topic RE: Change config of RFS6000 in ExtremeWireless (WiNG)

Change config of RFS6000

DW76 — Thu, 13 Sep 2018 21:08:00 GMT

I need to change the DNS IP address in my config. I can access the RFS6000 via IP address, web interface and see the running config. How can I edit this? Please advise. Thank you!

RE: Change config of RFS6000

ckelly — Thu, 13 Sep 2018 21:17:00 GMT

You can enter the name server addresses either in the controller profile itself or as a controller override. In either case though, the actual CLI syntax you would use is: ip name-server X.X.X.X

Example, to enter an address as an override:
1) Login
2) enable
3) self
4) ip name-server 8.8.8.8
5) commit write

You can enter multiple DNS entries this way.

From the UI:

1) Configuration Tab
2) Devices
3) Select the RFS6000
4) In center column, expand "Profile Overrides"
5) Expand "Network"
6) Select DNS
7) Over to the right, you should see where you can enter DNS server entries
 Remember to "Commit and Save" in the top right corner when done

RE: Change config of RFS6000

DW76 — Thu, 13 Sep 2018 21:44:00 GMT

Thank you Chris--however when I browse to the network settings via UI, there are no existing DNS entries shown. Does that make sense? Tried accessing the device via CLI using Putty/SSH but the password I use to access via UI does not work there. Not real familiar with this device as it was set up by a vendor. Trying to avoid having to buy a 4 hour block of time for a 2 min change. Any thoughts? If I change in the UI, will it override the existing running config?

RE: Change config of RFS6000

ckelly — Thu, 13 Sep 2018 21:55:00 GMT

Is it possible that there currently are no DNS entries that have been setup?

Another possibility is that if there *are* DNS entries, they've been entered at the controller's Profile level. In case you're not aware, the Profile settings are where you want to keep as many settings as possible. The override section will *override* a setting that exist in the main Profile. Normal use of the override section is for things like static IP addresses, hostnames, etc. Things that are unique to a device...and therefore not appropriate to enter into a common Profile.

In the UI, to get to the controller's Profile:
1) Configuration
2) Profiles
3) Double-Click on the Profile that is assigned to your RFS6000
4) Center column, expand Network and choose DNS.

If you don't see any DNS entries there either, then it would seem that the controller does not have any DNS entries. Does the controller need one? Or....are you really looking to assign DNS entries for the adopted APs?

Not sure why the password isn't working to access the CLI but works for the GUI. Maybe the management profile is configured to disallow CLI access?

RE: Change config of RFS6000

DW76 — Fri, 14 Sep 2018 00:05:00 GMT

Hi,

I've managed to make an SSH connection. The following CLI shows the DNS entry:

dhcp-server-policy default
dhcp-pool EmployeeGuest
network 192.168.0.0/24
address range 192.168.0.2 192.168.0.254
default-router 192.168.0.1
dns-server 10.0.70.2

Can you explain how I change this? Will it require a restart or anything? Thank you.

RE: Change config of RFS6000

ckelly — Fri, 14 Sep 2018 00:15:00 GMT

Okay...so this is showing that you have a DHCP service created on the RFS6000. But, it doesn't necessarily show that it's *used* (It is simply a policy that is created and *can* be used).

If we assume though that this DHCP service Policy is used by the controller, then you can change the DNS entry this way.

1) Log in
2) enable
3) config
4) dhcp-server-policy default
5) dhcp-pool EmployeeGuest
6) no dns-server (This gets rid of the existing entry)
7) dns-server
 commit wr

You can then verify things at the level you're at now (you are currently in the dhcp-pool settings). Issue the command: show context

This will show you all of the settings that currently exist at the dhcp-pool level of the config.
You can use that same command at any level so that you can see the current config settings for a section that you are in. Very handy command.

RE: Change config of RFS6000

DW76 — Fri, 14 Sep 2018 00:24:00 GMT

Thank you! I will make these changes after hours this afternoon. One other question, while examining the config, I notice this entry:

use radius-server-policy default
interface me1
ip address 10.1.1.100/24

Not sure what this is as we have no IP scheme in our network that is 10.1.1.x. Any thoughts?

RE: Change config of RFS6000

ckelly — Fri, 14 Sep 2018 01:09:00 GMT

The me1 interface is normally used for an out of band management port. If you don't have any network cables plugged into it, then it's not accessible on the network, so no concerns there.

