User Guide AOS-W Instant 6.3.1.1-4.
Copyright © 2013 Alcatel-Lucent. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA.
Contents
- Contents 3
- About this Guide 25
- Intended Audience 25
- Related Documents 25
- Conventions 25
- Contacting Support 26
- About AOS-W Instant 27
- AOS-W Instant Overview 27
- Supported Devices 27
- AOS-W Instant UI 28
- AOS-W Instant CLI 28
- What is New in AOS-W Instant 6.3.1.1-4.
- Logging into the AOS-W Instant UI 38
- Viewing Connectivity Summary 38
- Language 38
- Main Window 39
- Banner 39
- Search 39
- Tabs 39
- Networks Tab 40
- Access Points Tab 40
- Clients Tab 41
- Links 41
- New Version Available 41
- System 42
- RF 43
- Security 44
- Maintenance 45
- Help 46
- More 46
- VPN 46
- IDS 47
- Wired 48
- Services 49
- DHCP Server 50
- Support 50
- Logout 51
- Monitoring 51
- Info 51
- RF Dashboard 53
- RF Trends 54
- Usage Trends 55
- Mobility Trail 59
- Spectrum 6
- IDS 63
- Configuration 64
- AirGroup 65
- OmniVista 3600 Setup 65
- Pause/Resume 65
- Views 65
- Initial Configuration Tasks 67
- Updating IP Address of an OAW-IAP 67
- In the AOS-W Instant UI 67
- In the CLI 68
- Modifying the OAW-IAP Name 68
- In the AOS-W Instant UI 68
- In the CLI 69
- Updating Location Details of an OAW-IAP 69
- In the AOS-W Instant UI 69
- In the CLI 69
- Configuring External Antenna 69
- EIRP and Antenna Gain 69
- Configuring Antenna Gain 70
- In the AOS-W Instant UI 70
- In the CLI 7
- In the AOS-W Instant UI 73
- In the CLI 73
- Enabling Auto Join Mode
- Disabling Auto Join Mode 74
- Adding an OAW-IAP to the Network 74
- Removing an OAW-IAP from the Network 74
- Configuring a Preferred Band 74
- In the AOS-W Instant UI 74
- In the CLI 75
- Configuring Radio Profiles for an OAW-IAP 75
- Configuring ARM Assigned Radio Profiles for an OAW-IAP 75
- Configuring Radio Profiles Manually for OAW-IAP 75
- In the CLI 76
- Configuring Inter-user Bridging and Local Routing 76
- In the AOS-W Instant UI
- Virtual Controller Configuration 82
- Virtual Controller Overview 82
- Master Election Protocol 82
- Preference to an OAW-IAP with 3G/4G Card 82
- Preference to an OAW-IAP with Non-Default IP 82
- Manual Provisioning of Master OAW-IAP 82
- Provisioning an OAW-IAP as a Master OAW-IAP 83
- In the AOS-W Instant UI 83
- In the CLI 83
- Virtual Controller IP Address Configuration 83
- Configuring IP Address for Virtual Controller 83
- In the AOS-W Instant UI 84
- In the CLI 84
- Wireless Network Profiles
- Understandi
- In the AOS-W Instant UI 97
- In the CLI 98
- Opportunistic Key Caching 99
- Configuring an OAW-IAP for OKC Roaming 99
- In the AOS-W Instant UI 99
- In the CLI 99
- Editing Status of a WLAN SSID Profile
- In the AOS-W Instant UI 100
- In the CLI 100
- Configuring Additional WLAN SSIDs 100
- Enabling the Extended SSID 100
- In the AOS-W Instant UI 100
- In the CLI 101
- Editing a WLAN SSID Profile 101
- Deleting a WLAN SSID Profile 101
- Wired Profiles 102
- Configuring a Wired Profile 102
- Configuring Wired Settin
- In the AOS-W Instant UI 108
- In the CLI 108
- Assigning a Profile to Ethernet Ports 108
- In the AOS-W Instant UI 108
- In the CLI 108
- Editing a Wired Profile 108
- Deleting a Wired Profile 109
- Captive Portal for Guest Access 110
- Understanding Captive Portal 110
- Types of Captive Portal 110
- Walled Garden 111
- Configuring a WLAN SSID for Guest Access 111
- In the AOS-W Instant UI 111
- In the CLI 113
- Configuring Wired Profile for Guest Access 114
- In the AOS-W Instant UI 114
- In the CLI 115
- In the AOS-W Instant UI 122
- In the CLI 122
- Configuring Captive Portal Roles for an SSID
- In the AOS-W Instant UI 124
- In the CLI 125
- Configuring Walled Garden Access 126
- In the AOS-W Instant UI 126
- In the CLI 126
- Disabling Captive Portal Authentication 126
- User Management 128
- OAW-IAP Users 128
- Configuring Administrator Credentials for the Virtual Controller Interface 128
- In the AOS-W Instant UI 128
- In the CLI 129
- Configuring Guest Management Interface Administrator Credentials 130
- Understanding Encryption Types 141
- WPA and WPA2 141
- Recommended Authentication and Encryption Combinations 141
- Understanding Authentication Survivability 142
- Configuring Authentication Servers 144
- Configuring an External Server for Authentication 144
- In the AOS-W Instant UI 144
- In the CLI 147
- Configuring Dynamic RADIUS Proxy Parameters 148
- Enabling Dynamic RADIUS Proxy 148
- In the AOS-W Instant UI 148
- In the CLI 149
- Configuring Dynamic RADIUS Proxy Parameters for Authentication Servers
- In the AOS-W Instant UI 154
- In the CLI 154
- Configuring MAC Authentication with 802.1X Authentication
- Configuring MAC and 802.1X Authentication for a Wireless Network Profile 155
- In the AOS-W Instant UI 155
- In the CLI 155
- Configuring MAC and 802.
- Roles and Policies 164
- Firewall Configuration 164
- Configuring ALG Protocols 164
- In the AOS-W Instant UI 164
- In the CLI 165
- Configuring Firewall Settings for Protection from ARP Attacks 166
- In the AOS-W Instant UI 166
- In the CLI 166
- Managing Inbound Traffic 167
- Configuring Management Subnets 167
- In the AOS-W Instant UI 167
- In the CLI 168
- Configuring Restricted Access to Corporate Network 168
- In the AOS-W Instant UI 168
- In the CLI 168
- Access Control List Rules
- Configuring Access Rule
- Creating a User Role
- In the AOS-W Instant UI 175
- In the CLI 176
- Assigning Bandwidth Contracts to User Roles 176
- Assigning Bandwidth Contracts in the AOS-W Instant UI 176
- Assigning a bandwidth contract using AOS-W Instant CLI 176
- Configuring Machine and User Authentication Roles 177
- In the AOS-W Instant UI 177
- In the CLI 177
- Configuring Derivation Rules 178
- Understanding Role Assignment Rule 178
- RADIUS VSA Attributes 178
- MAC-Address Attribute 178
- Roles Based on Client Authentication 17
- In the CLI 185
- Assigning User VLAN Roles to a Network Profile 185
- In the AOS-W Instant UI 185
- In the CLI 186
- Uplink Configuration 187
- Uplink Interfaces 187
- Ethernet Uplink 188
- Configuring PPPoE Uplink Profile 189
- In the AOS-W Instant UI 189
- In the CLI 189
- 3G/4G Uplink 190
- Types of Modems 190
- Configuring Cellular Uplink Profiles 192
- In the AOS-W Instant UI 192
- In the CLI 193
- Wi-Fi Uplink 194
- Configuring a Wi-Fi Uplink Profile 194
- Uplink Preferences and Switching
- Enforcing Uplinks 1
- Mobility and Client Management
- Layer-3 Mobility Overview 200
- Configuring L3-Mobility 201
- Home Agent Load Balancing 201
- Configuring a Mobility Domain for AOS-W Instant 201
- In the AOS-W Instant UI 201
- In the CLI 202
- Spectrum Monitor 203
- Understanding Spectrum Data 203
- Device List 203
- Non Wi-Fi Interferers 204
- Channel Details 206
- Channel Metrics 207
- Spectrum Alerts 208
- Configuring Spectrum Monitors and Hybrid OAW-IAPs 208
- Converting an OAW-IAP to a Hybrid OAW-IAP 208
- In the AOS-W In
- Configuring ARM Features on an OAW-IAP 213
- In the AOS-W Instant UI 213
- In the CLI 216
- Configuring Radio Settings for an OAW-IAP 218
- In the AOS-W Instant UI 218
- In the CLI 219
- Intrusion Detection 221
- Detecting and Classifying Rogue APs 221
- OS Fingerprinting 221
- Configuring Wireless Intrusion Protection and Detection Levels 222
- Containment Methods 226
- Configuring IDS Using CLI 226
- Content Filtering 228
- Content Filtering 228
- Enabling Content Filtering 228
- Enabling Content Filtering
- Configuring Centralized DHCP Scope
- In the AOS-W Instant UI 234
- In the CLI 235
- Configuring Local and Local,L3 DHCP Scopes 236
- In the AOS-W Instant UI 236
- In the CLI 237
- Configuring DHCP Server for Client IP Assignment 238
- In the AOS-W Instant UI 238
- In the CLI 238
- VPN Configuration 239
- Understanding VPN Features 239
- Configuring a Tunnel from an OAW-IAP to OmniAccess WLAN Switch 239
- Configuring IPSec Tunnel 239
- In the AOS-W Instant UI 239
- In the CLI 240
- Example 241
- Enabling Autom
- L2/L3 Forwarding Modes 252
- IAP-VPN Scalability Limits 253
- OSPF Configuration 253
- VPN Configuration 255
- Whitelist Database Configuration 255
- Switch Whitelist Database 255
- External Whitelist Database 255
- VPN Local Pool Configuration 255
- Role Assignment for the Authenticated OAW-IAPs 255
- VPN Profile Configuration 256
- Viewing Branch Status 256
- Example 256
- OmniVista Integration and Management 258
- OmniVista Features 258
- Image Management 258
- OAW-IAP and Client Monitoring 258
- Template-base
- AirGroup Configuration
- AirGroup Overview 268
- AirGroup with AOS-W Instant 269
- AirGroup Solution 270
- AirGroup Features 271
- CPPM and ClearPass Guest Features 272
- AirGroup Components 272
- AirGroup Services 272
- Configuring AirGroup and AirGroup Services on an OAW-IAP 273
- In the AOS-W Instant UI 273
- In the CLI 274
- Configuring AirGroup and CPPM interface in AOS-W Instant 275
- Creating a RADIUS Server 275
- Assign a Server to AirGroup 275
- Configure CPPM to Enforce Registration 275
- Change of
- Lawful Intercept and CALEA Integration 281
- CALEA Integration and Lawful Intercept Compliance 281
- CALEA Server Integration 281
- Traffic Flow from IAP to CALEA Server 281
- Traffic Flow from IAP to CALEA Server through VPN 282
- Client Traffic Replication 283
- Configuring OAW-IAPs for CALEA Integration 283
- Creating a CALEA Profile 283
- In the AOS-W Instant UI 284
- In the CLI 284
- Creating an Access Rule for CALEA 284
- In the AOS-W Instant UI 284
- In the CLI 284
- Verifying the configuration 285
- Example
- Configuring a Connection Capability Profile 294
- Configuring an Operating Class Profile 294
- Configuring a WAN Metrics Profile 294
- Creating a Hotspot Profile 295
- Associating an Advertisement Profile to a Hotspot Profile 297
- Creating a WLAN SSID and Associating Hotspot Profile 297
- Sample Configuration 301
- Extended Voice and Video QoS for Microsoft Office OCS and Apple Facetime 301
- Microsoft OCS 301
- Apple Facetime 301
- Dynamic CPU Management 302
- Dynamic CPU Management 302
- Configuring for D
- Resetting a Remote AP or Campus AP to an OAW-IAP 309
- Rebooting the OAW-IAP 309
- Monitoring Devices and Logs 311
- Configuring SNMP 311
- SNMP Parameters for OAW-IAP 311
- Configuring SNMP 312
- Creating community strings for SNMPv1 and SNMPv2 Using AOS-W Instant UI 312
- Creating community strings for SNMPv3 Using AOS-W Instant UI 312
- Configuring SNMP Community Strings in the CLI 313
- Configuring SNMP Traps 314
- In the AOS-W Instant UI 314
- In the CLI 314
- Configuring a Syslog Server 314
- In the AOS
Chapter 1 About this Guide
This User Guide describes the features supported by AOS-W Instant and provides detailed instructions for setting up and configuring an AOS-W Instant network.
Intended Audience
This guide is intended for customers who configure and use AOS-W Instant.
Related Documents
In addition to this document, the AOS-W Instant product documentation includes the following:
- AOS-W Instant Installation Guides
- AOS-W Instant 6.3.1.1-4.0 Quick Start Guide
- AOS-W Instant 6.3.1.1-4.
The following informational icons are used throughout this guide:
- Indicates helpful suggestions, pertinent information, and important things to remember.
- Indicates a risk of damage to your hardware or loss of data.
- Indicates a risk of personal injury or death.
Contacting Support
Table 2: Support Information
Contact Center Online:
- Main Site: http://www.alcatel-lucent.com/enterprise
- Support Site: https://service.esd.alcatel-lucent.com
- Email: esd.support@alcatel-lucent.
Chapter 2 About AOS-W Instant
This chapter provides the following information:
- AOS-W Instant Overview
- What is New in AOS-W Instant 6.3.1.1-4.0
AOS-W Instant Overview
AOS-W Instant virtualizes OmniAccess WLAN Switch capabilities on 802.11 access points (APs), creating a feature-rich enterprise-grade wireless LAN (WLAN) that combines affordability and configuration simplicity. AOS-W Instant is a simple, easy to deploy turn-key WLAN solution consisting of one or more APs.
All OAW-IAPs except OAW-IAP224, OAW-IAP225, OAW-IAP114, and OAW-IAP115 are available as the following variants:
- OAW-IAP-US (United States)
- OAW-IAP-JP (Japan)
- OAW-IAP-IL (Israel)
- OAW-IAP-RW (Rest of World)
The OAW-IAP224, OAW-IAP225, OAW-IAP114, and OAW-IAP115 are available as the following variants:
- OAW-IAP-US (United States)
- OAW-IAP-RW. The RW variant also includes IL and JP variants.
Table 3: New Features in 6.3.1.1-4.0
Feature: Description
- Bandwidth contract enhancements: AOS-W Instant supports assigning bandwidth contracts to user roles. The administrator can assign a bandwidth contract configured in Kbps to upstream (client to the OAW-IAP) or downstream (OAW-IAP to clients) traffic for a user role. All users in that role will be part of that bandwidth contract.
- Customizing Internal Captive Portal Certificate: AOS-W Instant now supports uploading customized internal Captive Portal server certificates to the OAW-IAP database.
- Provisioning an OAW-IAP as a master OAW-IAP: AOS-W Instant now allows you to manually provision an OAW-IAP as a master OAW-IAP, based on network-specific parameters such as the physical location of the Virtual Controller.
OAW-IAP Platform: Description
- OAW-IAP114/115: The OAW-IAP114 and OAW-IAP115 are dual radio, dual-band wireless access points that support the IEEE 802.11n standard for high-performance WLAN. These APs use MIMO (Multiple-in, Multiple-out) technology and other high-throughput mode techniques to deliver high-performance 802.11n 2.4 GHz and 5 GHz functionality while simultaneously supporting existing 802.11a/b/g wireless services. For more information about this product, visit .
Chapter 3 Setting up an OAW-IAP
This chapter describes the following procedures:
- Setting up AOS-W Instant Network on page 32
- Logging in to the AOS-W Instant UI on page 34
- Accessing the AOS-W Instant CLI on page 35
Setting up AOS-W Instant Network
Before installing an OAW-IAP:
- Ensure that you have an Ethernet cable of the required length to connect an OAW-IAP to the home router.
- Ensure that you have one of the following power sources:
  - IEEE 802.
Assigning a Static IP
To assign a static IP to an OAW-IAP:
1. Connect a terminal, PC, or workstation running a terminal emulation program to the Console port on the OAW-IAP.
2. Power on the OAW-IAP. An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed.
3. Press Enter before the timer expires. The OAW-IAP goes into apboot mode.
4. In apboot mode, use the following commands to assign a static IP to the OAW-IAP.
Disabling the Provisioning Wi-Fi Network
The provisioning network is enabled by default. AOS-W Instant provides the option to disable the provisioning network through the console port. Use this option only when you do not want the default SSID instant to be broadcast in your network.
To disable the provisioning network:
1. Connect a terminal or PC/workstation running a terminal emulation program to the Console port on the OAW-IAP.
2.
When you use a provisioning Wi-Fi network to connect to the Internet, all browser requests are directed to the AOS-W Instant UI. For example, if you enter www.example.com in the address field, you are directed to the AOS-W Instant UI. You can change the default login credentials after the first login.
Specifying Country Code
This procedure is applicable to the OAW-IAP-ROW (Rest of World) variants only. Skip this step if you are installing an OAW-IAP in the United States, Japan, or Israel.
The AOS-W Instant CLI allows CLI scripting in several other sub-command modes that let users configure individual interfaces, SSIDs, access rules, and security settings. You can use the question mark (?) to view the commands available in privileged mode, configuration mode, or a submode. Although automatic completion is supported for some commands such as configure terminal, the complete exit and end commands must be entered at the command prompt.
Table 6: Sequence-Sensitive Commands
Sequence-Sensitive Command | Corresponding no command
- opendns | no opendns
- rule {permit | deny | src-nat | dst-nat { | }} [
Chapter 4 AOS-W Instant User Interface
This chapter describes the following AOS-W Instant UI elements:
- Login Screen
- Main Window
Login Screen
The AOS-W Instant login page allows you to:
- Log in to the AOS-W Instant UI.
You can also select the required language option from the Languages drop-down located at the bottom left corner of the AOS-W Instant main window.
Main Window
On logging into Instant, the Instant UI Main Window is displayed.
Each tab appears in a compressed view by default. The number of networks, OAW-IAPs, or clients in the network precedes the tab names. The individual tabs can be expanded or collapsed by clicking on the tabs. The list items in each tab can be sorted by clicking the triangle icon next to the heading labels.
Networks Tab
This tab displays a list of Wi-Fi networks that are configured in the Instant network. The network names are displayed as links.
An edit link is displayed on clicking the OAW-IAP name. For details about editing OAW-IAP settings, see Initial Configuration Tasks on page 67.
Clients Tab
This tab displays a list of clients that are connected to the AOS-W Instant network. The client names are displayed as links. The expanded view displays the following information about each client:
- Name — User name of the client or guest user, if available.
- IP Address — IP address of the client.
- MAC Address — MAC address of the client.
System
This link displays the System window. Use the Show/Hide Advanced option at the bottom of the System window to view or hide the advanced options. The System window consists of the following tabs:
- General— Allows you to configure, view or edit the Name, IP address, NTP Server, and other OAW-IAP settings for the Virtual Controller.
  - For information about Virtual Controller configuration, see Virtual Controller Configuration on page 82.
Figure 5 System Window
RF
The RF link displays a window for configuring Adaptive Radio Management (ARM) and Radio features.
- ARM — Allows you to view or configure channel and power settings for all the OAW-IAPs in the network. For information about ARM configuration, see ARM Overview on page 211.
- Radio — Allows you to view or configure radio settings for the 2.4 GHz and 5 GHz radio profiles. For information about Radio, see Configuring Radio Settings for an OAW-IAP on page 218.
Figure 6 RF Window
Security
The Security link displays a window with the following tabs:
- Authentication Servers— Use this window to configure an external RADIUS server for a wireless network. See Configuring an External Server for Authentication on page 144 for more information.
- Users for Internal Server— Use this window to populate the system's internal authentication server with users.
Figure 7 Security Window - Default View
Maintenance
The Maintenance link displays a window that allows you to maintain the Wi-Fi network. The Maintenance window consists of the following tabs:
- About—Displays the name of the product, build time, OAW-IAP model name, the AOS-W Instant version, Website address of Alcatel-Lucent, and Copyright information.
- Configuration— Displays the following details:
  - Current Configuration — Displays the current configuration details.
Figure 8 Maintenance Window - Default View
Help
The Help link allows you to view a short description or definition of selected terms and fields in the UI windows or dialogs. To activate the context-sensitive help:
1. Click the Help link at the top right corner of the AOS-W Instant main window.
2. Click any text or term displayed in green italics to view its description or definition.
3. To disable the help mode, click Done.
Figure 9 VPN window for IPSec Configuration
IDS
The IDS window allows you to configure wireless intrusion detection and protection levels. The following figures show the IDS window:
Figure 10 IDS Window: Intrusion Detection
Figure 11 IDS Window: Intrusion Protection
For more information on wireless intrusion detection and protection, see Detecting and Classifying Rogue APs on page 221.
Wired
The Wired window allows you to configure a wired network profile. See Wired Profiles on page 102 for more information. The following figure shows the Wired window:
Figure 12 Wired Window
Services
The Services window allows you to configure services such as AirGroup, RTLS, and OpenDNS. The Services window consists of the following tabs:
- AirGroup — Allows you to configure the AirGroup and AirGroup services. For more information, see AirGroup Configuration on page 268.
- RTLS — Allows you to integrate the OmniVista Management platform or a third-party Real Time Location Server such as the Aeroscout Real Time Location Server with AOS-W Instant.
Figure 13 Services Window: Default View
DHCP Server
The DHCP Servers window allows you to configure various DHCP modes. The following figure shows the contents of the DHCP Servers window:
Figure 14 DHCP Servers Window
For more information, see DHCP Configuration on page 231.
Support
The Support window consists of the following fields:
- Command— Allows you to select a support command for execution.
- Target—Displays a list of OAW-IAPs in the network.
- Auto Run— Allows you to configure a schedule for automatic execution of a support command for a specific OAW-IAP or all OAW-IAPs.
- Filter—Allows you to filter the contents of a command output.
- Clear—Clears the command output displayed after a command is executed.
- Save Results— Allows you to save the support command logs as an HTML or text file.
For more information on support commands, see Running Debug Commands from the AOS-W Instant UI on page 317.
Table 7: Contents of the Info Section in the AOS-W Instant Main Window
Name: Description
- Info section in Virtual Controller view: The Info section in the Virtual Controller view displays the following information:
  - Name— Displays the Virtual Controller name.
  - System Location—Displays the system location.
  - Country Code— Displays the Country in which the Virtual Controller is operating.
  - Virtual Controller IP address— Displays the IP address of the Virtual Controller.
- Info section in Client view
  - Spectrum — Displays the status of the spectrum monitor.
  - Clients — Number of clients associated with the OAW-IAP.
  - Type — Displays the model number of the OAW-IAP.
  - CPU Utilization — Displays the CPU utilization in percentage.
  - Memory Free — Displays the memory availability of the OAW-IAP in MB.
  - Serial number — Displays the serial number of the OAW-IAP.
Icon: Name: Description
- 3 Utilization icon: Displays the radio utilization rate of the OAW-IAPs. Depending on the percentage of utilization, the color of the lines on the Utilization icon changes from Green > Orange > Red.
  - Green— Utilization is less than 50 percent.
  - Orange— Utilization is between 50-75 percent.
  - Red— Utilization is more than 75 percent.
  To view the utilization graph of an OAW-IAP, click the Utilization icon next to the OAW-IAP in the Utilization column.
Figure 18 Frames Graph
Figure 19 Speed Graph
Figure 20 Throughput Graph
Usage Trends
The Usage Trends section displays the following graphs:
- Clients — In the default view, the Clients graph displays the number of clients that were associated with the Virtual Controller in the last 15 minutes. In Network or Instant Access Points view, this graph displays the number of clients that were associated with the selected network or OAW-IAP in the last 15 minutes.
Figure 21 Usage Trends Section in the Monitoring Pane
The following table describes the graphs displayed in the Network view:
Table 9: Network View — Graphs and Monitoring Procedures
Graph Name | Description | Monitoring Procedure
- Clients | The Clients graph shows the number of clients associated with the network for the last 15 minutes. | To see an enlarged view, click the graph.
Table 10: Access Point View — Usage Trends and Monitoring Procedures
Graph Name | Description | Monitoring Procedure
- Neighboring APs | The Neighboring APs graph shows the number of APs heard by the selected OAW-IAP:
  - Valid APs: An AP that is part of the enterprise providing WLAN service.
  - Interfering APs: An AP that is seen in the RF environment but is not connected to the network.
  - Rogue APs: An unauthorized AP that is plugged into the wired side of the network.
- Clients | The Clients graph shows the number of clients associated with the selected OAW-IAP for the last 15 minutes. | To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the number of clients associated with the OAW-IAP for the last 15 minutes.
Table 11: Client View — RF Trends Graphs and Monitoring Procedures
Graph Name | Description | Monitoring Procedure
- Frames | The Frames graph shows the In and Out frame rate per second of the client for the last 15 minutes. It also shows data for the Retry In and Retry Out frames.
  - Outgoing frames — Outgoing frame traffic is displayed in green. It is shown above the median line.
  - Incoming frames — Incoming frame traffic is displayed in blue. It is shown below the median line.
- Association Time— The time at which the selected client was associated with a particular OAW-IAP. The AOS-W Instant UI shows the client and OAW-IAP association over the last 15 minutes.
- Access Point— The OAW-IAP name with which the client was associated.
Mobility information about the client is reset each time it roams from one OAW-IAP to another.
The Alerts link displays the following types of alerts:
- Client Alerts
- Active Faults
- Fault History
Table 12: Types of Alerts
Type of Alert | Description | Information Displayed
- Client Alerts | Client alerts occur when clients are connected to the AOS-W Instant network. | A client alert displays the following fields:
  - Timestamp— Displays the time at which the client alert was recorded.
  - MAC address— Displays the MAC address of the client which caused the alert.
Figure 24 Fault History
Figure 25 Active Faults
The following table displays a list of alerts that are generated on the AOS-W Instant network:
Table 13: Alerts list
Type Code | Description | Details | Corrective Actions
- 100101 | Internal error | The OAW-IAP has encountered an internal error for this client. | Contact the Alcatel-Lucent customer support team.
- 100105 | Maximum capacity reached on OAW-IAP | The OAW-IAP has reached maximum capacity and cannot accommodate any more clients. | Consider expanding capacity by installing additional OAW-IAPs or balance load by relocating OAW-IAPs.
- 100206 | Invalid MAC Address | The OAW-IAP cannot authenticate this client because the client's MAC address is not valid. | This condition may be indicative of a misbehaving client.
  - Classification— Displays the classification of the foreign AP, for example, Interfering OAW-IAP or Rogue OAW-IAP.
  - Channel— Displays the channel in which the foreign AP is operating.
  - Type— Displays the Wi-Fi type of the foreign AP.
  - Last seen— Displays the time when the foreign AP was last detected in the network.
  - Where— Provides information about the OAW-IAP that detected the foreign AP. Click the pushpin icon to view the information.
AirGroup
The AirGroup link provides an overall view of your AirGroup configuration. Click each field to view or edit the settings.
- MAC — Displays the MAC address of the AirGroup servers.
- IP — Displays the IP address of the AirGroup servers.
- Host Name — Displays the machine name or hostname of the AirGroup servers.
- Service— Displays the type of the services, such as AirPlay or AirPrint.
- VLAN— Displays VLAN details of the AirGroup servers.
The following AOS-W Instant UI elements are available in this view:
- Tabs— Networks, Access Points, and Clients. For detailed information about the tabs, see Tabs on page 39.
- Links— Monitoring, Client Alerts, and IDS. The Spectrum link is visible if you have configured the OAW-IAP as a spectrum monitor. These links allow you to monitor the AOS-W Instant network. For more information about these links, see Monitoring on page 51, IDS on page 63, Alerts on page 60, and Spectrum Monitor on page 203.
Chapter 5 Initial Configuration Tasks
This chapter describes the following basic OAW-IAP deployment methods and configuration tasks:
- Updating IP Address of an OAW-IAP on page 67
- Modifying the OAW-IAP Name on page 68
- Updating Location Details of an OAW-IAP on page 69
- Configuring External Antenna on page 69
- Upgrading an OAW-IAP on page 70
- Adding an OAW-IAP to the Network on page 74
- Removing an OAW-IAP from the Network on page 74
- Enabling Terminal Access on page 73
- Enabling
Figure 29 Configuring OAW-IAP Settings
3. Select either the Get IP address from DHCP server or Specify statically option. If you have selected the Specify statically option, perform the following steps:
   a. Enter the new IP address for the OAW-IAP in the IP address text box.
   b. Enter the subnet mask of the network in the Netmask text box.
   c. Enter the IP address of the default gateway in the Default gateway text box.
   d. Enter the IP address of the DNS server in the DNS server text box.
   e.
In the CLI
To change the name:
(Instant Access Point)# hostname
Updating Location Details of an OAW-IAP
You can update the physical location details of an OAW-IAP by using the AOS-W Instant UI or CLI. The system location details are used for retrieving information through the SNMP sysLocation MIB object.
In the AOS-W Instant UI
To update location details:
1. In the AOS-W Instant main window, click the System link. The System window is displayed.
2.
The following table lists gain values supported by each type of antenna:
Table 15: Antenna Types and Maximum Antenna Gains
Frequency Band | Type | Gain (dBi)
- 2.4 GHz | Dipole/Omni | 6
- 2.4 GHz | Panel | 12
- 2.4 GHz | Sector | 12
- 5 GHz | Dipole/Omni | 6
- 5 GHz | Panel | 14
- 5 GHz | Sector | 14
For information on antenna gain recommended by the manufacturer, see .
Configuring Antenna Gain
You can configure antenna gain for APs with external connectors using the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
1.
OAW-IAPs joining the network need to synchronize their software with the version running on the Virtual Controller, and if the new OAW-IAP belongs to a different class, the image file for the new OAW-IAP is provided by OmniVista. If OmniVista does not have the appropriate image file, the new AP will not be able to join the network. The Virtual Controller communicates with the OmniVista server if OmniVista is configured. If OmniVista is not configured on the OAW-IAP, the image is requested from the Image server.
2. Enter the HTTP proxy server's IP address and the port number.
3. If you do not want the HTTP proxy to be applied for a particular host, click New to enter the IP address or domain name of that host in the exceptions list.
In the CLI
(Instant Access Point)(config)# proxy server 192.0.2.1 8080
(Instant Access Point)(config)# proxy exception 192.0.2.
  - For all other OAW-IAPs — AlcatelInstant_Orion_6.3.1.1-4.0.0.0_xxxx
- Select the Image URL option. Select this option to obtain an image file from a TFTP, FTP, or HTTP URL.
  - HTTP - http:///. For example, http:///AlcatelInstant_Orion_6.3.1.1-4.0.0.0_xxxx
  - TFTP - tftp:///. For example, tftp:///AlcatelInstant_Orion_6.3.1.1-4.0.0.0_xxxx
  - FTP - ftp:///. For example, ftp:///AlcatelInstant_Orion_6.3.
(Instant Access Point)(config)# telnet-server
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
Enabling Auto Join Mode
The Auto Join Mode feature allows OAW-IAPs to automatically discover the Virtual Controller and join the network. The Auto Join Mode feature is enabled by default. If the Auto Join Mode feature is disabled, a New link is displayed in the Access Points tab. Click this link to add OAW-IAPs to the network.
3. Click OK. Reboot the OAW-IAP after configuring the radio profile for the changes to take effect.
In the CLI
To configure a preferred band:
(Instant Access Point)(config)# rf-band
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
Configuring Radio Profiles for an OAW-IAP
You can configure a radio profile on an OAW-IAP either manually or by using the Adaptive Radio Management (ARM) feature. Adaptive Radio Management (ARM) is enabled on AOS-W Instant by default.
Table 16: OAW-IAP Radio Modes Mode Description and clients. Spectrum Monitor In Spectrum Monitor mode, the AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from the neighboring APs or from non-WiFi devices such as microwaves and cordless phones. In the Monitor and Spectrum Monitor modes, the APs do not provide access services to clients. 5. Select Administrator assigned in 2.4 GHz and 5 GHz band sections. 6.
Configuring Uplink VLAN for an OAW-IAP Instant supports a management VLAN for the uplink traffic on an OAW-IAP. After an OAW-IAP is provisioned with the uplink management VLAN, all management traffic sent from the OAW-IAP is tagged with the management VLAN. You can configure the uplink management VLAN on an OAW-IAP by using the AOS-W Instant UI or CLI. In the AOS-W Instant UI To configure uplink management VLAN: 1. In the Access Points tab, click the OAW-IAP to modify. The edit link is displayed. 2.
3. Select a time zone from the Timezone drop-down list. The time zone indicates the time returned by the NTP server. You can enable daylight saving time (DST) on OAW-IAPs if the time zone you selected supports daylight saving time. If the selected time zone does not support DST, the Daylight Saving Time option is not displayed. When enabled, daylight saving time ensures that the OAW-IAPs reflect the seasonal time changes in the region they serve. 4.
Chapter 6 Mesh OAW-IAP Configuration
This chapter provides the following information:
- Mesh Network Overview on page 79
- Setting up AOS-W Instant Mesh Network on page 80
Mesh Network Overview
The AOS-W Instant secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires. As traffic traverses across mesh OAW-IAPs, the mesh network automatically reconfigures around broken or blocked paths.
The mesh portal reboots after 5 minutes when it loses its uplink connectivity to a wired network. Mesh Points The mesh point establishes an all-wireless path to the mesh portal. The mesh point provides traditional WLAN services such as client connectivity, intrusion detection system (IDS) capabilities, user role association, and Quality of Service (QoS) for LAN-to-mesh communication to clients and performs mesh backhaul/network connectivity. The mesh point also supports LAN bridging.
Chapter 7 VLAN Configuration VLAN configuration is required for networks with more devices and broadcast traffic on a WLAN SSID or wired profile. Based on the network type and its requirements, you can configure the VLANs for a WLAN SSID or wired port profile. For more information on VLAN configuration for a WLAN SSID and wired port profile, see Configuring VLAN Settings for a WLAN SSID Profile on page 89 and Configuring VLAN for a Wired Profile on page 103.
Chapter 8 Virtual Controller Configuration
This chapter provides the following information:
- Virtual Controller Overview
- Virtual Controller IP Address Configuration
Virtual Controller Overview
AOS-W Instant does not require an external controller to regulate and manage the Wi-Fi network. Instead, one OAW-IAP in every network assumes the role of Virtual Controller. It coordinates, stores, and distributes the settings required to provide a centralized functionality to regulate and manage the Wi-Fi network.
VLAN. When the Virtual Controller goes down, a new Virtual Controller is elected. Provisioning an OAW-IAP as a Master OAW-IAP You can provision an OAW-IAP as a master OAW-IAP by using the AOS-W Instant UI or CLI. In the AOS-W Instant UI 1. In the Access Points tab, click the OAW-IAP to modify. The edit link is displayed. 2. Click the edit link. The edit window for modifying OAW-IAP details is displayed. 3. Select Enabled from Preferred master drop-down. This option is disabled by default.
In the AOS-W Instant UI 1. Click the System link at top right corner of the AOS-W Instant main window. The System window is displayed. 2. Click the Show advanced options link. The advanced options are displayed. 3. In the General tab, enter the appropriate IP address in the Virtual Controller IP text box. The IP configured for the Virtual Controller can be in the same subnet as OAW-IAP or can be in a different subnet.
Chapter 9 Wireless Network Profiles
This chapter provides the following information:
- Understanding Wireless Network Profiles on page 85
- Configuring WLAN Settings for an SSID Profile on page 86
- Configuring VLAN Settings for a WLAN SSID Profile on page 89
- Configuring Security Settings for a WLAN SSID Profile on page 90
- Configuring Access Rules for a WLAN SSID Profile on page 95
- Configuring Support for Fast Roaming of Clients on page 97
- Editing Status of a WLAN SSID Profile on page
Configuring WLAN Settings for an SSID Profile You can configure WLAN settings using AOS-W Instant UI or CLI. In the AOS-W Instant UI To configure WLAN settings: 1. In the Networks tab of the AOS-W Instant main window, click the New link. The New WLAN window is displayed. The following figure shows the contents of WLAN Settings tab: Figure 32 WLAN Settings Tab 2. Enter a name that uniquely identifies a wireless network in the Name (SSID) text box. 3.
Table 17: WLAN Configuration Parameters
Parameter | Description
... directly to the associated client. Disabled— When set to Disabled, all broadcast and multicast traffic is forwarded.
DTIM interval | The DTIM interval indicates the delivery traffic indication message (DTIM) period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the OAW-IAP should deliver the buffered broadcast and multicast frames to associated clients in the powersave mode.
Table 17: WLAN Configuration Parameters
Parameter | Description
... In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for Best effort WMM share and Voice WMM share to allocate a higher bandwidth to clients transmitting best effort and voice traffic.
Content filtering | Select Enabled to route all DNS requests for the non-corporate domains to OpenDNS on this network.
Band | Select a value to specify the band at which the network transmits radio signals.
(Instant Access Point)(SSID Profile )# content-filtering
(Instant Access Point)(SSID Profile )# hide-ssid
(Instant Access Point)(SSID Profile )# inactivity-timeout
(Instant Access Point)(SSID Profile )# work-without-uplink
(Instant Access Point)(SSID Profile )# local-probe-req-thresh
(Instant Access Point)(SSID Profile )# max-clients-threshold
(Instant Access Point)(SSID Profile )# end
(Instant Access Point)# commit apply
- Default— On selecting this option, the client obtains the IP address in the same subnet as the OAW-IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
- Static— On selecting this option, you need to specify a single VLAN, a comma separated list of VLANs, or a range of VLANs for all clients on this network. Select this option for configuring VLAN pooling.
In the AOS-W Instant UI
To configure security settings for an employee or voice network:
1. In the Security tab, specify any of the following types of security levels by moving the slider to a desired level:
- Enterprise—On selecting enterprise security level, the authentication options applicable to the enterprise network are displayed.
- Personal — On selecting personal security level, the authentication options applicable to the personalized network are displayed.
Figure 36 Security Tab: Open
2. Based on the security level specified, specify the following parameters:
Table 18: Configuration Parameters for WLAN Security Settings
Parameter | Description | Security Level Type
Key Management | For Enterprise security level, select any of the following options from the Key management drop-down list:
- WPA-2 Enterprise
- Both (WPA-2 & WPA)
- WPA Enterprise
- Dynamic WEP with 802.
Table 18: Configuration Parameters for WLAN Security Settings
Parameter | Description | Security Level Type
... 1. Select an appropriate value for WEP key size from the WEP key size drop-down list. You can specify 64-bit or 128-bit. 2. Select an appropriate value for Tx key from the Tx Key drop-down list. You can specify 1, 2, 3, or 4. 3. Enter an appropriate WEP key and reconfirm.
802.11r roaming | To enable 802.11r roaming, select Enabled from the 802.11r roaming drop-down.
Table 18: Configuration Parameters for WLAN Security Settings
Parameter | Description | Security Level Type
Accounting | To enable accounting, select Enabled from the Accounting drop-down list. On setting this option to Enabled, APs post accounting information to the RADIUS server at the specified Accounting interval. | Enterprise, Personal, and Open security levels.
Authentication survivability | To enable authentication survivability, set Authentication survivability to Enabled.
association}
(Instant Access Point)(SSID Profile )# external-server server-
You can configure up to 64 access rules for an employee, voice, or guest network using the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
To configure access rules for an employee or voice network:
1. In the Access Rules tab, set the slider to any of the following types of access control:
- Unrestricted— Select this to set unrestricted access to the network.
- Network-based— Set the slider to Network-based to set common rules for all users in a network.
(Instant Access Point)(SSID Profile )# set-role-machine-auth
(Instant Access Point)(SSID Profile )# end
(Instant Access Point)# commit apply
To configure unrestricted access:
(Instant Access Point)(config)# wlan ssid-profile
(Instant Access Point)(SSID Profile )# set-role-unrestricted
(Instant Access Point)(SSID Profile )# end
(Instant Access Point)# commit apply
Configuring Support for Fast Roaming of Clients
AOS-W
Figure 37 WLAN Security Settings—Enterprise Tab 4. Set 802.11r roaming to Enabled. 802.11r roaming can also be enabled for Personal and Open security levels. 5. Click Next and then click Finish. In the CLI To enable 802.
Configuring an OAW-IAP for OKC Roaming
You can enable OKC roaming for a WLAN SSID by using the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
1. Navigate to the WLAN wizard (click Network > New, or Network > select the WLAN SSID > edit). 2. Click the Security tab. 3. Slide to the Enterprise security level. On selecting a security level, the authentication options applicable to the Enterprise network are displayed. 4. Select the WPA-2 Enterprise or Both (WPA-2 & WPA) option from the Key management drop-down list.
In the AOS-W Instant UI To modify the status of a WLAN SSID profile: 1. In the Networks tab, select the network that you want to edit. The edit link is displayed. 2. Click the edit link. The Edit network window is displayed. 3. Select or clear the Disable SSID check box to disable or enable the SSID. The SSID is enabled by default. 4. Click Next or the tab name to move to the next tab. 5. Click Finish to save the modifications.
In the CLI
To enable the extended SSIDs:
(Instant Access Point)(config)# extended-ssid
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
Editing a WLAN SSID Profile
To edit a WLAN SSID profile: 1. In the Networks tab, select the network that you want to edit. The edit link is displayed. 2. Click the edit link. The Edit network window is displayed. 3. Modify the required settings. Click Next to move to the next tab. 4. Click Finish to save the modifications.
Chapter 10 Wired Profiles
This chapter describes the following procedures:
- Configuring a Wired Profile on page 102
- Assigning a Profile to Ethernet Ports on page 108
- Understanding Hierarchical Deployment on page 107
- Configuring Wired Bridging on Ethernet 0 on page 107
- Editing a Wired Profile on page 108
- Deleting a Wired Profile on page 109
Configuring a Wired Profile
The wired profile configuration for an employee network involves the following procedures: 1.
a. Name— Specify a name for the profile.
b. Primary Usage — Select Employee or Guest.
c. Speed/Duplex — Ensure that appropriate values are selected for Speed/Duplex. Contact your network administrator if you need to assign speed and duplex parameters.
d. POE — Set POE to Enabled to enable Power over Ethernet. The E2 port on OAW-RAP3WNP supports Power Sourcing Equipment (PSE) to supply power to any compliant 802.3af powered (class 0-4) device. OAW-RAP155P supports PSE for 802.
- Access — Select this mode to allow the port to carry a single VLAN specified as the native VLAN.
- Trunk — Select this mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs.
b. Specify any of the following values for Client IP Assignment:
- Virtual Controller Assigned: Select this option to allow the Virtual Controller to assign IP addresses to the wired clients.
In the AOS-W Instant UI
To configure security parameters for an employee network:
1. Configure the following parameters in the Security tab.
- MAC authentication — To enable MAC authentication, select Enabled. MAC authentication is disabled by default.
- 802.1X authentication — To enable 802.1X authentication, select Enabled.
- MAC authentication fail-thru — To enable authentication fail-thru, select Enabled. When this feature is enabled, 802.
- Role-based— Allows the users to obtain access based on the roles assigned to them.
- Unrestricted— Allows the users to obtain unrestricted access on the port.
- Network-based— Allows the users to be authenticated based on access rules specified for a network.
b. If Role-based access control is selected, perform the following steps: Under Roles, select an existing role for which you want to apply the access rules, or click New and add the required role.
To configure unrestricted access:
(Instant Access Point)(config)# wired-port-profile
(Instant Access Point)(wired ap profile )# set-role-unrestricted
(Instant Access Point)(wired ap profile )# end
(Instant Access Point)# commit apply
Understanding Hierarchical Deployment
An OAW-IAP Series or OAW-RAP3WN (with more than one wired port) can be connected to the downlink wired port of another OAW-IAP (ethX).
Enabling wired bridging on this port of an OAW-IAP makes the port available as a downlink wired bridge and allows client access through the port. You can also use the port to connect a wired device when a 3G uplink is used. You can configure support for wired bridging on the Ethernet 0 port of an OAW-IAP using AOS-W Instant UI or CLI. In the AOS-W Instant UI To configure Ethernet bridging: 1. In the Access Points tab, click the OAW-IAP to modify. The edit link is displayed. 2. Click the edit link.
1. Click the Wired link under More at the top right corner of the AOS-W Instant main window. The Wired window is displayed. 2. In the Wired window, select the wired profile to modify. 3. Click Edit. The Edit Wired Network window is displayed. 4. Modify the required settings. 5. Click Finish to save the modifications. Deleting a Wired Profile To delete a wired profile: 1. Click the Wired link under More at the top right corner of the AOS-W Instant main window. The Wired window is displayed. 2.
Chapter 11 Captive Portal for Guest Access
This chapter provides the following information:
- Understanding Captive Portal on page 110
- Configuring a WLAN SSID for Guest Access on page 111
- Configuring Wired Profile for Guest Access on page 114
- Configuring Internal Captive Portal for Guest Network on page 116
- Configuring External Captive Portal for a Guest Network on page 118
- Configuring External Captive Portal Authentication Using ClearPass Guest on page 121
- Configuring Guest Logon
Walled Garden The administrators can also control the resources that the guest users can access and the amount of bandwidth or air time they can use at any given time. When an external Captive portal is used, the administrators can configure a walled garden, which determines access to the URLs requested by the guest users. For example, a hotel environment where the unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all its contents.
Parameters | Description
DMO channel utilization threshold | Specify a value to set a threshold for DMO channel utilization. With DMO, the OAW-IAP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90% and the maximum threshold value is 100%. When the threshold is reached or exceeded, the OAW-IAP sends multicast traffic over the wireless link.
Parameters | Description
Disable SSID | Select the check box to disable the SSID. On selecting this check box, the SSID is disabled, but not removed from the network. By default, all SSIDs are enabled.
Can be used without Uplink | Select the check box if you do not want the SSID users to use the uplink.
Max clients threshold | Specify the maximum number of clients that can be configured for each BSSID on a WLAN in the text box. You can specify a value within the range of 0 to 255. The default value is 64.
f. Content Filtering— To ensure that all DNS requests to non-corporate domains on this wired network are sent to OpenDNS, select Enabled for Content Filtering.
g. Uplink — Select Enabled to configure uplink on this wired profile. If Uplink is set to Enabled and this network profile is assigned to a specific port, the port is enabled as an uplink port. For more information on assigning a wired network profile to a port, see Assigning a Profile to Ethernet Ports on page 108.
4. Click Next.
(Instant Access Point)(config)# wired-port-profile
(Instant Access Point)(wired ap profile )# set-vlan {equals| not-equals| starts-with| ends-with| contains| matches-regular-expression} | value-of}
Configuring Internal Captive Portal for Guest Network
In the Internal Captive Portal type, an internal server is used for hosting the Captive portal service.
Parameter | Description
Accounting mode | (Applicable for WLAN SSIDs only.) Select an accounting mode from Accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network.
(Instant Access Point)(wired ap profile "")# auth-server
(Instant Access Point)(wired ap profile "")# radius-reauth-interval
(Instant Access Point)(wired ap profile "")# end
(Instant Access Point)# commit apply
To customize the internal captive portal splash page:
(Instant Access Point)(config)# wlan captive-
Table 21: Captive Portal Profile Configuration Parameters
Parameter | Description
Name | Enter a name for the profile.
Type | Select any one of the following types of authentication:
- Radius Authentication - Select this option to enable user authentication against a RADIUS server.
- Authentication Text - Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.
Configuring an SSID or Wired Profile to Use External Captive Portal Authentication
You can configure external captive portal authentication for a network profile when adding or editing a guest network using the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
1. Navigate to the WLAN wizard or Wired window.
- To configure external Captive portal authentication for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
Table 22: External Captive Portal Configuration Parameters
Parameter | Description
Encryption | Select Enabled to configure encryption settings and specify the encryption parameters.
5. Click Next to continue and then click Finish to apply the changes.
a. Enter the IP address of the ClearPass Guest server in the IP or hostname field. Obtain the ClearPass Guest IP address from your system administrator. b. Enter /page_name.php in the URL field. This URL must correspond to the Page Name configured in the ClearPass Guest RADIUS Web Login page. For example, if the Page Name is Alcatel-Lucent, the URL should be /Alcatel-Lucent.php in the AOS-W Instant UI. c. Enter the Port number (generally should be 80).
(Instant Access Point)(Access Rule )# rule {permit |deny | src-nat | dst-nat { | }}[]
(Instant Access Point)(Access Rule )# end
(Instant Access Point)# commit apply
To configure access control based on the SSID:
(Instant Access Point)(config)# wlan ssid-profile
(Instant Access Point)(SSID Profile )# set-role-by-ssid
(Instant Access Point)(SSID Profile )# end
(Instant Access Point)# commit apply
In the AOS-W Instant UI
To create a Captive portal role: 1. Select an SSID profile from the Networks tab. The Edit window is displayed. 2. In the Access tab, slide to Role-based access control by using the scroll bar. 3. Select a role or create a new one if required. 4. Click New to add a new rule. The New Rule window is displayed. 5. In the New Rule window, specify the following parameters.
Field | Description
- External page that would be displayed to users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type configured.
- To change the color of the splash page, click the Splash page rectangle and select the required color from the Background Color palette.
- To change the welcome text, click the first square box in the splash page, type the required text in the Welcome text box, and click OK.
(Instant Access Point)(Access Rule )# end
(Instant Access Point)# commit apply
Configuring Walled Garden Access
On the Internet, a walled garden typically controls access to web content and services. Walled garden access is required when an external Captive portal is used. For example, a hotel environment where the unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all its contents.
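The walled-garden decision described above, as an added Python example that is not part of the guide or of AOS-W Instant: before a guest authenticates, a request is permitted only when the requested host is the allowed site or a subdomain of it, matched on a label boundary so that a host that merely begins or ends with the allowed name is refused. The allowed domains, the sample URLs and all function names are constructed for this example.

```python
"""Added example, not from the AOS-W Instant guide: a walled-garden
decision for an unauthenticated guest. Allowed domains are matched on
label boundaries, so a subdomain of an allowed site passes but a host
that merely begins or ends with an allowed name does not. The domain
list, URLs and function names are constructed for this example."""
from urllib.parse import urlsplit

ALLOWED_DOMAINS = ("hotel.example", "login.portal.example")  # constructed sample allow-list


def host_in_walled_garden(host, allowed=ALLOWED_DOMAINS):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")  # normalize case and a trailing root dot
    return any(host == d or host.endswith("." + d) for d in map(str.lower, allowed))


def guest_request_allowed(url, authenticated, allowed=ALLOWED_DOMAINS):
    """Authenticated users pass; guests pass only for hosts inside the walled garden."""
    if authenticated:
        return True
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # hostname is taken from the authority only, so userinfo and query text
    # that merely contain an allowed name do not make a request pass
    return host_in_walled_garden(parts.hostname, allowed)


def classify(requests, allowed=ALLOWED_DOMAINS):
    """Map each (url, authenticated) pair to its permit/deny decision."""
    return {url: guest_request_allowed(url, auth, allowed) for url, auth in requests}


if __name__ == "__main__":
    sample = [  # constructed requests from an unauthenticated guest
        ("http://hotel.example/login", False),
        ("https://www.hotel.example/rates", False),
        ("http://hotel.example.attacker.test/", False),
        ("http://evilhotel.example/", False),
    ]
    for url, decision in classify(sample).items():
        print(decision, url)
```

The point of the suffix check is the leading dot: comparing against "." plus the allowed domain is what keeps an unrelated host whose name happens to end in the allowed string outside the garden, and taking the host from the parsed authority rather than from a substring search is what keeps an allowed name appearing in a query string or userinfo from counting.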
You can also customize splash page design in the Security tab of New WLAN and New Wired Network windows when configuring a new profile. 2. Navigate to the Security tab. 3. Select None from the Splash page type drop-down list. 4. Click Next and then click Finish to apply the changes.
Chapter 12 User Management
This chapter provides the following information:
- OAW-IAP Users on page 128
- Configuring Administrator Credentials for the Virtual Controller Interface on page 128
- Configuring Guest Management Interface Administrator Credentials on page 130
- Configuring Users for Internal Database of an OAW-IAP on page 130
- Configuring the Read-Only Administrator Credentials on page 132
- Adding Guest Users through the Guest Management Interface on page 132
OAW-IAP Users
The OAW
2. Click the Admin tab. The Admin tab details are displayed. The following figure shows the contents of the Admin tab:
Figure 42 Admin Tab: Management Authentication Parameters
3. Under Local, select any of the following options from the Authentication drop-down list:
- Internal— Select this option to specify a single set of user credentials. Enter the Username and Password for accessing the Virtual Controller Management User Interface. a. Specify a Username and Password. b.
(Instant Access Point)# commit apply Configuring Guest Management Interface Administrator Credentials You can configure guest administrator credentials in the AOS-W Instant UI or CLI. In the AOS-W Instant UI 1. Click the System link at top right corner of the AOS-W Instant main window. The System window is displayed. 2. Click the Admin tab. The Admin tab details are displayed. 3. Under Guest Registration Only: a. Specify a Username and Password. b. Retype the password to confirm. 4. Click OK.
Figure 43 Adding a User
3. Enter the username in the Username text box. 4. Enter the password in the Password text box and reconfirm. 5. Select a type of network from the Type drop-down list. 6. Click Add and click OK. The users are listed in the Users list.
7. To edit user settings: a. Select the user to modify under Users. b. Click Edit to modify user settings. c. Click OK.
8. To delete a user: a. In the Users section, select the username to delete. b. Click Delete. c. Click OK. 9.
To configure a guest user:
(Instant Access Point)(config)# user portal
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
Configuring the Read-Only Administrator Credentials
You can assign the read-only privilege to an admin user by using the AOS-W Instant UI or CLI.
In the AOS-W Instant UI
1. Click the System link at top right corner of the AOS-W Instant main window. The System window is displayed. 2. Click the Admin tab. The Admin tab details are displayed.
2. To add a user, click New. The New Guest User pop-up window is displayed. 3. Specify a Username and Password. 4. Retype the password to confirm. 5. Click OK.
Chapter 13 Authentication
This chapter provides the following information:
- Understanding Authentication Methods on page 134
- Supported Authentication Servers on page 135
- Understanding Encryption Types on page 141
- Understanding Authentication Survivability on page 142
- Configuring Authentication Servers on page 144
- Configuring Authentication Parameters for Virtual Controller Management Interface on page 150
- Configuring 802.
successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients.
- L2 authentication fall-through - Allows you to enable the l2-authentication-fallthrough mode. When this option is enabled, the 802.1X authentication is allowed even if the MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed. The l2-authentication-fallthrough mode is disabled by default.
External RADIUS Server In the external RADIUS server, the IP address of the Virtual Controller is configured as the NAS IP address. AOS-W Instant RADIUS is implemented on the Virtual Controller, and this eliminates the need to configure multiple NAS clients for every OAW-IAP on the RADIUS server for client authentication. AOS-W Instant RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server.
Alcatel-Lucent does not recommend the use of the LEAP authentication method, because it does not provide any resistance to network attacks.
Authentication Termination on OAW-IAP
AOS-W Instant allows Extensible Authentication Protocol (EAP) termination for Protected Extensible Authentication Protocol (PEAP)-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2).
Aruba-AP-Name, Aruba-AS-Credential-Hash, Aruba-AS-User-Name, Aruba-Admin-Role, Aruba-AirGroup-Device-Type, Aruba-AirGroup-Shared-Role, Aruba-AirGroup-Shared-User, Aruba-AirGroup-User-Name, Aruba-Auth-Survivability, Aruba-CPPM-Role, Aruba-Device-Type, Aruba-Essid-Name, Aruba-Framed-IPv6-Address, Aruba-Location-Id, Aruba-Mdps-Device-Iccid, Aruba-Mdps-Device-Imei, Aruba-Mdps-Device-Name, Aruba-Mdps-Device-Product, Aruba-Mdps-Device-Serial, Aruba-Mdps-
Digest-Response, Domain-Name, EAP-Message, Error-Cause, Event-Timestamp, Exec-Program, Exec-Program-Wait, Expiration, Fall-Through, Filter-Id, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, Framed-Compression, Framed-IP-Address, Framed-IP-Netmask, Framed-IPX-Network, Framed-IPv6-Pool, Framed-IPv6-Prefix, Framed-IPv6-Route, Framed-Interface-Id, Framed-MTU, Framed-Protocol, Framed-Route, Framed-Routing, Full
Message-Auth, NAS-IPv6-Address, NAS-Port-Type, Operator-Name, Password, Password-Retry, Port-Limit, Prefix, Prompt, Rad-Authenticator, Rad-Code, Rad-Id, Rad-Length, Reply-Message, Requested-Location-Info, Revoke-Text, Server-Group, Server-Name, Service-Type, Session-Timeout, Simultaneous-Use, State, Strip-User-Name, Suffix, Termination-Action, Termination-Menu, Tunnel-Assignment-Id, Tunnel-Client-Auth-Id, Tunnel-Client-En
Understanding Encryption Types
Encryption is the process of converting data into a cryptic format or code when it is transmitted on a network. Encryption prevents unauthorized use of the data. AOS-W Instant supports the following types of encryption:
- WEP —Wired Equivalent Privacy (WEP) is an authentication method where all users share the same key. WEP is not as secure as other encryption types such as TKIP.
- TKIP —Temporal Key Integrity Protocol (TKIP) uses the same encryption algorithm as WEP.
Table 26: Recommended Authentication and Encryption Combinations
Network Type | Authentication | Encryption
Employee | 802.1X | AES
Guest Network | Captive Portal | None
Voice Network or Handheld devices | 802.1X or PSK as supported by the device | AES if possible, TKIP or WEP if necessary (combine with security settings assigned for a user role).
If both the OAW-IAP to which the client was associated and the CPPM are not available, the client will not be able to reauthenticate until the CPPM server is available again.
Figure 46 802.1X Authentication using cached credentials
The following figure illustrates a scenario where the CPPM link is available again. The OAW-IAP sends the RADIUS-Request message to the CPPM server directly for client authentication.
Figure 47 802.1X Authentication when CPPM is reachable again You can enable authentication survivability for a wireless network profile when configuring enterprise security parameters. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 90.
Figure 48 New Authentication Server Window
3. Configure any of the following types of server:
- RADIUS Server — To configure a RADIUS server, specify the attributes described in the following table:
Table 27: RADIUS Server Configuration Parameters
Parameter | Description
Name | Enter the name of the new external RADIUS server.
IP address | Enter the IP address of the external RADIUS server.
Auth port | Enter the authorization port number of the external RADIUS server. The default port number is 1812.
Parameter | Description
RFC 3576 | Select Enabled to allow the APs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server. Disconnect messages cause a user session to be terminated immediately, whereas the CoA messages modify session authorization attributes such as data filters.
NAS IP address | Enter the Virtual Controller IP address. The NAS IP address is the Virtual Controller IP address that is sent in data packets.
Parameter | Description
... Directory, the value is sAMAccountName
Timeout | Enter a value between 1 and 30 seconds. The default value is 5.
Retry count | Enter a value between 1 and 5. The default value is 3.
- CPPM Server for AirGroup CoA — To configure a CPPM server used for AirGroup CoA (Change of Authorization), select the CoA only check box. The RADIUS server is automatically selected.
To configure an LDAP server:
(Instant Access Point)(config)# wlan ldap-server
(Instant Access Point)(LDAP Server )# ip
(Instant Access Point)(LDAP Server )# port
(Instant Access Point)(LDAP Server )# admin-dn
(Instant Access Point)(LDAP Server )# admin-password
(Instant Access Point)(LDAP Server
Controller for communication with external RADIUS servers. Ensure that the Virtual Controller IP Address is set as a NAS IP when configuring RADIUS server attributes with dynamic RADIUS proxy enabled. For more information on configuring RADIUS server attributes, see Configuring an External Server for Authentication on page 144.
5. From the Authentication Server 1 drop-down, select the server name on which dynamic RADIUS proxy parameters are enabled. You can also create a new server with RADIUS and RADIUS proxy parameters by selecting New. 6. Click Next and then click Finish. 7. To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.
Figure 49 Admin Tab: Management Authentication Parameters

3. Under Local, select any of the following options from the Authentication drop-down list:
l Internal— Select this option to specify a single set of user credentials. Enter the Username and Password for accessing the Virtual Controller Management User Interface.
l RADIUS Server— Specify one or two RADIUS servers to authenticate management users. If two servers are configured, they can be used in primary/backup mode or in load balancing mode.
The steps involved in 802.1X authentication are as follows: 1. The NAS requests authentication credentials from a wireless client. 2. The wireless client sends authentication credentials to the NAS. 3. The NAS sends these credentials to a RADIUS server. 4. The RADIUS server checks the user identity and authenticates the client if the user details are available in its database. The RADIUS server sends an Access-Accept message to the NAS.
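The four steps above, as an added illustration that is not part of the guide: a minimal NAS and RADIUS server exchanging an Access-Request and Access-Accept/Reject over the RFC 2865 wire format, using only the Python standard library. The shared secret, the user database, the NAS address 10.0.0.5 and the fixed Request Authenticator are constructed for the example. The security-relevant check is in nas_check_response: the NAS accepts a reply only after verifying the Response Authenticator, which proves the reply came from a peer holding the shared secret, so an attacker who can inject packets toward the NAS cannot forge an Access-Accept.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used in the exchange (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed sample data for this illustration, not from the guide.
SHARED_SECRET = b"example-shared-secret"
USER_DB = {b"alice": b"correct horse"}


def _attr(atype, value):
    """Encode one Type-Length-Value attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded_len = max(16, ((len(password) + 15) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, padded_len, 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the RADIUS server does on receipt."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def nas_build_access_request(ident, username, password, nas_ip, secret, request_auth=None):
    """Steps 1-3: the NAS packages the client's credentials for the RADIUS server."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    body = (_attr(ATTR_USER_NAME, username)
            + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
            + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body


def build_response(code, ident, request_auth, secret, body=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def server_handle(request, secret, user_db):
    """Step 4 on the server: check the identity and answer Access-Accept or Access-Reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def nas_check_response(response, request_auth, secret):
    """Step 4 on the NAS: trust the reply only if its Response Authenticator verifies.
    Returns the code (2 = accept, 3 = reject) or None for a forged or corrupt reply."""
    code, _, length = struct.unpack("!BBH", response[:4])
    header, response_auth, body = response[:4], response[4:20], response[20:length]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return None
    return code


def spoofed_accept(ident, request_auth):
    """An attacker without the secret tries to inject an Access-Accept toward the NAS."""
    return build_response(ACCESS_ACCEPT, ident, request_auth, b"attacker-guess")


def run_exchange(username, password, server_secret=SHARED_SECRET):
    """Full exchange; a server_secret that differs from the NAS secret models a rogue server."""
    request_auth = bytes(range(16))  # fixed here only so the run is reproducible
    request = nas_build_access_request(7, username, password, "10.0.0.5", SHARED_SECRET, request_auth)
    response = server_handle(request, server_secret, USER_DB)
    return nas_check_response(response, request_auth, SHARED_SECRET)
```

Note that User-Password hiding is MD5-based obfuscation keyed by the shared secret, not modern encryption: a weak or reused secret lets anyone on the path recover passwords, which is why the Timeout and Retry settings above only matter after a strong secret is in place.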
(Instant Access Point)(SSID Profile <name>)# opmode {wpa2-aes|wpa-tkip|wpa-tkip,wpa2-aes|dynamic-wep}
(Instant Access Point)(SSID Profile <name>)# leap-use-session-key
(Instant Access Point)(SSID Profile <name>)# termination
(Instant Access Point)(SSID Profile <name>)# external-server
(Instant Access Point)(SSID Profile <name>)# auth-server <name>
(Instant Access Point)(SSID Profile <name>)# radius-reauth-interval <minutes>
Configuring MAC Authentication for Wireless Network Profiles
You can configure MAC authentication for a wireless network profile in the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To enable MAC Authentication for a wireless network:
1. In the Network tab, click New to create a new network profile, or select an existing profile for which you want to enable MAC authentication and click edit.
2.
(Instant Access Point)(wired ap profile <name>)# auth-server <name>
(Instant Access Point)(wired ap profile <name>)# auth-server <name2>
(Instant Access Point)(wired ap profile <name>)# server-load-balancing
(Instant Access Point)(wired ap profile <name>)# radius-reauth-interval <minutes>
(Instant Access Point)(wired ap profile <name>)# end
(Instant Access Point)# commit apply

Configuring MAC Authentication with 802.
1. Click the Wired link under More at the top right corner of the AOS-W Instant main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network, or select an existing profile for which you want to enable MAC authentication and then click Edit.
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4.
2. In the Access tab, specify the following parameters for a network with Role-Based rules: a. Select the Enforce Machine Authentication check box when MAC authentication is enabled for Captive Portal. If the MAC authentication fails, the Captive Portal authentication role is assigned to the client. b. For wireless network profile, select Enforce MAC Auth Only Role check box when MAC authentication is enabled for Captive Portal.
3. Click WISPr tab. The WISPr tab contents are displayed. The following figure shows the WISPr tab contents: Figure 50 Configuring WISPr Authentication 4. Enter the ISO Country Code for the WISPr Location ID in the ISO Country Code text box. 5. Enter the E.164 Area Code for the WISPr Location ID in the E.164 Area Code text box. 6. Enter the operator name of the Hotspot in the Operator Name text box. 7. Enter the E.164 Country Code for the WISPr Location ID in the E.164 Country Code text box. 8.
Blacklisting Clients Manually Manual blacklisting adds the MAC address of a client to the blacklist. These clients are added into a permanent blacklist. These clients are not allowed to connect to the network unless they are removed from the blacklist. Adding a Client to the Blacklist You can add a client to the blacklist manually using AOS-W Instant UI or CLI. In the AOS-W Instant UI 1. Click the Security link from the top right corner of the AOS-W Instant main window. 2. Click the Blacklisting tab. 3.
3. Under Dynamic Blacklisting:
4. For Auth failure blacklist time, enter the duration in seconds for which clients that exceed the authentication failure threshold remain blacklisted.
5. For PEF rule blacklisted time, enter the duration in seconds for which clients remain blacklisted after an ACL rule trigger.
You can configure a maximum number of authentication failures by the clients, after which a client must be blacklisted.
Loading Certificates using AOS-W Instant UI To load a certificate in the AOS-W Instant UI: 1. Click the Maintenance link at the top right corner of the AOS-W Instant main window. 2. Click the Certificates tab. The Certificates tab contents are displayed. The following figure shows the Certificates window: Figure 51 Maintenance Window: Certificates Tab 3. To upload a certificate, click Upload New Certificate. The New Certificate window is displayed. 4. Browse and select the file to upload. 5.
1. Navigate to Device Setup > Certificate and then click Add to add a new certificate. The Certificate window is displayed.
2. Enter the certificate Name, and click Choose File to browse and upload the certificate.

Figure 52 Loading Certificate via OmniVista

3. Select the appropriate Format that matches the certificate file name. Select Server Cert for certificate Type, and provide the passphrase if you want to upload a Server certificate.
Figure 54 Selecting the Group

The Virtual Controller Certificate section displays the certificates (CA cert and Server).
5. Click Save to apply the changes only to OmniVista. Click Save and Apply to apply the changes to the OAW-IAP.
6. To clear the certificate options, click Revert.
Chapter 14 Roles and Policies This chapter describes the procedures for configuring user roles, role assignment, and firewall policies.
Figure 55 Firewall Settings—ALG Protocols

3. Select Enabled from the corresponding drop-down lists to enable SIP, VOCERA, Alcatel NOE, and Cisco skinny protocols.
4. Click OK.
When the protocols for ALG are Disabled, the changes do not take effect until the existing user sessions have expired. Reboot the OAW-IAP and the client, or wait a few minutes for the changes to take effect.
Configuring Firewall Settings for Protection from ARP Attacks
You can configure firewall settings to protect the network against ARP and DHCP attacks using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure firewall settings:
1. Click the Security link at the top right corner of AOS-W Instant main window.
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed.
3.
fix-dhcp       Enabled
poison-check   Enabled

To view the attack statistics:
(Instant Access Point)# show attack stats

attack counters
---------------
Counter                            Value
-------                            -----
arp packet counter                 0
drop bad arp packet counter        0
dhcp response packet counter       0
fixed bad dhcp packet counter      0
send arp attack alert counter      0
send dhcp attack alert counter     0
arp poison check counter           0
garp send check counter            0

Managing Inbound Traffic
Instant now supports enhanced inbound firewall by allowing the
Figure 57 Firewall Settings—Management Subnets 2. To add a new management subnet: l Enter the subnet address in Subnet. l Enter the subnet mask in Mask. l Click Add. 3. To add multiple subnets, repeat step 2. 4. Click OK.
Access Control List Rules You can use Access Control List (ACL) rules to either permit or deny data packets passing through the OAW-IAP. You can also limit packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses. You can create access rules to allow or block data packets that match the criteria defined in an access rule.
Table 30: Access Rule Configuration Parameters (continued)
Field: Service (continued)
l bootp— Bootstrap Protocol
l cfgm-tcp—
l cups—Common UNIX Printing System
l dhcp—Dynamic Host Configuration Protocol
l dns—Domain Name Server
l esp—Encapsulating Security Payload
l ftp—File Transfer Protocol
l gre—Generic Routing Encapsulation
l h323-tcp—H.323-Transmission Control Protocol
l h323-udp— H.
Field: Destination
Table 30: Access Rule Configuration Parameters (continued)
Field: Destination (continued)
l To a network—Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
l Except to a network—Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
l To domain name—Access is allowed or denied to the specified domains.
Configuring a Source NAT Access Rule
The source NAT action in access rules allows the user to override the routing profile entries. For example, when a routing profile is configured to use 0.0.0.0/0, all client traffic on an SSID in L3 mode, including access to the corporate network, is sent into the VPN tunnel. When an access rule is configured with the Source NAT action, the user can specify the service, protocol, or destination to which the source NAT is applied.
3. Create an access rule for the SSID profile with Source NAT action as described in Configuring Source-Based Routing on page 172. The source NAT pool is configured and source based routing entry is created. Configuring a Destination NAT Access Rule Instant supports configuration of the destination NAT rule, which can be used to redirect traffic to the specified IP address and destination port. Destination-NAT configuration is supported only in the bridge mode without VPN.
Allow POP3 Service to a Particular Server To configure POP3 service to a particular server: 1. Select an existing wireless or wired profile. Depending on the network profile selected, the Edit or Edit Wired Network window is displayed. You can also configure access rules in the Access tab of the New WLAN and New Wired Network windows when configuring a new profile. 2. In the Access tab, slide to Network-based using the scroll bar to specify access rules for the network. 3.
3. Click New to add a new rule. The New Rule window is displayed. a. Select Deny from the Action drop-down list. b. Select ftp from the Service drop-down list. c. Select except to a particular server from the Destination drop-down list and enter appropriate IP address in the IP text box. d. Click OK. 4. Click Finish. Deny bootp Service except to a Particular Network To define deny bootp service access rule except to a network: 1. Select an existing wireless or wired profile.
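The access rules described in this section (service plus destination, including the "except to a particular server" and "except to a network" destination types) as an added worked example, not code from the guide or the product: a small first-match ACL evaluator in Python. The service-to-port table, the server and network addresses, the first-match semantics and the default action are all assumptions made for the illustration; the Instant firewall's own matching and default behaviour are not shown on this page. The ordered rule list at the bottom encodes the three rules walked through above.

```python
import ipaddress
from dataclasses import dataclass

# Service names as they appear in the Service drop-down, mapped to protocol/port.
# Only the services this illustration needs; the mapping is an assumption here.
SERVICE_PORTS = {
    "ftp": ("tcp", 21),
    "pop3": ("tcp", 110),
    "bootp": ("udp", 67),
    "dns": ("udp", 53),
    "http": ("tcp", 80),
}


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    service: str      # a SERVICE_PORTS key, or "any"
    dest_kind: str    # "any", "server", "except-server", "network", "except-network", "domain"
    dest: str = ""    # IP address, CIDR network, or domain name, depending on dest_kind


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int
    dst_host: str = ""   # DNS name the client resolved; used only by "domain" rules


def service_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.service == "any":
        return True
    proto, port = SERVICE_PORTS[rule.service]
    return pkt.proto == proto and pkt.dst_port == port


def destination_matches(rule: Rule, pkt: Packet) -> bool:
    ip = ipaddress.ip_address(pkt.dst_ip)
    if rule.dest_kind == "any":
        return True
    if rule.dest_kind in ("server", "except-server"):
        hit = ip == ipaddress.ip_address(rule.dest)
        return hit if rule.dest_kind == "server" else not hit
    if rule.dest_kind in ("network", "except-network"):
        hit = ip in ipaddress.ip_network(rule.dest, strict=False)
        return hit if rule.dest_kind == "network" else not hit
    if rule.dest_kind == "domain":
        host = pkt.dst_host.lower().rstrip(".")
        domain = rule.dest.lower().rstrip(".")
        return host == domain or host.endswith("." + domain)
    raise ValueError(f"unknown destination kind {rule.dest_kind!r}")


def evaluate(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; `default` applies when no rule matches (assumed deny here)."""
    for rule in rules:
        if service_matches(rule, pkt) and destination_matches(rule, pkt):
            return rule.action
    return default


# The worked rules from the text, as an ordered list (addresses are constructed).
EXAMPLE_RULES = [
    Rule("allow", "pop3", "server", "10.1.1.25"),            # POP3 only to the mail server
    Rule("deny", "pop3", "any"),                             # ...and nowhere else
    Rule("deny", "ftp", "except-server", "10.1.1.30"),       # FTP only to one server
    Rule("deny", "bootp", "except-network", "10.1.2.0/24"),  # BOOTP only toward one subnet
    Rule("allow", "any", "any"),                             # everything else
]
```

Two points the evaluator makes visible: the "except" rules only restrict anything because they sit above the catch-all allow, so rule order is part of the policy, and a "to domain name" rule matches on the name the client resolved, so a client that connects to a raw IP address is not caught by it and needs an address-based rule as well.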
You can also create a user role when configuring wireless or wired network profiles.
(Instant Access Point)(config)# wlan access-rule <name>
(Instant Access Point)(Access Rule <name>)# bandwidth-limit {downstream <kbps> | upstream <kbps> | peruser {downstream <kbps> | upstream <kbps>}}
(Instant Access Point)(Access Rule <name>)# end
(Instant Access Point)# commit apply

To associate the access rule to a wired profile:
(Instant Access Point)(config)# wired-port-profile <name>
(Instant Access Point)(wired ap profile <name>)#
(Instant Access Point)(wired ap profile <name>)#
(Instant Access Point)# commit apply
Configuring Derivation Rules AOS-W Instant allows you to configure role and VLAN derivation-rules. You can configure these rules to assign a user role or VLAN to the clients connecting to an SSID or a wired profile. Understanding Role Assignment Rule When an SSID or wired profile is created, a default role for the clients connecting this SSID or wired profile is assigned. You can assign a user role to the clients connecting to an SSID by any of the following methods.
Device                                   DHCP Option   DHCP Fingerprint
Windows XP (SP3, Home, Professional)     Option 55     37010f03062c2e2f1f21f92b
Windows Mobile                           Option 60     3c4d6963726f736f66742057696e646f777320434500
Windows 7 Phone                          Option 55     370103060f2c2e2f
Apple Mac OSX                            Option 55     370103060f775ffc2c2e2f

Creating a Role Derivation Rule
You can configure rules for determining the role that is assigned for each authenticated client.
When Enforce Machine Authentication is enabled, both the device and the user must be authenticated for the role assignment rule to apply.
Figure 58 RADIUS Access-Accept packets with VSA

Figure 59 Configure VSA on a RADIUS Server

VLAN Assignment Based on Derivation Rules
When an external RADIUS server is used for authentication, the RADIUS server may return a reply message for authentication. If the RADIUS server supports return attributes, and sets an attribute value to the reply message, the OAW-IAP can analyze the return message and match attributes with a user pre-defined VLAN derivation rule.
Figure 60 Configuring RADIUS Attributes on the RADIUS Server

User Role
If the VSA and VLAN derivation rules are not matching, then the user VLAN can be derived by a user role.

VLANs Created for an SSID
If the VSA and VLAN derivation rules are not matching, and the User Role does not contain a VLAN, the user VLAN can be derived by VLANs configured for an SSID or Ethernet port profile.
Figure 61 VLAN Assignment Rule Window 3. Select the attribute from the Attribute drop-down list. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For information on a list of RADIUS attributes, see RADIUS Server Authentication with VSA on page 136. 4. Select the operator from the Operator drop-down list.
(Instant Access Point)(SSID Profile "Profile1")# set-vlan mac-address-and-dhcp-options matches-regular-expression ..link 100
(Instant Access Point)(SSID Profile "Profile1")# end
(Instant Access Point)# commit apply

Using Advanced Expressions in Role and VLAN Derivation Rules
For complex policies of role and VLAN derivation using device DHCP fingerprints, you can use a regular expression to match against the combined string of the MAC address and the DHCP options.
Operator   Description
\>         Matches the end of the word. For example, \>list matches blacklist, whitelist, and so on.
{n}        Where n is an integer. Matches the declared element exactly n times. For example, {2}link matches uplink, but not downlink.
{n,}       Where n is an integer. Matches the declared element at least n times. For example, {2,}ink matches downlink, but not uplink.
3. Click New under the New Role Assignment and configure the following parameters: a. Select the attribute from the Attribute drop-down list. b. Select the operator to match from the Operator drop-down list. c. Enter the string to match in the String text box. d. Select the role to be assigned from the Role text box. The following figure shows an example for the VLAN role assignment: Figure 62 User VLAN Role Assignment 4. Click OK.
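Role and VLAN derivation as described above (the DHCP fingerprint table, rules on mac-address, dhcp-option and mac-address-and-dhcp-options, regular-expression operators, and the VLAN precedence of derivation rule, then user role, then SSID), as an added worked example that is not code from the guide or the product. It rebuilds the fingerprint strings in the table from the raw DHCP option bytes, evaluates an ordered rule list, and applies the VLAN precedence. Assumptions: the operator names, the exact layout of the combined MAC-plus-DHCP string (MAC without separators followed by the fingerprint), and the sample MAC addresses and rule values are all constructed for the illustration; the Windows XP option 55 parameter list is the one whose fingerprint appears in the table.

```python
import re
from dataclasses import dataclass


def dhcp_fingerprint(option_code: int, value: bytes) -> str:
    """Fingerprint as in the table: the option code byte followed by the option value, all in hex."""
    return f"{option_code:02x}{value.hex()}"


def option55_fingerprint(requested_params) -> str:
    """Option 55 (Parameter Request List) carries one byte per requested option."""
    return dhcp_fingerprint(55, bytes(requested_params))


@dataclass(frozen=True)
class DerivationRule:
    attribute: str   # "mac-address", "dhcp-option", "mac-address-and-dhcp-options", or a RADIUS reply attribute
    operator: str    # "equals", "contains", "starts-with", "matches-regular-expression" (assumed names)
    value: str
    result: str      # role name for a role rule, VLAN id for a VLAN rule


def _op(operator: str, candidate: str, value: str) -> bool:
    if operator == "equals":
        return candidate == value
    if operator == "contains":
        return value in candidate
    if operator == "starts-with":
        return candidate.startswith(value)
    if operator == "matches-regular-expression":
        return re.search(value, candidate) is not None
    raise ValueError(f"unknown operator {operator!r}")


def client_attributes(mac: str, dhcp_options, radius_reply=None) -> dict:
    """Attribute set a rule is evaluated against.
    dhcp_options: list of (option_code, value_bytes) seen in the client's DHCP request.
    radius_reply: attributes returned by the RADIUS server (only present after 802.1X/MAC auth)."""
    mac = mac.lower()
    fingerprint = "".join(dhcp_fingerprint(code, value) for code, value in dhcp_options)
    attrs = {
        "mac-address": mac,
        "dhcp-option": fingerprint,
        # Assumed layout of the combined string: MAC without separators, then the fingerprint.
        "mac-address-and-dhcp-options": mac.replace(":", "") + fingerprint,
    }
    attrs.update(radius_reply or {})
    return attrs


def first_match(rules, attrs: dict):
    """Rules are evaluated in order; the first one that matches decides."""
    for rule in rules:
        candidate = attrs.get(rule.attribute)
        if candidate is not None and _op(rule.operator, candidate, rule.value):
            return rule.result
    return None


def derive_vlan(vlan_rules, attrs: dict, role: str, role_vlans: dict, ssid_vlan: str):
    """Precedence from the text: VLAN derivation rule, then the user role's VLAN, then the SSID VLAN.
    Returns (vlan, source) so the caller can see which stage decided."""
    vlan = first_match(vlan_rules, attrs)
    if vlan is not None:
        return vlan, "derivation-rule"
    if role in role_vlans:
        return role_vlans[role], "user-role"
    return ssid_vlan, "ssid"


# Constructed data: the Windows XP Parameter Request List behind the table's first fingerprint.
WINXP_OPTION55 = [1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43]

# Constructed rule set. MAC and DHCP contents are chosen by the client, so rules on them
# only ever hand out low-privilege roles; the privileged VLAN comes from a RADIUS reply attribute.
ROLE_RULES = [
    DerivationRule("dhcp-option", "equals", "37010f03062c2e2f1f21f92b", "legacy-xp"),
    DerivationRule("mac-address-and-dhcp-options", "matches-regular-expression",
                   "^[0-9a-f]{12}3c4d6963726f736f6674", "windows-mobile"),
    DerivationRule("mac-address", "starts-with", "00:1a:2b", "printer"),
]
VLAN_RULES = [DerivationRule("Tunnel-Private-Group-Id", "equals", "300", "300")]
```

Because both the MAC address and the DHCP option contents are supplied by the client, a fingerprint rule is a convenience for placing known device classes, not an authentication result; keep the rules that grant access to sensitive VLANs keyed on attributes the RADIUS server returns, as the Enforce Machine Authentication note above implies.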
Chapter 15 Uplink Configuration This chapter provides the following information: l Uplink Interfaces on page 187 l Ethernet Uplink on page 188 l 3G/4G Uplink on page 190 l Wi-Fi Uplink on page 194 l Uplink Preferences and Switching on page 196 Uplink Interfaces AOS-W Instant network supports Ethernet, 3G and 4G USB modems, and the Wi-Fi uplink to provide access to the corporate Instant network.
Ethernet Uplink
The Ethernet 0 port on an OAW-IAP is enabled as an uplink port by default. You can view the type of uplink and the status of the uplink in the Info tab of the AOS-W Instant UI.

Figure 64 Uplink Status

Ethernet uplink supports the following types of configuration in this Instant release.
n PPPoE
n DHCP
n Static IP
You can use PPPoE for your uplink connectivity in both OAW-IAP and IAP-VPN deployments. PPPoE is supported only in a single AP deployment. Uplink redundancy with the PPPoE link is not supported. When the Ethernet link is up, it is used as a PPPoE or DHCP uplink. After the PPPoE settings are configured, PPPoE has the highest priority for the uplink connections.
(Instant Access Point)(pppoe-uplink-profile)# pppoe-unnumbered-local-l3-dhcp-profile <name>
(Instant Access Point)(pppoe-uplink-profile)# end
(Instant Access Point)# commit apply

To view the PPPoE configuration:
(Instant Access Point)# show pppoe config

PPPoE Configuration
-------------------
Type                     Value
----                     -----
User                     testUser
Password                 3c28ec1b82d3eef0e65371da2f39c4d49803e5b2bc88be0c
Service name             internet03
CHAP secret              8e87644deda9364100719e017f88ebce
Unnumbered dhcp profile  dhcpProfile1

To view the
Table 32: List of Supported 3G Modems
Modem Type                  Supported 3G Modems
Auto-detect + ISP/country
Table 32: List of Supported 3G Modems (continued)
Modem Type        Supported 3G Modems
No auto-detect    l Huawei E1731 (Airtel-3G (India))
                  l Huawei E3765 (Vodafone (Aus))
                  l Huawei E3765 (T-Mobile (Germany))
                  l Huawei E1552 (SingTel)
                  l Huawei E1750 (T-Mobile (Germany))
                  l UGM 1831 (TMobile)
                  l Huawei D33HW (EMOBILE (Japan))
                  l Huawei GD01 (EMOBILE (Japan))
                  l Huawei EC150 (Reliance NetConnect+ (India))
                  l KDDI DATA07 (Huawei) (KDDI (Japan))
                  l Huawei E353 (China Unicom)
                  l Huawei EC167 (China Telecom)
                  l Huawei E367 (Vodafone (UK))
l For 4G — Enter the type of 4G modem in the 4G USB type text box. c. Enter the device ID of modem in the USB dev text box. d. Enter the TTY port of the modem in the USB tty text box. e. Enter the parameter to initialize the modem in the USB init text box. f. Enter the parameter to dial the cell tower in the USB dial text box. g. Enter the username used to dial the ISP in the USB user text box. h. Enter the password used to dial the ISP in the USB password text box. i.
(Instant Access Point)(cellular-uplink-profile)# usb-init <init-string>
(Instant Access Point)(cellular-uplink-profile)# usb-dial <dial-string>
(Instant Access Point)(cellular-uplink-profile)# end
(Instant Access Point)# commit apply

To view the cellular configuration:
(Instant Access Point)# show cellular config
USB Plugged in: Vendor_ID=0 Product_ID=0

cellular configure
------------------
Type          Value
----          -----
4g-usb-type   pantech-lte
usb-type
usb-dev       test
usb-tty
usb-init
usb-user
usb-passwd
l If the Wi-Fi uplink is used on the 5 GHz band, mesh is disabled. The two links are mutually exclusive.
l For OAW-IAPs to connect to an AOS-W Instant based WLAN using Wi-Fi uplink, the mobility switch must run AOS-W Instant 6.2.1.0 or later.
To provision an OAW-IAP with the Wi-Fi Uplink, complete the following steps:
1. If you are configuring a Wi-Fi uplink after restoring factory settings on an OAW-IAP, connect the OAW-IAP to an Ethernet cable to allow the OAW-IAP to get the IP address.
Uplink Preferences and Switching This topic describes the following procedures: l Enforcing Uplinks on page 196 l Setting an Uplink Priority on page 196 l Enabling Uplink Preemption on page 197 l Switching Uplinks Based on VPN and Internet Availability on page 197 l Viewing Uplink Status and Configuration on page 199 Enforcing Uplinks The following configuration conditions apply to the uplink enforcement: l When an uplink is enforced, the OAW-IAP uses the specified uplink regardless of uplink pre
In the CLI
To set an uplink priority:
(Instant Access Point)(config)# uplink
(Instant Access Point)(uplink)# uplink-priority {cellular | ethernet | [port <port>] | wifi} <priority>
(Instant Access Point)(uplink)# end
(Instant Access Point)# commit apply

For example, to set a priority for Ethernet uplink:
(Instant Access Point)(uplink)# uplink-priority ethernet port 0 1
(Instant Access Point)(uplink)# end
(Instant Access Point)# commit apply

Enabling Uplink Preemption
l If the current uplink is 3G or Wi-Fi, and Ethernet has a physical link, the OAW-IAP periodically suspends user traffic to try and connect to the VPN on the Ethernet. If the OAW-IAP succeeds, the OAW-IAP switches to Ethernet. If the OAW-IAP does not succeed, it restores the VPN connection to the current uplink. Uplink switching based on VPN status is automatically enabled if VPN is configured on the OAW-IAP. However, you can specify the duration in VPN failover timeout field to wait for an uplink switch.
Viewing Uplink Status and Configuration
To view the uplink status and configuration in the CLI:
Instant Access Point# show uplink status
Uplink preemption      :enable
Uplink enforce         :none
Ethernet uplink bond0  :DHCP

Uplink Table
------------
Type      State   Priority   In Use
----      -----   --------   ------
eth0      UP      0          Yes
Wifi-sta  LOAD    6          No
3G/4G     INIT    7          No

Internet failover            :disable
Max allowed test packet loss :10
Secs between test packets    :30
VPN failover timeout (secs)  :180
ICMP pkt sent                :0
ICMP pkt lost                :0
Continuous pkt lost          :
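The uplink priority, preemption and loss-based switching behaviour described in this section, as an added model that is not the product's own logic: a small state machine fed with test-packet results. It uses the counters visible in the show output above (a configurable maximum allowed test packet loss, a running count of continuous lost packets) and the priority order from the Uplink Table. The uplink names, the rule that failover happens when the continuous loss count exceeds the maximum, and the behaviour when every uplink has failed are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Uplink:
    name: str
    priority: int        # as in the Uplink Table: the lower value is preferred
    link_up: bool = True


class UplinkSwitcher:
    """Models uplink selection, loss-based failover and preemption (constructed illustration)."""

    def __init__(self, uplinks, max_allowed_loss=10, preemption=True):
        self.uplinks = sorted(uplinks, key=lambda u: u.priority)
        self.max_allowed_loss = max_allowed_loss
        self.preemption = preemption
        self.failed = set()          # uplinks that exceeded the loss threshold
        self.continuous_lost = 0     # "Continuous pkt lost" for the active uplink
        self.active = self._best_candidate()

    def _best_candidate(self):
        """Highest-priority uplink whose link is up and which has not failed."""
        for uplink in self.uplinks:
            if uplink.link_up and uplink.name not in self.failed:
                return uplink.name
        return None

    def probe(self, reachable: bool) -> str:
        """Record one test-packet result on the active uplink; return the uplink in use afterwards."""
        if reachable:
            self.continuous_lost = 0
            return self.active
        self.continuous_lost += 1
        if self.continuous_lost > self.max_allowed_loss:
            self.failed.add(self.active)
            candidate = self._best_candidate()
            if candidate is None:
                # Nothing else is usable: forget the failures and retry from the top (assumption).
                self.failed.clear()
                candidate = self._best_candidate() or self.active
            self.active = candidate
            self.continuous_lost = 0
        return self.active

    def preemption_check(self, test_results: dict) -> str:
        """Periodic test over the higher-priority uplinks (for example the VPN test over Ethernet
        while running on 3G or Wi-Fi). With preemption enabled, move back to the best one that passes."""
        if not self.preemption:
            return self.active
        for uplink in self.uplinks:
            if uplink.name == self.active:
                break
            if uplink.link_up and test_results.get(uplink.name):
                self.failed.discard(uplink.name)
                self.active = uplink.name
                self.continuous_lost = 0
                break
        return self.active

    def status(self):
        """(name, priority, in_use) rows in the shape of the Uplink Table."""
        return [(u.name, u.priority, u.name == self.active) for u in self.uplinks]
```

The model makes the threshold semantics explicit: with the defaults shown above, ten consecutive lost test packets are tolerated and the eleventh triggers the switch, and a single successful probe resets the count, so intermittent loss below the threshold never causes a failover.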
Chapter 16 Mobility and Client Management This chapter provides the following information: l Layer-3 Mobility Overview on page 200 l Configuring L3-Mobility on page 201 Layer-3 Mobility Overview OAW-IAPs form a single AOS-W Instant network when they are in the same Layer-2 (L2) domain. As the number of clients increase, multiple subnets are required to avoid broadcast overhead.
Each foreign AP has only one home AP per AOS-W Instant network to avoid duplication of broadcast traffic. Separate GRE tunnels are created for each foreign AP / home AP pair. If a peer AP is a foreign AP for one client and a home AP for another, two separate GRE tunnels are used to handle L3 roaming traffic between these APs. If client subnet discovery fails on association due to some reason, the foreign AP identifies its subnet when it sends out the first L3 packet.
Figure 66 L3 Mobility Window 1. Select Enabled from the Home agent load balancing drop-down list. By default, home agent load balancing is disabled. 2. Click New in the Virtual Controller IP Addresses section, add the IP address of a Virtual Controller that is part of the mobility domain, and click OK. 3. Repeat Step 2 to add the IP addresses of all Virtual Controllers that form the L3 mobility domain. 4. Click New in the Subnets section and specify the following: a.
Chapter 17 Spectrum Monitor This chapter provides the following information: l Understanding Spectrum Data on page 203 l Configuring Spectrum Monitors and Hybrid OAW-IAPs on page 208 Understanding Spectrum Data Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference.
Figure 67 Device List

Table 34 shows the details of the information that is displayed:

Table 34: Device Summary and Channel Information
Column   Description
Type     Device type.
Table 35: Non Wi-Fi Interferer Types Non Wi-Fi Interferer Description Bluetooth Any device that uses the Bluetooth protocol to communicate in the 2.4 GHz band is classified as a Bluetooth device. Bluetooth uses a frequency hopping protocol. Fixed Frequency (Audio) Some audio devices such as wireless speakers and microphones also use fixed frequency to continuously transmit audio. These devices are classified as Fixed Frequency (Audio).
Non Wi-Fi Interferer Generic Interferer Description Any non-frequency hopping device that does not fall into one of the other categories described in this table is classified as a Generic Interferer. For example a Microwave-like device that does not operate in the known operating frequencies used by the Microwave ovens may be classified as a Generic Interferer. Similarly wide-band interfering devices may be classified as Generic Interferers.
Column                   Description
Max Interference (dBm)   Signal strength of the non Wi-Fi device that has the highest signal strength.
SNIR (dB)                The ratio of signal strength to the combined levels of interference and noise on that channel. This value is calculated by determining the maximum noise-floor and interference-signal levels, and then calculating how strong the desired signal is above this maximum.
Column Description Quality(%) Current relative quality of selected channels in the 2.4 GHz or 5 GHz radio bands, as determined by the percentage of packet retries, the current noise floor, and the duty cycle for non Wi-Fi devices on that channel. Availability(%) The percentage of the channel currently available for use. Utilization(%) The percentage of the channel being used. WiFi Util(%) The percentage of the channel currently being used by Wi-Fi devices.
To configure 5 GHz radio settings:
(Instant Access Point)(config)# rf dot11a-radio-profile
(Instant Access Point)(RF dot11a Radio Profile)# spectrum-monitor

Converting an OAW-IAP to a Spectrum Monitor
In spectrum mode, spectrum monitoring is performed on entire bands. However, for the 5 GHz radio, spectrum monitoring is performed on only one of the three bands:
l 5 GHz - lower
l 5 GHz - middle
l 5 GHz - higher
By default, spectrum monitoring is performed on the upper band of the 5 GHz radio.
5.0 GHz:
Legacy Mode:disable
Beacon Interval:100
802.11d/802.11h:disable
Interference Immunity Level:2
Channel Switch Announcement Count:0
Channel Reuse Type:disable
Channel Reuse Threshold:0
Background Spectrum Monitor:disable
Standalone Spectrum Band:5ghz-upper
Chapter 18 Adaptive Radio Management This chapter provides the following information: l ARM Overview on page 211 l Configuring ARM Features on an OAW-IAP on page 213 l Configuring Radio Settings for an OAW-IAP on page 218 ARM Overview Adaptive Radio Management (ARM) is a radio frequency management technology that optimizes WLAN performance even in the networks with highest traffic by dynamically and intelligently choosing the best 802.
Legacy 802.11a/b/g access points do not support the client match feature. When client match is enabled on 802.11n capable access points, the client match feature overrides any settings configured for the legacy bandsteering, station handoff assist or load balancing features. 802.11ac-capable access points do not support the legacy bandsteering, station hand off or load balancing settings, so these access points must be managed using client match.
configured on an AP is not supported by the AP model, this value is reduced to the highest supported power setting. The default value for minimum transmit power is 18 dBm.
l Maximum Transmit Power — This indicates the maximum Effective Isotropic Radiated Power (EIRP) from 3 to 33 dBm in 3 dBm increments. Higher power level settings may be constrained by local regulatory requirements and AP capabilities.
Figure 71 RF Window - ARM Tab

3. Configure the following parameters for Band steering mode:

Table 38: Band Steering Mode - Configuration Parameters
Parameter      Description
Prefer 5 GHz   Select this option to use band steering in 5 GHz mode. On selecting this, the OAW-IAP steers the client to the 5 GHz band (if the client is 5 GHz capable), but allows the client connection on the 2.4 GHz band if the client persistently attempts 2.4 GHz association.
4. For Airtime fairness mode, specify any of the following values: Table 39: Airtime Fairness Mode - Configuration Parameters Parameter Description Default Access Select this option to provide access based on client requests. When Air Time Fairness is set to default access, per user and per SSID bandwidth limits are not enforced. Fair Access Select this option to allocate Airtime evenly across all the clients.
Table 41: Access Point Control - Configuration Parameters
Parameter                  Description
Customize Valid Channels   Select this check box to customize valid channels for 2.4 GHz and 5 GHz. By default, the AP uses the valid channels defined by the Country Code (regulatory domain). On selecting the Customize Valid Channels check box, a list of valid channels for both 2.4 GHz and 5 GHz is displayed. The valid channel customization feature is disabled by default.
(Instant Access Point)(ARM)# band-steering-mode <mode>
(Instant Access Point)(ARM)# air-time-fairness-mode {<Default Access>|<Fair Access>|<Preferred Access>}
(Instant Access Point)(ARM)# scanning
(Instant Access Point)(ARM)# client-match calc-interval <seconds>
(Instant Access Point)(ARM)# client-match calc-threshold <threshold>
(Instant Access Point)(ARM)# client-match nb-matching <
Channel   Status
40        enable
44        enable
48        enable
52        enable
56        enable
60        enable
64        enable
149       enable
153       enable
157       enable
161       enable
165       enable
36+       enable
44+       enable
52+       disable
60+       disable
149+      enable
157+      enable
36E       enable
52E       enable
149E      enable

Configuring Radio Settings for an OAW-IAP
You can configure 2.4 GHz and 5 GHz radio settings for an OAW-IAP either using AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure radio settings:
1. Click the RF link at the top right corner of the AOS-W Instant main window.
2.
Parameter   Description
l Level 2— Noise and spur immunity. This level also controls the detection of OFDM packets, and is the default setting for the Noise Immunity feature.
l Level 3— Level 2 settings and weak OFDM immunity. This level minimizes false detects on the radio due to interference, but may also reduce radio sensitivity. This level is recommended for environments with a high level of interference related to 2.4 GHz appliances such as cordless phones.
l Level 4— Level 3 settings, and FIR immunity.
802.11d/802.11h:enable
Interference Immunity Level:2
Channel Switch Announcement Count:0
MAX Distance:600
Channel Reuse Type:disable
Channel Reuse Threshold:0
Background Spectrum Monitor:disable

5.0 GHz:
Legacy Mode:enable
Beacon Interval:100
802.11d/802.
Chapter 19 Intrusion Detection
The Intrusion Detection System (IDS) is a feature that monitors the network for the presence of unauthorized OAW-IAPs and clients. It also logs information about the unauthorized OAW-IAPs and clients, and generates reports based on the logged information. The IDS feature in the AOS-W Instant network enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations.
l Windows Server
l Windows XP
l Windows ME
l OS-X
l iPhone
l iOS
l Android
l Blackberry
l Linux

Configuring Wireless Intrusion Protection and Detection Levels
WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Alcatel-Lucent network, the WIP can be configured on the OAW-IAP.
Figure 73 Wireless Intrusion Detection

The following table describes the detection policies enabled in the Infrastructure Detection Custom settings field.

Table 43: Infrastructure Detection Policies
Detection Level   Detection Policy
Off               Rogue Classification
Low
Medium
High
Table 43: Infrastructure Detection Policies (continued)
Detection Level   Detection Policy
                  l Detect Malformed Frame— HT IE
                  l Detect Malformed Frame— Association Request
                  l Detect Malformed Frame— Auth
                  l Detect Overflow IE
                  l Detect Overflow EAPOL Key
                  l Detect Beacon Wrong Channel
                  l Detect devices with invalid MAC OUI

The following table describes the detection policies enabled in the Client Detection Custom settings field.
Figure 74 Wireless Intrusion Protection The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings field.
Containment Methods You can enable wired and wireless containments to prevent unauthorized stations from connecting to your AOS-W Instant network. AOS-W Instant supports the following types of containment mechanisms: l Wired containment— When enabled, AOS-W Instant Access Points generate ARP packets on the wired network to contain wireless attacks.
Chapter 20 Content Filtering

This chapter provides the following information:
- Content Filtering on page 228
- Enabling Content Filtering on page 228
- Configuring Enterprise Domains on page 229
- Configuring OpenDNS Credentials on page 229

Content Filtering

The Content Filtering feature allows you to create Internet access policies that allow or deny user access to Websites based on Website categories and security ratings.
(Instant Access Point)(SSID Profile )# end
(Instant Access Point)# commit apply

Enabling Content Filtering for a Wired Profile

To enable content filtering for a wired profile, perform the following steps:

In the AOS-W Instant UI
1. Click the Wired link under More at the top right corner of the AOS-W Instant main window. The Wired window is displayed.
2. In the Wired window, select the wired profile to modify.
3. Click Edit. The Edit Wired Network window is displayed.
4.
In the AOS-W Instant UI
To configure OpenDNS credentials:
1. Click More> Services>OpenDNS. The OpenDNS tab contents are displayed.
2. Enter the Username and Password to enable access to OpenDNS.
3. Click OK to apply the changes.

In the CLI
To configure OpenDNS credentials:
(Instant Access Point)(config)# opendns
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
Chapter 21 DHCP Configuration

This chapter provides the following information:
- Configuring DHCP Scopes on page 231
- Configuring DHCP Server for Client IP Assignment on page 238

Configuring DHCP Scopes

The Virtual Controller supports different modes of DHCP address assignment. Each DHCP address assignment mode is associated with particular client traffic forwarding modes. For more information on client traffic forwarding modes for IAP-VPN, see L2/L3 Forwarding Modes on page 252.
Figure 76 New DHCP Scope: Distributed DHCP Mode

3. Based on the type of distributed DHCP scope, configure the following parameters:

Table 47: Distributed DHCP Mode: Configuration Parameters
- Name: Enter a name for the DHCP scope.
- Type: Select any of the following options:
  Distributed, L2— On selecting Distributed, L2, the Virtual Controller acts as the DHCP Server but the default gateway is in the data center. Traffic is bridged into the VPN tunnel.
Table 47: Distributed DHCP Mode: Configuration Parameters (continued)
- (continued) performed to ensure that the specified ranges of IP addresses are in the same subnet as the default router and subnet mask. The configured IP range is divided into blocks based on the configured client count. For Distributed,L3 mode, you can configure any discontiguous IP ranges. The configured IP range is divided into multiple IP subnets that are sufficient to accommodate the configured client count.
(Instant Access Point)(DHCP Profile )# ip-range
(Instant Access Point)(DHCP Profile )# reserve {first | last}
(Instant Access Point)(DHCP Profile )# option
(Instant Access Point)(DHCP Profile )# end
(Instant Access Point)# commit apply

Configuring Centralized DHCP Scope

The Centralized DHCP scope supports L2 and L3 clients.
Table 48: DHCP Mode: Configuration Parameters (continued)
- (continued) DHCP requests.
- Helper address: Enter the IP address of the DHCP server.
- VLAN IP: Specify the VLAN IP address of the DHCP relay server.
- VLAN Mask: Specify the VLAN subnet mask of the DHCP relay server.
- Option82: This option is available only if Centralized is selected. Select Alcatel to enable DHCP Option 82 to allow clients to send DHCP packets with the Option 82 string. The Option 82 string is available only in the Alcatel (ALU) format.
(Instant Access Point)# commit apply

Configuring Local and Local,L3 DHCP Scopes

You can configure Local and Local,L3 DHCP scopes by using the AOS-W Instant UI or CLI.
- Local — In this mode, the Virtual Controller acts as both the DHCP Server and the default gateway. The configured subnet and the corresponding DHCP scope are independent of subnets configured in other OAW-IAP clusters.
Table 50: DHCP Mode: Configuration Parameters
- VLAN: Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile. For more information on SSID profile configuration, see Configuring VLAN Settings for a WLAN SSID Profile on page 89 and Configuring VLAN for a Wired Profile on page 103.
- Network: Specify the network to use.
- Net Mask: If Local or Local,L3 is selected, specify the subnet mask.
Configuring DHCP Server for Client IP Assignment

The DHCP server is a built-in server, used for networks in which clients are assigned IP addresses by the Virtual Controller. You can customize the DHCP pool subnet and address range to provide simultaneous access to a larger number of clients. The largest address pool supported is 2048. The default size of the IP address pool is 512.
Chapter 22 VPN Configuration

This chapter describes the following VPN configuration procedures:
- Understanding VPN Features on page 239
- Configuring a Tunnel from an OAW-IAP to OmniAccess WLAN Switch on page 239
- Configuring Routing Profiles on page 250

Understanding VPN Features

As OAW-IAPs use a Virtual Controller architecture, the OAW-IAP network does not require a physical controller to provide the configured WLAN services.
3. Enter the IP address or fully qualified domain name (FQDN) for the main VPN/IPSec endpoint in the Primary host field.
4. Enter the IP address or FQDN for the backup VPN/IPSec endpoint in the Backup host field. This entry is optional. When you specify the primary and backup host details, the other fields are displayed.
5. Specify the following parameters. A sample configuration is shown in Figure 79.
a.
(Instant Access Point)(config)# vpn reconnect-user-on-failover
(Instant Access Point)(config)# vpn reconnect-time-on-failover
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
a. To allow the VPN tunnel to switch back to the primary host when it becomes available again, select Enabled from the Preemption drop-down list. This step is optional.
b. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold time. The default value for Hold time is 600 seconds.
c.
In the CLI
To enable automatic configuration of the GRE tunnel:
(Instant Access Point)(config)# vpn gre-outside
(Instant Access Point)(config)# vpn primary
(Instant Access Point)(config)# vpn backup <>
(Instant Access Point)(config)# vpn fast-failover
(Instant Access Point)(config)# vpn hold-time
(Instant Access Point)(config)# vpn preemption
(Instant Access Point)(config)# vpn moni
Figure 81 Manual GRE Configuration 4. Click Next to continue. When the GRE tunnel configuration is completed on both the OAW-IAP and Switch, the packets sent from and received by an OAW-IAP are encapsulated, but not encrypted.
- OAW-RAP109
- OAW-IAP135

You can configure an L2TPv3 tunnel from the Virtual Controller using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
1. Click the More>VPN link at the top right corner of the AOS-W Instant UI. The Tunneling window is displayed.
Figure 82 L2TPv3 Tunneling
2. Select L2TPv3 from the Protocol drop-down list.
3. Configure the tunnel profile:
a. Enter the tunnel name to be used for tunnel creation.
Figure 83 Tunnel Configuration
b. Enter the primary server IP address.
c.
f. Select the message digest (MD5 or SHA) used for message authentication.
g. Enter a shared key for the message digest. This key must match the shared key configured on the tunnel end point.
h. If required, select the failover mode as Primary or Backup (when a backup server is available).
i. Specify a tunnel MTU value if required. The default value is 1460.
j. Click OK.
4. Configure the session profile:
a. Enter the session name to be used for session creation.
Figure 84 Session Configuration
b.
(Instant Access Point)(L2TPv3 Tunnel Profile )# secret-key
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

To configure an L2TPv3 session:
(Instant Access Point)(config)# l2tpv3 session
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# cookie len value
(Instant Access Point)(L2TPv3 Tunnel Profile <l2tpv3_session_profile>)# l2tpv3 tunnel
To view the L2TPv3 global configuration:
(Instant Access Point)# show l2tpv3 global parameter

L2TPV3 Global configuration
---------------------------
Host Name
---------
Instant-C4:42:98

To view the L2TPV3 session status:
(Instant Access Point)# show l2tpv3 session status

Session 1821009927 on tunnel 858508253:type: LAC Incoming Call, state: ESTABLISHED
  created at: Jul 2 04:58:45 2013
  administrative name: 'test_session' (primary)
  created by admin: YES, peer session id: 12382
  session profile name: test_session_primary
  data rx packets: 0, rx bytes: 0, rx errors: 0
  data tx packets: 6, tx bytes: 588, tx errors: 0
  establish retries: 0

To view the L2TPv3 tunnel config:
(Instant Access Point)# show l2tpv3 tunnel config

Tunnel profile test_tunnel_primary
  l2tp host name: Instant-C4:42:98
  local UDP port: 1701
  peer IP address: 10.0.0.
(L2TPv3 control message counters, continued; the row labels did not survive on this page)
SCCRP SCCCN STOPCCN RESERVED1 HELLO OCRQ OCRP OCCN ICRQ ICRP ICCN RESERVED2 CDN WEN SLI
1     0     0       0         95    0    0    0    0    1    0    0         0   0   0
0     0     0       0         0     0    0    0    0    0    0    0         0   0   0
0     1     0       0         95    0    0    0    1    0    1    0         0   0   0

Configuring Routing Profiles

AOS-W Instant can terminate a single VPN connection on an OmniAccess WLAN Switch. The Routing profile defines the corporate subnets that need to be tunneled through IPSec. You can configure routing profiles to specify policy-based routing into the VPN tunnel using the AOS-W Instant UI or CLI.
4. Click OK.
5. Click Finish.

In the CLI
(Instant Access Point)(config)# routing-profile
(Instant Access Point)(Routing-profile)# route
(Instant Access Point)(Routing-profile)# end
(Instant Access Point)# commit apply
Chapter 23 IAP-VPN Configuration

Alcatel-Lucent switches provide the ability to terminate the IPSec and GRE VPN tunnels from the OAW-IAP and provide corporate connectivity to the branch network. This section describes the following topics:
- Overview on page 252
- VPN Configuration on page 255
- Viewing Branch Status on page 256

Overview

This section provides a brief summary of the features supported by the switches to allow VPN termination from an OAW-IAP.
IAP-VPN Scalability Limits AOS-W Instant provides enhancements to the scalability limits for the IAP-VPN branches terminating on the switch.
To verify the details of the configured aggregated route, use the following command:
(host) # show ip ospf rapng-vpn aggregated-routes

(host) #show ip ospf rapng-vpn aggregate-routes 100.100.2.0 255.255.255.0
Contributing routes of RAPNG VPN aggregate route
-----------------------------------------------
Prefix        Mask             Next-Hop  Cost
------        ----             --------  ----
100.100.2.64  255.255.255.224  5.5.0.
VPN Configuration

The following VPN configuration steps on the switch enable OAW-IAPs to terminate their VPN connection on the switch:

Whitelist Database Configuration

The whitelist database is a list of the MAC addresses of the OAW-IAPs that are allowed to establish VPN connections with the Mobility Switch. This list can be stored either in the Mobility Switch or on an external server.
(host) (config-sess-iaprole)#any host any src-nat
(host) (config-sess-iaprole)#any any any permit
(host) (config-sess-iaprole)#!
(host) (config) #user-role iaprole
(host) (config-role) #session-acl iaprole

VPN Profile Configuration

The VPN profile configuration defines the server used to authenticate the OAW-IAP (internal or an external server) and the role assigned to the OAW-IAP after successful authentication.
Parameter / Description
- VC MAC Address: Displays the MAC address of the Virtual Controller of the branch.
- Status: Displays the current status of the branch (UP/DOWN).
- Inner IP: Displays the internal VPN IP of the branch.
- Assigned Subnet: Displays the subnet mask assigned to the branch.
- Assigned Vlan: Displays the VLAN ID assigned to the branch.
- Key: Displays the key for the branch, which is unique to each branch.
- Bid(Subnet Name): Displays the Branch ID (BID) of the subnet.
Chapter 24 Omnivista Integration and Management

This chapter provides the following information:
- Omnivista Features on page 258
- Configuring Omnivista on page 260

Omnivista Features

Omnivista is a powerful and easy-to-use network operations system that manages Alcatel-Lucent wireless, wired, and remote access networks, as well as wired and wireless infrastructures from a wide range of third-party manufacturers.
Figure 86 Template-based Configuration

Trending Reports

Omnivista saves up to 14 months of actionable information, including network performance data and user roaming patterns, so you can analyze how network usage and performance trends have changed over time. It also provides detailed capacity reports with which you can plan the capacity and appropriate strategies for your organization.

Intrusion Detection System

Omnivista provides advanced, rules-based rogue classification.
Figure 87 Adding an OAW-IAP in VisualRF

PSK-based and Certificate-based Authentication

On the DHCP server, two formats for option 43 are supported:
- ,,— If you choose this format (three comma-separated fields; the field names are given under Configuring for OmniVista Discovery through DHCP), the OAW-IAP authenticates the OmniVista Management Platform server using the Pre-Shared Key (PSK) login process.
- Folder— "Org" (under the Top folder in AMP)
- Configuration Group— "Org"

You can also assign additional strings to create a hierarchy of sub folders under the folder named "Org". For example:
- subfolder1 for a folder under the "Org" folder
- subfolder2 for a folder under subfolder1

Shared Key

The Shared Secret key is an optional field used by the administrator to manually authorize the first Virtual Controller for an organization. Any string is acceptable.
In the CLI
To configure Omnivista information in AOS-W Instant:
(Instant Access Point)(config)# organization
(Instant Access Point)(config)# ams-ip
(Instant Access Point)(config)# ams-backup-ip
(Instant Access Point)(config)# ams-key
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply

Configuring for OmniVista Discovery through DHCP

Omnivista can be discovered through a DHCP server.
3. Select DHCP Standard Options in the Option class drop-down list and then click Add.
4. Enter the following information:
- Name— AOS-W Instant
- Data Type— String
- Code—60
- Description—AOS-W Instant AP
Figure 90 AOS-W Instant and DHCP options for Omnivista: Predefined Options and Values
5. Navigate to Server Manager and select Server Options in the IPv4 window. (This sets the value globally. Use options on a per-scope basis to override the global options.)
6.
Figure 91 AOS-W Instant and DHCP options for Omnivista: Server Options
7. Select 060 Alcatel-Lucent Instant AP in the Server Options window and enter Alcatel-LucentInstantAP in the String Value.
Figure 92 AOS-W Instant and DHCP options for Omnivista—060 OAW-IAP in Server Options
8. Select 043 Vendor Specific Info and enter a value for either of the following in the ASCII field:
- airwave-orgn, airwave-ip, airwave-key; for example: Alcatel-Lucent,192.0.2.
Figure 93 AOS-W Instant and DHCP options for Omnivista— 043 Vendor Specific Info This creates a DHCP option 60 and 43 on a global basis. You can do the same on a per-scope basis. The per-scope option overrides the global option.
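As an added example (not code from this guide or from Alcatel-Lucent), the option 60 / option 43 exchange that the steps above configure on the DHCP server, modelled in Python: the client advertises the vendor class in option 60, the server answers with the comma-separated orgn,ip,key string in option 43 only when that class matches (a simplified model of the DHCP server's vendor-class matching, not the server's own logic), and the receiving side checks that option 43 is ASCII, has exactly three fields and carries a parseable address before using it. Option encoding follows the RFC 2132 code/length/value layout; the function names, the sample address and the sample key are constructed for this example, since the guide's own example string is truncated.

```python
"""DHCP option 60 / option 43 encoding and validation for OmniVista discovery.

Added example: RFC 2132 option TLVs plus the 'orgn,ip,key' option 43 format
described in the guide. Names and sample values are constructed.
"""
import ipaddress
from typing import Dict, Optional, Tuple

OPT_PAD = 0
OPT_VENDOR_INFO = 43     # RFC 2132 "Vendor Specific Information"
OPT_VENDOR_CLASS = 60    # RFC 2132 "Vendor class identifier"
OPT_END = 255

# Vendor class string the guide tells you to configure for option 060.
INSTANT_VENDOR_CLASS = b"Alcatel-LucentInstantAP"


def encode_option(code: int, value: bytes) -> bytes:
    """One RFC 2132 option: 1-byte code, 1-byte length, then the value."""
    if not 1 <= len(value) <= 255:
        raise ValueError("option value must be 1..255 bytes")
    return bytes([code, len(value)]) + value


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Walk an option block: PAD (0) is skipped, END (255) stops the walk,
    and a truncated option raises instead of returning a partial value."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value for option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def client_discover_options() -> bytes:
    """Options a client sends in DISCOVER: the vendor class in option 60."""
    return encode_option(OPT_VENDOR_CLASS, INSTANT_VENDOR_CLASS) + bytes([OPT_END])


def server_offer_options(discover_opts: bytes, org: str, server_ip: str,
                         shared_key: str) -> bytes:
    """Options the server returns in OFFER (simplified model, an assumption):
    option 43 is returned only when option 60 matches the Instant vendor class,
    so another device sharing the server (a PXE client, say) never receives it."""
    ipaddress.ip_address(server_ip)  # reject a malformed address before it is sent
    if any("," in field for field in (org, shared_key)):
        raise ValueError("comma is the field separator and cannot appear in a field")
    if parse_options(discover_opts).get(OPT_VENDOR_CLASS) != INSTANT_VENDOR_CLASS:
        return bytes([OPT_END])
    opt43 = f"{org},{server_ip},{shared_key}".encode("ascii")
    return encode_option(OPT_VENDOR_INFO, opt43) + bytes([OPT_END])


def extract_omnivista(offer_opts: bytes) -> Optional[Tuple[str, str, str]]:
    """Receiving side: accept option 43 only if it is ASCII, has exactly the
    three non-empty fields 'orgn,ip,key' and the ip field parses as an address."""
    raw = parse_options(offer_opts).get(OPT_VENDOR_INFO)
    if raw is None:
        return None
    try:
        parts = raw.decode("ascii").split(",")
    except UnicodeDecodeError:
        return None
    if len(parts) != 3 or not all(parts):
        return None
    org, ip, key = parts
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return org, ip, key


if __name__ == "__main__":
    # Constructed sample values; the guide's own example string is truncated.
    offer = server_offer_options(client_discover_options(),
                                 "Alcatel-Lucent", "192.0.2.10", "example-shared-key")
    print(offer.hex())
    print(extract_omnivista(offer))
```

The checks in extract_omnivista are about format only: option 43 travels as plain text on the local segment, so they tell you the string is well-formed, not who produced it. The shared key in the third field is what the guide describes as authorizing the first Virtual Controller, which is why the per-scope setup in the following section keeps it out of scopes that serve other device types.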
the DHCP clients information about certain services such as PXE. In such an environment, the standard DHCP options 60 and 43 cannot be used for Alcatel-Lucent APs. This method describes how to set up a DHCP server to send option 43 with Omnivista information to AOS-W Instant OAW-IAP. This section assumes that option 43 is sent per scope, because option 60 is being shared by other devices as well.
Figure 96 Omnivista — New Group
Figure 97 Omnivista — Monitor
Chapter 25 AirGroup Configuration

This chapter provides the following information:
- AirGroup Overview on page 268
- AirGroup with AOS-W Instant on page 269
- Configuring AirGroup and AirGroup Services on an OAW-IAP on page 273
- Configuring AirGroup and CPPM interface in AOS-W Instant on page 275

AirGroup Overview

AirGroup is a unique enterprise-class capability that leverages zero configuration networking to enable Bonjour® services such as Apple® AirPrint and AirPlay from mobile devices in an ef
Figure 98 - AirGroup Architecture

AirGroup is not supported on a 3G uplink.

AirGroup with AOS-W Instant

AirGroup capabilities are available as a feature in Alcatel-Lucent WLANs where Wi-Fi data is distributed among AOS-W Instant APs. When an Alcatel-Lucent WLAN is powered by AOS-W Instant and CPPM, AirGroup begins to function. An AirGroup device can be registered by an administrator or a guest user.
1.
Figure 99 AirGroup Enables Personal Device Sharing AirGroup Solution In large universities and enterprise networks, it is common for Bonjour-capable devices to connect to the network across VLANs. As a result, user devices such as an iPad on a specific VLAN cannot discover an Apple TV that resides on another VLAN. As the addresses used by the protocol are link-scope multicast addresses, each query or advertisement can only be forwarded on its respective VLAN, but not across different VLANs.
Table 53: AirGroup Filtering Options
Feature                                    | AOS-W Instant | Deployment Models
Device owner based policy enforcement      | No            | Yes
Location based policy enforcement          | No            | Yes
Shared user list based policy enforcement  | No            | Yes
Shared role list based policy enforcement  | No            | Yes

AirGroup also enables context awareness for services across the network:
- AirGroup is aware of personal devices. For example, an Apple TV in a dorm room can be associated with the student who owns it.
- Allow or block mDNS services based on user roles.
- Allow or block mDNS services based on VLANs.
- Match users' devices, such as iPads, to their closest Bonjour devices, such as printers. This requires CPPM support.

CPPM and ClearPass Guest Features

CPPM and ClearPass Guest support the following features:
- Registration portal for WLAN users to register their personal devices such as Apple TVs and printers.
Configuring AirGroup and AirGroup Services on an OAW-IAP

You can configure AirGroup services using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To enable AirGroup and its services:
1. Click the More>Services link at the top right corner of the AOS-W Instant main window.
2. Click the Air Group tab. The Air Group tab details are displayed.
3. Select the Enable Air Group check box. The AirGroup configuration parameters are displayed.
Figure 101 AirGroup Configuration
4.
- To block user roles from accessing an AirGroup service, click the corresponding edit link and select the user roles for which you want to restrict access. By default, an AirGroup service is accessible by all user roles configured in your OAW-IAP cluster.
- To exclude VLANs from accessing an AirGroup service, click the corresponding edit link and select the VLANs to exclude.
CPPM Server dead time        100 Seconds

AirGroup Service Information
----------------------------
Service     Status
-------     ------
airplay     Enabled
airprint    Disabled
itunes      Disabled
remotemgmt  Enabled
sharing     Disabled
chat        Enabled
allowall    Disabled

Configuring AirGroup and CPPM interface in AOS-W Instant

Configure the AOS-W Instant and CPPM interface to allow an AirGroup OAW-IAP and CPPM to exchange information regarding device sharing and location.
Chapter 26 Integration with Security and Location Services Applications

This chapter describes the following procedures:
- Configuring an OAW-IAP for Analytics and Location Engine Support on page 276
- Integrating an OAW-IAP with Palo Alto Networks Firewall on page 278
- Configuring an OAW-IAP for RTLS Support on page 277

Configuring an OAW-IAP for Analytics and Location Engine Support

The Analytics and Location Engine (ALE) is designed to gather client information from the network, process it and sh
Figure 102 Services Window — ALE Integration
4. Specify the ALE server name or IP address.
5. Specify the reporting interval within the range of 6–60 seconds. The OAW-IAP sends messages to the ALE server at the specified interval. The default interval is 30 seconds.
6. Click OK.
2. Click the RTLS tab. The following figure shows the contents of the RTLS tab.
3. Under Aruba, select the RTLS check box to integrate AOS-W Instant with Omnivista or Ekahau Real Time Location Server.
Figure 103 RTLS Window
4. Specify the IP address and port to which the location reports must be sent.
5. Specify the shared secret key in the Passphrase text box.
6. Specify the frequency at which the Virtual Controller can send updates to the server.
security required for enterprises to secure their networks. In the context of businesses using social networking sites, legacy firewalls are not able to differentiate valid authorized users from casual social networking users. The Palo Alto next-generation firewall is based on user ID, which provides many methods for connecting to sources of identity information and associating them with firewall policy rules.
Figure 104 Services Window - Network Integration Tab
3. Select the Enable checkbox to enable the PAN firewall.
4. Specify the user name and password. Ensure that you provide the user credentials of the PAN firewall administrator.
5. Enter the PAN firewall IP address.
6. Enter the port number within the range of 1 to 65535. The default port is 443.
7. Click OK.
Chapter 27 Lawful Intercept and CALEA Integration

This chapter provides the following information:
- CALEA Integration and Lawful Intercept Compliance on page 281
- Configuring OAW-IAPs for CALEA Integration on page 283

CALEA Integration and Lawful Intercept Compliance

Lawful Intercept (LI) allows the Law Enforcement Agencies (LEA) to perform an authorized electronic surveillance. Depending on the country of operation, the service providers (SPs) are required to support LI in their respective networks.
Figure 105 IAP to CALEA Server Traffic Flow from IAP to CALEA Server through VPN

You can also deploy the CALEA server with the Switch and configure an additional IPSec tunnel for corporate access. When the CALEA server is configured with the Switch, the client traffic is replicated by the slave OAW-IAP; the client data is encapsulated in GRE on the slave and routed to the master OAW-IAP. The master OAW-IAP sends the IPsec client traffic to the Switch. The Switch handles the IPSec client traffic while the GRE data is routed to the CALEA server.
Figure 106 IAP to CALEA Server through VPN

Ensure that an IPSec tunnel is configured if the client data has to be routed to the ISP or CALEA server through VPN. For more information on configuring IPSec, see Configuring IPSec Tunnel on page 239.

Client Traffic Replication

Client traffic is replicated in the following ways:
- Through RADIUS VSA— In this method, the client traffic is replicated by using a RADIUS VSA to assign clients to a CALEA-related user role.
In the AOS-W Instant UI
To configure a CALEA profile:
1. Click More>Services at the top right corner of the AOS-W Instant main window.
2. Click CALEA. The CALEA tab details are displayed.
3. Specify the following parameters:
- IP address— Specify the IP address of the CALEA server.
- Encapsulation type— Specify the encapsulation type. The current release of AOS-W Instant supports GRE only.
- GRE type— Specify the GRE type.
(Instant Access Point)(SSID Profile )# set-role {{equals|not-equals|starts-with|ends-with|contains}|value-of}
(Instant Access Point)(SSID Profile )# end
(Instant Access Point)(SSID Profile )# commit apply

To associate the access rule with a wired profile:
(Instant Access Point)(config)# wired-port-profile
(Instant Access Point)(Wired ap profile )# access-rule-name
(Instant Access Point)(Wired ap profile )# end
(Instant Access Point)# co
  ip mtu         : 150

(Instant Access Point)# show calea statistics
Rt resolve fail  : 0
Dst resolve fail : 0
Alloc failure    : 0
Fragged packets  : 0
Jumbo packets    : 263
Total Tx fail    : 0
Total Tx ok      : 263
Chapter 28 Hotspot Profiles

This chapter describes the following procedures:
- Understanding Hotspot Profiles on page 287
- Configuring Hotspot Profiles on page 288
- Sample Configuration on page 298

In the current release, AOS-W Instant supports the hotspot profile configuration only through the CLI.

Understanding Hotspot Profiles

Hotspot 2.0 is a Wi-Fi Alliance specification based on the 802.
Access Network Query Protocol (ANQP)

ANQP is a query and response protocol that provides a range of information, such as IP address type and availability, roaming partners accessible through a hotspot, and the Extensible Authentication Protocol (EAP) method supported for authentication. The ANQP Information Elements (IEs) provide additional data that can be sent from an OAW-IAP to the client to identify the OAW-IAP's network and service provider.
3. Associate the required ANQP and H2QP advertisement profiles created in step 1 to the hotspot profile created in step 2. 4. Create a SSID Profile with enterprise security and WPA2 encryption settings and associate the SSID with the hotspot profile created in step 2. Creating Advertisement Profiles for Hotspot Configuration A hotspot profile contains one or several advertisement profiles.
- eap-ttls—To use EAP-Tunneled Transport Layer Security. The associated numeric value is 21.
- peap—To use Protected Extensible Authentication Protocol. The associated numeric value is 25.
- crypto-card— To use crypto card authentication. The associated numeric value is 28.
- peapmschapv2— To use PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPV2). The associated numeric value is 29.
- eap-aka—To use EAP for UMTS Authentication and Key Agreement.
Configuring a Venue Name Profile

You configure a venue name profile to send venue information as an ANQP IE in a GAS query response.
Table 56 (continued): Venue Group / Associated Venue Type Value
- (venue group with associated numeric value 5; the group name is on the preceding page) long-term-care—The associated numeric value is 2. alc-drug-rehab—The associated numeric value is 3. group-home—The associated numeric value is 4. prison-or-jail—The associated numeric value is 5.
- mercantile—The associated numeric value is 6. unspecified—The associated numeric value is 0. retail-store—The associated numeric value is 1.
- residential—The associated numeric value is 7. (The venue types for this group are not on this page.)
- http-redirect—When configured, additional information on the network is provided through HTTP/HTTPS redirection.
- dns-redirect—When configured, additional information on the network is provided through DNS redirection. This option requires you to specify a redirection URL string as an IP address, FQDN, or URL.

Configuring a Roaming Consortium Profile

You can configure a roaming consortium profile to send the roaming consortium information as an ANQP IE in a GAS query response.
(Instant Access Point)(domain-name )# end
(Instant Access Point)# commit apply

Configuring an Operator-friendly Profile

You can configure the operator-friendly name profile to define the name that identifies the operator.
- Downlink load— Indicates the percentage of the WAN downlink currently utilized. The default value of 0 indicates that the downlink load is unknown or unspecified.
- Downlink speed— Indicates the WAN downlink speed in Kbps.
- Uplink load— Indicates the percentage of the WAN uplink currently utilized. The default value of 0 indicates that the uplink load is unknown or unspecified.
- Uplink speed— Indicates the WAN uplink speed in Kbps.
Table 57: Hotspot Configuration Parameters (continued)
- personal-device — This network is accessible for personal devices. For example, a laptop or camera configured with a printer for the purpose of printing. The corresponding integer value for this network type is 4.
- emergency-services — This network is limited to accessing emergency services only. The corresponding integer value for this network type is 5.
- test — This network is used for test purposes only.
Table 57: Hotspot Configuration Parameters (continued)
- venue-group (continued): factory-and-industrial, institutional, mercantile, outdoor, residential, storage, utility-and-misc, vehicular. By default, the business venue group is used.
- venue-type: Specify a venue type to be advertised in the ANQP IEs from OAW-IAPs associated with this hotspot profile. For more information about the supported venue types for each venue group, see Table 56.
(Instant Access Point)(SSID Profile )# vlan
(Instant Access Point)(SSID Profile )# set-vlan {{equals|not-equals|starts-with|ends-with|contains}|value-of}
(Instant Access Point)(SSID Profile )# opmode {wpa2-aes|wpa-tkip,wpa2-aes}
(Instant Access Point)(SSID Profile )# blacklist
(Instant Access Point)(SSID Profile )# mac-authentication
(Instant Access Point)(SSID Profile )# l2-auth-failthrough
(Instant Access Point)(SSID Profile
(Instant Access Point)(config)# hotspot anqp-domain-name-profile dn1
(Instant Access Point)(domain-name "dn1")# domain-name DomainName
(Instant Access Point)(domain-name "dn1")# exit
(Instant Access Point)(config)# hotspot h2qp-oper-name-profile on1
(Instant Access Point)(operator-friendly-name "on1")# op-lang-code eng
(Instant Access Point)(operator-friendly-name "on1")# op-fr-name OperatorFriendlyName
(Instant Access Point)(operator-friendly-name "on1")# exit

Step 2: Creating a hotspot profile
(Instant (
(Instant Access Point)(SSID Profile "ssidProfile1")# radius-reauth-interval 20
(Instant Access Point)(SSID Profile "ssidProfile1")# max-authentication-failures 2
(Instant Access Point)(SSID Profile "ssidProfile1")# set-role-by-ssid
(Instant Access Point)(SSID Profile "ssidProfile1")# hotspot-profile hs1
(Instant Access Point)(SSID Profile "ssidProfile1")# end
(Instant Access Point)# commit apply
Chapter 29 Extended Voice and Video

AOS-W Instant has the added ability to identify and prioritize voice and video traffic from applications such as Microsoft Office Communications Server (OCS) and Apple Facetime.

QoS for Microsoft Office OCS and Apple Facetime

Voice and video devices use a signaling protocol to establish, control, and terminate voice and video calls. These control or signaling sessions are usually permitted using pre-defined ACLs.
Chapter 30 Dynamic CPU Management

This chapter provides the following information:
- Dynamic CPU Management on page 302
- Configuring for Dynamic CPU Management on page 302

Dynamic CPU Management

OAW-IAPs perform various functions such as wireless client connectivity and traffic flows, wired client connectivity and traffic flows, wireless security, network management, and location tracking. Like any network element, an OAW-IAP can be subject to heavy loads.
Chapter 31 Link Aggregation Control Protocol for OAW-IAP220 Series

OAW-IAP220 Series supports the IEEE 802.11ac standard for high-performance WLAN. To support maximum traffic, port aggregation is required as it increases throughput and enhances reliability. To support port aggregation, AOS-W Instant supports Link Aggregation Control Protocol (LACP) based on the IEEE 802.3ad standard. 802.
Chapter 32
OAW-IAP Management

This section provides information on the following procedures:
- Configuring LED Display on page 304
- Backing up and Restoring OAW-IAP Configuration Data on page 304
- Converting an OAW-IAP to a Remote AP and Campus AP on page 305
- Resetting a Remote AP or Campus AP to an OAW-IAP on page 309
- Rebooting the OAW-IAP on page 309

Configuring LED Display
The LED display is always in the Enabled mode during an OAW-IAP reboot.
1. Navigate to the Maintenance > Configuration page.
2. Click Backup Configuration.
3. Click Continue to confirm the backup. The instant.cfg file containing the OAW-IAP configuration data is saved in your local file system.
4. To view the configuration that is backed up by the OAW-IAP, enter the following command at the command prompt:
(Instant Access Point)# show backup-config

Restoring Configuration
To restore configuration:
1. Navigate to the Maintenance > Configuration page.
2. Click Restore Configuration.
- For more information on the firmware image cloud server, see Upgrading an OAW-IAP on page 70.

A mesh point cannot be converted to a Remote AP, because mesh access points do not support VPN connections.

An OAW-IAP can be converted to a Campus AP or Remote AP only if the Switch is running AOS-W Instant 6.1.4 or later. The following table describes the supported OAW-IAP platforms and the minimal AOS-W Instant version required for the Campus AP or Remote AP conversion.
Figure 107 - Maintenance — Convert Tab
Figure 108 - Convert options
3. Select Remote APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname (fully qualified domain name) or the IP address of the Switch in the Hostname or IP Address of Mobility Controller text box. Contact your local network administrator to obtain the IP address. Ensure that the mobility Switch IP address is reachable by the OAW-IAPs.
5. Click Convert Now to complete the conversion.
Converting an OAW-IAP to Campus AP
To convert an OAW-IAP to Campus AP, do the following:
1. Click the Maintenance link in the AOS-W Instant main window.
2. Click the Convert tab. The Convert tab is displayed.
Figure 109 - Converting an OAW-IAP to Campus AP
3. Select Campus APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname, Fully Qualified Domain Name (FQDN), or the IP address of the Switch in the Hostname or IP Address of Mobility Controller text box.
3. Select Standalone AP from the drop-down list.
4. Select the Access Point from the drop-down list.
5. Click Convert Now to complete the conversion. The OAW-IAP now operates in standalone mode.

Converting an OAW-IAP using CLI
To convert an OAW-IAP:
(Instant Access Point)# convert-aos-ap

Resetting a Remote AP or Campus AP to an OAW-IAP
The reset button located on the rear of an OAW-IAP can be used to reset the OAW-IAP to factory default settings.
Figure 111 - Rebooting the OAW-IAP
3. In the OAW-IAP list, select the OAW-IAP that you want to reboot and click Reboot selected Access Point. To reboot all the OAW-IAPs in the network, click Reboot All.
4. The Confirm Reboot for AP message is displayed. Click Reboot Now to proceed. The Reboot in Progress message is displayed, indicating that the reboot is in progress. The Reboot Successful message is displayed after the process is complete.
Chapter 33
Monitoring Devices and Logs

This chapter provides the following information:
- Configuring SNMP on page 311
- Configuring a Syslog Server on page 314
- Configuring TFTP Dump Server on page 316
- Running Debug Commands from the AOS-W Instant UI on page 317

Configuring SNMP
This section provides the following information:
- SNMP Parameters for OAW-IAP on page 311
- Configuring SNMP on page 312
- Configuring SNMP Traps on page 314

SNMP Parameters for OAW-IAP
AOS-W Instant supports SNM
Configuring SNMP
This section describes the procedure for configuring SNMPv1, SNMPv2, and SNMPv3 community strings using the AOS-W Instant UI or CLI.

Creating community strings for SNMPv1 and SNMPv2
Using AOS-W Instant UI
To create community strings for SNMPv1 and SNMPv2:
1. Click the System link at the top right corner of the AOS-W Instant main window. The System window is displayed.
2. Click the Monitoring tab. The following figure shows the SNMP configuration parameters displayed in the Monitoring tab.
Figure 113 SNMPv3 User
4. Enter the name of the user in the Name text box.
5. Select the type of authentication protocol from the Auth protocol drop-down list.
6. Enter the authentication password in the Password text box and retype the password in the Retype text box.
7. Select the type of privacy protocol from the Privacy protocol drop-down list.
8. Enter the privacy protocol password in the Password text box and retype the password in the Retype text box.
9. Click OK.
10.
Configuring SNMP Traps
AOS-W Instant supports the configuration of external trap receivers. Only the OAW-IAP acting as the Virtual Controller generates traps. The OID of the traps is 1.3.6.1.4.1.14823.2.3.3.1.200.2.X. You can configure SNMP traps using the AOS-W Instant UI or CLI.

In the AOS-W Instant UI
To configure an SNMP trap receiver:
1. Navigate to System > Show advanced options > Monitoring. The Monitoring window is displayed.
2. Under SNMP Traps, enter a name in the SNMP Engine ID text box.
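On the receiving side, a trap collector can recognize Virtual Controller traps by the trap OID subtree given above and pull out the trap-specific index X. The following is an added example for this guide, not code from Alcatel-Lucent or from AOS-W Instant: it matches received OIDs against that subtree arc by arc (a plain string-prefix comparison would also accept sibling subtrees such as ...200.20) and refuses malformed OIDs. The sample OIDs are constructed for illustration; only the subtree prefix comes from the guide.

```python
"""Classify received SNMP trap OIDs against the Virtual Controller trap
subtree named in the guide (1.3.6.1.4.1.14823.2.3.3.1.200.2.X).

Added example; the sample OIDs below are constructed for illustration.
OID prefix matching is done on integer arcs, not on the decimal string,
so that a subtree such as ...200.20 is not mistaken for ...200.2.
"""

# Trap subtree stated in the guide: 1.3.6.1.4.1.14823.2.3.3.1.200.2.X
VC_TRAP_PREFIX = (1, 3, 6, 1, 4, 1, 14823, 2, 3, 3, 1, 200, 2)


def parse_oid(text):
    """Turn a dotted-decimal OID string into a tuple of integer arcs.

    Rejects empty arcs and non-digit arcs so that malformed input from an
    untrusted sender is refused rather than silently matched.
    """
    parts = text.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError("malformed OID: %r" % text)
    return tuple(int(p) for p in parts)


def vc_trap_index(oid_text):
    """Return X when the OID is a trap under the VC subtree, else None.

    An OID that is exactly the prefix (no trailing X) or that sits in a
    sibling subtree such as ...200.20.1 is not a VC trap.
    """
    oid = parse_oid(oid_text)
    if len(oid) != len(VC_TRAP_PREFIX) + 1:
        return None
    if oid[:len(VC_TRAP_PREFIX)] != VC_TRAP_PREFIX:
        return None
    return oid[-1]


def classify_traps(oid_texts):
    """Split a batch of received trap OIDs into VC traps and everything else."""
    vc, other = {}, []
    for text in oid_texts:
        try:
            idx = vc_trap_index(text)
        except ValueError:
            other.append(text)
            continue
        if idx is None:
            other.append(text)
        else:
            vc[text] = idx
    return vc, other


# Constructed sample input: two OIDs under the VC subtree (the X values are
# made up), one in a sibling subtree that a naive string-prefix check would
# accept, one malformed, and the generic SNMPv2 coldStart trap.
SAMPLE_TRAP_OIDS = [
    "1.3.6.1.4.1.14823.2.3.3.1.200.2.1",
    "1.3.6.1.4.1.14823.2.3.3.1.200.2.17",
    "1.3.6.1.4.1.14823.2.3.3.1.200.20.1",
    "1.3.6.1.4.1.14823.2.3.3.1.200.2.",
    "1.3.6.1.6.3.1.1.5.1",
]

if __name__ == "__main__":
    vc, other = classify_traps(SAMPLE_TRAP_OIDS)
    for text, idx in vc.items():
        print("VC trap %d: %s" % (idx, text))
    for text in other:
        print("ignored: %s" % text)
```

Keep the arc-wise comparison even if a string check seems simpler: enterprise OID trees are dense, and a string prefix test on "...200.2" silently matches "...200.20" and "...200.21" as well.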
Figure 114 Syslog Server
4. In the Syslog server text box, enter the IP address of the server to which you want to send system logs.
5. Select the required values to configure syslog facility levels. Syslog Facility is an information field associated with a syslog message. It identifies the application or operating system component that generated the log message. The following seven facilities are supported by Syslog:
- AP-Debug— Detailed log about the AP device.
Logging Level    Description
Warning          Warning messages.
Notice           Significant events of a non-critical and normal nature. The default value for all Syslog facilities.
Informational    Messages of general interest to system users.
Debug            Messages containing information useful for debugging.

6. Click OK.
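The logging levels in the table are the standard syslog severities, and the syslog server that receives the OAW-IAP messages sees them encoded in the PRI header of each message (facility * 8 + severity). The following is an added example, not code from the guide or from AOS-W Instant: it decodes the PRI of received lines and keeps only those at a chosen level or more urgent, which is the usual first filter on a collector. The sample messages are constructed and do not reproduce any real OAW-IAP log format; the severity names are the standard syslog set, of which the guide's table shows the lower four.

```python
"""Decode the PRI header of syslog messages and keep only those at a chosen
severity or more urgent.

Added example, not code from the AOS-W Instant guide. The severity names
are the standard syslog severities (RFC 3164/5424), which match the logging
levels in the guide's table; the sample messages are constructed.
"""
import re

# Standard syslog severity codes; lower number = more urgent.
SEVERITIES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

# PRI is "<N>" at the start of the message, N = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line):
    """Return (facility_code, severity_code, body) or None if no valid PRI."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # 23 * 8 + 7 is the largest legal PRI value
        return None
    return pri >> 3, pri & 7, m.group(2)


def severity_name(code):
    return SEVERITIES.get(code, "Unknown")


def at_or_above(lines, threshold="Warning"):
    """Keep lines whose severity is at least as urgent as `threshold`.

    Lines without a decodable PRI are kept as well, tagged "Unparsed":
    dropping them would hide a misbehaving or spoofed sender, which is
    exactly what a collector should surface.
    """
    names = {v: k for k, v in SEVERITIES.items()}
    limit = names[threshold]
    selected = []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            selected.append(("Unparsed", line))
            continue
        _facility, sev, body = parsed
        if sev <= limit:
            selected.append((severity_name(sev), body))
    return selected


# Constructed sample feed (not real OAW-IAP output). PRI values:
#  <12> = facility 1 (user), severity 4 (Warning)
#  <13> = facility 1, severity 5 (Notice), the guide's default level
#  <14> = facility 1, severity 6 (Informational)
#  <15> = facility 1, severity 7 (Debug)
#  <3>  = facility 0 (kern), severity 3 (Error)
SAMPLE_LINES = [
    "<12>Jan 10 12:00:01 ap-lobby-1 auth: client 00:aa:22:bb:33:cc failed 802.1X, attempt 2",
    "<13>Jan 10 12:00:02 ap-lobby-1 stm: client 00:aa:22:bb:33:cc associated to ssidProfile1",
    "<14>Jan 10 12:00:03 ap-lobby-1 stm: channel scan complete",
    "<15>Jan 10 12:00:04 ap-lobby-1 sapd: debug heartbeat",
    "<3>Jan 10 12:00:05 ap-lobby-1 kernel: watchdog reset requested",
    "garbage line with no PRI header",
]

if __name__ == "__main__":
    for sev, body in at_or_above(SAMPLE_LINES, "Warning"):
        print("%-13s %s" % (sev, body))
```

With the threshold at "Warning" the run keeps the Warning and Error lines plus the unparsable one; lowering it to "Debug" keeps everything, which is what the Notice default in the guide's table sits between.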
Running Debug Commands from the AOS-W Instant UI
To run the debugging commands from the AOS-W Instant UI:
1. Navigate to More > Support at the top right corner of the AOS-W Instant main window. The Support window is displayed.
2. Select the required option from the Command drop-down list.
3. Select All Access Points or Instant Access Point(VC) from the Target drop-down list.
4. Click Run.
- AP Crash Info— Displays crash log information (if it exists) for the OAW-IAP. The stored information is cleared from the flash after the AP reboots.
- AP Current Time— Displays the current time configured on the OAW-IAP.
- AP Current Timezone— Displays the current time zone configured on the OAW-IAP.
- AP Datapath ACL Table Allocation— Displays ACL table allocation details for the OAW-IAP.
- AP Datapath ACL Tables— Displays the list of ACL rules configured for the SSID and Ethernet port profiles.
- AP Log Sapd— Displays SAPd logs.
- AP Log Security— Displays security logs of the OAW-IAP.
- AP Log System— Displays system logs of the OAW-IAP.
- AP Log Tunnel Status Management— Displays tunnel status.
- AP Log Upgrade— Displays image download and upgrade details for the OAW-IAP.
- AP Log User-Debug— Displays user-debug logs of the OAW-IAP.
- AP Log User— Displays user logs of the OAW-IAP.
- AP Log VPN Tunnel Log— Displays VPN tunnel status for the OAW-IAP.
- AP Shaping Table— Displays shaping information for clients associated with the OAW-IAP.
- AP Sockets— Displays socket information of the OAW-IAP.
- AP STM Configuration— Displays STM configuration details for each SSID profile configured on the OAW-IAP.
- AP System Status— Displays detailed system status information for the OAW-IAP.
- AP System Summary— Displays the OAW-IAP configuration.
- AP Swarm State— Displays details of the OAW-IAP cluster to which the AP is connected.
- VC L2TPv3 config— Displays the L2TPv3 configuration status.
- VC L2TPv3 tunnel status— Displays the L2TPv3 tunnel status.
- VC L2TPv3 tunnel configuration— Displays the L2TPv3 tunnel configuration status.
- VC L2TPv3 session status— Displays the L2TPv3 session configuration status.
- VC L2TPv3 system wide global statistics— Displays the L2TPv3 system statistics.
- VC OpenDNS Configuration and Status— Displays configuration details and status of the OpenDNS server.
Chapter 34
Regulatory Domain

IEEE 802.11b/g/n Wi-Fi networks operate in the 2.4 GHz spectrum and IEEE 802.11a/n networks operate in the 5.0 GHz spectrum. The spectrum is divided into channels. The 2.4 GHz spectrum is divided into 14 overlapping, staggered 20 MHz wireless carrier channels. These channels are spaced 5 MHz apart. The 5 GHz spectrum is divided into more channels. The channels that can be used in a particular country differ based on the regulations of that country.
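The 2.4 GHz plan above (14 channels, 5 MHz apart, each 20 MHz wide) is enough to compute which channels collide and which subset of a country's allowed channels can be used without overlap. The following is an added example for this guide, not code from AOS-W Instant; the channel centre frequencies follow the IEEE 802.11 2.4 GHz plan (2407 + 5 * n MHz for channels 1 to 13, 2484 MHz for channel 14), and the allowed-channel lists are assumptions for illustration only, since the guide says the usable channels come from each country's regulations. The channel width is a parameter, so the same code also reproduces the familiar 1/6/11 plan for 22 MHz 802.11b channels.

```python
"""Worked example for the 2.4 GHz channel plan: 14 channels, 5 MHz apart,
each 20 MHz wide, so neighbouring channels overlap.

Added example, not from the AOS-W Instant guide. Centre frequencies follow
the IEEE 802.11 2.4 GHz plan. The allowed-channel lists are assumptions for
illustration; take the authoritative list from the regulatory domain
configured on the OAW-IAP.
"""


def center_mhz(channel):
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484   # channel 14 sits 12 MHz above channel 13
    raise ValueError("not a 2.4 GHz channel: %r" % channel)


def overlaps(a, b, width_mhz=20):
    """True when two channels' occupied bands overlap.

    Two channels of equal width overlap when their centres are closer
    than one channel width; centres exactly one width apart only touch.
    """
    return abs(center_mhz(a) - center_mhz(b)) < width_mhz


def non_overlapping_plan(allowed, width_mhz=20):
    """Greedy pick of mutually non-overlapping channels from an allowed list,
    lowest channel first. Returns the chosen channels in ascending order."""
    chosen = []
    for ch in sorted(allowed):
        if all(not overlaps(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def overlapping_neighbours(channel, allowed, width_mhz=20):
    """Channels from `allowed` that overlap the given channel."""
    return [c for c in sorted(allowed)
            if c != channel and overlaps(channel, c, width_mhz)]


# Assumed allowed-channel lists for illustration (verify against the
# regulatory domain in use): 11, 13 and the full 14 channels.
ALLOWED_11 = list(range(1, 12))
ALLOWED_13 = list(range(1, 14))
ALLOWED_14 = list(range(1, 15))

if __name__ == "__main__":
    for ch in (1, 6, 11, 13, 14):
        print("channel %2d centre %d MHz" % (ch, center_mhz(ch)))
    print("channel 6 overlaps:", overlapping_neighbours(6, ALLOWED_14))
    print("20 MHz plan, 13 channels:", non_overlapping_plan(ALLOWED_13))
    print("22 MHz (802.11b DSSS) plan, 11 channels:",
          non_overlapping_plan(ALLOWED_11, 22))
```

The greedy picker is deliberately simple: with 20 MHz channels it yields 1/5/9/13 from thirteen allowed channels, and with 22 MHz channels it yields 1/6/11 from eleven, which is why those two plans are the ones usually quoted.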
Code  Country Name
CA    Canada
CH    Switzerland
CL    Chile
CN    China
CO    Colombia
CR    Costa Rica
CS    Serbia and Montenegro
CY    Cyprus
CZ    Czech Republic
DE    Germany
DK    Denmark
DO    Dominican Republic
DZ    Algeria
EC    Ecuador
EE    Estonia
EG    Egypt
ES    Spain
FI    Finland
FR    France
GB    United Kingdom
GR    Greece
GT    Guatemala
HK    Hong Kong
HN    Honduras
ID    Indonesia
IE    Ireland
IL    Israel
IN    India
IS    Iceland
IT    Italy
JM    Jamaica
JO    Jordan
JP    Japan
KE    Kenya
KR    Republic of Korea (South Korea)
KW    Kuwait
LB    Lebanon
LI    Liechtenstein
LK    Sri Lanka
LT    Lithuania
LU    Luxembourg
MA    Morocco
MU    Mauritius
MX    Mexico
NL    Netherlands
NO    Norway
NZ    New Zealand
OM    Oman
PA    Panama
PE    Peru
PH    Philippines
PK    Islamic Republic of Pakistan
PL    Poland
PR    Puerto Rico
PT    Portugal
QA    Qatar
RO    Romania
RU    Russia
SA    Saudi Arabia
SG    Singapore
SI    Slovenia
SK    Slovak Republic
SV    El Salvador
TH    Thailand
TN    Tunisia
TR    Turkey
TT    Trinidad and Tobago
TW    Taiwan
UA    Ukraine
US    United States
UY    Uruguay
VE    Venezuela
VN    Vietnam
ZA    South Africa
ClearPass Guest Setup
To configure ClearPass Guest:
1. On ClearPass Guest, navigate to Administration > AirGroup Services.
2. Click Configure AirGroup Services.
Figure 116 Configure AirGroup Services
3. Click Add a new controller.
4. Update the fields with the appropriate information. Ensure that the port configured matches the CoA port (RFC 3576) set in the OAW-IAP configuration.
5. Click Save Configuration.
Figure 118 Create an AirGroup Administrator
4. In this example, the password used is test123. Click Add.
5. Now click Add User, and create an AirGroup Operator.
Figure 119 Create an AirGroup Operator
6. Click Add to save the user with an AirGroup Operator role. The AirGroup Administrator and AirGroup Operator IDs will be displayed in the Local Users UI screen.
Figure 120 Local Users UI Screen
7. Navigate to the ClearPass Guest UI and click Logout. The ClearPass Guest Login page is displayed. Use the AirGroup admin credentials to log in.
8. After logging in, click Create Device.
Figure 121 Create a Device
The following page is displayed.
Figure 122 - Register Shared Device
For this test, add your AppleTV device name and MAC address but leave all other fields empty.
9. Click Register Shared Device.

Testing
To verify the setup:
1. Disconnect your AppleTV and OSX Mountain Lion/iOS 6 devices if they were previously connected to the wireless network. Remove their entries from the controller’s user table using these commands:
- Find the MAC address: show user table
- Delete the address from the table: aaa user delete mac 00:aa:22:bb:33:cc
2. Reconnect both devices.
Terminology

Acronyms and Abbreviations
The following table lists the abbreviations used in this user guide.
Table 65: List of abbreviations
Abbreviation  Expansion
PEAP          Protected Extensible Authentication Protocol
PEM           Privacy Enhanced Mail
PoE           Power over Ethernet
RADIUS        Remote Authentication Dial In User Service
VC            Virtual Controller
VSA           Vendor-Specific Attributes
WLAN          Wireless Local Area Network

Glossary
The following table lists the terms and their definitions used in this guide.

Table 66: List of Terms
Term  Definition
802.
AP
    An access point (AP) connects users to other users within the network and can also serve as the point of interconnection between the WLAN and a fixed wire network. The number of access points a WLAN needs is determined by the number of users and the size of the network.
access point mapping
    The act of locating and possibly exploiting connections to WLANs while driving around a city or elsewhere.
fixed wireless
    Wireless devices or systems in fixed locations such as homes and offices. Fixed wireless devices usually derive their electrical power from the utility mains, unlike mobile wireless or portable wireless, which tend to be battery-powered. Although mobile and portable systems can be used in fixed locations, efficiency and bandwidth are compromised compared with fixed systems.
Wi-Fi
    A term for certain types of WLANs. Wi-Fi can apply to products that use any 802.11 standard. Wi-Fi has gained acceptance in many businesses, agencies, schools, and homes as an alternative to a wired LAN. Many airports, hotels, and fast-food facilities offer public access to Wi-Fi networks.
WEP
    Wired equivalent privacy (WEP) is a security protocol specified in 802.