NN47251-107_07_01_CLI_Reference

ACLI Commands Reference for AvayaWLAN 8100

Release 3.0NN47251-107

Issue 07.01June 2014

2014 Avaya Inc.All Rights Reserved.NoticeWhile reasonable efforts have been made to ensure that theinformation in this document is complete and accurate at the time ofprinting, Avaya assumes no liability for any errors. Avaya reservesthe right to make changes and corrections to the information in thisdocument without the obligation to notify any person or organizationof such changes.Documentation disclaimerDocumentation means information published by Avaya in varyingmediums which may include product information, operatinginstructions and performance specifications that Avaya may generallymake available to users of its products and Hosted Services.Documentation does not include marketing materials. Avaya shall notbe responsible for any modifications, additions, or deletions to theoriginal published version of documentation unless suchmodifications, additions, or deletions were performed by Avaya. EndUser agrees to indemnify and hold harmless Avaya, Avaya's agents,servants and employees against all claims, lawsuits, demands andjudgments arising out of, or in connection with, subsequentmodifications, additions or deletions to this documentation, to theextent made by End User.Link disclaimerAvaya is not responsible for the contents or reliability of any linkedwebsites referenced within this site or documentation provided byAvaya. Avaya is not responsible for the accuracy of any information,statement or content provided on these sites and does notnecessarily endorse the products, services, or information describedor offered within them. Avaya does not guarantee that these links willwork all the time and has no control over the availability of the linkedpages.WarrantyAvaya provides a limited warranty on Avaya hardware and software.Refer to your sales agreement to establish the terms of the limitedwarranty. In addition, Avayas standard warranty language, as well asinformation regarding support for this product while under warranty isavailable to Avaya customers and other parties through the AvayaSupport website: http://support.avaya.com or such successor site asdesignated by Avaya. Please note that if you acquired the product(s)from an authorized Avaya Channel Partner outside of the UnitedStates and Canada, the warranty is provided to you by said AvayaChannel Partner and not by Avaya.LicensesTHE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYAWEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO ORSUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA, AREAPPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/ORINSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC.,ANY AVAYA AFFILIATE, OR AN AVAYA CHANNEL PARTNER (ASAPPLICABLE) UNDER A COMMERCIAL AGREEMENT WITHAVAYA OR AN AVAYA CHANNEL PARTNER. UNLESSOTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOESNOT EXTEND THIS LICENSE IF THE SOFTWARE WASOBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYAAFFILIATE OR AN AVAYA CHANNEL PARTNER; AVAYARESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOUAND ANYONE ELSE USING OR SELLING THE SOFTWAREWITHOUT A LICENSE. BY INSTALLING, DOWNLOADING ORUSING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO,YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOMYOU ARE INSTALLING, DOWNLOADING OR USING THESOFTWARE (HEREINAFTER REFERRED TOINTERCHANGEABLY AS YOU AND END USER), AGREE TOTHESE TERMS AND CONDITIONS AND CREATE A BINDINGCONTRACT BETWEEN YOU AND AVAYA INC. OR THEAPPLICABLE AVAYA AFFILIATE (AVAYA).Avaya grants you a license within the scope of the license typesdescribed below, with the exception of Heritage Nortel Software, forwhich the scope of the license is detailed below. Where the orderdocumentation does not expressly identify a license type, theapplicable license will be a Designated System License. The

applicable number of licenses and units of capacity for which thelicense is granted will be one (1), unless a different number oflicenses or units of capacity is specified in the documentation or othermaterials available to you. Software means Avayas computerprograms in object code, provided by Avaya or an Avaya ChannelPartner, whether as stand-alone products, pre-installed , or remotelyaccessed on hardware products, and any upgrades, updates, bugfixes, or modified versions thereto. Designated Processor means asingle stand-alone computing device. Server means a DesignatedProcessor that hosts a software application to be accessed bymultiple users. Instance means a single copy of the Softwareexecuting at a particular time: (i) on one physical machine; or (ii) onone deployed software virtual machine (VM) or similar deployment.License typesDesignated System(s) License (DS). End User may install and useeach copy of the Software only on a number of DesignatedProcessors up to the number indicated in the order. Avaya mayrequire the Designated Processor(s) to be identified in the order bytype, serial number, feature key, location or other specificdesignation, or to be provided by End User to Avaya throughelectronic means established by Avaya specifically for this purpose.CPU License (CP). End User may install and use each copy of theSoftware on a number of Servers up to the number indicated in theorder provided that the performance capacity of the Server(s) doesnot exceed the performance capacity specified for the Software. EndUser may not re-install or operate the Software on Server(s) with alarger performance capacity without Avayas prior consent andpayment of an upgrade fee.Heritage Nortel SoftwareHeritage Nortel Software means the software that was acquired byAvaya as part of its purchase of the Nortel Enterprise SolutionsBusiness in December 2009. The Heritage Nortel Software currentlyavailable for license from Avaya is the software contained within thelist of Heritage Nortel Products located at http://support.avaya.com/licenseinfo under the link Heritage Nortel Products. For HeritageNortel Software, Avaya grants Customer a license to use HeritageNortel Software provided hereunder solely to the extent of theauthorized activation or authorized usage level, solely for the purposespecified in the Documentation, and solely as embedded in, forexecution on, or (in the event the applicable Documentation permitsinstallation on non-Avaya equipment) for communication with Avayaequipment. Charges for Heritage Nortel Software may be based onextent of activation or use authorized as specified in an order orinvoice.CopyrightExcept where expressly stated otherwise, no use should be made ofmaterials on this site, the Documentation, Software, Hosted Service,or hardware provided by Avaya. All content on this site, thedocumentation, Hosted Service, and the Product provided by Avayaincluding the selection, arrangement and design of the content isowned either by Avaya or its licensors and is protected by copyrightand other intellectual property laws including the sui generis rightsrelating to the protection of databases. You may not modify, copy,reproduce, republish, upload, post, transmit or distribute in any wayany content, in whole or in part, including any code and softwareunless expressly authorized by Avaya. Unauthorized reproduction,transmission, dissemination, storage, and or use without the expresswritten consent of Avaya can be a criminal, as well as a civil offenseunder the applicable law.Third Party ComponentsThird Party Components mean certain software programs orportions thereof included in the Software or Hosted Service maycontain software (including open source software) distributed underthird party agreements (Third Party Components), which containterms regarding the rights to use certain portions of the Software(Third Party Terms). As required, information regarding distributedLinux OS source code (for those Products that have distributed LinuxOS source code) and identifying the copyright holders of the ThirdParty Components and the Third Party Terms that apply is availablein the Documentation or on Avayas website at: http://support.avaya.com/Copyright or such successor site as designatedby Avaya. You agree to the Third Party Terms for any such ThirdParty Components

Preventing Toll FraudToll Fraud is the unauthorized use of your telecommunicationssystem by an unauthorized party (for example, a person who is not acorporate employee, agent, subcontractor, or is not working on yourcompany's behalf). Be aware that there can be a risk of Toll Fraudassociated with your system and that, if Toll Fraud occurs, it canresult in substantial additional charges for your telecommunicationsservices.Avaya Toll Fraud InterventionIf you suspect that you are being victimized by Toll Fraud and youneed technical assistance or support, call Technical Service CenterToll Fraud Intervention Hotline at +1-800-643-2353 for the UnitedStates and Canada. For additional support telephone numbers, seethe Avaya Support Website: http://support.avaya.com/. Suspectedsecurity vulnerabilities with Avaya products should be reported toAvaya by sending mail to: [email protected] trademarks, logos and service marks (Marks) displayed in thissite, the Documentation, Hosted Service(s), and Product(s) providedby Avaya are the registered or unregistered Marks of Avaya, itsaffiliates, or other third parties. Users are not permitted to use suchMarks without prior written consent from Avaya or such third partywhich may own the Mark. Nothing contained in this site, theDocumentation, Hosted Service(s) and Product(s) should beconstrued as granting, by implication, estoppel, or otherwise, anylicense or right in and to the Marks without the express writtenpermission of Avaya or the applicable third party.Avaya is a registered trademark of Avaya Inc.All non-Avaya trademarks are the property of their respective owners.Linux is the registered trademark of Linus Torvalds in the U.S. andother countries.Downloading DocumentationFor the most current versions of Documentation, see the AvayaSupport website: http://support.avaya.com, or such successor site asdesignated by Avaya.Contact Avaya SupportSee the Avaya Support website: http://support.avaya.com for Productor Hosted Service notices and articles, or to report a problem withyour Avaya Product or Hosted Service. For a list of support telephonenumbers and contact addresses, go to the Avaya Support website: http://support.avaya.com (or such successor site as designated byAvaya), scroll to the bottom of the page, and select Contact AvayaSupport.

