Fortress Mesh Point Software CLI Guide www.gdc4s.com © 2015 General Dynamics C4 Systems, Inc.
Fortress ES-Series CLI Guide Fortress Mesh Point Version 5.4.5 Software CLI Guide 009-00036–00v5.4.5 Copyright © 2015 General Dynamics C4 Systems, Inc. All rights reserved. This document contains proprietary information protected by copyright.
This product uses Dynamic Host Control Protocol, Copyright © 2004–2010 by Internet Software Consortium, Inc. Copyright © 1995–2003 by Internet Software Consortium. All rights reserved. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) Copyright © 1998-2011 The OpenSSL Project. All rights reserved.

IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. DOWNLOADING, INSTALLING OR USING GENERAL DYNAMICS C4 SYSTEMS' SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT. GENERAL DYNAMICS C4 SYSTEMS, INC., WILL LICENSE ITS SOFTWARE TO YOU THE CUSTOMER (END USER) ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS END USER LICENSE AGREEMENT.

iv. Disclose, provide, or otherwise make available trade secrets contained within the Software and Documentation in any form to any third party without the prior written consent of Fortress. Customer shall implement reasonable security measures to protect such trade secrets.

For U.S.

installed, operated, repaired or maintained in accordance with instructions provided by Fortress. The warranty is voided by removing any tamper evidence security sticker or marking except as performed by a Fortress authorized service technician. Fortress does not warrant uninterrupted or error-free operation of any Products or third party software, including public domain software which may have been incorporated into the Fortress Product.

Limitation of Liability
Circumstances may arise where, because of a default on Fortress' part or other liability, Customer is entitled to recover damages from Fortress.

use. User agrees to indemnify and hold harmless General Dynamics C4 Systems, Inc. from any fines, costs or expenses resulting from or associated with unauthorized use of this frequency range. This EULA Addendum does not apply to Fortress products that do not contain 4.4 GHz radios.
Table of Contents

1 Introduction 1
  This Document 1
  Related Documents 1
  Network Security Overview 2
  Fortress Security Systems 2
  Fortress Hardware Devices

3 Networking and Radio Configuration 27
  Network Interfaces 27
  Network Bridging 28
  Bridging Configuration 29
  FastPath Mesh Bridging
  BSS Fortress Security Zone
  FastPath Mesh BSS Cost Offset
  BSS Multicast Settings
  Bridging MTU and Beacon Encryption

4 Network Security, Authentication and Auditing 109
  Fortress Security Settings 109
  Operating Mode 109
  FIPS Settings 111
  MSP Encryption Algorithm
  Global User and Device Authentication Settings 146
  Local 802.1X Authentication Settings 147
  OCSP Authentication Server Settings 148
  OCSP Cache Settings and Management

6 System and Network Monitoring 185
  Viewing System Information 185
  Viewing the Mesh Point Device ID 185
  Viewing System Uptime 186
  Monitoring Connections 186
  Viewing AP Associations
Chapter 1 Introduction

1.1 This Document
This user guide covers configuring, managing and monitoring any current-model Fortress Mesh Point through the command-line interface (CLI). Fortress Mesh Point user guidance is intended for professional system and network administrators and assumes that its users have a level of technical expertise consistent with these roles.
1.2 Network Security Overview
Network security measures take a variety of forms; key components include:
- Confidentiality or privacy implementations prevent information from being derived from intercepted traffic.
- Integrity checking guards against deliberate or accidental changes to data transmitted on the network.

authenticating and encrypting Wireless Distribution System (WDS) links. Table 1.1 shows the various hardware configurations and capabilities of current Fortress hardware devices.

Table 1.1 Radios and Ethernet Ports in Fortress Hardware Devices
  ES2440, 4 radios: Radio 1 802.11a/g/n (no); Radio 2–Radio 4 802.11a/n (yes)
  ES2440, 2 radios: Radio 1 802.11a/g/n (no); Radio 2 802.11a/n (yes)
  ES820, 2 radios; ES520, 2 radios; ES210, 1 radio

DeviceIP: 192.168.4.9
Gui: On
Ssh: On
Snmp(V3): Off
Firmware version: 1.14.52
Time till reboot: not set

Figure 1.1 ES-Series Product Model Number Explication
The Platform identifier for Fortress's first-generation ES-series Mesh Points is three digits, as shown in Figure 1.1. The number "2" prefixed to the ES2440's platform number identifies the High-Capacity Infrastructure Mesh Point as a next-generation ES-series Fortress platform.

Mesh Point GUI
The graphical user interface for Fortress Mesh Points is a browser-based management tool that provides administration and monitoring functions in a menu- and dialog-driven format. It is accessed over the network via the Mesh Point's IP address. The Mesh Point GUI supports Microsoft® Internet Explorer and Mozilla Firefox™. Using the Mesh Point GUI is covered in the Fortress Mesh Point Software GUI Guide.
Chapter 2 Mesh Point CLI and Administrative Access

2.1 Mesh Point CLI
The Fortress Mesh Point's command-line interface provides a complete set of commands for managing the Fortress Mesh Point and the network it secures, through a direct connection to the Mesh Point's serial console port or remotely, through the Mesh Point's encrypted or clear zone, using Secure Shell (SSH).

2.1.1 Accessing the Mesh Point CLI via the Serial Console Port
1 Using a null modem cable, connect the Fortress Mesh Point's Console port to a serial port on a computer.

If the administrative account you are logging on to requires the password to be changed, you must do so before you can proceed and then log on again with the new password to gain access through the account. As shown, if the first password entry fails the complexity check, the Mesh Point CLI automatically displays the password requirements in effect on the Mesh Point.

To log off the Mesh Point CLI, use exit or its synonyms:
> exit
> quit
> q
The Mesh Point CLI will time out and exit after a specified period of inactivity (10 minutes, by default), and you must log back in to regain access. This behavior is configurable (refer to Section 2.2.1).

2.1.4 Accessing Mesh Point CLI Help
Use the help command (or its synonym, ?) without arguments to obtain a list of valid commands.

Obtain a usage example of command options for interactive commands, and list the option's valid switches and arguments with a brief explanation of each, by entering help (or its synonym, ?) after the command option:
# set network ?
Description: Sets network configuration
Usage: set network [-enable ][-h hostname][-ip IP][-nm netmask][-gw defaultGW]
-enable y|n: to enable IPv4
-h hostname: name (will be shown in prompt)
-ip IP: a vali
Angle brackets indicate variable, user-supplied inputs (parameters and variable arguments), which are also italicized. The absence of angle brackets and italics indicates literal (or fixed) user-supplied input (ex., y|n). Pipes are placed between mutually exclusive arguments (ex., y|n). An ellipsis indicates that the argument can include more entries of the same kind (ex.
session per administrative account is supported, regardless of Role. You can update administrator accounts, add new accounts and delete any account except for the three preconfigured accounts and (if different) the only remaining account with a Role of administrator (refer to Section 2.2.3). You can reconfigure the Role of any administrative account, including the preconfigured accounts.

Failures:
--------
Password changes rejected for history: 0
Password changes rejected for complexity: 0
Password changes rejected for uniqueness: 0

2.2.1.1 Password Complexity and Expiration
History Depth specifies how many new passwords must be created for administrator accounts before previously used passwords can be reused.

indicates the amount of time to wait before allowing a login after any failed login attempt. Locally authenticating administrators are permitted a maximum of three failed logon attempts by default, but since permanent lockout and lockout duration are both disabled by default, administrators who exceed the maximum are not locked out. Maximum failed logon attempts (MaxAttempts) can be set from 1 to 9.

To use the internal Fortress RADIUS Server to authenticate administrators:
You must execute the commands below in the order given.
1 Enable the internal authentication server to provide local authentication:
# set localauth
EnableLocalAuth[N] (Y|N to enable|disable local authentication server): y
Port[1812] (Port number to communicate):
SharedKey (Authentication key): authkey
Priority (Local server priority [0..

To use a remote Fortress RADIUS Server to authenticate administrators:
To use a RADIUS server running on another Mesh Point on the network to authenticate administrators for the current Mesh Point, you must configure an entry for the remote server on the current Mesh Point (with the add auth command).

The Mesh Point CLI displays the configurable fields for set account one at a time. Enter a new value for the field, or leave the field blank and the setting unchanged, and strike Enter↵ to display the next field.
An Audit setting of automatic causes the account to conform to the global audit logging settings (refer to Section 4.7).

Password requirements for locally authenticating administrative accounts are global and configurable (refer to Section 2.2.1). If you are changing the password for the account you are currently logged on through, you will be returned to the Login prompt: re-enter the account username and enter the new password to re-access the Mesh Point CLI.
or more permitted IP addresses (with optional descriptions) to the IP address access control list and enabling the function:
# add ipacl -ip -desc
[OK]
# set ipacl -enable y
[OK]
You can add additional IP addresses to the permitted list at any time.
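The following Python is an added illustration, not Fortress code and not the Mesh Point's own implementation: it models the administrative-access controls described in this chapter (password History Depth, MaxAttempts with lockout duration and permanent lockout, and the IP address access control list) so that the interaction of the settings can be exercised. The class and function names, the result strings and the sample client addresses are assumptions constructed for the example; the defaults follow this guide (three attempts, both lockout settings disabled, IP ACL disabled).

```python
"""Added example, not Fortress code: a model of the administrative-access
controls described in this chapter (password History Depth, MaxAttempts with
lockout duration / permanent lockout, and the IP address access control list).
Class and function names are assumptions; defaults follow the guide's text
(three attempts, both lockout settings disabled, IP ACL disabled)."""
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class AdminPolicy:
    history_depth: int = 0           # previous passwords that may not be reused
    max_attempts: int = 3            # failed logons allowed (guide: 1..9, default 3)
    lockout_seconds: int = 0         # lockout duration; 0 = disabled (default)
    permanent_lockout: bool = False  # disabled by default
    ipacl_enabled: bool = False      # set ipacl -enable y|n
    ipacl: List[str] = field(default_factory=list)  # add ipacl -ip ... (addresses or CIDRs)


@dataclass
class AdminAccount:
    name: str
    password_hashes: List[str] = field(default_factory=list)  # oldest first
    failed_attempts: int = 0
    locked_until: float = 0.0
    permanently_locked: bool = False


def _digest(password: str) -> str:
    # Demo only: a production system stores salted, slow password hashes.
    return hashlib.sha256(password.encode()).hexdigest()


def source_permitted(policy: AdminPolicy, client_ip: str) -> bool:
    """IP ACL: when enabled, only listed sources may open a management session."""
    if not policy.ipacl_enabled:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in policy.ipacl)


def change_password(policy: AdminPolicy, account: AdminAccount, new_password: str) -> bool:
    """Reject a password that is still within the configured History Depth."""
    recent = account.password_hashes[-policy.history_depth:] if policy.history_depth else []
    if _digest(new_password) in recent:
        return False
    account.password_hashes.append(_digest(new_password))
    return True


def attempt_login(policy: AdminPolicy, account: AdminAccount,
                  client_ip: str, password: str, now: float) -> str:
    """Return 'ok', 'bad-password', 'locked' or 'denied-ipacl' for one logon attempt."""
    if not source_permitted(policy, client_ip):
        return "denied-ipacl"
    if account.permanently_locked or now < account.locked_until:
        return "locked"
    if account.password_hashes and _digest(password) == account.password_hashes[-1]:
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= policy.max_attempts:
        account.failed_attempts = 0
        if policy.permanent_lockout:
            account.permanently_locked = True
        elif policy.lockout_seconds:
            account.locked_until = now + policy.lockout_seconds
        # With both lockout settings disabled (the default), the account is
        # not locked even though MaxAttempts was exceeded, as the guide notes.
    return "bad-password"
```

With the defaults, repeated wrong passwords keep returning 'bad-password' rather than 'locked', which is the behaviour the text describes; configuring a lockout duration (or permanent lockout) is what turns MaxAttempts into an enforced limit, and the IP ACL rejects a session before the password is ever examined.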
Audit Status: required
SNMP is disabled on the Mesh Point by default.
To configure SNMP:
Configure the Mesh Point's SNMP settings interactively with set snmp:
# set snmp
EnableV3SNMP[N] (Y|N to enable|disable Version 3 SNMP): y
Contact[""] (Name of contact person):

Use the add and del (delete) commands to configure SNMP traps, as follows:
# add snmptrap -ip -c "comment for display"
configures Fortress Mesh Point SNMP traps to be sent to the SNMP management application on the server at the specified network address and, optionally, appends a comment to be displayed with the trap. Fortress's MIB is available for download from: www.gdc4s.com.
Chapter 3 Networking and Radio Configuration

3.1 Network Interfaces
Multiple Mesh Points can be connected through their wired and/or wireless interfaces to form fixed or mobile tactical mesh networks and to bridge or extend the reach and availability of conventional hierarchical networks. Different models of Fortress Mesh Point chassis feature varying numbers of user-configurable Ethernet ports.

these are Radio 2. In a four-radio ES2440, Radio 2, Radio 3 and Radio 4 are all in this category. In Fortress Mesh Points equipped with any number of radios, the standard-equipment Radio 1 is a dual-band 802.11a/g (or 802.11a/g/n) radio. Radio 1's 802.11g capability typically indicates its use to provide wireless access to devices within range.

On certain model Mesh Points (ES820-35, ES2440-35, ES2440-3555, ES2440-3444 and ES2440-3444m), FastPath Mesh also permits multiple internal radios to be combined into a single virtual FastPath Mesh bridging radio using a common channel (refer to Section 3.3.5 for more detail). Supported FastPath Mesh and STP network topologies are illustrated and described in detail in the Introduction to the Fortress Mesh Point Software GUI Guide.

If you are certain that connected Mesh Points are physically configured so that no possibility exists of a bridging loop forming, you can disable bridging link management by setting the bridging mode to off.
# set bridging -mode off
You must be logged on to an administrator-level account to change configuration settings (refer to Section 2.2).

The ULA is not configurable. You can use set bridging to enter a specific 16-bit hexadecimal subnet identifier. The default is 0x8895.

# set bridging -cost-parameters -a -b

3.2.2.1 Multicast Snooping
When the bridging mode is configured to be mesh, the Mesh Point automatically snoops IGMP and MLD multicast protocols in order to provide a better multicast experience for the Non-Mesh Points (NMPs) it supports. The Mesh Point may also be configured to subscribe to a multicast group on behalf of an NMP.

You can change the multicast group subscriptions with the update mesh command:
# update mesh -multicast-group -ip |-mac -interface |-bss -vlan -mode listener|talker|both
You must be logged on to an administrator-level account to change configuration settings (refer to Section 2.2).

- Multicast transmit mode
- Packet interval
- Transmit control
- Clamping of multicast video
- Mesh routing reactivity
- Packet time to live value
- Frame processor mode

3.2.3.1 Selecting the FastPath Mesh Multicast Transmit Mode
The multicast transmit mode determines how multicast packets are transmitted over radio interfaces.

3.2.3.3 Setting the FastPath Mesh Transmit Control Level
The FP Mesh transmit control setting determines the resiliency level used for the transmission of control packets. This setting balances the trade-off between the resiliency of the control packet versus the air time consumed to send the routing update.

To determine where to set rssi and rate limits, consider the video stream's bit rate, the number of streams, other traffic, and so on. For example, Fortress recommends an RSSI floor of -80 dBm and bit-rate floor of 12 Mbps for a single, 3-Mbps video stream sent to a cluster of four receivers.
# set mesh -rssi -80 -rate 12
It is not necessary to continually change clamping mode values if RSSI is near the set limit.
temporary transient routing loop. In those special deployments, the protocol can suppress the loop more quickly if the Mesh Time To Live (TTL) is set. The default for the TTL is four hops, which is optimal for a large fully-connected mesh and acceptable for many other deployments.
access points (APs) to connect compatibly configured wireless devices to a wireless LAN (WLAN). FastPath Mesh is the default bridging mode. In addition to enabling/disabling STP with the -mode switch, you can use -p to set the priority number at which the Mesh Point will be used as the root switch in the STP configuration. The Mesh Point with the lowest priority number on the network serves as STP root. The default is 49152.
b. Channel Sharing: combining multiple radios into a virtual bridging radio, an option available with FastPath Mesh. Compare your Mesh Point's model number to Table 3.1 above to determine the number and type of radio(s) with which the Mesh Point you are configuring is equipped. Use show device (refer to Section 6.1) to view the model number and other system information.
strength of signals broadcast on particular frequencies according to different rules. If necessary, the Mesh Point filters options available for individual radio settings (Section 3.4) according to the requirements of the relevant regulatory domain as they apply to the Mesh Point's internal radios.

3.3.3 Unit of Distance Measure
Mesh Point radios are individually configured for the distance over which they transmit and receive (refer to Section 3.4). The unit used to measure the specified distance is itself a globally configured setting.

3.3.5 Channel Sharing
On ES820-35, ES2440-35, ES2440-3555, ES2440-3444 and ES2440-3444m model Mesh Points that are enabled for FastPath Mesh bridging (described in Section 3.2.2), you can combine certain of their internal radios into a single virtual bridging radio by enabling channel sharing. In certain deployments, such virtual channel-sharing radios can provide superior coverage and/or mobility for network bridging links.

Confirm: Reboot device now? [Y|N] y

3.4 Individual Radio Settings
View the current settings for the Mesh Point's radio(s) with show radio.
As described for Channel Sharing (Section 3.3.5, above), multiple Mesh Point radios can be combined to form a single virtual radio. The settings of radios combined in this way are still shown separately in show radio output. The channel sharing state of Mesh Points that support it is included in show radio output (Chan Sharing: Enabled), and radios that make up a channel-sharing virtual radio are shown to have identical settings.
radios included in it: radio1 or radio2 on the ES820-35 and ES2440-35; radio2, radio3 or radio4 on the ES2440-3555, ES2440-3444 or ES2440-3444m. Configuration changes made to any of the combined radios will be propagated to all of the radios that make up the virtual radio. AdminState normally displays the radio's actual operational state and corresponds with the configured value.

TransmitPower (auto|1..

RadioBand[802.11g](802.11b|802.11g|802.11nght20|802.11nght40plus|802.11nght40minus|802.11a|802.11naht20|802.11naht40plus|802.11naht40minus to set band):
ShortPreamble[enable] (enable|disable to set 802.11b short preamble):
[...etc.]
The short preamble is used by virtually all wireless devices currently being produced, so leaving the setting at its default enabled value is recommended for most network deployments.
3.4.2 Channel Selection
The ChannelToUse setting selects the portion of the radio spectrum the radio will use to transmit and receive, in order to provide wireless LAN access or to establish the initial connections in a mesh network. The channels available for user selection are determined by the frequency band the radio uses, subject to the relevant regulatory domain rules.
Table 3.2 shows radio channel-to-frequency mappings for radios using the 802.11b/g/n bands.
Table 3.2 Mapping 802.11b/g/n Radio Channels to Frequencies, in MHz (columns: Setting, Center, 802.11 b/g or 802.11n ht20, 802.11n ht40 Plus, 802.

Table 3.3 Mapping 802.11a/n Radio Channels to Frequencies, in MHz
Setting      Center   802.11a or 802.11n ht20   802.11n ht40 Plus   802.11n ht40 Minus
                      Low     High              Low     High        Low     High
Channel 161  5805     5795    5815              ~       ~           5775    5815
Channel 165  5825     5815    5835              ~       ~           ~       ~
Table 3.4 shows the channels available for selection when the Mesh Point is licensed for United States Public Safety operation, with the corresponding frequency.
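As an added example (not part of the guide), the following Python computes the center frequency and nominal low/high edges that Tables 3.2 and 3.3 list, for 20 MHz settings (802.11a/b/g and ht20) and for ht40 plus/minus. It uses standard 802.11 channelization: 2.4 GHz channel centers at 2407 MHz plus 5 MHz per channel number (channel 14 at 2484 MHz), 5 GHz centers at 5000 MHz plus 5 MHz per channel number, and the 40 MHz pairs 802.11n defines (the secondary channel four channel numbers above or below the primary, with 5 GHz pairs restricted to the standard 40 MHz channel centers). The "~" cells of Table 3.3 for channel 161 ht40 plus and for channel 165 follow from that pairing rule. Regulatory-domain and license restrictions (Sections 3.3 and 3.4.8) are not modelled; the function names are assumptions.

```python
"""Added example, not from the guide: center frequency and nominal low/high
edges for a channel setting, in the layout of Tables 3.2 and 3.3.
Standard 802.11 channelization is assumed; regulatory-domain availability is
not modelled. Function names are assumptions."""
from typing import Dict, Tuple

# 40 MHz channel centers 802.11n defines in the 5 GHz band (midpoints of valid pairs)
_HT40_CENTERS_5GHZ = {38, 46, 54, 62, 102, 110, 118, 126, 134, 142, 151, 159}


def center_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz (1-14) or 5 GHz (36-165) channel number."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    if 36 <= channel <= 165:
        return 5000 + 5 * channel
    raise ValueError(f"channel {channel} is outside the supported bands")


def channel_span(channel: int, mode: str = "ht20") -> Tuple[int, int, int]:
    """Return (center, low, high) in MHz.
    mode: 'ht20' (also plain 802.11a/b/g at 20 MHz), 'ht40plus' or 'ht40minus'."""
    primary = center_mhz(channel)
    if mode == "ht20":
        return primary, primary - 10, primary + 10
    if mode not in ("ht40plus", "ht40minus"):
        raise ValueError(f"unknown mode {mode!r}")
    partner = channel + 4 if mode == "ht40plus" else channel - 4
    if channel <= 14:
        # 2.4 GHz: any pair of channels 1-13 four apart; channel 14 never pairs
        if channel == 14 or not 1 <= partner <= 13:
            raise ValueError("no 40 MHz partner in the 2.4 GHz band")
    elif (channel + partner) // 2 not in _HT40_CENTERS_5GHZ:
        # e.g. 161 plus (partner 165) or 165 minus: not a defined 40 MHz channel
        raise ValueError("not a valid 5 GHz 40 MHz pair")
    secondary = center_mhz(partner)
    low, high = min(primary, secondary) - 10, max(primary, secondary) + 10
    return (low + high) // 2, low, high


def table_row(channel: int) -> Dict[str, object]:
    """One row in the layout of Table 3.3; ('~', '~') marks a pairing that cannot be formed."""
    row: Dict[str, object] = {"Setting": f"Channel {channel}", "Center": center_mhz(channel)}
    for mode, label in (("ht20", "ht20"), ("ht40plus", "ht40 Plus"), ("ht40minus", "ht40 Minus")):
        try:
            _, low, high = channel_span(channel, mode)
            row[label] = (low, high)
        except ValueError:
            row[label] = ("~", "~")
    return row


if __name__ == "__main__":
    for ch in (36, 149, 157, 161, 165):
        print(table_row(ch))
```

Running the block prints rows for a few UNII-1 and UNII-3 channels; the rows for 161 and 165 reproduce the values and "~" cells shown in Table 3.3 above.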
Table 3.5 shows the channels available for selection on 4.4 GHz Mesh Point radios, with their corresponding center frequencies and nominal frequency ranges. Channels in the shaded cells are available only on the 4.4 GHz radios installed in the ES2440-3444m and ES2440-34m. Table 3.5 Mapping 4.

The virtual radio that can be created by combining radios on select model Mesh Points through channel sharing (as described in Section 3.3.5) is limited to 5 GHz-band UNII-3 channels: 149 (the default) to 165 (when the virtual radio is not comprised of 4.4 GHz radios).
Table 3.6 Mapping 4.4 GHz Radio Channels to Frequencies, 10 MHz Nominal Channel Width
The Fortress BeaconInterval default of 100 milliseconds is optimal for almost all network deployments and recommended for bridging operation. Configure the interval in milliseconds between 25 and 1000 only when necessary (as required by an unusual network deployment) and only on radios using non-DFS channels.
CAUTION: Radios using DFS channels (Section 3.4.8) must use the default 100 ms BeaconInterval.
The NoiseImmunity setting allows 802.
Other Fortress platform models, with or without 4.4 GHz-radio options, do not. MIMO can be enabled only when the radio is configured to use one of the 802.11n frequency Band options. MIMO is disabled by default on all radios that support it. In order to take advantage of MIMO, both radios forming a given link must be configured for it.

3.4.7 Channel Lock and Other Channel Selection Features
When ChannelLock is set to enable (default is disable) and at least one BSS is configured, the radio will not switch from the currently configured channel, regardless of settings or activity that would ordinarily trigger a channel switch. The Mesh Point ignores WDS-related channel scanning and remote WDS peer channel change requests.

determines the scan interval, between 60–86400 seconds (the default is 300). Lonely Node operates under the following conditions:
- Channel Lock is disabled
- Channel Scanning is enabled
- A WDS BSS is enabled
- No FP Mesh peer connections exist on the bridging radio
The same settings are output interactively regardless of the specified radio.

3.4.8.3 Licensed TDWR Channels
In order to satisfy the FCC requirement for a 30 MHz guard band around Terminal Doppler Weather Radar (TDWR) operating within 35 km, UNII 2 extended channels 116, 132 and 136 are available for selection only when a Channel license is installed on the Mesh Point (refer to Section 5.6).

Add channels to the Static Exclusion List with add xchannel:
# add xchannel -radio radio1|radio2 -channel <#>
Delete channels from the exclusion list with del xchannel:
# del xchannel -radio radio1|radio2 -channel <#> -all
NOTE: You must specify the ES210 Mesh Point's radio by name: radio1.
You must be logged on to an administrator-level account to change configuration settings (refer to Section 2.2).

WMM:
FragThreshold:
RtsThreshold:
DtimPeriod:
VlanId:
SwitchingMode:
VlanAllowAll:
VlanActiveTable:
Zone:
UcostOffset:
Description:
802.

3.4.9.2 WDS Bridging or AP Infrastructure Configuration
Enabling WDS (Wireless Distribution System) functionality (EnableWds y) enables the Mesh Point radio on which the BSS is configured for bridging: The BSS can be used to connect as a node in a network of Mesh Points.
NOTE: BSSs with WDS enabled are always in the Mesh Point's encrypted zone.

You can configure BSSs on Radio 1 to accept connections only from 802.11g devices (Only11g y), instead of also accepting 802.11b device connections (Only11g n, the default).

Mbps. On a radio using any of the 5 GHz 802.11a settings, including 802.11na options, the default MinRate is 6 Mbps.

3.4.9.5.1 Actual Unicast Transmission Rates
If the Band setting is 802.11a or 802.11g, the fixed unicast transmission rate you can expect is exactly the MaxRate you have entered. However, if the Band setting is one of the 802.
Table 3.8 Fixed Unicast Transmission Rate By MaxRate For 802.11
Left group: Actual Radio Setting when (FORCE STBC = ON and MIMO = ON) or SISO or NOT MIMO CAPABLE. Right group: Actual Radio Setting when FORCE STBC = OFF and MIMO = ON. Rates in Mbps.
Max Rate Setting | MCS  10MHz  20MHz  40MHz | MCS  10MHz  20MHz  40MHz
6.5              | 8    6.5    13     27    | 0    3.25   6.5    13.5
13               | 9    13     26     54    | 1    6.5    13     27
19.5             | 10   19.5   39     81    | 2    9.75   19.5   40.5
26               | 11   26     52     108   | 3    13     26     54
39               | 12   39     78     162   | 4    19.
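The rates in Table 3.8 can be derived rather than looked up. The following Python is an added example, not from the guide: it computes 802.11n PHY rates from the standard parameters (52 data subcarriers at 20 MHz and 108 at 40 MHz, a 4 µs symbol with the 800 ns guard interval, doubled for half-clocked 10 MHz operation, MCS 0-7 on one spatial stream and MCS 8-15 on two) and applies the table's stated mapping from a MaxRate setting to the MCS the radio actually uses. Function names are assumptions; the 802.11a/g case follows Section 3.4.9.5.1, where the fixed rate is exactly the MaxRate entered.

```python
"""Added example, not from the guide: 802.11n PHY rates behind Table 3.8,
computed from standard parameters, plus the table's MaxRate-to-MCS mapping.
Function names are assumptions."""
from typing import List, Tuple

# (bits per subcarrier, coding rate) for MCS index modulo 8:
# BPSK 1/2, QPSK 1/2, QPSK 3/4, 16-QAM 1/2, 16-QAM 3/4, 64-QAM 2/3, 64-QAM 3/4, 64-QAM 5/6
_MODULATION = [(1, 1 / 2), (2, 1 / 2), (2, 3 / 4), (4, 1 / 2),
               (4, 3 / 4), (6, 2 / 3), (6, 3 / 4), (6, 5 / 6)]
_DATA_SUBCARRIERS = {10: 52, 20: 52, 40: 108}   # 10 MHz is half-clocked 20 MHz


def mcs_rate_mbps(mcs: int, width_mhz: int) -> float:
    """PHY data rate in Mbps for MCS 0-15 at 10, 20 or 40 MHz (800 ns guard interval)."""
    if not 0 <= mcs <= 15:
        raise ValueError("MCS 0-15 only")
    streams = mcs // 8 + 1                       # MCS 8-15 = two spatial streams
    bits, code_rate = _MODULATION[mcs % 8]
    symbol_us = 8.0 if width_mhz == 10 else 4.0  # half clock doubles the symbol time
    return round(streams * _DATA_SUBCARRIERS[width_mhz] * bits * code_rate / symbol_us, 2)


# The MaxRate choices for 802.11n bands are the single-stream 20 MHz rates: 6.5 ... 65.
MAX_RATE_SETTINGS: List[float] = [mcs_rate_mbps(i, 20) for i in range(8)]


def actual_unicast_rate(max_rate: float, width_mhz: int, band_is_n: bool,
                        mimo: bool, force_stbc: bool) -> Tuple[int, float]:
    """Return (MCS used, fixed unicast rate in Mbps) for a MaxRate setting.

    For plain 802.11a/g the fixed rate is exactly the MaxRate entered (MCS -1).
    For 802.11n bands Table 3.8 applies: the MCS 8+ column when FORCE STBC = ON
    and MIMO = ON, or when the radio is SISO / not MIMO capable; the MCS 0+
    column when FORCE STBC = OFF and MIMO = ON."""
    if not band_is_n:
        return -1, float(max_rate)
    index = MAX_RATE_SETTINGS.index(round(max_rate, 2))   # raises if not a valid setting
    two_stream_column = (not mimo) or force_stbc
    mcs = index + 8 if two_stream_column else index
    return mcs, mcs_rate_mbps(mcs, width_mhz)


def table_3_8_rows() -> List[Tuple[float, int, float, float, float, int, float, float, float]]:
    """Regenerate Table 3.8: MaxRate, then MCS and 10/20/40 MHz rates for each column."""
    rows = []
    for max_rate in MAX_RATE_SETTINGS:
        left = actual_unicast_rate(max_rate, 20, True, mimo=True, force_stbc=True)[0]
        right = actual_unicast_rate(max_rate, 20, True, mimo=True, force_stbc=False)[0]
        rows.append((max_rate,
                     left, mcs_rate_mbps(left, 10), mcs_rate_mbps(left, 20), mcs_rate_mbps(left, 40),
                     right, mcs_rate_mbps(right, 10), mcs_rate_mbps(right, 20), mcs_rate_mbps(right, 40)))
    return rows


if __name__ == "__main__":
    for row in table_3_8_rows():
        print(row)
```

The first five rows printed by table_3_8_rows() match the rows of Table 3.8 above; the remaining rows (MaxRate 52, 58.5 and 65) follow from the same arithmetic.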
acknowledgement is sent for each frame received, and if no acknowledgement is sent the frame is retransmitted. FragThreshold is set in bytes: 256–2345, or the function can be turned off (the default).

3.4.9.9 BSS VLANs Settings
VlanId assigns a VLAN ID between 1 and 4094 to the BSS. By default all interfaces are assigned VLAN ID 1. If the VLAN ID you enter is not already present in the Active VLAN Table (Section 3.11.1), it will be automatically added. A new VLAN ID configured in this way will not yet be associated with an IPv4 address. Refer to Section 3.11.1 for instructions on associating a new VLAN with an IP address.

3.4.9.12 BSS Multicast Settings
McastRate specifies the lowest bit rate at which a BSS configured to act as a network AP (EnableWds n) will send multicast frames, in megabits per second. BSSs on a radio that is fixed on the 5 GHz 802.11a band, or configured by default to use the 5 GHz 802.11a band, have a default McastRate of 6 Mbps, which is appropriate for a BSS using the 5 GHz frequency band. Fortress recommends leaving BSSs in the 802.

-ucost 0–4294967295
-mcastRate 1|2|5.5|11|6|9|12|18|24|36|48|54
-enhancedmcast y|n
-wdsmtu wifi|ether
-beaconencrypt enable|disable
-desc <"descriptive string">
-1X11i none|wpa|wpapsk|wpa2|wpa2psk|wpa2mixed|wpa2mixedpsk
-keytype hex|ascii
-wpakey
-wpakeyconfirm
-rekeyperiod 0–2147483647
-gmkrekeyperiod 0–2147483647
-radiusperiod 0–2147483647
-strictrekey y|n
-reauthperiod 0–2147483647
-preauth y|n

radiusperiod (RadiusRetryInterval) specifies the number of seconds (0–2147483647) between retries of the primary authentication server. The default is 0 (zero), which disables the function: If the primary Wi-Fi authentication server cannot be reached on the initial attempt, it is not retried until all configured network servers (secondary, tertiary, etc.) have been tried in turn and also failed.
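As an added example (not Fortress code), the following Python models the server-selection behaviour described for radiusperiod: servers are tried in configured order; with radiusperiod 0 a primary that could not be reached is not retried until every other configured server has been tried in turn and also failed; with a non-zero period the primary is retried once that many seconds have elapsed since its last failure. The class, its method names and the timeline in the test are assumptions constructed for the example; nothing beyond what the text states about the Mesh Point's own retry scheduling is claimed.

```python
"""Added example, not Fortress code: a model of the authentication-server
order implied by the radiusperiod (RadiusRetryInterval) setting.  The class,
its method names and the timestamps are assumptions for the example."""
from typing import List, Optional


class RadiusFailover:
    def __init__(self, servers: List[str], radius_period: int = 0) -> None:
        if not servers:
            raise ValueError("at least a primary server is required")
        self.servers = servers                # configured order: primary, secondary, ...
        self.period = radius_period           # seconds; 0 disables primary retry
        self.current = 0                      # index of the server in use
        self.primary_failed_at: Optional[float] = None

    def pick(self, now: float) -> str:
        """Server to send the next authentication request to."""
        if (self.current != 0 and self.period > 0
                and self.primary_failed_at is not None
                and now - self.primary_failed_at >= self.period):
            self.current = 0                  # retry interval elapsed: go back to primary
        return self.servers[self.current]

    def report(self, reachable: bool, now: float) -> None:
        """Record the outcome of the request sent to the server chosen by pick()."""
        if reachable:
            return                            # stay on the server that answered
        if self.current == 0:
            self.primary_failed_at = now
        # Move to the next server; after the last one has also failed, the
        # rotation wraps to the primary, which with radiusperiod = 0 is the
        # only point at which the primary is tried again.
        self.current = (self.current + 1) % len(self.servers)
```

The practical consequence the model makes visible: with the default of 0, a primary that recovers is not used again as long as a secondary keeps answering, which matters for monitoring (authentication load and logs stay on the secondary) and for deciding whether to configure a non-zero RadiusRetryInterval.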
Fortress ES-Series CLI Guide: Networking and Radio Configuration 3.4.10 Antenna Tracking / Rate Monitoring Administrative and Maintenance users have the ability to monitor the data rate and RSSI of a specific WDS link between two Fortress Mesh Points using the show command: # show tracking -mac -radio -interval -samples -format macAddr is the MAC address of the specific radio of the Fortress Mesh Point to which this FMP is connected.
Fortress ES-Series CLI Guide: Networking and Radio Configuration 3.4.11 ES210 Mesh Point STA Settings and Operation Configuring a station (sta or STA) interface on the ES210 Mesh Point radio causes the Mesh Point to act as a dedicated WLAN client device, or station, rather than as an AP or a wireless bridge (or FastPath Mesh Point). An ES210 configured with such an interface is in station mode.
  WMM:                 enable
  FragThreshold:       off
  RtsThreshold:        off
  Zone:                clear
  Operational Status:  up
  Access Point:        00:00:00:00:00:00
  Description:
  802.1X/11i Security: none
  RateMode:            auto
  MaxRate:             54
  MinRate:             1
  McastRate:           1
  StaId:               00:14:8c:2a:0c:90

You can use update sta to overwrite these parameters, or delete this STA configuration entirely and add a new one with the necessary parameters.

3.4.11.

Except for the Zone and the final lines of output (beginning with StaId, which displays the STA’s MAC address), each of the settings shown above can be configured with add sta:

  # add sta -radio radio1
  RadioName[radio1] (radio1 name of radio interface): radio1
  StaName (string for identity):
  Ssid (string(32 chars max)): NewStationSSID
  Bssid (MAC address of AP):
  AdminState (enable|disable to set STA administrative state):
  RateMode (
between the configured MaxRate and MinRate—to provide the optimal data rate for the connection. At a RateMode setting of fixed, the interface will use the configured MaxRate for all unicast transmissions and ignore the configured MinRate. Transmission rates are set in megabits per second (Mbps).

3.4.11.6 STA Fragmentation and RTS Thresholds

The fragmentation and RTS protocol thresholds are set in bytes: 256–2345 for FragThreshold and 1–2345 for RtsThreshold—or these functions can be turned off (the default for both). The Delivery Traffic Indication Message (-dtim) beacon countdown can be set in whole values 1–255, inclusive (the default is 1).

3.4.11.7 STA Multicast Rate

Please refer to Section 3.4.9.

tlscipher - specifies the list of supported cipher suites, the sets of encryption and integrity algorithms, that the Mesh Point will send to the 802.

These additional settings apply to WPA-PSK, WPA2-PSK and WPA2Mixed-PSK selections:

PtkRekeyInterval (-rekeyperiod) - specifies the interval at which new keys are negotiated. Specify a new interval in whole seconds between 1 and 2147483647, inclusive, or 0 (zero), to permit the same key to be used for the duration of the session.

Point radio must also be enabled before you can scan for a network to connect to. Scan for available networks using show scan. Use more to break the list after a page of output.

3.4.11.12 ES210 Station Access Control Lists

When the STA Interface is using WPA, WPA2 and WPA2-Mixed Security, an additional level of security can be provided via an Access Control List (ACL). The Station ACL function is enabled when any ACL entry is administered. Once the ACL is enabled, the Mesh Point compares the X.509 digital certificates of 802.
3.5.1 Hostname and IPv4 Settings

View basic network properties with the show network command:

  > show network
  Current IP values:
    IPv4 Enabled:   y
    Hostname:       hostname
    IP:             192.168.1.9
    Netmask:        255.255.255.0
    DefaultGateway: 192.168.1.1
  Configured IP values:
    IP:             192.168.1.9
    Mask:           255.255.255.0
    Gateway:        192.168.1.1

Current IP values are those actually in use on the IPv4 network.

displays only when you have entered a value into at least one of the fields presented.

Change the Mesh Point’s IPv6 network settings with set networkv6 with valid switches and arguments in any order and combination:

  # set networkv6 -auto y|n -ip -pl -gw -gm

When automatic addressing is at its default of enabled (-auto y), and there is an IPv6 router on the network configured to provide the global prefix, the Mesh Point will automatically configure a compatibl

View the current DNS client configuration with show:

  > show dns-client
  Domain:               ftimesh.local
  Preferred DNS server: Unknown
  Alternate DNS server: Unknown

Configure DNS settings with set, which can be used interactively:

  # set dns-client
  Domain:
  Preferred IP:
  Alternate IP:

NOTE: Mesh Point software also includes a standard DNS service (Section 3.

The set clock command returns the Mesh Point’s current date and time values, which you can edit and re-enter: use the left/right arrow keys to navigate displayed fields, backspace over current values or overwrite them. When you finish typing in new values, strike Enter↵ to save them. The Mesh Point CLI returns [OK] when settings are successfully changed.

  > show ntp
  ServerName:   primary
  IPorHostname: 192.168.10.9
  Active:       Y
  AuthEnabled:  N
  AuthKeyIndex: 0 (not valid)

  ServerName:   secondary
  IPorHostname:
  Active:       N
  AuthEnabled:  N
  AuthKeyIndex: 0 (not valid)

  ServerName:   tertiary
  IPorHostname:
  Active:       N
  AuthEnabled:  N
  AuthKeyIndex: 0 (not valid)

No NTP servers are configured by default.

A Mesh Point enabled to authenticate NTP packets must additionally be configured, using add ntp-key, with the key(s) (and indices) that will be used to authenticate configured NTP server(s).

NOTE: The -ip flag with empty double quotation marks deletes a configured server.

3.7 GPS and Location Configuration

Only the ES2440 and ES210 Mesh Points are equipped with an internal GPS receiver that, when enabled and connected to a GPS antenna, permits the Mesh Point to use the signals of GPS satellites in range to triangulate its exact position on the globe. The internal GPS is disabled by default. The ES820 and ES520 Mesh Points can be equipped with external GPS receivers.

The Latitude, Longitude, and Altitude show the Mesh Point’s current location. The Speed indicates the speed at which the Mesh Point is currently moving, if at all. Satellites shows the number of GPS satellites within range of the Mesh Point at the time of the Last Fix.
DHCP clients. Both internal DHCP servers are disabled by default. View the current DHCP server settings with the show dhcp-server command:

  # show dhcp-server
  DHCPv4 Server State
  ------------------
  Mode          : server
  Min IPv4 range: 172.30.16.1
  Max IPv4 range: 172.30.16.255
  Max Lease Time: 60
  DHCPv6 Server State
  ------------------
  Mode          : server
  IPv6 range    : auto
  Max Lease Time: 60

You can use the set dhcp-server command to enable either DHCP server.

  [ Active DHCP LEASES ]
  Mac                leaseExpiry                   hostname                   ipAddress                            gateway
  -----------------  ----------------------------  -------------------------  -----------------------------------  ------------
  00:0c:29:8e:ac:0a  Wed Mar 24 19:34:49 2010 UTC                             FD00:0:8895:8895:20C:29FF:FE8E:AC0A
  00:0c:29:8e:ac:14  Wed Mar 24 19:25:07 2010 UTC  vmclient12.gdfortress.com  172.30.50.204                        172.30.50.

3.8.3 Enabling Multicast DNS

Multicast DNS (mDNS) enables plug-and-play or zero-configuration networking, which allows a link-local IP network to be created automatically without manual configuration or special configuration servers (such as DHCP or DNS). A set of hosts on the same link, all implementing zero-configuration networking, can immediately start to communicate via IP without any external configuration.
View the current configuration of the Mesh Point’s Ethernet interfaces (followed by status information and statistics not shown in this example) with show interface. The output for this command varies based on the number and type of interfaces on the Mesh Point (refer to Table 1.

Three settings configure the port’s FastPath Mesh attributes and apply only when FastPath Mesh is enabled on the Mesh Point:

MeshIf (-meshif, a.k.a., FastPath Mesh Interface Mode) - establishes the port’s role in the FP Mesh network. core interfaces connect to other FastPath Mesh network nodes. When VLANs are used in FastPath Mesh bridging deployments, all FP Mesh core interfaces must be configured as VLAN trunk ports (described below).

VlanId assigns a VLAN ID between 1 and 4094 to the port. By default all ports are assigned VLAN ID 1. If the VLAN ID you enter is not already present in the Active VLAN Table (Section 3.11.1), it will be automatically added.
AutoNegotiation is enabled (y) by default on all ports. If you disable AutoNegotiation, specify the Duplex mode and negotiation Speed. Duplex determines whether the port will allow only Full duplex communication or only Half duplex communication. Speed determines the speed at which the port will transmit and receive data: 10 Mbps or 100 Mbps.

low - packets in the low queue are delivered after packets in all other QoS queues; the low priority queue is intended for network background traffic.

The Mesh Point’s implementation of DiffServ and the earlier IP precedence traffic prioritization standards are mutually compatible. QoS prioritization information will be derived from incoming packet headers in any of the supported standard formats.

  [Default DSCP-to-TrafficClass table rows for the high and critical classes; the individual DSCP values did not survive extraction.]

The example output above shows the Mesh Point’s default QoS configuration. You can restore the default QoS Tags and DSCP mappings with the set qos command:

  # set qos -resetdefaults

The -resetdefaults switch takes no arguments and should only be used by itself, without any other set qos switches.

3.10.0.0.

3.10.0.0.2 DiffServ QoS and DSCP Mapping

DiffServ increases the number of definable priority levels over the earlier IP precedence tagging standards, permitting greater granularity in traffic QoS sorting. DiffServ QoS information is conveyed in the six most significant bits—the Differentiated Services Codepoint, or DSCP—in the packet header’s DS field. You can reconfigure the DSCP-to-TrafficClass map with set qos:

  # set qos -dscp 0,1,2...
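As an added illustration (not code from the Fortress guide), the following Python shows where the DSCP and the legacy IP precedence sit in the DS byte of an IPv4 header and how a classifier can honor both at once, which is what makes the two tagging standards compatible. The DSCP-to-class table and the precedence fallback table are constructed samples, not the Mesh Point's default map.

```python
import socket
import struct

# Constructed sample DSCP-to-TrafficClass map (assumption: NOT the device default).
# Queue names follow the guide's low/high/critical classes.
SAMPLE_DSCP_MAP = {46: "critical", 34: "high", 26: "high", 0: "low"}

# Constructed fallback for DSCPs absent from the map: the top three DSCP bits are
# exactly the legacy IP precedence value, so precedence-tagged packets still sort.
PRECEDENCE_TO_CLASS = {0: "low", 1: "low", 2: "low", 3: "high",
                       4: "high", 5: "high", 6: "critical", 7: "critical"}


def ds_field(ipv4_header: bytes) -> int:
    """Return the 8-bit DS (formerly TOS) field, the second byte of an IPv4 header."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ipv4_header[1]


def dscp(ds: int) -> int:
    """DSCP is the six most significant bits of DS; the low two bits are ECN."""
    return (ds >> 2) & 0x3F


def ip_precedence(ds: int) -> int:
    """Legacy IP precedence is the top three bits of DS (the top three DSCP bits)."""
    return (ds >> 5) & 0x7


def classify(ipv4_header: bytes, dscp_map=SAMPLE_DSCP_MAP) -> str:
    """Map a packet to a traffic class: DSCP table first, precedence as fallback."""
    ds = ds_field(ipv4_header)
    code = dscp(ds)
    if code in dscp_map:
        return dscp_map[code]
    return PRECEDENCE_TO_CLASS[ip_precedence(ds)]


def make_ipv4_header(ds: int, src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Build a minimal 20-byte IPv4/UDP header as constructed test input (checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, ds, 20, 0, 0, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


if __name__ == "__main__":
    for ds in (0xB8, 0x88, 0xA2, 0x48, 0x00):   # EF, AF41, CS5, AF21, BE
        hdr = make_ipv4_header(ds)
        print(f"DS=0x{ds:02x} DSCP={dscp(ds):2d} prec={ip_precedence(ds)} -> {classify(hdr)}")
```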
Table 3.

the VLAN used for multicast traffic by subscribed FPMPs (described in Section 3.2.2).

5 Enable VLANs on the Mesh Point. When FastPath Mesh is used for bridging, the Mesh Point can support up to eight VLANs, in Enabled VLAN Mode. When BridgingMode is Off, the Mesh Point can support up to 48 VLANs, in Enabled VLAN Mode.

3.11.0.0.2 Translate VLAN Mode

You can set VLAN Mode to Translate only when the Mesh Point’s global bridging Mode is Off.

table (although it can be used twice in the same map, as noted above). Observe the currently configured VLAN maps with show vlanmap:

  # show vlanmap
  Map Name    Clear Vlan ID    Encrypted Vlan ID
  vlan12      12               2012
  vlan11      11               2011
  vlan10      10               10

Before you create VLAN translation maps, add the VLAN IDs you will include in those maps to the Mesh Point’s Active VLAN Table, as described in Section 3.11.1, below.

mismatch between the IPv4 address associated with the Management VLAN ID and that of the Mesh Point’s management interface, you can restore remote management access to the Mesh Point only by reconfiguring it via a direct physical connection to its Console port. Additionally, when VLANs are enabled, the Mesh Point’s internal DHCP and DNS services (described in Section 3.8) are accessible only in the management VLAN.

You can also have a new VLAN automatically added to the table by specifying a VLAN ID not yet present on the table for one of the Mesh Point’s Ethernet ports or radio BSSs (refer to Section 3.11.2 below). VLAN IDs can be associated with IPv4 addresses, however, only through the Active VLAN Table controls. Changes to the Active VLAN Table take effect immediately.

3.11.3.0.2 FP Mesh Core interfaces must be VLAN trunk ports.

The requirement that only VLAN trunk ports can serve as FP Mesh Core interfaces is enforced for wireless interfaces: The same setting that configures a radio BSS to provide wireless bridging also controls whether it will serve as an FP Mesh Core or Access interface. Bridging interfaces are FP Mesh Core interfaces by definition.

3.12.1 Configuring the Serial Port

Enabling the serial sensor disables the serial port for Mesh Point CLI access. The Mesh Point CLI remains accessible by a terminal emulation application over an SSH2 (Secure Shell 2) network connection, provided SSH access is on (the default; refer to Section 4.1.13).

NOTE: You must reboot the Mesh Point in order to change the function of the ES210 serial port.

Restoring the ES210 Mesh Point’s factory default configuration restores the serial port to the default Mesh Point CLI Console function (refer to Section 5.5).

3.12.2 Resetting the Serial Port

When the ES210 Mesh Point is enabled for and connected to an external serial device, you can manually restart the serial port’s TCP session with reset sensor.

The -udpport switch chooses the UDP port out which the Mesh Point will send its MVP packets to the MVP Listener Mesh Point within the mesh network, or to the Mesh Viewer itself, if the Mesh Viewer is directly connected to a mesh network access interface.
Chapter 4 Network Security, Authentication and Auditing

4.1 Fortress Security Settings

The CLI provides controls for various aspects of the Mesh Point’s overall network security provisions: Fortress MSP (Mobile Security Protocol) functions including key establishment, data encryption and network Access ID; FIPS operation; global session timeouts; and several additional management and network access settings.

FIPS operating mode in the current version of Mesh Point software may still be in the process of being validated as compliant with FIPS 140-2 Security Level 2. These Federal standards enforce security measures beyond those of Normal operating mode, the most significant of which include: Only a designated Crypto Officer, as defined by FIPS, may perform administrative functions on the Mesh Point and its Secure Clients.

OK - has no meaning with regard to FIPS tests, which are run regardless of the FIPS State, but can fail without affecting the reported FIPS Status. When FIPS is Off, the Mesh Point will continue to pass traffic regardless of FIPS test results, and the FIPS Status is always OK. FIPS operating mode, which complies with Federal Information Processing Standards 140-2, is the default mode of operation.

  BypassBroadcastFailCT:0
  BypassUnknownDAFailCT:0
  BypassHostToGuestFailCT:0
  BypassHostToClientFailCT:0
  BypassRcvClrFromClientFailCT:0
  BypassCCMPSecureFailCT:0
  BypassCCMPNonSecureFailCT:0
  PktEncryptTimeoutCT:0
  PktDecryptTimeoutCT:0
  BadPktDecryptTimeoutCT:0
  SuiteBPktEncryptTimeoutCT:0
  SuiteBPktDecryptTimeoutCT:0
  SuiteBBadPktDecryptTimeoutCT:0
  CCMPPktEncryptTimeoutCT:0
  CCMPPktDecryptTimeoutCT:0
  CCMPBadPktDecryptTimeoutCT:0
  BypassGuestCr
As required by FIPS 140-2, if a FIPS test fails, the failure persists—through reboots and software upgrades—until the Mesh Point again passes the full battery of FIPS tests. In FIPS operating mode, if the Mesh Point fails a FIPS test, it automatically reboots. If the failure persists through the boot cycle, the Mesh Point continues to reboot until the test passes or the Mesh Point is taken out of service.

Select the encryption algorithm that the Mesh Point will allow Secure Clients and other Fortress controllers to use with set crypto:

  # set crypto -e AES128|AES192|AES256

For information on setting encryption algorithms on Secure Clients, refer to the Fortress Secure Client User Guide. The default encryption algorithm is AES256.

A Secure Client logging on to the Mesh Point must use a key establishment setting present in the Mesh Point’s configuration. For information on configuring key establishment on Secure Clients, refer to the Fortress Secure Client User Guide. The Mesh Point CLI returns OK when settings are successfully changed.

4.1.6

NOTE: Secure Client versions earlier than 3.1 support only DH-512 key establishment.
4.1.9 Encrypted Zone Cleartext Traffic

By default, the Mesh Point does not allow cleartext traffic to pass on encrypted interfaces. In order for configured cleartext devices (access points and/or Trusted Devices) to be permitted access on an encrypted interface, cleartext must be turned on.

Client management is enabled (on) by default. If encrypted interface client management is disabled (off), you will be able to manage the Mesh Point only through a clear interface (or through the serial Console port).

You can turn off GUI access to the Mesh Point altogether by disabling the user interface. The Mesh Point GUI is enabled by default.

The Mesh Point CLI returns OK when settings are successfully changed. You must be logged on to an administrator-level account to change configuration settings (refer to Section 2.2).

4.1.13 SSH Access to the Mesh Point CLI

SSH2 (Secure Shell protocol 2) is enabled on the Mesh Point by default. The Mesh Point does not support SSH1.

  # del sshkey -all

To delete a specific SSH public key:

  # del sshkey -name

You must be logged on to an administrator-level account to change configuration settings (refer to Section 2.2).

4.1.14 Blackout Mode

The Blackout Mode setting on the Fortress Mesh Point globally turns all chassis LEDs on and off.

4.1.16 Fortress Access ID

The Access ID is a 16- or 32-digit hexadecimal ID that provides network authentication for the Fortress Security System.

The -subject option is defined as X.

Append more to any show certificate command to scroll through the output one page at a time, using Enter↵ or the space bar to page down. When more is omitted, use Ctrl-C to truncate multiple-screen command output. View only a specific certificate with the -name switch:

  # show certificate -name CACERT00000002
  Name    : CACERT00000002
  Subject : C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD JITC Root CA 2
  Issuer  : C=US, O=U.S.
Trusted OCSP Responder certificates are certificates (or certificate chains of multiple certificates of one or more trusted OCSP responders) associated with OCSP responders from which the Mesh Point always accepts signed OCSP responses. You must specify a trusted OCSP responder certificate, with -ocsp.

Because Mesh Points used as wireless Clients must be dedicated to the function, the EAP-TLS certificate will only be used for one of these applications. Use set gui to assign a certificate to the GUI function:

  # set gui -key

Enter the name of the certificate with -key. Use the -nokey switch to clear the encryption key currently in use.

4.2.2.3 Managing the Certificate Revocation List

The global Certificate Revocation List (CRL) function is enabled by default, as it must be in order for per-function CRL options to take effect when they are enabled.

4.3 Access Control Entries

An Access Control Entry (ACE) is a filter applied to the X.509 digital certificates used to authenticate connections over a network. An ordered set of Access Control Entries, each with an associated allow/deny action, comprises an Access Control List (ACL), as used by three possible Mesh Point functions:

  IPsec - as described in Section 4.4.5
  internal RADIUS - as described in Section 4.5.2.

  /O=Fortress* - matches any string beginning with “Fortress”.
  /O=*Tech* - matches any string containing “Tech” in the middle of the string.

  Key Usage          : digital signature, key agreement
  Extended Key Usage : (not set)
  Name               : test2
  Pattern            : /O=*
  Key Usage          : (not set)
  Extended Key Usage : (not set)

You cannot change the Name of an existing ACE, but you can edit and/or add to the filter criteria it specifies with update ace.
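To make the ACE matching rules concrete, here is an added Python example (not Fortress code) that evaluates an ordered ACL of subject-DN pattern ACEs, using the two wildcard patterns quoted in the guide plus the catch-all /O=* pattern of the test2 entry. It assumes a slash-separated DN form, '*' as the only wildcard, first-match-wins ordering, implicit deny when nothing matches, and that a "(not set)" key-usage criterion imposes no constraint; none of these details come from the guide.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A DN is kept as an ordered list of (attribute, value) pairs so that repeated
# attributes (OU=DoD, OU=PKI) survive parsing.
DN = List[Tuple[str, str]]


def parse_dn(dn: str) -> DN:
    """Split '/C=US/O=Acme/CN=mp1' into [('C', 'US'), ('O', 'Acme'), ('CN', 'mp1')]."""
    parts: DN = []
    for component in dn.strip("/").split("/"):
        if "=" not in component:
            raise ValueError(f"malformed DN component: {component!r}")
        attr, value = component.split("=", 1)
        parts.append((attr.strip(), value.strip()))
    return parts


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """'*' matches any run of characters; everything else is literal (assumption)."""
    return re.compile("^" + ".*".join(re.escape(p) for p in glob.split("*")) + "$")


@dataclass(frozen=True)
class Cert:
    subject: DN                              # parsed subject DN
    key_usage: frozenset = frozenset()       # e.g. {"digital signature"}
    ext_key_usage: frozenset = frozenset()


@dataclass(frozen=True)
class ACE:
    name: str
    pattern: str                             # e.g. "/O=*Tech*"
    action: str = "allow"                    # "allow" or "deny"
    key_usage: frozenset = frozenset()       # required bits; empty means "(not set)"
    ext_key_usage: frozenset = frozenset()

    def matches(self, cert: Cert) -> bool:
        """Every pattern component must match a same-named subject attribute, and
        every required key-usage bit must be present in the certificate."""
        for attr, glob in parse_dn(self.pattern):
            rx = glob_to_regex(glob)
            if not any(a == attr and rx.match(v) for a, v in cert.subject):
                return False
        return (self.key_usage <= cert.key_usage
                and self.ext_key_usage <= cert.ext_key_usage)


def evaluate_acl(acl: List[ACE], cert: Cert,
                 default: str = "deny") -> Tuple[str, Optional[str]]:
    """Walk the ordered list; the first matching ACE decides (assumption).
    With no match the default applies and no ACE name is reported."""
    for ace in acl:
        if ace.matches(cert):
            return ace.action, ace.name
    return default, None


# Constructed sample ACL: the first two patterns are the guide's own examples.
SAMPLE_ACL = [
    ACE("fortress-signers", "/O=Fortress*",
        key_usage=frozenset({"digital signature", "key agreement"})),
    ACE("any-tech", "/O=*Tech*"),
    ACE("test2", "/O=*", action="deny"),     # catch-all: deny every other organisation
]

# Constructed certificates (subjects and key usages invented for the example)
FORTRESS_FULL_KU = Cert(parse_dn("/C=US/O=Fortress Technologies/CN=mp1"),
                        frozenset({"digital signature", "key agreement"}))
FORTRESS_SIG_ONLY = Cert(parse_dn("/C=US/O=Fortress Technologies/CN=mp2"),
                         frozenset({"digital signature"}))
OTHER_ORG = Cert(parse_dn("/C=US/O=Acme Inc/OU=Ops/OU=PKI/CN=client7"))
NO_ORG = Cert(parse_dn("/C=US/CN=anonymous"))

if __name__ == "__main__":
    for label, cert in [("Fortress, full KU", FORTRESS_FULL_KU),
                        ("Fortress, signature only", FORTRESS_SIG_ONLY),
                        ("other organisation", OTHER_ORG),
                        ("no O attribute", NO_ORG)]:
        print(f"{label:28s} -> {evaluate_acl(SAMPLE_ACL, cert)}")
```

The second certificate shows why ACE order matters: it fails the key-usage criteria of the first entry and is admitted by the looser /O=*Tech* entry instead.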
is sent and received, according to the ESP protocol, using the specified encryption standard(s). Security Policy Database (SPD) entries determine how IPsec is applied to traffic on the Mesh Point. SPD entries are configured—per interface—to apply a specified action to traffic based on its source and destination subnets.

  Legacy - AES-128-CBC, AES-256-CBC

Specify a time- and/or data-limited lifespan at the end of which a new IKE transaction must be negotiated to establish new IPsec SAs for the connection and/or a time-limited lifespan for Phase 1 ISAKMP-authenticated SAs:

IPsec SA lifetime in minutes (-salifeMinutes) from 1 to 71,582,788 to determine how long the SA will be used before it expires, or specify 0 (zero) to impose no time l

4.4.2 Interface Security Policy Database Entries

When IPsec is globally enabled and configured (refer to Section 4.4.1), the Mesh Point configuration can include up to 100 SPD entries, each associated with one of the Mesh Point’s network interfaces. An interface with at least one SPD configured for it is enabled to process IPsec traffic. An interface with no SPD configured for it is disabled for IPsec traffic.

  Action (bypass|drop|apply): bypass
  Priority (1..100): 10

Provide a Name for SPD entry, and associate the SPD entry with an Ethernet or wireless Interface on the Mesh Point. Interface name must match the name of the Ethernet port or currently configured BSS on the Mesh Point. You can specify only a single Ethernet or wireless interface.

  2 SPD entries registered

Use show with the -name flag to display only the specified SPD entry, or with -all to show the complete list of configured SPDs. The -dynamicpeers flag permits you to display only IPsec peers connected through dynamic endpoint SPDs (refer to Section 4.4.3, below).

4.4.3.1 Dynamic Endpoints for FastPath Mesh Networks

When FastPath Mesh is enabled and L2TP is disabled, networked Mesh Points can be configured to use dynamic SPD rules to transparently provide IPsec SAs over the flexible bridging links comprising the FastPath Mesh WDS (wireless distribution system).

NOTE: Mesh Points must be correctly configured for FastPath Mesh, as described in Section 3.2.

Dynamically created VPN client rules are always generated with a remote mask of 255.255.255.255. Dynamic IPsec SAs are created for VPN clients only when the remote partner has a 32-bit traffic selector for the client and requests that an IPsec SA be established. Typically, a dynamic endpoint SPD rule with a Peer Address of 0.0.0.

  Action:       Apply
  Peer Address: 0.0.0.0

...can replace the multiple SPD entries that would need to be configured with static IP addresses for multiple VPN clients connecting from the 192.168.10.0/255.255.255.0 subnet:

  policy name:  clientFT-1
  Priority:     1
  Interface:    lan7
  Local:        0.0.0.0/0.0.0.0
  Remote:       192.168.10.101/255.255.255.255
  Action:       Apply
  Peer Address: 10.1.101.

The Mesh Point at the other end of the IPsec SA would transparently and dynamically expand the SPD rule in the example for dynamic client IP addresses, above, into:

  Policy Name:  VPPNclients
  Priority:     94
  Interface:    eth2
  Local:        10.0.0.0/255.0.0.0
  Remote:       10.10.10.46/255.255.255.255
  Action:       Apply
  Peer Address: 4.1.1.50

  Policy Name:  VPPNclients
  Priority:     94
  Interface:    eth2
  Local:        10.0.0.0/255.0.0.0
  Remote:       0.
For -length, optionally specify the number of bytes to comprise the key, from 16 to 128. If you omit this value, the default key length is 32 bytes. The -generate switch always results in a hex key. Record the resulting PSK. You must also configure a matching key on the specified IPsec peer.

numbers take precedence over those with higher priority numbers. Access determines whether the Mesh Point will Allow (the default) or Deny access to an authentication server whose X.509 certificate matches the criteria specified in the ACL entry.

To establish a connection over an L2TP/IPsec tunnel, both the LNS device and the LAC device must be configured.

  Mode: lac
  LAC Setting:
    LNS connect address: 0.0.0.0
    User auth key/cert:  Not set

Use the -sessions switch to view any active L2TP sessions, including Tunnel ID and Session ID:

  # show l2tp -sessions
  Current L2TP Settings:
  Enabled: Y
  Mode: lns
  LNS Setting:
    Local address:    192.168.1.1
    LAC IP range min: 192.168.1.2
    LAC IP range max: 192.168.2.254
    User auth key/cert: l2tp
  Tunnel and session information:
  Tunnel Id    Peer IP
  15144        172.26.58.

  8021X 192.168.1.22 active ADMIN 0.0.0.0 inactive USER_DEVICE 192.168.1.22 active thirdParty thirdParty

No authentication servers are configured by default. The Mesh Point can actively use up to three authentication servers at a time. You can configure the same authentication server to provide more than one supported authentication type.

server on the priority list (MaxRetries). You can configure 1 to 10 maximum connection attempts; the default is 3. You can determine whether a server is active or inactive (AdminState). Configured servers are active by default. Optionally, you can add a descriptive string of up to 32 characters for the server. If you want to include spaces in the Description, enclose it in quotation marks.

4.5.2 Internal Authentication Server

The users and Secure Client devices you add to the Mesh Point’s local authentication configuration apply only when the internal authentication, or RADIUS, server is enabled (below).

  TLSCipherSuite (all|legacy|suite-b to set supported cipher suite for EAP-TLS):

Enabling the internal authentication server causes an entry to be automatically added to the authentication server list output by the show auth command (refer to Section 4.5.1). This entry is automatically removed if the internal authentication server is disabled.

4.5.2.1 4.5.2.
The maximum number of authentication retries (DefaultMaxRetries) and idle and session timeout settings (DefaultIdleTimeout and DefaultSessionTimeout) configured on the internal authentication server are applied globally to all authenticating devices and users.

Enable802.1XAuth turns the service on (y) and off (n, the default). Use EnableEAP-MD5 to enable (y) or disable (n) support for the EAP-MD5 protocol. EnableEAP-TLS enables or disables support for EAP-TLS. EnableCRLCheck applies only to EAP-TLS, and determines whether certificates used to authenticate 802.1X supplicants are checked against the lists of certificates that have been revoked by their issuing authorities.

The Mesh Point's internal RADIUS server can optionally be configured to check the revocation status of certificates using OCSP. In this configuration, the internal RADIUS server acts as an OCSP client. The OCSP client function is disabled by default. When the OCSP client function is enabled, the internal RADIUS server determines the current revocation status of an X.

OCSP Cache Learning

The OCSP cache learning function (AutoLearningEnabled: Y) can be used to limit which certificates will be considered for validation, as follows: When OCSP cache learning is enabled, every certificate presented to the internal authentication server for validation will be processed.

OCSP cache learning is enabled by default (AutoLearningEnabled: Y), which configures the internal RADIUS server to save information learned from OCSP responses to the OCSP cache. If a response pertains to an existing cache entry, the entry is updated or refreshed. If a response pertains to a new certificate, an entry is created for the certificate in the OCSP cache.

4.5.2.7 Internal Authentication Server Access Control Lists

When the internal RADIUS server is used for 802.1X EAP-TLS authentication (refer to Section 4.5.2.4), an additional level of security can be provided via an Access Control List (ACL). The internal RADIUS ACL function is enabled when any ACL entry is administered. Once the ACL is enabled, the Mesh Point compares the X.509 digital certificates of 802.

4.5.3 User Authentication

NOTE: The Mesh

Users for whom you create authentication accounts will be one of two types: Secure Client users connect to the Mesh Point’s encrypted interfaces via devices running the Fortress Secure Client; Admin users are using the Mesh Point’s local user authentication database to gain administrative access to the Mesh Point’s management interface.

Set individual users’ session timeouts in minutes, from 1 to 200 (inclusive). Set individual users’ idle timeouts in minutes from 1 to 720 (inclusive). User accounts are active by default. To disable a user’s account set -admin to inactive. User accounts have no administrative privileges on any Mesh Point by default, as configured by an -adminauth value of none.
Fortress ES-Series CLI Guide: Network Security, Authentication and Auditing Attempts made by auto-populating Client device to connect to the Mesh Point-protected network are treated according to the default device state (DefaultDeviceState) configured on the internal authentication server (Section 4.5.2.1).
Fortress ES-Series CLI Guide: Network Security, Authentication and Auditing authentication for the device you specify.
command, option and parameter, without switches or arguments:

# set idletimeout

Set the timeout value for all clients (devices on the encrypted side of the network running the Fortress Secure Client) with:

# set idletimeout -c all

Set the timeout value for all hosts (devices communicating with the Mesh Point on the clear side of the network) with:

# set idletimeout -h all

To configure the idle timeout value

00:14:8c:3a:aa:40
b4:a4:e3:d1:0a:87

Configure ACL filtering with set maclist:

# set maclist -m enabled|disabled -f

Use the -m switch to enable or disable whitelist filtering mode, which explicitly allows network access only to the listed devices. Clear (flush) the ACL by giving the -f switch without arguments. A MAC whitelist only limits which addresses are admitted; because MAC addresses are easily spoofed, it complements rather than replaces device and user authentication.

# add dest-maclist -mac |-ciscoprot

Use the -ciscoprot switch to add the destination addresses of the most common Cisco protocols to the destination MAC address filter list.
Name: a unique packet filter rule name of 1 to 200 characters.
Action: whether to permit the packet or deny it. Denied packets are dropped without further processing.
Log: whether or not to log when a packet matches this rule. When enabled, the FMP writes audit log entries reporting which packets matched the rule.

the destination port is not specified, the filter is applied regardless of the packet's destination port.
NOT ALLOWED: Source Address, Source Prefix Length, Destination Address, Destination Prefix Length, and Protocol.
Adding rules to an interface does not by itself cause those rules to be applied to packets entering and exiting that interface.

2 rules registered

You can restrict the show output by specifying an interface name, which shows only the rules for that interface, or a filter name, which shows only that filter. Showing all rules is the default. Note that the automatically generated rule that drops all non-matching packets is NOT shown in the display. Use the more option to page through the output, with Ctrl-C to exit.

4.6.3.1 Packet Filtering on Ingress and Egress

When a packet enters any interface, the FMP checks whether packet filtering is enabled on that interface. If it is, the FMP compares the packet's fields to each configured rule in priority order and takes the action specified by the first matching rule; for example, if the action is permit, the FMP continues to process the packet. A packet that matches no configured rule is dropped by the automatically generated final rule.
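The evaluation order, implicit final deny, rule logging and "rules do nothing until filtering is enabled" behaviour described in this section, as an added simulation that is not Fortress code. The Rule, Packet and Interface classes, the convention that a lower priority number is evaluated first, and the audit line format are assumptions; the rules and packets are constructed for illustration.

```python
"""Simulation of the packet-filter semantics described above.  Added example,
not Fortress code: class names, lower-number-first priority ordering and the
audit line format are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(order=True)
class Rule:
    priority: int                                  # only field used for ordering
    name: str = field(compare=False)
    action: str = field(compare=False)             # "permit" | "deny"
    protocol: str = field(compare=False)           # "tcp" | "udp" | "icmp" | "any"
    src: str = field(compare=False)                # source CIDR
    dst: str = field(compare=False)                # destination CIDR
    dst_port: Optional[int] = field(default=None, compare=False)  # None = any port
    log: bool = field(default=False, compare=False)

    def __post_init__(self):
        if not 1 <= len(self.name) <= 200:
            raise ValueError("rule name must be 1 to 200 characters")
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")

    def matches(self, pkt: "Packet") -> bool:
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        # Unspecified destination port: the rule applies whatever the port is.
        return self.dst_port is None or self.dst_port == pkt.dst_port


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


class Interface:
    def __init__(self, name: str):
        self.name = name
        self.rules: List[Rule] = []
        self.filtering_enabled = False      # adding rules does not enable filtering
        self.audit: List[str] = []          # audit records for rules with Log set

    def add_rule(self, rule: Rule) -> None:
        if any(r.name == rule.name for r in self.rules):
            raise ValueError(f"duplicate rule name: {rule.name}")
        self.rules.append(rule)
        self.rules.sort()                   # keep priority order

    def show(self) -> List[str]:
        """What `show pktfilter` lists: configured rules only, never the implicit deny."""
        return [f"{r.priority} {r.name} {r.action}" for r in self.rules]

    def filter(self, pkt: Packet) -> str:
        """Return the action taken for a packet entering or leaving this interface."""
        if not self.filtering_enabled:
            return "permit"                 # registered rules are not applied
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.log:
                    self.audit.append(
                        f"pktfilter {self.name} rule={rule.name} action={rule.action} "
                        f"{pkt.protocol} {pkt.src}->{pkt.dst}:{pkt.dst_port}")
                return rule.action          # first match wins
        return "deny"                       # implicit final rule: drop non-matching
```

Two things the simulation makes visible that the CLI output does not: a broad permit with a low priority number silently shadows every later deny, and a freshly registered rule set is inert until filtering is switched on for the interface, so a "2 rules registered" display proves nothing about what is actually being dropped.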
global default authentication state (Default Auth State) for controllers.

You can delete a specified controller device, or all controllers, from authentication with the del command:

# del controllerauth -deviceID |all

You must be logged on to an administrator-level account to change configuration settings (refer to Section 2.2).

4.6.

it to the Mesh Point configuration. You must also assign either any or at least one port. You can omit the -state, -passall, and -2way arguments if the defaults suit your needs: APs are enabled for Fortress Mesh Point management by default, and two-way communication on APs is enabled. Use the update command to change AP settings, as follows:

# update ap north
# update ap north -name north -ip 192.167.1.

in which TDname is a descriptive identifier for the Trusted Device, MACaddr is its MAC address, and IPaddr either configures the Trusted Device to take any IP address or specifies its network address. The -state switch enables or disables access for the Trusted Device.
4.7 Remote Audit Logging

When remote audit logging is enabled, the Mesh Point sends audit log messages of the specified severity level (and higher) to the configured external syslog server (Section 4.7.1). Audit-logged administrative and device activity can then be separately filtered by a number of additional parameters (Sections 4.7.2 and 4.7.4). Syslog carries these records unauthenticated and in cleartext, so reach the collector over the management network only and watch for gaps in the record stream, since dropped messages are not reported.

4.7.

4.7.3). An individual account or MAC address auditing setting of required or prohibited overrides the global audit logging settings.

Configure global audit logging of administrative activity interactively with set audit:

# set audit
Login[enable] (enable|disable to enable or disable auditing of logins):
Security[enable] (enable|disable to enable or disable auditing of security events):
Configuration[enable] (enable|disable to enable or disable auditing of configuration events):
GUI[required] (required | prohibited | automatic to enable or disable auditing of eve

When more than one MAC address has been added for audit logging, you can view the settings for an individual MAC address by specifying it:

# show macaudit -mac 1a2b3c4d5e6f

Add a MAC address for audit logging of associated administrative activity with add macaudit:

# add macaudit -mac -desc -gui required|prohibited|automatic -ssh required|prohibited|automatic -snmp required|prohibi

You can delete a specified MAC address, or all MAC addresses currently configured for administrator audit logging, with the del command:

# del macaudit -mac |all

You must be logged on to an administrator-level account to configure audit logging (refer to Section 2.2).

4.7.4 Filtering Audited Learned-Device Activity

When remote audit logging is enabled (Section 4.7.

Configure audit logging of learned-device activity interactively in the last four fields of set audit:

# set audit
Login[enable] (enable|disable to enable or disable auditing of logins):
Security[enable] (enable|disable to enable or disable auditing of security events):
Configuration[enable] (enable|disable to enable or disable auditing of configuration events):
GUI[required] (required | prohibited | automatic to enable or disable
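The forwarding decision for administrative audit records as Section 4.7 describes it (severity threshold, global set audit switches, per-account and per-MAC overrides of required/prohibited with automatic deferring to the global setting), as an added example that is not Fortress code. Severity numbering follows the syslog convention (0 = emergency through 7 = debug). Two points the text leaves open are assumptions here: a global channel value of automatic counts as enabled, and prohibited wins when an account and a MAC address carry conflicting explicit settings. The policy and events are constructed for illustration.

```python
"""Decision logic for remote audit logging as described in Section 4.7.
Added example, not Fortress code.  Assumptions: global `automatic` counts as
enabled; `prohibited` wins over a conflicting `required` override."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def normalize_mac(mac: str) -> str:
    """Accept 1a2b3c4d5e6f, 1a:2b:3c:4d:5e:6f or 1A-2B-...; return bare lowercase hex."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac}")
    return hexdigits


@dataclass
class AuditPolicy:
    remote_enabled: bool = True
    min_severity: str = "info"                        # forward this level and more severe
    categories: Dict[str, bool] = field(default_factory=lambda: {
        "login": True, "security": True, "configuration": True})
    channels: Dict[str, str] = field(default_factory=lambda: {
        "gui": "required", "ssh": "required", "snmp": "required"})
    account_overrides: Dict[str, Dict[str, str]] = field(default_factory=dict)
    mac_overrides: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def add_macaudit(self, mac: str, **channels: str) -> None:
        """Mirror of `add macaudit -mac ... -gui ... -ssh ... -snmp ...`."""
        for setting in channels.values():
            if setting not in ("required", "prohibited", "automatic"):
                raise ValueError(f"bad setting: {setting}")
        self.mac_overrides[normalize_mac(mac)] = dict(channels)


@dataclass
class AdminEvent:
    severity: str
    category: str          # login | security | configuration
    channel: str           # gui | ssh | snmp
    user: Optional[str] = None
    mac: Optional[str] = None
    message: str = ""


def should_forward(policy: AuditPolicy, ev: AdminEvent) -> bool:
    if not policy.remote_enabled:
        return False
    if SEVERITY[ev.severity] > SEVERITY[policy.min_severity]:
        return False                                   # less severe than the threshold
    explicit = []
    if ev.user is not None and ev.user in policy.account_overrides:
        explicit.append(policy.account_overrides[ev.user].get(ev.channel, "automatic"))
    if ev.mac is not None:
        explicit.append(policy.mac_overrides.get(normalize_mac(ev.mac), {})
                        .get(ev.channel, "automatic"))
    if "prohibited" in explicit:
        return False                                   # individual setting overrides global
    if "required" in explicit:
        return True
    # automatic everywhere: fall back to the global set audit switches
    return (policy.categories.get(ev.category, False)
            and policy.channels.get(ev.channel, "automatic") != "prohibited")


def forward(policy: AuditPolicy, events: List[AdminEvent]) -> List[str]:
    """Return the severity-tagged lines that would be sent to the external server."""
    return [f"[{ev.severity}] {ev.category} via {ev.channel} user={ev.user} "
            f"mac={ev.mac} {ev.message}".rstrip()
            for ev in events if should_forward(policy, ev)]
```

The override rule cuts both ways: a per-MAC prohibited entry for an administrator's workstation silences that workstation's logins even when the global Login setting is enabled, so review macaudit entries with the same care as the ACLs themselves.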
Update the wireless schedule with the update command:

# update wifischedule -adminstate -days startTime -endTime

You must be logged on to an administrator-level account to change configuration settings (refer to Section 2.2).
Fortress ES-Series CLI Guide: System Options, Maintenance and Licensing Chapter 5 System Options, Maintenance and Licensing 5.
5.2 Rebooting the Mesh Point

Restart the Fortress Mesh Point with reboot, confirming your intention at the query, as follows:

# reboot
Confirm: Reboot device now? [Y|N] y

You can reboot the system after a specified amount of time with -delay. The system automatically reboots after the number of minutes indicated, between 1 and 1440. A value of 0 (zero) cancels any pending reboot.

View which of the two software images on the Mesh Point is currently running and which is selected for the next time the Fortress Mesh Point is booted with show bootimage:

> show bootimage
Image1: 5.4.3.1058
Image2: 5.4.3.

You must specify a path to an FTP server with an anonymous user account in order to execute the upgrade command successfully, or the Mesh Point returns the error:

[Error] file must be an FTP url, for example "ftp://ftp.server.com/path/to/gw.pkg"

To begin the basic upgrade process, use the upgrade command to specify the location of the upgrade file and its password:

# upgrade -f

# upgrade -e -ramdisk y|n

The -e switch upgrades Mesh Point software from an upgrade file stored locally in this way, as opposed to one stored on an FTP server. As shown, you can use the -e switch with the -ramdisk option (described above), while -ratelimit and -noresume are not intended for use with locally stored files. Anonymous FTP carries the package in cleartext, so host upgrade files on a server reachable only from the management network, and confirm the reported version with show bootimage after the upgrade.
United States is the default area license, allowing Mesh Points with standard-equipment radios to operate in the United States in the 5 GHz and 2.4 GHz frequency bands, as regulated by the Federal Communications Commission (FCC). Mesh Points with one or more 4.4 GHz - 4.

> show license
Feature    Status
--------   ------------
advradio   Installed
area       United States
channel    Not installed
mesh       Installed
suite-b    Installed

Fortress supplies license keys at the time feature licenses are purchased. If you purchased a feature license with the Mesh Point, the license key is included in your shipment.

The FastPath Mesh license also requires the Mesh Point to be rebooted before you can enable the feature. Once licensed, Suite B can be enabled immediately. You must be logged on to an administrator-level account to change configuration settings (refer to Section 2.2).

5.7 Pinging a Device

You can ping a device on the clear side of the Fortress Mesh Point, i.
Hop 1: 00:14:8c:32:41:40 (FD00:0:8895:8895:214:8CFF:FE32:4140 - Car2-MAC-4140-IP-20) 1072ms cost=7407 (MESH2)
Hop 2: 00:14:8c:31:be:40 (FD00:0:8895:8895:214:8CFF:FE31:BE40 - Car1-MAC-BE40-IP-10) 4167ms cost=7407 (MESH2)
Hop 3: 00:10:60:17:53:bc (*) 4168ms cost=0 (Ethernet2)
Total cost = 14814
cost = 3400

The total is the sum of the per-hop costs. The results are similar to traceroute, except that traceroute operates at OSI Layer 3 and meshpath at OSI Layer 2.

different Mesh Point without overwriting its existing network settings. To view the resulting configuration file, use show running-config; you must also supply the encryption key with the show command:

# show running-config -encKey

To install the configuration file on the target Mesh Point(s), use copy running-config again, providing different values for the -to and -from switches.
Fortress ES-Series CLI Guide: System and Network Monitoring

Chapter 6 System and Network Monitoring

6.1 Viewing System Information

Obtain a basic overview of the Mesh Point configuration, including software and firmware versions, serial number, network address, and GUI, SSH, and SNMP settings, with show device. The output of this command varies with the model, the number and type of radios, and the power sources:

> show device
Model: ES520-35
Version: 5.4.5.2057
SerialNumber: 108470035
Radio 1: 802.

You must be logged on to an administrator-level account (refer to Section 2.2) to display the Fortress Mesh Point's Device ID in the Mesh Point CLI:

# show deviceid
333300148c081079

6.1.2 Viewing System Uptime

The show uptime command displays the number of days, hours and minutes that the Fortress Mesh Point has been operating since its last boot:

> show uptime
18 days 1 hr 27 min

6.2

6.2.2 Viewing Bridging Links

Bridge Links are not relevant to Mesh Point models that do not contain radios. NOTE: On Mesh Points equipped with one or more radios (refer to Table 1.
Update Access ID - Access ID push in progress for the device
AuthSt - the state of the device's authentication transactions on the Mesh Point:
  Unknown - connected, not yet ready to proceed
  Initial - ready to proceed, waiting for device to respond
  Started - response received, authentication in process
  Success - authentication succeeded: network access permitted
  Locked - authentication failed: network access blocked
DHKeyType

Hosts are displayed by their MAC addresses. The idle timeout (the number of minutes the Mesh Point is configured to allow host connections to be unused before clearing their sessions) is shown for each. A count of currently connected hosts is shown below the list.

6.2.

number and type of interfaces on the Mesh Point (refer to Table 1.
Inbound SPI and Outbound SPI - the 32-bit Security Parameter Index carried in each IPsec packet. Together with the destination IP address and the IPsec protocol (ESP or AH), the SPI uniquely identifies the SA; the inbound and outbound directions are separate SAs with separate SPIs. SPIs are chosen pseudorandomly during IKE negotiation.
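Selecting an SA by the (SPI, destination address, protocol) triple described above, as an added example that is not Fortress code. It parses a constructed IPv4 packet, extracts the SPI and sequence number from an ESP (protocol 50) or AH (protocol 51) header, and looks the SA up in a constructed table; header layouts follow RFC 791, RFC 4303 and RFC 4302. The contents of the SA records and the helper names are assumptions.

```python
"""IPsec SA selection by (SPI, destination, protocol).  Added example, not
Fortress code; packet bytes and the SA table are constructed for illustration.
Layouts: RFC 791 (IPv4), RFC 4303 (ESP), RFC 4302 (AH)."""
import secrets
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

IPPROTO_ESP = 50
IPPROTO_AH = 51
SAKey = Tuple[int, str, int]          # (SPI, destination address, IPsec protocol)


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options; checksum left zero, not validated here)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def build_esp(spi: int, seq: int, body: bytes) -> bytes:
    """ESP header: SPI (4 bytes) + sequence number (4 bytes), then the ciphertext."""
    return struct.pack("!II", spi, seq) + body


def build_ah(spi: int, seq: int, icv: bytes, next_header: int = 4) -> bytes:
    """AH header: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ipv4(pkt: bytes) -> Tuple[int, str, str, bytes]:
    """Return (protocol, src, dst, payload); reject non-IPv4 or truncated packets."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 packet")
    return proto, str(IPv4Address(src)), str(IPv4Address(dst)), pkt[ihl:total_len]


def parse_ipsec_header(proto: int, payload: bytes) -> Tuple[int, int]:
    """Return (SPI, sequence number) from an ESP or AH payload."""
    if proto == IPPROTO_ESP:
        if len(payload) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", payload[:8])
        return spi, seq
    if proto == IPPROTO_AH:
        if len(payload) < 12:
            raise ValueError("truncated AH header")
        _next, _len, _rsvd, spi, seq = struct.unpack("!BBHII", payload[:12])
        return spi, seq
    raise ValueError(f"protocol {proto} is not IPsec")


def select_sa(sadb: Dict[SAKey, dict], pkt: bytes) -> Optional[dict]:
    """Parse a packet and return the SA it belongs to, or None if no SA matches."""
    proto, _src, dst, payload = parse_ipv4(pkt)
    spi, _seq = parse_ipsec_header(proto, payload)
    return sadb.get((spi, dst, proto))


def new_spi(sadb: Dict[SAKey, dict], dst: str, proto: int) -> int:
    """Pick an inbound SPI as IKE would: pseudorandom, above the reserved 0-255, unused."""
    while True:
        spi = int.from_bytes(secrets.token_bytes(4), "big")
        if spi > 255 and (spi, dst, proto) not in sadb:
            return spi
```

Because the key is the full triple, the same SPI value can legitimately appear on packets for two different destinations or for ESP and AH at once; matching on SPI alone, as a hurried decoder or log filter might, will attribute traffic to the wrong SA.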
6.5 FastPath Mesh Monitoring

When bridging is set to FastPath Mesh (Section 3.2.2), the Mesh Point CLI provides show mesh commands to view an array of information on the configuration, composition and operation of the FP Mesh network.

6.5.

Table 6.1 Show Mesh Commands

show mesh -ip |-ckip |-mp |-dupmp |-nmp |-dupnmp
    Displays a list of IP addresses or, with the -ckip option, a list of all MAC addresses associated with the specified IP address (useful for locating duplicates of a particular IP address).

show mesh -neighbors -brief -interface |-bss
    Displays the MPs directly connected to the current MP.

show mesh -peer -mac |-ip |-name
    Displays the network information for a specific peer by MAC address, IP address, or node name.

10/06/2008 09:14:04 Info System: vif_lan7 interface connected
10/06/2008 09:14:04 Info System: br0 interface connected
10/06/2008 09:14:03 Info System: br0 interface connected
10/06/2008 09:14:03 Info System: eth0 interface connected
-More-

Three switches can be used with viewlog:

# viewlog -all|-num <#events>|-fifo

The -all switch displays the entire event log, 20 events at a time.
Fortress ES-Series CLI Guide: Supported Services

Appendix A Supported Services

The following table identifies the service names and port numbers supported and used by Fortress products:

Service Name   Port Number   Transport Protocol   Description
SSH            22            TCP                  Secure Shell v2 - Fortress Command Line Interface (CLI)
DNS            53            TCP                  Domain Name System
DHCP           67            UDP                  Dynamic Host Configuration Protocol
HTTP           80            TCP                  Hypertext Transfer Protocol - Fortress Graphical User Interface (GUI)
SNMP           161           UDP                  Simp
Fortress ES-Series CLI Guide: Index

Index

configuring Ethernet ports 93–94 configuring server(s) 143–144 administrator authentication 15–18 authentication servers 142–144 internal RADIUS OCSP 148–151 client device authentication 154–156 controller device authentication 158–165 user authentication 146, 153–154 WPA/WPA2 authentication 67, 74–76 Numerics 4.4 GHz radios 3–4, 27, 38, 40, 51 channels 48, 51 EULA addendum vii 4.9 GHz Public Safety radio channels 50 802.11i authentication 67–68 802.

add/del station-acl 78 add/del vlan 101–102 add/del xchannel 58 add/update ocspcache 151 add/update/del ace 127 add/update/del admin 20–22 add/update/del ap 165–166 add/update/del auth 143–144 add/update/del bss 59–68 add/update/del controllerauth 164–165 add/update/del deviceauth 155–156 add/update/del dns-entry 89 add/update/del macaudit 171–172 add/update/del mesh 32–33 add/update/del snmptrap 25 add/update/del sta 71–76 add/update/del td 166–167 add/update/del user

show clock 82, show controllerauth 164, show country 40, show crypto 109, show device 181, 185, show deviceauth 155, show deviceid 186, show dhcp-server 88, show dhcp-server-leases 88, show dns-client 82, 89, show dns-entry 89, show dns-server 89, show eap-tls 125, show environment 40, show fips 110, 111, show fp 3, 37, show guests 190, show gui 118, 125, show hosts 189, show idletimeout 15

distance setting 45 units 41 DNS client settings 81–82 DNS service 89 domain name 82 multicast DNS 90 domain name 82 dynamic IPsec endpoints 134–138 E EAP-TLS BSS WPA 67–68 encrypted interfaces 90 Ethernet 90 encrypted zone cleartext 116 encryption algorithm 113, 114 Ethernet ports 90–94 F FastPath Mesh 5, ??–37 interfaces 30 licensing 179–182 monitoring 193–195 tracing a mesh path 182 tuning performance 33–37 FIPS 109–113 bypass mode 110 indicators cleartext LED 110 r

multicast clamping 36 multicast DNS settings 90 multicast group subscription ??–33 multicast video performance 36 N network settings 79–81 DHCP services 87–89 DNS service 89 NTP 83–85 O OCSP 148–151 operating mode 109–113 default 109 P packet filters 159 passwords administrator passwords changing 21 defaults 8 configuring requirements 17–18 SNMP passphrases 24 user passwords 153 ping 182 PoE 3, 90 LAN switch PSE enabling per port 93 ports Console port 8 adapter 8 seri

resetting 175 timeout settings 156–157 set pktfilter 161 show pktfilter 161 show tracking 69 SNMP 5 configuring 23–25 MIB 25 software upgrades 177–179 software version upgrading 177–179 viewing 177 SSH 119 SSIDs 58, 71 statistics interface statistics 190–191 traffic statistics 190 STP 37–38 system clock 82 system log 195–196 WPA/WPA2 authentication 67, 74–76 Z zone configuring BSSs 65 configuring Ethernet ports 91 T time zone 83 timeout settings administrative timeout
Fortress ES-Series CLI Guide: Glossary

Glossary

802.11: The IEEE standard that specifies technologies for wireless networks.
802.11i: The amendment to the 802.11 standard that describes security for wireless networks, or Robust Security Networks.
802.1X: The IEEE standard for port-based network access control, providing authentication and authorization to devices attached to a given port (or preventing access from that port if authentication fails).

CA: Certificate Authority, an entity, often a trusted third party, that issues the X.509 digital certificates used to mutually verify the identities of organizations, servers or other entities connecting to one another over a public network.
CAC: Common Access Card, a United States Department of Defense (DoD) smartcard issued as standard identification for active duty military personnel, reserve personnel, civilian employees, and eligible contractor personnel.

DoD: Department of Defense, the United States military.
EAP: Extensible Authentication Protocol, defined by RFC 2284 (since obsoleted by RFC 3748), a general framework for user authentication. EAP is carried by a number of authentication services, including RADIUS.
EAP-MD5: An EAP method based on the MD5 message-digest algorithm, which uses a 128-bit hash of a challenge and the password to verify the supplicant's response. It authenticates only the supplicant, not the server, and derives no keying material.
EAPoL: Extensible Authentication Protocol over LAN, IEEE 802.
gateway: In IT, a node on a network, usually a router, that provides a connection to another network.
GPS: Global Positioning System.
groups: An association of network objects (users, devices, etc.) typically used to allocate shared resources and apply access policies.
GUI: Graphical user interface, a user interface in which the user manipulates interactive objects (menu items, buttons, etc.) displayed on the monitor screen.

ITU-T: International Telecommunication Union - Telecommunication Standardization Sector, the Geneva-based international organization for telecommunications standards, formerly CCITT.
key establishment: A transaction through which two parties with no prior knowledge of one another agree upon a shared secret key for symmetric encryption of data over an insecure channel. Sometimes called key exchange.

Multi-factor Authentication™: In Fortress products, the combination of network authentication (through the network Access ID), device authentication (through the Device ID), and user authentication (through user credentials) that guards the network against unwanted access.
multiplexing: The practice of transmitting multiple signals over a single connection.

RADIUS: Remote Authentication Dial-In User Service, an authentication service that challenges connecting users for their usernames and passwords and authenticates their responses against a database of valid credentials; described in RFC 2865.
RAM: Random Access Memory, data storage that permits data bytes to be accessed in any order.

STBC: Space-Time Block Coding, a technique that improves error rates and reliability in a system experiencing poor transmission performance.
STP: Spanning Tree Protocol, a link management protocol operating at OSI layer 2 that prevents bridging loops while permitting path redundancy in a bridged network.
Suite B: A set of cryptographic algorithms promulgated by the National Security Agency as part of its Cryptographic Modernization Program.

WDS: Wireless Distribution System, a means for interconnecting multiple stations (STAs), access points or nodes in a wireless network.
WEP: Wired Equivalent Privacy, the security protocol defined in the original IEEE 802.11 standard (1997). WEP has been found to be vulnerable to attack and is broken in practice; WPA and WPA2 (802.11i) supplant it in current and future 802.11 standards.
Wi-Fi®: Wireless Fidelity, used generically to refer to any type of 802.11 network.