JadeOS User Manual SK-A2960-182 03
Copyright © 2013 Skspruce, Inc. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without prior, express and written permission from Skspruce, Inc. Skspruce, Inc. reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of Skspruce, Inc. to provide notification of such revision or changes. Skspruce, Inc.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
Important Notice on Product Safety
Elevated voltages are inevitably present at specific points in this electrical equipment. Some of the parts may also have elevated operating temperatures. Non-observance of these conditions and the safety instructions can result in personal injury or in property damage. Therefore, only trained and qualified personnel may install and maintain the system. All equipment connected has to comply with the applicable safety standards.
WOA5200 Wi-Fi Dual-band 802.11n Outdoor Access Point
New Generation 2.4G/5GHz Concurrent 802.11n Wireless Access Point
The SKSpruce WOA5200 outdoor access point is a carrier-class 802.11n access point designed specifically to meet the rising demand for bandwidth from mobile network operators. The WOA5200 is a unified, flexible platform which is featured with
Product Advantage
Robust Outdoor Wi-Fi Performance
The WOA5200 delivers wireless data rates up to 300Mbps with concurrent dual-band 802.
Content
Content, 1
Chapter 1 Preface, 1
1.1 Intended Audience, 1
1.2 Structure of this Document, 1
1.
3.4.3 Reset JadeOS, 14
3.4.4 Files Import/Export, 14
3.5 System Update, 15
3.6 File Operations, 16
3.6.1 Basic Operations
5.1.2 Configuring Bridge, 28
5.1.3 Dynamic Table, 28
5.1.4 Bridge Aging, 29
5.1.5 Static Table, 29
5.2 Port Mirror
6.7.6 OSPF Point-to-point Configuration Example, 42
6.8 Configuring IPv6, 44
6.8.1 Address Configuration, 44
6.8.2 Routing Configuration, 44
6.8.3 Ping6
9.4.2 Configuring role, 58
9.4.3 Configuring Radius Server Group, 59
9.4.4 Configuring Authentication Way, 59
9.4.5 Configuring AAA Profile, 60
9.4.6 Binding VLAN
10.1.6 Authentication Mode, 74
10.1.7 STATION Management, 74
10.2 Forwarding Mode, 74
10.3 Configuring Power, 75
10.4 Configuring Radio
Chapter 1 Preface
This preface describes the audience, structure, conventions and history of changes of the JadeOS User Manual. It also provides important information about safety instructions for JadeOS.
1.1 Intended Audience
This document is intended for experienced network administrators who need to configure and maintain the JadeOS Multi-Service Gateway.
1.2 Structure of this Document
Chapter / Title / Subject
Chapter 1 / Preface / This chapter provides an introduction to this document.
Chapter 2 System Overview
2.1 System Introductions
SKG10000 Plus is carrier-grade gateway equipment that integrates routing, switching, WLAN controller and other functions. Based on a multi-core, multi-thread processor and designed to the telecom-grade ATCA standard, SKG10000 Plus offers powerful and extensible performance. With centralized management and configuration, it enables deployment of a large network with hundreds of gateways.
Security and AAA (Authentication, Authorization, Accounting)
• Access Control List (Interface/Standard/Session ACL)
• Role-Based User Policy
• Web Portal/802.
• Scalable performance and throughput
- Optimized database: By keeping lease information in a memory-resident database, the DHCP server offers fast response times for lease assignments and renewals.
- Multi-threaded architecture: JadeOS uses a multi-threaded architecture to deliver consistent throughput.
- Carrier level big address pool: JadeOS supports up to 1,320,000 addresses per chassis.
JadeOS.
Chapter 3 CLI and System Management
JadeOS uses the Command Line Interface (CLI) for interaction between users and the operating system. Through the CLI, users can perform a range of system configuration and management functions. This chapter describes the CLI and system operations.
3.1 CLI Access
The console port on the equipment is an RJ45 interface located on the front panel of each line card.
Step 4 Enter the global mode using the following command:
(JadeOS) > enable
Password: enable
When you are in enable mode, the > prompt changes to a pound sign (#):
(JadeOS) #
Step 5 Enter the configuration mode using the following command:
(JadeOS) # configure terminal
When you are in the configuration mode, ‘config’ appears before the # prompt:
(JadeOS) (config) #
3.1.2 CLI Access via a Remote Console
Users can access JadeOS remotely using TELNET from a TCP/IP network.
3.2.1 Command mode
The CLI is divided into many different modes. The commands available to you at any given time depend on the mode that you are currently in. Entering a question mark (?) at the CLI prompt gives you a list of the commands available in each command mode. When you log in to the CLI, you are in user mode. User mode contains only a limited subset of commands. To have access to all commands, you must enter enable mode, normally by supplying a password.
mand. For example:
(JadeOS) > ?
enable       Turn on Privileged commands
exit         Exit this session. Any unsaved changes are lost.
help         Help on CLI command line processing and a Description of the interactive help system
logout       Exit this session. Any unsaved changes are lost.
ping         Send ICMP echo packets to specified ip address.
traceroute   Trace route to the specified ip address.
When typed at the end of a possible command or abbreviation, the question mark lists the commands that match (if any).
in for you automatically. If the abbreviation is too vague (too few characters), the cursor does not advance and you must type more characters or use the help feature to list the matching commands.
3.2.4 Deleting Configuration Settings
Use the no command to delete or negate previously entered configurations or parameters. To view a list of no commands, type no at the enable or ‘config’ prompt followed by the question mark.
(JadeOS) (config) # no?
3.2.
For example, we configure a route to the administrator subnet 192.168.0.0/24 through next hop 192.168.1.1:
(JadeOS)(config)#ip route 192.168.0.0/24 192.168.1.1
3.4 Configuring Management
3.4.1 Inquire Configuration
To view the present configuration, use the command:
(JadeOS) # show running-config
3.4.2 Saving Configuration Changes
When you make configuration changes via the CLI, those changes affect the current running configuration only.
You can save configuration files into JadeOS and copy them to an external server.
copy startup-config flash:
copy startup-config tftp:
copy running-config flash:
copy running-config ftp: []
copy running-config startup-config
copy running-config tftp:
3.5 System Update
The system image file is stored in the Compact Flash (CF) on each line card.
(JadeOS) #show image version
---------------------------------
Partition : 0:0 (/dev/sda1)
Software Version : JadeOS 2.3.2.0
Built on : SMP Thu Dec 19 18:01:40 CST 2013
---------------------------------
Partition : 0:1 (/dev/sda2)
Software Version : JadeOS 2.2.6.0
Built on : SMP Mon Nov 18 14:58:24 CST 2013
3.6 File Operations
3.6.
Log files
You can use the following protocols to transfer files between JadeOS and an external server or host:
• File Transfer Protocol (FTP)
• Trivial File Transfer Protocol (TFTP)
Table 3-3 Parameters of TFTP and FTP Configuration
Server Type / Configuration
Trivial File Transfer Protocol (TFTP) / IP address of the server; Filename
File Transfer Protocol (FTP) / IP address of the server; Username and password to log into the server; Filename
3.6.
(JadeOS) #who
vty[0] connected from 192.168.16.21
vty[1] connected from 192.168.16.22
vty[2] connected from 192.168.16.19
vty[3] connected from 192.168.16.19
3.8 Configuring System Settings
3.8.1 Setting Hostname
The factory default hostname is JadeOS. You can change the hostname using the following command:
hostname
For example:
(JadeOS) (config) #hostname Gate
(Gate) (config) #
3.8.
• Setting the System Clock Manually
To set the date and time, enter the following command in privileged mode:
clock set
To set the time zone and daylight savings time adjustment, enter the following commands in configure mode:
clock timezone <-23 - 23>
clock summer-time [recurring] <1-4> first last <1-4> first
(JadeOS)(config)#ntp trusted-key
(JadeOS)(config)#ntp server iburst
Example of configuring NTP authentication:
(JadeOS)(config)#ntp authenticate
(JadeOS)(config)#ntp authentication-key 1 md5 123
(JadeOS)(config)#ntp trusted-key 1
(JadeOS)(config)#ntp server 1.1.1.1 iburst
3.9 Ping and Traceroute
The ping and traceroute commands help diagnose network connectivity. Command format:
ping A.B.C.D
traceroute A.B.C.
Chapter 4 Interface Configuration
This chapter describes how to configure interfaces.
4.1 Naming Ethernet Port
GigabitEthernet is the GE port, and the format of the ‘word’ parameter is . ‘slot’ means the slot number and ‘port’ means the port number. Both start at 0, and the range depends on the actual number of Ethernet ports. For example, gigabitEthernet 1/0, gigabitEthernet 1/1 and gigabitethernet 1/2 mean the first, second and third Ethernet ports of the first slot.
Table 4-1 Command descriptions
Command / Description
vlan 2 / Create VLAN 2
vlan 3 name "VLAN3" / Create VLAN 3 and name it "VLAN3"
no vlan 2 / Delete VLAN 2
4.3 Adding Ethernet Port into VLAN
The Ethernet port can be set in access mode or trunk mode, and then added into a VLAN. The Ethernet port is in access mode by default. If it is set in trunk mode, the port can carry traffic for multiple VLAN tags. The port channel can also be set in access mode or trunk mode.
For example, add gigabitethernet 1/2 into access VLAN 2:
(JadeOS)(config) #interface gigabitethernet 1/2
(JadeOS)(config-if)#switchport mode trunk
(JadeOS)(config-if)#switchport trunk native vlan 4
(JadeOS)(config-if)#switchport trunk allowed vlan add 5-10,11,12
4.4 Configuring VLAN Interface
Command to configure a VLAN interface:
interface vlan <1-4094>
Note: you need to create the VLAN before configuring the VLAN interface.
For example:
(JadeOS) (config)#interface vlan 2
(JadeOS) (config-if)#ip address 10.
Inquire the LAG by using the show interface port-channel command:
(JadeOS)#show interface port-channel 2
Port-Channel 2 is administratively up
Hardware is Port-Channel, address is 04:8B:42:10:0D:0B (bia 04:8B:42:10:0D:0B)
Description: Link Aggregate (LACP)
Spanning Tree is disabled
VLAN membership: 190
Switchport priority: 0
Member port:
GE 4/3, Admin is up, line protocol is up
GE 4/4, Admin is up, line protocol is up
link status last changed 0 day 0 hr 16 min 46 sec
106198 packets input, 21374111 bytes Rece
4.6 Configuring QinQ
4.6.1 Configuring QinQ
As defined in IEEE 802.1Q, the VLAN tag uses only 12 bits to indicate the VLAN ID, so equipment can support at most 4094 VLANs. Some scenarios, especially in metropolitan area networks, require a separate VLAN per customer, so 4094 VLANs cannot meet the requirement. 802.1QinQ expands the VLAN space by using a VLAN-in-VLAN hierarchy, adding a second tag to already tagged packets. At the same time, QinQ lets the service provider (SP) carry all of a customer's VLANs within one SP VLAN.
Tag will be encapsulated when sending data. You can configure different services (for example, different authentication policies or bandwidth control policies) for different inner tags when data is received on a QinQ sub-interface.
4.
Gi 12/14 unassigned / unassigned down down
Gi 12/16 unassigned / unassigned down down
Gi 12/18 unassigned / unassigned down down
Chapter 5 Layer-2 Network Service
JadeOS provides layer-2 network service. This chapter describes bridge forwarding and port mirroring.
5.1 Bridge Forwarding
5.1.1 Bridge Description
A bridge interconnects two or more Layer-2 networks and forwards data frames based on the Layer-2 MAC address. The bridge supports MAC address learning: when a data frame from a MAC address passes through the bridge for the first time, the bridge creates a bridge table entry based on the frame's source MAC address.
Datapath Bridge Table Entries
-----------------------------
Flags: P - Permanent, D - Deny, M - Mobile, L - Local
MAC               VLAN  Assigned VLAN  Destination  Flags  Aging-time
----------------- ----  -------------  -----------  -----  ----------
04:8B:42:12:00:81 5     5              Local        PL
04:8B:42:12:0A:81 85    85             Local        PL
04:8B:42:12:0A:A1 86    86             Local        PL
04:8B:42:12:0A:C1 87    87             Local        PL
04:8B:42:12:0A:E1 88    88             Local        PL
5.1.4 Bridge Aging
The bridge aging time is 15 minutes by default.
Chapter 6 Layer-3 Network Service
JadeOS provides layer-3 network service. This chapter describes how to configure IP addresses, static routing, GRE tunnels, DHCP, OSPF, IPv6 and so on.
6.1 Configuring IP Address
6.1.1 Configuring IP Address
Use the following commands to assign a static IP address to a port on JadeOS:
interface gigabitethernet /
no switchport
ip address
6.1.
To display the system routing table, including directly connected routes and statically configured routes, use the show ip route command.
(JadeOS) #show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S 10.2.20.0/24 [1/0] via 192.168.20.1, mgmt 1
S 18.0.0.
To view the ARP table, use the show arp command:
(JadeOS) #show arp
Address          HWaddress          Interface  Type
192.168.20.1     00:13:1A:A5:CC:80  mgmt 1     Dynamic
192.168.20.15    00:15:C5:F3:35:B2  mgmt 1     Dynamic
192.168.20.152   00:14:22:19:FC:C4  mgmt 1     Dynamic
119.6.100.1      C4:64:13:D1:9A:EA  Gi 12/0    Dynamic
192.168.20.226   04:8B:42:10:6C:1C  mgmt 1     Dynamic
172.50.3.2       04:8B:42:20:00:F5  Gi 12/2    Dynamic
6.3.2 Configuring ARP Proxy
Proxy ARP includes local proxy ARP and proxy ARP.
1440 respectively:
(JadeOS) (config)#interface gigabitethernet 10/1
(JadeOS) (config-if)#mtu 1460
(JadeOS) (config-if)#tcp4mss 1440
6.5 Configuring GRE Tunnel
GRE (Generic Routing Encapsulation) specifies a protocol for encapsulating an arbitrary protocol over another arbitrary network layer protocol. GRE is defined in RFC 2784 and updated by RFC 2890.
DHCP protocol. It still meets high requirements on address pool scale and address allocation rate in an SP environment.
6.6.1 Configuring DHCP Server
To configure the DHCP server, use the following commands:
Step 1 Create one or more DHCP address pools:
ip dhcp pool
Step 2 Specify the gateway of the DHCP clients:
default-router A.B.C.D
Step 3 Specify the DNS server of the DHCP clients:
dns-server A.B.C.
Network Name 13.0.0.0/16
Total leases 65533
Free leases 64532
Active leases 1001
Abandoned leases Reserved leases 3 0 0
Inquire DHCP lease information:
(JadeOS) #show ip dhcp binding
lease 13.0.6.202 {
starts Mon Dec 23 10:41:30 2013
ends Mon Dec 23 10:42:30 2013
binding state active;
next binding state free;
hardware ethernet 00:50:ba:50:73:2b;
uid "\001\000P\272Ps+";
}
lease 13.0.6.
4 Inquire DHCP Server running status:
(JadeOS) #show ip dhcp server statistics
Dhcp Server Packet Statistics:
Receive packet:
Discover 0
Request 0
Release 0
Decline 0
Inform 0
Leasequery 0
Unkown 0
Send packet:
Offer 0
Ack 0
Nak 0
Other packet:
Bootp 0
Boopreply 0
Speed:
Offer Speed 0 client/sec
6.6.3 Configuring DHCP Relay
JadeOS provides a DHCP Relay function that enhances the DHCP function. A DHCP relay agent is any host that forwards DHCP packets between clients and servers.
Step 3 Specify the IP address of the DHCP server:
(JadeOS)(config-dhcp-relay)# server address A.B.C.D
Step 4 Specify the interface of the DHCP server:
(JadeOS)(config-dhcp-relay)# server-interface
Step 5 Enable relay:
(JadeOS)(config-dhcp-relay)# enable
6.6.4 DHCP Snooping
DHCP snooping acts as a firewall between untrusted hosts and the DHCP server, protecting legitimate users from interference and attacks. Through DHCP snooping, you can view the filtered illegal DHCP messages.
00:50:ba:50:77:06 13.0.7.20 300 D Gi 6/10
00:50:ba:50:76:DA 13.0.6.242 300 D Gi 6/10
00:50:ba:50:76:D8 13.0.6.237 300 D Gi 6/10
00:50:ba:50:76:D4 13.0.6.227 300 D Gi 6/10
Security Check
Using the binding table, the DHCP snooping module determines whether a DHCP message sent by a user is legitimate, and rejects the DHCP request if it is not.
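The security check just described can be modelled in a few dozen lines. The following is an added example written for this manual's reader, not JadeOS code: it keeps a binding table built from the rows shown above, treats one assumed interface (Gi 6/1) as the trusted server-facing port, and rejects server-originated messages arriving on untrusted ports as well as RELEASE/DECLINE messages that do not match the client's recorded binding. The message fields and the sample messages are constructed for the illustration.

```python
# Added example (not JadeOS code): a toy model of the DHCP snooping security
# check described above. Bindings are constructed from the binding-table
# rows shown on this page; the trusted-port name and the message fields are
# assumptions made for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: int   # remaining lease time in seconds
    port: str    # interface on which the binding was learned


@dataclass(frozen=True)
class DhcpMsg:
    kind: str    # DISCOVER, REQUEST, RELEASE, DECLINE, OFFER, ACK, NAK
    mac: str     # client hardware address carried in the message
    ip: str      # address the message refers to ("" if none)
    port: str    # interface the message arrived on


SERVER_KINDS = {"OFFER", "ACK", "NAK"}


class DhcpSnooper:
    """Filters DHCP messages from untrusted ports against the binding table."""

    def __init__(self, trusted_ports, bindings):
        self.trusted = set(trusted_ports)
        self.table = {b.mac.lower(): b for b in bindings}
        self.filtered = []   # (message, reason) for every rejected message

    def check(self, msg):
        """Return 'permit' or 'reject: <reason>' for one DHCP message."""
        if msg.port in self.trusted:
            return "permit"   # messages from server-facing ports pass unfiltered
        if msg.kind in SERVER_KINDS:
            # Only the DHCP server may send OFFER/ACK/NAK; a server answering
            # on a client port is rejected outright.
            return self._reject(msg, "server message on untrusted port")
        if msg.kind in ("RELEASE", "DECLINE"):
            # A client may only release or decline the lease the table says it
            # holds, and only from the port the lease was learned on; otherwise
            # a host could free another user's address.
            b = self.table.get(msg.mac.lower())
            if b is None or b.ip != msg.ip or b.port != msg.port:
                return self._reject(msg, "release/decline does not match binding")
        return "permit"   # DISCOVER/REQUEST are passed on to the server

    def _reject(self, msg, reason):
        self.filtered.append((msg, reason))
        return "reject: " + reason


# Binding-table rows taken from the show output above (lease 300 s, learned on Gi 6/10).
BINDINGS = [
    Binding("00:50:ba:50:77:06", "13.0.7.20", 300, "Gi 6/10"),
    Binding("00:50:ba:50:76:DA", "13.0.6.242", 300, "Gi 6/10"),
    Binding("00:50:ba:50:76:D8", "13.0.6.237", 300, "Gi 6/10"),
]


def run_demo():
    """Feed constructed messages through the check and return the verdicts."""
    snooper = DhcpSnooper(trusted_ports=["Gi 6/1"], bindings=BINDINGS)  # Gi 6/1 is an assumed server port
    msgs = [
        DhcpMsg("REQUEST", "00:50:ba:50:99:01", "", "Gi 6/10"),            # new client, allowed
        DhcpMsg("OFFER", "00:50:ba:50:99:01", "13.0.6.5", "Gi 6/10"),     # server message on a client port
        DhcpMsg("RELEASE", "00:50:ba:50:77:06", "13.0.7.20", "Gi 6/11"),  # right lease, wrong port
        DhcpMsg("RELEASE", "00:50:ba:50:77:06", "13.0.7.20", "Gi 6/10"),  # matches the binding
        DhcpMsg("ACK", "00:50:ba:50:99:01", "13.0.6.5", "Gi 6/1"),        # real server, trusted port
    ]
    return [snooper.check(m) for m in msgs]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The filtered list plays the role of the "filtered illegal DHCP message" view the section mentions: a stream of rejected OFFER/ACK messages on one client port is the signature of an unauthorised DHCP server behind that port, and mismatched RELEASEs show a host trying to free an address it does not hold.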
(JadeOS) (config-if)#arp authorized
Note: ARP learning will be disabled after enabling ARP with DHCP.
• Disable the ARP with DHCP function:
Step 1 To save client ARP information, use the no update arp command to disable the ARP function:
(JadeOS) (config)#ip dhcp pool ABC
(JadeOS) (config-dhcp)#no update arp
Step 2 Enable the ARP learning function:
(JadeOS) (config)#interface vlan 6
(JadeOS) (config-if)#no arp authorized
You can view client ARP information with the show arp command.
6.
Enabling OSPF requires that you create an OSPF router ID, which is the unique identifier of the router within the AS, and an area ID, which specifies the range of the routing process. If the router ID is not configured, the loopback interface IP is taken as the router ID. If there is no loopback interface, the system selects the highest IP address from all interface IPs.
transmit a link state update packet on an OSPF interface.
Table 6-1 OSPF Interface Parameter
6.7.4 Configuring OSPF Area
JadeOS OSPF supports the following types of area:
• Stub area
Stub areas are areas into which information on external routes is not sent. Instead, the area border router generates a default external route into the stub area for destinations outside the autonomous system.
6.7.5 Configuring OSPF Network Type
JadeOS supports the following types of OSPF network:
• Point-to-point networks (HDLC, Token Ring, FDDI)
On point-to-point links such as HDLC and PPP, OSPF runs as a point-to-point network type. To configure an OSPF point-to-point network on JadeOS, use the following command:
(JadeOS)(config-if)#ip ospf network point-to-point
• Broadcast networks (Ethernet, Token Ring, FDDI)
On broadcast media such as Ethernet and Token Ring, OSPF runs as a broadcast network type.
Figure 6-1 OSPF configuration example
Step 1 Create VLANs and add interfaces to VLANs (refer to chapter 4 for VLAN configuration)
Step 2 Configure OSPF on JadeOS A
(JadeOS-A) (config) #router ospf
(JadeOS-A) (config-router) #ospf router-id 1.1.1.1
(JadeOS-A) (config-router) #network 192.168.10.0/24 area 0
(JadeOS-A) (config-router) #network 192.168.20.0/24 area 1
(JadeOS-A) (config) #interface vlan 10
(JadeOS-A) (config-if) #ip address 192.168.10.
(JadeOS-B) (config-if) #ip address 192.168.10.2/24
(JadeOS-A) (config-if) #ip ospf network point-to-point
(JadeOS-B) (config) #interface vlan 30
(JadeOS-B) (config-if) #ip address 192.168.30.1/24
(JadeOS-A) (config-if) #ip ospf network point-to-point
Step 4 Configure OSPF on JadeOS C
(JadeOS-C) (config) #router ospf
(JadeOS-C) (config-router) #ospf router-id 1.1.1.3
(JadeOS-C) (config-router) #network 192.168.20.
To configure IPv6 routing, use the following command:
ipv6 route /
6.8.
Chapter 7 Network Security
JadeOS is typically deployed as a gateway through which a great deal of traffic passes. The network environment of the equipment is very complex and faces network security threats. This chapter describes JadeOS network security and how to configure it.
7.1 Access Control List (ACL)
An Access Control List (ACL) defines network access. An ACL is a combination of rules; each rule specifies one match condition and one action.
Step 2 Deny TCP traffic from 60.0.0.0/255.255.255.0 to 192.168.10.0/255.255.255.0 with port range 1-1023.
(JadeOS) (config-std-test-extended)# deny tcp 60.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0 range 1 1023
Step 3 Permit all TCP port 80 traffic to 192.168.10.0/255.255.255.0.
(JadeOS) (config-std-test-extended)# permit tcp any 192.168.10.0 255.255.255.0 eq
7.1.
To display the number of current sessions, use the show datapath session counters command.
before packets are forwarded to another network. As part of this capability, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security by effectively hiding the entire internal network behind that address. NAT offers the dual functions of security and address conservation and is typically implemented in remote-access environments.
Step 3 Configure user role and apply ACL
(JadeOS)(config)#user-role trole
(JadeOS)(config-trole)#access-list session tacl
Step 4 Configure AAA Profile, and specify user role
(JadeOS)(config)#aaa profile test
(JadeOS)(AAA profile “test”)#initial-role trole
Step 5 Apply AAA profile to VLAN 100
(JadeOS)(config)#vlan 100 aaa profile test
7.3.
Step 4 Apply AAA profile to VLAN 100
(JadeOS) (config) #vlan 100 aaa profile test
7.4 Configuring DoS Anti-attack
The main function of DoS anti-attack is to protect the operating system of the control plane, so that JadeOS keeps working normally under malicious attack. DoS anti-attack first classifies traffic by protocol, and then limits the rate of each protocol according to the configuration.
For example:
To limit the rate of session creation to 50000 per second:
(JadeOS) (config)#firewall sp-bandwidth-contract session pps 50000
To limit the rate of new online users to 700 per second:
(JadeOS) (config)#firewall sp-bandwidth-contract user pps 700
To limit the rate of received DHCP messages to 2000 per second:
(JadeOS) (config)#firewall cp-bandwidth-contract dhcp pps 2000
To limit the rate of received ARP messages to 2000 per second:
(JadeOS) (config)#firewall cp-band
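The configuration lines above only show the knobs, so here is an added example (written for this manual's reader, not JadeOS code) of the two-stage mechanism the section describes: classify each control-plane packet by protocol, then police each class with its own pps contract. The classifier fields, the token-bucket policer and the constructed traffic mix are assumptions made for the illustration; the 2000 pps contracts for dhcp and arp are the values used in the commands above.

```python
# Added example (not JadeOS code): a model of the DoS anti-attack scheme
# described above, which classifies control-plane packets by protocol and
# then rate-limits each class with its own configured pps contract. The
# classifier fields, the token-bucket policer and the constructed traffic are
# assumptions made for this illustration; the pps values come from the
# configuration lines above.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float            # arrival time in seconds
    ethertype: str       # "arp" or "ip"
    proto: str = ""      # "udp", "tcp", "icmp", ... for IP packets
    dport: int = 0       # destination port for udp/tcp


def classify(pkt):
    """First stage: map a packet to the protocol class that is policed."""
    if pkt.ethertype == "arp":
        return "arp"
    if pkt.proto == "udp" and pkt.dport in (67, 68):
        return "dhcp"
    return "other"       # classes without a contract are not limited here


class TokenBucket:
    """pps-rate token bucket; burst capacity is one second's worth of tokens."""

    def __init__(self, pps):
        self.rate = float(pps)
        self.capacity = float(pps)
        self.tokens = float(pps)
        self.last = 0.0

    def allow(self, ts):
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.capacity, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ControlPlanePolicer:
    """Second stage: one bucket per protocol class, one per cp-bandwidth-contract line."""

    def __init__(self, contracts):
        self.buckets = {cls: TokenBucket(pps) for cls, pps in contracts.items()}
        self.stats = {}

    def process(self, pkt):
        cls = classify(pkt)
        bucket = self.buckets.get(cls)
        accepted = bucket.allow(pkt.ts) if bucket else True
        counters = self.stats.setdefault(cls, {"accepted": 0, "dropped": 0})
        counters["accepted" if accepted else "dropped"] += 1
        return accepted

    def run(self, packets):
        for pkt in sorted(packets, key=lambda p: p.ts):   # buckets need time-ordered input
            self.process(pkt)
        return self.stats


def run_demo():
    """Constructed traffic: an ARP flood alongside normal DHCP and ICMP traffic."""
    policer = ControlPlanePolicer({"dhcp": 2000, "arp": 2000})
    traffic = [Packet(0.0, "arp") for _ in range(2500)]              # 2500 ARP in the first second
    traffic += [Packet(1.0, "arp") for _ in range(1500)]             # 1500 ARP in the next second
    traffic += [Packet(0.0, "ip", "udp", 67) for _ in range(50)]     # DHCP well under its contract
    traffic += [Packet(0.5, "ip", "icmp") for _ in range(10)]        # class without a contract
    return policer.run(traffic)


if __name__ == "__main__":
    for cls, counters in run_demo().items():
        print(cls, counters)
```

The point of classifying first is visible in the counters: the ARP flood loses its excess (500 of 4000 packets dropped) while the DHCP and ICMP traffic is untouched, which is what keeps the control plane responsive for the protocols that are not under attack.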
Figure 6-4 Lawful interception
To create the Lawful interception gateway interface and rules on JadeOS, complete the following steps:
Step 1 Enter the LI configuration mode.
(JadeOS)(config) #li
Step 2 Configure the LI gateway on JadeOS.
(JadeOS)(config-li) #lig add test123 mirror gigabitethernet 2/1
Step 3 Configure the LI rule and enable lawful intercept on JadeOS.
(JadeOS)(config-li) #rule host-filter 1 gigabitethernet 2/1 10.1.10.
Chapter 8 Configuring HQoS
With the rapid development of computer networks, bandwidth-, delay- and jitter-sensitive services such as voice and video are carried over IP networks. JadeOS supports HQoS (hierarchical QoS), which classifies service traffic by type and also manages and hierarchically schedules the scheduled objects, such as multiple users, multiple services and multiple traffic types, in a unified way, ensuring quality for the different data services.
(JadeOS) (config-role)#bandwidth-contract BW-8M downstream
(JadeOS) (config-role)#bandwidth-contract BW-2M upstream
Chapter 9 Configuring AAA
This chapter describes AAA configuration, including user network access, bandwidth control policy and so on.
9.1 The Attribute of Trust and Untrust
The attribute applies to the ingress interface of a data packet: when the interface has the trust attribute, JadeOS disables the authentication function on that interface; when the interface has the untrust attribute, JadeOS enables the authentication function on that interface.
user table.
9.2.2 User Role and ACL
A user role defines the user's network access. JadeOS specifies the user's network access through an ACL. To create a user role in JadeOS, you need to create a session ACL and then apply the ACL to the user role. To create a user role, use the following steps:
Step 1 Configure a session ACL named pre-auth-acl
(JadeOS) (config) #ip access-list session pre-auth-acl
Step 2 Configure network access.
(JadeOS) (config) #ip access-list session pre-auth-acl
(JadeOS) (config-sess-pre-auth-acl)#any any udp 53 permit
(JadeOS) (config-sess-pre-auth-acl)#any any tcp 0 65535 dst-nat ip 10.0.0.2 443
(JadeOS) (config-sess-pre-auth-acl)#any any udp 0 65535 dst-nat ip 10.0.0.
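To show how the ACLs on this page are evaluated, the following is an added example written for this manual's reader, not JadeOS code: a first-match evaluator that encodes the extended ACL of section 7.1 (deny tcp 60.0.0.0/24 to 192.168.10.0/24 on ports 1-1023, then permit tcp any to 192.168.10.0/24 on port 80) and the session ACL pre-auth-acl above (permit DNS, dst-nat all other TCP to the portal at 10.0.0.2:443). The rule and flow data model, the implicit final deny and the sample flows are assumptions made for the illustration.

```python
# Added example (not JadeOS code): a first-match evaluator for the two ACLs
# shown on this page, the extended ACL of section 7.1 and the session ACL
# pre-auth-acl of section 9.2.2. The rule/flow data model, the implicit final
# deny and the sample flows are assumptions made for this illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port, 0 for protocols without one


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit", "deny" or "dst-nat"
    proto: str                           # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Tuple[int, int] = (0, 65535)  # inclusive destination-port range
    nat_to: Optional[Tuple[str, int]] = None   # (ip, port) for dst-nat


def net(addr, mask="255.255.255.255"):
    """Build a network from the address/subnet-mask form used in the ACL steps."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def matches(rule, flow):
    return ((rule.proto == "any" or rule.proto == flow.proto)
            and ipaddress.ip_address(flow.src) in rule.src
            and ipaddress.ip_address(flow.dst) in rule.dst
            and rule.ports[0] <= flow.dport <= rule.ports[1])


def evaluate(acl, flow):
    """Rules are tried in order; the first match decides, and the ACL ends with an implicit deny."""
    for rule in acl:
        if matches(rule, flow):
            return (rule.action, rule.nat_to if rule.action == "dst-nat" else None)
    return ("deny", None)


# Extended ACL from section 7.1, steps 2 and 3 (port 80 is taken from the step text).
EXTENDED_ACL = [
    Rule("deny", "tcp", net("60.0.0.0", "255.255.255.0"),
         net("192.168.10.0", "255.255.255.0"), (1, 1023)),
    Rule("permit", "tcp", net("any"), net("192.168.10.0", "255.255.255.0"), (80, 80)),
]

# Session ACL pre-auth-acl from section 9.2.2: DNS passes, everything else over TCP
# is redirected to the captive portal so an unauthenticated user sees the login page.
PRE_AUTH_ACL = [
    Rule("permit", "udp", net("any"), net("any"), (53, 53)),
    Rule("dst-nat", "tcp", net("any"), net("any"), (0, 65535), nat_to=("10.0.0.2", 443)),
]


def run_demo():
    """Evaluate constructed flows against both ACLs and return the verdicts."""
    return {
        "blocked-src-web": evaluate(EXTENDED_ACL, Flow("60.0.0.5", "192.168.10.7", "tcp", 80)),
        "other-src-web": evaluate(EXTENDED_ACL, Flow("10.9.9.9", "192.168.10.7", "tcp", 80)),
        "other-src-ssh": evaluate(EXTENDED_ACL, Flow("10.9.9.9", "192.168.10.7", "tcp", 22)),
        "preauth-dns": evaluate(PRE_AUTH_ACL, Flow("192.168.1.5", "8.8.8.8", "udp", 53)),
        "preauth-http": evaluate(PRE_AUTH_ACL, Flow("192.168.1.5", "93.184.216.34", "tcp", 80)),
        "preauth-icmp": evaluate(PRE_AUTH_ACL, Flow("192.168.1.5", "93.184.216.34", "icmp")),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16} {verdict}")
```

Two things the verdicts make visible: rule order matters (web traffic from 60.0.0.0/24 is denied even though a later rule permits port 80, because the deny matches first), and anything no rule mentions, such as ICMP in the pre-authentication role, falls through to the implicit deny.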
Configuring an AAA profile requires configuring the user roles applied before authentication and after authentication. Please refer to chapter 9.3 for more information.
9.4.3 Configuring Radius Server Group
Step 1 Configure the Radius server RS1, including the IP address of the radius server, the authentication key and the local IP address:
(JadeOS) (config)#aaa authentication-server radius RS1
(JadeOS) (RADIUS Server "RS1")#host 119.6.200.245
(JadeOS) (RADIUS Server "RS1")#key 123456
(JadeOS) (RADIUS Server "RS1")#ip 119.6.200.
and radius-proxy; usually the authentication way specifies a default-role, which is the user role assigned after successful authentication. This chapter describes the configuration of an authentication way using web portal as an example. In portal authentication, you need to define an rfc-3576-client, then a profile that includes at least a radius server group, a default-role and the rfc-3576-client. Please refer to chapter 9.7 for more information. For example:
(JadeOS) (config)#aaa rfc-3576-client 119.6.200.
authentication-portal          Configure Portal authentication profile
authentication-psk             Configure PSK authentication profile
authentication-radius-proxy    Configure radius proxy profile
authentication-wep             Configure WEP authentication profile
disconnect-message-client      Configure disconnect message client
http-redir-url-id              Configure http redirection url ID
http-redirection               Configure http-redirection
initial-role                   Role that is assigned to a user before authentication takes place
post-auth                      Post-auth Timer
pre-auth
Step 2: Apply MAC authentication in the AAA profile
(JadeOS) (MAC Authentication Profile "mac1")#aaa profile aaa
(JadeOS) (AAA profile "aaa")#authentication-mac mac1
9.6 802.1X Authentication
Authentication Description
802.1x authentication is a port-based authentication policy. The purpose of 802.1x authentication is to decide whether a port is available: if authentication succeeds, the port allows all messages; if authentication fails, the port allows only 802.1x messages.
• The user inputs the user name and password; the browser transfers them to the web portal (the authentication module in JadeOS), and the web portal sends an authentication request to the radius server.
• JadeOS decides whether authentication succeeded through the user database in the radius server; if authentication succeeds, the radius server informs JadeOS, and at the same time JadeOS informs the portal server.
• The portal server pops up the welcome page; user authentication is over.
9.7.
A Disconnect Message (DM) is a message that disconnects a user. The AAA Service Framework uses CoA messages to dynamically modify active subscriber sessions. For example, RADIUS attributes in CoA messages might instruct the framework to create, modify or terminate a subscriber service.
CoA Messages
Dynamic request support enables the router to receive and process unsolicited CoA messages from external RADIUS servers.
White-list and black-list authentication is based on a group of URLs.
is RP
(JadeOS) (AAA profile "AAA")#authentication-radius-proxy RP
Step 3 Specify the aaa profile in config mode
(JadeOS) (AAA profile "AAA")#aaa radius-proxy aaa profile AAA
Step 4 Enable Radius proxy in config mode
(JadeOS) (AAA profile "AAA")#aaa radius-proxy enable
9.8.2 Configuring EAP-SIM
EAP-SIM is an EAP authentication protocol based on the 2G SIM card, through which users access the WLAN network.
(JadeOS) (RADIUS Server "r1") #ip 10.1.1.10
(JadeOS) (config) #aaa server-group sg
(JadeOS) (Server Group "sg")#auth-server r1
Step 2 Configure the 802.1x authentication profile
(JadeOS) (config)#aaa authentication dot1x dot1x
(JadeOS) (802.1X Authentication Profile "dot1x")#default-role postauth
(JadeOS) (802.
9.
(JadeOS) (config-subif)#end
Step 2 Create DHCP Server
(JadeOS) (config) #ip dhcp pool 119
(JadeOS) (config-dhcp)#network 119.6.200.0 255.255.255.0
(JadeOS) (config-dhcp)#default-router 119.6.200.1
(JadeOS) (config-dhcp)#dns-server 119.6.6.6
(JadeOS) (config-dhcp)#exit
(JadeOS) (config) #ip dhcp excluded-address 119.6.200.1 119.6.200.115
(JadeOS) (config) #ip dhcp excluded-address 119.6.200.117 119.6.200.
(JadeOS) (RADIUS Server "r1") #source-interface vlan 30
(JadeOS) (config) #aaa server-group g1
(JadeOS) (Server Group "g1") #auth-server r1
Step 8 Configure aaa profile
(JadeOS) (config) #aaa profile ABC
(JadeOS) (AAA Profile "ABC") #web-auth-server-group g1
(JadeOS) (AAA Profile "ABC") #rfc-3576-client 210.151.12.
S - Src NAT with VLAN IP, E - L2 Enforced, F - IPIP Force Delete, O - VOIP user
IP               MAC                ACLs       Contract  Location  Sessions  Flags
---------------  -----------------  ---------  --------  --------  --------  -----
(JadeOS) #show datapath user coun
(JadeOS) #show datapath user counters
Datapath User Table Count is: 0
Chapter 10 WLAN Management
JadeOS provides wireless controller and FIT AP solutions. The wireless controller configures, manages and maintains a large number of APs in a unified way, which greatly reduces the maintenance of the wireless network. JadeOS supports APs without configuration, which makes it convenient to expand FIT APs and the wireless network. JadeOS also supports centralized authentication, which makes unified access and authentication convenient.
maintenance.
10.1.3 CAPWAP Data Channel
After the configuration request from the AP, the AC negotiates with the AP to enable the data channel. In centralized forwarding mode, uplink messages are encapsulated with CAPWAP in the AP, decapsulated in the AC, and then forwarded; downlink messages are encapsulated with CAPWAP in the AC and reach the AP through the CAPWAP tunnel; the AP decapsulates the downlink messages, which then reach the user terminals through the 802.11 protocols.
10.1.
centralized forwarding, AC authentication local forwarding and local authentication local forwarding.
10.3 Configuring Power
You can configure the AC to automatically choose the power of the AP and station; the configuration command is as follows:
transmit-power 0
Configuring Radio Frequency
You can manually configure the radio frequency of the AP; at the same time, the AP can keep its original radio frequency information when it comes online again after going offline normally.
(JadeOS) #copy ftp 1.2.3.4 user cert_file flash sc-file-1
(JadeOS) #Cert import pem serverCert sc-1 sc-file-1
Note that FTP carries the login credentials and the certificate file in clear text.
10.6 Special SSID and SSID Control
In EDU mode, to avoid the AP disabling all SSIDs when it loses its connection to the AC, the AC assigns a special SSID when the AP connects; when CAPWAP is disconnected, the AP enables this SSID so that service continues.
white-list based on MAC address.
(JadeOS) (config)#aaa profile aaa1
(JadeOS) (AAA profile "aaa1")#initial-role role1
(JadeOS) (AAA profile "aaa1")#exit
(JadeOS) (config)#wlan virtual-ap default
(JadeOS) (Virtual AP Profile "default")#aaa-profile aaa1
(JadeOS) (Virtual AP Profile "default")#exit 10.
The WLAN DoS function prevents denial-of-service attacks on the wireless side, for example floods of management frames. Example configuration:
(JadeOS) (config)#wids dos-profile default
(JadeOS) (IDS DOS-Profile "default")#dos-prevention
(JadeOS) (IDS DOS-Profile "default")#mgmt-frame-throttle-interval 10
(JadeOS) (IDS DOS-Profile "default")#mgmt-frame-throttle-limit 100
To display attacks seen on all APs, use the show wlan dos command. To display attacks seen by a specified AP MAC address, use the show wlan dos ap command.
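To make the two throttle settings concrete, the following is an added model of a management-frame throttle run over constructed sample traffic. It is not JadeOS code, and the reading of the knobs as "at most limit frames per source in any interval-second window, excess frames dropped and counted" is an assumption; the page does not say whether JadeOS counts per source MAC, per AP, or globally.

```python
"""Sliding-window management-frame throttle.

Added illustrative code, not JadeOS code. Assumed semantics of the page's two settings:
mgmt-frame-throttle-interval = window length in seconds,
mgmt-frame-throttle-limit    = frames allowed per source within that window.
The sample frames are constructed, not captured."""
from collections import defaultdict, deque


class MgmtFrameThrottle:
    def __init__(self, interval=10, limit=100):
        self.interval = interval
        self.limit = limit
        self.windows = defaultdict(deque)      # source MAC -> timestamps inside the window

    def observe(self, ts, src_mac):
        """Record one management frame; return True if it exceeds the limit and is dropped."""
        q = self.windows[src_mac]
        while q and ts - q[0] >= self.interval:   # expire timestamps outside the window
            q.popleft()
        q.append(ts)
        return len(q) > self.limit


def run(frames, interval=10, limit=100):
    """Feed (timestamp, source MAC, subtype) frames through the throttle.

    Returns {(source, subtype): dropped_count} for sources that hit the limit."""
    throttle = MgmtFrameThrottle(interval, limit)
    dropped = defaultdict(int)
    for ts, src, subtype in frames:
        if throttle.observe(ts, src):
            dropped[(src, subtype)] += 1
    return dict(dropped)


def sample_frames():
    """Constructed sample: one station probing once a second, one flooding 300 deauths in 3 s."""
    frames = [(i * 1.0, "00:11:22:33:44:55", "probe-req") for i in range(20)]
    frames += [(5 + i * 0.01, "66:77:88:99:aa:bb", "deauth") for i in range(300)]
    return sorted(frames)


if __name__ == "__main__":
    print(run(sample_frames()))
```

With the page's values (interval 10, limit 100) the probing station is never throttled, while the flooding source has 200 of its 300 deauthentication frames dropped, which is the kind of event the show wlan dos output is expected to report.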
Chapter 11 WEBUI
11.1 WEBUI Description
JadeOS supports configuration through the WEBUI. 11.
Chapter 12 Configuring SNMP
12.1 Configuring SNMP
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. It is used mostly by network management systems to monitor network-attached devices for conditions that warrant administrative attention. JadeOS supports versions 1, 2c, and 3 of SNMP. SNMPv1 and SNMPv2c authenticate only with a community string sent in clear text, so where management traffic crosses untrusted networks, SNMPv3 with authentication and privacy should be used.
Chapter 13 Maintenance and Diagnosis
13.1 Log System
The log system records the system's running status; logs can be saved locally or sent to a remote log server. Logs are classified into 8 severity levels, from emerg to debug, and the default level is err (error). To set the log level, use the following commands in config mode:
logging level [process app]
logging [severity level] [type category]
Note: the log levels are emerg, alert, crit, err, warning, notice, info, debug.
Figure 14-1 Modules Diagram for the System Management
When the system powers up, a "master" system manager is elected among all line cards present in the chassis to control the whole equipment. The shelf manager control board sends and receives messages to and from the cards and modules over the I2C bus. The elected "master" system manager on the line card obtains information from the shelf manager control board across the switch board over TCP/IP, and uses it to control and monitor the whole system.
To show the CPU usage percentage, use: show cpuload
To show memory usage, use: show memory
To show the system log, use: show log all
To show process status, use: show process monitor statistics
Alarm
The hardware running status of JadeOS can be monitored and reported to the system manager.
Abbreviations
A
AC: Alternating Current
ACC: Automatic Current Control
ACL: Access Control List
AS: Autonomous System
ATCA: Advanced Telecom Computing Architecture
AP: Access Point
B
BCMC: Broadcast and Multicast
C
CAPWAP: Control And Provisioning of Wireless Access Points
CDP: Cisco Discovery Protocol
CE: Communication Edge
CLI: Command Line Interface
D
DES: Data Encryption Standard
DHCP: Dynamic Host Configuration Protocol
DNS: Domain Name Server
DOS: Denial of Service
E
EAP EAPOL ECN Enterprise Application
I
IETF: Internet Engineering Task Force
IGP: Interior Gateway Protocol
IP: Internet Protocol
IPMB: Intelligent Platform Management Bus
IPMC: Intelligent Platform Management Controller
IPMI: Intelligent Platform Management Interface
IPS: Intrusion Prevention System
L
LACP: Link Aggregation Control Protocol
LAG: Link Aggregation Group
LDAP: Lightweight Directory Access Protocol
LED: Light Emitting Diode
M
MAC: Media Access Control
MLVDS: Multipoint Low-Voltage Differential Signaling
N
NAT: Network Address Transla
NTP
R
RFC: Request For Comments
RSTP: Rapid Spanning Tree Protocol
RTC: Real Time Clock
RTM: Rear Transmission Module
S
SAD: Shelf Alarm Display
SAP: Shelf Alarm Panel
SHA: Secure Hash Algorithm
SNMP: Simple Network Management Protocol
SSID: Service Set Identifier
SSL: Secure Sockets Layer
SSH: Secure Shell
STP: Spanning Tree Protocol
T
TCA: Telecommunications Computing Architecture
TCP/IP: Transmission Control Protocol / Internet Protocol
TFTP: Trivial File Transfer Protocol
TKIP: Temporal Key Integrity Protocol
U
UDP: Us