Contents

Chapter 1: Introduction............................................................................................................ 6Purpose..................................................................................................................................6Related Resources.................................................................................................................. 6

Documentation..................................................................................................................6Training............................................................................................................................ 6Viewing Avaya Mentor videos.............................................................................................7

Support.................................................................................................................................. 7Chapter 2: New in this release.................................................................................................8

Features................................................................................................................................. 8Other changes........................................................................................................................ 9

Chapter 3: Overview of WLAN deployment solutions.........................................................10Chapter 4: ACLI reference for Wireless LAN (WLAN) 8100................................................ 11

ACLI reference for the Wireless LAN (WLAN) 8100..................................................................11Performing controller configuration using the WC 8180 Quick Configuration utility................ 12Viewing WLAN 8100 current configuration.........................................................................14Configuring and managing Link Layer Discovery Protocol...................................................15Configuring and managing Remote Packet Capture........................................................... 19Configuring and managing Client Band Steering and Client load balancing.......................... 28Configuring and managing Captive Portals........................................................................ 29Configuring and managing External Captive Portals........................................................... 41Configuring and managing RADIUS.................................................................................. 48Auto-RF..........................................................................................................................59Configuring and viewing the Tunnel Path MTU.................................................................. 68DiffServ.......................................................................................................................... 69AeroScout.......................................................................................................................79Station Isolation.............................................................................................................. 81Ekahau RTLS support..................................................................................................... 83Wi-Fi Zoning................................................................................................................... 86Bonjour Gateway Support................................................................................................ 93Domain AP configuration............................................................................................... 100Wireless security WIDS-WIPS configuration and management..................................... 111Configuring a MAC filter blacklist.................................................................................... 122Wireless Security Client MAC validation......................................................................123Load Balancing of APs and WSPs.................................................................................. 130Commonly used configuration procedures ...................................................................... 140

Chapter 5: ACLI Reference for wired networks................................................................. 153ACLI reference for wired networks........................................................................................ 153

Configuring system options............................................................................................ 153Configuring system security........................................................................................... 202

4 ACLI Commands Reference for Avaya WLAN 8100 June 2014Comments? [email protected]

Configuring VLANs and Link Aggregation........................................................................244Configuring IP routing.................................................................................................... 274Configuring Access Lists................................................................................................ 305Configuring Elements, Classifiers, and Classifier Blocks................................................... 308Configuring wired Quality of Service................................................................................314Configuring Serviceability...............................................................................................345Configuring diagnostics and graphing............................................................................. 354

Appendix A: Supported Country Codes............................................................................. 367

Contents

June 2014 ACLI Commands Reference for Avaya WLAN 8100 5Comments? [email protected]

Chapter 1: Introduction

PurposeThis document is an Avaya Command Line Interface (CLI) Commands Reference guide for theconfiguration and management of the Avaya Wireless LAN (WLAN) 8100 solution.The ACLI commands reference is organized into two parts:

ACLI reference for Wireless LAN (WLAN) 8100This chapter describe the major WLAN 8100 features for release 3.0 and the typical ACLIcommands for their configuration and management.

ACLI reference for wired networksThis chapter describes typical ACLI commands for wired network configuration.

For further information on the features of the Wireless LAN 8100 solution, see Feature Overview forAvaya WLAN 8100, NN47251-102.

Related Resources

DocumentationFor a list of the documentation for this product, see Documentation Reference for Avaya WLAN8100, NN47251-100.

TrainingOngoing product training is available. For more information or to register, see http://avaya-learning.com/.Enter the course code in the Search field and click Go to search for the course.Course Code Course Title6769X Avaya Wireless LAN 8100 Implementation and Management


Course Code Course Title4D00045V Avaya VENA Unified Access ImplementationWireless LAN 8100 AIPS credential 7D00060A Wireless LAN 8100 Implementation Assessment (online test)

Viewing Avaya Mentor videosAvaya Mentor videos provide technical content on how to install, configure, and troubleshoot Avayaproducts.About this taskVideos are available on the Avaya Support website, listed under the video document type, and onthe Avaya-run channel on YouTube.Procedure

To find videos on the Avaya Support website, go to support.avaya.com and perform one of thefollowing actions: In Search, type Avaya Mentor Videos to see a list of the available videos. In Search, type the product name. On the Search Results page, select Video in the

Content Type column on the left. To find the Avaya Mentor videos on YouTube, go to www.youtube.com/AvayaMentor and

perform one of the following actions: Enter a key word or key words in the Search Channel to search for a specific product or

topic. Scroll down Playlists, and click the name of a topic to see the available list of videos posted

on the website.Note:Videos are not available for all products.

SupportGo to the Avaya Support website at http://support.avaya.com for the most up-to-datedocumentation, product notices, and knowledge articles. You can also search for release notes,downloads, and resolutions to issues. Use the online service request system to create a servicerequest. Chat with live agents to get answers to questions, or request an agent to connect you to asupport team if an issue requires additional expertise.

Support


Chapter 2: New in this release

The following sections detail what's new in the ACLI Commands Reference for Avaya WLAN 8100,NN47251-107 for release 3.0.

Related LinksFeatures on page 8Other changes on page 9

FeaturesSee the following sections for information about the feature changes:

Support for External Captive Portal on page 8 Support for Link Layer Discovery Protocol (LLDP) on page 8 Bonjour Gateway support on page 9

For information on the WMS enhancements and on Avaya Command Line Interface (CLI)commands, see Using WMS and EDM on Avaya WLAN 8100, NN47251-108 and ACLI CommandsReference for Avaya WLAN 8100, NN47251-107 respectively.For more information on feature fundamentals, see Feature Overview for Avaya WLAN 8100,NN47251-102.Support for External Captive PortalWireless LAN Cotroller 8100 can support external captive portal with patented floating CPIPmapping method and RFC 5176 Change of Authorization (CoA) to achieve a linearly scalingstandalone external captive portal solution that is designed for both large and small deployment.WLAN 8100 users can provide their own external captive portal based on design guideline fromAvaya.The WLAN controller leverages RFC 5176 CoA (Change of Authorization) to support small, medium,and large scale deployments.Support for Link Layer Discovery Protocol (LLDP)The Link Layer Discovery Protocol (LLDP) is a data link layer protocol in the Internet Protocol Suiteused by network devices for neighbor identity and capability discovery. Avaya AP advertises itsstatus to the neighbors and relays the information and status about the LLDP neighbors to itsmanaging wireless controller.


LLDP support on AP can advertise its status, capabilities, and process information from other LLDPneighbors. Eg. PoE switches.Bonjour Gateway supportBonjour is a service discovery protocol of Apple. Bonjour locates devices such as printers, othercomputers, and the services that those devices offer on a local network using multicast domainname system (mDNS) service records. Bonjour can be extended across subnets by using AvayaWLAN 8100 Bonjour Gateway feature, which selectively relays service discovery packets acrossnetworks without using external gateway or custom router configuration.

Related LinksNew in this release on page 8

Other changesThere are no other changes to this document for release 3.0.

Related LinksNew in this release on page 8

Other changes


Chapter 3: Overview of WLAN deploymentsolutions

The current release of Avaya WLAN supports the following deployment models. WLAN Overlay

In the Overlay deployment, the Wireless Controller (WC) 8180 controls/manages AccessPoints (AP) over a control channel and data is tunneled between the APs and the controllerover an access tunnel. Two or more WCs in the domain form a cluster, with a mesh of controlchannels and data tunnels between each other.

WLAN Unified AccessIn the Avaya VENA Unified Access deployment, the wireless controller deploys in the control-plane mode of operation of the 8180 platform. This device then hosts only the wireless controlfunction and is called a wireless control point (WCP). A switch such as the Avaya ERS8600/8800 introduced into the network, tunnels traffic (data) and is known as the wirelessswitching point (WSP). The APs and WSPs tunnel traffic between each other over an accesstunnel and the WSPs tunnel traffic between each other over a mobility tunnel.Avaya implemented this solution by combining the functionality of the Avaya WC 8100 with theAvaya Ethernet Routing Switch 8800/8600 (ERS 8800/8600).


