
Avaya Solution & Interoperability Test Lab

Sample Configuration for Juniper Networks Secure Services Gateway 5 to support
Avaya 3631 Wireless Telephone registering with Avaya Distributed Office – Issue 1.0

Abstract

These Application Notes describe the steps for configuring Juniper Networks Secure Services
Gateway 5 (SSG 5) to support Avaya 3631 Wireless Telephone registering with Avaya
Distributed Office using WiFi Protected Access 2 with Pre-Shared Key (WPA2-PSK)
encryption.

AL; Reviewed: Solution & Interoperability Test Lab Application Notes 1 of 15


SPOC 1/22/2008 ©2008 Avaya Inc. All Rights Reserved. DO-SSG5w-3631
1. Introduction
These Application Notes describe a solution for configuring the Juniper Networks Secure
Services Gateway 5 (SSG 5) to support Avaya 3631 Wireless Telephones registering with Avaya
Distributed Office using WiFi Protected Access 2 with Pre-Shared Key (WPA2-PSK) for
encryption.

Avaya Distributed Office is a small office solution capable of supporting both Avaya H.323 IP
Telephones and Avaya SIP IP Telephones simultaneously. The Avaya Distributed Office
solution used in the sample network depicts a single office scenario where all in-bound and
out-bound calls are routed through a local Public Switched Telephone Network (PSTN) connection.
A Juniper Networks SSG 5 with integrated wireless support serves as the router for the
data network traffic as well as the wireless access point for Avaya 3631 Wireless IP Telephones.

2. Configuration
Figure 1 illustrates the configuration used in these Application Notes. All IP addresses are
administered via Dynamic Host Configuration Protocol (DHCP) from Avaya Distributed Office.
All interfaces shown on the SSG 5 are in the Trust zone.

[Network diagram: corporate internal network connected to the Juniper Networks SSG 5 on
ethernet0/0 (Trust), 192.168.101.254/24; bridge group bgroup0 (Trust), 192.45.109.1/24, with
ethernet0/1 and wireless0/0 (SSID: ssg, encryption: WPA2-PSK); network 192.45.109.0/24;
Avaya Distributed Office i40, 192.168.109.10; Avaya 1608 (H.323), Avaya 4621SW (H.323),
Avaya 9630 (SIP) and Avaya 3631 (H.323) telephones, extensions 200, 201, 202, 203 and 205.]
Figure 1: Sample Network Configuration

3. Equipment and Software Validated
The following equipment and software/firmware were used for the sample configuration:

DEVICE DESCRIPTION                      VERSION TESTED
Avaya Distributed Office i40            1.1.1_41.03
Avaya 1608                              1.0
Avaya 4621SW IP Telephone (H.323)       2.8
Avaya 9630 IP Telephone (SIP)           2.0
Avaya 3631 Telephone (H.323)            1.3.0
Juniper Networks SSG5 (wireless)        ScreenOS 6.0R3

4. Configure Juniper Networks SSG 5


This section describes the configuration for the SSG 5 in Figure 1. It is assumed that basic
configuration has been performed to allow for IP and WebUI connectivity into the SSG 5. All
steps in this section are performed using the web interface of the SSG 5. The equivalent
command line configuration is shown in Section 6 for reference.

1. Access the Web interface of the SSG 5 by entering its IP address into a Web browser
address field. Enter the appropriate Admin Name: and Password: to log in.

2. This step is optional. Configure the wireless radio setting by selecting Wireless →
General Settings from the left panel menu. Enable XR Support and Super-G Mode as
shown.

Note: By default, the Channel selection is auto and the Transmit Data Rate is Full.
Both of these fields were changed to accommodate the sample network environment for
testing.

3. Enable Wmm for WLAN0(2.4G) by selecting Wireless → Wmm Settings from the left
panel menu and clicking on the Enable radio button for the WLAN0 (2.4G).

Note: The sample configuration only enabled the WLAN0(2.4G) interface because
Avaya 3631 Wireless Telephones operate with the b/g radio, which is WLAN0(2.4G).

4. Configure a new SSID by selecting Wireless → SSID from the left panel menu and clicking
on New (not shown). Below is the screen capture for the SSID “ssg” used in the sample
network. Select WPA2 Preshared Key from the drop-down menu as the WPA Based
Authentication and Encryption Methods. The sample uses the string “AAAAAAAA”
for the Key by Password. This same Key must also be entered into Avaya 3631
Wireless Telephones as ASCII input for the WPA2-PSK key. Refer to [2] and [3] for
additional information.

5. The screen capture below shows the configuration for the interface ethernet0/0. Select
Network → Interfaces → List from the left panel menu, and select Edit (not shown) for
ethernet0/0 from the list to configure this interface. It is assumed that this interface has
been configured as part of the basic configuration, to allow for IP and WebUI
connectivity.

6. The screen capture below shows the configuration for the bridge group interface
bgroup0. Select Network → Interfaces → List from the left panel menu and select
Edit (not shown) for bgroup0 from the list to configure this interface. Upon completing
the configuration on this page, click on the Bind Port option in the Properties: menu at
the top of the page to continue.

Bind the ethernet0/1 and the wireless0/0 interface to bgroup0 by selecting the check
box under the Bind to Current Bgroup column next to these two interfaces.

Note: The ethernet0/1 and wireless0/0 interfaces must belong to the Null zone in order for
them to be listed in this screen for selection. Although not shown, the zone can be edited
by selecting Network → Interfaces → List from the left panel menu and clicking on Edit
for the interface that needs to be configured.

7. The screen capture below summarizes the interface configurations.

8. Configure the firewall policy by selecting Policy → Policies from the left panel menu
and clicking on New after selecting the From and To zones via the drop-down menu.
Since the ethernet0/0 and bgroup0 interfaces are in the Trust zone, the sample network
has a Trust Intra-zone policy (ID 13) that allows Any Source traffic to Any Destination for
Any service.
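
Step 4 requires the same key on the SSG 5 and on each Avaya 3631. The sketch below is an added example, not part of the original Application Notes: it shows the standard IEEE 802.11i passphrase-to-key mapping, in which both the passphrase and the SSID feed the derived key, and reviews the sample passphrase. The function names and review heuristics are assumptions made for this example.

```python
import hashlib

def wpa2_pmk(passphrase, ssid):
    """Map an ASCII passphrase to the 256-bit WPA2-PSK pairwise master key.

    IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes.
    """
    pw = passphrase.encode("ascii")  # non-ASCII input raises a ValueError subclass
    if not 8 <= len(pw) <= 63:
        raise ValueError("passphrase must be 8 to 63 ASCII characters")
    if any(not 32 <= b <= 126 for b in pw):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", pw, ssid.encode("utf-8"), 4096, 32)

def keys_match(gateway, phone):
    """Each side is (passphrase, ssid); the handshake can only succeed if the PMKs agree."""
    return wpa2_pmk(*gateway) == wpa2_pmk(*phone)

def passphrase_findings(passphrase):
    """Review findings for a passphrase (heuristics chosen for this example)."""
    findings = []
    if len(passphrase) == 8:
        findings.append("minimum permitted length (8)")
    if len(set(passphrase)) == 1:
        findings.append("single repeated character")
    classes = {"lower": str.islower, "upper": str.isupper, "digit": str.isdigit}
    used = {name for name, test in classes.items()
            if any(test(c) for c in passphrase)}
    if len(used) == 1 and passphrase.isalnum():
        findings.append("one character class only")
    return findings

if __name__ == "__main__":
    # Values from step 4: SSID "ssg" and the sample key "AAAAAAAA".
    gateway = ("AAAAAAAA", "ssg")
    print("PMK:", wpa2_pmk(*gateway).hex())
    print("same entry on phone:", keys_match(gateway, ("AAAAAAAA", "ssg")))
    print("case differs on phone:", keys_match(gateway, ("aaaaaaaa", "ssg")))
    print("SSID differs on phone:", keys_match(gateway, ("AAAAAAAA", "SSG")))
    print("findings:", passphrase_findings("AAAAAAAA"))
```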

5. Configure Avaya Distributed Office


This section shows the steps for configuring Avaya Distributed Office that are relevant to Avaya
3631 Wireless Telephones. For detailed information on the installation, maintenance, and
configuration of Avaya Distributed Office, please consult reference [1].

1. Log into Avaya Distributed Office by entering its IP address into the web browser, and
entering the appropriate log in credentials.

2. Configure the Call Control PHB and Audio PHB parameters by selecting General
under System Parameters from the left panel menu then selecting the VoIP Options tab
in the main panel. Change the value to 48 from 46 (default). This is the decimal value
used for DiffServ Code Point (DSCP) tagging of the VoIP packet. This DSCP value is
also mapped to the Voice WMM value for wireless communication between the SSG 5
and Avaya 3631 Wireless Telephone.

6. Conclusion
These Application Notes have described the administration steps required to configure the
Juniper Networks SSG 5 to support Avaya 3631 Wireless Telephones registering with Avaya
Distributed Office using WPA2-PSK encryption.

7. Appendix
The following are notes obtained during configuration.
1. Below is the command line configuration equivalent of Section 4 with the relevant lines in
bold.

set clock timezone 0


set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg h323 gate source-port-any

set alg h323 app-screen unknown-message route permit
set alg h323 app-screen unknown-message nat permit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 0
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Trust"
set interface "wireless0/0" zone "Null"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/1
set interface bgroup0 port wireless0/0
unset interface vlan1 ip
set interface ethernet0/0 ip 192.168.101.254/24
set interface ethernet0/0 route
set interface bgroup0 ip 192.45.109.1/24
set interface bgroup0 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
unset interface bgroup0 ip manageable
unset interface ethernet0/0 manage snmp
unset interface ethernet0/2 manage ping
unset interface ethernet0/2 manage ssh
unset interface ethernet0/2 manage telnet
unset interface ethernet0/2 manage snmp
unset interface ethernet0/2 manage ssl
unset interface ethernet0/2 manage web
unset interface bgroup0 manage ping
unset interface bgroup0 manage ssh
unset interface bgroup0 manage telnet
unset interface bgroup0 manage snmp
unset interface bgroup0 manage ssl
unset interface bgroup0 manage web
set interface "serial0/0" modem settings "USR" init "AT&F"

set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set interface wireless0/1 shutdown
set interface wireless0 wlan 0
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 13 from "Trust" to "Trust" "Any" "Any" "ANY" permit log
set policy id 13
set log session-init
exit
set policy global id 16 from "Global" to "Global" "Any" "Any" "ANY" deny log
set policy id 16
set log session-init
exit
set policy id 17 from "Trust" to "Trust" "Any" "Any" "ANY" deny log
set policy id 17
set log session-init
exit
set log module system level emergency destination console
set log module system level alert destination console
set log module system level critical destination console
set log module system level error destination console
set log module system level warning destination console
set log module system level notification destination console
set log module system level information destination console
set log module system level debugging destination console
set firewall log-self
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set wlan 0 xr
set wlan 1 xr
set wlan 0 channel 1
set wlan 1 channel 44
set wlan 1 transmit power eighth

set wlan 0 wmm enable
set wlan 0 super-g
set wlan 1 super-g
set ssid name ssg
set ssid ssg authentication wpa2-psk passphrase MJyPk7ENxQz43sLnwCCDIhGcunM/NMxzA== encryption auto
set ssid ssg interface wireless0
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 172.28.0.0/16 interface ethernet0/0 gateway 192.168.101.1
set route 192.45.108.0/24 interface ethernet0/0 gateway 192.168.101.1 preference 20 permanent
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
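
A small audit of the policy lines in the configuration above, added here as an illustration and not part of the original Application Notes: it flags any-to-any permits such as policy ID 13 and policies that can never match because an earlier catch-all for the same zone pair precedes them. It assumes policies are evaluated in listed order with the first match winning; the function names are made up for this example.

```python
import re

# Constructed sample: the three policy definitions copied from the appendix.
CONFIG = '''\
set policy id 13 from "Trust" to "Trust" "Any" "Any" "ANY" permit log
set policy id 13
set log session-init
exit
set policy global id 16 from "Global" to "Global" "Any" "Any" "ANY" deny log
set policy id 17 from "Trust" to "Trust" "Any" "Any" "ANY" deny log
'''

POLICY = re.compile(
    r'^set policy (?:global )?id (\d+) from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny|reject|tunnel)\b')

def parse_policies(text):
    """Extract policy definitions in file order; context lines are skipped."""
    policies = []
    for line in text.splitlines():
        m = POLICY.match(line.strip())
        if m:
            pid, src_zone, dst_zone, src, dst, svc, action = m.groups()
            policies.append({
                "id": int(pid),
                "zones": (src_zone, dst_zone),
                "match": (src.lower(), dst.lower(), svc.lower()),
                "action": action,
            })
    return policies

def audit(policies):
    """Return (policy id, finding) pairs, assuming first-match evaluation."""
    findings, catch_all = [], {}
    for p in policies:
        if p["zones"] in catch_all:
            # An earlier any/any/any rule for this zone pair already matches everything.
            findings.append((p["id"], "shadowed by policy %d" % catch_all[p["zones"]]))
            continue
        if p["match"] == ("any", "any", "any"):
            catch_all[p["zones"]] = p["id"]
            if p["action"] == "permit":
                findings.append((p["id"], "permits any source, destination and service"))
    return findings

if __name__ == "__main__":
    for pid, finding in audit(parse_policies(CONFIG)):
        print("policy %d: %s" % (pid, finding))
```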

8. Additional References
Product documentation for Avaya products may be found at http://support.avaya.com

[1] Avaya Distributed Office i120 Installation Quick Start, May 2007 Issue 1, Document
Number 03-602289
[2] 3631 Wireless Telephone Administrator Guide, March 2007 Issue 2, Document Number
16-602203
[3] Avaya 3631 Wi-Fi Phone Wireless Security Configuration Note, Version 0.1

Product documentation for Juniper Networks products may be found at http://www.Juniper.net

[4] Concepts & Examples ScreenOS Reference Guide, Volume 1: Overview, Release 6.0.0 Rev.
02, Part Number 530-017767-01, Revision 02
[5] Concepts & Examples ScreenOS Reference Guide, Volume 2: Fundamentals, Release 6.0.0
Rev. 01, Part Number 530-017768-01, Revision 01
[6] Concepts & Examples ScreenOS Reference Guide, Volume 3: Administration, Release 6.0.0
Rev. 01, Part Number 530-017769-01, Revision 01

©2008 Avaya Inc. All Rights Reserved.
Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™
are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the
property of their respective owners. The information provided in these Application Notes is
subject to change without notice. The configurations, technical data, and recommendations
provided in these Application Notes are believed to be accurate and dependable, but are
presented without express or implied warranty. Users are responsible for their application of any
products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the
full title name and filename, located in the lower right corner, directly to the Avaya Solution &
Interoperability Test Lab at interoplabnotes@list.avaya.com