RE: Change config of RFS6000

DW76 — Fri, 14 Sep 2018 01:12:00 GMT

Hi again,
An opportunity presented itself so I made the changes. I'm able to verify that the DNS server IP has been changed for both startup and running configs--however wifi clients are not able to browse by URL, but the settings on my phone show the new DNS IP address. Any thoughts--did I miss something? I see this still exists in the config and it should be changed to the new IP. Can you send syntax to change this:

permit ip 192.168.0.0/24 host 10.0.70.2 rule-precedence 140

As always, thanks again!

RE: Change config of RFS6000

ckelly — Fri, 14 Sep 2018 01:21:00 GMT

Can you also include the parent level of this entry? I can't tell exactly where this rule originates

RE: Change config of RFS6000

DW76 — Fri, 14 Sep 2018 01:23:00 GMT

ip access-list ABCEmployee2018
permit udp any range 67 68 any range 67 68 rule-precedence 1
permit udp any any eq dns rule-precedence 2
deny ip any 10.0.70.0/23 rule-precedence 3
permit ip 192.168.0.1/24 any rule-precedence 4

ip access-list ABCEmployees
permit udp any eq 68 any eq dhcps rule-precedence 10
permit udp any any eq dns rule-precedence 20
permit tcp any any eq www rule-precedence 30
permit tcp any any eq https rule-precedence 40
permit tcp any any eq smtp rule-precedence 50
permit tcp any any eq imaps rule-precedence 60
permit tcp any any eq 587 rule-precedence 70
permit tcp any any eq pop3 rule-precedence 80
permit tcp any eq 443 any eq https rule-precedence 90
permit tcp any any eq 1723 rule-precedence 100
permit udp any any eq 500 rule-precedence 110
permit udp any any eq 4500 rule-precedence 115
permit ip 192.168.0.0/24 host 10.0.70.2 rule-precedence 140 ***(IP address needs to change)
deny ip 192.168.0.0/24 host 192.168.0.1 rule-precedence 145
deny ip any host 10.0.70.20 rule-precedence 150

RE: Change config of RFS6000

ckelly — Fri, 14 Sep 2018 01:32:00 GMT

Okay...an IP access list rule.
To get to the section to change it:

1) Login
2) enable
3) config
4) ip access-list ABCEmployees
5) permit ip 192.168.0.0/24 host 10.0.70.2 rule-precedence 140 (change the IP address to what you want in this command. Since the rule-precedence level remains the same, the new entry will simply overwrite what is already there. If you want to actually add NEW entries, just make sure that they don't duplicate the rule-precedence values of any of the existing entries)
6) commit write

RE: Change config of RFS6000

DW76 — Fri, 14 Sep 2018 02:04:00 GMT

Ok, was able to change that too, however wifi clients are still not getting online. Any ideas... not seeing any other references in the config for the old IP address.

RE: Change config of RFS6000

ckelly — Fri, 14 Sep 2018 04:05:00 GMT

So is this client able to PING an Internet IP address? Is this just a resolution issue?
You say that the client does show that it has a DNS server as part of its DHCP lease info?

RE: Change config of RFS6000

DW76 — Fri, 14 Sep 2018 04:38:00 GMT

Chris-My apologies, I am out of the office now. I will test this again and report back tomorrow. The config on phones does show the new DNS IP. I am attaching the full config if that helps at all.

!
! Configuration of RFS6000 version 5.8.6.7-002R
!
!
version 2.5
!
!
ip access-list ABCEmployeeGuest
permit ip 192.168.0.0/24 any rule-precedence 10
!
ip access-list Hotspot
permit udp any eq 68 any eq dhcps rule-precedence 10
permit udp any any eq dns rule-precedence 20
permit tcp any any eq www rule-precedence 30
permit tcp any any eq https rule-precedence 40
permit tcp any any eq snpp rule-precedence 50
deny ip any host 10.0.70.20 rule-precedence 60
!
ip access-list ABCEmployee2018
permit udp any range 67 68 any range 67 68 rule-precedence 1
permit udp any any eq dns rule-precedence 2
deny ip any 10.0.70.0/23 rule-precedence 3