Chapter 4: ACLI reference for Wireless LAN(WLAN) 8100

ACLI reference for the Wireless LAN (WLAN) 8100The following sections describe the major WLAN 8100 features and the typical Avaya CommandLine Interface (ACLI) commands for their configuration and management.

Related LinksPerforming controller configuration using the WC 8180 Quick Configuration utility on page 12Viewing WLAN 8100 current configuration on page 14Configuring and managing Link Layer Discovery Protocol on page 15Configuring and managing Remote Packet Capture on page 19Configuring and managing Client Band Steering and Client load balancing on page 28Configuring and managing Captive Portals on page 29Configuring and managing External Captive Portals on page 41Configuring and managing RADIUS on page 48Auto-RF on page 59Configuring and viewing the Tunnel Path MTU on page 68DiffServ on page 69AeroScout on page 79Station Isolation on page 81Ekahau RTLS support on page 83Wi-Fi Zoning on page 86Bonjour Gateway Support on page 93Domain AP configuration on page 100Wireless security WIDS-WIPS configuration and management on page 111Configuring a MAC filter blacklist on page 122Wireless Security Client MAC validation on page 123Load Balancing of APs and WSPs on page 130Commonly used configuration procedures on page 140


Performing controller configuration using the WC 8180 QuickConfiguration utility

The WC 8180 Quick Configuration utility allows you to perform a quick configuration of the WLAN8100 controller. This utility is run from the Avaya CLI and consists of a series of prompts that areused to set up the required configuration on the controller. If the controller is reset with default-settings, the install utility automatically runs on boot up.

Important:The WC 8180 Quick Configuration utility is supported in only the Overlay deployment.

The WC 8180 Quick Configuration utility guides you through steps to configure the following: Management interface and Wireless or System interface Basic SNMP-v2 Trap-host configuration SNTP telnet Wireless client interfaces Mobility VLANs Mobility domains Network profile, AP profile, Radio Profile and Captive Portal profile configuration Wireless RADIUS server configuration License download

Before you begin Remove the WC 8180 device from its packaging. Ensure you have the following hardware

components and materials:- Wireless Controller (WC) 8180 device- console cable

Procedure1. Power on the WC 8180.2. When the WC 8180 is up, connect the console cable.3. Verify that the baud rate and other console parameters are properly configured. You can

view console parameters using the PuTTY application.a. Open a PuTTY session.b. On the left-hand-side tree view, click Serial.c. Verify that the parameters are configured as follows:

ACLI reference for Wireless LAN (WLAN) 8100


Figure 1: Console configuration4. Press Ctrl+Y to start.5. On the MENU screen, select Command Line Interface to go to the CLI.6. Initiate the WC 8180 setup utility:

WC8180>enWC8180#WC8180#install

Related LinksACLI reference for the Wireless LAN (WLAN) 8100 on page 11Verifying controller configuration on page 13

Verifying controller configurationUse this procedure to verify the configuration after running the WC 8180 Quick Configuration utility.Procedure

1. Verify controller configuration:WC8180#show wireless Operation Mode : WC Status : Enabled Interface IP : 192.168.34.4 TCP/UDP base port : 61000 Base MAC Address : 58:16:26:FD:FE:00 Tunnel Path MTU : 1492

2. Verify controller domain membership:WC8180#show wireless controller domain-membership Domain Name : Avaya Domain Role : Active MDC

ACLI reference for the Wireless LAN (WLAN) 8100


Domain Action Status : Join Success Action Failure Reason : None

3. Verify domain configuration using the following command:WC8180#show running-config module wireless

For more information on this command, see Viewing WLAN 8100 current configuration onpage 14.

Related LinksPerforming controller configuration using the WC 8180 Quick Configuration utility on page 12

Viewing WLAN 8100 current configurationYou can view the current configuration of the WLAN 8100 system using the show running-config command.

Note:You can run this command from any controller in the domain.

Procedure1. Enter the command show running-config to view the current configuration on the WLAN

8100 system.Note:The command show running-config displays the entire WLAN 8100 systemconfiguration. Only configuration that is different from the default configuration isdisplayed.

Command options of the show running-config command:WC8180#show running-config ? module Display configuration of an application verbose Display entire configuration (defaults and non-defaults)

Command options of the show running-config module command:WC8180#show running-config module ? 802.1ab Display 802.1ab configuration aaur Display AAUR configuration adac Display ADAC configuration arp-inspection Display ARP Inspection configuration asset-id Display Asset ID configuration aur Display AUR configuration banner Display Custom Banner configuration core Display Core configuration default-cmd-interface Display Default Command Interface configuration dhcp-relay Display DHCP Relay configuration dhcp-snooping Display DHCP Snooping configuration interface Display Interface configuration ip Display IP configuration ip-source-guard Display IP Source Guard configuration ipfix Display IPFIX configuration ipmc Display IPMC configuration



ipmgr Display IP Manager configuration ipv6 Display IPV6 configuration l3 Display L3 configuration l3-protocols Display L3 Protocols configuration lacp Display LACP configuration logging Display System Logging configuration mac-security Display MAC Security configuration mlt Display MLT configuration nsna Display NSNA configuration pim Display PIM configuration port-mirroring Display Port Mirroring configuration qos Display QoS configuration rate-limit Display Rate Limiting configuration rmon Display RMON configuration rtc Display RTC configuration slpp Display SLPP configuration smlt Display SMLT configuration snmp Display SNMP configuration ssh Display SSH configuration sshc Display SSHC configuration ssl Display SSL configuration stack Display Stack configuration stkmon Display Stack Monitor configuration stp Display STP configuration unicast-storm-control Display Unicast Storm Control configuration vlacp Display VLACP configuration vlan Display VLAN configuration wireless Display wireless configuration

2. Use one of the following command options to view the current wireless configuration:WC8180#show running-config module wireless ? ap-profile Display wireless ap profile configs. auto-rf Display auto-rf configs captive-portal Display wireless captive-portal configs capture-profile Display wireless capture-profile configs. crypto Display wireless crypto configs diffserv Display wireless diffserv configs. domain Display wireless domian config domain-ap Display domain ap configs domain-ap-image-external-download Display wireless domain-ap-image-external-download configs domain-load-balance Display domain load balance configs domain-wsp Display domain wsp configs network-profile Display wireless network-profile configs. radio-profile Display wireless radio-profile configs. security Display wireless security config system Display wireless system configs vlan-map Display wireless valn-map configs

Related LinksACLI reference for the Wireless LAN (WLAN) 8100 on page 11

Configuring and managing Link Layer Discovery ProtocolLink Layer Discovery Protocol (LLDP) allows the Avaya AP to announce its presence on thenetwork, allowing it to be found by other devices. It also allows the AP to discover how and where it



is connected to the network, and to report that information back to its managing Wireless Controller.This information makes it easier to trace, locate, and debug installation issues.The only configurable option for LLDP on the AP is the operation mode when the AP is managed. Itcan be configured for:

Tx-Rx (Default mode): AP sends advertisements to neighbors and relays neighboradvertisements to WC.

Tx-Only: AP sends advertisements to neighbors and drops neighbor advertisements. Rx-Only: AP does not send advertisements to neighbors, but relays neighbor advertisements

to WC. Off: AP does not send advertisements to neighbors and drops neighbor advertisements.Note:In unmanaged mode, the AP is always in Tx-Rx mode; no configuration is possible.

