User Guide Dell Networking W-Series Instant 6.4.0.2-4.
Copyright © 2014 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Chapter 1
About this Guide

This User Guide describes the features supported by Dell Networking W-Series Instant Access Point (W-IAP) and provides detailed instructions for setting up and configuring the Instant network.

Intended Audience

This guide is intended for customers who configure and use W-IAPs.
The following informational icons are used throughout this guide:
- Indicates helpful suggestions, pertinent information, and important things to remember.
- Indicates a risk of damage to your hardware or loss of data.
- Indicates a risk of personal injury or death.

Contacting Dell

Table 2: Support Information
Main Website: dell.com
Contact Information: dell.com/contactdell
Support Website: dell.com/support
Documentation Website: dell.
Chapter 2
About Instant

This chapter provides the following information:
- Instant Overview
- What is New in Instant 6.4.0.2-4.1

Instant Overview

Instant virtualizes Dell Networking W-Series Mobility Controller capabilities on 802.11 access points (APs), creating a feature-rich enterprise-grade wireless LAN (WLAN) that combines affordability and configuration simplicity. Instant is a simple, easy to deploy turn-key WLAN solution consisting of one or more APs.
The following table lists the variants supported for each W-IAP model. Column key: -US is W-IAP-###-US (US only); (none) is W-IAP-### (Worldwide except US); -RW is W-IAP-###-RW (Worldwide except US and Japan); -JP is W-IAP-###-JP (Japan only).

Table 3: Supported W-IAP Variants
W-IAP Model        -US    (none)   -RW    -JP
W-IAP103           Yes    No       Yes    No
W-IAP104/105       Yes    Yes      No     Yes
W-IAP114/115       Yes    No       Yes    No
W-IAP134/135       Yes    Yes      No     Yes
IAP-175P/175AC     Yes    Yes      No     Yes
W-IAP3WN/3WNP      Yes    Yes      No     Yes
W-IAP108/109       Yes    Yes      No     Yes
W-IAP155/155P      Yes
SSH access requires that you configure an IP address and a default gateway on the W-IAP and connect the W-IAP to your network. This is typically performed when the Instant network on a W-IAP is set up.
What is New in Instant 6.4.0.2-4.1

The following features are added in the Instant 6.4.0.2-4.1 release:

Table 4: New Features in 6.4.0.2-4.1
- Support for AppRF: In this release, Instant supports AppRF, comprising two feature sets: On-board Deep Packet Inspection (DPI) and Web Policy Enforcement (WPE).
- XML API Integration: The Instant UI allows users to integrate an XML API interface with a W-IAP. Users can use the XML API interface to add, delete, authenticate, or query a user or a client.
- Support for inbound firewall rules configuration: You can configure firewall rules based on the source subnet for the inbound traffic coming through the uplink ports of a W-IAP.
Chapter 3
Setting up a W-IAP

This chapter describes the following procedures:
- Setting up Instant Network on page 35
- Logging in to the Instant UI on page 37
- Accessing the Instant CLI on page 41

Setting up Instant Network

Before installing a W-IAP:
- Ensure that you have an Ethernet cable of the required length to connect a W-IAP to the home router.
- Ensure that you have one of the following power sources:
  - IEEE 802.3af/at-compliant Power over Ethernet (PoE) source.
Assigning a Static IP

To assign a static IP to a W-IAP:
1. Connect a terminal, PC, or workstation running a terminal emulation program to the Console port on the W-IAP.
2. Power on the W-IAP. An autoboot countdown prompt is displayed, allowing you to interrupt the normal startup process and access apboot.
3. Press Enter before the timer expires. The W-IAP enters apboot mode.
4. In apboot mode, use the following commands to assign a static IP to the W-IAP.
Disabling the Provisioning Wi-Fi Network

The provisioning network is enabled by default. Instant provides the option to disable the provisioning network through the console port. Use this option only when you do not want the default SSID instant to be broadcast in your network.

To disable the provisioning network:
1. Connect a terminal or PC/workstation running a terminal emulation program to the Console port on the W-IAP.
2.
When you use a provisioning Wi-Fi network to connect to the Internet, all browser requests are directed to the Instant UI. For example, if you enter example.com in the address field, you are directed to the Instant UI. You can change the default login credentials after the first login.

Regulatory Domains

IEEE 802.11b/g/n Wi-Fi networks operate in the 2.4 GHz spectrum and IEEE 802.11a/n networks operate in the 5.0 GHz spectrum. The spectrum is divided into channels. The 2.
Code  Country Name
CS    Serbia and Montenegro
CY    Cyprus
CZ    Czech Republic
DE    Germany
DK    Denmark
DO    Dominican Republic
DZ    Algeria
EC    Ecuador
EE    Estonia
EG    Egypt
ES    Spain
FI    Finland
FR    France
GB    United Kingdom
GR    Greece
GT    Guatemala
HK    Hong Kong
HN    Honduras
ID    Indonesia
IE    Ireland
IN    India
IS    Iceland
IT    Italy
JM    Jamaica
JO    Jordan
JP    Japan
KE    Kenya
KR    Republic of Korea (South Korea)
KW    Kuwait
LB    Lebanon
LI    Liechtenstein
LK    Sri Lanka
LT    Lithuania
LU    Luxembourg
MA    Morocco
MU    Mauritius
MX    Mexico
NL    Netherlands
NO    Norway
NZ    New Zealand
OM    Oman
PA    Panama
PE    Peru
PH    Philippines
PK    Islamic Republic of Pakistan
PL    Poland
PR    Puerto Rico
PT    Portugal
QA    Qatar
RO    Romania
RU    Russia
SA    Saudi Arabia
SG    Singapore
SI    Slovenia
SK    Slovak Republic
SV    El Salvador
TH    Thailand
TN    Tunisia
TR    Turkey
TT    Trinidad and Tobago
TW    Taiwan
UA    Ukraine
US    United States
UY    Uruguay
VE    Venezuela
VN    Vietnam
ZA    South Africa

Specifying Country Code

This procedure is applicable to the W-IAP-RW (Rest of World) variants only. Skip this step if you are installing a W-IAP in the United States or Japan. The Country Code window is displayed for the W-IAP-RW (Rest of World) variants when you log in to the UI for the first time.
Connecting to a CLI Session

On connecting to a CLI session, the system displays its host name followed by the login prompt. Use the administrator credentials to start a CLI session. For example:

    (Instant AP) User: admin

If the login is successful, the privileged command mode is enabled and a command prompt is displayed. For example:

    (Instant AP)#

The privileged mode provides access to the show, clear, ping, traceroute, and commit commands. The configuration commands are available in config mode.
    (Instant AP)# show uncommitted-config
    rf dot11a-radio-profile
    no legacy-mode
    beacon-interval 200
    no dot11h
    interference-immunity 3
    csa-count 1
    no spectrum-monitor
    Instant Access Point# commit apply

Using Sequence Sensitive Commands

The Instant CLI does not support positioning or precedence of sequence-sensitive commands. Therefore, it is recommended that you remove the existing configuration before adding or modifying the configuration details for sequence-sensitive commands.
Chapter 4
Instant User Interface

This chapter describes the following Instant UI elements:
- Login Screen
- Main Window

Login Screen

The Instant login page allows you to:
- Log in to the Instant UI.
- View the Instant network connectivity summary.
- View the Instant UI in a specific language.

Logging into the Instant UI

To log in to the Instant UI, enter the following credentials:
- Username: admin
- Password: admin

The Instant UI main window is displayed.
You can also select the required language option from the Languages drop-down located at the bottom left corner of the Instant main window.

Main Window

On logging into Instant, the Instant UI Main Window is displayed. The following figure shows the Instant main window:

Figure 4 Instant Main Window

The main window consists of the following elements:
- Banner
- Search
- Tabs
- Links
- Views

Banner

The banner is a horizontal rectangle that appears at the top left corner of the Instant main window.
Networks Tab

This tab displays a list of Wi-Fi networks that are configured in the Instant network. The network names are displayed as links. The expanded view displays the following information about each WLAN SSID:
- Name (SSID) — Name of the network.
- Clients — Number of clients that are connected to the network.
- Type — Network type, such as Employee, Guest, or Voice.
- Band — Band in which the network is broadcast: 2.4 GHz band, 5 GHz band, or both.
Clients Tab

This tab displays a list of clients that are connected to the Instant network. The client names are displayed as links. The expanded view displays the following information about each client:
- Name — User name of the client or guest user, if available.
- IP Address — IP address of the client.
- MAC Address — MAC address of the client.
- OS — Operating system that runs on the client.
- Network — The network to which the client is connected.
System

This link displays the System window. The System window consists of the following tabs:
- General — Allows you to configure, view, or edit the Name, IP address, NTP Server, and other W-IAP settings for the Virtual Controller.

Use the Show/Hide Advanced option at the bottom of the System window to view or hide the advanced options.
Figure 5 System Window

RF

The RF link displays a window for configuring Adaptive Radio Management (ARM) and Radio features.
- ARM — Allows you to view or configure channel and power settings for all the W-IAPs in the network. For information about ARM configuration, see ARM Overview on page 232.
- Radio — Allows you to view or configure radio settings for the 2.4 GHz and 5 GHz radio profiles. For information about Radio, see Configuring Radio Settings for a W-IAP on page 238.
Figure 6 RF Window

Security

The Security link displays a window with the following tabs:
- Authentication Servers — Use this tab to configure an external RADIUS server for a wireless network. For more information, see Configuring an External Server for Authentication on page 157.
- Users for Internal Server — Use this tab to populate the system's internal authentication server with users.
Figure 7 Security Window - Default View

Maintenance

The Maintenance link displays a window that allows you to maintain the Wi-Fi network. The Maintenance window consists of the following tabs:
- About — Displays the name of the product, build time, W-IAP model name, the Instant version, website address of Dell, and Copyright information.
- Configuration — Displays the following details:
  - Current Configuration — Displays the current configuration details.
Figure 8 Maintenance Window - Default View

More

The More link allows you to select the following options:
- VPN
- IDS
- Wired
- Services
- DHCP Server
- Support

VPN

The VPN window allows you to define communication settings with a remote Controller. See VPN Configuration on page 210 for more information. The following figure shows an example of the IPSec configuration options available in the VPN window:
Figure 9 VPN window for IPSec Configuration

IDS

The IDS window allows you to configure wireless intrusion detection and protection levels. The following figures show the IDS window:

Figure 10 IDS Window: Intrusion Detection
Figure 11 IDS Window: Intrusion Protection

For more information on wireless intrusion detection and protection, see Detecting and Classifying Rogue APs on page 296.

Wired

The Wired window allows you to configure a wired network profile. See Wired Profiles on page 112 for more information. The following figure shows the Wired window:

Figure 12 Wired Window

Services

The Services window allows you to configure services such as AirGroup, RTLS, and OpenDNS.
- RTLS — Allows you to integrate the W-AirWave Management platform or a third-party Real Time Location Server, such as the Aeroscout Real Time Location Server, with Instant. For more information, see Configuring a W-IAP for RTLS Support on page 263. The RTLS tab also allows you to integrate a W-IAP with the Analytics and Location Engine (ALE). For more information about configuring a W-IAP for ALE integration, see Configuring a W-IAP for Analytics and Location Engine Support on page 265.
Figure 14 DHCP Servers Window

For more information, see DHCP Configuration on page 201.

Support

The Support window consists of the following fields:
- Command — Allows you to select a support command for execution.
- Target — Displays a list of W-IAPs in the network.
- Run — Allows you to execute the selected command for a specific W-IAP or all W-IAPs and view logs.
- Auto Run — Allows you to configure a schedule for automatic execution of a support command for a specific W-IAP or all W-IAPs.
Figure 15 Support Window

Help

The Help link allows you to view a short description or definition of selected terms and fields in the UI windows or dialogs. To activate the context-sensitive help:
1. Click the Help link at the top right corner of the Instant main window.
2. Click any text or term displayed in green italics to view its description or definition.
3. To disable the help mode, click Done.

Logout

The Logout link allows you to log out of the Instant UI.
Table 9: Contents of the Info Section in the Instant Main Window

Info section in Virtual Controller view — The Info section in the Virtual Controller view displays the following information:
- Name — Displays the Virtual Controller name.
- Country Code — Displays the Country in which the Virtual Controller is operating.
- Virtual Controller IP address — Displays the IP address of the Virtual Controller.
- Management — Indicates if the W-IAP is managed locally or through W-AirWave.
Table 9: Contents of the Info Section in the Instant Main Window (continued)
- IP Address — Displays the IP address of the client.
- MAC Address — Displays the MAC address of the client.
- OS — Displays the operating system that is running on the client.
- Network — Indicates the network to which the client is connected.
- Access Point — Indicates the W-IAP to which the client is connected.
- Channel — Indicates the channel that is currently used by the client.
Table 10: RF Dashboard Icons

1. Signal Icon — Displays the signal strength of the client. Depending on the signal strength of the client, the color of the lines on the Signal bar changes from Green to Orange to Red.
   - Green — Signal strength is more than 20 decibels.
   - Orange — Signal strength is between 15-20 decibels.
   - Red — Signal strength is less than 15 decibels.
   To view the signal graph for a client, click the signal icon next to the client in the Signal column.
Figure 18 RF Trends for Clients

Usage Trends

The Usage Trends section displays the following graphs:
- Clients — In the default view, the Clients graph displays the number of clients that were associated with the Virtual Controller in the last 15 minutes. In the Network or Access Points view, this graph displays the number of clients that were associated with the selected network or W-IAP in the last 15 minutes.
The following table describes the graphs displayed in the Network view:

Table 11: Network View — Graphs and Monitoring Procedures

Clients
- Description: The Clients graph shows the number of clients associated with the network for the last 15 minutes.
- Monitoring procedure: To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the number of clients associated with the Virtual Controller for the last 15 minutes.
The following table describes the graphs displayed in the Access Point view:

Table 12: Access Point View — Usage Trends and Monitoring Procedures

Neighboring APs
- Description: The Neighboring APs graph shows the number of APs heard by the selected W-IAP:
  - Valid APs: An AP that is part of the enterprise providing WLAN service.
  - Interfering APs: An AP that is seen in the RF environment but is not connected to the network.
Table 12: Access Point View — Usage Trends and Monitoring Procedures (continued)

Memory free (MB)
- Description: The memory free graph displays the memory availability of the W-IAP in MB.
- Monitoring procedure: To see the free memory of the W-IAP, move the cursor over the graph line. To check the free memory of the W-IAP for the last 15 minutes:
  1. Log in to the Instant UI. The Virtual Controller view is displayed. This is the default view.
  2.
The following table describes the RF trends graphs available in the client view:

Table 13: Client View — RF Trends Graphs and Monitoring Procedures

Signal
- Description: The Signal graph shows the signal strength of the client for the last 15 minutes. It is measured in decibels.
- Monitoring procedure: To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average signal statistics of the client for the last 15 minutes.
Table 13: Client View — RF Trends Graphs and Monitoring Procedures (continued)
- Description: ...incoming traffic is displayed in blue. Incoming traffic is shown below the median line.
- Monitoring procedure: To see an enlarged view, click the graph. The enlarged view shows Last, Minimum, Maximum, and Average statistics for the incoming and outgoing traffic throughput of the client for the last 15 minutes. To see the exact throughput at a particular time, move the cursor over the graph line.
The following figure shows the client view heatmap for an AP radio:

Figure 21 Channel Availability Map for Clients

AppRF

The AppRF link displays the application traffic summary for W-IAPs and client devices. The AppRF link in the activity panel is displayed only if AppRF visibility is enabled in the System window. For more information on application visibility and AppRF charts, see Application Visibility on page 242.
Figure 22 Alerts Link

The Alerts link displays the following types of alerts:
- Client Alerts
- Active Faults
- Fault History

Table 14: Types of Alerts

Client Alerts
- Description: Client alerts occur when clients are connected to the Instant network.
- Information displayed: A client alert displays the following fields:
  - Timestamp — Displays the time at which the client alert was recorded.
  - MAC address — Displays the MAC address of the client that caused the alert.
Figure 23 Client Alerts

Figure 24 Fault History

Figure 25 Active Faults

The following table displays a list of alerts that are generated in the W-IAP network:
Table 15: Alerts list

Code 100101 — Internal error
- Details: The W-IAP has encountered an internal error for this client.
- Corrective action: Contact the Dell customer support team.

Code 100102 — Unknown SSID in association request
- Details: The W-IAP cannot allow this client to associate, because the association request received contains an unknown SSID.
- Corrective action: Identify the client and check its Wi-Fi driver and manager software.
Table 15: Alerts list (continued)

Code 100309 — RADIUS server authentication failure
- Details: The W-IAP cannot authenticate this client using 802.1X, because the RADIUS server rejected the authentication credentials (password and so on) provided by the client.
- Corrective action: Ascertain the correct authentication credentials and log in again.
Figure 26 Intrusion Detection

For more information on the intrusion detection feature, see Intrusion Detection on page 296.

AirGroup

The AirGroup link provides an overall view of your AirGroup configuration. Click each field to view or edit the settings.
- MAC — Displays the MAC address of the AirGroup servers.
- IP — Displays the IP address of the AirGroup servers.
- Host Name — Displays the machine name or hostname of the AirGroup servers.
W-AirWave Setup

W-AirWave is a solution for managing rapidly changing wireless networks. When enabled, W-AirWave allows you to manage the Instant network. For more information on W-AirWave, see Managing a W-IAP from W-AirWave on page 275. The W-AirWave status is displayed at the bottom of the Instant main window. If the W-AirWave status is Not Set Up, click the Set Up Now link to configure W-AirWave. The System window is displayed with the Admin tab selected.
Chapter 5
Initial Configuration Tasks

This chapter describes the general configuration tasks to perform when a W-IAP is set up.
In the Instant UI
1. Navigate to System > General.
2. Specify the name of the W-IAP in the Name text box.
3. Click OK.

In the CLI
To change the name:

    (Instant AP)# name

Updating Location Details of a W-IAP

You can update the physical location details of a W-IAP by using the Instant UI or CLI. The system location details are used for retrieving information through the SNMP sysLocation MIB object.

In the Instant UI
To update location details:
1. Navigate to System > General.
2.
Configuring Virtual Controller IP Address You can specify a single static IP address that can be used to manage a multi-AP Instant network. This IP address is automatically provisioned on a shadow interface on the W-IAP that takes the role of a Virtual Controller. When a W-IAP becomes a Virtual Controller, it sends three Address Resolution Protocol (ARP) messages with the static IP address and its MAC address to update the network ARP cache.
• Maintain accurate time for billing services and similar.
The Network Time Protocol (NTP) helps obtain the precise time from a server and regulate the local time in each network element. Connectivity to a valid NTP server is required to synchronize the W-IAP clock and set the correct time. If no NTP server is configured in the W-IAP network, a W-IAP reboot may lead to variation in time data. By default, the W-IAP tries to connect to pool.ntp.org to synchronize time.
Additional Configuration Tasks
This section describes the following additional tasks that can be performed after a W-IAP is set up:
• Configuring Virtual Controller VLAN on page 78
• Configuring Auto Join Mode on page 79
• Configuring Terminal Access on page 80
• Configuring Console Access on page 80
• Configuring LED Display on page 81
• Configuring Additional WLAN SSIDs on page 81
• Preventing Inter-user Bridging on page 82
• Preventing Local Routing between Clients on page 82
• Enabling
In the Instant UI
1. Navigate to System>General>Show advanced options. The advanced options are displayed.
2. Enter the subnet mask details in Virtual Controller Netmask.
3. Enter a gateway address in Virtual Controller Gateway.
4. Enter the Virtual Controller VLAN in Virtual Controller VLAN. Ensure that the Virtual Controller VLAN is not the same as the native VLAN of the W-IAP.
5. Click OK.
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring Terminal Access
When terminal access is enabled, you can access the Instant CLI through an SSH or Telnet server. Terminal access is enabled by default. You can enable or disable terminal access to a W-IAP by using the Instant UI or CLI.
In the Instant UI
1. Navigate to System>General>Show advanced options.
2. Select Disabled or Enabled from the Terminal access drop-down list.
3.
Configuring LED Display
The LED display is always in the Enabled mode during a W-IAP reboot. You can enable or disable the LED display for a W-IAP using the Instant UI or CLI.
In the Instant UI
To enable or disable the LED display for all W-IAPs in a cluster, perform the following steps:
1. Navigate to System > General > Show advanced options.
2. From the LED Display drop-down list, select Enabled to enable the LED display or Disabled to turn off the LED display.
3. Click OK.
4. Reboot the W-IAP to apply the changes. After you enable the option and reboot the W-IAP, the Wi-Fi and mesh links are disabled automatically.
In the CLI
To enable the extended SSIDs:
(Instant AP)(config)# extended-ssid
(Instant AP)(config)# end
(Instant AP)# commit apply
Preventing Inter-user Bridging
If you have security and traffic management policies defined in upstream devices, you can disable bridging traffic between two clients connected to the same AP on the same VLAN.
In the CLI
To disable local routing:
(Instant AP)(config)# deny-local-routing
(Instant AP)(config)# end
(Instant AP)# commit apply
To deny local routing for the WLAN SSID clients:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# deny-local-routing
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
Enabling Dynamic CPU Management
W-IAPs perform various functions such as wireless client connectivity and traffic flows, wired client co
Chapter 6 Customizing W-IAP Settings This chapter describes the procedures for configuring settings that are specific to a W-IAP in the cluster.
In the Instant UI
1. In the Access Points tab, click the W-IAP for which you want to set the zone. The edit link is displayed.
2. Click the edit link. The edit window for modifying W-IAP details is displayed.
3. Specify the AP zone in Zone.
4. Click OK.
In the CLI
To set the zone:
(Instant AP)# zone
Specifying a Method for Obtaining IP Address
You can either specify a static IP address or allow the W-IAP to obtain an IP address from the DHCP server.
In the CLI
To configure a static IP address:
(Instant AP)# ip-address
Configuring External Antenna
If your W-IAP has external antenna connectors, you need to configure the transmit power of the system. The configuration must ensure that the system's Equivalent Isotropically Radiated Power (EIRP) is in compliance with the limit specified by the regulatory authority of the country in which the W-IAP is deployed.
2. In the Edit Access Point window, select External Antenna to configure the antenna gain value. This option is available only for access points that support external antennas, for example, W-IAP134.
3. Enter the antenna gain values in dBm for the 2.4GHz and 5GHz bands.
4. Click OK.
Table 18: W-IAP Radio Modes
Mode | Description
Access | In Access mode, the AP serves clients, while also monitoring for rogue APs in the background. If the Access mode is selected, perform the following actions:
1. Select Administrator assigned in the 2.4 GHz and 5 GHz band sections.
2. Select the appropriate channel number from the Channel drop-down list for both the 2.4 GHz and 5 GHz band sections.
3. Enter the appropriate transmit power value in the Transmit power text box in the 2.4 GHz and 5 GHz band sections.
2. Click the edit link. The edit window for modifying W-IAP details is displayed.
3. Click the Uplink tab.
4. Specify the VLAN in the Uplink Management VLAN field.
5. Click OK.
6. Reboot the W-IAP.
Preference to a W-IAP with Non-Default IP
The Master Election Protocol prefers a W-IAP with a non-default IP when electing a Virtual Controller for the Instant network during initial startup. If there is more than one W-IAP with a non-default IP in the network, all W-IAPs with the default IP automatically reboot and the DHCP process is used to assign new IP addresses.
Iap_master:1
Adding a W-IAP to the Network
To add a W-IAP to the Instant network, assign an IP address. For more information, see Assigning an IP address to the W-IAP on page 35. After a W-IAP is connected to the network, if the Auto Join Mode feature is enabled, the W-IAP inherits the configuration from the Virtual Controller and is listed in the Access Points tab. If the Auto Join Mode is disabled, perform the following steps to add a W-IAP to the network:
1. In the Access Points tab, click the New link.
Chapter 7 VLAN Configuration VLAN configuration is required for networks with more devices and broadcast traffic on a WLAN SSID or wired profile. Based on the network type and its requirements, you can configure the VLANs for a WLAN SSID or wired port profile. For more information on VLAN configuration for a WLAN SSID and wired port profile, see Configuring VLAN Settings for a WLAN SSID Profile on page 97 and Configuring VLAN for a Wired Profile on page 114.
Chapter 8 Wireless Network Profiles
This chapter provides the following information:
• Configuring Wireless Network Profiles on page 93
• Configuring Fast Roaming for Wireless Clients on page 106
• Editing Status of a WLAN SSID Profile on page 110
• Editing a WLAN SSID Profile on page 110
• Deleting a WLAN SSID Profile on page 111
Configuring Wireless Network Profiles
During startup, a wireless client searches for radio signals or beacon frames that originate from the nearest W-IAP.
In the Instant UI
To configure WLAN settings:
1. In the Networks tab of the Instant main window, click the New link. The New WLAN window is displayed. The following figure shows the contents of the WLAN Settings tab:
Figure 33 WLAN Settings Tab
2. Enter a name that uniquely identifies a wireless network in the Name (SSID) text box. The SSID Name may contain any special character except for ' and ".
3.
Table 19: WLAN Configuration Parameters
Parameter | Description
Broadcast filtering | Select any of the following values:
• All—When set to All, the W-IAP drops all broadcast and multicast frames except DHCP and ARP.
• ARP—When set to ARP, the W-IAP converts ARP requests to unicast and sends the frames directly to the associated client.
• Disabled—When set to Disabled, all broadcast and multicast traffic is forwarded.
Parameter | Description
Wi-Fi Multimedia (WMM) traffic management | Configure the following options for WMM traffic management. WMM supports voice, video, best effort, and background access categories. To allocate bandwidth for the following types of traffic, specify a percentage value under Share. To configure DSCP mapping, specify a value under DSCP Mapping.
• Background WMM: For background traffic such as file downloads or print jobs.
2. Select any of the following options for Client IP assignment:
• Virtual Controller assigned—On selecting this option, the client obtains the IP address from the Virtual Controller.
• Network assigned—On selecting this option, the IP address is obtained from the network.
3.
(Instant AP)# commit apply
To create a new VLAN assignment rule:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# set-vlan {{contains|ends-with|equals|matches-regular-expression|not-equals|starts-with} |value-of}
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
Configuring Security Settings for a WLAN SSID Profile
The following procedures are described in this section:
• Configuring Security Settings for an Employee or Voice Net
Figure 36 Security Tab: Personal
Figure 37 Security Tab: Open
2. Based on the security level specified, specify the following parameters:
Table 21: Configuration Parameters for WLAN Security Settings in an Employee or Voice Network
Security Level Type | Parameter | Description
Key Management | For the Enterprise security level, select any of the following options from the Key management drop-down list:
• WPA-2 Enterprise
• Both (WPA-2 & WPA)
• WPA Enterprise
• Dynamic WEP with 802.1X — If you do not want to use a session key from the RADIUS Server to derive pairwise unicast keys, set Session Key for LEAP to Enabled.
Security Level Type | Parameter | Description
• RADIUS Server
• LDAP Server
• CPPM Server for AirGroup CoA
For information on configuring external servers, see Configuring an External Server for Authentication on page 157.
• To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users.
Security Level Type | Parameter | Description
Delimiter character | Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the W-IAP will use the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used.
(Instant AP)(SSID Profile )# blacklist
(Instant AP)(SSID Profile )# mac-authentication
(Instant AP)(SSID Profile )# l2-auth-failthrough
(Instant AP)(SSID Profile )# auth-survivability
(Instant AP)(SSID Profile )# radius-accounting
(Instant AP)(SSID Profile )# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile )# radius-interim-accounting-interval
(Instant AP)(SSID Profile )# radius-reauth-interval
(Insta
before defining access rules. For more information, see Configuring WLAN Settings for an SSID Profile on page 93, Configuring VLAN Settings for a WLAN SSID Profile on page 97, and Configuring Security Settings for a WLAN SSID Profile on page 99. You can configure up to 128 access rules for an employee, voice, or guest network using the Instant UI or CLI.
In the Instant UI
To configure access rules for an employee or voice network:
1.
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To configure machine and user authentication roles:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# set-role-machine-auth
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To configure unrestricted access:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# set-role-unrestricted
(Instant AP)(SSID P
Configuring a W-IAP for OKC Roaming
You can enable OKC roaming for a WLAN SSID by using the Instant UI or CLI.
In the Instant UI
1. Navigate to the WLAN wizard (click Network>New or Network> Select the WLAN SSID>edit).
2. Click the Security tab.
3. Slide to the Enterprise security level. On selecting a security level, the authentication options applicable to an Enterprise network are displayed.
4. Select the WPA-2 Enterprise or Both (WPA-2 & WPA) option from the Key management drop-down list.
As part of the 802.11r implementation, Instant supports the Fast BSS Transition protocol. The Fast BSS Transition mechanism reduces client roaming delay when a client transitions from one BSS to another within the same cluster. This minimizes the time required to resume data connectivity when a BSS transition happens. Fast BSS Transition is operational only if the wireless client supports 802.11r standard. If the client does not support 802.
• Extended Capabilities IE - The extended capabilities IE carries information about the capabilities of an IEEE 802.11 station.
Beacon Report Requests and Probe Responses
The beacon request frame is sent by an AP to request a client to report the list of beacons heard by the client on all channels.
• The beacon request is sent using the radio measurement request action frame.
• It is sent only to those clients that have the capability to generate beacon reports.
Configuring a WLAN SSID for 802.11v Support
You can enable 802.11v support on a WLAN SSID by using the Instant UI or CLI.
In the Instant UI
1. Navigate to the WLAN wizard (click Network>New or Network> Select the WLAN SSID>edit).
2. Click the Security tab.
3. Under Fast Roaming, select the 802.11v checkbox.
4. Click Next and then click Finish.
In the CLI
To enable 802.
2. Click the edit link. The Edit network window is displayed.
3. Modify the required settings. Click Next to move to the next tab.
4. Click Finish to save the modifications.
Deleting a WLAN SSID Profile
To delete a WLAN SSID profile:
1. In the Networks tab, click the network that you want to delete. An x link is displayed against the network to be deleted.
2. Click x. A delete confirmation window is displayed.
3. Click Delete Now.
Chapter 9 Wired Profiles
This chapter describes the following procedures:
• Configuring a Wired Profile on page 112
• Assigning a Profile to Ethernet Ports on page 117
• Editing a Wired Profile on page 117
• Deleting a Wired Profile on page 118
• Link Aggregation Control Protocol for W-IAP220 Series on page 118
• Understanding Hierarchical Deployment on page 119
Configuring a Wired Profile
The Ethernet ports allow third-party devices such as VoIP phones or printers (which support only wired con
Figure 38 New Wired Network Window: Wired Settings Window
3. Click the Wired Settings tab and enter the following information:
a. Name— Specify a name for the profile.
b. Primary Usage — Select Employee or Guest.
c. Speed/Duplex — Ensure that appropriate values are selected for Speed/Duplex. Contact your network administrator if you need to assign speed and duplex parameters.
d. POE — Set POE to Enabled to enable Power over Ethernet.
(Instant AP)(wired ap profile )# uplink-enable
(Instant AP)(wired ap profile )# content-filtering
(Instant AP)(wired ap profile )# spanning-tree
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
Configuring VLAN for a Wired Profile
If you are creating a new wired profile, complete the Wired Settings procedure before configuring VLAN. For more information, see Configuring Wired Settings on page 112. You can configure VLAN using the Instant UI or CLI.
(Instant AP)# commit apply
To configure a new VLAN assignment rule:
(Instant AP)(config)# wired-port-profile
(Instant AP)(wired ap profile )# set-vlan {{equals| not-equals| starts-with| ends-with| contains| matches-regular-expression} | value-of}
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
Configuring Security Settings for a Wired Profile
If you are creating a new wired profile, complete the Wired Settings and VLAN procedures before spec
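The set-vlan rules for WLAN SSID profiles and wired port profiles share the same small operator set (contains, ends-with, equals, matches-regular-expression, not-equals, starts-with, value-of). The following Python is an added example, not Instant code, that evaluates such rules over a decoded RADIUS attribute set; it assumes first-match precedence, the attribute names Filter-Id and Aruba-User-Vlan from the supported-attribute list, and that value-of takes the VLAN number from the attribute's own value. The point it adds is the validation a practitioner wants on the server-supplied value and the anchoring caveat for the regular-expression operator.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Operators listed in the set-vlan / set-role rule syntax of this guide.
MATCH_OPERATORS = (
    "contains",
    "ends-with",
    "equals",
    "matches-regular-expression",
    "not-equals",
    "starts-with",
)
VALUE_OF = "value-of"


def valid_vlan(vlan: Optional[int]) -> bool:
    """802.1Q VLAN IDs usable for clients lie in 1..4094."""
    return vlan is not None and 1 <= vlan <= 4094


@dataclass(frozen=True)
class VlanRule:
    """One VLAN assignment rule (field layout assumed for this example)."""
    attribute: str                 # RADIUS attribute the rule inspects, e.g. Filter-Id
    operator: str                  # one of MATCH_OPERATORS, or value-of
    operand: str = ""              # comparison string; unused for value-of
    vlan: Optional[int] = None     # VLAN assigned on match; unused for value-of

    def __post_init__(self) -> None:
        if self.operator not in MATCH_OPERATORS and self.operator != VALUE_OF:
            raise ValueError(f"unknown operator: {self.operator}")
        if self.operator != VALUE_OF and not valid_vlan(self.vlan):
            raise ValueError(f"rule needs a VLAN in 1-4094, got {self.vlan}")


def operator_matches(operator: str, actual: str, operand: str) -> bool:
    """Apply one comparison operator to the attribute value seen from RADIUS."""
    if operator == "equals":
        return actual == operand
    if operator == "not-equals":
        return actual != operand
    if operator == "starts-with":
        return actual.startswith(operand)
    if operator == "ends-with":
        return actual.endswith(operand)
    if operator == "contains":
        return operand in actual
    if operator == "matches-regular-expression":
        # re.search is unanchored: a pattern without ^...$ also matches
        # substrings, which is why the rule set below anchors its expression.
        return re.search(operand, actual) is not None
    raise ValueError(f"unknown operator: {operator}")


def assign_vlan(rules: List[VlanRule], attrs: Dict[str, str], default_vlan: int) -> int:
    """Return the VLAN for a client given its decoded RADIUS attributes.

    Assumptions (not stated in the guide): rules are evaluated in order and
    the first match wins; a value-of rule uses the attribute's own value as
    the VLAN ID and is skipped, not failed open, when that value is not a
    valid VLAN number, so a malformed server reply falls through to the next
    rule or to the default VLAN rather than landing on an arbitrary VLAN.
    """
    for rule in rules:
        actual = attrs.get(rule.attribute)
        if actual is None:
            continue                     # attribute absent: rule cannot apply
        if rule.operator == VALUE_OF:
            if actual.isdigit() and valid_vlan(int(actual)):
                return int(actual)
            continue
        if operator_matches(rule.operator, actual, rule.operand):
            return rule.vlan             # validated in __post_init__
    return default_vlan


# Constructed rule set exercising the operator choices offered by the guide.
EXAMPLE_RULES = [
    VlanRule("Aruba-User-Vlan", VALUE_OF),
    VlanRule("Filter-Id", "equals", "guest", vlan=20),
    VlanRule("Filter-Id", "starts-with", "staff-", vlan=10),
    VlanRule("Filter-Id", "matches-regular-expression", r"^contractor-\d+$", vlan=40),
]


if __name__ == "__main__":
    # Constructed attribute sets standing in for decoded Access-Accept replies.
    for attrs in ({"Filter-Id": "guest"},
                  {"Filter-Id": "staff-eng"},
                  {"Aruba-User-Vlan": "30", "Filter-Id": "guest"},
                  {"Aruba-User-Vlan": "9999", "Filter-Id": "guest"},
                  {"Filter-Id": "contractor-12"},
                  {"Filter-Id": "contractor-12-old"},
                  {}):
        print(attrs, "->", assign_vlan(EXAMPLE_RULES, attrs, default_vlan=1))
```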
Configuring Access Rules for a Wired Profile The Ethernet ports allow third-party devices such as VoIP phones or printers (that support only wired connections) to connect to the wireless network. You can also configure an Access Control List (ACL) for additional security on the Ethernet downlink. If you are creating a new wired profile, complete the Wired Settings and configure VLAN and security parameters, before defining access rules.
(Instant AP)(config)# wired-port-profile
(Instant AP)(wired ap profile )# set-role {{equals| not-equal| starts-with| ends-with| contains| matches-regular-expression} | value-of}
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
To configure a pre-authentication role:
(Instant AP)(config)# wired-port-profile
(Instant AP)(wired ap profile )# set-role-pre-auth
(Instant AP)(wired ap profile )# end
1. Click the Wired link under More at the top right corner of the Instant main window. The Wired window is displayed.
2. In the Wired window, select the wired profile to modify.
3. Click Edit. The Edit Wired Network window is displayed.
4. Modify the required settings.
5. Click Finish to save the modifications.
Deleting a Wired Profile
To delete a wired profile:
1. Click the Wired link under More at the top right corner of the Instant main window. The Wired window is displayed.
2.
-------------------------
Radio Num   Enet 0 Tx Count   Enet 1 Tx Count
---------   ---------------   ---------------
0           0                 0
1           0                 0
non-wifi    2                 17
Understanding Hierarchical Deployment
A W-IAP130 Series or W-IAP3WN (with more than one wired port) can be connected to the downlink wired port of another W-IAP (ethX). A W-IAP with a single Ethernet port (like W-IAP90 or W-IAP100 series devices) can be provisioned to use Ethernet bridging, so that the Ethernet 0 port is converted to a downlink wired port.
Chapter 10 Captive Portal for Guest Access
This chapter provides the following information:
• Understanding Captive Portal on page 120
• Configuring a WLAN SSID for Guest Access on page 121
• Configuring Wired Profile for Guest Access on page 125
• Configuring Internal Captive Portal for Guest Network on page 126
• Configuring External Captive Portal for a Guest Network on page 129
• Configuring External Captive Portal Authentication Using ClearPass Guest on page 132
• Configuring Guest Logon
• External captive portal— For external captive portal authentication, an external portal on the cloud or on a server outside the enterprise network is used.
Walled Garden
The administrators can also control the resources that the guest users can access and the amount of bandwidth or air time they can use at any given time. When an external captive portal is used, the administrators can configure a walled garden, which determines access to the URLs requested by the guest users.
Parameter | Description
Dynamic multicast optimization | Select Enabled to allow the W-IAP to convert multicast streams into unicast streams over the wireless link. Enabling Dynamic Multicast Optimization (DMO) enhances the quality and reliability of streaming video, while preserving the bandwidth available to the non-video clients.
DMO channel utilization threshold | Specify a value to set a threshold for DMO channel utilization.
Parameter | Description
Band | Select a value to specify the band at which the network transmits radio signals. You can set the band to 2.4 GHz, 5 GHz, or All. The All option is selected by default.
Inactivity timeout | Specify a timeout interval. If a client session is inactive for the specified duration, the session expires and the users are required to log in again. The minimum value is set to 60 seconds and the default value is 1000 seconds.
Table 23: IP and VLAN Assignment for WLAN SSID Clients
Client IP Assignment | Client VLAN Assignment
Virtual Controller assigned | If Virtual Controller assigned is selected for client IP assignment, the Virtual Controller creates a private subnet and VLAN on the W-IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source.
(Instant AP)(SSID Profile )# rf-band {<2.4>|<5.
• Trunk — Select this mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs.
b. Specify any of the following values for Client IP Assignment:
• Virtual Controller Assigned: Select this option to allow the Virtual Controller to assign IP addresses to the wired clients. When the Virtual Controller assignment is used, the source IP address is translated for all client traffic that goes through this interface.
In the Instant UI
1. Navigate to the WLAN wizard or Wired window.
• To configure internal captive portal authentication for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
• To configure internal captive portal authentication for a wired profile, click More>Wired. In the Wired window, click New under Wired Networks to create a new network, or click Edit to select an existing profile.
2.
Parameter | Description
Disable if uplink type is | To exclude an uplink, select an uplink type.
Encryption | Select Enabled to configure encryption parameters. (Applicable for WLAN SSIDs only.)
Splash Page Design | Under Splash Page Visuals, use the editor to specify text and colors for the initial page that will be displayed to the users connecting to the network.
(Instant AP)(config)# wlan captive-portal
(Instant AP)(Captive Portal)# authenticated
(Instant AP)(Captive Portal)# background-color
(Instant AP)(Captive Portal)# banner-color
(Instant AP)(Captive Portal)# banner-text
(Instant AP)(Captive Portal)# decoded-texts
(Instant AP)(Captive Portal)# redirect-url
(Instant AP)(Captive Portal)# terms-of-use
(Instant AP)(Captive Portal)# use-policy
(Instant AP)(Captive Portal)# end
(Instant AP)# comm
Table 25: Captive Portal Profile Configuration Parameters
Parameter | Description
Name | Enter a name for the profile.
Type | Select any one of the following types of authentication:
• Radius Authentication - Select this option to enable user authentication against a RADIUS server.
• Authentication Text - Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.
Configuring an SSID or Wired Profile to Use External Captive Portal Authentication
You can configure external captive portal authentication for a network profile when adding or editing a guest network using the Instant UI or CLI.
In the Instant UI
1. Navigate to the WLAN wizard or Wired window.
• To configure external captive portal authentication for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
Table 26: External Captive Portal Configuration Parameters
Parameter | Description
Walled garden | Click the link to open the Walled Garden window. The walled garden configuration determines access to the websites. For more information, see Configuring Walled Garden Access on page 138.
Disable if uplink type is | Select the type of the uplink to exclude.
Encryption | Select Enabled to configure encryption settings and specify the encryption parameters.
5.
Creating a Web Login page in ClearPass Guest The ClearPass Guest Visitor Management Appliance provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access. With ClearPass Guest, the users can have a controlled access to a dedicated visitor management user database. Through a customizable Web portal, the administrators can easily create an account, reset a password or set an expiry time for visitors.
1. In the Access Rules tab, set the slider to any of the following types of access control:
• Unrestricted— Select this to set unrestricted access to the network.
• Network-based— Set the slider to Network-based to set common rules for all users in a network. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. To define an access rule:
a. Click New.
b. Select appropriate options in the New Rule window.
c. Click OK.
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To configure unrestricted access:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# set-role-unrestricted
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
Example
The following example configures access rules for the wireless network:
(Instant AP)(config)# wlan access-rule WirelessRule
(Instant AP)(Access Rule "WirelessRule")# rule 192.0.2.2 255.255.255.
4. Click New to add a new rule. The New Rule window is displayed.
5. In the New Rule window, specify the following parameters. The following figures show the parameters for Captive Portal role configuration:
Figure 40 Captive Portal Rule for Internal Acknowledged Splash Page
Figure 41 Captive Portal Rule for External Captive portal profile
Table 27: New Access Rule Configuration Parameters
Field | Description
Rule type | Select Captive Portal from the drop-down list.
Field | Description
• To change the policy text, click the second square in the splash page, type the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters.
• Specify the URL to which you want to redirect the guest users.
• To upload a custom logo, click Upload your own custom logo Image, browse the image file, and click upload image.
• Click Preview to preview the Captive Portal page.
Configuring Walled Garden Access On the Internet, a walled garden typically controls access to Web content and services. The Walled garden access is required when an external captive portal is used. For example, a hotel environment where the unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all its contents. The users who do not sign up for the Internet service can view the “allowed” websites (typically hotel property websites).
2. Navigate to the Security tab.
3. Select None from the Splash page type drop-down list.
4. Click Next and then click Finish to apply the changes.
Chapter 11 Authentication and User Management
This chapter provides the following information:
• Managing W-IAP Users on page 140
• Understanding Authentication Methods on page 147
• Supported Authentication Servers on page 149
• Understanding Encryption Types on page 154
• Support for Authentication Survivability on page 155
• Configuring Authentication Servers on page 157
• Configuring 802.
Configuring Authentication Parameters for Management Users Instant now allows you to configure a TACACS+ Server as the authentication server to support authentication and accounting privileges for management users. TACACS+ server allows a remote access server to communicate with an authentication server to determine if the user has access to the network. In Instant, the users can create several TACACS+ server profiles, out of which one or two of the servers can be specified to authenticate management users.
Table 29: TACACS+ Server Configuration Parameters
Parameter | Description
IP address | Enter the IP address of the TACACS+ server.
Auth Port | Enter the TCP port used by the server. The default port number is 49.
Shared Key | Enter the secret key of your choice to authenticate communication between the TACACS+ client and server.
Retype Key | Re-enter the secret key you have specified as the Shared Key.
Timeout | Enter a number between 1 and 30 seconds to indicate the timeout period for TACACS+ requests.
Figure 43 Admin Tab: Management Authentication Parameters
3. Under Local, select any of the following options from the Authentication drop-down list:
• Internal— Select this option to specify a single set of user credentials. Enter the Username and Password for accessing the Virtual Controller Management User Interface.
• Authentication Server— Specify one or two authentication servers to authenticate clients.
(Instant AP)(config)# mgmt-auth-server
(Instant AP)(config)# mgmt-auth-server-load-balancing
(Instant AP)(config)# mgmt-auth-server-local-backup
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure management authentication settings:
(Instant AP)(config)# mgmt-auth-server
(Instant AP)(config)# mgmt-auth-server
(Instant AP)(config)# mgmt-auth-server-load-balancing
(Instant AP)(config)# mgmt-auth-server-local-backup
(Instant AP)(config)# en
2. Click Users for Internal Server. The following figure shows the contents of the Users for Internal Server tab.
Figure 44 Adding a User
3. Enter the username in the Username text box.
4. Enter the password in the Password text box and reconfirm.
5. Select a type of network from the Type drop-down list.
6. Click Add and click OK. The users are listed in the Users list.
7. To edit user settings:
a. Select the user to modify under Users.
b. Click Edit to modify user settings.
c. Click OK.
8.
(Instant AP)# commit apply
To configure a guest user:
(Instant AP)(config)# user portal
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring the Read-Only Administrator Credentials
You can assign the read-only privilege to an admin user by using the Instant UI or CLI.
In the Instant UI
1. Click the System link at the top right corner of the Instant main window. The System window is displayed.
2. Click the Admin tab. The Admin tab details are displayed.
3. Under View Only:
a.
Understanding Authentication Methods
Authentication is the process of identifying a user through a valid username and password or based on their MAC address. The following authentication methods are supported in Instant:
• 802.1X authentication
• MAC authentication
• MAC authentication with 802.1X authentication
• Captive Portal Authentication
• MAC authentication with Captive Portal authentication
• 802.1X authentication with Captive Portal Role
• WISPr authentication
802.
l L2 authentication fall-through - Allows you to enable the l2-authentication-fallthrough mode. When this option is enabled, the 802.1X authentication is allowed even if the MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed. The l2-authentication-fallthrough mode is disabled by default. For more information on configuring a W-IAP to use MAC + 802.1X Authentication, see Configuring MAC Authentication with 802.1X Authentication on page 167.
Controller (the client certificate must be signed by a known CA), before the username is verified on the authentication server.
• EAP-TTLS (MSCHAPv2)— The Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords.
• EAP-PEAP (MSCHAPv2)— EAP-PEAP is an 802.
Internal RADIUS Server
Each W-IAP runs an instance of a free RADIUS server locally. When you enable the internal RADIUS server option for the network, the client on the W-IAP sends a RADIUS packet to the local IP address. The internal RADIUS server listens for and replies to the RADIUS packet. Instant itself therefore serves as a RADIUS server for 802.1X authentication. The internal RADIUS server can also be configured as a backup RADIUS server for an external RADIUS server.
- Acct-Output-Packets
- Acct-Session-Id
- Acct-Session-Time
- Acct-Status-Type
- Acct-Terminate-Cause
- Acct-Tunnel-Packets-Lost
- Add-Port-To-IP-Address
- Aruba-AP-Group
- Aruba-AP-IP-Address
- Aruba-AS-Credential-Hash
- Aruba-AS-User-Name
- Aruba-Admin-Role
- Aruba-AirGroup-Device-Type
- Aruba-AirGroup-Shared-Group
- Aruba-AirGroup-Shared-Role
- Aruba-AirGroup-Shared-User
- Aruba-AirGroup-User-Name
- Aruba-AirGroup-Version
- Aruba-Auth-Survivability
- Aruba-CPPM-Role
- Aruba-User-Vlan
- Aruba-WorkSpace-App-Name
- Authentication-Sub-Type
- Authentication-Type
- CHAP-Challenge
- Callback-Id
- Callback-Number
- Chargeable-User-Identity
- Class
- Connect-Info
- Connect-Rate
- Crypt-Password
- DB-Entry-State
- Digest-Response
- Domain-Name
- EAP-Message
- Error-Cause
- Event-Timestamp
- Exec-Program
- Exec-Program-Wait
- Expiration
- Fall-Through
- Filter-Id
- Framed-AppleTalk-Link
- Framed-AppleTalk-Network
- Framed-AppleTa
- Huntgroup-Name
- Idle-Timeout
- Location-Capable
- Location-Data
- Location-Information
- Login-IP-Host
- Login-IPv6-Host
- Login-LAT-Node
- Login-LAT-Port
- Login-LAT-Service
- Login-Service
- Login-TCP-Port
- Menu
- Message-Auth
- NAS-IPv6-Address
- NAS-Port-Type
- Operator-Name
- Password
- Password-Retry
- Port-Limit
- Prefix
- Prompt
- Rad-Authenticator
- Rad-Code
- Rad-Id
- Rad-Length
- Reply-Message
- Requested-Location-Info
- Revoke-Text
- Tunnel-Connection-Id
- Tunnel-Medium-Type
- Tunnel-Preference
- Tunnel-Private-Group-Id
- Tunnel-Server-Auth-Id
- Tunnel-Server-Endpoint
- Tunnel-Type
- User-Category
- User-Name
- User-Vlan
- Vendor-Specific
Dynamic Load Balancing between Two Authentication Servers
You can configure two authentication servers to serve as a primary and a backup RADIUS server and enable load balancing between these servers.
Table 30: WPA and WPA2 Features
Certification: WPA
  Authentication: PSK; IEEE 802.1X with Extensible Authentication Protocol (EAP)
  Encryption: TKIP with message integrity check (MIC)
Certification: WPA2
  Authentication: PSK; IEEE 802.1X with EAP
  Encryption: AES -- Counter Mode with Cipher Block Chaining Message Authentication Code (AES-CCMP)
WPA and WPA2 can be further classified as follows:
- Personal — Personal is also called Pre-Shared Key (PSK). In this type, a unique key is shared with each client in the network.
When the authentication survivability feature is enabled, the following authentication process is used:
1. The client associates to a W-IAP and authenticates to the external authentication server. The external authentication server can be either CPPM (for EAP-PEAP) or a RADIUS server (EAP-TLS).
2. Upon successful authentication, the associated W-IAP caches the authentication credentials of the connected users for the configured duration.
(Instant AP)(config)# auth-survivability cache-time-out
(Instant AP)(config)# end
(Instant AP)# commit apply
To view the cache expiry duration:
(Instant AP)# show auth-survivability time-out
To view the information cached by the W-IAP:
(Instant AP)# show auth-survivability cached-info
To view logs for debugging:
(Instant AP)# show auth-survivability debug-log
Configuring Authentication Servers
This section describes the following procedures:
- Configuring an External Server for Authentication
Figure 46 New Authentication Server Window
3. Configure any of the following types of server:
- RADIUS Server — To configure a RADIUS server, specify the attributes described in the following table:
Table 32: RADIUS Server Configuration Parameters
Name: Enter the name of the new external RADIUS server.
IP address: Enter the IP address of the external RADIUS server.
Auth port: Enter the authorization port number of the external RADIUS server. The default port number is 1812.
Retry count: Specify a number between 1 and 5. Indicates the maximum number of authentication requests that are sent to the server group; the default value is 3 requests.
RFC 3576: Select Enabled to allow the APs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.
Filter: Specify the filter to apply when searching for a user in the LDAP database. The default filter string is (objectclass=*).
Key Attribute: Specify the attribute to use as a key when searching the LDAP server. For Active Directory, the value is sAMAccountName.
Timeout: Enter a value between 1 and 30 seconds. The default value is 5.
Retry count: Enter a value between 1 and 5. The default value is 3.
(Instant AP)(Auth Server )# nas-id
(Instant AP)(Auth Server )# nas-ip
(Instant AP)(Auth Server )# timeout
(Instant AP)(Auth Server )# retry-count
(Instant AP)(Auth Server )# rfc3576
(Instant AP)(Auth Server )# deadtime
(Instant AP)# commit apply
1. In the Instant main window, click the System link. The System window is displayed.
2. In the General tab of the System window, select Enabled from the Dynamic RADIUS Proxy drop-down list.
3. Click OK.
When dynamic RADIUS proxy is enabled, ensure that a static Virtual Controller IP is configured. For more information on configuring the Virtual Controller IP address, see Configuring Virtual Controller IP Address on page 76.
- To open the WLAN wizard, select an existing SSID in the Network tab, and click edit.
- To open the wired settings window, click More > Wired. In the Wired window, select a profile and click Edit.
You can also associate the authentication servers when creating a new WLAN or wired profile.
2. Click the Security tab.
3. If you are configuring the authentication server for a WLAN SSID, under the Security tab, slide to the Enterprise security level.
4. Ensure that an authentication type is enabled.
5.
Configuring 802.1X Authentication for a Wireless Network Profile
You can configure 802.1X authentication for a wireless network profile in the Instant UI or CLI.
In the Instant UI
To enable 802.1X authentication for a wireless network:
1. In the Network tab, click New to create a new network profile, or select an existing profile for which you want to enable 802.1X authentication and click edit.
2.
In the Instant UI
To enable 802.1X authentication for a wired profile:
1. Click the Wired link under More at the top right corner of the main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network, or select an existing profile for which you want to enable 802.1X authentication and then click Edit.
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4.
5. If the internal authentication server is used, perform the following steps to allow MAC address based authentication:
   a. Click the Users link against the Internal server field. The Users window is displayed.
   b. Specify the client MAC address as the user name and password.
   c. Specify the type of the user (employee or guest).
   d. Click Add.
   e. Repeat the steps to add more users.
   f. Click OK.
6.
6. If the internal authentication server is used, perform the following steps to allow MAC address based authentication:
   a. Click the Users link against the Internal server field. The Users window is displayed.
   b. Specify the client MAC address as the user name and password.
   c. Specify the type of the user (employee or guest).
   d. Click Add.
   e. Repeat the steps to add more users.
   f. Click OK.
7. Configure other parameters as required.
8.
5. Select the MAC authentication fail-thru checkbox to use 802.1X authentication even when the MAC authentication fails.
6. Click Next and then click Finish to apply the changes.
In the CLI
To configure both MAC and 802.
Configuring MAC Authentication with Captive Portal Authentication
This authentication method has the following features:
- If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC authentication reuses the server configurations.
- If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and MAC authentication is enabled, a server configuration page is displayed.
(Instant AP)# commit apply
Configuring WISPr Authentication
Instant supports the following smart clients:
- iPass
- Boingo
These smart clients enable client authentication and roaming between hotspots by embedding iPass Generic Interface Specification (GIS) redirect, authentication, and logoff messages within HTML messages that are sent to the W-IAP. WISPr authentication is supported only for the Internal - Authenticated and External - RADIUS Server captive portal authentication types.
(Instant AP)(WISPr)# wispr-location-id-ac
(Instant AP)(WISPr)# wispr-location-id-cc
(Instant AP)(WISPr)# wispr-location-id-isocc
(Instant AP)(WISPr)# wispr-location-id-network
(Instant AP)(WISPr)# wispr-location-name-location
(Instant AP)(WISPr)# wispr-location-name-operator-name
(Instant AP)(WISPr)# end
(Instant AP)# commit apply
Blacklisting Clients
Client blacklisting denies connections to the blacklisted clients.
Blacklisting Users Dynamically
Clients can be blacklisted dynamically when they exceed the authentication failure threshold or when a blacklisting rule is triggered as part of the authentication process.
Authentication Failure Blacklisting
When a client fails to authenticate and exceeds the configured failure threshold, the W-IAP blacklists it automatically.
Uploading Certificates
A certificate is a digital file that certifies the identity of an organization or of its products. It is also used to establish your credentials for Web transactions. It contains the organization name, a serial number, an expiration date, a copy of the certificate holder's public key, and the digital signature of the certificate-issuing authority, so that a recipient can verify that the certificate is genuine.
8. Click Browse, select the appropriate certificate file, and click Upload Certificate. The Certificate Successfully Installed message is displayed.
Loading Certificates through Instant CLI
To upload a certificate:
(Instant AP)# copy tftp {cpserver cert format {p12|pem}|system {1xca [format {der|pem}]|1xcert [format {p12|pem}]}}
Loading Certificates through W-AirWave
You can manage certificates using W-AirWave.
Figure 50 Server Certificate
4. After you upload the certificate, navigate to Groups, click the Instant Group, and then select Basic. The Group name is displayed only if you have entered the Organization name in the Instant UI. For more information, see Configuring Organization String on page 277.
Figure 51 Selecting the Group
The Virtual Controller Certificate section displays the certificates (CA cert and Server).
5. Click Save to apply the changes only to W-AirWave.
Chapter 12 Roles and Policies
This chapter describes the procedures for configuring user roles, role assignment, and firewall policies.
- Firewall Policies on page 176
- Content Filtering on page 186
- Configuring User Roles on page 190
- Configuring Derivation Rules on page 192
Firewall Policies
The Instant firewall provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks.
- Configuring Web Policy Enforcement on page 249
Configuring Access Rules for Network Services
This section describes the procedure for configuring ACLs to control access to network services. For information on:
- Configuring access rules based on applications and application categories, see Configuring Access Rules for Application and Application Categories on page 246.
- Configuring access rules based on web categories and web reputation, see Configuring Web Policy Enforcement on page 249.
Table 35: Access Rule Configuration Parameters
Service Category Description
- the IP address and netmask for the destination network.
- except to a network— Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
- to domain name— Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.
Configuring Network Address Translation Rules Network Address Translation (NAT) is the process of modifying network address information when packets pass through a routing device. The routing device acts as an agent between the public (the Internet) and private (local network), which allows translation of private network IP addresses to a public address space.
Configuring Source-Based Routing
To allow different forwarding policies for different SSIDs, you can configure source-based routing. The source-based routing configuration overrides the routing profile configuration and allows any destination or service to be given direct access to the Internet (bypassing the VPN tunnel) based on the ACL rule definition. When source-based routing is enabled, the Virtual Controller performs source NAT using its uplink IP address.
Configuring ALG Protocols
You can enable or disable protocols for the Application Layer Gateway (ALG) using the Instant UI or CLI.
In the Instant UI
To configure protocols for ALG:
1. Click the Security link at the top right corner of the Instant main window.
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed. The following figure shows the contents of the Firewall Settings tab:
Figure 52 Firewall Settings—ALG Protocols
3.
In the Instant UI
To configure firewall settings:
1. Click the Security link at the top right corner of the Instant main window.
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed.
3. To configure protection against security attacks, select the following checkboxes:
- Select Drop bad ARP to enable the W-IAP to drop fake ARP packets.
- Select Fix malformed DHCP to enable the W-IAP to fix malformed DHCP packets.
Managing Inbound Traffic Instant now supports an enhanced inbound firewall by allowing the configuration of firewall rules and management subnets, and restricting corporate access through an uplink switch.
Table 36: Inbound Firewall Rule Configuration Parameters
Action: Select any of the following actions:
- Select Allow to allow access to users based on the access rule.
- Select Deny to deny access to users based on the access rule.
- Select Destination-NAT to allow changes to the destination IP address.
- Select Source-NAT to allow changes to the source IP address.
The destination-nat and source-nat actions apply only to the network services rules.
Table 36: Inbound Firewall Rule Configuration Parameters
- Voice: Priority 6 (Internetwork Control)
Disable scanning: Select the Disable scanning checkbox to disable ARM scanning when this rule is triggered. The Disable scanning selection applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings for a W-IAP on page 238.
DSCP tag: Select the DSCP tag checkbox to specify a DSCP value to prioritize traffic when this rule is triggered.
Figure 55 Firewall Settings—Management Subnets
2. To add a new management subnet:
- Enter the subnet address in Subnet.
- Enter the subnet mask in Mask.
- Click Add.
3. To add multiple subnets, repeat step 2.
4. Click OK.
With the content filter, you can:
- Allow all DNS requests to non-corporate domains on a wireless or wired network to be sent to the OpenDNS server. When the OpenDNS credentials are configured, the W-IAP uses these credentials to access OpenDNS to provide enterprise-level content filtering. For more information, see Configuring OpenDNS Credentials on page 266.
- Block certain categories of websites based on your organization's policy.
3. Click Edit. The Edit Wired Network window is displayed.
4. In the Wired Settings tab, select Enabled from the Content Filtering drop-down list and click Next to continue.
Figure 56
   b. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.
   c. From the Action drop-down, select Allow or Deny as required.
   d. Click OK.
5. To filter access based on the security ratings of the website:
   a. Select Web reputation under Services.
   b. Move the slider to the required security rating level.
   c. From the Action drop-down, select Allow or Deny as required.
6.
Configuring User Roles
Every client in the Instant network is associated with a user role, which determines the client's network privileges, the frequency of reauthentication, and the applicable bandwidth contracts. Instant allows you to configure up to 32 user roles. If the number of roles exceeds 32, an error message is displayed.
In the Instant UI
1. Click the Security link at the top right corner of the Instant main window. The Security window is displayed.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Create a new role or select an existing role.
4. Under Access Rules, click New. The New Rule window is displayed.
5. Select Bandwidth Contract from the Rule Type drop-down list.
6. Specify the downstream and upstream rates in Kbps. If the assignment is specific for each user, select the Per-user checkbox.
7. Click OK.
8.
1. In the Access tab of the WLAN (New WLAN or Edit) or Wired Network configuration (New Wired Network or Edit Wired Network) window, under Roles, create the Machine auth only and User auth only roles.
2. Configure access rules for these roles by selecting the role and applying the rule. For more information on configuring access rules, see Configuring Access Rules for Network Services on page 177.
3. Select Enforce Machine Authentication and select the Machine auth only and User auth only roles.
Roles Based on Client Authentication
The user role can be the default user role configured for an authentication method, such as 802.1X authentication. For each authentication method, you can configure a default role for clients who are successfully authenticated using that method.
DHCP Option and DHCP Fingerprinting
DHCP fingerprinting allows you to identify the operating system of a device by looking at the options in the DHCP frame.
4. Select the attribute that the rule matches against from the Attribute drop-down list. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For a list of RADIUS attributes, see RADIUS Server Authentication with VSA on page 150.
5. Select the operator from the Operator drop-down list.
- The user VLANs can be derived from the default roles configured for 802.1X authentication or MAC authentication.
- After client authentication, the VLAN can be derived from Vendor Specific Attributes (VSA) for RADIUS server authentication.
- DHCP-based VLANs can be derived for Captive Portal authentication. Instant supports role derivation based on the DHCP option for Captive Portal authentication.
VLAN Assignment Based on Derivation Rules When an external RADIUS server is used for authentication, the RADIUS server may return a reply message for authentication. If the RADIUS server supports return attributes, and sets an attribute value to the reply message, the W-IAP can analyze the return message and match attributes with a user pre-defined VLAN derivation rule. If the rule is matched, the VLAN value defined by the rule is assigned to the user.
- To configure a VLAN derivation rule for a WLAN SSID profile, click Network > New > New WLAN > VLAN or Network > edit > Edit > VLAN. Select the Dynamic option under Client VLAN assignment.
- To configure a VLAN derivation rule for a wired network profile, click Wired > New > New Wired Network > VLAN or Wired > Edit > Edit Wired Network > VLAN.
2. Click New to create a VLAN assignment rule. The New VLAN Assignment Rule window is displayed.
To configure a VLAN assignment rule for a wired profile:
(Instant AP)(config)# wired-port-profile
(Instant AP)(wired ap profile )# set-vlan {equals|not-equals|starts-with|ends-with|contains}|value-of
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan ssid-profile Profile1
(Instant AP)(SSID Profile "Profile1")# set-vlan mac-address-and-dhcp-options matches-regular-expression ..
Operator: Description
+ : Matches the declared element one or more times. For example, aa+ matches occurrences of aa and aaa.
() : Matches nested characters. For example, (192)* matches any number of occurrences of the character string 192.
| : Matches the character patterns on either side of the vertical bar. You can use this expression to construct a series of options.
\< : Matches the beginning of a word.
\> : Matches the end of a word.
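The rule evaluation described above (reply attributes compared against an ordered list of set-vlan rules, first match assigns the VLAN), as an added illustration in Python that is not Instant's own code. The attribute names, rules and replies are constructed sample values; the fallback to a default VLAN when no rule matches is an assumption.

```python
"""Added illustration of VLAN derivation by rule (not Instant's own code).

Models the behaviour described on this page: the W-IAP reads the attributes
returned by the RADIUS server and compares them, rule by rule, using the
set-vlan operators (equals, not-equals, starts-with, ends-with, contains,
matches-regular-expression, value-of). The first matching rule assigns the
VLAN. Attribute names, rules and replies below are constructed sample values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VlanRule:
    attribute: str              # e.g. a RADIUS attribute, dhcp-option, mac-address
    operator: str               # one of the set-vlan operators
    operand: str = ""           # value compared against (unused for value-of)
    vlan: Optional[int] = None  # VLAN to assign (None for value-of)


def rule_matches(operator: str, actual: str, operand: str) -> bool:
    """Apply one set-vlan comparison operator to an attribute value."""
    if operator == "equals":
        return actual == operand
    if operator == "not-equals":
        return actual != operand
    if operator == "starts-with":
        return actual.startswith(operand)
    if operator == "ends-with":
        return actual.endswith(operand)
    if operator == "contains":
        return operand in actual
    if operator == "matches-regular-expression":
        # re.search matches anywhere in the value; anchor the pattern
        # with ^ or $ when the whole value must match.
        return re.search(operand, actual) is not None
    raise ValueError(f"unsupported operator: {operator}")


def derive_vlan(reply_attrs: Dict[str, str], rules: List[VlanRule],
                default_vlan: Optional[int] = None) -> Optional[int]:
    """Return the VLAN assigned by the first matching rule.

    Rules whose attribute is absent from the reply are skipped. A value-of
    rule assigns the attribute's own value and is skipped when that value is
    not a valid VLAN ID (1-4094). If no rule matches, default_vlan (assumed
    here to be the profile's static VLAN) is returned.
    """
    for rule in rules:
        actual = reply_attrs.get(rule.attribute)
        if actual is None:
            continue
        if rule.operator == "value-of":
            if actual.isdigit() and 1 <= int(actual) <= 4094:
                return int(actual)
            continue
        if rule_matches(rule.operator, actual, rule.operand):
            return rule.vlan
    return default_vlan


# Constructed sample rule set, evaluated top to bottom.
SAMPLE_RULES = [
    VlanRule("Aruba-User-Vlan", "value-of"),
    VlanRule("Filter-Id", "starts-with", "guest", vlan=100),
    VlanRule("mac-address-and-dhcp-options", "matches-regular-expression",
             r"^00:1a:", vlan=200),
]

if __name__ == "__main__":
    # Constructed sample RADIUS replies
    print(derive_vlan({"Filter-Id": "guest-wifi"}, SAMPLE_RULES, 1))  # 100
    print(derive_vlan({"Aruba-User-Vlan": "30"}, SAMPLE_RULES, 1))    # 30
    print(derive_vlan({"Aruba-User-Vlan": "abc"}, SAMPLE_RULES, 1))   # 1
```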
Assigning User VLAN Roles to a Network Profile
You can configure user VLAN roles for a network profile using the Instant UI or CLI.
In the Instant UI
To assign a user VLAN role:
1. Click Network > New > New WLAN > Access or Network > edit > Edit > Access.
2. Ensure that the slider is at the Role-based option.
3. Click New under New Role Assignment and configure the following parameters:
   a. Select the attribute from the Attribute drop-down list.
   b.
Chapter 13 DHCP Configuration
This chapter provides the following information:
- Configuring DHCP Scopes on page 201
- Configuring the Default DHCP Scope for Client IP Assignment on page 208
Configuring DHCP Scopes
The Virtual Controller supports different modes of DHCP address assignment. Each DHCP address assignment mode is associated with particular client traffic forwarding modes. For more information on client traffic forwarding modes for IAP-VPN, see IAP-VPN Forwarding Modes on page 224.
Figure 62 New DHCP Scope: Distributed DHCP Mode
3. Based on the type of distributed DHCP scope, configure the following parameters:
Table 38: Distributed DHCP Mode: Configuration Parameters
Name: Enter a name for the DHCP scope.
Type: Select any of the following options:
- Distributed, L2— On selecting Distributed, L2, the Virtual Controller acts as the DHCP server but the default gateway is in the data center. Traffic is bridged into the VPN tunnel.
Table 38: Distributed DHCP Mode: Configuration Parameters
Lease Time: Specify a lease time for the client in minutes.
IP Address Range: Specify a range of IP addresses to use. To add another range, click the + icon. You can specify up to four different ranges of IP addresses.
- For Distributed, L2 mode, ensure that all IP ranges are in the same subnet as the default router.
(Instant AP)(DHCP Profile )# server-vlan
(Instant AP)(DHCP Profile )# client-count
(Instant AP)(DHCP Profile )# dns-server
(Instant AP)(DHCP Profile )# domain-name
(Instant AP)(DHCP Profile )# lease-ti
(Instant AP)# commit apply
Table 39: Centralized DHCP Mode: Configuration Parameters
Enabling split tunnel allows a VPN user to access a public network and a local LAN or WAN network at the same time through the same physical network connection. For example, a user can use a remote access VPN software client to connect to a corporate network over a home wireless network.
(Instant AP)(DHCP Profile )# server-vlan
(Instant AP)(DHCP Profile )# option82 alu
(Instant AP)(DHCP Profile )# disable-split-tunnel
(Instant AP)(DHCP Profile )# end
(Instant AP)# commit apply
To configure a centralized, L3 DHCP profile:
(Instant AP)(config)# ip dhcp
(Instant AP)(DHCP Profile )# server-type
(Instant AP)(DHCP Profile )# ser
Table 41: DHCP Mode: Configuration Parameters
Name: Enter a name for the DHCP scope.
Type: Select any of the following options:
- Local— On selecting Local, the DHCP server for the local branch network is used, keeping the scope of the subnet local to the W-IAP. In the NAT mode, the traffic is forwarded through the IPsec tunnel or the uplink.
- Local, L3— On selecting Local, L3, the Virtual Controller acts as a DHCP server and gateway.
(Instant AP)(DHCP Profile )# subnet
(Instant AP)(DHCP Profile )# subnet-mask
(Instant AP)(DHCP Profile )# exclude-address
(Instant AP)(DHCP Profile )# dns-server
(Instant AP)(DHCP Profile )# domain-name
(Instant AP)(DHCP Profile )# lease-time
(Instant AP)# commit apply
4. Enter the duration of the DHCP lease in the Lease time text box.
5. Select Minutes, Hours, or Days for the lease time from the drop-down list next to Lease time. The default lease time is 0.
6. Enter the network range for the client IP addresses in the Network field. The system automatically generates a network range that is sufficient for 254 addresses. If you want to provide simultaneous access to a larger number of clients, specify a larger range.
7.
Chapter 14 VPN Configuration
This chapter describes the following VPN configuration procedures:
- Understanding VPN Features on page 210
- Configuring a Tunnel from a W-IAP to Dell Networking W-Series Mobility Controller on page 210
- Configuring Routing Profiles on page 221
Understanding VPN Features
As W-IAPs use a Virtual Controller architecture, the W-IAP network does not require a physical controller to provide the configured WLAN services.
2. Select Aruba IPSec from the Protocol drop-down list.
3. Enter the IP address or fully qualified domain name (FQDN) for the primary VPN/IPSec endpoint in the Primary host field.
4. Enter the IP address or FQDN for the backup VPN/IPSec endpoint in the Backup host field. This entry is optional. When you specify the primary and backup host details, the other fields are displayed.
5. Specify the following parameters. A sample configuration is shown in Figure 64.
   a.
(Instant AP)(config)# vpn monitor-pkt-lost-cnt
(Instant AP)(config)# vpn reconnect-user-on-failover
(Instant AP)(config)# vpn reconnect-time-on-failover
(Instant AP)(config)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# vpn primary 192.0.2.18
(Instant AP)(config)# vpn backup 192.0.2.
   a. To allow the VPN tunnel to switch back to the primary host when it becomes available again, select Enabled from the Preemption drop-down list. This step is optional.
   b. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold time. The default value for Hold time is 600 seconds.
   c.
In the CLI
To enable automatic configuration of the GRE tunnel:
(Instant AP)(config)# vpn gre-outside
(Instant AP)(config)# vpn primary
(Instant AP)(config)# vpn backup <>
(Instant AP)(config)# vpn fast-failover
(Instant AP)(config)# vpn hold-time
(Instant AP)(config)# vpn preemption
(Instant AP)(config)# vpn monitor-pkt-send-freq
(Instant AP)(config)# vpn monitor-pkt-lost-cnt
(Instant AP)(config)# vpn reconnect-use
Figure 66 Manual GRE Configuration 4. Click Next to continue. When the GRE tunnel configuration is completed on both the W-IAP and Controller, the packets sent from and received by a W-IAP are encapsulated, but not encrypted.
- Preemptive: In this mode, if the primary comes up while the backup is active, the backup tunnel is deleted and the primary tunnel resumes as the active tunnel. If you configure the tunnel to be preemptive, then when the primary tunnel goes down the persistence timer starts and tries to bring the primary tunnel back up.
- Non-Preemptive: In this mode, once the backup tunnel is established after the primary tunnel goes down, the primary tunnel is not made active again.
Figure 68 Tunnel Configuration
   b. Enter the primary server IP address.
   c. Enter the remote end backup tunnel IP address. This is an optional field and is required only when a backup server is configured.
   d. Enter the remote end UDP port number. The default value is 1701.
   e. Enter the interval at which the hello packets are sent through the tunnel. The default value is 60 seconds.
   f. Select the message digest (MD5 or SHA) used for message authentication.
   g. Enter a shared key for the message digest.
   d. Select the cookie length and enter a cookie value corresponding to the length. By default, the cookie length is not set.
   e. Specify the remote end ID.
   f. If required, enable the default L2-specific sublayer in the L2TP session.
   g. Click OK.
5. Click Next to continue.
(Instant AP)(config) # l2tpv3 session test_session
(Instant AP)(L2TPv3 Session Profile "test_session")# cookie len 4 value 12345678
(Instant AP)(L2TPv3 Session Profile "test_session")# l2tpv3 tunnel test_tunnel
(Instant AP)(L2TPv3 Session Profile "test_session")# tunnel-ip 1.1.1.1 mask 255.255.255.
administrative name: 'test_tunnel' (primary)
created by admin: YES, tunnel mode: LAC, persist: YES
local host name: Instant-C4:42:98
peer tunnel id: 1842732147, host name: aruba1600pop636635.hsbtst2.
use tiebreaker: OFF
peer profile: NOT SET
session profile: NOT SET
trace flags: PROTOCOL FSM API AVPDATA FUNC XPRT DATA SYSTEM CLI
To view L2TPv3 system statistics:
(Instant AP)# show l2tpv3 system statistics
L2TP counters:Total messages sent: 99, received: 194, retransmitted: 0
illegal: 0, unsupported: 0, ignored AVPs: 0, vendor AVPs: 0
Setup failures: tunnels: 0, sessions: 0
Resource failures: control frames: 0, peers: 0
tunnels: 0, sessions: 0
Limit exceeded errors: tunnels: 0, sessions: 0
Frame errors:
Figure 70 Tunneling— Routing
3. Update the following parameters:
- Destination— Specify the destination network that is reachable through the VPN tunnel. This defines the IP address or subnet that must be reached through the IPsec tunnel. Traffic to the IP address or subnet defined here is forwarded through the IPsec tunnel.
- Netmask— Specify the subnet mask for the destination defined in Destination.
- Gateway— Specify the gateway to which traffic must be routed.
Chapter 15 IAP-VPN Deployment
This section provides the following information:
- Understanding IAP-VPN Architecture on page 223
- Configuring W-IAP and Controller for IAP-VPN Operations on page 225
Understanding IAP-VPN Architecture
The IAP-VPN architecture includes the following two components:
- W-IAPs at branch sites
- Controller at the datacenter
The master W-IAP at the branch acts as the VPN endpoint and the controller at the datacenter acts as the VPN concentrator.
- L3 mode and NAT mode users— The number of trusted users supported on the controller. There is no scale impact on the controller; they are limited only by the number of clients supported per W-IAP.
- L2 mode users— The number of L2 mode users is limited to 128000 for W-7220/W-7240 and 64000 across all other platforms.
IAP-VPN Forwarding Modes
The following forwarding modes are supported in the IAP-VPN scenario.
DHCP server and not the DHCP server on the controller. Client traffic destined to datacenter resources is forwarded by the master W-IAP (through the IPsec tunnel) to the client's default gateway in the datacenter. L3 Routing Mode In this mode, the traffic destined for the corporate network is routed through the VPN tunnel to the controller. The traffic destined for the non-corporate network is translated using the IP address of the W-IAP and is forwarded through the uplink.
l IPSec l Aruba GRE l Manual GRE Configuring Routing Profiles The routing profile on the W-IAP determines whether the traffic destined to a subnet must be tunneled through IPSec or bridged locally. If the routing profile is empty, the client traffic will always be bridged locally. For example, if the routing profile is configured to tunnel 10.0.0.0 /8, traffic destined to 10.0.0.0 /8 will be forwarded through the IPsec tunnel and the traffic to all other destinations is bridged locally.
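The routing-profile decision described above, as an added example that is not code from the Instant guide or from Dell/Aruba: entries are (destination, netmask, gateway) as in the Tunneling > Routing table, a destination matched by an entry is sent through the IPsec tunnel to that gateway, everything else is bridged locally (source-NATed out the W-IAP uplink), and an empty profile bridges everything. The only assumption beyond the text is that overlapping entries are resolved by the most specific prefix; the guide does not say how overlaps are handled. The `audit` helper is there because the security consequence of a thin profile is that corporate destinations quietly leave the branch outside the tunnel.

```python
"""Model of the W-IAP routing-profile decision (added example, not the
guide's code). Assumption: most-specific prefix wins on overlap."""
import ipaddress

TUNNEL, BRIDGE = "tunnel", "bridge"


def build_profile(entries):
    """entries: iterable of (destination, netmask or prefix length, gateway),
    e.g. ("10.0.0.0", "255.0.0.0", "192.0.2.1") or ("10.15.0.0", 16, ...)."""
    return [(ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw)
            for dest, mask, gw in entries]


def next_hop(profile, destination):
    """Return (TUNNEL, gateway) when the destination falls inside a profile
    entry, otherwise (BRIDGE, None). An empty profile never tunnels."""
    dst = ipaddress.ip_address(destination)
    matches = [(net, gw) for net, gw in profile if dst in net]
    if not matches:
        return BRIDGE, None
    # Most specific entry wins when entries overlap (assumption, see above).
    _net, gw = max(matches, key=lambda m: m[0].prefixlen)
    return TUNNEL, gw


def audit(profile, destinations):
    """Group destinations by decision so an operator can see which traffic
    would leave the branch bridged (unencrypted) instead of tunneled."""
    report = {TUNNEL: [], BRIDGE: []}
    for d in destinations:
        action, gw = next_hop(profile, d)
        report[action].append(d if gw is None else f"{d} via {gw}")
    return report
```

Running `audit` over the destinations a branch actually talks to, before committing a profile, shows immediately whether a datacenter subnet was left out of the tunnel list.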
configured in the DHCP profiles, the IAP-VPN operations are affected. For example, if a local DHCP profile is configured with a VLAN ID of 200, the VLAN configuration on the SSID must be set to a static VLAN ID 200. For information on how to configure an SSID or wired port profile, seeWireless Network Profiles on page 93 and Configuring a Wired Profile on page 112 respectively. Enabling Dynamic RADIUS Proxy The RADIUS server can be deployed at different locations and VLANs.
To redistribute IAP-VPN routes into the OSPF process, use the following command:
(host)(config) # router ospf redistribute rapng-vpn
To verify that redistribution of IAP-VPN routes is enabled, use the following command:
(host) #show ip ospf redistribute
Redistribute RAPNG
To configure an aggregate route for IAP-VPN routes, use the following command:
(host) (config) # router ospf aggregate-route rapng-vpn
To view the aggregated routes for IAP-VPN routes, use the following command:
(host) #show ip ospf rapng-vpn
V 12.12.2.0/24 [10/0] ipsec map
V 12.12.12.0/25 [10/0] ipsec map
V 12.12.12.32/27 [10/0] ipsec map
V 50.40.40.0/24 [10/0] ipsec map
V 51.41.41.128/25 [10/0] ipsec map
V 53.43.43.32/27 [10/0] ipsec map
V 54.44.44.16/28 [10/0] ipsec map
C 9.9.9.0/24 is directly connected, VLAN9
C 10.15.148.0/24 is directly connected, VLAN1
C 43.43.43.0/24 is directly connected, VLAN132
C 42.42.42.0/24 is directly connected, VLAN123
C 44.44.44.0/24 is directly connected, VLAN125
C 182.82.82.12/32 is an ipsec map
C 10.15.149.
VPN Local Pool Configuration The VPN local pool is used to assign an IP Address to the W-IAP after successful XAUTH VPN. (host) # ip local pool "rapngpool" Role Assignment for the Authenticated W-IAPs Define a role that includes a src-nat rule to allow connections to the RADIUS server and for the Dynamic Radius Proxy in the W-IAP to work. This role is assigned to W-IAPs after successful authentication.
Key Bid(Subnet Name)
--- ---------------
b3c65c...
b3c65c...
b3c65c... 2(10.15.205.0-10.15.205.250,5),1(10.15.206.1-10.15.206.252,5)
a2a65c... 0
b3c65c... 7(10.15.205.0-10.15.205.250,5),8(10.15.206.1-10.15.206.252,5)
b3c65c...
b3c65c... 1(10.15.205.0-10.15.205.250,5),2(10.15.206.1-10.15.206.252,5)
b3c65c... 14(10.15.205.0-10.15.205.250,5),15(10.15.206.
Chapter 16 Adaptive Radio Management This chapter provides the following information: l ARM Overview on page 232 l Configuring ARM Features on a W-IAP on page 233 l Configuring Radio Settings for a W-IAP on page 238 ARM Overview Adaptive Radio Management (ARM) is a radio frequency management technology that optimizes WLAN performance even in networks with the highest traffic by dynamically and intelligently choosing the best 802.
Configuring ARM Features on a W-IAP This section describes the following procedures for configuring ARM features: l Band Steering on page 233 l Airtime Fairness Mode on page 233 l Client Match on page 234 l Access Point Control on page 236 Band Steering The band steering feature assigns the dual-band capable clients to the 5 GHz band on dual-band W-IAPs.
In the Instant UI 1. For Airtime fairness mode configuration, specify any of the following values in the RF > ARM >Show advanced options tab: Table 45: Airtime Fairness Mode - Configuration Parameters Parameter Description Default Access Select this option to provide access based on client requests. When Air Time Fairness is set to default access, per user and per SSID bandwidth limits are not enforced. Fair Access Select this option to allocate Airtime evenly across all the clients.
l Band Steering: W-IAPs using the client match feature monitor the RSSI for clients that advertise a dual-band capability. If a client is currently associated to a 2.4 GHz radio and the AP detects that the client has a good RSSI from the 5 GHz radio, the W-IAP steers the client to the 5 GHz radio, as long as the 5 GHz RSSI is not significantly worse than the 2.4 GHz RSSI, and the W-IAP retains a suitable distribution of clients on each of its radios.
In the CLI
(Instant AP)(config)# arm
(Instant AP)(ARM)# client-match calc-interval
(Instant AP)(ARM)# client-match calc-threshold
(Instant AP)(ARM)# client-match nb-matching
(Instant AP)(ARM)# client-match slb-mode 1
(Instant AP)(ARM)# end
(Instant AP)# commit apply
Access Point Control You can configure access point control parameters through the Instant UI or CLI. In the Instant UI 1.
Parameter Description Scanning Select Enabled so that the W-IAP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and reports to the W-IAP. This scanning report includes WLAN coverage, interference, and intrusion detection data. NOTE: For client match configuration, ensure that scanning is enabled. Wide Channel Bands Select a band to allow the APs to be placed in 40 MHz (wide band) channels.
Channel Status
------- ------
1 enable
2 disable
3 disable
4 disable
5 disable
6 enable
7 disable
8 disable
9 disable
10 disable
11 enable
12 disable
13 disable
1+ enable
2+ disable
3+ disable
4+ disable
5+ disable
6+ disable
7+ enable
5.
3. Click the Radio tab. 4. Under 2.4 GHz or 5 GHz or both, configure the following parameters. Table 48: Radio Configuration Parameters Parameter Description Legacy only Select Enabled to run the radio in non-802.11n mode. This option is set to Disabled by default. 802.11d / 802.11h Select Enabled to allow the radio to advertise its 802.11d (Country Information) and 802.11h (Transmit Power Control) capabilities. This option is set to Disabled by default.
(Instant AP)# commit apply
To configure 5 GHz radio settings:
(Instant AP)(config)# rf dot11a-radio-profile
(Instant AP)(RF dot11a Radio Profile)# beacon-interval
(Instant AP)(RF dot11a Radio Profile)# legacy-mode
(Instant AP)(RF dot11a Radio Profile)# spectrum-monitor
(Instant AP)(RF dot11a Radio Profile)# spectrum-band
(Instant AP)(RF dot11a Radio Profile)# dot11h
(Instant AP)(RF dot11a Radio Profile)# interference-immunity
(Instant AP)(RF dot11a
Chapter 17 Deep Packet Inspection and Application Visibility This chapter provides the following information: l Deep Packet Inspection on page 241 l Enabling Application Visibility on page 241 l Application Visibility on page 242 l Configuring Access Rules for Application and Application Categories on page 246 l Configuring Web Policy Enforcement on page 249 Deep Packet Inspection AppRF is Dell's custom built Layer 7 firewall capability.
Application Visibility The AppRF graphs are based on Deep Packet Inspection (DPI) application and Web Policy Enforcement service, which provides application traffic summary for the client devices associated with a W-IAP. The AppRF link above the activity panel of the dashboard is displayed only if AppRF visibility is enabled in the System window.
Figure 73 Application Categories List - Client View Figure 74 Application Category Chart - AP View Application Charts The application chart displays details on the client traffic towards the applications. On clicking in the rectangle area, you can view the following graphs and toggle between the chart and list views.
Figure 75 Application Chart - Client View Figure 76 Application List - Client View Figure 77 Application Chart - AP View
Web Categories Charts The web categories chart displays details about the client traffic to the web categories. On clicking in the rectangle area, you can view the following graphs and toggle between the chart and list views. Figure 78 Web Categories Chart - Client View Figure 79 Web Categories List - Client View Figure 80 Web Categories Chart - AP View Web Reputation Charts The web reputation chart displays details about the client traffic to URLs that are assigned a security score.
Figure 81 Web Reputation Chart - Client View Figure 82 Web Reputation List - Client View Figure 83 Web Reputation Chart - AP View Configuring Access Rules for Application and Application Categories This section describes the procedure for configuring access rules based on applications and application categories. Application and Application Category rules utilize the on-board DPI engine.
1. Navigate to Security > Roles tab. The Roles tab contents are displayed. You can also configure access rules for a wired or wireless client through the WLAN wizard (Network tab>WLAN SSID> Edit>Edit WLAN > Access ) or the Wired profile (More > Wired>Edit> Edit Wired Network> Access) window. 2. Select the role for which you want to configure access rules. 3. In Access rules section, click New to add a new rule. The New Rule window is displayed. 4. Ensure that the rule type is set to Access Control 5.
Table 49: Access Rule Configuration Parameters
Parameter Description
Service Category 1. Select the Application Throttling checkbox. 2. Specify the downstream and upstream rates in Kbps.
Action Select any of the following actions:
l Select Allow to allow access to users based on the access rule.
l Select Deny to deny access to users based on the access rule.
l Select Destination-NAT to allow changes to the destination IP address.
l Select Source-NAT to allow changes to the source IP address.
(Instant AP)# commit apply Example (Instant AP)(config)# wlan access-rule employee (Instant AP)(Access Rule "employee")# rule any any match app deny throttle-downstream 256 throttle-up 256 (Instant AP)(Access Rule "employee")# rule any any match appcategory collaboration permit (Instant AP)(Access Rule "employee")# end (Instant AP)# commit apply Configuring Web Policy Enforcement You can configure Web Policy Enforcement on a W-IAP to block certain categories of websites based on your organization specific
n Low risk - These are benign sites and may not expose the user to security risks. There is a low probability that the user will be exposed to malicious links or payloads. n Moderate risk - These are generally benign sites, but may pose a security risk. There is some probability that the user will be exposed to malicious links or payloads. n Suspicious - These are suspicious sites. There is a higher than average probability that the user will be exposed to malicious links or payloads.
Chapter 18 Voice and Video This chapter describes the steps required to configure voice and video services on a W-IAP for Voice over IP (VoIP) devices, including Session Initiation Protocol (SIP), Spectralink Voice Priority (SVP), H323, SCCP, Vocera, and Alcatel NOE phones, clients running Microsoft OCS, and Apple devices running the Facetime application.
In the Instant UI 1. Navigate to the WLAN wizard (click Network>New or Network> Select the WLAN SSID>edit). 2. Click Show advanced options under WLAN Settings. 3. Specify a percentage value for the following WMM access categories in the corresponding Share field. You can allocate a higher bandwidth for voice and video traffic than other types of traffic based on the network profile. l Background WMM — Allocates bandwidth for background traffic such as file downloads or print jobs.
By customizing WMM AC mappings, all packets received are matched against the entries in the mapping table and prioritized accordingly. The mapping table contains information for upstream (client to W-IAP) and downstream (W-IAP to client) traffic. You can configure different WMM to DSCP mapping values for each WMM AC when configuring an SSID profile either in the Instant UI or CLI. In the Instant UI 1. Navigate to the WLAN wizard (click Network>New or Network> Select the WLAN SSID>edit). 2.
The following table lists the ports used by Apple Facetime. Facetime users need to be assigned a role where traffic is allowed on these ports.
Table 52: Ports Used by the Apple Facetime Application
Port Packet Type
53 TCP/UDP
443 TCP
3478-3497 UDP
5223 TCP
16384-16387 UDP
16393-16402 UDP
Chapter 19 Services This chapter provides information on how to configure following services on a W-IAP: l AirGroup l Real Time Location Server (RTLS) l Analytics and Location Engine (ALE) l OpenDNS l Communications Assistance for Law Enforcement Act (CALEA) l Palo Alto Network Firewall l XML-API Server AirGroup Configuration AirGroup provides a unique enterprise-class capability that leverages zero configuration networking to enable AirGroup services from mobile devices in an efficient manne
The following figure illustrates how AirGroup enables personal sharing of Apple devices: Figure 85 AirGroup Enables Personal Device Sharing AirGroup is not supported on 3G and PPPoE uplinks. Multicast DNS and Bonjour® Services Bonjour is the trade name for the zero configuration implementation introduced by Apple. It is supported by most of the Apple product lines, including the Mac OS X operating system, iPhone, iPod Touch, iPad, Apple TV, and AirPort Express.
Figure 86 Bonjour Services and AirGroup Architecture For a list of supported Bonjour services, see AirGroup Services on page 259. DLNA UPnP Support In addition to the mDNS protocol, W-IAPs now support Universal Plug and Play (UPnP) and DLNA (Digital Living Network Alliance) enabled devices. DLNA is a network standard derived from UPnP, which enables devices to discover the services available in a network. DLNA also provides the ability to share data between the Windows or Android based multimedia devices.
Figure 87 DLNA UPnP Services and AirGroup Architecture For a list of supported DLNA services, see AirGroup Services on page 259. AirGroup Features AirGroup supports the following features: l Sends unicast responses to mDNS or DLNA queries and reduces the traffic footprint. l Ensures cross-VLAN visibility and availability of AirGroup devices and services. l Allows or blocks AirGroup services for all users. l Allows or blocks AirGroup services based on user roles.
Figure 88 AirGroup in a Higher-Education Environment When AirGroup discovers a new device, it interacts with CPPM to obtain the shared attributes such as shared location and role. However, the current versions of W-IAPs do not support the enforcement of shared location policy. AirGroup Services AirGroup supports zero configuration services. The services are pre-configured and are available as part of the factory default configuration.
AirGroup Components AirGroup leverages key elements of the Dell solution portfolio including operating system software for Instant, CPPM, and the VLAN-based or role-based filtering options offered by the AirGroup services. The components that make up the AirGroup solution include the Instant, CPPM, and ClearPass Guest.
Configuring AirGroup and AirGroup Services on a W-IAP You can configure AirGroup services, using the Instant UI or CLI. In the Instant UI To enable AirGroup and its services: 1. Click the More > Services link at the top right corner of the Instant main window. 2. Click the Air Group tab. The Air Group tab details are displayed. Figure 89 AirGroup Configuration 3. To enable support for Bonjour services, select the Enable Bonjour checkbox and select the AirGroup services related to Bonjour as required. 4.
marked as disallowed are prevented from accessing the corresponding AirGroup service. You can create a list of disallowed user roles and VLANs for all AirGroup services configured on the W-IAP. For example, if the AirPlay service is selected, the edit links for the airplay disallowed roles and airplay disallowed vlans are displayed. Similarly, if the sharing service is selected, the edit links for the sharing disallowed roles and sharing disallowed vlans are displayed.
Configuring AirGroup and CPPM interface in Instant Configure the Instant and CPPM interface to allow an AirGroup W-IAP and CPPM to exchange information regarding device sharing, and location. The configuration options define the RADIUS server that is used by the AirGroup RADIUS client. The AirGroup configuration with CPPM involves the following steps: 1. Create a RADIUS service 2. Assign a Server to AirGroup 3.
2. Click the RTLS tab. The following figure shows the contents of the RTLS tab. 3. Under Aruba, select the RTLS check-box to integrate Instant with the W-AirWave Management Platform or Ekahau Real Time Location Server. Figure 90 RTLS Window 4. Specify the IP address and port to which the location reports must be sent. 5. Specify the shared secret key in the Passphrase text box. 6. Specify the frequency at which the Virtual Controller can send updates to the server.
Configuring a W-IAP for Analytics and Location Engine Support The Analytics and Location Engine (ALE) is designed to gather client information from the network, process it, and share it through a standard API. The client information gathered by ALE can be used to analyze a client's internet behavior for business purposes, such as shopping preferences. ALE includes a location engine that calculates the associated and unassociated device location every 30 seconds by default.
Figure 91 Services Window —ALE Integration 4. Specify the ALE server name or IP address. 5. Specify the reporting interval within the range of 6–60 seconds. The W-IAP sends messages to the ALE server at the specified interval. The default interval is 30 seconds. 6. Click OK.
In the CLI To configure OpenDNS credentials: (Instant AP)(config)# opendns (Instant AP)(config)# end (Instant AP)# commit apply Integrating a W-IAP with Palo Alto Networks Firewall The Palo Alto Networks (PAN) next-generation firewall offers contextual security for all users so that applications can be enabled safely. A firewall that looks only at IP addresses and TCP port numbers provides only a subset of the security that enterprises require to protect their networks.
Figure 92 Services Window - Network Integration Tab 3. Select the Enable checkbox to enable PAN firewall. 4. Specify the user name and password. Ensure that you provide user credentials of the PAN firewall administrator. 5. Enter the PAN firewall IP address. 6. Enter the port number within the range of 1—65535. The default port is 443. 7. Click OK.
Integration with Instant The XML API interface allows users to send specific XML commands to a W-IAP from an external server. These XML commands can be used to customize W-IAP client entries. You can use the XML API interface to add, delete, authenticate, query, or blacklist a user or a client. The user authentication is supported only for users authenticated by Captive Portal authentication and not for the dot1x-authentication users.
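The request/response exchange behind the XML API described above, as an added example that is not code from the Instant guide or from Dell/Aruba. It assumes the ArubaOS XML API conventions as I recall them, which should be checked against your Instant release: an HTTP POST whose form field `xml` carries an `<aruba command="...">` document with `<ipaddr>`, `<macaddr>`, `<user>`, `<role>`, `<key>`, `<authentication>` and `<version>` children, the command names `user_add`, `user_delete`, `user_authenticate`, `user_query` and `user_blacklist`, and a `<key>` that is the shared secret hashed with the algorithm named in `<authentication>` (cleartext, md5 or sha-1). Because the W-IAP acts on these commands from an external server, the practical controls are a hashed key rather than cleartext, TLS to the AP, and restricting which server IP may send them; the builder below refuses the cleartext option for that reason.

```python
"""Build and parse XML API messages (added example; element names and the
key-hashing rule are assumptions about the ArubaOS XML API, not text from
the Instant guide)."""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

COMMANDS = {"user_add", "user_delete", "user_authenticate",
            "user_query", "user_blacklist"}
# Assumed: <key> carries the shared secret transformed by the method named
# in <authentication>.
HASHES = {
    "cleartext": lambda s: s,
    "md5": lambda s: hashlib.md5(s.encode()).hexdigest(),
    "sha-1": lambda s: hashlib.sha1(s.encode()).hexdigest(),
}


def build_request(command, secret, ipaddr, macaddr=None, user=None,
                  role=None, authentication="sha-1"):
    """Return the urlencoded POST body 'xml=<aruba command=...>...</aruba>'."""
    if command not in COMMANDS:
        raise ValueError(f"unknown command {command!r}")
    if authentication == "cleartext":
        # Hashing costs nothing; never put the shared secret on the wire.
        raise ValueError("refusing to send the shared secret in cleartext")
    root = ET.Element("aruba", command=command)
    ET.SubElement(root, "ipaddr").text = ipaddr
    for tag, value in (("macaddr", macaddr), ("user", user), ("role", role)):
        if value is not None:
            ET.SubElement(root, tag).text = value
    ET.SubElement(root, "key").text = HASHES[authentication](secret)
    ET.SubElement(root, "authentication").text = authentication
    ET.SubElement(root, "version").text = "1.0"
    # ElementTree escapes user-controlled text, so a role like 'a<b' cannot
    # inject extra elements into the document.
    return urlencode({"xml": ET.tostring(root, encoding="unicode")})


def decode_request(body):
    """Server-side view: recover the command and fields from a POST body."""
    root = ET.fromstring(parse_qs(body)["xml"][0])
    return {"command": root.get("command"), **{c.tag: c.text for c in root}}


def parse_response(xml_text):
    """Return (status, code, other fields) from an <aruba> reply. Anything
    that is not well-formed XML raises, so a truncated reply is noticed."""
    root = ET.fromstring(xml_text)
    if root.tag != "aruba":
        raise ValueError("unexpected root element")
    status = root.findtext("status", default="")
    code = root.findtext("code", default="")
    details = {c.tag: (c.text or "") for c in root
               if c.tag not in ("status", "code")}
    return status, code, details
```

`build_request` produces the body to POST to the AP; `decode_request` is what the receiving side sees and is handy for checking that escaping held up when a user name or role contains XML metacharacters.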
CALEA Integration and Lawful Intercept Compliance Lawful Intercept (LI) allows the Law Enforcement Agencies (LEA) to perform an authorized electronic surveillance. Depending on the country of operation, the service providers (SPs) are required to support LI in their respective networks. In the United States, SPs are required to ensure LI compliance based on Communications Assistance for Law Enforcement Act (CALEA) specifications.
Traffic Flow from IAP to CALEA Server through VPN You can also deploy the CALEA server with the controller and configure an additional IPSec tunnel for corporate access. When CALEA server is configured with the controller, the client traffic is replicated by the slave W-IAP and client data is encapsulated by GRE on slave, and routed to the master W-IAP. The master IAP sends the IPsec client traffic to the controller.
2. If a replication role must be assigned through the RADIUS VSA, create an access rule and assign the access rule to a WLAN SSID or wired profile. 3. Verify the configuration. Creating a CALEA Profile You can create a CALEA profile by using the Instant UI or CLI. In the Instant UI To configure a CALEA profile: 1. Click More > Services at the top right corner of the Instant main window. 2. Click CALEA. The CALEA tab details are displayed. 3.
1. To add the CALEA access rule to an existing profile, select an existing wireless (Networks tab > edit) or wired (More > Wired > Edit) profile. To add the access rule to a new profile, click New under Network tab and create a WLAN profile, or click More>Wired>New and create a wired port profile. 2. In the Access tab, select the role for which you want create the access rule. 3. Under Access Rules, click New. The New Rule window is displayed. 4. Select CALEA. 5. Click OK. 6.
(Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Pr
Chapter 20 W-IAP Management and Monitoring This chapter provides information on W-IAP management and monitoring from: l W-AirWave management server Managing a W-IAP from W-AirWave W-AirWave is a powerful tool and easy-to-use network operations system that manages Dell wireless, wired, and remote access networks, as well as wired and wireless infrastructures from a wide range of third-party manufacturers.
Figure 96 Template-based Configuration Trending Reports W-AirWave saves up to 14 months of actionable information, including network performance data and user roaming patterns, so you can analyze how network usage and performance trends have changed over time. It also provides detailed capacity reports with which you can plan the capacity and appropriate strategies for your organization. Intrusion Detection System W-AirWave provides advanced, rules-based rogue classification.
Figure 97 Adding a W-IAP in VisualRF PSK-based and Certificate-based Authentication On the DHCP server, two formats for option 43 are supported: l ,,— If you choose this format, the W-IAP authenticates the W-AirWave Management Platform server using the Pre-Shared Key (PSK) login process.
Shared Key The Shared Secret key is an optional field used by the administrator to manually authorize the first Virtual Controller for an organization. Any string is acceptable. Configuring W-AirWave Information You can configure W-AirWave information using the Instant UI or CLI. In the Instant UI 1. Click the W-AirWave Set Up Now link in the bottom-middle region of the main window. The System window is displayed with the W-AirWave parameters in the Admin tab. Figure 98 Configuring W-AirWave 2.
Configuring for W-AirWave Discovery through DHCP W-AirWave can be discovered through the DHCP server. You can configure this only if W-AirWave was not configured earlier or if you have deleted the previous configuration. On the DHCP server, the format for option 60 is "InstantAP", and the two formats for option 43 are ",," and ",".
Figure 100 Instant and DHCP options for W-AirWave: Predefined Options and Values 5. Navigate to Server Manager and select Server Options in the IPv4 window. (This sets the value globally. Use options on a per-scope basis to override the global options.) 6. Right-click Server Options and select the configuration options.
Figure 101 Instant and DHCP options for W-AirWave: Server Options 7. Select 060 Dell Instant AP in the Server Options window and enter DellInstantAP in the String Value. Figure 102 Instant and DHCP options for W-AirWave—060 W-IAP in Server Options 8. Select 043 Vendor Specific Info and enter a value for either of the following in the ASCII field:
l airwave-orgn, airwave-ip, airwave-key; for example: Dell,192.0.2.20, 12344567
l airwave-orgn, airwave-domain; for example: Dell, dell.support.
Figure 103 Instant and DHCP options for W-AirWave— 043 Vendor Specific Info This creates DHCP options 60 and 43 on a global basis. You can do the same on a per-scope basis. The per-scope option overrides the global option. Figure 104 Instant and DHCP options for W-AirWave: Scope Options
Alternate Method for Defining Vendor-Specific DHCP Options This section describes how to add vendor-specific DHCP options for Instant APs in a network that already uses DHCP options 60 and 43 for other services. Some networks use DHCP standard options 60 and 43 to provide the DHCP clients information about certain services such as PXE. In such an environment, the standard DHCP options 60 and 43 cannot be used for W-IAPs.
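The option 60 / option 43 values used for W-AirWave discovery, as an added example that is not code from the Instant guide or from Dell/Aruba. It builds and validates the two option 43 formats the guide gives (`org,airwave-ip,airwave-key` for PSK discovery and `org,airwave-domain` for certificate-based discovery), decodes them again, and shows the encapsulated vendor-specific form (RFC 2132 sub-option TLVs) that the alternate method above relies on when plain options 60 and 43 are already taken by PXE. The sub-option code `SUBOPT_AIRWAVE = 1` is a placeholder assumption, not a value from the guide. Worth keeping in mind when choosing the PSK format: DHCP is unauthenticated and unencrypted, so the airwave-key is readable by any host on the AP's VLAN, and a rogue DHCP server on that VLAN can hand out its own airwave-ip; the certificate-based format avoids putting a secret in the option.

```python
"""Build, validate and decode W-AirWave discovery DHCP options (added
example; SUBOPT_AIRWAVE and the TLV layout of the alternate method are
assumptions, the ASCII formats come from the guide)."""
import ipaddress

VENDOR_CLASS = "DellInstantAP"   # option 60 value stated in the guide
SUBOPT_AIRWAVE = 1               # assumed sub-option code for the alternate method


def _check_field(name, value):
    if not value or "," in value or not value.isascii():
        raise ValueError(f"{name} must be non-empty ASCII without commas")


def option43_psk(org, airwave_ip, key):
    """'org,ip,key' for PSK discovery. Travels in cleartext DHCP."""
    _check_field("org", org)
    _check_field("key", key)
    ipaddress.ip_address(airwave_ip)          # raises on a malformed address
    return f"{org},{airwave_ip},{key}"


def option43_cert(org, domain):
    """'org,domain' for certificate-based discovery; carries no secret."""
    _check_field("org", org)
    _check_field("domain", domain)
    return f"{org},{domain}"


def parse_option43(value):
    """Decode either format, tolerating the spaces in the guide's examples."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) == 3:
        ipaddress.ip_address(parts[1])
        return {"mode": "psk", "org": parts[0], "ip": parts[1], "key": parts[2]}
    if len(parts) == 2:
        return {"mode": "certificate", "org": parts[0], "domain": parts[1]}
    raise ValueError("option 43 needs two or three comma-separated fields")


def encapsulate(sub_options):
    """RFC 2132 encapsulated vendor options: code, length, data per entry,
    closed by the 255 end marker. Input: {code: ascii_text}."""
    out = bytearray()
    for code, text in sub_options.items():
        data = text.encode("ascii")
        if not 1 <= code <= 254 or len(data) > 255:
            raise ValueError("sub-option code or length out of range")
        out += bytes([code, len(data)]) + data
    return bytes(out + b"\xff")


def decapsulate(blob):
    """Parse sub-option TLVs defensively: a declared length that runs past
    the end of the buffer is rejected instead of being read out of bounds."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:                      # end marker
            break
        if code == 0:                        # pad byte
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated sub-option header")
        length = blob[i + 1]
        if i + 2 + length > len(blob):
            raise ValueError("sub-option length overflows buffer")
        out[code] = blob[i + 2:i + 2 + length].decode("ascii")
        i += 2 + length
    return out
```

The plain strings are what goes into the Windows "ASCII" field shown in the steps above; the bytes from `encapsulate` are what a DHCP server emits when option 43 is defined under a vendor class instead of globally.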
Figure 106 W-AirWave — New Group Figure 107 W-AirWave —Monitor
Chapter 21 Uplink Configuration This chapter provides the following information: l Uplink Interfaces on page 285 l Ethernet Uplink on page 285 l Cellular Uplink on page 287 l Wi-Fi Uplink on page 291 l Uplink Preferences and Switching on page 292 Uplink Interfaces Instant network supports Ethernet, 3G and 4G USB modems, and the Wi-Fi uplink to provide access to the corporate Instant network.
Figure 109 Uplink Status Ethernet uplink supports the following types of configuration in this Instant release. n PPPoE n DHCP n Static IP You can use PPPoE for your uplink connectivity in both W-IAP and IAP-VPN deployments. PPPoE is supported only in a single AP deployment. Uplink redundancy with the PPPoE link is not supported. When the Ethernet link is up, it is used as a PPPoE or DHCP uplink. After the PPPoE settings are configured, PPPoE has the highest priority for the uplink connections.
4. To set a local interface for the PPPoE uplink connections, select a value from the Local interface drop-down list. The selected DHCP scope will be used as a local interface on the PPPoE interface and the Local,L3 DHCP gateway IP address as its local IP address. When configured, the local interface acts as an unnumbered PPPoE interface and allows the entire Local,L3 DHCP subnet to be allocated to clients.
l Aircard 250U (Sierra) l USB 598 (Sierra) l U300 (Franklin wireless) l U301 (Franklin wireless) l USB U760 for Virgin (Novatel) l USB U720 (Novatel/Qualcomm) l UM175 (Pantech) l UM150 (Pantech) l UMW190(Pantech) l SXC-1080 (Qualcomm) l Globetrotter ICON 225 l UMG181 l NTT DoCoMo L-05A (LG FOMA L05A) l NTT DoCoMo L-02A l ZTE WCDMA Technologies MSM (MF668?) l Fivespot (ZTE) l c-motech CNU-600 l ZTE AC2736 l SEC-8089 (EpiValley) l Nokia CS-10 l NTT DoCoMo L-08C (LG) l
l Novatel MiFi 2200 (Verizon Mifi 2200) l Huawei E272, E170, E220 (ATT) l Huawei E169, E180,E220,E272 (Vodafone/SmarTone (HK)) l Huawei E160 (O2(UK)) l Huawei E160 (SFR (France)) l Huawei E220 (NZ and JP) l Huawei E176G (Telstra (Aus)) l Huawei E1553, E176 (3/HUTCH (Aus)) l Huawei K4505 (Vodafone/SmarTone (HK)) l Huawei K4505 (Vodafone (UK)) l ZTE MF656 (Netcom (norway)) l ZTE MF636 (HK CSL/1010) l ZTE MF633/MF636 (Telstra (Aus)) l ZTE MF637 (Orange in Israel) l Huawei E180, E16
l Huawei D33HW (EMOBILE(Japan)) l Huawei GD01 (EMOBILE(Japan)) l Huawei EC150 (Reliance NetConnect+ (India)) l KDDI DATA07(Huawei) (KDDI (Japan)) l Huawei E353 (China Unicom) l Huawei EC167 (China Telecom) l Huawei E367 (Vodafone (UK)) l Huawei E352s-5 (T-Mobile (Germany)) l Huawei D41HW l ZTE AC2726 The following table lists the supported 4G modems.
(Instant AP)(cellular-uplink-profile)# usb-dial
(Instant AP)(cellular-uplink-profile)# usb-modeswitch
(Instant AP)(cellular-uplink-profile)# end
(Instant AP)# commit apply
To switch a modem from the storage mode to modem mode:
(Instant AP)(config)# cellular-uplink-profile
(Instant AP)(cellular-uplink-profile)# usb-modeswitch
To view the cellular configuration:
(Instant AP)# show cellular config
Wi-Fi Uplink The Wi-Fi uplink is supported for all the W-IAP models,
9. Enter a pre-shared key (PSK) passphrase in the Passphrase text box and click OK. You can view the Wi-Fi configuration and uplink status in the CLI.
4. Click OK. The selected uplink is enforced on the W-IAP. In the CLI To enforce an uplink:
(Instant AP)(config)# uplink
(Instant AP)(uplink)# enforce {cellular|ethernet|wifi|none}
(Instant AP)(uplink)# end
(Instant AP)# commit apply
Setting an Uplink Priority You can set an uplink priority by using the Instant UI or CLI. In the Instant UI 1. Click the System > show advanced settings > Uplink. The Uplink tab contents are displayed. 2.
(Instant AP)(uplink)# end (Instant AP)# commit apply Switching Uplinks Based on VPN and Internet Availability The default priority for uplink switchover is Ethernet and then 3G/4G. The W-IAP can switch to the lower priority uplink if the current uplink is down. Switching Uplinks Based on VPN Status Instant supports switching uplinks based on the VPN status when deploying multiple uplinks (Ethernet, 3G/4G, and Wi-Fi).
n Secs between test packets— The frequency at which ICMP test packets are sent. You can specify a value within the range of 1 to 3600 seconds. n Internet check time— The timeout for each test packet. You can specify a value within the range of 0 to 3600 seconds; the default value is 10 seconds. c. Click OK. When Internet failover is enabled, the W-IAP ignores the VPN status even if uplink switching based on VPN status is enabled.
Chapter 22 Intrusion Detection The Intrusion Detection System (IDS) is a feature that monitors the network for the presence of unauthorized W-IAPs and clients. It also logs information about the unauthorized W-IAPs and clients, and generates reports based on the logged information. The IDS feature in the Instant network enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations.
l Windows Vista l Windows Server l Windows XP l Windows ME l OS-X l iPhone l iOS l Android l Blackberry l Linux Configuring Wireless Intrusion Protection and Detection Levels WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Instant network, the WIP can be configured on the W-IAP.
Figure 111 Wireless Intrusion Detection The following table describes the detection policies enabled in the Infrastructure Detection Custom settings field. Table 55: Infrastructure Detection Policies Detection Level Detection Policy Off Rogue Classification Low l l l l Medium l l High l l l l l l l l l l l l
Table 55: Infrastructure Detection Policies Detection Level Detection Policy
l Detect Malformed Frame— HT IE
l Detect Malformed Frame— Association Request
l Detect Malformed Frame— Auth
l Detect Overflow IE
l Detect Overflow EAPOL Key
l Detect Beacon Wrong Channel
l Detect devices with invalid MAC OUI
The following table describes the detection policies enabled in the Client Detection Custom settings field.
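What several of the infrastructure detection policies listed above actually test for, as an added example that is not code from the Instant guide or from Dell/Aruba: a small 802.11 tagged-parameter parser run over a constructed beacon body, flagging Detect Overflow IE (an element whose declared length runs past the end of the frame), Detect Beacon Wrong Channel (DS Parameter Set channel differs from the channel the beacon was received on), the HT IE case of Detect Malformed Frame, and Detect devices with invalid MAC OUI. Element IDs and lengths are the 802.11 ones (SSID = 0, DS Parameter Set = 3 with a one-byte channel, HT Capabilities = 45 with a 26-byte body); `KNOWN_OUIS` is a constructed stand-in for the IEEE OUI registry, and treating a locally administered BSSID as having no valid OUI is this example's policy, not a statement about how Instant classifies it.

```python
"""Beacon sanity checks modelled on the WIP infrastructure detection
policies (added example; KNOWN_OUIS is constructed, the locally
administered rule is this example's own)."""
IE_SSID, IE_DS_PARAM, IE_HT_CAP = 0, 3, 45
HT_CAP_LEN = 26                              # fixed body length of HT Capabilities
KNOWN_OUIS = {"00:0b:86", "24:de:c6"}        # constructed; use the IEEE registry


def parse_ies(body):
    """Walk the tagged parameters. Stop and report at the first element
    whose declared length runs past the end of the frame (Overflow IE)."""
    ies, alerts, i = [], [], 0
    while i < len(body):
        if i + 2 > len(body):
            alerts.append("Detect Overflow IE: truncated element header")
            break
        eid, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            alerts.append(f"Detect Overflow IE: element {eid} declares {length} "
                          f"bytes, {len(body) - i - 2} remain")
            break
        ies.append((eid, body[i + 2:i + 2 + length]))
        i += 2 + length
    return ies, alerts


def check_beacon(bssid, received_channel, body):
    """Return the policy alerts that fire for one beacon heard on
    received_channel from bssid (colon-separated hex string)."""
    ies, alerts = parse_ies(body)
    for eid, val in ies:
        if eid == IE_DS_PARAM:
            if len(val) != 1:
                alerts.append("Detect Malformed Frame: DS Parameter Set length")
            elif val[0] != received_channel:
                alerts.append(f"Detect Beacon Wrong Channel: advertises {val[0]}, "
                              f"heard on {received_channel}")
        elif eid == IE_HT_CAP and len(val) != HT_CAP_LEN:
            alerts.append(f"Detect Malformed Frame - HT IE: length {len(val)}")
    first_octet = int(bssid[:2], 16)
    if first_octet & 0x02:                   # locally administered bit set
        alerts.append("Detect devices with invalid MAC OUI: locally administered BSSID")
    elif bssid.lower()[:8] not in KNOWN_OUIS:
        alerts.append(f"Detect devices with invalid MAC OUI: {bssid[:8]} not registered")
    return alerts


def build_beacon_body(ssid, channel, ht_len=HT_CAP_LEN):
    """Constructed tagged-parameter blob for testing; an ht_len other than
    26 yields a malformed HT IE."""
    s = ssid.encode()
    return (bytes([IE_SSID, len(s)]) + s
            + bytes([IE_DS_PARAM, 1, channel])
            + bytes([IE_HT_CAP, ht_len]) + bytes(ht_len))
```

The overflow check is the one that matters most for the AP's own safety: a parser that trusts the length byte reads past the frame, which is exactly the class of bug the Overflow IE policy exists to catch from the other side.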
Figure 112 Wireless Intrusion Protection The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings field.
Containment Methods You can enable wired and wireless containment to prevent unauthorized stations from connecting to your Instant network. Instant supports the following types of containment mechanisms: l Wired containment— When enabled, W-IAPs generate ARP packets on the wired network to contain wireless attacks. l Wireless containment— When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified Access Point. Both mechanisms actively interfere with the contained device's traffic, so apply them only to APs you have confirmed to be rogues attached to your own wired network; containing a neighbor's legitimate AP can breach local radio regulations.
(Instant AP)(IDS)# wireless-containment
(Instant AP)(IDS)# wired-containment
(Instant AP)(
Chapter 23 Mesh W-IAP Configuration

This chapter provides the following information:
• Mesh Network Overview on page 303
• Setting up Instant Mesh Network on page 304
• Configuring Wired Bridging on Ethernet 0 for Mesh Point on page 304

Mesh Network Overview

The Dell Instant secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires.
The mesh portal broadcasts a mesh services set identifier (MSSID, also called the mesh cluster name) to advertise the mesh network service to other mesh points in that Instant network. This is not configurable and is transparent to the user. The mesh points authenticate to the mesh portal and establish a link that is secured using Advanced Encryption Standard (AES) encryption. The mesh portal reboots after 5 minutes when it loses its uplink connectivity to a wired network.
In the Instant UI
To configure Ethernet bridging:
1. In the Access Points tab, click the W-IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying W-IAP details is displayed.
3. Click the Uplink tab.
4. Select Enable from the Eth0 Bridging drop-down list.
5. Click OK.
6. Reboot the W-IAP.

In the CLI
To configure Ethernet bridging:
Instant Access Point# enet0-bridging

Make the necessary changes to the wired-profile when eth0 is used as the downlink port.
Chapter 24 Mobility and Client Management

This chapter provides the following information:
• Layer-3 Mobility Overview on page 306
• Configuring L3-Mobility on page 307

Layer-3 Mobility Overview

W-IAPs form a single Instant network when they are in the same Layer-2 (L2) domain. As the number of clients increases, multiple subnets are required to avoid broadcast overhead.
When a client first connects to an Instant network, a message is sent to all configured Virtual Controller IP addresses to see if this is an L3 roamed client. On receiving an acknowledgement from any of the configured Virtual Controller IP addresses, the client is identified as an L3 roamed client. If the AP has no GRE tunnel to this home network, a new tunnel is formed to an AP (home AP) from the client's home network.
Figure 115 L3 Mobility Window
4. Select Enabled from the Home agent load balancing drop-down list. By default, home agent load balancing is disabled.
5. Click New in the Virtual Controller IP Addresses section, add the IP address of a Virtual Controller that is part of the mobility domain, and click OK.
6. Repeat Step 2 to add the IP addresses of all Virtual Controllers that form the L3 mobility domain.
7. Click New in the Subnets section and specify the following:
a.
Chapter 25 Spectrum Monitor

This chapter provides the following information:
• Understanding Spectrum Data on page 309
• Configuring Spectrum Monitors and Hybrid W-IAPs on page 314

Understanding Spectrum Data

Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference.
Figure 116 Device List

Table 59 (Device Summary and Channel Information) shows the details of the information that is displayed:

Table 59: Device Summary and Channel Information
Column | Description
Type | Device type.
Table 60: Non Wi-Fi Interferer Types
Non Wi-Fi Interferer | Description
Bluetooth | Any device that uses the Bluetooth protocol to communicate in the 2.4 GHz band is classified as a Bluetooth device. Bluetooth uses a frequency hopping protocol.
Fixed Frequency (Audio) | Some audio devices such as wireless speakers and microphones also use a fixed frequency to continuously transmit audio. These devices are classified as Fixed Frequency (Audio).
Table 60: Non Wi-Fi Interferer Types (continued)
Non Wi-Fi Interferer | Description
Microwave | Common residential microwave ovens with a single magnetron are classified as a Microwave. These types of microwave ovens may be used in cafeterias, break rooms, dormitories and similar environments. Some industrial, healthcare or manufacturing environments may also have other equipment that behaves like a microwave and may also be classified as a Microwave device.
Column | Description
Wi-Fi (%) | The percentage of the channel currently being used by Wi-Fi devices.
Type | Device type.
Total nonwifi (%) | The percentage of the channel currently being used by non Wi-Fi devices.
Known APs | Number of valid APs identified on the radio channel.
UnKnown APs | Number of invalid or rogue APs identified on the radio channel.
Channel Util (%) | Percentage of the channel currently in use.
Figure 119 Channel Metrics for the 5 GHz Radio Channel

Table 62 (Channel Metrics) shows the information displayed in the channel metrics graph.

Table 62: Channel Metrics
Column | Description
Channel | A 2.4 GHz or 5 GHz radio channel.
Quality(%) | Current relative quality of selected channels in the 2.4 GHz or 5 GHz radio bands, as determined by the percentage of packet retries, the current noise floor, and the duty cycle for non Wi-Fi devices on that channel.
In the Instant UI
To convert a W-IAP to a hybrid W-IAP:
1. Click the RF link at the top right corner of the Instant UI.
2. Click Show advanced options to view the Radio tab.
3. To enable a spectrum monitor on the 802.11g radio band, in the 2.4 GHz radio profile, select Enabled from the Background Spectrum Monitoring drop-down list.
4. To enable a spectrum monitor on the 802.11a radio band, in the 5 GHz radio profile, select Enabled from the Background Spectrum Monitoring drop-down list.
5. Click OK.
(Instant AP)# wifi0-mode {||}
(Instant AP)# wifi1-mode {||}

To enable spectrum monitoring for any other band for the 5 GHz radio:
(Instant AP)(config)# rf dot11a-radio-profile
Instant Access Point (RF dot11a Radio Profile)# spectrum-band

To view the radio configuration:
Instant Access Point# show radio config
2.4 GHz:
Legacy Mode:disable
Beacon Interval:100
802.11d/802.
Chapter 26 W-IAP Maintenance

This section provides information on the following procedures:
• Upgrading a W-IAP on page 317
• Backing up and Restoring W-IAP Configuration Data on page 319
• Converting a W-IAP to a Remote AP and Campus AP on page 320
• Resetting a Remote AP or Campus AP to a W-IAP on page 325
• Rebooting the W-IAP on page 325

Upgrading a W-IAP

While upgrading a W-IAP, you can use the image check feature to allow the W-IAP to find new software image versions available on a cloud-ba
Figure 120 Proxy Configuration Window
2. Enter the HTTP proxy server's IP address and the port number.
3. If you do not want the HTTP proxy to be applied for a particular host, click New to enter the IP address or domain name of that host under the exceptions list.

In the CLI
(Instant AP)(config)# proxy server 192.0.2.1 8080
(Instant AP)(config)# proxy exception 192.0.2.
Upgrading to a New Version Manually

If the automatic image check feature is disabled, you can obtain an image file from a local file system or from a TFTP or HTTP URL. To manually check for a new firmware image version and obtain an image file:
1. Navigate to Maintenance>Firmware. The Firmware window is displayed.
2. Under the Manual section, perform the following steps:
• Select the Image file option. This method is only available for single-class W-IAPs.
• In the UI, navigate to Maintenance > Configuration > Current Configuration.
• In the CLI, enter the following command at the command prompt:
(Instant AP)# show running-config

Backing up Configuration Data

To back up the W-IAP configuration data:
1. Navigate to the Maintenance > Configuration page.
2. Click Backup Configuration.
3. Click Continue to confirm the backup. The instant.cfg file containing the W-IAP configuration data is saved in your local file system.
4.
The following table describes the regulatory domain restrictions that apply for the W-IAP to ArubaOS AP conversion:

Table 63: W-IAP to ArubaOS AP Conversion
ArubaOS version on Controller | Controller Regulatory Domain | IAP-22x (US / RW) | IAP-27x (US / RW) | W-IAP11x (US / RW) | W-IAP103 (US / RW) | All other W-IAPs (US / Unrestricted / JP / IL)
Versions lower | US | — / — | — / — | — / — | — / — | Valid / X / X / X
Versions lower | Unrestricted | — / — | — / — | — / — | — / — | X / Valid / Valid for JP country code / X
Versions lower | IL | — / — | — / — | — / — | — / — | X / X / X / Valid
Converting a W-IAP to a Remote AP

For Remote AP conversion, the Virtual Controller sends the Remote AP convert command to all the other W-IAPs. The Virtual Controller, along with the other slave W-IAPs, sets up a VPN tunnel to the remote controller and downloads the firmware through FTP. The Virtual Controller uses IPsec to communicate with the mobility controller over the Internet.
1. Click the Maintenance link in the Instant main window.
2. Click the Convert tab. The Convert tab is displayed.
Figure 121 Maintenance — Convert Tab
3. Select Remote APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname (fully qualified domain name) or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. Contact your local network administrator to obtain the IP address.
Figure 122 Converting a W-IAP to Campus AP
3. Select Campus APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname, Fully Qualified Domain Name (FQDN), or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. Contact your local administrator to obtain these details.
5. Ensure that the W-IAPs can access the mobility controller IP address.
6. Click Convert Now to complete the conversion.
Converting a W-IAP using CLI

To convert a W-IAP:
(Instant AP)# convert-aos-ap

Resetting a Remote AP or Campus AP to a W-IAP

The reset button located on the rear of a W-IAP can be used to reset the W-IAP to factory default settings. To reset a W-IAP, perform the following steps:
1. Power off the W-IAP.
2. Press and hold the reset button using a small and narrow object such as a paperclip.
3. Power on the W-IAP without releasing the reset button.
3. In the W-IAP list, select the W-IAP that you want to reboot and click Reboot selected Access Point. To reboot all the W-IAPs in the network, click Reboot All.
4. The Confirm Reboot for AP message is displayed. Click Reboot Now to proceed. The Reboot in Progress message is displayed, indicating that the reboot is in progress. The Reboot Successful message is displayed after the process is complete.
Chapter 27 Monitoring Devices and Logs

This chapter provides the following information:
• Configuring SNMP on page 327
• Configuring a Syslog Server on page 330
• Configuring TFTP Dump Server on page 332
• Running Debug Commands from the UI on page 333

Configuring SNMP

This section provides the following information:
• SNMP Parameters for W-IAP on page 327
• Configuring SNMP on page 328
• Configuring SNMP Traps on page 330

SNMP Parameters for W-IAP

Instant supports SNMPv1, SNMPv2c, and SNMPv3
Configuring SNMP

This section describes the procedure for configuring SNMPv1, SNMPv2, and SNMPv3 community strings using the Instant UI or CLI.

Creating community strings for SNMPv1 and SNMPv2 Using Instant UI

To create community strings for SNMPv1 and SNMPv2:
1. Click the System link at the top right corner of the Instant main window. The system window is displayed.
2. Click the Monitoring tab. The following figure shows the SNMP configuration parameters displayed in the Monitoring tab.
Figure 126 SNMPv3 User
4. Enter the name of the user in the Name text box.
5. Select the type of authentication protocol from the Auth protocol drop-down list.
6. Enter the authentication password in the Password text box and retype the password in the Retype text box.
7. Select the type of privacy protocol from the Privacy protocol drop-down list.
8. Enter the privacy protocol password in the Password text box and retype the password in the Retype text box.
9. Click OK.
10.
Configuring SNMP Traps

Instant supports the configuration of external trap receivers. Only the W-IAP acting as the Virtual Controller generates traps. The traps for a W-IAP cluster are generated with the Virtual Controller IP as the source IP if the Virtual Controller IP is configured. The OID of the traps is 1.3.6.1.4.1.14823.2.3.3.1.200.2.X. You can configure SNMP traps using the Instant UI or CLI.

In the Instant UI
To configure an SNMP trap receiver:
1. Navigate to System > Show advanced options > Monitoring.
Figure 127 Syslog Server
4. In the Syslog server text box, enter the IP address of the server to which you want to send system logs.
5. Select the required values to configure syslog facility levels. Syslog Facility is an information field associated with a syslog message. It identifies the application or operating system component that generates a log message. The following seven facilities are supported by Syslog:
• AP-Debug— Detailed log about the AP device.
Logging Level | Description
Warning | Warning messages.
Notice | Significant events of a non-critical and normal nature. The default value for all Syslog facilities.
Informational | Messages of general interest to system users.
Debug | Messages containing information useful for debugging.
6. Click OK.
Running Debug Commands from the UI

To run the debugging commands from the UI:
1. Navigate to More>Support at the top right corner of the Instant main window. The Support window is displayed.
2. Select the required option from the Command drop-down list.
3. Select All Access Points or Instant Access Point(VC) from the Target drop-down list.
4. Click Run.

When you run debug commands and click Save, the output of all the selected commands is displayed in a single page.
• AP Captive Portal Auto White List—Displays details about the automatic whitelist configured for a captive portal profile.
• AP Checksum—Displays checksum details for a W-IAP.
• AP Client Match Action—Displays details of the client match action.
• AP Client Match Live— Displays the live details of the client match configuration on a W-IAP.
• AP Client Match History— Displays the historical details of the client match configuration on a W-IAP.
• AP IAP-VPN Retry Counters—Displays IAP-VPN tunnel details.
• AP Interface Counters— Displays information about the Ethernet interface packet counters for the W-IAP.
• AP Interface Status— Displays the Ethernet port status for the W-IAP.
• AP Internal DHCP Status—Displays details on DHCP allocation.
• AP IP Interface—Displays a summary of all IP-related information for Ethernet interfaces configured on the W-IAP.
• AP IP Route Table— Displays information about IP routes for the W-IAP.
• AP Monitor Status— Displays the configuration and status of monitor information of the W-IAP.
• AP Persistent Clients— Displays the list of persistent clients for the W-IAP.
• AP PMK Cache— Displays the PMK cache details for the clients associated with the W-IAP.
• AP PPPoE uplink debug— Displays PPPoE debug logs.
• AP PPPoE uplink status— Displays PPPoE uplink status.
• AP Processes— Displays the processes running on the W-IAP.
• VC AMP Single Sign-on Key— Displays single sign-on key details for W-AirWave.
• VC Application Services— Displays the details of application services, which include protocol number and port number.
• VC DHCP Option 43 Received— Displays information about the current activities for the DHCP scope with Option 43.
• VC Global Alerts— Displays the list of alerts for all W-IAPs managed by the Virtual Controller.
Chapter 28 Hotspot Profiles

This chapter describes the following procedures:
• Understanding Hotspot Profiles on page 338
• Configuring Hotspot Profiles on page 339
• Sample Configuration on page 349

In the current release, Instant supports the hotspot profile configuration only through the CLI.

Understanding Hotspot Profiles

Hotspot 2.0 is a Wi-Fi Alliance specification based on the 802.
Access Network Query Protocol (ANQP)

ANQP is a query and response protocol that provides a range of information, such as IP address type and availability, roaming partners accessible through a hotspot, and the Extensible Authentication Protocol (EAP) method supported for authentication. The ANQP Information Elements (IEs) provide additional data that can be sent from a W-IAP to the client to identify the W-IAP's network and service provider.
3. Associate the required ANQP and H2QP advertisement profiles created in step 1 to the hotspot profile created in step 2.
4. Create an SSID profile with enterprise security and WPA2 encryption settings and associate the SSID with the hotspot profile created in step 2.

Creating Advertisement Profiles for Hotspot Configuration

A hotspot profile contains one or several advertisement profiles.
• eap-ttls—To use EAP-Tunneled Transport Layer Security. The associated numeric value is 21.
• peap—To use Protected Extensible Authentication Protocol. The associated numeric value is 25.
• crypto-card— To use crypto card authentication. The associated numeric value is 28.
• peapmschapv2— To use PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPV2). The associated numeric value is 29.
• eap-aka—To use EAP for UMTS Authentication and Key Agreement.
Configuring a Venue Name Profile

You configure a venue name profile to send venue information as an ANQP IE in a GAS query response.
Venue Group | Associated Venue Type | Value
• (venue group name not preserved in the extracted text)—The associated numeric value is 5.
  ◦ long-term-care—The associated numeric value is 2.
  ◦ alc-drug-rehab—The associated numeric value is 3.
  ◦ group-home—The associated numeric value is 4.
  ◦ prison-or-jail—The associated numeric value is 5.
• mercantile—The associated numeric value is 6.
  ◦ unspecified—The associated numeric value is 0.
  ◦ retail-store—The associated numeric value is 1.
• residential—The associated numeric value is 7.
• http-redirect—When configured, additional information on the network is provided through HTTP/HTTPS redirection.
• dns-redirect—When configured, additional information on the network is provided through DNS redirection. This option requires you to specify a redirection URL string as an IP address, FQDN, or URL.

Configuring a Roaming Consortium Profile

You can configure a roaming consortium profile to send the roaming consortium information as an ANQP IE in a GAS query response.
(Instant AP)(domain-name )# end
(Instant AP)# commit apply

Configuring an Operator-friendly Profile

You can configure the operator-friendly name profile to identify the operator.
• Downlink load— Indicates the percentage of the WAN downlink currently utilized. The default value of 0 indicates that the downlink speed is unknown or unspecified.
• Downlink speed —Indicates the WAN downlink speed in Kbps.
• Uplink load—Indicates the percentage of the WAN uplink currently utilized. The default value of 0 indicates that the downlink speed is unknown or unspecified.
• Uplink speed—Indicates the WAN uplink speed in Kbps.
Table 69: Hotspot Configuration Parameters
Parameter | Description
access-network-type | Specify any of the following 802.11u network types.
• private — This network is accessible for authorized users only. For example, home networks or enterprise networks that require user authentication. The corresponding integer value for this network type is 0.
• private-with-guest — This network is accessible to guest users based on guest authentication methods.
Table 69: Hotspot Configuration Parameters (continued)
Parameter | Description
query-response-length-limit | Specify this parameter to set the maximum length of the GAS query response, in octets. You can specify a value within the range of 1-127. The default value is 127.
roam-cons-len1, roam-cons-len2, roam-cons-len3 | Specify the length of the organization identifier. The value of the roam-cons-len-1, roam-cons-len-2, or roam-cons-len-3.
Table 70: Advertisement Association Parameters
Parameter | Description
advertisement-profile | Specify the advertisement profile to associate with this hotspot profile. For information on advertisement profiles, see Creating Advertisement Profiles for Hotspot Configuration on page 340.
advertisement-protocol | Specify the advertisement protocol type as Access Network Query Protocol (ANQP) using anqp.
(Instant AP)(network-auth "na1")# nwk-auth-type accept-term-and-cond
(Instant AP)(network-auth "na1")# url www.nwkauth.
ClearPass Guest Setup

To configure ClearPass Guest:
1. On ClearPass Guest, navigate to Administration > AirGroup Services.
2. Click Configure AirGroup Services.
Figure 128 Configure AirGroup Services
3. Click Add a new controller.
4. Update the fields with the appropriate information. Ensure that the port configured matches the CoA port (RFC 3576) set on the W-IAP configuration.
5. Click Save Configuration.
Figure 130 Create an AirGroup Administrator
4. In this example, the password used is test123. Click Add.
5. Now click Add User, and create an AirGroup Operator.
Figure 131 Create an AirGroup Operator
6. Click Add to save the user with an AirGroup Operator role. The AirGroup Administrator and AirGroup Operator IDs will be displayed in the Local Users UI screen.
Figure 132 Local Users UI Screen
7. Navigate to the ClearPass Guest UI and click Logout. The ClearPass Guest Login page is displayed. Use the AirGroup admin credentials to log in.
8. After logging in, click Create Device.
Figure 133 Create a Device
The following page is displayed.
Figure 134 Register Shared Device
For this test, add your AppleTV device name and MAC address but leave all other fields empty.
9. Click Register Shared Device.

Testing

To verify the setup:
1. Disconnect your AppleTV and OSX Mountain Lion/iOS 6 devices if they were previously connected to the wireless network. Remove their entries from the controller’s user table using these commands:
  ◦ Find the MAC address— show user table
  ◦ Delete the address from the table— aaa user delete mac 00:aa:22:bb:33:cc
2. Reconnect both devices.
IAP-VPN Deployment Scenarios

This section describes the most common IAP-VPN deployment models and provides information to carry out the necessary configuration procedures. The examples in this section refer to more than one DHCP profile and wired port configuration in addition to wireless SSID configuration. All these are optional. In most networks, a single DHCP profile and a wireless SSID configuration referring to that DHCP profile are sufficient.
Scenario 1 - IPSec: Single Datacenter Deployment with No Redundancy

This scenario includes the following configuration elements:
1. Single VPN primary configuration using IPSec
2. Split tunneling of client traffic
3. Split tunneling of DNS traffic from clients
4. Distributed L3 and Centralized L2 mode DHCP
5. RADIUS server within corporate network and authentication survivability for branch survivability
6. Wired and wireless users in L2 and L3 modes respectively
7.
Table 72: W-IAP Configuration for Scenario 1 - IPSec: Single Datacenter Deployment with No Redundancy
Configuration Steps | CLI Commands | UI Procedure
1. Configure the primary host for VPN with the Public VRRP IP address of the controller.
   CLI: (ap)(config)# vpn primary
   UI: See Configuring an IPSec Tunnel
2. Configure a routing profile to tunnel all 10.0.0.0/8 subnet traffic to the controller.
   CLI: (ap)(config)# routing-profile
        (ap)(routing-profile)# route 10.0.0.0 255.0.0.
Table 72: W-IAP Configuration for Scenario 1 - IPSec: Single Datacenter Deployment with No Redundancy (continued)
Configuration Steps (continued): above and enable authentication survivability.
Scenario 2 - IPSec: Single Datacenter with Multiple Controllers for Redundancy

This scenario includes the following configuration elements:
• A VRRP instance between the master/standby-master pair, which is configured as the primary VPN IP address.
• Tunneling of all traffic to datacenter.
• Exception route to bypass tunneling of RADIUS and W-AirWave traffic, which are locally reachable in the branch and the Internet respectively.
• All client DNS queries are tunneled to the controller.
• 10.2.2.0/24 is a branch owned subnet, which needs to override the global routing profile
• 199.127.104.32 is used as an example IP address of the W-AirWave server in the Internet

AP Configuration

The following table provides information on the configuration steps performed through the CLI with example values. For information on the UI procedures, see the topics referenced in the UI Navigation Details column.
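The forwarding decision these routing profiles produce can be checked with the following Python model, added here as an illustration and not part of Instant or of this guide: it applies longest-prefix matching to the Scenario 1 table (tunnel only 10.0.0.0/8, everything else split-tunneled locally) and to the Scenario 2 table (tunnel everything, with the branch-owned 10.2.2.0/24 subnet and the W-AirWave address 199.127.104.32 as exceptions). The action labels "tunnel"/"local" and the RADIUS server address 192.0.2.53 are constructed for the example.

```python
"""Model of an IAP-VPN routing profile: for each destination, decide whether
the W-IAP tunnels the packet to the datacenter controller or forwards it
locally on the branch uplink. Added illustration, not Instant's own code."""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# A route is (prefix, action). "tunnel" sends traffic through the IPSec
# tunnel to the controller; "local" forwards it out the branch uplink.
Route = Tuple[str, str]

TUNNEL = "tunnel"
LOCAL = "local"


def classify(dest: str, routes: Iterable[Route]) -> str:
    """Return the action for dest using longest-prefix match.

    The most specific matching route wins, which is why a /24 branch subnet
    or a /32 exception overrides a 0.0.0.0/0 'tunnel everything' route.
    A destination that matches no route is forwarded locally, which is the
    split-tunnel behaviour Scenario 1 relies on.
    """
    addr = ip_address(dest)
    best_action, best_len = LOCAL, -1
    for prefix, action in routes:
        net = ip_network(prefix, strict=False)
        if addr in net and net.prefixlen > best_len:
            best_action, best_len = action, net.prefixlen
    return best_action


# Scenario 1 (Table 72, step 2): only the corporate 10.0.0.0/8 is tunneled;
# everything else goes out the branch Internet uplink.
SCENARIO1_ROUTES: List[Route] = [
    ("10.0.0.0/8", TUNNEL),
]

# Scenario 2: tunnel all traffic, with exceptions that must stay local.
# 192.0.2.53 is a constructed placeholder for the branch RADIUS server.
SCENARIO2_ROUTES: List[Route] = [
    ("0.0.0.0/0", TUNNEL),         # global routing profile: tunnel everything
    ("10.2.2.0/24", LOCAL),        # branch-owned subnet overrides the global profile
    ("199.127.104.32/32", LOCAL),  # W-AirWave server on the Internet (guide's example)
    ("192.0.2.53/32", LOCAL),      # RADIUS server in the branch (placeholder address)
]


def decisions(dests: Iterable[str], routes: Iterable[Route]) -> Dict[str, str]:
    """Classify a batch of destinations against one routing table."""
    table = list(routes)
    return {d: classify(d, table) for d in dests}


def missing_exceptions(routes: Iterable[Route],
                       must_stay_local: Iterable[str]) -> List[str]:
    """Return the addresses the profile would tunnel even though they must be
    reachable without the tunnel (RADIUS for authentication survivability,
    W-AirWave for management). An empty list means the exceptions are in place."""
    table = list(routes)
    return [a for a in must_stay_local if classify(a, table) != LOCAL]


if __name__ == "__main__":
    sample = ["10.16.1.9", "10.2.2.25", "199.127.104.32", "8.8.8.8", "192.0.2.53"]
    for name, table in (("Scenario 1", SCENARIO1_ROUTES),
                        ("Scenario 2", SCENARIO2_ROUTES)):
        print(name, decisions(sample, table))
    # Drop the RADIUS exception and show that the check flags it: with the
    # tunnel down, authentication would fail despite survivability being on.
    broken = [r for r in SCENARIO2_ROUTES if r[0] != "192.0.2.53/32"]
    print("tunneled by mistake:",
          missing_exceptions(broken, ["192.0.2.53", "199.127.104.32"]))
```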
Table 73: W-IAP Configuration for Scenario 2 - IPSec: Single Datacenter with Multiple controllers for Redundancy (continued)
Configuration Steps | CLI Commands | UI Procedure
NOTE: The IP range configuration on each branch will be the same. Each W-IAP will derive a smaller subnet based on the client count scope using the Branch ID (BID) allocated by the controller.
6. Create authentication servers for user authentication. The example in the next column assumes an 802.1X SSID.
Table 73: W-IAP Configuration for Scenario 2 - IPSec: Single Datacenter with Multiple controllers for Redundancy (continued)
Configuration Steps | CLI Commands | UI Procedure
8. Create an access rule for wired and wireless authentication. In this example, the rule permits all traffic.
Scenario 3 - IPSec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy

This scenario includes the following configuration elements:
• Multiple controller deployment model with controllers in different datacenters operating as primary/backup VPN with fast-failover and pre-emption enabled.
• Split tunneling of traffic.
• Split tunneling of client DNS traffic.
• Two Distributed L3 mode DHCPs, one each for employees and contractors, and one Local mode DHCP server.
• 172.16.20.0/24 subnet is used for NAT mode – used for wired network.
• Client count in each branch is 200.
• Contractors are only permitted to reach the 10.16.0.0/16 network.

AP Configuration

This section provides information on configuration steps performed through the CLI or the UI.

Table 74: W-IAP Configuration for Scenario 3 - IPSec: Multiple Datacenter Deployment
Configuration Steps | CLI Commands
1. Configure the primary IP address. This IP address is the Public IP address of the controller.
Table 74: W-IAP Configuration for Scenario 3 - IPSec: Multiple Datacenter Deployment (continued)
Configuration Steps | CLI Commands | UI Procedure
(ap)(config)# ip dhcp local
(ap)(DHCP profile "local")# server-type Local
(ap)(DHCP profile "local")# server-vlan 20
(ap)(DHCP profile "local")# subnet 172.16.20.
(ap)(DHCP profile "local")# 255.255.255.0
(ap)(DHCP profile "local")# 10.1.1.30,10.1.1.50
(ap)(DHCP profile "local")# arubanetworks.com
Table 74: W-IAP Configuration for Scenario 3 - IPSec: Multiple Datacenter Deployment (continued)
Configuration Steps | CLI Commands | UI Procedure
(ap)(SSID Profile "wireless-ssid")# essid wireless-ssid
(ap)(SSID Profile "wireless-ssid")# opmode wpa2-aes
(ap)(SSID Profile "wireless-ssid")# vlan 30
(ap)(SSID Profile "wireless-ssid")# auth-server server1
(ap)(SSID Profile "wireless-ssid")# auth-server server2
(ap)(SSID Profile "wireless-ssid")# auth-survivability
UI Procedure: Configure a wireless SSID is configured to operate in L3 mo
AP Connected Switch Configuration

Client VLANs defined in this example must be opened on the upstream switches in multiple AP deployments, as client traffic from slave to master is tagged with the client VLAN.

Datacenter Configuration

For information on controller configuration, see Configuring a Controller for IAP-VPN Operations on page 227. The following OSPF configuration is required on the controller to redistribute IAP-VPN routes to upstream routers.
Scenario 4 - GRE: Single Datacenter Deployment with No Redundancy

This scenario includes the following configuration elements:
• Single VPN primary configuration using GRE
  ◦ Aruba GRE, which does not require any configuration on the Dell Networking W-Series Mobility Controller that acts as a GRE endpoint.
  ◦ Manual GRE, which requires GRE tunnels to be explicitly configured on the GRE endpoint, which can be a Dell Networking W-Series Mobility Controller or any device that supports GRE termination.
Table 75: W-IAP Configuration for Scenario
Configuration Steps | CLI Commands | UI Procedure
1. Configure Aruba GRE or manual GRE
• Aruba GRE uses an IPSec tunnel to facilitate controller configuration and requires VPN to be configured. This VPN tunnel is not used for any client traffic.
• Manual GRE uses standard GRE tunnel configuration and requires controller configuration to complete the GRE tunnel.
Table 75: W-IAP Configuration for Scenario (continued)
Configuration Steps (continued): and access rules, and enable authentication survivability.
(host)(config-tunnel)# description
(host)(config-tunnel)# tunnel mode gre
(host)(config-tunnel)# tunnel source
(host)(config-tunnel)# tunnel destination
(host)(config-tunnel)# trusted
(host)(config-tunnel)# tunnel vlan
Terminology

Acronyms and Abbreviations

The following table lists the abbreviations used in this document.
Table 76: List of abbreviations
Abbreviation | Expansion
PEAP | Protected Extensible Authentication Protocol
PEM | Privacy Enhanced Mail
PoE | Power over Ethernet
RADIUS | Remote Authentication Dial In User Service
VC | Virtual Controller
VSA | Vendor-Specific Attributes
WLAN | Wireless Local Area Network

Glossary

The following table lists the terms and their definitions used in this document.

Table 77: List of Terms
Term | Definition
802.
Table 77: List of Terms (continued)
Term | Definition
AP | An access point (AP) connects users to other users within the network and also can serve as the point of interconnection between the WLAN and a fixed wire network. The number of access points a WLAN needs is determined by the number of users and the size of the network.
access point mapping | The act of locating and possibly exploiting connections to WLANs while driving around a city or elsewhere.
Table 77: List of Terms (continued)
Term | Definition
fixed wireless | Wireless devices or systems in fixed locations such as homes and offices. Fixed wireless devices usually derive their electrical power from the utility mains, unlike mobile wireless or portable wireless, which tend to be battery-powered. Although mobile and portable systems can be used in fixed locations, efficiency and bandwidth are compromised compared with fixed systems.
Table 77: List of Terms (continued)
Term | Definition
W-CDMA | Officially known as IMT-2000 direct spread; ITU standard derived from Code-Division Multiple Access (CDMA). Wideband code-division multiple access (W-CDMA) is a third-generation (3G) mobile wireless technology that promises much higher data speeds to mobile and portable wireless devices than commonly offered in today's market.
Wi-Fi | A term for certain types of WLANs. Wi-Fi can apply to products that use any 802.11 standard.