permit ip 192.168.0.1/24 any rule-precedence 4

ip access-list ABCEmployees
permit udp any eq 68 any eq dhcps rule-precedence 10
permit udp any any eq dns rule-precedence 20
permit tcp any any eq www rule-precedence 30
permit tcp any any eq https rule-precedence 40
permit tcp any any eq smtp rule-precedence 50
permit tcp any any eq imaps rule-precedence 60
permit tcp any any eq 587 rule-precedence 70
permit tcp any any eq pop3 rule-precedence 80
permit tcp any eq 443 any eq https rule-precedence 90
permit tcp any any eq 1723 rule-precedence 100
permit udp any any eq 500 rule-precedence 110
permit udp any any eq 4500 rule-precedence 115
permit ip 192.168.0.0/24 host 10.0.70.9 rule-precedence 140
deny ip 192.168.0.0/24 host 192.168.0.1 rule-precedence 145
deny ip any host 10.0.70.20 rule-precedence 150
!
firewall-policy default
no ip dos smurf
no ip dos twinge
no ip dos invalid-protocol
no ip dos router-advt
no ip dos router-solicit
no ip dos option-route
no ip dos ascend
no ip dos chargen
no ip dos fraggle
no ip dos snork
no ip dos ftp-bounce
no ip dos tcp-intercept
no ip dos broadcast-multicast-icmp
no ip dos land
no ip dos tcp-xmas-scan
no ip dos tcp-null-scan
no ip dos winnuke
no ip dos tcp-fin-scan
no ip dos udp-short-hdr
no ip dos tcp-post-syn
no ip dos tcphdrfrag
no ip dos ip-ttl-zero
no ip dos ipspoof
no ip dos tcp-bad-sequence
no ip dos tcp-sequence-past-window
no ip-mac conflict
no ip-mac routing conflict
dhcp-offer-convert
no ipv6 strict-ext-hdr-check
no ipv6 unknown-options
no ipv6 duplicate-options
no ipv6 option strict-hao-opt-check
no ipv6 option strict-padding
no stateful-packet-inspection-l2
alg sip
no ipv6-mac conflict
no ipv6-mac routing conflict
!
!
mint-policy global-default
!
wlan-qos-policy CBTest
qos trust dscp
qos trust wmm
!
wlan-qos-policy default
qos trust dscp
qos trust wmm
!
radio-qos-policy default
!
aaa-policy AAA_POLICY_wlan_2
authentication server 1 onboard controller
!
captive-portal CaptivePortal2
server host CaptivePortal2.com
server mode centralized-controller
simultaneous-users 200
webpage internal login footer Please contact reception or I.T. if you do not have a User Name and Password
webpage internal login header ABC Guest Network Login
webpage internal welcome description You now have network access.
Please have this window open to display your remaining session time.