Advertisements are sent every 30 seconds with a time to live of 120 seconds. The content of theLLDP advertisement is not configurable and is reproduced here for reference.Transmitted (Advertised) Values:

Value Unmanaged ManagedChassis ID AP Ethernet MAC Address AP Ethernet MAC AddressPort ID AP Ethernet MAC Address AP Ethernet MAC AddressSystem Name AP Model Type AP Label from Configuration

ProfileManagement Address 0.0.0.0 before dhcp address is

assignedA.B.C.D after dhcp address isassigned

A.B.C.D, DHCP assignedaddress

System Capabilities WLAN/Bridge CapabilityWLAN/Bridge Not Enabled

WLAN/Bridge CapabilityWLAN/Bridge Enabled

System Description Avaya Wireless AP, Model{model}, HW Ver: Rxx, FWVer: 3.0.0.0

Avaya Wireless AP, Model{model}, HW Ver: Rxx, FWVer: 3.0.0.x

Port Description eth0 before dhcp address isobtained,eth0, IP: A.B.C.D after dhcpis obtained

eth0, IP: A.B.C.D

Related LinksACLI reference for the Wireless LAN (WLAN) 8100 on page 11Configuring LLDP operation on an AP on page 17



Configuring LLDP operation on an APBefore you beginEnsure that you are in the wireless configuration mode on the Avaya CLI. Use the followingcommands:WC8180#conf tWC8180(config)#wirelessWC8180(config-wireless)#

About this taskUse this procedure to configure LLDP operation on an AP.Procedure

1. Enter into the ap-profile configuration mode:WC8180(config-wireless)#ap-profile 1

2. Enter the following commands to configure LLDP on the AP:To enable LLDP on AP:WC8180(config-ap-profile)#lldp-status ? rxOnly Enable receive only txAndRx Enable transmit and receive txOnly Enable transmit onlyWC8180(config-ap-profile)#lldp-status rxOnly

To disable LLDP on AP:WC8180(config-ap-profile)#no lldp status

To set the value to default:WC8180(config-ap-profile)#default lldp status

3. Use the following commands to verify the LLDP status:LLDP is enabled:WC8180(config-ap-profile)#show wireless ap-profile 1 detailAP Profile Id: 1 Name : Default Country Code : US AP Model : Avaya APs (AP8120/AP8120-E) Is Default Profile? : No AE Protocol Support : Disable Ekahau Tag Blink Mode : Disable Ekahau Server IP : 0.0.0.0 Ekahau Server UDP Port : 8569 LLDP status : rxOnly Status : Configured

LLDP is disabled:WC8180(config-ap-profile)#show wireless ap-profile 1 detailAP Profile Id: 1 Name : Default Country Code : US AP Model : Avaya APs (AP8120/AP8120-E) Is Default Profile? : No AE Protocol Support : Disable Ekahau Tag Blink Mode : Disable



Ekahau Server IP : 0.0.0.0 Ekahau Server UDP Port : 8569 LLDP status : Disabled Status : Configured

4. Apply the new LLDP configuration on the managed AP:WC8180#wireless controller config-sync

5. View the status of LLDP configuration on the managed AP in detail:WC8180# show wireless ap status 00:1B:4F:69:DF:E0 detailTotal APs: 1, Managed APs: 1, Failed APs: 0-------------------------------------------------------AP (MAC=00:1B:4F:69:DF:E0)IP Address : 10.250.8.230Status : Managed---------AP LED Status : LED-ONLLDP status : Disabled | rxOnly | txOnly| rxAndTx|N/ALLDP Neighbor Count : 1

6. Use the following command to view the LLDP status received by an AP from its neighbors:WC8180#show wireless ap lldp-neighbor -------------------------------------------------------------------------------AP MAC Neighbor MAC Mgmt IP Port Description ----------------- ------------------ --------------- -----------------------00:02:6F:B8:58:C0 6C:FA:58:7B:38:00 1.1.1.20 Port 24 00:1B:4F:6A:59:20 00:14:C7:30:6C:00 1.1.1.10 Port 22 58:16:26:AC:75:60 00:14:C7:30:6C:00 1.1.1.10 Port 21 B0:AD:AA:52:C8:E0 6C:FA:58:7B:38:00 1.1.1.20 Port 23 -------------------------------------------------------------------------------

7. Use the following command to view the details of LLDP neighbors:WC8180#show wireless ap lldp-neighbor 58:16:26:AC:75:60 detail

-------------------------------------------------------------------------------AP : 58:16:26:AC:75:60

------------------------------------------------------------------------------- Neighbor : 00:14:C7:30:6C:00 Age : 0d:01:36:19 PVID : 70 Chassis Chassis ID : mac 00:14:C7:30:6C:00 System Name : System Description: Ethernet Routing Switch 5520-24T-PWR HW:02 FW:6.0.0.18 SW:v6.3.3.040 Port Port id : mac 00:14:C7:30:6C:15 Port Description : Port 21 System Capabilities Supported : Bridge Router Enabled : Bridge Router Management Address Address : ipv4 1.1.1.10 Interface Number : 0 Interface Subtype : Unknown (1) Vlan VLAN ID : 1 Name: VLAN #1



VLAN ID : 70 Name: cherish2

-------------------------------------------------------------------------------8. Use the following command to clear failed APs and associated LLDP neighbors:

WC8180#clear wireless ap failedRelated Links

Configuring and managing Link Layer Discovery Protocol on page 15

Configuring and managing Remote Packet CaptureRemote packet capture enables live debugging to troubleshoot client related issues. It can also beused to monitor traffic in a wireless network.Remote packet capture enables you to capture packets on wireless interfaces on any AP in themobility domain. You can use this capability to troubleshoot wireless connectivity issues and identifythe nature of the wireless traffic at different locations in the deployment. You can monitor wirelesstraffic in general.To enable remote packet capture, you typically configure a capture profile on the AMDC of themobility domain and then apply this profile to specific APs in the mobility domain. Each captureprofile supports multiple configuration parameters that specify the behavior of the capture. You canconfigure up to four capture profiles on the AMDC.A single stream of packet capture between the remote capture device and observer host is called acapture instance. A remote capture device can have one capture instance per capture profile with amaximum of 4 capture instances.A capture instance is started when a capture profile is applied to a AP using a start action.A capture instance cannot be started when the configuration profiles are not synchronized in themobility domain.A capture instance that is not active can be restarted using a restart action. A capture instance thatis active can be stopped using a stop actionBefore starting the capture instance, you must install Wireshark on the observer host to captureframes on the observer host IP of the capture instance.Wireshark is a packet analyzer with extensive capabilities to analyze various protocols and is freelyavailable for download from the internet. Wireshark version 1.6 or higher support decoding ofCAPWAP encapsulated data.After you install Wireshark, start the capture stream for the capture instance. Wireshark displaysreceived packets from the capture stream on the configured UDP port for the capture instance.Wireshark can be configured to decode all packets received on the UDP port of the capture streamas CAPWAP data packets.The UDP port that is used for CAPWAP capture stream to the observer host is configured in thecapture profile.



Before you beginBefore you start a packet capture, ensure that you do the following on the Observer host PC.

Download the Netcat application from http://netcat.sourceforge.net/download.php to a locationon the PC.

Open a UDP port for listening.Important:If you do not open the UDP port on the observer host then the capture device receives theICMP port unreachable error for every capture packet in the capture stream. Thisseverely impacts the performance.

Launch Netcat.On a Windows machine, execute the following command at the location of installation ofNetcat. In the following example, 172.16.9.10 is the IP address of the Observer host PC andthe observer port is 37008.D:\RPC\NetCat>nc -l -u -p 37008 -s 172.16.9.10 -vlistening on [172.16.9.10] 37008 ...

On a Linux machine, execute the command nc l u . Launch Wireshark to capture frames.

- In Wireshark, ensure that you configure the CAPWAP UDP data port correctly. To decodethe information packets correctly, this port must be the same as that opened for listening onthe observer host PC. On Wireshark, navigate to Edit, Preferences, CAPWAP. Update thefield CAPWAP data UDP port.

- Also ensure that you deselect Swap Frame Control.



Figure 2: Configuration of the CAPWAP UDP port on WiresharkProcedure

1. Create a capture profile on the AMDC using the following command.WC8180(config-wireless)#capture-profile ? Capture Profile ID

Note:You can configure a maximum of 4 capture profiles on the AMDC.

2. Configure the capture profile parameters using the following commands.Important:After you complete the configuration, ensure that you synchronize configuration acrossall controllers in the mobility domain.

