890  
Flash: 4.1.0.14 - md0a  
WX  
For complete syntax information about the new com-  
mands and options, see the Wireless Switch Manager  
Command Reference.  
Installing Upgrade Activation Keys on a  
WX4400 or WX2200  
Kernal: 3.0.0#20: Fri May  
BootLoader: 4.10 / 4.1.0  
3 Install the license using the following command:  
The WX4400 and WX2200 can boot and manage up  
to 24 MAPs by default. You can increase the MAP  
support up to 120 MAPs, by installing activation keys.  
set license  
The following example shows how to install an  
upgrade license and activation key:  
To obtain an activation key, access the 3Com web site  
pair allows the switch to actively manage an addi-  
tional 24 MAPs. You can install up to four upgrade  
license and activation key pairs, to actively manage up  
to 120 MAPs.  
WX4400# set license WXL-076E-93E9-62DA-54D8  
WXA-3E04-4CC2-43OD-B508  
Serial Number: 1234567890  
License Number: 245  
License Key: WXL-076E-93E9-62DA-54D8  
Activation Key: WXA-3E04-4CC2-43OD-B508  
Feature: 24 additional ports  
Expires: Never  
To upgrade a WX license:  
48 ports are enabled  
success: license was installed  
1 Obtain a license coupon for the upgrade from 3Com  
or your reseller.  
2 Establish a management session with the WX switch  
Copyright © 2007, 3Com Corporation. All rights reserved.  
to display the switchs serial number.  
Unless otherwise indicated, 3Com registered trademarks are registered in the  
United States and may or may not be registered in other countries.  
To use the CLI to display the serial number, type the  
following command:  
3Com and the 3Com logo are registered trademarks of 3Com Corporation.  
Mobility Domain, Mobility Point, Mobility Profile, Mobility System, Mobility System  
Software, MP, MSS, and SentrySweep are trademarks of Trapeze Networks,  
Inc.Intel and Pentium are registered trademarks of Intel Corporation. Microsoft,  
MS-DOS, Windows, Windows XP, and Windows NT are registered trademarks of  
Microsoft Corporation.  
display version  
In the following example, the switch serial number is  
1234567890:  
All other company and product names may be trademarks of the respective  
companies with which they are associated.  
WX1200> display version  
Download from Www.Somanuals.com. All Manuals Search And Download.  

Acer Computer Monitor P221W User Manual
Acer Laptop TravelMate 4050 User Manual
Acnodes Car Video System RM 6193 User Manual
Alliance Laundry Systems Washer Dryer H242I User Manual
Alto Shaam Microwave Oven MN 29249RU User Manual
Amana Refrigerator Bottom Freezer Refrigerator User Manual
American Audio Mouse WM 16HH User Manual
Apple Network Router U10C012 User Manual
Axis Communications Security Camera Q1931E PT User Manual
Behringer Stereo Amplifier HA4700 HA8000 User Manual