Click the disconnect link below to end this session.
webpage internal fail description Either the username and password are invalid, or service is unavailable at this time.
webpage internal agreement description Guest users agree to ABC web use policies.
webpage internal agreement header Terms of Use
use aaa-policy AAA_POLICY_wlan_2
webpage internal registration field city type text enable label "City" placeholder "Enter City"
webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
webpage internal registration field email type e-address enable mandatory label "Email" placeholder "you@domain.com"
webpage internal registration field via-email type checkbox enable title "Email Preferred"
!
wlan 1
description Corporate Wireless
ssid ABC_Wireless
vlan 1
bridging-mode tunnel
encryption-type ccmp
authentication-type none
wpa-wpa2 psk 0 xxxxx
!
wlan 2
description Hot Spot
shutdown
ssid ABC_Guest
vlan 1
bridging-mode tunnel
encryption-type none
authentication-type none
use aaa-policy AAA_POLICY_wlan_2
use captive-portal CaptivePortal2
captive-portal-enforcement
ip arp trust
ip dhcp trust
acl exceed-rate wireless-client-denied-traffic 1000000 disassociate
use ip-access-list in Hotspot
!
wlan 3
description Employee Wireless
ssid ABC_Employee
vlan 100
bridging-mode tunnel
encryption-type tkip-ccmp
authentication-type none
wpa-wpa2 psk 0 xxxxx
use ip-access-list in ABCEmployee2018
!
wlan 4
description IT Dept Test Network
shutdown
ssid ABC_ITDept
vlan 1
bridging-mode tunnel
encryption-type none
authentication-type none
wpa-wpa2 psk 0 xxxxx
wep64 key 1 hex 0 1273c26cbe
wep64 key 2 hex 0 5944e563a3
wep64 key 3 hex 0 e848578b45
wep64 key 4 hex 0 a23a40a20c
!
wlan 5
description Guest Network
ssid ABC_Visitor
vlan 100
bridging-mode tunnel
encryption-type tkip-ccmp
authentication-type none
wpa-wpa2 psk 0 Visitor@xxx
use ip-access-list in ABCEmployee2018
!
wlan test2
shutdown
ssid test2
vlan 100
bridging-mode tunnel
encryption-type ccmp
authentication-type none
wpa-wpa2 psk 0 testtest
use ip-access-list in ABCEmployee2018
!
smart-rf-policy default
!
radius-group ABCGuestGroup
guest
policy vlan 1
policy ssid ABC_Guest
!
radius-user-pool-policy Guest
user Guest password 0 guest@ABC group ABCGuestGroup guest expiry-time 16:15 expiry-date 12/21/2019 start-time 16:15 start-date 12/20/2010
!
radius-server-policy default
use radius-user-pool-policy Guest
!
dhcp-server-policy default
dhcp-pool EmployeeGuest
network 192.168.0.0/24
address range 192.168.0.2 192.168.0.254
default-router 192.168.0.1
dns-server 10.0.70.9
!
!
management-policy default
no telnet
http server
no https server
no ftp
ssh
user admin password 1 871c077c9bc6d6eb7396e2056a1b0ff36a0ca882cc1e73f1089b1864746b47d2 role superuser access all
user cB password 1 cd93f6b1ec3aae6ae9a29d3138a90bf92b90e2d4 role superuser access all
user webadmin password 1 8893186442be830c7a8bea38184e4189239c55af role web-user-admin
snmp-server user snmpoperator v3 encrypted des auth md5 0 0xdd7f8e6f3a8f541942acb4158d31bbf5
snmp-server user snmptrap v3 encrypted des auth md5 0 0xcadb481610695a440a262f01636b317f
snmp-server user snmpmanager v3 encrypted des auth md5 0 0xcadb481610695a440a262f01636b317f
!
ex3500-management-policy default
snmp-server community public ro
snmp-server community private rw
snmp-server notify-filter 1 remote 127.0.0.1
snmp-server view defaultview 1 included
!
profile rfs6000 default-rfs6000
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
-- isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto remote-vpn-client
interface me1
interface up1
interface ge1
interface ge2
interface ge3
interface ge4
interface ge5
interface ge6
interface ge7
interface ge8
interface wwan1
interface pppoe1
use firewall-policy default
service pm sys-restart
router ospf
router bgp
!
profile ap650 default-ap650
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
interface radio2
interface ge1
interface pppoe1
use firewall-policy default
service pm sys-restart
!
rf-domain default
country-code us
use smart-rf-policy default
!
rfs6000 5C-0E-8B-18-36-71
use profile default-rfs6000
use rf-domain default
hostname rfs6000-183671
license AP 1c4dc8ec8275e6c0d4914bb989c9f0da93bef016f88782847ede9b04e8f141e270a146ddbb479b59
location ABC
contact CB
timezone America/Chicago
country-code us
mac-name BC-85-56-34-D9-25 LCONF-WIN7
mac-name 00-23-68-AF-7B-9E ABCScan5
mac-name 60-D8-19-42-14-69 TSCREEN-win7
mac-name 24-77-03-D7-DD-E0 FS-win7lap
mac-name 00-23-68-AF-7C-EA ABCScan3
mac-name 00-23-68-AF-7C-76 ABCScan6
mac-name 00-23-68-AF-7A-B0 ABCScan4
mac-name BC-85-56-34-D8-CD UCONF-WIN7
mac-name 00-23-68-AF-7B-9F ABCScan2
mac-name 00-23-68-AF-7B-97 ABCScan1
spanning-tree mst cisco-interoperability enable
area "Server Room"
ip default-gateway 10.0.70.1
use radius-server-policy default
interface me1
ip address 10.1.1.100/24
interface up1
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1
ip dhcp trust
interface ge1
switchport mode access
switchport access vlan 1
ip dhcp trust
interface ge2
switchport mode access
switchport access vlan 1
ip dhcp trust
interface ge3
switchport mode access
switchport access vlan 1
ip dhcp trust
interface ge4
switchport mode access
switchport access vlan 1
ip dhcp trust
interface ge5
switchport mode access
switchport access vlan 1
ip dhcp trust
interface ge6
switchport mode access
switchport access vlan 1
ip dhcp trust
interface ge7
switchport mode access
switchport access vlan 1
ip dhcp trust
interface ge8
switchport mode acce

RE: Change config of RFS6000

ckelly — Fri, 14 Sep 2018 20:23:00 GMT

Side note: I don't see anywhere in the config that any of the ip-access-list you have created have been applied. The access-list exist, but they're not 'used' anywhere.

Regarding the DNS issue though, test a wireless client and see if it can PING something on the Internet like 8.8.8.8. If this is some sort of a resolution problem then this will work. But if you then try to PING a FQDN on the Internet like www.google.com, it won't work. But in the off chance that a client is not able to even PING an IP address on the Internet, then we're dealing with a completely different issue...not simply a DNS problem.

RE: Change config of RFS6000

DW76 — Fri, 14 Sep 2018 20:36:00 GMT

Chris, I didn't realize that I have to "apply" an access list. How do I do that?