Overview of the capture profile configuration commands.WC8180(config-capture-profile)#?Capture Profile Configuration Commands default Set a command to its default values direction Filter capture by flow direction duration Stop after elapsed duration in seconds end End wireless capture configuration mode exit Exit from wireless capture configuration mode filters Set filters for the packet capture profile interface Specify the capture interface(s) for the packet capture no Disable capture profile parameters observer-ip IP address of the observer host observer-port L4 port on the observer host



profile-name Name of the profile promisc-mode Enable promiscuous capture on selected interfaces snap-length Truncate capture to a specified length (in bytes)

Configure the direction of the capture.WC8180(config-capture-profile)#direction ? both Transmit and receive downlink Transmit only uplink Receive only

Configure the duration of the capture.WC8180(config-capture-profile)#duration ? Enter capture duration in seconds

Configure filters for the capture.WC8180(config-capture-profile)#filters ?Set filters for the packet capture profile client-mac Filter capture by client-mac include-beacons Include 802.11 beacons in capture data include-control Include 802.11 control frames in capture data include-data Include 802.11 data in capture data include-mgmt Include 802.11 mgmt frames other than probes/beacons in the capture data include-probes Include 802.11 probes in capture data ssid Filter capture by ssid

Configure radio interfaces for the capture.WC8180(config-capture-profile)#interface ? a-radio 5.0 GHz radio interface only all All radio interfaces b-radio 2.4 GHz radio interface only

Configure the IP address of the observer host PC.WC8180(config-capture-profile)#observer-ip ? ipaddr IP address of Observer machine

Configure the observer port.WC8180(config-capture-profile)#observer-port ? Enter a UDP port number

Configure the profile name.WC8180(config-capture-profile)#profile-name ? WORD Enter a name (1-32 characters)

Configure the snap length.WC8180(config-capture-profile)#snap-length ? Enter snap-length in bytes

Important:In Wireshark, when the packet length exceeds the configured snap length in the captureprofile, the captured packets are displayed as Malformed. The default value of the snaplength is 128 and the value can be modified between 32 and 1024.Adjust the snap length to prevent malformed packets.

3. Verify details of the configured capture profile(s) using the following commands.



For an overview of all configured capture profiles, use:WC8180# show wireless capture-profile

To view details of a selected capture-profile, use:WC8180# show wireless capture-profile detail

A sample output is as follows:WC8180(config-capture-profile)#show wireless capture-profile 1 detailCapture Profile ID: 1 Name : Default Observer IP Address : Observer UDP Port : 37008 Filter Promiscous mode : Disabled Filter Interfaces : All Radios Filter Flow direction : Transmit and Receive Filter SSID : Filter Client MAC : 00:00:00:00:00:00 Filter 802.11 : data Filter Duration : 300 Filter SNAP Length : 128

4. Manage packet capture instances using the following commands.CLI Reference:WC8180#wireless capture-instance ?Packet capture instances delete Delete capture instance restart Restart capture instance start Start capture instance stop Stop capture instance

Start packet capture instances:WC8180# wireless capture-instance start ap profile

Stop packet capture instances:WC8180#wireless capture-instance stop ? all All instances ap AP MAC Address profile Capture profile

Stop all capture-instance(s) for a profile-id.WC8180# wireless capture-instance stop profile

Stop all capture-instance(s) for an AP.WC8180# wireless capture-instance stop ap

Stop all capture instances.WC8180# wireless capture-instance stop all

Restart packet capture instances:WCP8180#wireless capture-instance restart ? all All instances ap AP MAC Address profile Capture profile



Restart all capture instances.WC8180#wireless capture-instance restart all

Restart all capture-instance(s) for a specific AP.WCP8180# wireless capture-instance restart ap

Restart all capture-instance(s) for a specific profile.WC8180# wireless capture-instance restart profile

Delete packet capture instances:WCP8180#wireless capture-instance stop ? all All instances ap AP MAC Address profile Capture profile

Delete all capture instances.WC8180#wireless capture-instance delete all

Delete all capture-instance(s) for a specific AP.WCP8180# wireless capture-instance delete ap

Delete all capture-instance(s) for a specific capture profile.WC8180# wireless capture-instance delete profile

Delete a specific capture instance.WC8180# wireless capture-instance delete ap profile

View packet capture instances:To view capture-instances for specific AP, use:WC8180# show wireless capture-instance ap

To view capture-instances for a specific profile, use:WC8180# show wireless capture-instance profile

To view all capture instances, use:WC8180# show wireless capture-instance

5. Use the following command to view wireless capture profile configuration:WC8180#show running-config module wireless capture-profile

Related LinksACLI reference for the Wireless LAN (WLAN) 8100 on page 11Configuration scenarios on page 24CLI commands reference for remote packet capture on page 25

Configuration scenariosThe following section describes special configuration scenarios and their behavior.



Important:When the SSID filter is set, you must not enable the promiscous mode.

Scenario 1 include-beacon + ssid: Observation: No packets are captured.Reason: In the Remote packet capture driver, ssid is converted to bssid. This bssid is comparedwith the one from the beacon, which never matches and therefore no packet is captured.Scenario 2 include-probe + ssid: Observation: The probe request packets are observed but with a different ssid (the ssid filter did notwork)Reason: When the probe request has a broadcast bssid, the comparison does not happen. Henceall probe requests are captured with a different ssid.The following section describes configuration settings and the corresponding output.

no promisc-mode + include-beacon you see beacons from all APs. promisc-mode + include-beacon you see beacons from all APs. no promisc-mode + include-probe you see probe requests/responses from all APs. promisc-mode + include-probe you see probe requests/responses from all APs. no promisc-mode + include-beacon + include-probe you see beacons/probes from all APs. promisc-mode + include-beacon + include-probe you see beacons/probes from all APs. no promisc-mode + include-data you see data to/from only your AP. promisc-mode + include-data you see data to/from all APs. promisc-mode + no frame-types you do not see any packets. promisc-mode + include-data + include-beacon + include-probe you see data, beacon and

probes from all APs. no promisc-mode + include-data + include-beacon + include-probe you see beacons and

probes from all APs, but data only from your AP.CLI commands reference for remote packet capture

Commands to configure a capture profileUse the following parameters to define a capture profile on a managed Access Point (AP).Command Parameters Descriptiondefault none Sets the command to its default values.direction Specifies the capture flow direction.

The direction is specified with respect to the MU.Uplink and Downlink are valid directions. By default,



Command Parameters Descriptionboth directions are enabled. Uplink indicates receivefor an AP and downlink indicates transmit for the AP.

both Specifies both transmit and receive.downlink Specifies transmit only.uplink Specifies receive only.

duration Range is 0 to 86400 seconds.Specifies the duration for which capture should continue.Packet capture stops after the time duration elapses.Use a default value of 5 minutes. A value of 0 meansinfinite duration.

end End wireless capture configuration mode.exit Exit from wireless capture configuration mode.filters client-mac Traffic is captured only from/to specific client MAC

address. To exclude this filter, set the value to emptystring.This setting is ignored on promiscuous mode. This filteris not applicable to beacons.By default, the client MAC address is null.

include-beacons Include 802.11 beacons frames from captures on radiointerfaces. This filter is disabled by default. When astation MAC filter is set, it is not applied for selection ofbeacon frames

include-control Include 802.11 control frames from captures on radiointerfaces. This filter is disabled by default.

include-data Include 802.11 data in capture data. This filter is enabledby default.

include-mgmt Include 802.11 management frames other than probes/beacons in the capture data. This filter is disabled bydefault.

include-probes Include 802.11 probe frames in capture data. This filteris disabled by default.

ssid Traffic is captured only on specifies SSID. To excludefiltering on SSID, set this value to empty string. Anempty string is also the default value. This setting isignored on promiscuous mode.An AP checks the validity of the SSID when packetcapture is started.

interface a-radio Specifies 5.0 GHz radio interface only.all Specifies all radio interfaces.b-radio Specifies 2.4 GHz radio interface only.

no Disables capture profile parameters.



Command Parameters Descriptionobserver-ip ipaddr IP address of the observer host to which to send the

captured traffic.observer-port Specifies the destination UDP port for sending the

captured traffic. This is the L4 port that observer PC islistens on.

Important:Ensure the observer host on the UDP port is open.If you do not open the UDP port on the observerhost then the capture device receives the ICMPport unreachable error for every capturepacket in the capture stream. This severely impactsperformance.

profile-name WORD Specifies the name of the profile.By default, a capture profile is created with the profilename capture_profile_00n.

promisc-mode Enable/Disable: When promiscuous mode is disabled,only traffic directed to the AP is captured. Note thatenabling promiscuous mode can result in multiple APsreporting copies of the same packets.Promiscuous capture is disabled by default.For more information on the promiscous mode ofoperation, see the Feature Overview for Avaya WLAN8100, NN47251-102.

snap-length Specifies the file size of the packet capture, after whichthe capture is truncated.The range is 32 to 1024 bytes. The default snap-lengthis 128 bytes.An AP forwards CAPWAP encapsulated wirelesspackets to the observer PC. Snap-length is the size ofthe wireless packet including the 802.11 headers.You may notice malformed packets in Wireshark whenuse a lower sized snap-length.

Note:In Wireshark, when the packet length exceeds theconfigured snap length in the capture profile, thecaptured packets show as Malformed. The defaultvalue of the snap length is 128 and the value canbe modified between 32 and 1024.

Commands to configure Capture Instances



Configure capture instanceCommand Parameters Descriptionstart ap Specifies the AP MAC address to start the wireless

capture instance.profile Specifies the capture profile.

stop all Stops all wireless capture instances.ap Specifies the AP MAC address to stop the wireless

capture instance.profile Specifies the capture profile to stop.

delete all Deletes all the wireless capture instances.ap Specifies the AP MAC address to delete the wireless

capture instance.profile Specifies the capture profile to delete.

restart all Restarts all the wireless capture instances.ap Specifies the AP MAC address to restart the wireless

capture instance.profile Specifies the capture profile to restart.

Related LinksConfiguring and managing Remote Packet Capture on page 19

Configuring and managing Client Band Steering and Client loadbalancing

Client Band Steering is a technique used to increase the overall capacity of a dual-band wirelessnetwork composed of multiple APs that use both the 2.4 GHz and 5.0 GHz radios.You typically enable Client Band Steering and Client Load Balancing when you configure Accessradio profiles.Client stations predominantly support 2.4GHz. Many modern client stations have dual-band supportyet tend to favor connection to 2.4GHz networks (although some popular modern clients still onlysupport 2.4GHz, e.g. the Apple iPhone 4). As a result, dual-band networks have the 2.4GHz bandheavily utilized, and the 5GHz band under utilized. The objective of Client Band Steering is toencourage 5GHz capable client stations to use the 5GHz radio instead of the 2.4GHz radio, leavingthe 2.4GHz radio for stations that only support 2.4GHz.As part of Client load-balancing configuration, you enable/disable the Load balancing. After youenable load balancing, you configure the following parameters:

utilization-start (%) Utilization level at which client association load balancing begins utilization-cutoff (%) Client association load balancing cutoff. If this threshold is exceeded,

all further client associations are refused.



Important:This cutoff is useful so that controller CPU utilization is maintained at an optimum level. IfCPU utilization goes beyond 100%, it causes the controller to restart which in turn resultsin an unprecedented controller outage.

About this taskUse this procedure to configure client band steering and client load balancing in access radioprofiles.Procedure

1. Create an Access Radio profile.Configure A-N and BG-N radio profiles to support different radio frequencies. The followingexamples shows the creation of A-N and BG-N radio profiles with the country code specifiedas US and the AP model specified as ap8120/E. For an outdoor AP, specify the AP modelas ap8120O in the command.WC8180(config-wireless)#radio-profile 3 country-code US ap-model ap8120/Eaccess-wids a-nCreating a radio-profile (id = 3) with country-code = US and ap-modelAP8120/E...WC8180(config-radio-profile)#profile-name A-NWC8180(config-radio-profile)#exitWC8180(config-wireless)#radio-profile 4 country-code US ap-model ap8120/Eaccess-wids bg-nCreating a radio-profile (id = 4) with country-code = US and ap-modelAP8120/E...WC8180(config-radio-profile)#profile-name BG-NWC8180(config-radio-profile)#exit

2. Enable client band steering and load balancing using the following commands.WC8180(config-wireless)#radio-profile 3Entering radio-profile (id = 3) configuration mode...WC8180(config-radio-profile)#band-steering enableWC8180(config-radio-profile)#load-balance enableWC8180(config-radio-profile)#load-balance utilization-start 30WC8180(config-radio-profile)#load-balance utilization-cutoff 60WC8180(config-wireless)#radio-profile 4Entering radio-profile (id = 3) configuration mode...WC8180(config-radio-profile)#band-steering enableWC8180(config-radio-profile)#load-balance enableWC8180(config-radio-profile)#load-balance utilization-start 30WC8180(config-radio-profile)#load-balance utilization-cutoff 60


Configuring and managing Captive PortalsThe following sections describe the configuration and management of Captive Portals using theACLI.



Note:The current release of WLAN 8100 supports certificate mapping to either a RADIUS applicationor a Captive Portal. For more information, see Mapping a certificate on page 55.

Related LinksACLI reference for the Wireless LAN (WLAN) 8100 on page 11Configuring Captive Portal general settings on page 30Configuring Captive Portal profiles on page 31Redirecting the URL for Captive Portals on page 35Configuring the Web hostname in Captive Portals on page 36Customizing Captive Portals updating Captive Portal locale on page 36Customizing Captive Portal using static HTML pages on page 38Managing Captive Portals on page 40Viewing Captive Portal network status on page 41Viewing current Captive Portal configuration on page 41

Configuring Captive Portal general settingsAbout this taskUse the following commands to configure Captive Portal general settings.CLI reference:WCP8180(config-wireless)#captive-portal ?Parameters: auth-timeout Authentication session timeout period enable Enable captive portal feature on the system http-port Configure additional HTTP port https-port Configure additional HTTPS port stats-report-interval Interval between statistics reports to peer controller tftp-server Set TFTP server IP address for Captive Portal Image customizationSub-Commands/Groups: profile Create/Modify a specific captive portal profileWCP8180(config-wireless)#captive-portal

Procedure1. Enter the wireless configuration mode of the ACLI.2. Use the command captive-portal enable to enable Captive Portal service.3. Use the command captive-portal auth-timeout to set the

authentication timeout value in seconds.4. Use the command captive-portal http-port to configure the Captive

Portal HTTP port.5. Use the command captive-portal https-portal to configure the

Captive Portal HTTPS port.6. Use the command captive-portal stats-report-interval to

configure the statistics reporting interval in seconds.



7. Use the command captive-portal tftp-server toconfigure the TFTP server IP address for Captive Portal customization. Captive Portalcustomization files (such as Captive Portal messages, logo image, background image andfont-set) for a customized guest user login experience, are typically stored on a TFTP server.The controller when configured with the TFTP server IP address can access the server andupload the customization files.

Configuring Captive Portal profilesA Captive Portal profile is an instance of a specific Captive Portal configuration set. It specifiesglobal attributes to customize Captive Portal interfaces, session timeout (for example, authenticationsession timeout) and usage limits for users. You can store image files for customizing the CaptivePortal login page on a TFTP server, and specify the TFTP server IP address in a Captive Portalprofile. The controller (WC 8180) provides a way to protect the wireless system IP address fromguest user access using Captive Portal profiles.The Captive Portal IP address is used for Captive Portal user access. All Captive Portal user clientssend HTTP/HTTPS GET requests to this IP address which is then mapped to a Web host nameinternally. The client HTTP/HTTPS GET requests are load-balanced based on the client MACaddress.

Note:The Captive Portal IP address must be an active VLAN interface IP on any controller in thedomain, except the Management VLAN IP, the System VLAN IP, or the wireless interface IP ofthat controller. The Captive Portal IP must exist physically in one of the domain controllers.Note:The current release of WLAN 8100 allows you to configure up to 8 Captive Portal IP addressesfor a single Captive Portal profile. Avaya recommends that you configure as many CaptivePortal IP addresses for a Captive Portal profile as there are controllers in the domain. Forexample, if there are 8 controllers in the domain, configure up to 8 Captive Portal IP addressesfor a single Captive Portal profile.

CLI Reference:WCP8180(config-wireless)#captive-portal profile 1Entering captive-portal-profile (id = 1) ...

WCP8180(config-cp-profile)#ip ? A.B.C.D IPv4 Address

Procedure1. Enter the wireless configuration mode of the CLI.2. Use the command captive-portal profile to configure a Captive

Portal. Use a profile ID, for example 3.WCP8180(config-wireless)#captive-portal profile ? Captive portal profile ID



WCP8180(config-wireless)#captive-portal profile 3Entering captive-portal-profile (id = 3) ...WCP8180(config-cp-profile)#?Captive Portal Profile Configuration Commands block Block traffic for this profile color Set Captive-portal color scheme default Set captive portal parameters to default settings end End configuration mode exit Exit out of captive portal profile configuration mode idle-timeout Configure session idle timeout ip Captive-portal IP addresses locale Configure captive portal locale settings max-bandwidth Configure max bandwidth limit for transmit or receive max-octets Configure max octets available per session no Disable captive portal profile settings profile-name Set captive portal profile name protocol-mode Set captive portal protocol mode redirect Enable HTTP redirect mode after authetication redirect-url Configure redirected URL session-timeout Set session timeout. user-logout Enable user-logout mode for captive portal users walled-garden Captive-portal Walled Garden hostname configuration mode web-hostname Configure web hostname for Captive-PortalWCP8180(config-cp-profile)#

3. Use the command show wireless captive-portal profile detail to showdetails of the Captive Portal profile details for a specific Captive Portal profile.