RE: Change config of RFS6000

ckelly — Fri, 14 Sep 2018 20:47:00 GMT

*** It appears that when I searched your config listing, I fat-fingered the search term and that's why I wasn't seeing that you have in fact used the ACLs...but since you ask, I'll describe this anyway***

It begins with WHERE you want to apply the ACL. (note: this is a common theme when using WiNG-5. You create things like ACL policies, DHCP server policies, WLANs, etc - but then you have to select where you want them to be used - Example, you create WLANs...but then you have to indicated that you want to use one in the AP's Profile. Same thing with the ACL's you create)

With ACLs, where you indicate that it should be used depends on how you constructed the ACL. In your case, it appears that you have ACLs created to control traffic originating at the wireless clients when attempting to reach somewhere after the AP, right?
In this case, the best way to do this is to create an ACL based on the understanding that you want to control that traffic when it comes in to the AP radio - from the wireless user. So you create your rules. Once you have that ACL, you then want to apply it to the applicable WLAN (so this is applied in the actual WLAN configuration). Here's what one of yours looks like:

wlan 5
description Guest Network
ssid ABC_Visitor
vlan 100
bridging-mode tunnel
encryption-type tkip-ccmp
authentication-type none
wpa-wpa2 psk 0 Visitor@xxx
use ip-access-list in ABCEmployee2018

Notice the last line there. The 'use' syntax is how you will normally specify that a device (controller, AP) should actually use something that you created. In this case, you've specified that the WLAN setup should 'use' the ip-access-list name "ABCEmployee2018" and apply those rules to traffic coming from wireless users and entering the AP. That's where the rules will then be processed.
You can also create ACLs and then apply them to Ethernet interfaces on APs or controllers. Just FYI.

RE: Change config of RFS6000

DW76 — Fri, 14 Sep 2018 21:15:00 GMT

Thank you for explaining that. As I'm reviewing this config, something that doesn't make sense to me: ACL "ABCEmployees" specifies permit for the host IP of 10.0.70.9, while ACL "ABCEmployee2018" does not reference a host IP at all. I see where the ACL ABCEmployee2018 is "used" for WLAN EmployeeWireless but not defined for Corporate Wireless. Oddly, this does not seem to be an issue when using the old host IP, but could it be a problem with the new? DNS for wired clients is fine so I'm hesitant to think this is a DNS issue, but is there something needed in DNS to allow Wifi traffic? This is a new DNS server but was AD Integrated so should be a carbon copy of the old server config...

RE: Change config of RFS6000

ckelly — Fri, 14 Sep 2018 23:13:00 GMT

The ABCEmployees ACL has the entry:
permit ip 192.168.0.0/24 host 10.0.70.9 rule-precedence 140

This specifies that traffic is permitted if: It's ANY type protocol, originating from a device on the 192.168.0.0/24 subnet, and is destined for the single host address 10.0.70.9.

Than again...the ABCEmployees ACL also has several other 'permit' statements that are not contained in the 2018 version ACL. The 2018 ACL is structured such that the only traffic allowed is:
- UDP traffic from any IP address, destined to ANY IP address as long as the destination is port range 67-68. So this is so clients can get their DHCP lease.

- UDP traffic from any IP address, destined to ANY IP address as long as the destination is port equals "dns" (in this case, dns is a built in alias that equals port 53

- DENY traffic from ANY IP address that is destined to the 10.0.70.0/23 subnet

So I'm assuming that the WLANs that have the 2018 ACL applied to it (These below) are correct - that wireless users on those ESSIDs should NOT be able to communicate with the 10.0.70.0/23 subnet.

wlan 3
description Employee Wireless
ssid ABC_Employee
vlan 100

wlan 5
description Guest Network
ssid ABC_Visitor
vlan 100

wlan test2
shutdown
ssid test2
vlan 100

If you also want this sort of restriction applied to the Corporate Wireless, you can simply make the configuration change.
- Go into wlan1 and issue the statement to 'use ip-access-list in ABCEmployee2018'
(Can also be done in the GUI, in the WLAN, look in the center column for the "Firewall" section. Use the drop-down selector for the "Inbound Firewall Rules" option and choose the ABCEmployee2018 ACL)

To allow DNS traffic in an ACL, you just need to have that same single statement in any ACL you 'use', which is:
permit udp any any eq dns rule-precedence (appropriate precedence number)

(TIP) name your WLANs the same as the SSID they use. This makes it much easier when you are mapping them in the radio interfaces. In that section, it only shows you the WLAN 'name' and not the actual SSID contained within that WLAN name...so you might find yourself asking...what SSID is wlan3 using? ...and you have to jump back over to the WLANs section to check and see. If the WLAN name is the same as the SSID, this won't happen.