4. Use the command captive portal profile block to blockprofile traffic.

5. Use the command captive portal profile color to set theCaptive Portal color scheme.Command options:WCP8180(config-cp-profile)#color ? background Set background color foreground Set foreground color separator Set separator color

6. Use the command captive portal profile default to setCaptive Portal profile parameters to default settings.

7. Use the command captive portal profile idle-timeout toset the Captive Portal session idle timeout value. Enter the time in seconds. The range is 0to 2100000000 seconds.

8. Use the command captive portal profile ip to configure aCaptive Portal IP interface. Use the command, no ip < ip-address> to remove thecaptive portal IP interface.

9. Use the command captive portal profile locale to set theCaptive Portal locale settings.For more information, see Customizing Captive Portals updating captive portal locale onpage 36.



10. Use the command captive portal profile max-bandwidthto configure the maximum transmit and receive bandwidth limits.Command options:WCP8180(config-cp-profile)#max-bandwidth ? down Set receive bandwidth limit up Set transmit bandwidth limitWCP8180(config-cp-profile)#max-bandwidth down ? Bandwidth in bits per secondWCP8180(config-cp-profile)#max-bandwidth up ? Bandwidth in bits per second

11. Use the command captive portal profile max-octets toconfigure the maximum session octets.Command options:WCP8180(config-cp-profile)#max-octets ? input Set max input octets per session output Set max output octets per session total Set max total octets per sessionWCP8180(config-cp-profile)#max-octets input ? Enter max allowed in bytes

12. Use the command captive portal profile profile-name toset the profile name.

13. Use the command captive portal profile protocol-modeto set the protocol mode.Command options:WCP8180(config-cp-profile)#protocol-mode ? http HTTP mode https HTTPS mode

14. Use the command captive portal profile redirect enableHTTP redirect mode after authentication.

15. Use the command captive portal profile redirect-url toconfigure the redirect URL.For more information, see Redirecting the URL for captive portals on page 35.

16. Use the command captive portal profile session-timeout to set the session timeout value. Enter a time in seconds. The range is 0 to2100000000.

17. Use the command captive portal profile user-logout toenable user logout.

18. Use the command walled-garden to enter the Captive Portal Walled Garden host-nameconfiguration mode.Sometimes, a Captive Portal user may need to access network resources in the intranet orpublic Web sites from an enterprise network, without requiring to first undergo Captive Portal



authentication. To support these user requirements, the WLAN 8100 allows configuration ofthe IP addresses of Web hosts in a Captive Portal profile so that the user can access thesehosts without the need for authentication. This is the Captive Portal Walled Garden feature.The Walled Garden feature also enables you to configure access to certain Web hosts withinthe network for unauthenticated users. After you configure the host IP address of the Webhost, the users will have access to all Web pages hosted on that server. This is especiallyuseful when you want to open up specific information, policy or guest registration Web sitesfor unauthenticated clients or guest users.

Note:You can configure up to 8 Captive Portal walled-garden hosts in a single Captive Portalprofile.

Use the following command options to configure the host name and host type. Currently onlyIP address is supported as a host type.WC8180(config-cp-profile)#walled-garden ? hostname Walled garden hostname or IP addressWC8180(config-cp-profile)#walled-garden hostname ?WORD IP address (1-255 characters)WC8180(config-cp-profile)#walled-garden hostname 10.1.1.2 ?type Walled garden hostname TypeWC8180(config-cp-profile)#walled-garden hostname 10.1.1.2 type ?ip-addr IP address type

Example: Use the following command to configure a Walled Garden host IP address.WC8180(config-cp-profile)#walled-garden hostname 10.1.1.2 type ip-addr

Verify the configuration.WC8180#show wireless captive-portal profile 1 detailCaptive Portal Profile ID: 1........ Web Hostname : xyz.com Foreground Color : #6F7B82 Background Color : #6F7B82 Separator Color : #CC0000 Walled Garden Hostname : 10.10.10.20 Walled Garden Hostname : 10.10.10.30 CP IP Address : 10.1.2.2 CP IP Address : 10.1.2.3........

19. Use the command captive portal profile web-hostname toconfigure the Web host name for Captive Portal.WCP8180(config-cp-profile)#web-hostname ? WORD DNS name (1-255 characters)

ExampleView a sample Captive Portal profile configuration using the command show running-configmodule wireless captive-portal.WC8180(config-cp-profile)#show running-config module wireless captive-portal! Embedded ASCII Configuration Generator Script



! Model = Wireless LAN Controller WC8180! Operation Mode = WC! Software version = v2.1.0.015!! Displaying only parameters different to default!================================================

...

captive-portal enablecaptive-portal profile 1profile-name Defaultno user-logoutsession-timeout 28800color background #6F7B82color foreground #6F7B82color separator #CC0000walled-garden hostname 10.10.10.20 type ip-addrwalled-garden hostname 10.10.10.30 type ip-addrwalled-garden hostname 10.10.10.40 type ip-addrlocalesuccess-msg browser-title 004300610070007400690076006500200050006F007200740061006C0020002D0020004C006F00670067006500640020004F00750074exitexit

...

Redirecting the URL for Captive PortalsAfter authentication of a guest user, by default, the Captive Portal welcome page is displayed to theuser. Use the Captive Portal redirect command to specify a Web page URL (different from that ofthe default welcome page), to redirect a Captive Portal guest user request to, after authentication.For this, you must first enable redirect on the Captive Portal.The behavior of the Captive Portal redirect command is as follows:

If redirect is enabled but no redirect-url is configured, user requests are redirected to thepreviously requested URL.

If redirect is enabled and a redirect-url is configured, user requests are redirected to thespecified Web page URL. The URL can be that of a corporate portal, guest portal or any Website reachable by the wireless clients.

If redirect is disabled, then, after user authentication the default Captive Portal welcome pagedisplays.

Use the following commands to configure the redirect URL in a Captive Portal:1. Enter the wireless configuration mode of the ACLI.2. Enter Captive Portal profile configuration.3. Use the command captive portal profile redirect enable

HTTP redirect mode after authentication.4. Use the command captive portal profile redirect-url to

configure the redirect-URL.WCP8180(config-cp-profile)#redirect-url ? WORD Redirect HTTP URL (1-255 characters)



Note:The supported characters in the redirect-URL are the underscore (_), dash (-), period (.),percentage (%), colon (:), forward slash (/), question mark (?) and the equal sign (=).Note:To enter the question mark (?) character in CLI, use the escape character which is theback slash (\), before the question mark character.For example, if the redirct-URL is http://www.google.com?test=ag, you mustenter http://www.google.com\?test=ag.

5. Use the command captive portal profile no redirect todisable redirection.

6. Use the command default redirect-url to reset the redirect-url to the defaultvalue.

Configuring the Web hostname in Captive PortalsYou can configure a Web host-name to mask a Captive Portal IP address, from guest users. A Webhost-name helps restrict exposure of the WLAN 8100 system IP addresses to a guest user.

Note:The default Web host-name is .cp-login.com.1. Enter the wireless configuration mode of the ACLI.2. Enter Captive Portal configuration.3. Use the command captive-portal profile to go to the captive portal profile.4. Use the command web-hostname to change the Web hostname.5. Use the command default web-hostname to reset the Web hostname to the default

value.Customizing Captive Portals updating Captive Portal locale

Configure Captive Portal locales for Captive Portal service presentation. Here you can defineCaptive Portal messages, logo image, background image and font-set. You can download acustomized Captive Portal locale file from the TFTP server. For each Captive Portal profile there canbe only one locale. The locale also has localization configuration.About this taskCLI reference:Procedure

1. Enter the Captive Portal configuration in the CLI.2. Use the command captive-portal profile to go to the Captive Portal profile.

WCP8180(config-wireless)#captive-portal profile 1Entering captive-portal-profile (id = 1) ...



3. Enable customization on the Captive Portal profile.WCP8180(config-cp-locale)# custom ?

4. Configure the Captive Portal locale using the following options:Important:When configuring Captive Portal locale using command options that require strings (text)as parameters, like for example, login-msg or error-msg, ensure that you providethe UTF 16 equivalent of those strings. These commands do not accept strings as is.

WCP8180(config-cp-profile)#localeWCP8180(config-cp-locale)#?Captive Portal Locale Configuration Commands code Set locale code(browser preferred language) custom Enable Captive-Portal customization mode custom-file Configure Captive-Portal Customization package filename default Set captive portal parameters to default settings end End configuration mode error-msg Configure captive portal locale error message exit Exit out of locale configuration mode font-list Set captive-portal HTML page font image Configure captive portal locale image name link Set locale link text for user identification. login-msg Configure captive portal locale login message logout-msg Configure captive portal locale logout message no Disable Captive-Portal Locale setting popup-msg Set text to remind user to allow popups from our web site script-msg Set text to notify user if their browser has javascript disabled success-msg Configure captive portal locale logout success message welcome-msg Configure captive portal locale welcome message wip-msg Set message indicating authentication in progressWCP8180(config-cp-locale)#

The following are the command options to configure images in Captive Portal locales:Important:Ensure that the image files satisfy the following criteria: The image file format is one of .jpg, .gif, .png, .tif or .bmp. The size of custom images (logo, background, logout image) must not exceed 1Mb

each. The image filename does not exceed 31 characters.

WC8180(config-cp-locale)#image ? account Set image name for accounting identification background Set image name for background appearence branding Set image name for branding appearence logout-background Set image name for logout background appearenceWC8180(config-cp-locale)#image

ExampleThe following is a sample usage of the command wip-msg to set a message indicating thatauthentication is in progress:WC8180(config-cp-locale)# wip-msg 0074006500730074



In the above example, 0074006500730074 is the UTF 16 equivalent of the word test.

Customizing Captive Portal using static HTML pagesUse this procedure to customize the Captive Portal user login experience using static HTML pages.Captive Portal customization using static HTML pages helps you update only those Web pages thatare displayed during the Captive Portal user login process (that is, during user authentication).After successful authentication, a standard HTML page is used to display a welcome message tothe user. You can however specify a redirect URL to redirect the user to, like a corporate portalpage or a service main page. For more information on configuring the redirect URL, see Redirectingthe URL for captive portals on page 35.Before you begin

You have configured the TFTP server IP address on the controller, using the followingcommand:In this example, 172.16.1.11 is a sample TFTP server IP address.WC8180#config tEnter configuration commands, one per line. End with CNTL/Z.WC8180(config)#wirelessWC8180(config-wireless)#captive-portal tftp-server 172.16.1.11

Procedure1. Create the constituent HTML files:

captive_portal_custom.html which Captive Portal users see on first time login. cp_custom_error.html which captive-portal users see when authentication error

happens. cp_custom_refresh.html which captive-portal users see when waiting for authentication

results.Note:Ensure that you retain the exact names of the HTML files. Otherwise the controllercannot recognize these files and the Captive Portal service will not work.

2. Create a package (.zip) file containing the HTML files. If you want to embed images in yourportal page, add appropriate HTML tags (for example,

Total package file size does must not exceed 4 Mb and each profile size must notexceed 8 Mb.

The zipped file must not contain any directory. All files must be in the same directory. The image file format is one of .jpg, .gif, .png, .tif and .bmp. The size of custom images (logo, background, logout image) must not exceed 1Mb

each. The image filename does not exceed 31 characters.

3. After creating the .zip file, copy the file to a TFTP server to upload it to the AMDC of thedomain.

Important:To enable the AMDC to upload the .zip file from the TFTP server, ensure that thecontroller is configured with the TFTP server IP address and the package filename (.zip)is specified when configuring the captive-portal locale.

4. If there are other controllers (for example, peers) in the domain, ensure that you run theconfig-sync command to push the AMDC configuration to all controllers in the domain.Verify that all controllers are synchronized.

5. Run the wireless captive-portal tftp-get command to upload the .zip file to thecontroller. This is one time action command.If you run the action command without any parameters, all controllers in the domain uploadall the customization files (including customization package and customization image files foraccount, brand, background and logout). If the controllers have multiple locales, thiscommand examines the current configuration and if the new configuration is different, itforces an upload.You can also specify the following parameters in the action command: Peer controller IP address Profile Id and locale Id File type (account, brand logo, background, logout background and package file) Action flag

After the customization package file is uploaded to your controller, it is not removed in theflash unless you run the default command or perform another upload. You can also usethe default command to reset the configuration and to remove the corresponding file.

6. Verify the status of the upload in the Captive Portal locale by running the show wirelesscaptive-portal locale command. The status can be one of the following: None the upload was not started Success the upload was successful In Progress the upload is in progress



Transfer Failure the upload failed because of network connectivity issues. Verification Failure the upload failed because of an incorrect .zip file or the file is

missing one of mandatory html files File Not Found there is no matching file in the TFTP server Internal Error the file size is too big or the flash file system is full File Max Size Exceeded the TFTP file exceeds the file size limit (For image, 1Mb. For

package, 4Mb) Profile Max Size Exceeded the Captive-portal profile disk usage exceeds the limit

(8Mb)Related Links

Configuring and managing Captive Portals on page 29

Managing Captive PortalsCLI reference:WC8180#wireless captive-portal ?Captive portal run time settings client-deauthenticate Deauthenticate a specific client tftp-get Execute TFTP client to get customization filesWC8180#wireless captive-portal client-deauthenticate ? all Deauthenticate all clients captive-portal-profile Deauthenticate the clients associated with captive-portal profile H.H.H Authenticated client MAC address network-profile Deauthenticate the clients associatd with network-profileWC8180#wireless captive-portal client-deauthenticate network-profile ? Network profile IDWC8180#wireless captive-portal client-deauthenticate captive-portal-profile ? Captive portal profile IDAMDC#wireless captive-portal tftp-get ? address Controller IP address

About this taskUse the following commands to manage Captive Portals.Procedure

1. Enter the wireless configuration mode of the CLI.2. Use the command wireless captive-portal client-deauthenticate all to

revoke authentication on all clients.3. Use the command wireless captive-portal client-deauthenticate captive-

portal-profile to revoke authentication on allclients associated with a particular Captive Portal profile.

4. Use the command wireless captive-portal client-deauthenticate to revoke authentication on a specific client.



5. Use the command wireless captive-portal client-deauthenticate networkprofile to revoke authentication from all clients associatedwith a particular network profile.

6. Use the command wireless captive-portal tftp-get to execute the TFTP client toget customization files.

Related LinksConfiguring and managing Captive Portals on page 29

Viewing Captive Portal network statusUse the following commands to verify Captive Portal network status.Procedure

1. Use one of the following commands to view the Captive Portal network status for a specificCaptive Portal profile Id and network profile Id.show wireless captive-portal network-status CP-profile network-profile show wireless captive-portal network-status network-profile CP-profile

2. Use the following command to view the Captive Portal network status.show wireless captive-portal network-status


Viewing current Captive Portal configurationView the current Captive Portal configuration.Procedure

Enter the following command to view the current Captive Portal configuration of the WLAN8100 system. This command only displays configuration that is different from the defaultconfiguration.WC8180#show running-config module wireless captive-portal


Configuring and managing External Captive PortalsThe following sections describe the configuration and management of Captive Portals using theACLI.




Configuring the External Captive Portal IP on page 42Switching Captive Portal Modes on page 44Creating a DAC Client Entry on page 45Show a DAC Client Entry on page 46Configuring the DAC RADIUS Shared Secret Key on page 46Configuring the DAC Timewindow on page 47

Configuring the External Captive Portal IPUse the following procedure to configure the IP addresses for the External IP address.About this taskExternal captive-portal IP configuration is subject to captive-portal profile configuration. Thecommand only accepts valid IPv4 addresses for both the controller and external captive-portalserver, and uses no other command line argument. Each controller on the domain uses a uniqueexternal captive-portal IP address. In order to accommodate this, each CP profile can have up to 32external IP addresses.Procedure

1. Use the command captive-portal profile to configure a CaptivePortal.WC8180(config-wireless)#captive-portal profile

2. Set the Captive Portal IP Address and

Date post:	28-Sep-2015
Category:	Documents
Upload:	juan-pablo-arias
View:	13 times
Download:	4 times

NN47251-107_07_01_CLI_Reference

Documents