Dell Networking W-Series ArubaOS 6.4 User Guide
Copyright Information
© 2014 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Contents
Contents 3
About this Guide 85
What's New In ArubaOS 6.4.x 85
What's New In ArubaOS 6.4.0.
Disabling LCD Menu Functions 101
Configuring a VLAN to Connect to the Network
Creating, Updating, and Viewing VLANs and Associated IDs 102
Creating, Updating, and Deleting VLAN Pools 103
Assigning and Configuring the Trunk Port 103
In the WebUI 103
In the CLI 103
Configuring the Default Gateway 103
In the WebUI 103
In the CLI 104
Configuring the Loopback IP Address for the Controller 104
In the WebUI 104
In the CLI 105
Configuring the System Clock 105
Installing Licenses 105
Conn
Deleting an AP Entry from the Campus AP Whitelist 115
Purging the Campus AP Whitelist 115
Offloading a Controller RAP Whitelist to ClearPass Policy Manager 116
In the WebUI 116
In the CLI 117
Managing Whitelists on Master and Local Controllers 117
Campus AP Whitelist Synchronization 118
Viewing and Managing the Master or Local Controller Whitelists 118
Viewing the Master or Local Controller Whitelist 118
Deleting an Entry from the Master or Local Controller Whitelist 119
Purging the Mast
Troubleshooting Control Plane Security 128
Identifying Certificate Problems 128
Verifying Certificates 128
Disabling Control Plane Security 128
Verifying Whitelist Synchronization 129
Rogue APs 129
Software Licenses
Understanding License Terminology 130
Working with Licenses 131
Centralized Licensing in a Multi-Controller Network 132
Primary and Backup Licensing Servers 133
Communication between the License Server and License Clients 133
Supported Topologies 135
Unsupported Topologie
Aggregate License Table 141
License Heartbeat Table 142
Using Licenses 142
Understanding License Interaction 143
License Installation Best Practices and Exceptions 144
Installing a License 144
Enabling a new license on your controller 145
Requesting a Software License in Email 145
Locating the System Serial Number 145
Obtaining a Software License Key 145
Creating a Software License Key 146
Applying the Software License Key in the WebUI 146
Applying the Software License Key in the Lic
Creating a VLAN Pool Using the CLI 151
Viewing and Adding VLAN IDs Using the CLI 151
Role Derivation for Named VLAN Pools 152
In the CLI 152
In the WebUI 152
Creating a Named VLAN not in a Pool 153
In the WebUI 153
In the CLI 153
Adding a Bandwidth Contract to the VLAN 154
Optimizing VLAN Broadcast and Multicast Traffic 154
Using the CLI 154
Using the WebUI 155
Configuring Ports 155
Classifying Traffic as Trusted or Untrusted 155
About Trusted and Untrusted Physical Ports 155
A
Configuring Multiple Wired Uplink Interfaces (Active-Standby) 159
Enabling the DHCP Client 160
In the WebUI 160
In the CLI 160
Enabling the PPPoE Client 161
In the WebUI 161
In the CLI 161
Default Gateway from DHCP/PPPoE 161
In the WebUI 161
In the CLI 161
Configuring DNS/WINS Server from DHCP/PPPoE 161
In the WebUI 161
In the CLI 162
Configuring Source NAT to Dynamic VLAN Address 162
In the WebUI 162
In the CLI 162
Configuring Source NAT for VLAN Interfaces 163
Example Con
Configuring the Controller IP Address Using the CLI 167
Configuring GRE Tunnels 167
Important Points to Remember 167
Limitations 167
Creating a Tunnel Interface 167
In the WebUI 168
In the CLI 168
Directing Traffic into the Tunnel 169
Static Routes 169
Firewall Policy 169
In the WebUI 169
In the CLI 169
Tunnel Keepalives 169
In the WebUI 169
In the CLI 170
Configuring GRE Tunnel Group 170
Creating a Tunnel Group 170
In the WebUI 170
In the CLI 170
Jumbo Frame Support 171
Enabling IPv6 176
Enabling IPv6 Support for Controller and APs 176
Configuring IPv6 Addresses 178
In the WebUI 178
To Configure Link Local Address 178
To Configure Global Unicast Address 179
To Configure Loopback Interface Address 179
In the CLI 179
Configuring IPv6 Static Neighbors 179
In the WebUI 179
In the CLI 180
Configuring IPv6 Default Gateway and Static IPv6 Routes 180
In the WebUI 180
To Configure IPv6 Default Gateway 180
To Configure Static IPv6 Routes 180
In the CLI
Managi
In the WebUI 183
In the CLI 183
Provisioning an IPv6 AP 183
In the WebUI 183
In the CLI 184
Enhancements to IPv6 Support on AP 184
Filtering an IPv6 Extension Header (EH) 184
Configuring a Captive Portal over IPv6 184
Working with IPv6 Router Advertisements (RAs) 184
Configuring an IPv6 RA on a VLAN 185
Using WebUI 186
Using CLI 186
Configuring Optional Parameters for RAs 186
In the WebUI 187
In the CLI 187
RADIUS Over IPv6 188
In the CLI 188
In the WebUI 189
TACACS Over
Understanding the Network Connection Sequence for Windows IPv6 Clients 193
Understanding ArubaOS Authentication and Firewall Features that Support IPv6 193
Understanding Authentication 194
Working with Firewall Features 194
Understanding Firewall Policies 196
Creating an IPv6 Firewall Policy 197
Assigning an IPv6 Policy to a User Role 198
Understanding DHCPv6 Passthrough/Relay 198
Managing IPv6 User Addresses 198
Viewing or Deleting User Entries 198
Understanding User Roles 199
Viewing
Exporting VPN Client Addresses to OSPF 210
In the WebUI 210
In the CLI 210
Sample Topology and Configuration 210
Remote Branch 1 211
Remote Branch 2 212
W-3200 Central Office Controller—Active 213
W-3200 Central Office Controller—Backup 214
Topology 216
Observation 216
Configuring W-3600-UP Controller 216
Configuring W-3600-DOWN Controller 218
Viewing the Status of Instant AP VPN 219
RAPNG AP-1 219
RAPNG AP-3 220
Tunneled Nodes 222
Understanding Tunneled Node Configuration 2
RADIUS Server VSAs 228
RADIUS Server Authentication Codes 231
RADIUS Server Fully Qualified Domain Names 231
DNS Query Intervals 231
Using the WebUI 232
Using the CLI 232
Configuring an RFC-3576 RADIUS Server 232
Using the WebUI 232
Using the CLI 232
Configuring an LDAP Server 232
Using the WebUI 233
Using the CLI 234
Configuring a TACACS+ Server 234
Using the WebUI 234
Using the CLI 234
Configuring a Windows Server 235
Using the WebUI 235
Using the CLI 235
Managing the I
Configuring Server Groups 238
Configuring Server Groups 238
Using the WebUI 238
Using the CLI 238
Configuring Server List Order and Fail-Through 238
Using the WebUI 239
Using the CLI 239
Configuring Dynamic Server Selection 239
Using the WebUI 240
Using the CLI 241
Configuring Match FQDN Option 241
Using the WebUI 241
Using the CLI 241
Trimming Domain Information from Requests 241
Using the WebUI 242
Using the CLI 242
Configuring Server-Derivation Rules 242
Using the WebUI
Using the WebUI 247
Using the CLI 247
RADIUS Accounting on Multiple Servers 247
Using the CLI 247
Using the WebUI 247
TACACS+ Accounting 247
Configuring Authentication Timers 248
Setting an Authentication Timer 248
Using the WebUI 248
Using the CLI 248
Authentication Server Load Balancing 249
Enabling Authentication Server Load Balancing Functionality 249
MAC-based Authentication 250
Configuring MAC-Based Authentication 250
Configuring the MAC Authentication Profile 250
Using the W
In the WebUI 262
In the CLI 262
Configuring User and Machine Authentication 262
Working with Role Assignment with Machine Authentication Enabled 262
Enabling 802.1X Supplicant Support on an AP 264
Prerequisites 264
Provisioning an AP as an 802.1X Supplicant 264
In the WebUI 264
In the CLI 265
Sample Configurations 265
Configuring Authentication with an 802.
Configuring 802.
Configuring the Non-Guest WLANs
In the WebUI 280
In the CLI 280
Configuring Mixed Authentication Modes
In the CLI
Performing Advanced Configuration Options for 802.
Configuring Stateful NTLM Authentication 287
In the WebUI 287
In the CLI 288
Configuring Stateful Kerberos Authentication 288
In the WebUI 288
In the CLI 289
Configuring WISPr Authentication 289
In the WebUI 289
In the CLI 290
Certificate Revocation 292
Understanding OCSP and CRL 292
Configuring a Controller as OCSP and CRL Clients 292
Configuring an OCSP Controller as a Responder 293
Configuring the Controller as an OCSP Client 293
In the WebUI 293
In the CLI 295
Configuring t
In the WebUI 298
In the CLI 298
Removing the SSH Pubkey User 298
In the WebUI 298
In the CLI 298
Captive Portal Authentication 299
Understanding Captive Portal
Policy Enforcement Firewall Next Generation (PEFNG) License 299
Controller Server Certificate 300
Configuring Captive Portal in the Base Operating System 300
In the WebUI 301
In the CLI 302
Using Captive Portal with a PEFNG License 302
Configuring Captive Portal in the WebUI 303
Configuring Captive Portal in the CLI 305
Sa
Creating Aliases 310
Creating a Guest-Logon-Access Policy 311
Creating an Auth-Guest-Access Policy 311
Creating a Block-Internal-Access Policy 311
Creating a Drop-and-Log Policy 311
Creating a Guest-Logon Role 311
Creating an Auth-Guest Role 311
Configuring Guest VLANs 311
In the WebUI 312
In the CLI 312
Configuring Captive Portal Authentication Profiles 312
Modifying the Initial User Role 313
Configuring the AAA Profile 313
Configuring the WLAN 314
Managing User Accounts 314
C
Installing a New Captive Portal Page 325
Displaying Authentication Error Messages 325
Reverting to the Default Captive Portal 326
Configuring Localization 326
Customizing the Welcome Page 329
Customizing the Pop-Up box 330
Customizing the Logged Out Box 331
Creating Walled Garden Access 332
In the WebUI 332
In the CLI 332
Enabling Captive Portal Enhancements 333
Configuring the Redirect-URL 333
Configuring the Login URL 333
Defining Netdestination Descriptions 333
Configuring a W
Working with Certificate Groups 340
Working with VPN Authentication Profiles 340
Configuring a Basic VPN for L2TP/IPsec in the WebUI 342
Defining Authentication Method and Server Addresses 342
Defining Address Pools 343
RADIUS Framed-IP-Address for VPN Clients 343
Enabling Source NAT 343
Selecting Certificates 343
Defining IKEv1 Shared Keys 344
Configuring IKE Policies 344
Setting the IPsec Dynamic Map 345
Finalizing WebUI changes 346
Configuring a Basic L2TP VPN in the CLI
Configur
Configuring Remote Access VPNs for XAuth 353
Configuring VPNs for XAuth Clients using Smart Cards 353
Configuring a VPN for XAuth Clients Using a Username and Password 354
Working with Remote Access VPNs for PPTP 355
In the WebUI 355
In the CLI 355
Working with Site-to-Site VPNs 355
Working with Third-Party Devices 356
Working with Site-to-Site VPNs with Dynamic IP Addresses 356
Understanding VPN Topologies 356
Configuring Site-to-Site VPNs 357
In the WebUI 357
In the CLI 358
Detec
In the CLI 368
Creating a Network Service Alias 368
In the WebUI 368
In the CLI 369
Creating an ACL White List 369
In the WebUI 369
Configuring the ACL White List in the WebUI 369
Configuring the White List Bandwidth Contract in the CLI 369
Configuring the ACL White List in the CLI 370
User Roles 370
In the WebUI 370
In the CLI 372
Assigning User Roles 372
Assigning User Roles in AAA Profiles 372
In the WebUI 372
In the CLI 372
Working with User-Derived VLANs 373
Understanding
Enabling Deep Packet Inspection (DPI)
In the WebUI 381
In the CLI 381
Show Command Output 382
Configuring Policies for AppRF 2.0 382
How ACL Works with AppRF 382
Global Session ACL 382
Role Default Session ACL 382
Session ACL Examples 383
In the WebUI 384
In the CLI 384
Configuring Bandwidth Contracts for AppRF 2.
Adding Enforcement Policy 390
Adding Services 392
Controller Configuration 393
Configuring CPPM Server on Controller 393
Configuring Server Group to include CPPM Server 394
Configuring 802.
Configuring Radio Resource Management Information Elements
In the WebUI 406
In the CLI 407
Configuring Beacon Report Requests 408
In the WebUI 408
In the CLI 409
Configuring Traffic Stream Measurement Report Requests 409
In the WebUI 409
In the CLI 411
BSS Transition Management (802.11v) 411
Frame Types 411
802.11k and 802.11v clients 412
Fast BSS Transition (802.
High-Throughput Virtual APs 424
Configuring the High-Throughput Radio Profile 424
In the WebUI 424
In the CLI 425
Configuring the High-Throughput SSID Profile 425
In the WebUI 425
In the CLI 428
Guest WLANs 428
Configuring a Guest VLAN 429
In the WebUI 429
In the CLI 429
Configuring a Guest Role 429
In the WebUI 429
In the CLI 430
Configuring a Guest Virtual AP 430
In the WebUI 430
In the CLI 431
Adaptive Radio Management (ARM) 432
ARM Feature Overviews 432
Configuring ARM
ARM Coverage and Interference Metrics 435
Configuring ARM Profiles 435
Creating and Configuring a New ARM Profile 436
In the WebUI 436
In the CLI 442
Modifying an Existing Profile 443
Copying an Existing Profile 443
Deleting a Profile 443
Assigning an ARM Profile to an AP Group 443
In the WebUI 444
In the CLI 444
Using Multi-Band ARM for 802.11a/802.
Wireless Clients Report a Low Signal Level 451
Transmission Power Levels Change Too Often 451
APs Detect Errors but Do Not Change Channels 451
APs Don't Change Channels Due to Channel Noise 451
Wireless Intrusion Prevention 452
Working with the Reusable Wizard 452
Understanding Wizard Intrusion Detection 453
Understanding Wizard Intrusion Protection 454
Protecting Your Infrastructure 454
Protecting Your Clients 454
Monitoring the Dashboard 455
Detecting Rogue APs 456
Understanding Clas
Detecting an Ad hoc Network Using a Valid SSID 464
Detecting an AP Flood Attack 464
Detecting AP Impersonation 464
Detecting AP Spoofing 464
Detecting Bad WEP Initialization 464
Detecting a Beacon Frame Spoofing Attack 464
Detecting a Client Flood Attack 464
Detecting a CTS Rate Anomaly 465
Detecting an RTS Rate Anomaly 465
Detecting Devices with an Invalid MAC OUI 465
Detecting an Invalid Address Combination 465
Detecting an Overflow EAPOL Key 465
Detecting Overflow IE Tags 465
De
Detecting an EAP Rate Anomaly 469
Detecting a FATA-Jack Attack Structure 469
Detecting a Hotspotter Attack 470
Detecting a Meiners Power Save DoS Attack 470
Detecting an Omerta Attack 470
Detecting Rate Anomalies 470
Detecting a TKIP Replay Attack 470
Detecting Unencrypted Valid Clients 470
Detecting a Valid Client Misassociation 470
Detecting an AirJack Attack 471
Detecting ASLEAP 471
Detecting a Null Probe Response 471
Configuring Intrusion Protection
Understanding Infrastructure I
In the CLI 476
Configuring Local WMS Settings 476
Managing the WMS Database 476
Understanding Client Blacklisting 476
Methods of Blacklisting 477
Blacklisting Manually 477
Blacklisting by Authentication Failure 477
Enabling Attack Blacklisting 478
Setting Blacklist Duration 479
Removing a Client from Blacklisting 479
Working with WIP Advanced Features 479
Configuring TotalWatch 480
Understanding TotalWatch Channel Types and Qualifiers 480
Understanding TotalWatch Monitoring Feature
Naming and Grouping APs 486
Creating an AP group 487
In the WebUI 487
In the CLI 487
Assigning APs to an AP Group 488
In the WebUI 488
In the CLI 488
Understanding AP Configuration Profiles 488
AP Profiles 489
RF Management Profiles 489
Wireless LAN Profiles 490
Mesh Profiles 493
QoS Profiles 493
IDS Profiles 494
HA Group profiles 494
Other Profiles 494
Profile Hierarchy 494
Viewing Profile Errors 495
Before you Deploy an AP 495
Mesh AP Preconfiguration 495
Remote AP
Defining an AP Provisioning Profile 497
Assigning Provisioning Profiles 499
Configuring Installed APs
Configuring an AP using the Provisioning Wizard 500
Configuring an AP using the WebUI 500
Configuring a Remote AP 501
Remote Authentication 501
RAP Configuration 502
Configuring a Mesh AP 502
Verifying the Configuration 502
Optional AP Configuration Settings 503
AP Installation Mode 503
Using the WebUI 503
Using the CLI 504
AP Name 504
Using the WebUI 504
Using the CLI 504
Span
Using the CLI 507
Energy Efficient Ethernet 507
Using the WebUI 507
Using the CLI 508
AP LEDs 508
Using the WebUI 508
Using the CLI 509
RF Management 509
802.11a and 802.11g RF Management Profiles 509
VHT Support on W-AP200 Series, W-AP210 Series, W-AP220 Series, and W-AP270 Series Access Points 510
Managing 802.11a/802.11g Profiles Using the WebUI 511
Creating or Editing a Profile 511
Assigning an 802.11a/802.
Configuring the Bootstrap Threshold 522
Prioritizing AP heartbeats 525
Configuring AP Channel Assignments 526
Using the WebUI 526
Using the CLI 527
Channel Switch Announcement (CSA) 527
Using the WebUI 528
Using the CLI 528
Automatic Channel and Transmit Power Selection 528
Managing AP Console Settings 528
Link Aggregation Support on W-AP220 Series and W-AP270 Series 529
Configuring LACP 530
Using the WebUI, in ArubaOS 6.4.2.x and later 530
Using the CLI, in ArubaOS 6.4.2.
Mesh Clusters 535
Understanding Mesh Links 535
Link Metrics 536
Optimizing Links 537
Understanding Mesh Profiles 537
Mesh Cluster Profiles 537
Mesh Radio Profiles 538
RF Management (802.11a and 802.
Configuring Mesh Cluster Profiles 547
Managing Mesh Cluster Profiles in the WebUI 547
Creating a Profile 547
Associating a Mesh Cluster Profile to Mesh APs 549
Editing a Mesh Cluster Profile 549
Deleting a Mesh Cluster Profile 550
Managing Mesh Cluster Profiles in the CLI 550
Viewing Mesh Cluster Profile Settings 550
Associating Mesh Cluster Profiles 550
Excluding a Mesh Cluster Profile from a Mesh Node 551
Deleting a Mesh Cluster Profile 551
Creating and Editing Mesh Radio Profiles 5
Deleting a Profile 561
Configuring Ethernet Ports for Mesh 561
Configuring Bridging on the Ethernet Port 561
Configuring Ethernet Ports for Secure Jack Operation 562
In the WebUI 562
In the CLI 563
Extending the Life of a Mesh Network 563
In the WebUI 563
In the CLI 563
Provisioning Mesh Nodes 564
Provisioning Caveats 564
Provisioning Mesh Nodes 565
In the WebUI 565
In the CLI 565
Verifying Your Mesh Network 566
Verification Checklist 566
CLI Examples 566
Configuring Remote M
Increasing Network Uptime Through Redundancy and VRRP
High Availability 570
Pre-Deployment Information 570
Configuration Procedures 570
VRRP-Based Redundancy 570
High Availability Deployment Models 571
Active/Active Deployment Model 571
1:1 Active/Standby Deployment Model 571
N:1 Active/Standby Deployment Model 572
Master-Redundancy Deployment Model 572
AP Communication with Controllers 573
Client State Synchronization 573
Feature Guidelines and Limitations 574
High Availability Inte
Before you Begin 580
Configuring the Local Controller for Redundancy 580
In the WebUI 580
In the CLI 581
Configuring the LMS IP 582
In the WebUI 582
In the CLI 582
Configuring the Master Controller for Redundancy 582
Configuring Database Synchronization 584
In the WebUI 584
In the CLI 584
Enabling Incremental Configuration Synchronization (CLI Only) 584
Configuring Master-Local Controller Redundancy 585
RSTP 587
Understanding RSTP Migration and Interoperability 587
Working with
LLDP Overview
Default LLDP Configuration 596
Configuring LLDP 596
Monitoring LLDP Configuration 596
Display LLDP Interface 596
Display LLDP Interface 596
Display LLDP Neighbor 597
Display LLDP Neighbor Interface Detail 597
Display LLDP Statistics 598
Display LLDP Statistics Interface 598
IP Mobility 599
Understanding Dell Mobility Architecture 599
Configuring Mobility Domains 600
Configuring a Mobility Domain 601
Using the WebUI 601
Using the CLI 601
Joining a Mobil
Mobile Client Roaming Locations 605
In the WebUI 605
In the CLI 605
HA Discovery on Association 605
Setting up Mobility Association using the CLI 605
Configuring Advanced Mobility Functions 606
In the WebUI 606
In the CLI 608
Proxy Mobile IP 608
Revocations 608
IPv6 L3 Mobility 609
Multicast Mobility 609
Important Points to Remember 609
Example Configuration 611
Understanding Bridge Mode Mobility Deployments 615
Enabling Mobility Multicast 616
Working with Proxy IGMP and Proxy Remote
User-ID Support 621
Device-Type Based Policy Support 621
Configuring PAN Firewall Integration 622
Creating PAN Profiles 622
Using the WebUI 623
Using the CLI 623
Activating a PAN Profile 623
Using the WebUI 624
Using the CLI 624
Enabling PAN Firewall Integration 624
Using the WebUI 624
Using the CLI 624
Enabling PAN Firewall Integration for VIA Clients 624
Using the WebUI 624
Using the CLI 624
Enabling PAN Firewall Integration for VPN Clients 624
Using the WebUI 625
Using t
Configuring the Secure Remote Access Point Service 631
Configure a Public IP Address for the Controller 631
Using the WebUI to create a DMZ address 631
Using CLI 631
Configure the NAT Device 632
Configure the VPN Server 632
Using the WebUI 632
Using CLI 632
CHAP Authentication Support over PPPoE 632
Using the WebUI to configure CHAP 632
Using the CLI to configure CHAP 633
Configuring Certificate RAP 633
Using WebUI 633
Using CLI 633
Creating a Remote AP Whitelist 633
Config
Multihoming on remote AP (RAP) 640
Seamless failover from backup link to primary link on RAP 640
Remote AP Connectivity 641
Remote AP Diagnostics 641
Enabling Remote AP Advanced Configuration Options 641
Understanding Remote AP Modes of Operation 642
Working in Fallback Mode 644
Backup Configuration Behavior for Wired Ports 645
Configuring Fallback Mode 645
Configuring the AAA Profile for Fallback Mode in the WebUI 645
Configuring the AAA Profile for Fallback Mode in the CLI 646
Config
In the WebUI 654
In the CLI 654
Enabling RAP Local Network Access 654
In the WebUI 654
In the CLI 655
Configuring Remote AP Authorization Profiles 655
In the WebUI 655
Adding or Editing a Remote AP Authorization Profile 655
In the CLI 656
Working with Access Control Lists and Firewall Policies 656
Understanding Split Tunneling 656
Configuring Split Tunneling 657
Configuring the Session ACL Allowing Tunneling 657
Using the WebUI 657
Using the CLI 658
Configuring an ACL to Restrict Local
Configuring the Session ACL 663
Using the WebUI 663
Using the CLI 665
Configuring the AAA Profile for Bridge 665
In the WebUI 665
In the CLI 665
Configuring Virtual AP Profile 666
In the WebUI 666
In the CLI 666
Provisioning Wi-Fi Multimedia 667
Reserving Uplink Bandwidth 667
Understanding Bandwidth Reservation for Uplink Voice Traffic 667
Configuring Bandwidth Reservation 667
In the WebUI 667
In the CLI 668
Provisioning 4G USB Modems on Remote Access Points
4G USB Modem Provis
Using the CLI 674
Converting an IAP to RAP or CAP 674
Converting IAP to RAP 675
Converting an IAP to CAP 675
Enabling Bandwidth Contract Support for RAPs 676
Configuring Bandwidth Contracts for RAP 676
Defining Bandwidth Contracts 676
Applying Contracts 676
Applying Contracts Per-Role 676
Applying Contracts Per-User 676
Verifying Contracts on AP 676
Verifying Contracts Applied to Users 677
Verifying Bandwidth Contracts During Data Transfer 678
Virtual Intranet Access
Understanding VI
Suite B Cryptography Support 683
802.
Diagnostic Tab 699
Settings Tab 699
Troubleshooting 699
Spectrum Analysis 700
Understanding Spectrum Analysis 700
Spectrum Analysis Clients 703
Hybrid AP Channel Changes 704
Hybrid APs Using Mode-Aware ARM 704
Creating Spectrum Monitors and Hybrid APs 705
Converting APs to Hybrid APs 705
In the WebUI 705
In the CLI 705
Converting an Individual AP to a Spectrum Monitor 706
In the WebUI 706
In the CLI 706
Converting a Group of APs to Spectrum Monitors 706
In the WebUI 707
In th
Spectrum Analysis Graph Configuration Options 714
Active Devices 714
Active Devices Table 715
Active Devices Trend 718
Channel Metrics 719
Channel Metrics Trend 721
Channel Summary Table 723
Device Duty Cycle 724
Channel Utilization Trend 726
Devices vs Channel 727
FFT Duty Cycle 729
Interference Power 731
Quality Spectrogram 733
Real-Time FFT 734
Swept Spectrogram 736
Working with Non-Wi-Fi Interferers 739
Understanding the Spectrum Analysis Session Log 741
Viewing Spectru
Troubleshooting Issues with Adobe Flash Player 10.
Block/Unblock, Throttle, and QoS Action Buttons 762
Block/Unblock 763
Throttle 765
QoS 765
Web Content Classification 766
Web Content Filters 769
WebCC Configuration in the WebUI 770
Block/Unblock 770
Throttle 771
QoS 772
WebCC Configuration in the CLI 772
Enabling WebCC 772
New policy configuration 772
WebCC Bandwidth Contract Configuration 773
AirGroup 774
UCC 775
Chart View 776
Details View 776
Management Access 778
Configuring Certificate Authentication for WebUI
Configuring RADIUS Server Authentication with VSA 781
Configuring RADIUS Server Authentication with Server Derivation Rule 781
In the WebUI 781
In the CLI 782
Configuring a set-value server-derivation rule 782
In the WebUI 782
In the CLI 783
Disabling Authentication of Local Management User Accounts 783
In the WebUI 783
In the CLI 783
Verifying the configuration 784
Resetting the Admin or Enable Password 784
Bypassing the Enable Password Prompt 785
Setting an Administrator Session
Configuring AP Image Preload 790
Enable and Configure AP Image Preload 790
In the WebUI 791
In the CLI 791
View AP Preload Status 792
Configuring Centralized Image Upgrades 792
Configuring Centralized Image Upgrades 793
Using the WebUI 793
In the CLI 794
Viewing Controller Upgrade Statistics 794
Managing Certificates 795
About Digital Certificates 796
Obtaining a Server Certificate 796
In the WebUI 796
In the CLI 797
Obtaining a Client Certificate 797
Importing Certificates
In the WebUI 802
In the CLI 802
Enabling Capacity Alerts 802
In the WebUI 803
In the CLI 803
Examples 803
Configuring Logging 804
In the WebUI 805
In the CLI 806
Enabling Guest Provisioning 806
Configuring the Guest Provisioning Page 806
In the WebUI 806
Configuring the Guest Fields 807
Configuring the Page Design 809
Configuring Email Messages 809
Configuring the SMTP Server and Port in the WebUI 810
Configuring an SMTP server and port in the CLI 810
Creating Email Messages in
Importing Multiple Guest Entries 815
Creating Multiple Guest Entries in a CSV File 815
Importing the CSV File into the Database 816
Printing Guest Account Information 819
Optional Configurations 820
Restricting one Captive Portal Session for each Guest 820
Using the CLI to restrict one Captive Portal session for each guest
Setting the Maximum Time for Guest Accounts 820
Using the WebUI to set the maximum time for guest accounts 821
Using the CLI to set the maximum time for guest accounts 8
Clock Synchronization 825
In the WebUI 825
In the CLI 825
Configuring NTP Authentication 825
In the WebUI 825
In the CLI 826
Timestamps in CLI Output 826
ClearPass Profiling with IF-MAP 826
In the WebUI 826
In the CLI 826
Whitelist Synchronization 827
In the WebUI 827
In the CLI 827
Downloadable Regulatory Table 828
Important Points to Remember 828
Copying the Regulatory-Cert 828
In the WebUI 829
In the CLI 829
Activating the Regulatory-Cert 829
In the WebUI 829
In th
Hotspot Profile Types 832
Configuring Hotspot 2.0 Profiles 834
In the WebUI 834
In the CLI 838
Configuring Hotspot Advertisement Profiles 839
Configuring an Advertisement Profile 839
In the WebUI 839
In the CLI 840
Associating the Advertisement Profile to a Hotspot 2.
In the CLI 849
Configuring ANQP 3GPP Cellular Network Profiles 849
In the WebUI 849
In the CLI 850
Configuring H2QP Connection Capability Profiles 850
In the WebUI 850
In the CLI 851
Configuring H2QP Operator Friendly Name Profiles 852
In the WebUI 852
In the CLI 852
Configuring H2QP Operating Class Indication Profiles 853
In the WebUI 853
In the CLI 853
Configuring H2QP WAN Metrics Profiles 853
In the WebUI 853
In the CLI 854
Adding Local Controllers 857
Configuring Local Co
Configuring a Preshared Key 860
Using the WebUI to configure a Local Controller PSK 860
Using the WebUI to configure a Master Controller PSK 861
Using the CLI to configure a PSK 861
Master Controller 861
Local Controller 861
Configuring a Controller Certificate 861
Using the CLI to configure a Local Controller Certificate 861
Using the CLI to configure the Master Controller Certificate 862
Advanced Security 863
Securing Client Traffic 863
Securing Wireless Clients 864
In the WebUI 8
In the CLI 871
Configuring the Odyssey Client on Client Machines 871
Installing the Odyssey Client 871
Voice and Video 878
Voice and Video License Requirements 878
Configuring Voice and Video 878
Voice ALG and Network Address Translation 878
Setting up Net Services 878
Using Default Net Services 878
Creating Custom Net Services 879
Configuring User Roles 879
Using the Default User Role 879
Creating or Modifying Voice User Roles 880
Using the WebUI to configure user roles 880
Using th
Understanding VoIP Call Admission Control Profile 891
In the WebUI 891
In the CLI 892
Understanding Wi-Fi Multimedia 893
Enabling WMM 893
In the WebUI 893
In the CLI 893
Configuring WMM AC Mapping 894
Using the WebUI to map between WMM AC and DSCP 894
Using the CLI to map between WMM AC and DSCP 895
Configuring DSCP Priorities 895
Configuring Dynamic WMM Queue Management 896
Enhanced Distributed Channel Access 896
Using the WebUI to configure EDCA parameters 897
Using the CLI to
Viewing Call Detail Record for Lync Calls 906
Viewing Call Quality for Lync Calls 906
Viewing Lync Call Trace Buffer 906
Viewing Lync ALG Statistics Using the WebUI 906
Viewing Voice Status 906
Viewing Call Performance Report 906
Viewing Call Density Report 906
Viewing Call Detail Report 907
Viewing Voice Client Call Statistics 907
Viewing Voice Client HandOff Information 907
Viewing Voice Client Troubleshooting Information 907
Troubleshooting Lync ALG Issues 907
Enabling Lync ALG De
Understanding Extended Voice and Video Features 915
Understanding QoS for Microsoft Lync and Apple Facetime
Microsoft Lync 915
Microsoft Lync Support for Mobile Devices 915
Apple Facetime 916
In the WebUI 916
Enabling WPA Fast Handover 917
In the WebUI 917
In the CLI 918
Enabling Mobile IP Home Agent Assignment 918
Scanning for VoIP-Aware ARM 918
In the WebUI 918
In the CLI 918
Disabling Voice-Aware 802.
In the CLI 923
Working with Dial Plan for SIP Calls 923
Understanding Dial Plan Format 923
Configuring Dial Plans 924
In the WebUI 924
In the CLI 926
Enabling Enhanced 911 Support 926
Working with Voice over Remote Access Point 927
Understanding Battery Boost 928
In the WebUI 928
In the CLI 928
Enabling LLDP 929
In the WebUI 929
In the CLI 932
Advanced Voice Troubleshooting 933
Viewing Troubleshooting Details on Voice Client Status 933
In the WebUI 934
In the CLI 934
Viewin
In the CLI
AirGroup 940
Zero Configuration Networking 940
AirGroup Solution 940
AirGroup Services 941
AirGroup Solution Components 942
AirGroup and ClearPass Policy Manager 942
AirGroup Deployment Models 944
Integrated Deployment Model 944
AirGroup with ClearPass Policy Manager 945
Features Supported in AirGroup 945
Multi-Controller AirGroup Cluster 945
Multi-Controller AirGroup Cluster—Terminologies 945
AirGroup Domain 945
AirGroup Cluster 945
Active-Domain 946
Sample AirGroup Cl
Dashboard Monitoring Enhancements 949
ClearPass Policy Manager and ClearPass Guest Features 950
Best Practices and Limitations 950
Apple iTunes Wi-Fi Synchronization and File Sharing 950
Firewall Configuration 950
Disable Inter-User Firewall Settings 950
ValidUser ACL Configuration 950
Allow GRE and UDP 5353 950
Recommended Ports 951
Ports for AirPlay Service 951
Ports for AirPrint Service 951
AirGroup Services for Large Deployments 951
AirGroup Scalability Limits 952
Memory Utiliz
Using the CLI
Enabling the allowall Service 959
Using the WebUI 959
Using the CLI 959
Enabling or Disabling an AirGroup Service 959
Using the WebUI 959
Using the CLI 960
Viewing AirGroup Service Status 960
Using the WebUI 960
Using the CLI 960
Viewing Blocked Services 960
Using the CLI 960
Viewing AirGroup Service Details 960
Using the WebUI 960
Using the CLI 960
Configuring an AirGroup Domain 960
Using the WebUI 961
Using the CLI 961
Viewing an AirGroup Domain 961
Using t
Using the CLI 962
Controller Dashboard Monitoring 962
Configuring the AirGroup-CPPM Interface 965
Configuring the CPPM Query Interval 965
Using the WebUI 965
Using the CLI 966
Viewing the CPPM Query Interval 966
Using the WebUI 966
Using the CLI 966
Defining a CPPM and RFC3576 Server 966
Configuring a CPPM Server 967
Using the WebUI 968
Using the CLI 968
Configuring the CPPM Server Group 968
Using the WebUI 968
Using the CLI 968
Configuring an RFC 3576 Server 968
Using the We
Group Based Device Sharing Example AirGroup mDNS Static Records 972 973 Important Points to Remember 973 Creating mDNS Static Records on a Controller 973 Group mDNS Static Records 973 Creating a PTR Record 973 Creating an SRV Record 974 Creating an A Record 974 Creating an AAAA Record 974 Creating a TEXT Record 974 Individual Static mDNS Records 974 Creating an Individual SRV Record 974 Creating an Individual TEXT Record 974 Creating an Individual A Record 974 Creating an Individ
Instant AP VPN Support Overview 978 978 Improved DHCP Pool Management 978 Termination of Instant AP VPN Tunnels 978 Termination of IAP GRE Tunnels 978 L2/L3 Network Mode Support 979 Instant AP VPN Scalability Limits 979 Instant AP VPN OSPF Scaling 979 Branch-ID Allocation 981 Centralized BID Allocation VPN Configuration 981 982 Whitelist DB Configuration 982 Controller Whitelist DB 982 External Whitelist DB 982 VPN Local Pool Configuration 982 Role Assignment for the Authenticated
Configuring a New USB Modem Configuring the Profile and Modem Driver 989 Configuring the TTY Port 989 Testing the TTY Port 990 Selecting the Dialer Profile 991 Linux Support 991 External Services Interface 992 Sample ESI Topology 992 Understanding the ESI Syslog Parser 994 ESI Parser Domains 994 Peer Controllers 995 Syslog Parser Rules 996 Condition Pattern Matching 996 User Pattern Matching 996 Configuring ESI Configuring Health-Check Method, Groups, and Servers 996 997 In the W
Managing Syslog Parser Domains in the WebUI 1000 Adding a new syslog parser domain 1000 Deleting an existing syslog parser domain 1001 Editing an existing syslog parser domain 1001 Managing Syslog Parser Domains in the CLI 1001 Adding a new syslog parser domain 1001 Showing ESI syslog parser domain information 1001 Deleting an existing syslog parser domain 1001 Editing an existing syslog parser domain 1001 Managing Syslog Parser Rules 1002 In the WebUI 1002 Adding a new parser rule 10
Defining the Ping Health-Check Method 1006 In the WebUI 1006 In the CLI 1006 Defining the ESI Server 1006 In the WebUI 1006 In the CLI 1007 Defining the ESI Server Group 1007 In the WebUI 1007 In the CLI 1007 Redirection Policies and User Role 1008 In the WebUI 1008 In the CLI 1008 Syslog Parser Domain and Rules 1009 Add a New Syslog Parser Domain in the WebUI 1009 Adding a New Parser Rule in the WebUI 1009 In the CLI 1010 Sample NAT-mode ESI Topology 1010 ESI server config
CLI Configuration Example 1 1015 CLI Configuration Example 2 1015 Understanding Basic Regular Expression (BRE) Syntax 1016 Character-Matching Operators 1016 Regular Expression Repetition Operators 1016 Regular Expression Anchors 1017 References 1017 External User Management Overview Before you Begin 1019 1019 1019 Working with the ArubaOS XML API Works 1019 Creating an XML Request 1019 Adding a User 1020 Deleting a User 1020 Authenticating a User 1020 Blacklisting a User 1021 Que
Sample Code Using XML API in C Language 1029 Understanding Request and Response 1032 Understanding XML API Request Parameters 1032 Understanding XML API Response 1033 Adding a Client 1033 Response from the controller 1034 View the updated details of the client on the controller 1034 Deleting a Client 1034 Response from the controller 1034 Authenticating a Client 1035 Status of the client before authentication 1035 Sending the authentication command 1035 Response from the controller 10
DHCP with Vendor-Specific Options 1055 Configuring a Windows-Based DHCP Server 1055 Configuring Option 60 To configure option 60 on the Windows DHCP server Configuring Option 43 To configure option 43 on the Windows DHCP server: Enabling DHCP Relay Agent Information Option (Option 82) Configuring Option 82 1055 1055 1056 1056 1058 1058 In the WebUI 1058 In the CLI 1058 Enabling Linux DHCP Servers 802.
About this Guide This User Guide describes the features supported by Dell Networking W-Series ArubaOS 6.4.x and provides instructions and examples for configuring Dell mobility controllers and access points (APs). This guide is intended for system administrators responsible for configuring and maintaining wireless networks and assumes administrator knowledge in Layer 2 and Layer 3 networking technologies. This chapter covers the following topics: l What's New In ArubaOS 6.4.
Table 2: New Hardware Platforms in ArubaOS 6.4.2.0 Check with your local Dell sales representative on new controllers and access points availability in your country. Hardware Description W-AP210 Series The Dell W-AP210 Series (W-AP214 and W-AP215) wireless access points support the IEEE 802.11ac standard for high-performance WLAN. These access points use MIMO (Multiple-Input, Multiple-Output) technology and other high-throughput mode techniques to deliver high-performance, 802.11ac 2.4 GHz and 802.
Table 3: New Features/Enhancements in ArubaOS 6.4.1.0 Feature Description DHCP Lease Limit This section outlines the maximum number of DHCP leases supported for the new W-7000 Series controller platform. Downloadable Regulatory Table The downloadable regulatory table feature allows new regulatory approvals to be distributed without waiting for a new software patch and upgrade.
Table 4: New Hardware Platforms in ArubaOS 6.4.1.0 Check with your local Dell sales representative on new controller and access point availability in your country. Hardware Description W-7000 Series Controllers The Dell W-7000 Series controllers are an integrated controller platform. The platform acts as a software services platform targeting small to medium branch offices and enterprise networks. The W-7000 Series controllers include three models that provide varying levels of scalability.
What’s New In ArubaOS 6.4.0.0 The following features are introduced in ArubaOS 6.4.0.0: Table 5: New Features in ArubaOS 6.4.0.0 Feature Description W-AP270 Series Access Points The Dell W-AP270 Series (W-AP274 and W-AP275) wireless access points are environmentally hardened, outdoor rated, dual-radio IEEE 802.11ac wireless access points. These access points use MIMO (Multiple-Input, Multiple-Output) technology and other high-throughput mode techniques to deliver high-performance, 802.11ac 2.
Table 5: New Features in ArubaOS 6.4.0.0 Feature Description Multicast Listener Discovery The Source Specific Multicast (SSM) option supports delivery of multicast packets that originate only from a specific source address requested by the receiver. Hotspot 2.0 Hotspot 2.0 is a Wi-Fi Alliance Passpoint specification based upon the 802.
Table 5: New Features in ArubaOS 6.4.0.0 Feature Description RADIUS Accounting on Multiple Servers ArubaOS provides support for the controllers to send RADIUS accounting to multiple RADIUS servers. The controller notifies all the RADIUS servers to track the status of authenticated users. Accounting messages are sent to all the servers configured in the server group in a sequential order. Unified Communication and Collaboration The following new features are introduced in ArubaOS 6.
- Commands are not case sensitive.
- The space bar completes your partial keyword.
- The backspace key erases your entry one letter at a time.
- The question mark ( ? ) lists available commands and options.
Related Documents The following guides are part of the complete documentation for the Dell user-centric network:
- Dell Networking W-Series Controller Installation Guides
- Dell Networking W-Series Access Point Installation Guides
- Dell Networking W-Series ArubaOS Quick Start Guide
Indicates a risk of personal injury or death. Contacting Dell Table 7: Contact Information
Web Site | Support
Main Website | dell.com
Contact Information | dell.com/contactdell
Support Website | dell.com/support
Documentation Website | dell.com/support/manuals
Dell Networking W-Series ArubaOS 6.4.
Chapter 1 The Basic User-Centric Networks This chapter describes how to connect a Dell controller and Dell AP to your wired network. After completing the tasks described in this chapter, see Access Points (APs) on page 485 for information on configuring APs.
Deployment Scenario #2: APs All on One Subnet Different from Controller Subnet Figure 2 APs All on One Subnet Different from Controller Subnets In this deployment scenario, the APs and the controller are on different subnetworks and the APs are on multiple subnetworks. The controller acts as a router for the wireless subnetworks (the controller is the default gateway for the wireless clients).
4. Configure VLANs for the wireless subnetworks on the controller. 5. Configure SSIDs with the VLANs assigned for each wireless subnetwork. Each wireless client VLAN must be configured on the controller with an IP address. On the uplink switch or router, you must configure static routes for each client VLAN, with the controller’s VLAN 1 IP address as the next hop.
This deployment scenario does not use VLAN 1 to connect to the layer-2 switch or router through the trunk port. The initial setup prompts you for the IP address and default gateway for VLAN 1; use the default values. In later steps, you configure the appropriate VLAN to connect to the switch or router as well as the default gateway. For this scenario, you must perform the following tasks: 1. Run the initial setup.
- Use the default IP address for VLAN 1.
Do not connect the controller to your network when running the initial setup. The factory-default controller boots up with a default IP address, and neither the DHCP server nor spanning tree is enabled. Once you have completed the initial setup, you can use either the CLI or WebUI for further configuration before connecting the controller to your network.
instead. It is important to consider this when migrating an older controller to the W-7200 Series. If you load a configuration from a non-W-7200 controller, the W-7200 controller will not have network connectivity, because the interface configuration in that file will not be recognized. For information about migrating to a W-7200 Series controller, see the Dell Networking W-Series ArubaOS 6.2 Release Notes.
Table 10: LCD Panel Mode: Status Function/Menu Options Displays ArubaOS Version ArubaOS X.X.X.X PSU Status Displays status of the power supply unit. PSU 0: [OK | FAILED | MISSING] PSU 1: [OK | FAILED | MISSING] Fan Tray Displays fan tray status.
Upgrading an Image 1. Copy a new controller image onto your USB drive into a directory named /Dellimage. 2. Insert your USB drive into the controller’s USB slot. Wait 30 seconds for the controller to mount the USB drive. 3. Navigate to Upgrade Image in the LCD’s Maintenance menu. Select the partition, confirm the upgrade (Y/N), and then wait for the controller to copy the image from the USB drive to the system partition. 4. Execute a system reboot either from the LCD menu or from the command line to complete the upgrade.
Configuring a VLAN to Connect to the Network You must follow the instructions in this section only if you need to configure a trunk port between the controller and another layer-2 switch (shown in Deployment Scenario #3: APs on Multiple Different Subnets from Controllers on page 96). This section shows how to use both the WebUI and CLI for the following configurations (subsequent steps show how to use the WebUI only): l Create a VLAN on the controller and assign it an IP address.
Creating, Updating, and Deleting VLAN Pools VLAN pooling should not be used with static IP addresses. You can create, update, and delete a VLAN pool using the WebUI or the CLI. See Creating a VLAN Pool on page 149. Use the CLI to add existing VLAN IDs to a pool.
  (host) #configure terminal
  Enter Configuration commands, one per line.
2. To add a new static gateway, click the Add button below the static IP address list. a. In the IP Address field, enter an IP address in dotted-decimal format. b. In the Cost field, enter a value for the path cost. c. Click Add. 3. You can define a dynamic gateway using DHCP, PPPoE or a cellular uplink interface. In the Dynamic section, click the DHCP, PPPoE or Cellular checkboxes to select one or more dynamic gateway options.
7. Click Continue. In the CLI
  interface loopback ip address 10.3.22.220
  no spanning-tree
  write memory
  reload
The controller returns the following messages:
  Do you really want to reset the system(y/n):
Enter y to reboot the controller or n to cancel.
  System will now restart!
  ...
  Restarting system.
To verify that the controller is accessible on the network, ping the loopback address from a workstation on the network.
User Guide describe how to build upon this basic deployment to configure user roles, firewall policies, authentication, authentication servers, and other wireless features. Configuring Your User-Centric Network Configuring your controller and AP is done through either the Web User Interface (WebUI) or the command line interface (CLI).
- WebUI is accessible through a standard Web browser from a remote management console or workstation.
Chapter 2 Control Plane Security ArubaOS supports secure IPsec communications between a controller and campus or remote APs using public-key self-signed certificates created by each master controller. The controller certifies its APs by issuing them certificates. If the master controller has any associated local controllers, the master controller sends a certificate to each local controller, which in turn sends certificates to its own associated APs.
initial setup wizard. If you are confident that all APs currently on your network are valid APs, then you can use the initial setup wizard to configure automatic certificate provisioning to send certificates from the controller to each campus or remote AP, or to all campus and remote APs within specific ranges of IP addresses.
Table 12: Control Plane Security Parameters Parameter Description Control Plane Security Select enable or disable to turn the control plane security feature on or off. This feature is enabled by default. Auto Cert Provisioning When you enable the control plane security feature, you can select this checkbox to turn on automatic certificate provisioning. When you enable this feature, the controller attempts to send certificates to all associated campus APs.
In the CLI Use the commands below to configure control plane security via the command line interface on a standalone or master controller. Descriptions of the individual parameters are listed in Table 12, above.
  control-plane-security
    auto-cert-allow-all
    auto-cert-allowed-addrs
    auto-cert-prov
    cpsec-enable
Example:
  (host)(config) # control-plane-security
    auto-cert-prov
    no auto-cert-allow-all
    auto-cert-allowed-addrs 10.21.18.10 10.21.10.
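The following is an added example, not ArubaOS code: it parses a control-plane-security block written in the CLI form shown above and reports, for a given AP IP address, whether the controller would hand out a certificate automatically or wait for a manual campus AP whitelist entry. The decision order (feature enabled, then auto-cert-prov, then auto-cert-allow-all, then the allowed address ranges) is an assumption taken from the parameter descriptions in Table 12, and the sample configuration and IP ranges are constructed for the example.

```python
"""Added example: model which APs receive an auto-provisioned certificate
under a given control-plane-security configuration (assumption-based, not
controller code)."""
import ipaddress

BOOL_KEYS = ("cpsec-enable", "auto-cert-prov", "auto-cert-allow-all")


def parse_cpsec_config(text):
    """Parse the lines of a 'control-plane-security' block as typed in config mode.

    'no <keyword>' clears a boolean or removes an address range. The feature is
    on by default (Table 12), so cpsec-enable starts True unless negated.
    """
    cfg = {"cpsec-enable": True, "auto-cert-prov": False,
           "auto-cert-allow-all": False, "auto-cert-allowed-addrs": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("("):            # drop a '(host)(config) #' prompt
            line = line.split("#", 1)[-1].strip()
        tokens = line.split()
        if not tokens or tokens[0].lower() == "control-plane-security":
            continue
        negate = tokens[0].lower() == "no"
        if negate:
            tokens = tokens[1:]
        key = tokens[0].lower() if tokens else ""
        if key in BOOL_KEYS:
            cfg[key] = not negate
        elif key == "auto-cert-allowed-addrs" and len(tokens) == 3:
            start, end = (ipaddress.IPv4Address(t) for t in tokens[1:3])
            if end < start:
                raise ValueError(f"inverted range in: {line}")
            rng = (start, end)
            if negate:
                cfg[key] = [r for r in cfg[key] if r != rng]
            else:
                cfg[key].append(rng)
        else:
            raise ValueError(f"unrecognised line: {line}")
    return cfg


def provisioning_decision(cfg, ap_ip):
    """Return 'cpsec-disabled', 'auto-cert' or 'manual-whitelist' for one AP."""
    ip = ipaddress.IPv4Address(ap_ip)
    if not cfg["cpsec-enable"]:
        return "cpsec-disabled"          # AP-to-controller traffic is not IPsec-protected
    if not cfg["auto-cert-prov"]:
        return "manual-whitelist"        # admin must add the AP MAC to the whitelist
    if cfg["auto-cert-allow-all"]:
        return "auto-cert"               # every associated campus AP is trusted
    if any(start <= ip <= end for start, end in cfg["auto-cert-allowed-addrs"]):
        return "auto-cert"
    return "manual-whitelist"


# Constructed sample configuration (ranges are invented for the example).
SAMPLE_CONFIG = """\
(host)(config) # control-plane-security
  auto-cert-prov
  no auto-cert-allow-all
  auto-cert-allowed-addrs 10.21.18.10 10.21.18.250
  auto-cert-allowed-addrs 10.21.20.1 10.21.20.50
"""

if __name__ == "__main__":
    cfg = parse_cpsec_config(SAMPLE_CONFIG)
    for ap in ("10.21.18.100", "10.21.19.5", "10.21.20.50"):
        print(ap, provisioning_decision(cfg, ap))
```

Run it against the output of `show running-config` restricted to the control-plane-security block to see which of your AP subnets would be auto-certified; an AP outside every range stays in an unapproved state until it is whitelisted by hand.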
Figure 5 Control Plane Security Settings 4. Click Entries in the upper right corner of the whitelist status window. 5. Click New. 6. Define the following parameters for each AP you want to add to the whitelist. Table 13: AP Whitelist Parameters Parameter Description Campus AP whitelist configuration parameters AP MAC Address MAC address of a campus AP that supports secure communications to and from its controller. Description (Optional) A brief description of the campus AP.
Viewing Whitelist Status The WebUI can display either a table of entries in the selected whitelist, or a general status summary for that whitelist. The whitelist status pages show the current status of each entry in the whitelist, and, for controllers in a master/local controller topology, information about whitelist synchronization between controllers. This information is updated automatically as the status of each entry changes.
Table 15: Additional Campus AP Status Information
Parameter | Description
Cert Type | The type of certificate used by the AP.
- switch-cert: The AP is using a certificate signed by the controller.
- factory-cert: The AP is using a factory-installed certificate.
State | The Campus AP Whitelist reports one of the following states for each campus AP:
- unapproved-no-cert: The AP has no certificate and is not approved.
- unapproved-factory-cert: The AP has a preinstalled certificate that was not approved.
Table 16: View the Campus AP Whitelist via the CLI Command Description show whitelist-db cpsec [mac-address ] Shows detailed information for each AP in the whitelist, including the AP’s MAC address, approved state, certificate type, and description. Include the optional mac-address parameter to view data for a single entry.
state approved-ready-for-cert|certified-factory-cert Revoking an AP via the Campus AP Whitelist You can revoke an invalid or rogue AP either by opening the modify menu and modifying the AP’s revoke status (as described in the section above), or by selecting the AP in the campus whitelist and revoking its secure status directly, without modifying any other parameters or entering a description of why that AP was revoked.
creating a potential security risk. For additional information on adding a new local controller using control plane security to your network, see Replacing a Local Controller on page 123 To purge a controller’s campus AP whitelist via the WebUI: 1. Access the master controller WebUI, and navigate to Configuration > AP Installation. 2. Click the Campus AP Whitelist tab. 3. Click Purge.
1. Make sure that a CPPM server is configured on the controller. 2. Navigate to Configuration > All Profile Management > Wireless LAN > VPN Authentication > default-iap > Server Group. 3. Select the CPPM server from the Server Group drop-down list. 4. Click Apply. In the CLI Configure a RADIUS server with the CPPM server as its host address. In this example cppm-rad is the CPPM server name and cppm-sg is the server group name.
Figure 6 Local Controller Whitelist on a Master Controller If your deployment includes both master and local controllers, then the campus AP whitelist on every controller contains an entry for every secure AP on the network, regardless of the controller to which it is connected. The master controller also maintains a whitelist of local controllers using control plane security.
The master and local controller tables each include the following information: Table 18: Master and Local Controller Whitelist Information Data Column Description MAC-Address On a local controller whitelist: MAC address of the master controller. On a master controller whitelist: MAC address of a local controller. IP-Address On a local controller whitelist: IP address of the master controller. On a master controller whitelist: IP address of a local controller.
To delete an entry from the Master Controller Whitelist: In the Master Switch List For AP Whitelist Sync section, click Delete by each controller entry you want to remove. 4. Click Apply.
Configuring Networks with Clusters of Master Controllers If your network includes multiple master controllers each with their own hierarchy of APs and local controllers, you can allow APs from one hierarchy to failover to any other hierarchy by defining a cluster of master controllers. Each cluster has one master controller as its cluster root, and all other master controllers as cluster members.
8. Click Apply.
- If you are viewing the WebUI of a cluster root, this field displays the IP address of the VLAN on the cluster member used to connect to the cluster root.
- If you are viewing the WebUI of a cluster member, this field displays the IP address of the VLAN on the cluster root used to connect to the cluster member.
To view your current cluster configuration via the command-line interface, issue the CLI commands described in Table 19.
This step is very important; unused local controller entries in the local controller whitelist can significantly increase network traffic and reduce controller memory resources.
When you install a new backup master controller, you must add it as a lower priority controller than the existing primary controller. After you install the backup controller on the network, synchronize the database from the existing primary controller to the new backup controller to ensure that all certificates, keys, and whitelist entries required for control plane security are added to the new backup controller configuration.
8. If the new cluster member has any local controllers, reboot the local controllers associated with the new cluster member. The local controllers obtain a new certificate signed by the cluster member, and then pass that trust update to their associated APs. Replacing a Redundant Cluster Member Controller The control plane security feature requires you to synchronize databases from the primary controller to the backup controller at least once after the network is up and running.
When you install a new backup cluster root, you must add it as a lower priority controller than the existing primary controller. After you install the backup cluster root on the network, resynchronize the database from the existing primary controller to the new backup controller to ensure that all certificates, keys, and whitelist entries required for control plane security are added to the new backup controller configuration.
Troubleshooting Control Plane Security Identifying Certificate Problems If an AP has a problem with its certificate, check the state of the AP in the campus AP whitelist. If the AP is in either the certified-hold-factory-cert or certified-hold-switch-cert states, you may need to manually change the status of that AP before it can be certified.
Verifying Whitelist Synchronization To verify that a network of master and local controllers are correctly sharing their campus AP whitelists, check the sequence numbers on the master and local controller whitelists. l The sequence number value on a master controller should be the same as the remote sequence number on the local controller. l The sequence number value on a local controller should be the same as the remote sequence number on the master controller.
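The two troubleshooting checks above, as an added example that is not part of the guide or of ArubaOS: the first function parses a campus AP whitelist listing and flags entries that are in a hold state (which need a manual state change before the AP can be certified), still unapproved, or disabled/revoked; the second applies the sequence-number rule for master/local synchronization. The table layout of the sample listing is constructed for the example and is simpler than the real `show whitelist-db cpsec` output, so adjust the column handling to match your controller; the MAC addresses and descriptions are invented.

```python
"""Added example: audit campus AP whitelist states and check master/local
whitelist synchronization (constructed input, not controller code)."""
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
HOLD_STATES = {"certified-hold-factory-cert", "certified-hold-switch-cert"}
UNAPPROVED_STATES = {"unapproved-no-cert", "unapproved-factory-cert"}


def parse_whitelist(text):
    """Return a list of entry dicts from a whitelist listing.

    Assumed columns: MAC-Address, Enable, State, Cert-Type, Description
    (description optional). Header and separator lines are skipped because
    their first token is not a MAC address.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4 or not MAC_RE.match(parts[0]):
            continue
        entries.append({
            "mac": parts[0].lower(),
            "enable": parts[1].lower(),
            "state": parts[2].lower(),
            "cert_type": parts[3].lower(),
            "description": parts[4].strip() if len(parts) == 5 else "",
        })
    return entries


def audit_whitelist(entries):
    """Return (mac, reason) pairs for entries that need operator attention."""
    findings = []
    for e in entries:
        if e["state"] in HOLD_STATES:
            findings.append((e["mac"], "hold state: change the AP state manually before it can be certified"))
        elif e["state"] in UNAPPROVED_STATES:
            findings.append((e["mac"], "unapproved: confirm this AP is expected before approving it"))
        elif e["enable"] != "enabled":
            findings.append((e["mac"], "entry disabled or revoked: AP cannot form an IPsec tunnel"))
    return findings


def whitelist_in_sync(master, local):
    """Apply the rule from the text: each side's sequence number must equal
    the other side's remote sequence number. Both arguments are dicts with
    'sequence' and 'remote_sequence' keys."""
    return (master["sequence"] == local["remote_sequence"]
            and local["sequence"] == master["remote_sequence"])


# Constructed sample listing (layout and values invented for the example).
SAMPLE_WHITELIST = """\
Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        Enable    State                        Cert-Type     Description
-----------        ------    -----                        ---------     -----------
00:0b:86:c3:58:10  Enabled   certified-switch-cert        switch-cert   lobby-ap
00:0b:86:c3:58:11  Enabled   certified-hold-factory-cert  factory-cert  rooftop-ap
00:0b:86:c3:58:12  Enabled   unapproved-factory-cert      factory-cert  new-ap
00:0b:86:c3:58:13  Disabled  certified-switch-cert        switch-cert   revoked-ap
"""

if __name__ == "__main__":
    for mac, reason in audit_whitelist(parse_whitelist(SAMPLE_WHITELIST)):
        print(mac, reason)
    print("in sync:", whitelist_in_sync({"sequence": 42, "remote_sequence": 17},
                                        {"sequence": 17, "remote_sequence": 42}))
```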
Chapter 3 Software Licenses ArubaOS base features include sophisticated authentication and encryption, protection against rogue wireless APs, seamless mobility with fast roaming, the origination and termination of IPsec/L2TP/PPTP tunnels between controllers, clients, and other VPN gateways, adaptive RF management and analysis tools, centralized configuration, and location tracking. Optional add-on licenses provide advanced features such as Wireless Intrusion Protection and Policy Enforcement Firewall.
Working with Licenses Each license refers to specific functionality (or module) that supports unique features. The licenses are:
- Base OS: base operating functions including VPN and VIA clients.
- AP Capacity: capacity license for RAP indoor and outdoor Mesh APs. Campus, Remote, or Mesh APs can terminate on the controller without the need for a separate license.
- Advanced Cryptography (ACR): this is required for the Suite B Cryptography in IPsec and 802.11 modes.
Figure 9 Alert Flag At the end of the 90-day period, you must apply for a permanent license to re-enable the features permanently on the controller. Evaluation software license keys are only available in electronic form and are emailed to you. When an evaluation period expires:
- The controller automatically backs up the startup configuration and reboots itself at midnight (according to the system clock).
- All permanent licenses are unaffected.
- Replacing a Controller
- Failover Behaviors
- Configuring Centralized Licensing
Primary and Backup Licensing Servers Centralized licensing allows the primary and backup licensing server controllers to share a single set of licenses. If you do not enable this feature, the master and backup master controller each require separate, identical license sets.
Client controllers do not share information about built-in licenses to the licensing server. A controller using the centralized licensing feature will use its built-in licenses before it consumes available licenses from the license pool. As a result, when a client controller sends the licensing server information about the licenses that a client is using, it only reports licenses taken from the licensing pool, and disregards any built-in licenses used.
Figure 12 License Pool Reflecting Used licenses Supported Topologies The following table describes the controller topologies supported by this feature.
Table 21: Centralized Licensing Topologies
Topology | Example
All controllers are master controllers. | The master and standby licensing servers must be defined.
A single master controller is connected to one or more local controllers. | Only the master controller can be a license server. A local controller can only be a license client, not a license server.
A master and standby master are connected to one or more local controllers. |
Figure 13 Topologies Not Supported by Centralized Licensing Adding and Deleting Licenses New licenses can be added to any controller managed by a centralized licensing system, although best practices recommend adding them to the primary licensing server for easier management and tracking of licenses across a wide network. Licenses can only be deleted from the controller on which the license is installed.
Although a client controller retains its licensing information for 30 days after it loses contact with the licensing server, if the client reboots at any time during this 30-day window, the window restarts, and the client retains its information for another 30 days. APs that use centralized licensing in conjunction with an ArubaOS high availability feature behave differently than APs that do not use a high availability solution.
to-site VPN tunnels between the licensing server and client controllers. This step is not required, but if you do not create secure tunnels between the controllers, the controllers will exchange clear, unencrypted licensing information. This step is not required for a master-local topology. Preconfiguration Setup in a Master/Local Topology The master controller in a master-local topology is the primary licensing server by default.
have a redundant master controller but you want to define a backup server for the licensing feature, issue the following commands on the licensing server:
  (host)(License provisioning profile) #License server-redundancy
  (host)(License provisioning profile) #License-vrrp
  (host)(License provisioning profile) #Peer-ip-address
If you are deploying centralized licensing on a cluster of master controllers, access the command-line interface of a licensing client controller, and issue the following comm
Column Description Used Licenses Total number of licenses of each license type used by the licensing client controller. Contributed Licenses Total number of licenses of each license type contributed by the licensing client controller. Remaining Licenses Total number of remaining licensing available on this controller. This number is also limited by the total license capacity of the controller platform.
Table 25: Aggregate License Table Data Column Description Hostname Name of the licensing client controller. IP Address IP address of the licensing client controller. AP Total number of AP licenses sent from licensing clients associated with this controller. PEF Total number of Policy Enforcement Firewall (PEF) licenses sent from licensing clients associated with this controller. RF Protect Total number of RFProtect licenses sent from licensing clients associated with this controller.
Table 27: Usage per License
License | Basis | What Consumes One License
PEFNG | AP | One operational AP
xSec | Session | One active client termination
RFprotect | AP | One operational AP
AP | AP | One operational LAN-connected or mesh AP that is advertising at least one BSSID (virtual-AP) or RAP
ACR | Session | One active client termination
The controller licenses are variable-capacity (see Table 28). In Table 28, the Remote AP count is equal to the total AP count for all the controllers.
- If a Mesh node is also configured for client service (for example, it advertises a BSSID), it consumes one AP license.
- Remote APs consume licenses the same as campus APs.
- ACR Interaction
  - On a platform that supports 2048 IPsec tunnels, the maximum number of Suite B IPsec tunnels supported is 2048, even if a larger capacity license is installed.
  - The ACR license is cumulative. If you want to support 2048 Suite B connections, install two ACR licenses (LIC-ACR-1024).
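An added example (not from the guide or from ArubaOS) that turns the rules in Table 27 and the notes above into a sizing calculation: it counts AP, PEFNG and RFprotect licenses from an AP inventory, caps Suite B sessions at the platform's IPsec tunnel limit, and works out how many cumulative LIC-ACR-1024 licenses that requires. The inventory, the platform tunnel limit and the treatment of a mesh node with no BSSID as not consuming an AP license are assumptions made for the example; the guide states only that a mesh node that does advertise a BSSID consumes one.

```python
"""Added example: license consumption from an AP inventory (assumptions
noted inline; not ArubaOS code)."""
import math

ACR_LICENSE_SIZE = 1024          # LIC-ACR-1024, as named in the text
PLATFORM_IPSEC_TUNNELS = 2048    # assumed platform limit, the figure used in the text


def consumes_ap_license(ap):
    """Table 27: one AP license per operational RAP, or per operational
    LAN-connected or mesh AP advertising at least one BSSID."""
    if not ap["up"]:
        return False
    return ap["kind"] == "remote" or ap["bssids"] > 0


def license_demand(aps, suite_b_sessions, platform_ipsec_tunnels=PLATFORM_IPSEC_TUNNELS):
    """Return the licenses needed for the given inventory.

    aps: list of {"name": str, "kind": "campus"|"remote"|"mesh", "up": bool, "bssids": int}
    suite_b_sessions: number of Suite B client terminations you want to support
    """
    operational = [ap for ap in aps if ap["up"]]
    # Assumption: PEFNG and RFprotect count every operational AP, including
    # a mesh node that only provides backhaul.
    ap_licenses = sum(1 for ap in operational if consumes_ap_license(ap))
    pefng = rfprotect = len(operational)
    # ACR: sessions beyond the platform tunnel limit cannot be served, no
    # matter how much ACR capacity is installed.
    acr_sessions = min(suite_b_sessions, platform_ipsec_tunnels)
    acr_licenses = math.ceil(acr_sessions / ACR_LICENSE_SIZE)
    return {
        "AP": ap_licenses,
        "PEFNG": pefng,
        "RFprotect": rfprotect,
        "ACR-sessions": acr_sessions,
        "LIC-ACR-1024": acr_licenses,
        "sessions-beyond-platform-limit": max(0, suite_b_sessions - platform_ipsec_tunnels),
    }


# Constructed inventory for the example.
SAMPLE_APS = [
    {"name": "campus-1", "kind": "campus", "up": True, "bssids": 2},
    {"name": "campus-2", "kind": "campus", "up": True, "bssids": 1},
    {"name": "campus-3", "kind": "campus", "up": True, "bssids": 3},
    {"name": "campus-4", "kind": "campus", "up": False, "bssids": 1},   # down: no license
    {"name": "mesh-point", "kind": "mesh", "up": True, "bssids": 0},   # backhaul only
    {"name": "mesh-portal", "kind": "mesh", "up": True, "bssids": 1},  # also serves clients
    {"name": "rap-home", "kind": "remote", "up": True, "bssids": 0},   # RAP always counts
]

if __name__ == "__main__":
    for sessions in (100, 2048, 3000):
        print(sessions, license_demand(SAMPLE_APS, sessions))
```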
Enabling a new license on your controller The basic steps to installing and enabling a new license feature are listed below along with a reference to a section in this document with more detailed information. 1. Obtain a valid Dell software license from your sales account manager or authorized reseller (see Requesting a Software License in Email on page 145). 2. Locate the system serial number of your controller (see Locating the System Serial Number on page 145). 3.
- Transfer a certificate: Transfer a software license certificate ID from one controller to another (for example, transferring licenses to a spare system).
- Import preloaded certificates: For controllers on which licenses are pre-installed at the factory, transfer all software license certificate IDs used on the sales order to this user account.
- List your certificates: View all currently available and active software license certificates for your account.
Moving Licenses It may be necessary to move licenses from one controller to another or to delete a license for future use. To move licenses, delete the license from the chassis as described in Deleting a License on page 146. Then install the license key on the new controller as described in Applying the Software License Key in the WebUI on page 146.
Chapter 4 Network Configuration Parameters The following topics in this chapter describe some basic network configuration on the controller:
- Configuring VLANs on page 148
- Configuring Ports on page 155
- Understanding VLAN Assignments on page 157
- Configuring Static Routes on page 165
- Configuring the Loopback IP Address on page 165
- Configuring the Controller IP Address on page 166
- Configuring GRE Tunnels on page 167
- Jumbo Frame Support on page 171
Configuring VLANs The controlle
6. If you selected Port in step 4, select the ports you want to associate with the VLAN from the Port Selection window. or If you selected Port-Channel in step 4, click the Port-Channel ID drop-down list, select the specific channel number you want to associate with the VLAN, then select the ports from the Port Selection window. 7. Click Apply.
The Even VLAN pool assignment type is only supported in tunnel and dtunnel modes. It is not supported in split or bridge modes. It is not allowed for VLAN pools that are configured directly under a virtual AP (VAP). It must only be used under named VLANs. L2 Mobility is not compatible with the existing implementation of the Even VLAN pool assignment type. 6. Check the Pool check box if you want the VLAN to be part of a pool. 7. In the List of VLAN IDs field, enter the VLAN IDs you want to add to this pool.
If a VLAN pool is given an Even assignment and is assigned to user roles, user rules, VSA, or server derivation rules, then while applying VLAN derivation for the client “on run time,” the Even assignment is ignored and the Hash assignment is applied with a message displaying this change. L2 Mobility is not compatible with the existing implementation of the Even VLAN pool assignment type. Updating a VLAN Pool 1. On the VLAN Pool window, click Modify next to the VLAN name you want to edit. 2.
(host)(config) #
To confirm the VLAN pool status and mapping assignments, use the show vlan mapping command:
  (host)(config) #show vlan mapping
  Vlan Mapping Table
  ------------------
  VLAN Name     Pool Status  Assignment Type  VLAN IDs
  ---------     -----------  ---------------  --------
  mygroup       Enabled      Hash             62,94
  newpoolgroup  Enabled      Even             62,1511
  vlannametest  Enabled      Even
Role Derivation for Named VLAN Pools You can configure Named VLANs under user rule, server derivation, user derivation, and VSA in this release.
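An added example, not part of the guide and not ArubaOS code, that models the pool behaviour described above: Hash assignment picks a VLAN deterministically from the client MAC, Even assignment picks the least-loaded VLAN, an Even pool is rejected outside tunnel/dtunnel forwarding modes or when configured directly under a virtual AP, and when an Even pool is applied through a user role, user rule, VSA or server derivation rule at run time the assignment falls back to Hash with a notice. The CRC32-based hash is an illustrative stand-in; the page does not document the controller's actual hash function. Pool names and client counts are constructed.

```python
"""Added example: Hash vs Even VLAN pool assignment with the run-time
fallback described in the text (illustrative hash; not controller code)."""
import zlib

TUNNEL_MODES = {"tunnel", "dtunnel"}


def hash_assign(mac, vlan_ids):
    """Stable VLAN choice from the client MAC. ArubaOS's real hash is not
    given on the page; CRC32 mod pool size is an illustrative substitute."""
    ids = sorted(vlan_ids)
    return ids[zlib.crc32(mac.lower().encode()) % len(ids)]


def even_assign(vlan_ids, client_counts):
    """Least-loaded VLAN in the pool; ties go to the lowest VLAN ID."""
    return min(vlan_ids, key=lambda v: (client_counts.get(v, 0), v))


def validate_pool(pool, forwarding_mode, under_vap):
    """Enforce the Even-pool restrictions stated in the text."""
    if pool["assignment"] != "even":
        return
    if forwarding_mode not in TUNNEL_MODES:
        raise ValueError(f"Even assignment needs tunnel or dtunnel mode, not {forwarding_mode}")
    if under_vap:
        raise ValueError("Even assignment must be used under a named VLAN, not directly under a VAP")


def assign_vlan(pool, mac, client_counts, derived_at_runtime=False):
    """Return (vlan_id, note). derived_at_runtime is True when the pool was
    selected by a role, user rule, VSA or server derivation rule."""
    if pool["assignment"] == "even" and derived_at_runtime:
        return (hash_assign(mac, pool["vlan_ids"]),
                f"pool {pool['name']}: Even assignment ignored for run-time derivation, Hash applied")
    if pool["assignment"] == "even":
        return even_assign(pool["vlan_ids"], client_counts), "even"
    return hash_assign(mac, pool["vlan_ids"]), "hash"


# Constructed pools and load figures for the example.
POOL_HASH = {"name": "mygroup", "assignment": "hash", "vlan_ids": [62, 94]}
POOL_EVEN = {"name": "newpoolgroup", "assignment": "even", "vlan_ids": [62, 1511]}
CLIENT_COUNTS = {62: 10, 1511: 3}

if __name__ == "__main__":
    mac = "00:1a:1e:aa:bb:cc"
    print(assign_vlan(POOL_HASH, mac, CLIENT_COUNTS))
    print(assign_vlan(POOL_EVEN, mac, CLIENT_COUNTS))
    print(assign_vlan(POOL_EVEN, mac, CLIENT_COUNTS, derived_at_runtime=True))
```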
To apply a named VLAN pool in a server derivation (server group), navigate to the WebUI page: Security > Authentication > Servers > Server Group > Server Rules Creating a Named VLAN not in a Pool The following configuration assigns the name myvlan to the VLAN ID 94: In the WebUI 1. Navigate to Configuration > Network > VLANs. 2. Select the VLAN Pool tab to open the VLAN Pool window. 3. Click Add. 4. In the VLAN Name field, enter a name that identifies this VLAN. 5.
(host)(config) #ap wired-ap-profile default switchport trunk allowed vlan myallowedvlan Adding a Bandwidth Contract to the VLAN Bandwidth contracts on a VLAN can limit broadcast and multicast traffic. ArubaOS includes an internal exception list to allow broadcast and multicast traffic using the VRRP, LACP, OSPF, PVST, and STP protocols.
Internet address is 10.17.22.1 255.255.255.0
Routing interface is enable, Forwarding mode is enable
Directed broadcast is disabled, BCMC Optimization enable
Encapsulation 802, loopback not set
MTU 1500 bytes
Last clearing of "show interface" counters 12 day 1 hr 4 min 12 sec
link status last changed 12 day 1 hr 2 min 21 sec
Proxy Arp is disabled for the Interface
Using the WebUI
1. Navigate to Configuration > Network > IP.
2.
VLAN have to be configured as trusted for traffic to be considered as trusted. If the traffic is classified as untrusted, then traffic must pass through the selected session access control list and firewall policies.
Configuring Trusted and Untrusted Ports and VLANs in Trunk Mode The following procedures configure a range of Ethernet ports as untrusted native trunk ports, assign VLANs and classify them as untrusted, and designate a policy through which VLAN traffic on the ports must pass. In the WebUI 1. Navigate to the Configuration > Network > Ports window. 2. In the Port Selection section, click the port you want to configure. 3. For Port Mode select Trunk. 4.
2. Before client authentication, the VLAN can be derived from rules based on client attributes (SSID, BSSID, client MAC, location, and encryption type). A rule that derives a specific VLAN takes precedence over a rule that derives a user role that may have a VLAN configured for it. 3. After client authentication, the VLAN can be configured for a default role for an authentication method, such as 802.1x or VPN. 4.
Use the following command to display user VLAN derivation related debug information: (host) #show aaa debug vlan user [ip | ipv6 | mac] How a VLAN Obtains an IP Address A VLAN on the controller obtains its IP address in one of the following ways: l You can manually configure it. This is the default method and is described in Assigning a Static Address to a VLAN on page 159. At least one VLAN on the controller must be assigned a static IP address.
l You can enable the DHCP/PPPoE client multiple uplink VLAN interfaces (up to four) on the controller; these VLANs cannot be VLAN 1. l Only one port in the VLAN can be connected to the modem or uplink switch. l At least one interface in the VLAN must be in the up state before the DHCP/PPPoE client requests an IP address from the server. Enabling the DHCP Client The DHCP server assigns an IP address for a specified amount of time called a lease.
Enabling the PPPoE Client To authenticate the BRAS and request a dynamic IP address, the controller must have the following configured: l PPPoE user name and password to connect to the DSL network l PPPoE service name: either an ISP name or a class of service configured on the PPPoE server When you shut down the VLAN, the PPPoE session terminates. In the WebUI 1. Navigate to the Configuration > Network > IP > IP Interfaces page. 2. Click Edit for a previously-created VLAN. 3.
2. Select Enable DHCP Server. 3. Under Pool Configuration, select Add. 4. For Pool Name, enter employee-pool. 5. For Default Router, enter 10.1.1.254. 6. For DNS Servers, select Import from DHCP/PPPoE. 7. For WINS Servers, select Import from DHCP/PPPoE. 8. For Network, enter 10.1.1.0 for IP Address and 255.255.255.0 for Netmask. 9. Click Done.
In the CLI
Use the following commands:
(host)(config) #ip dhcp pool employee-pool
  default-router 10.1.1.
Configuring Source NAT for VLAN Interfaces The example configuration in the previous section illustrates how to configure source NAT using a policy that is applied to a user role. You can also enable source NAT for a VLAN interface to perform NAT on the source address for all traffic that exits the VLAN.
(host)(config) #interface vlan 1
(host)(config-subif)#ip address 66.1.131.5 255.255.255.0
(host)(config) #interface vlan 6
(host)(config-subif)#ip address 192.168.2.1 255.255.255.0
(host)(config-subif)#ip nat inside
(host)(config) #ip default-gateway 66.1.131.1
Inter-VLAN Routing
On the controller, you can map a VLAN to a layer-3 subnetwork by assigning a static IP address and a netmask, or by configuring a DHCP or PPPoE server to provide a dynamic IP address and netmask to the VLAN interface.
interface vlan
  ip address { |dhcp-client|pppoe}
  no ip routing
Configuring Static Routes
To configure a static route (such as a default route) on the controller, do the following:
In the WebUI
1. Navigate to the Configuration > Network > IP > IP Routes page. 2. Click Add to add a static route to a destination network or host. Enter the destination IP address and network mask (255.255.255.255 for a host route) and the next hop IP address. 3. Click Done to add the entry.
7. The controller boots up with the changed loopback IP address. In the CLI Use the following commands: (host)(config) #interface loopback ip address
(host)(config) #write memory
Enter the following command in Enable mode to reboot the controller:
(host) #reload
Configuring the Controller IP Address
The Controller IP address is used by the controller to communicate with external devices such as APs. IP addresses used by the controller are not limited to the controller IP address.
8. The controller boots up with the changed controller IP address.
of the selected VLAN ID.
Using the CLI
(host)(config) #controller-ip [loopback|vlan ]
Configuring GRE Tunnels
A controller supports generic routing encapsulation (GRE) tunnels between the controller and APs. An AP opens a GRE tunnel to the controller for each radio interface.
- IP address and netmask for the tunnel.
- Tunnel source: the local endpoint for the tunnel on the controller. This can be one of the following:
  - Loopback address of the controller
  - A specified IP address
  - A specified VLAN
  - Controller-IP
- Tunnel destination: the IP address of the remote endpoint of the tunnel on the other GRE device.
Directing Traffic into the Tunnel You can direct traffic into the tunnel by configuring one of the following: l Static route, which redirects traffic to the IP address of the tunnel. When redirecting traffic through an L3 GRE tunnel, use the controller's tunnel IP address as the next hop instead of the destination IP address.
5. Click Apply.
In the CLI
Use the following commands:
(host)(config) #interface tunnel id
  tunnel keepalive [ ]
Configuring GRE Tunnel Group
ArubaOS provides redundancy for L3 generic routing encapsulation (GRE) tunnels. This feature enables automatic redirection of user traffic to a standby tunnel when the primary tunnel goes down. To enable this functionality, you must:
- configure a tunnel-group to group a set of tunnels.
Execute the following command to enable pre-emption:
(host)(config-tunnel-group)#preemptive-failover
Following is a sample configuration:
(host)(config) #tunnel-group tgroup1
(host)(config-tunnel-group)#tunnel 10
(host)(config-tunnel-group)#tunnel 20
(host)(config-tunnel-group)#preemptive-failover
Execute the following command to view the operational status of a tunnel-group and its members:
(host)(config-tunnel-group)#show tunnel-group tgroup1
Tunnel-Group Table Entries
--------------------------
Tunnel
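The behaviour behind the tunnel-group and preemptive-failover commands is a small state machine, and it is worth seeing where the two configurations diverge. The following is an added example, not ArubaOS code: it models a tunnel-group fed by keepalive results. Two assumptions are made for the example and are not stated on the page: the first tunnel listed in the group is the preferred one, and a tunnel is declared down after a fixed number of consecutive missed keepalive replies.

```python
"""Added example (not ArubaOS code): failover inside an L3 GRE tunnel-group.

Traffic follows one active tunnel, moves to a standby when keepalives stop,
and returns to the preferred tunnel only if preemptive-failover is set.
Assumed for this example: members are listed in preference order and a
tunnel goes down after `retries` consecutive missed keepalive replies.
"""
from collections import Counter


class TunnelGroup:
    def __init__(self, name, members, preemptive_failover=False, retries=3):
        if not members:
            raise ValueError("a tunnel-group needs at least one tunnel")
        self.name = name
        self.members = list(members)          # preference order, e.g. [10, 20]
        self.preemptive = preemptive_failover
        self.retries = retries
        self.up = {t: True for t in self.members}
        self.missed = Counter()
        self.active = self.members[0]
        self.events = []

    def keepalive(self, tunnel, reply_received):
        """Feed one keepalive result for `tunnel`; return the active tunnel."""
        if tunnel not in self.up:
            raise KeyError(f"tunnel {tunnel} is not a member of {self.name}")
        if reply_received:
            self.missed[tunnel] = 0
            self.up[tunnel] = True
        else:
            self.missed[tunnel] += 1
            if self.missed[tunnel] >= self.retries:
                self.up[tunnel] = False
        self._reselect()
        return self.active

    def _reselect(self):
        candidates = [t for t in self.members if self.up[t]]
        if not candidates:
            new = None                       # every tunnel down: traffic is black-holed
        elif self.active is not None and self.up[self.active] and not self.preemptive:
            new = self.active                # no preemption: stay on the working tunnel
        else:
            new = candidates[0]              # failover, or preempt back to the best tunnel
        if new != self.active:
            self.events.append(f"{self.name}: active tunnel {self.active} -> {new}")
            self.active = new

    def status(self):
        """Per-member view in the spirit of 'show tunnel-group'."""
        return {t: ("UP" if self.up[t] else "DOWN") + (" *active" if t == self.active else "")
                for t in self.members}


if __name__ == "__main__":
    grp = TunnelGroup("tgroup1", [10, 20], preemptive_failover=True)
    for _ in range(3):                        # constructed keepalive failures on tunnel 10
        grp.keepalive(10, False)
    grp.keepalive(10, True)
    print(grp.events, grp.status())
```

Without preemption a flapping primary causes one switch; with preemption it causes one switch per flap, so pair preemptive-failover with a keepalive interval long enough that a brief loss does not bounce user sessions twice.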
l Wi-Fi tunnel: A Wi-Fi tunnel can support an AMSDU jumbo frame for an AP (the maximum MTU supported is 9216 bytes). Limitations for Jumbo Frame Support This release of ArubaOS does not support jumbo frames for the following scenarios: l IPsec, IPIP, and xSec. l IPv6 fragmentation/reassembly. Configuring Jumbo Frame Support You can use the WebUI or CLI to configure the jumbo frame support. Using the WebUI To enable jumbo frame support globally: 1.
Viewing the Jumbo Frame Support Status
Execute the following command to view the global status of the jumbo frame support:
(host)#show firewall
Global firewall policies
------------------------
Policy
------
Enforce TCP handshake before allowing data
Prohibit RST replay attack
Deny all IP fragments
Prohibit IP Spoofing
Monitor ping attack
Monitor TCP SYN attack
Monitor IP sessions attack
Deny inter user bridging
Log all received ICMP errors
Per-packet logging
Blacklist Grat ARP attack client
Session mirror dest
Example:
(host)# show interface gigabitethernet 0/0/0
GE 0/0/0 is up, line protocol is up
Hardware is Gigabit Ethernet, address is 00:1A:1E:00:0D:09 (bia 00:1A:1E:00:0D:09)
Description: GE0/0/0 (RJ45 Connector)
Encapsulation ARPA, loopback not set
Configured: Duplex ( AUTO ), speed ( AUTO )
Negotiated: Duplex (Full), speed (1000 Mbps)
Jumbo Support is enabled on this interface
MTU 9216
Last clearing of "show interface" counters 1 day 20 hr 32 min 38 sec
link status last changed 1 day 19 hr 37 min 57 sec
Chapter 5 IPv6 Support This chapter describes ArubaOS support for IPv6 features: l Understanding IPv6 Notation on page 175 l Understanding IPv6 Topology on page 175 l Enabling IPv6 on page 176 l Enabling IPv6 Support for Controller and APs on page 176 l Filtering an IPv6 Extension Header (EH) on page 184 l Configuring a Captive Portal over IPv6 on page 184 l Working with IPv6 Router Advertisements (RAs) on page 184 l RADIUS Over IPv6 on page 188 l TACACS Over IPv6 on page 189 l DHCPv6 Se
default gateway in most deployments. However, the controller can be the default gateway by using static routes. The master-local communication always occurs in IPv4. The following image illustrates how IPv6 clients, APs, and controllers communicate with each other in an IPv6 network: Figure 21 IPv6 Topology l The IPv6 controller (MC2) terminates both V4 AP (IPv4 AP) and V6 AP (IPv6 AP). l Client 1 (IPv4 client) terminates to V6 AP and Client 2 (IPv6 client) terminates to V4 AP.
terminate on the IPv6 controller. You can provision an IPv6 AP in the network only if the controller interface is configured with an IPv6 address. An IPv6 AP can serve both IPv4 and IPv6 clients. You must manually configure an IPv6 address on the controller interface to enable IPv6 support.
Features                                     Supported on IPv6 APs?
AP Type - Mesh Node                          No
IPSEC                                        No
CPSec                                        No
Wired-AP/Secure-Jack                         No
Fragmentation/Reassembly                     Yes
MTU Discovery                                Yes
Provisioning through Static IPv6 Addresses   Yes
Provisioning through IPv6 FQDN Master Name   Yes
Provisioning from WebUI                      Yes
AP boot by Flash                             Yes
AP boot by TFTP                              No
WMM QoS                                      No
AP Debug and Syslog                          Yes
ARM & AM                                     Yes
WIDS                                         Yes (Limited)
CLI support for users & datapath             Yes
Configuring IPv6 Addresses
You can configure IPv6 addresses for the
2. Edit a VLAN # and select IP version as IPv6. 3. Enter the link local address in the Link Local Address field. 4. Click Apply. To Configure Global Unicast Address 1. Navigate to the Configuration > Network > IP page and select the IP Interfaces tab. 2. Edit a VLAN # and select IP version as IPv6. 3. Enter the global unicast address and the prefix-length in the IP Address/Prefix-length field. 4. (Optional) Select the EUI64 Format check box, if applicable. 5.
3. Click Done to apply the configuration. In the CLI To configure a static neighbor on a VLAN interface: (host)(config)#ipv6 neighbor vlan Configuring IPv6 Default Gateway and Static IPv6 Routes You can configure IPv6 default gateway and static IPv6 routes using the WebUI or CLI. In the WebUI To Configure IPv6 Default Gateway 1. Navigate to the Configuration > Network > IP page and select the IP Routes tab. 2. Under the Default Gateway section, click Add. 3.
To enable logging over IPv6: (host)(config)#logging Configuring Multicast Listener Discovery (MLD) You can enable the IPv6 multicast snooping on the controller by using the WebUI or CLI and configure MLD parameters such as query interval, query response interval, robustness variable, and ssm-range. The Source Specific Multicast (SSM) supports delivery of multicast packets that originate only from a specific source address requested by the receiver.
To view the MLD Group information:
(host)(config) #show ipv6 mld group
To modify IPv6 MLD parameters:
(host)(config) #ipv6 mld
(host)(config-mld) #query-interval
Debugging an IPv6 Controller ArubaOS provides the following debug commands for IPv6: l show ipv6 global: displays whether IPv6 is enabled globally l show ipv6 interface: displays the configured IPv6 address, and any duplicate addresses l show ipv6 route / show datapath route ipv6: displays the IPv6 routing information l show ipv6 ra status: displays the Router Advertisement status l show datapath session ipv6: displays the IPv6 sessions created, and the sessions that are allowed l show datap
Ensure that CPSEC is disabled before rebooting the AP. 5. Click Apply and Reboot to bring the IPv6 AP up.
communicate between the nodes attached to the same link. The IPv6 stateless autoconfiguration mechanism allows the host to generate its own addresses using a combination of locally available information and information advertised by the routers. The host sends a router solicitation multicast request for its configuration parameters in the IPv6 network.
You can use the WebUI or CLI to configure the IPv6 RA on a VLAN. Using WebUI 1. Navigate to the Configuration > Network > IP page and select the IP Interfaces tab. 2. Edit a VLAN # and select IP version as IPv6. 3. To configure an IPv6 global unicast address, follow the steps below: a. Under Details, enter the IPv6 address and the prefix-length in the IP Address/Prefix-length field. b. (Optional) Select the EUI64 Format check box, if applicable. c. Click Add to add the address to the global address list.
l RA maximum transmission unit (MTU): the maximum transmission unit that all the nodes on a link use. l RA other configuration flag (Enable DHCP for other information): a flag that indicates that the hosts can use the administered (stateful) protocol for autoconfiguration of other (non-address) information. l RA preference: the preference associated with the default router. You can use the WebUI or CLI to configure these options.
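The "EUI64 Format" option in the address steps above and the prefix carried in the RA combine to produce a client or interface address in a fixed way. The following is an added example, not ArubaOS code: it computes the EUI-64 interface identifier from a MAC, builds the global unicast and link-local addresses, and shows the privacy caveat of the scheme, which is that the MAC can be read straight back out of the address. The MAC and prefix are the page's own values; nothing here talks to a controller.

```python
"""Added example (not ArubaOS code): what the "EUI64 Format" option computes.

RFC 4291 Appendix A: split the 48-bit MAC, insert ff:fe in the middle and
invert the universal/local bit (0x02) of the first octet to get the 64-bit
interface identifier.  The reverse mapping is what makes EUI-64 addresses
trackable across networks.
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                      # flip the U/L bit
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global unicast address = /64 prefix from the RA or config + EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers require a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    return eui64_address("fe80::/64", mac)


def looks_like_eui64(addr: str) -> bool:
    """True if the IID carries the ff:fe marker in octets 3-4."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def mac_from_eui64(addr: str) -> str:
    """Recover the MAC: the privacy caveat of EUI-64 addressing."""
    if not looks_like_eui64(addr):
        raise ValueError("interface identifier is not EUI-64 derived")
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:1A:1E:00:0D:09"            # interface MAC shown in the page's show interface output
    prefix = "2002:d81f:f9f0:1000::/64"  # prefix used in the page's firewall rule example
    addr = eui64_address(prefix, mac)
    print(addr, link_local_address(mac), mac_from_eui64(str(addr)))
```

If a client population must not be trackable by MAC across prefixes, leave the EUI64 option off for client-facing prefixes and rely on random or temporary identifiers on the hosts; the check `looks_like_eui64` is a quick way to spot which addresses in a user table were derived this way.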
To configure neighbor discovery reachable time:
(host)(config) #interface vlan
(host)(config-subif)#ipv6 nd reachable-time
To configure neighbor discovery retransmit time:
(host)(config-subif)#ipv6 nd retransmit-time
To configure IPv6 recursive DNS server:
(host)(config-subif)#ipv6 nd ra dns X:X:X:X::X
To configure RA hop-limit:
(host)(config-subif)#ipv6 nd ra hop-limit
To configure RA interval:
(host)(config-subif)#ipv6 nd ra interval
To configure
To resolve FQDN, you must configure the DNS server name using the ip name-server command.
In the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2. Select TACACS Server to display the Server List. 3. Select the required server from the list to go to the TACACS server page. 4. To configure an IPv6 host for the selected server, specify an IPv6 address in the Host field. 5. Click Apply. DHCPv6 Server The DHCPv6 server enables network administrators to configure stateful/stateless options and manage dynamic IPv6 users connecting to a network.
Platform   Maximum number of DHCP Leases Supported
W-3600     512
W-7005     512
W-7010     1024
W-7030     2048
W-7210     5120
W-7220     10240
W-7240     15360
Configuring DHCPv6 Server
You must enable the global DHCPv6 knob for the DHCPv6 functionality to be operational. You can enable and configure the DHCPv6 server using the WebUI or CLI.
In the WebUI
1. Navigate to the Configuration > Network > IP page and select the DHCP Server tab. 2. Select the IPv6 DHCP Server check box to enable DHCPv6 globally. 3.
a. Specify the option code in Option. b. Select IP or text from the IP/Text drop-down list. c. Enter a value in Value. If you selected IP in step b, then you must enter a valid IPv6 address in this field. d. Click Add. 12.Click Apply.
(host)(config) #show ip dhcp statistics To view the DHCPv6 active pools, use the following command: (host) #show ipv6 dhcp active-pools Understanding ArubaOS Supported Network Configuration for IPv6 Clients ArubaOS provides wired or wireless clients using IPv6 addresses with services such as firewall functionality, layer-2 authentication, and, with the installation of the Policy Enforcement Firewall Next Generation (PEFNG), identity-based security.
Understanding Authentication
This release of ArubaOS only supports 802.1x authentication for IPv6 clients. You cannot configure layer-3 authentications to authenticate IPv6 clients.
Table 32: IPv6 Client Authentication
Authentication Method                 Supported for IPv6 Clients?
802.1x                                Yes
Stateful 802.1x (with non-Dell APs)   Yes
Local database                        Yes
Captive Portal                        Yes
VPN                                   No
xSec                                  No (not tested)
MAC-based                             Yes
You configure 802.
Table 33: IPv6 Firewall Parameters
Parameter                  Description
                           Default: No default
Deny Inter User Bridging   Prevents the forwarding of Layer-2 traffic between wired or wireless users. You can configure user role policies that prevent Layer-3 traffic between users or networks, but this does not block Layer-2 traffic. This option can be used to prevent traffic, such as AppleTalk or IPX, from being forwarded.
                           Default: Disabled
Deny All IP Fragments      Drops all IP fragments.
- For Session Idle Timeout, enter 60
3. Click Apply.
To configure firewall functions using the command line interface, issue the following commands in config mode:
ipv6 firewall attack-rate ping 15
ipv6 firewall attack-rate session 25
ipv6 firewall session-idle-timeout 60
Understanding Firewall Policies
A user role, which determines a client's network privileges, is defined by one or more firewall policies.
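The three commands above set thresholds, and it helps to see what the datapath is being asked to count. The following is an added example, not ArubaOS code: it implements a per-source sliding-window counter for pings and new sessions with the limits 15 and 25, and a session table that expires flows idle for 60 seconds. The one-second window and the event format are assumptions for this example, and the events are constructed, not captured traffic.

```python
"""Added example (not ArubaOS code): the logic behind attack-rate and idle-timeout.

Models `ipv6 firewall attack-rate ping 15`, `attack-rate session 25` and
`session-idle-timeout 60`: count pings and new sessions per source over a
one-second window (window size assumed), flag a source that exceeds its
limit, and expire sessions idle for 60 s.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float      # seconds
    src: str      # source IPv6 address
    kind: str     # "ping" (ICMPv6 echo request) or "session" (new flow)


class AttackRateMonitor:
    def __init__(self, ping_rate=15, session_rate=25, window=1.0):
        self.limits = {"ping": ping_rate, "session": session_rate}
        self.window = window
        self.history = defaultdict(deque)   # (src, kind) -> timestamps in window
        self.alerts = []

    def observe(self, ev: Event) -> bool:
        """Return True if this event pushes its source over the per-window limit."""
        if ev.kind not in self.limits:
            raise ValueError(f"unknown event kind {ev.kind!r}")
        q = self.history[(ev.src, ev.kind)]
        q.append(ev.t)
        while q and ev.t - q[0] >= self.window:
            q.popleft()                    # drop events that fell out of the window
        if len(q) > self.limits[ev.kind]:
            self.alerts.append((ev.t, ev.src, ev.kind, len(q)))
            return True
        return False


class SessionTable:
    def __init__(self, idle_timeout=60):
        self.idle_timeout = idle_timeout
        self.last_seen = {}

    def touch(self, flow, now):
        self.last_seen[flow] = now

    def expire(self, now):
        """Drop flows idle for idle_timeout seconds; return what was removed."""
        gone = [f for f, t in self.last_seen.items() if now - t >= self.idle_timeout]
        for f in gone:
            del self.last_seen[f]
        return gone


def replay(events, monitor):
    """Run events through the monitor in time order; return offending sources."""
    return sorted({ev.src for ev in sorted(events, key=lambda e: e.t) if monitor.observe(ev)})


def sample_events():
    """Constructed traffic: one ping flood, one host just under the limit, one session burst."""
    flood = [Event(i * 0.05, "2001:db8::bad", "ping") for i in range(16)]
    normal = [Event(i * 0.05, "2001:db8::ok", "ping") for i in range(15)]
    burst = [Event(0.5 + i * 0.01, "2001:db8::scan", "session") for i in range(26)]
    return flood + normal + burst


if __name__ == "__main__":
    mon = AttackRateMonitor()
    print(replay(sample_events(), mon), mon.alerts)
```

The limit is exclusive (16 pings trip a limit of 15), which is why a host sending exactly at the configured rate stays clean; when tuning these values, remember that a single large-scale scanner is flagged per source, so a distributed scan below 25 sessions per source per second never trips the session limit at all.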
Table 34: IPv6 Firewall Policy Rule Parameters
Field            Description
                 permit: Permits traffic matching this rule.
                 drop: Drops packets matching this rule without any notification.
                 NOTE: The only actions for IPv6 policy rules are permit or deny; in this release, the controller cannot perform network address translation (NAT) or redirection on IPv6 packets. You can specify options such as logging, mirroring, or blacklisting (described below).
Log (optional)   Logs a match to this rule.
g. Click Add. 6. Click Add to add a rule that allows HTTPS traffic. a. Under IP Version column, select IPv6. b. Under Source, select network from the drop-down list. c. For Host IP, enter 2002:d81f:f9f0:1000::. d. For Mask, enter 64 as the prefix-length. e. Under Service, select service from the drop-down list. f. Select svc-https from the scrolling list. g. Click Add. Rules can be reordered using the up and down arrow buttons provided for each rule. 7. Click Apply.
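Because rules are evaluated top down and the arrow buttons change the order, it is worth checking a policy for rules that can never fire. The following is an added example, not ArubaOS code: it evaluates a list of IPv6 rules first-match against packet tuples and reports rules that an earlier rule completely covers. The rule set is the one built in the procedure above; the service table entries other than svc-https, the implicit deny at the end of the policy, and the packet tuples are assumptions for this example.

```python
"""Added example (not ArubaOS code): first-match evaluation of IPv6 policy rules.

Models the policy built above (permit svc-https from 2002:d81f:f9f0:1000::/64)
and shows why rule order matters: a rule completely covered by an earlier rule
can never match.  Service table, implicit deny and packet tuples are assumed.
"""
import ipaddress
from dataclasses import dataclass

# Service aliases used in rules; only svc-https appears on the page, the
# other entries are assumed here for illustration.
SERVICES = {
    "any": (None, None),
    "svc-https": ("tcp", 443),
    "svc-http": ("tcp", 80),
    "svc-dns": ("udp", 53),
}


@dataclass
class Rule:
    src: str = "any"          # "any" or an IPv6 prefix such as 2002:d81f:f9f0:1000::/64
    dst: str = "any"
    service: str = "any"
    action: str = "permit"    # permit or drop (the only IPv6 actions in this release)
    log: bool = False


def _covers(outer: str, inner: str) -> bool:
    """True if prefix `outer` contains everything `inner` can match."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.IPv6Network(inner, strict=False).subnet_of(
        ipaddress.IPv6Network(outer, strict=False))


def rule_matches(rule, src_ip, dst_ip, proto, dport) -> bool:
    if rule.src != "any" and ipaddress.IPv6Address(src_ip) not in ipaddress.IPv6Network(rule.src, strict=False):
        return False
    if rule.dst != "any" and ipaddress.IPv6Address(dst_ip) not in ipaddress.IPv6Network(rule.dst, strict=False):
        return False
    want_proto, want_port = SERVICES[rule.service]
    return want_proto is None or (proto, dport) == (want_proto, want_port)


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Return (action, index_of_matching_rule, logged); index None = implicit deny."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, src_ip, dst_ip, proto, dport):
            return rule.action, i, rule.log
    return "drop", None, False


def find_shadowed(rules):
    """Indexes of rules that an earlier rule covers entirely, so they never fire."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.src, rule.src) and _covers(earlier.dst, rule.dst)
                    and earlier.service in ("any", rule.service)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    policy = [Rule(src="2002:d81f:f9f0:1000::/64", service="svc-https", log=True),
              Rule(action="drop")]
    print(evaluate(policy, "2002:d81f:f9f0:1000::5", "2001:db8::1", "tcp", 443))
    print("shadowed:", find_shadowed(policy), find_shadowed(policy[::-1]))
```

`find_shadowed` flags unreachable rules regardless of action; a permit hidden behind a broader drop is a connectivity bug, while a drop hidden behind a broader permit is the security bug, and both look identical in the WebUI rule list.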
2. Click the IPv6 tab to display IPv6 clients. 3. To delete an entry in the IPv6 client display, click the radio button to the left of the client and then click Disconnect. To view user entries for IPv6 clients using the command line interface, use the show user-table command in enable mode. To delete a user entry for an IPv6 client, access the CLI in config mode and use the aaa ipv6 user delete command.
number of matching bits with the destination address, the kernel selects that source address that is most recently configured on the system. It is essential that the administrator/user configures the network appropriately, if a particular VLAN interface needs to be selected as the source. For example, in case of Dot1x authentication the administrator/user can configure the source interface appropriately so that it is selected for authentication process.
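The selection rule just described is short enough to state exactly, which makes it easier to predict which VLAN interface will source a RADIUS or 802.1x exchange. The following is an added example, not ArubaOS code: it implements longest-matching-prefix source selection with the most recently configured address winning ties. The candidate addresses and their configuration order are constructed for the example; the function does not read anything from a controller.

```python
"""Added example (not ArubaOS code): the source-address choice described above.

For a destination, pick the configured IPv6 address sharing the most leading
bits with it; on a tie, the address configured most recently wins.
"""
import ipaddress


def common_prefix_bits(a: str, b: str) -> int:
    """Number of leading bits two IPv6 addresses share (0..128)."""
    x = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - x.bit_length()


def select_source(candidates, destination: str) -> str:
    """candidates: list of (address, configured_seq); larger seq = configured later.

    Returns the address with the longest match, most recently configured on ties."""
    if not candidates:
        raise ValueError("no source addresses configured")
    return max(candidates, key=lambda c: (common_prefix_bits(c[0], destination), c[1]))[0]


def explain(candidates, destination: str) -> dict:
    """Per-candidate match length: useful when the wrong VLAN keeps being chosen."""
    return {addr: common_prefix_bits(addr, destination) for addr, _ in candidates}


if __name__ == "__main__":
    # Constructed: VLAN 10 address configured first, VLAN 20 address later.
    configured = [("2001:db8:1::1", 1), ("2001:db8:2::1", 2)]
    print(select_source(configured, "2001:db8:2::53"))     # longest match wins
    print(select_source(configured, "2001:db8:ffff::1"))   # tie: most recent wins
    print(explain(configured, "2001:db8:ffff::1"))
```

The practical consequence is the one the text draws: if the RADIUS server sits on a prefix that ties with several VLANs, a later "ip address" change on an unrelated VLAN can silently move the authentication source, so pin the source interface for 802.1x rather than relying on this tie-break.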
Chapter 6 Link Aggregation Control Protocol (LACP) The ArubaOS implementation of Link Aggregation Control Protocol (LACP) is based on the standards specified in 802.3ad. LACP provides a standardized means for exchanging information, with partner systems, to form a link aggregation group (LAG). LACP avoids port channel misconfiguration. Two devices (actor and partner) exchange LACP data units (DUs) when forming a LAG.
partner state; passive mode devices respond only to the incoming DUs sent by the partner device. Hence, to form a LAG group between two devices, one device must be an active participant. For detailed information on the LACP commands, see the Command-Line Interface Reference Guide.
In the CLI
LACPDUs exchange their corresponding system identifier/priority along with their port's key/priority. This information determines the LAG of a given port.
FE 1/1   SA   1   0x1   0x1   0x45   0x2   DOWN
FE 1/2   SA   1   0x1   0x1   0x45   0x3   UP
In the WebUI
Access LACP from the Configuration > Network > Port tabs. Use the drop-down list to enter the LACP values.
- LACP Group: the link aggregation group (LAG) number; the range is 0 to 7.
- Mode: active negotiation state, or not in an active negotiation state as indicated by the passive option.
- Priority: the port priority value; the range is 1-65535 and the default is 255.
  trusted vlan 1-4094
  lacp timeout short
  lacp group 0 mode active
!
interface fastethernet 1/2
  description "FE1/2"
  trusted vlan 1-4094
  lacp group 0 mode passive
!
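The active/passive rule and the short/long timeout in the configuration above are carried in one octet of every LACPDU. The following is an added example, not ArubaOS code: it decodes and encodes the IEEE 802.3ad actor/partner state octet, packs and parses the actor-information TLV, and applies the rule from the text that a LAG forms only when at least one side is active. The system IDs, keys and port numbers are constructed values.

```python
"""Added example (not ArubaOS code): LACP state bits and when a LAG can form.

Decodes the actor/partner state octet of an LACPDU (IEEE 802.3ad / 802.1AX),
builds the actor-information TLV, and applies the rule that a LAG forms only
if at least one side is in active mode.  Values below are constructed.
"""
import struct

# Bit order of the LACP state octet, bit 0 first.
STATE_BITS = ("activity", "timeout", "aggregation", "synchronization",
              "collecting", "distributing", "defaulted", "expired")


def decode_state(state: int) -> dict:
    """Map the 8 state bits to names; bit 0 = LACP_Activity (1 = active mode)."""
    return {name: bool(state >> i & 1) for i, name in enumerate(STATE_BITS)}


def encode_state(**flags) -> int:
    unknown = set(flags) - set(STATE_BITS)
    if unknown:
        raise ValueError(f"unknown LACP state flags: {sorted(unknown)}")
    return sum(1 << STATE_BITS.index(n) for n, v in flags.items() if v)


def expiry_seconds(state: int) -> int:
    """LACP_Timeout bit set = short timeout (3 s); clear = long timeout (90 s)."""
    return 3 if decode_state(state)["timeout"] else 90


def can_form_lag(actor_state: int, partner_state: int) -> bool:
    """Both ports must be aggregatable and at least one must actively send LACPDUs."""
    a, p = decode_state(actor_state), decode_state(partner_state)
    return a["aggregation"] and p["aggregation"] and (a["activity"] or p["activity"])


_ACTOR_FMT = "!BBH6sHHHB3x"   # type, length, sys prio, system id, key, port prio, port, state, reserved


def actor_info_tlv(sys_priority, system_id, key, port_priority, port, state) -> bytes:
    """Actor Information TLV: type 1, fixed length 20."""
    sysid = bytes.fromhex(system_id.replace(":", ""))
    if len(sysid) != 6:
        raise ValueError("system_id must be a 48-bit MAC")
    return struct.pack(_ACTOR_FMT, 1, 20, sys_priority, sysid, key,
                       port_priority, port, state)


def parse_actor_info_tlv(tlv: bytes) -> dict:
    t, length, sys_priority, sysid, key, port_priority, port, state = struct.unpack(_ACTOR_FMT, tlv)
    if t != 1 or length != 20:
        raise ValueError("not an actor-information TLV")
    return {"system_priority": sys_priority,
            "system_id": ":".join(f"{b:02x}" for b in sysid),
            "key": key, "port_priority": port_priority, "port": port,
            "state": decode_state(state)}


if __name__ == "__main__":
    active_short = encode_state(activity=True, timeout=True, aggregation=True)   # FE 1/1 above
    passive = encode_state(aggregation=True)                                      # FE 1/2 above
    print(can_form_lag(active_short, passive), can_form_lag(passive, passive))
    print(parse_actor_info_tlv(actor_info_tlv(255, "00:1a:1e:00:0d:09", 1, 255, 1, active_short)))
```

A LAG whose members both sit in passive mode never converges and the ports stay individual links, which is the failure the text warns about; a mismatched timeout is not fatal, since each side simply honours the interval its partner asks for.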
Chapter 7 OSPFv2 OSPFv2 (Open Shortest Path First) is a dynamic Interior Gateway routing Protocol (IGP) based on IETF RFC 2328. The OSPF uses the shortest or fastest routing path. Dell’s implementation of OSPFv2 allows Dell controllers to deploy effectively in a Layer 3 topology. Dell controllers can act as default gateway for all clients and forward user packets to the upstream router.
Platform   Branches   Routes
W-7220     16K        16K
W-7240     32K        32K
Below are some guidelines regarding deployment and topology for this release of OSPFv2.
- In the WLAN scenario, configure the Dell controller and all upstream routers in a totally stub area; in the Branch Office scenario, configure a stub area so that the Branch Office controller can receive corporate subnets.
- In the WLAN scenario upstream router, only configure the interface connected to the controller in the same area as the controller.
Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default
Below is the routing table for Router 1:
(router1) #show ip route
O    10.1.1.0/24 [1/0] via 4.1.1.1
O    12.1.1.0/24 [1/0] via 4.1.1.1
C    4.1.1.0 is directly connected, VLAN4
Below is the routing table for Router 2:
(router2) #show ip route
O    10.1.1.0/24 [2/0] via 5.1.1.1
O    12.1.1.0/24 [2/0] via 5.1.1.1
C    5.1.1.
In Figure 22, the branch office controller is configured using VLAN 14 and VLAN 15. Layer 3 GRE tunnel is configured with IP address 20.1.1.1/24 and OSPF is enabled on the tunnel interface. In the Central office controller, OSPF is enabled on VLAN interfaces 4, 5, and the Layer 3 GRE tunnel interface (configured with IP address 20.1.1.2/24). OSPF interface cost on VLAN 4 is configured lower than VLAN 5.
Figure 23 General OSPF Configuration 2. Click Add to add an area (see Figure 24). Figure 24 Add an OSPF Area 3. Configure the OSPF interface settings in the Configuration screen (Figure 25). If OSPF is enabled, the parameters contain the correct default values. You can edit the OSPF values only when you enable OSPF on the interface.
Figure 25 Edit OSPF VLAN Settings OSPF monitoring is available from an IP Routing sub-section (Controller > IP Routing > Routing). Both Static and OSPF routes are available in table format. OSPF Interfaces and Neighboring information is available from the OSPF tab. The Interface information includes transmit (TX) and receive (RX) statistics. Exporting VPN Client Addresses to OSPF You can configure VPN client addresses so that they can be exported to OSPF and be advertised as host routes (/32).
Figure 26 Sample OSPF Topology
Remote Branch 1
controller-ip vlan 30
vlan 16
vlan 30
vlan 31
vlan 32
interface gigabitethernet 1/0
  description "GE1/0"
  trusted
  switchport access vlan 16
!
interface gigabitethernet 1/1
  description "GE1/1"
  trusted
  switchport access vlan 30
!
interface gigabitethernet 1/2
  description "GE1/2"
  trusted
  switchport access vlan 31
!
interface gigabitethernet 1/3
  description "GE1/3"
  trusted
  switchport access vlan 32
!
interface vlan 16
  ip address 192.168.16.251 255.255.255.
!
interface vlan 30
  ip address 192.168.30.1 255.255.255.0
!
interface vlan 31
  ip address 192.168.31.1 255.255.255.0
!
interface vlan 32
  ip address 192.168.32.1 255.255.255.0
!
uplink wired priority 202
uplink cellular priority 201
uplink wired vlan 16
interface tunnel 2003
  description "Tunnel Interface"
  ip address 2.0.0.3 255.0.0.0
  tunnel source 192.168.30.1
  tunnel destination 192.168.68.217
  trusted
  ip ospf area 10.10.10.10
!
ip default-gateway 192.168.16.254
ip route 192.168.0.0 255.255.0.
  ip address 192.168.50.1 255.255.255.0
!
interface vlan 51
  ip address 192.168.51.1 255.255.255.0
!
interface vlan 52
  ip address 192.168.52.1 255.255.255.0
!
uplink wired priority 206
uplink cellular priority 205
uplink wired vlan 20
interface tunnel 2005
  description "Tunnel Interface"
  ip address 2.0.0.5 255.0.0.0
  tunnel source 192.168.50.1
  tunnel destination 192.168.68.217
  trusted
  ip ospf area 10.10.10.10
!
ip default-gateway 192.168.20.254
ip route 192.168.0.0 255.255.0.
  tunnel source 192.168.225.2
  tunnel destination 192.168.30.1
  trusted
  ip ospf area 10.10.10.10
!
interface tunnel 2005
  description "Tunnel Interface"
  ip address 2.1.0.5 255.0.0.0
  tunnel source 192.168.225.2
  tunnel destination 192.168.50.1
  trusted
  ip ospf area 10.10.10.10
!
master-redundancy
  master-vrrp 2
  peer-ip-address 192.168.68.221 ipsec password123
!
vrrp 1
  priority 120
  authentication password123
  ip address 192.168.68.
interface gigabitethernet 1/2
  description "GE1/2"
  trusted
  switchport access vlan 68
!
interface vlan 68
  ip address 192.168.68.221 255.255.255.224
!
interface vlan 100
  ip address 192.168.100.5 255.255.255.0
!
interface vlan 225
  ip address 192.168.225.1 255.255.255.0
!
interface tunnel 2003
  description "Tunnel Interface"
  ip address 2.1.0.3 255.0.0.0
  tunnel source 192.168.225.1
  tunnel destination 192.168.30.1
  trusted
  ip ospf area 10.10.10.10
!
interface tunnel 2005
  description "Tunnel Interface"
  ip address 2.
The following figure displays how the controller is configured for Instant AP VPN for different OSPF cases. Topology l Area-10 is NSSA (Not-So-Stubby Area) l Area-11 is Normal area. l RAPNG AP-1 is configured to have a 3600-UP controller as its primary controller and a 3600-DOWN as secondary controller. l RAPNG AP-2 is configured to have a 3600-DOWN as its primary controller and a 3600-UP as secondary controller. l RAPNG AP-1 is configured to have a 201.201.203.0/24 L3-distributed network.
The following commands display the configuration and run-time protocol details on the W-3600-UP controller:
(host)#show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN
Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
Gateway of last resort is 10.15.231.
N/A   AS_EXTERNAL   201.201.203.0   10.15.231.186   3600   0x80000001   0x6690
N/A   AS_EXTERNAL   201.201.203.0   192.100.2.3     1104   0x80000002   0xe4a2
N/A   AS_EXTERNAL   202.202.202.0   25.25.25.1      268    0x80000003   0x4385
(host) #show ip ospf neighbor
OSPF Neighbor Table
-------------------
Neighbor ID   Pri   State     Address      Interface
-----------   ---   -----     -------      ---------
21.21.21.1    1     FULL/DR   21.21.21.1   Vlan
Configuring W-3600-DOWN Controller
interface vlan 22
  ip address 22.22.22.2 255.255.255.0
  ip ospf area 0.0.0.
0.0.0.10   NSSA          0.0.0.0         25.25.25.1
0.0.0.10   NSSA          10.15.228.0     25.25.25.1
0.0.0.10   NSSA          12.12.12.0      192.100.2.2
0.0.0.10   NSSA          25.25.25.0      25.25.25.1
0.0.0.10   NSSA          202.202.202.0   192.100.2.2
N/A        AS_EXTERNAL   12.12.12.0      192.100.2.2
N/A        AS_EXTERNAL   202.202.202.0   192.100.2.
5.5.0.2        00:24:6C:C9:27:A3   1   LP
10.15.149.30   00:24:6C:C9:27:A3   1   LP
10.15.149.25   00:0B:86:40:93:00   1   A
(host)# show clients
Client List
-----------
Name   IP Address      MAC Address         OS   Network   Access Point   Channel   Type   Role   Signal   Speed (mbps)   Info timestamp
----   ----------      -----------         --   -------   ------------   -------   ----   ----   ------   ------------   --------------
       201.201.203.8   00:26:c6:52:6b:14                  149.30         48-       AN            (good)   6 (poor)       80259
192.100.2.2     00:00:00:00:00:00
192.168.10.1    00:24:6C:C0:41:F2
201.201.203.8   00:00:00:00:00:00
10.1.1.50       00:00:00:00:00:00
192.168.11.7    00:26:C6:52:6B:14
4.4.0.2         00:24:6C:C0:41:F2
10.13.6.110     00:00:00:00:00:00
10.15.149.38    00:24:6C:C9:27:CC
10.15.149.35    00:24:6C:C0:41:F2
10.15.149.33    00:0B:86:40:93:00
(host)# show clients
Client List
-----------
Name   IP Address     MAC Address   Signal   Speed (mbps)
----   ----------     -----------   ------   ------------
       202.202.202.
Chapter 8 Tunneled Nodes This chapter describes how to configure a Dell tunneled node, also known as a wired tunneled node. Dell tunneled nodes provide access and security using an overlay architecture.
Figure 27 Tunneled Node Configuration Operation Configuring a Wired Tunneled Node Client ArubaOS does not allow a tunneled-node client and tunneled-node server to co-exist on the same controller at the same time. The controller must be configured as either a tunneled-node client or a tunneled-node server. By default, the controller behaves as a tunneled-node server. However, once tunneled-node-server xxx.xxx.xxx.xxx is configured on the controller, the controller becomes a tunneled-node client.
d. Enter the IP address of the controller in the Wired Access Concentrator Server IP field. e. To enable tunnel loop prevention, click the Enable Wired Access Concentrator Loop Prevention checkbox. f. Click Apply.
3. Access each interface that you want to use, and assign it as a tunneled node port.
(host)(config) #interface fastethernet n/m
(host)(config-if) #tunneled-node port
4. Verify the configuration.
Chapter 9 Authentication Servers The ArubaOS software allows you to use an external authentication server or the controller internal user database to authenticate clients who need to access the wireless network.
the list is used. You can configure servers of different types in one group. For example, you can include the internal database as a backup to a RADIUS server. Figure 28 graphically represents a server group named “Radii” that consists of two RADIUS servers, Radius-1 and Radius-2. The server group is assigned to the server group for 802.1x authentication. Figure 28 Server Group Server names are unique. You can configure the same server in multiple server groups.
2. Select Radius Server to display the Radius Server List. 3. To configure a RADIUS server, enter the name for the server and click Add. 4. Select the name to configure server parameters. Enter parameters as described in Table 36. Select the Mode checkbox to activate the authentication server. 5. Click Apply. The configuration does not take effect until you perform this step.
Parameter   Description
            - If you do not associate the Source Interface with a configured server (leave the field blank), the IP address of the global Source Interface is used.
Use MD5     Use MD5 hash of cleartext password. Default: Disabled
Mode        Enables or disables the server.
VSA                                Type     Value   Description
Aruba-Named-User-Vlan              String   9       This VSA returns a VLAN name for a user. This VLAN name on a controller can be mapped to a user-defined name or to multiple VLAN IDs.
Aruba-AP-Group                     String   10      String that identifies the name of a Dell AP Group.
Aruba-Framed-IPv6-Address          String   11      This attribute is used for RADIUS accounting for IPv6 users.
Aruba-Device-Type                  String   12      String that identifies a Dell device on the network.
Aruba-Mdps-Device-Version          String   21      The device version is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. Device Version is checked against role mappings or enforcement policies to determine if the device is authorized to be onboarded.
Aruba-WorkSpace-App-Name           String   31      This VSA identifies an application supported by Dell WorkSpace.
Aruba-Mdps-Provisioning-Settings   String   32      Used as part of the ClearPass Onboard technology, this attribute allows the CPPM to signal back to the onboard process the context of the device provisioning settings that should be applied to the device based on applied role mappings.
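The "Value" column above is the Vendor-Type inside a RADIUS Vendor-Specific Attribute, and seeing the bytes makes it clear what a RADIUS server has to emit for the controller to act on, say, Aruba-Named-User-Vlan. The following is an added example, not ArubaOS or ClearPass code: it encodes Aruba VSAs per RFC 2865 section 5.26 and walks a RADIUS attribute list back into names and values, ignoring other vendors. The Vendor-Id 14823 is Aruba Networks' IANA enterprise number, which the page itself does not state; the attribute values are constructed.

```python
"""Added example (not ArubaOS or ClearPass code): encoding the Aruba VSAs.

A Vendor-Specific Attribute is RADIUS attribute type 26 wrapping a 4-byte
Vendor-Id, then Vendor-Type, Vendor-Length and the value.  Vendor-Type
numbers are the "Value" column of the table above.
"""
import struct

ARUBA_VENDOR_ID = 14823  # IANA Private Enterprise Number for Aruba Networks (not from the page)
VSA_ATTR = 26
ARUBA_VSAS = {
    "Aruba-Named-User-Vlan": 9,
    "Aruba-AP-Group": 10,
    "Aruba-Framed-IPv6-Address": 11,
    "Aruba-Device-Type": 12,
    "Aruba-Mdps-Device-Version": 21,
    "Aruba-WorkSpace-App-Name": 31,
    "Aruba-Mdps-Provisioning-Settings": 32,
}
_BY_TYPE = {v: k for k, v in ARUBA_VSAS.items()}


def encode_vsa(name: str, value: str) -> bytes:
    """One Aruba VSA as it appears on the wire inside an Access-Accept."""
    data = value.encode("utf-8")
    # 255 max attribute length - 2 (type/len) - 4 (vendor id) - 2 (vendor type/len)
    if len(data) > 247:
        raise ValueError("VSA value too long for one attribute")
    vendor_part = struct.pack("!BB", ARUBA_VSAS[name], 2 + len(data)) + data
    return struct.pack("!BBI", VSA_ATTR, 2 + 4 + len(vendor_part), ARUBA_VENDOR_ID) + vendor_part


def decode_attributes(blob: bytes):
    """Walk a RADIUS attribute list; return (name, value) for Aruba VSAs only."""
    out = []
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        body = blob[i + 2:i + length]
        i += length
        if attr_type != VSA_ATTR or len(body) < 6:
            continue                          # standard attribute, or too short to be a VSA
        vendor_id = struct.unpack("!I", body[:4])[0]
        if vendor_id != ARUBA_VENDOR_ID:
            continue                          # another vendor's VSA: not ours to interpret
        vtype, vlen = body[4], body[5]
        if vlen < 2 or 4 + vlen != len(body):
            raise ValueError("bad vendor length")
        name = _BY_TYPE.get(vtype, f"Aruba-Unknown-{vtype}")
        out.append((name, body[6:4 + vlen].decode("utf-8")))
    return out


if __name__ == "__main__":
    # Constructed Access-Accept attribute list: User-Name (type 1) plus two Aruba VSAs.
    attrs = b"\x01\x07alice" + encode_vsa("Aruba-Named-User-Vlan", "mygroup") \
        + encode_vsa("Aruba-AP-Group", "campus-ap")
    print(attrs.hex(), decode_attributes(attrs))
```

The value of Aruba-Named-User-Vlan must match a named VLAN or pool on the controller exactly; the decoder above tolerates an unknown Vendor-Type so a newer server dictionary does not break parsing, but it rejects malformed lengths rather than skipping them, which is the safer choice for anything that feeds an authorization decision.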
Using the WebUI 1. Navigate to the Configuration > Security > Authentication > Advanced page. 2. In the DNS Query Interval (min) field, enter a new DNS query interval, from 1-1440 minutes, inclusive. 3. Click Apply.
Table 39: LDAP Server Configuration Parameters Parameter Description Host IP address of the LDAP server. Default: N/A Admin-DN Distinguished name for the admin user who has read/search privileges across all the entries in the LDAP database (the user does not need write privileges, but must be able to search the database and read attributes of other users in the database). Admin Password Password for the admin user.
Using the CLI (host)(config) #aaa authentication-server ldap host (enter parameters as described in Table 39) enable Configuring a TACACS+ Server Table 40 defines the TACACS+ server parameters. Table 40: TACACS+ Server Configuration Parameters Parameter Description Host IP address of the server. Default: N/A Key Shared secret to authenticate communication between the TACACS+ client and server. Default: N/A TCP Port TCP port used by server.
session-authorization Configuring a Windows Server Table 41 defines parameters for a Windows server used for stateful NTLM authentication. Table 41: Windows Server Configuration Parameters Parameter Description Host IP address of the server. Default: N/A Mode Enables or disables the server. Default: enabled Windows Domain Name of the Windows Domain assigned to the server. Using the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2.
Table 42: Internal Database Configuration Parameters Parameters Description User Name (Required) Enter a user name or select Generate to automatically generate a user name. An entered user name can be up to 64 characters in length. Password (Required) Enter a password or select Generate to automatically generate a password string. An entered password must be a minimum of 6 characters and can be up to 128 characters in length. Role Role for the client.
were created during the export process. Note that importing a file into the internal database overwrites and removes all existing entries. Exporting Files in the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2. Select Internal DB. 3. Click Export in the Internal DB Maintenance section. A popup window opens. 4. Enter the name of the file you want to export. 5. Click OK. Importing Files in the WebUI 1.
Configuring Server Groups You can create groups of servers for specific types of authentication – for example, you can specify one or more RADIUS servers to be used for 802.1x authentication. You can configure servers of different types in one group. For example, you can include the internal database as a backup to a RADIUS server. Configuring Server Groups Server names are unique. You can configure the same server in more than one server group.
In the following example, you create a server group "corp-serv" with two LDAP servers (ldap-1 and ldap-2), each of which contains a subset of the usernames and passwords used in the network. When you enable failthrough authentication, users that fail authentication on the first server in the server list will be authenticated with the second server. Using the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2. Select LDAP Server to display the LDAP Server List. 3.
You can configure multiple match rules for the same server. The controller compares the client/user information with the match rules configured for each server, starting with the first server in the server group. If a match is found, the controller sends the authentication request to the server with the matching rule. If no match is found before the end of the server list is reached, an error is returned and no authentication request for the client/user is sent.
d. Click Add Rule >>. e. Scroll to the right and click Add Server. The last server you added to the server group (radius-2) automatically appears as the first server in the list. In this example, the order of servers is not important. If you need to reorder the server list, scroll to the right and click the up or down arrow for the appropriate server. 7. Click Apply.
This option does not support client information sent in the format host/. Using the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2. Select Server Group to display the Server Group list. 3. Enter the name of the new server group and click Add. 4. Select the name to configure the server group. 5. Under Servers, click Edit for a configured server or click New to add a server to the group.
Parameter Description starts-with: The rule is applied if and only if the attribute value returned starts with the string in parameter Operand. ends-with: The rule is applied if and only if the attribute value returned ends with the string in parameter Operand. equals: The rule is applied if and only if the attribute value returned equals the string in parameter Operand. not-equals: The rule is applied if and only if the attribute value returned is not equal to the string in parameter Operand. value-of: This is a special condition.
to the authenticated client, you must configure a server derivation rule as shown in the following sections: Using the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2. Select Server Group to display the Server Group list. 3. Select the internal server group. 4. Under Server Rules, click New to add a server derivation rule. a. For Condition, enter Role. b. Select value-of from the drop-down list. c. Select Set Role from the drop-down list. d. Click Add. 5. Click Apply.
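The server selection and role derivation described above, as an added model written for this guide (not ArubaOS code). It shows the first-match walk through a server group's match rules, the case where no server matches and no request is sent, and a "value-of" derivation rule that uses the returned Role attribute as the client's role. The server names, user store, operator table and attribute names are constructed for the example.

```python
"""Added example: server-group match rules and 'value-of' server derivation.
A model written for this guide, not ArubaOS code."""
from dataclasses import dataclass, field

# Match-rule operators, as described in the guide's server rule table.
OPERATORS = {
    "contains":    lambda value, operand: operand in value,
    "starts-with": lambda value, operand: value.startswith(operand),
    "ends-with":   lambda value, operand: value.endswith(operand),
    "equals":      lambda value, operand: value == operand,
    "not-equals":  lambda value, operand: value != operand,
}

@dataclass
class MatchRule:
    attribute: str   # client/user attribute that is compared, e.g. "username"
    operator: str    # one of the OPERATORS keys
    operand: str

@dataclass
class Server:
    name: str
    users: dict      # constructed store: username -> (password, attributes returned on accept)
    rules: list = field(default_factory=list)

def rule_matches(rule, client):
    return OPERATORS[rule.operator](client.get(rule.attribute, ""), rule.operand)

def select_server(servers, client):
    """First server, in group order, with a matching rule.  A server with no
    rules matches every client.  None means no authentication request is sent."""
    for server in servers:
        if not server.rules or any(rule_matches(r, client) for r in server.rules):
            return server
    return None

@dataclass
class DerivationRule:
    attribute: str          # attribute returned by the server, e.g. "Role"
    operator: str           # an OPERATORS key, or "value-of"
    operand: str = ""
    role: str = ""          # role set when a non-value-of rule matches

def derive_role(rules, returned_attrs, default_role):
    """First matching derivation rule wins; value-of uses the attribute's value itself."""
    for rule in rules:
        value = returned_attrs.get(rule.attribute)
        if value is None:
            continue
        if rule.operator == "value-of":
            return value
        if OPERATORS[rule.operator](value, rule.operand):
            return rule.role
    return default_role

def authenticate(servers, derivation_rules, client, password, default_role="guest"):
    server = select_server(servers, client)
    if server is None:
        return {"result": "error", "reason": "no server rule matched; request not sent"}
    entry = server.users.get(client["username"])
    if entry is None or entry[0] != password:
        return {"result": "reject", "server": server.name}
    return {"result": "accept", "server": server.name,
            "role": derive_role(derivation_rules, entry[1], default_role)}

# Constructed server group: radius-1 only handles corp users, radius-2 has no rules.
RADIUS_1 = Server("radius-1", {"alice@corp.example": ("s3cret", {"Role": "faculty"})},
                  rules=[MatchRule("username", "ends-with", "@corp.example")])
RADIUS_2 = Server("radius-2", {"bob": ("pa55", {})})
GROUP = [RADIUS_1, RADIUS_2]
DERIVATION = [DerivationRule("Role", "value-of")]   # Role value-of -> Set Role
```

Because a server without rules matches everyone, placing such a server before a rule-bearing one would shadow the rules; order matters exactly as the guide says it does when rules are in use.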
Using the WebUI 1. Navigate to the Configuration > Management > Administration page. 2. Under the Management Authentication Servers section, select the following: l Enable checkbox l Server Group 3. Click Apply. Using the CLI (host)(config) #aaa authentication mgmt server-group enable Accounting You can configure accounting for RADIUS and TACACS+ server groups. RADIUS or TACACS+ accounting is only supported when RADIUS or TACACS+ is used for authentication.
NAS-Port: Physical or virtual port (tunnel) number through which the user traffic is entering the controller. NAS-Port-Type: Type of port used in the connection. This is set to one of the following: 5: admin login; 15: wired user type; 19: wireless user. Framed-IP-Address: IP address of the user. Calling-Station-ID: MAC address of the user. Called-station-ID: MAC address of the controller.
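The accounting attributes listed above, together with the Aruba VSAs from the VSA table, as an added example written for this guide (not ArubaOS or RADIUS server code). It encodes and decodes RADIUS attributes in their type/length/value form, including the Vendor-Specific wrapper, and then summarises a constructed accounting record. Aruba's vendor ID (14823) is an assumption, not a value taken from this page; the sample addresses and names are constructed.

```python
"""Added example: RADIUS attribute and VSA encode/decode plus an accounting
summary.  Written for this guide, not ArubaOS code."""
import struct
import ipaddress

VENDOR_SPECIFIC = 26
NAS_PORT, FRAMED_IP_ADDRESS, CALLED_STATION_ID, CALLING_STATION_ID, NAS_PORT_TYPE = 5, 8, 30, 31, 61
ARUBA_VENDOR_ID = 14823          # assumption: Aruba's IANA enterprise number (not stated on this page)
ARUBA_NAMED_USER_VLAN = 9        # VSA numbers as listed in the guide's VSA table
ARUBA_AP_GROUP = 10
NAS_PORT_TYPE_NAMES = {5: "admin login", 15: "wired user", 19: "wireless user"}  # meanings per the guide

def encode_attr(atype, value):
    """Standard attribute: 1-byte type, 1-byte length (value + 2), value (max 253 bytes)."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def encode_vsa(vendor_id, vtype, value):
    """Vendor-Specific (26): 4-byte vendor id, then vendor type, vendor length, value."""
    inner = struct.pack("!BB", vtype, len(value) + 2) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)

def decode_attrs(data):
    """Walk the attribute list; reject inconsistent lengths instead of over-reading."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short VSA")
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen != len(value) - 4:
                raise ValueError("bad VSA length")
            attrs.append(("vsa", vendor, vtype, value[6:]))
        else:
            attrs.append(("attr", atype, value))
        i += alen
    return attrs

def is_malformed(data):
    """True when decode_attrs rejects the byte string."""
    try:
        decode_attrs(data)
        return False
    except ValueError:
        return True

def summarize_accounting(attrs):
    """Pick out the fields the guide lists for accounting records."""
    summary = {}
    for a in attrs:
        if a[0] == "attr":
            _, atype, value = a
            if atype == NAS_PORT_TYPE:
                code = struct.unpack("!I", value)[0]
                summary["nas_port_type"] = NAS_PORT_TYPE_NAMES.get(code, f"other ({code})")
            elif atype == NAS_PORT:
                summary["nas_port"] = struct.unpack("!I", value)[0]
            elif atype == FRAMED_IP_ADDRESS:
                summary["framed_ip"] = str(ipaddress.IPv4Address(value))
            elif atype == CALLING_STATION_ID:
                summary["user_mac"] = value.decode("ascii")
            elif atype == CALLED_STATION_ID:
                summary["controller_mac"] = value.decode("ascii")
        elif a[1] == ARUBA_VENDOR_ID:
            _, _, vtype, value = a
            if vtype == ARUBA_NAMED_USER_VLAN:
                summary["named_vlan"] = value.decode("ascii")
            elif vtype == ARUBA_AP_GROUP:
                summary["ap_group"] = value.decode("ascii")
    return summary

def sample_accounting_attrs():
    """Constructed accounting-start attribute list for a wireless user (sample values)."""
    return (encode_attr(NAS_PORT, struct.pack("!I", 0))
            + encode_attr(NAS_PORT_TYPE, struct.pack("!I", 19))
            + encode_attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.1.60.25").packed)
            + encode_attr(CALLING_STATION_ID, b"00-1A-2B-3C-4D-5E")
            + encode_attr(CALLED_STATION_ID, b"00-0B-86-00-00-01")
            + encode_vsa(ARUBA_VENDOR_ID, ARUBA_AP_GROUP, b"first-floor")
            + encode_vsa(ARUBA_VENDOR_ID, ARUBA_NAMED_USER_VLAN, b"staff-vlan"))
```

The length checks in decode_attrs are the part worth keeping: a RADIUS parser that trusts the length byte will read past a truncated record, which is the classic parsing bug in this protocol family.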
Remote APs in split-tunnel mode now support RADIUS accounting. If you enable RADIUS accounting in a split-tunnel Remote AP’s AAA profile, the controller sends a RADIUS accounting start record to the RADIUS server when a user associates with the remote AP, and sends a stop record when the user logs out or is deleted from the user database. If interim accounting is enabled, the controller sends updates at regular intervals.
Configuring Authentication Timers Table 45 describes the timers you can configure that apply to all clients and servers. These timers can be left at their default values for most implementations. Table 45: Authentication Timers Timer Description User Idle Timeout Maximum period after which a client is considered idle if there is no wireless traffic from the client. The timeout period is reset if there is wireless traffic. If there is no wireless traffic in the timeout period, the client is aged out.
idle-timeout [seconds] logon-lifetime <0-255> stats-timeout [seconds] Authentication Server Load Balancing Load balancing of authentication servers ensures that the authentication load is split across multiple authentication servers, thus avoiding any one particular authentication server from being overloaded.
Chapter 10 MAC-based Authentication This chapter describes how to configure MAC-based authentication on the Dell controller using the WebUI. Use MAC-based authentication to authenticate devices based on their physical media access control (MAC) address. While not the most secure and scalable method, MAC-based authentication provides an additional layer of security for authenticating devices.
Table 46: MAC Authentication Profile Configuration Parameters Parameter Description Delimiter Delimiter used in the MAC string: colon specifies the format XX:XX:XX:XX:XX:XX; dash specifies the format XX-XX-XX-XX-XX-XX; none specifies the format XXXXXXXXXXXX; oui-nic specifies the format XXXXXX:XXXXXX. Default: none NOTE: This parameter is available for the aaa authentication-server radius command. Case The case (upper or lower) used in the MAC string.
4. For User Name and Password, enter the MAC address for the client. Use the format specified by the Delimiter parameter in the MAC Authentication profile. For example, if the MAC Authentication profile specifies the default delimiter (none), enter MAC addresses in the format xxxxxxxxxxxx. 5. Click Enabled to activate this entry on creation. 6. Click Apply. The configuration does not take effect until you perform this step.
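The Delimiter and Case handling from Table 46 and the internal-database entry step above, as an added example written for this guide (not ArubaOS code). It normalises a MAC address however a client presents it, renders it in the profile's format, and looks up an internal-database entry by that rendered string, which is where mismatched delimiter or case settings typically cause silent MAC-auth failures. The default case of "lower" is an assumption; the sample addresses are constructed.

```python
"""Added example: rendering a MAC string per a MAC Authentication profile's
Delimiter and Case settings.  Written for this guide, not ArubaOS code."""
import re

# Delimiter formats as listed in the guide's Table 46.
DELIMITERS = {"colon": ":", "dash": "-", "none": "", "oui-nic": None}

def normalize_mac(mac):
    """Strip any separators and require exactly 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def format_mac(mac, delimiter="none", case="lower"):
    """Render a MAC in the profile's format (default delimiter none; case lower assumed)."""
    if delimiter not in DELIMITERS:
        raise ValueError(f"unknown delimiter {delimiter!r}")
    if case not in ("upper", "lower"):
        raise ValueError(f"unknown case {case!r}")
    digits = normalize_mac(mac)
    digits = digits.upper() if case == "upper" else digits.lower()
    if delimiter == "oui-nic":                      # XXXXXX:XXXXXX
        return digits[:6] + ":" + digits[6:]
    sep = DELIMITERS[delimiter]
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))

def mac_credential(mac, delimiter="none", case="lower"):
    """Internal DB entry for MAC auth: user name and password are both the MAC string."""
    rendered = format_mac(mac, delimiter, case)
    return rendered, rendered

def lookup(entries, presented_mac, delimiter="none", case="lower"):
    """Find the entry whose user name equals the presented MAC rendered in profile format."""
    return entries.get(format_mac(presented_mac, delimiter, case))

# Constructed internal DB keyed by user name, built with the profile defaults.
USER, PASSWORD = mac_credential("00:1A:2B:3C:4D:5E")
ENTRIES = {USER: {"password": PASSWORD, "role": "guest", "enabled": True}}
```

If the profile is later changed to a different delimiter or case, existing entries stop matching; re-create them with the new format rather than relying on the client's own presentation of its address.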
Chapter 11 802.1X Authentication 802.1X is an Institute of Electrical and Electronics Engineers (IEEE) standard that provides an authentication framework for WLANs. 802.1x uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1X framework that are suitable for wireless networks include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS).
Supported EAP Types Following is the list of supported EAP types: PEAP: Protected EAP (PEAP) is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with the server. The PEAP authentication creates an encrypted SSL / TLS tunnel between the client and the authentication server. The exchange of information is encrypted and stored in the tunnel to ensure that the user credentials are kept secure.
The supplicant and the authentication server must be configured to use the same EAP type. The controller does not need to know the EAP type used between the supplicant and authentication server. For the controller to communicate with the authentication server, you must configure the IP address, authentication port, and accounting port of the server on the controller. The authentication server must be configured with the IP address of the RADIUS client, which is the controller in this case.
Configuring 802.1X Authentication On the controller, use the following steps to configure a wireless network that uses 802.1x authentication: 1. Configure the VLANs to which the authenticated users will be assigned. See Network Configuration Parameters on page 148. 2. Configure policies and roles. You can specify a default role for users who are successfully authenticated using 802.1X.
Table 47: 802.1x Authentication Profile Basic WebUI Parameters Parameter Description Basic 802.1x Authentication Settings Max authentication failures Number of times a user can try to log in with wrong credentials after which the user is blacklisted as a security threat. Set to 0 to disable blacklisting, otherwise enter a non-zero integer to blacklist the user after the specified number of failures. Range: 0-5 failures. Default: 0 failure. NOTE: This option may require a license.
Table 47: 802.1x Authentication Profile Basic WebUI Parameters Parameter Description Machine Authentication Cache Timeout The timeout, in hours, for machine authentication. The allowed range of values is 1-1000 hours, and the default value is 24 hours. Blacklist on Machine Authentication Failure Select the Blacklist on Machine Authentication Failure checkbox to blacklist a client if machine authentication fails. This setting is disabled by default.
Table 47: 802.1x Authentication Profile Basic WebUI Parameters Parameter Description (This parameter is applicable when 802.1X authentication is terminated on the controller, also known as AAA FastConnect.) The allowed range of values for this parameter is 0-3 failures, and the default value is 0. Dynamic WEP Key Message Retry Count Set the number of times WPA/WPA2 Key Messages are retried. Range: 1-5 retries. Default: 3 retries.
Table 47: 802.1x Authentication Profile Basic WebUI Parameters Parameter Description Use Session Key Select the Use Session Key option to use the RADIUS session key as the unicast WEP key. This option is disabled by default. Use Static Key Select the Use Static Key option to use a static key as the unicast/multicast WEP key. This option is disabled by default. xSec MTU Set the maximum transmission unit (MTU) for frames using the xSec protocol. Range: 1024-1500 bytes. Default: 1300 bytes.
In the CLI The following command configures settings for an 802.1X authentication profile. Individual parameters are described in the previous table.
authentication for AAA FastConnect, you need to import the following certificates into the controller (see Importing Certificates on page 798): the controller’s server certificate, and the CA certificate for the CA that signed the client certificates. In the WebUI 1. Navigate to the Configuration > Security > Authentication > L2 Authentication page. 2. In the Profiles list, select 802.1x Authentication Profile. 3. Select the default 802.
Table 48: Role Assignment for User and Machine Authentication Machine Auth Status User Auth Status Description Role Assigned Failed Failed Both machine authentication and user authentication failed. L2 authentication failed. No role assigned. No access to the network allowed. Failed Passed Machine authentication failed (for example, the machine information is not present on the server) and user authentication succeeded. Server-derived roles do not apply.
Table 49: VLAN Assignment for User and Machine Authentication Machine Auth Status User Auth Status Description VLAN Assigned Failed Failed Both machine authentication and user authentication failed. L2 authentication failed. No VLAN. Failed Passed Machine authentication failed (for example, the machine information is not present on the server) and user authentication succeeded. VLAN configured in the virtual AP profile.
2. Select the AP you want to provision. 3. Click Provision. The provisioning window opens. 4. Select the 802.1x Parameters using PEAP checkbox and enter the following credentials: a. User Name: Enter the username of the AP in the User Name field. b. Password: Enter the password of the AP in the Password field. 5. Enter the password again in the Confirm Password field and reconfirm it. 6. Click Apply and Reboot (at the bottom of the page). In the CLI To provision an AP as a 802.
to all communications with the Dell controller. The authentication type is WPA. From the 802.1X authentication exchange, the client and the controller derive dynamic keys to encrypt data transmitted on the wireless network. 802.1x authentication based on PEAP with MS-CHAPv2 provides both computer and user authentication. If a user attempts to log in without the computer being authenticated first, the user is placed into a more limited “guest” user role.
g. Click Add. 5. Under Rules, click Add. a. Under Source, select user. b. Under Destination, select alias and then select Internal Network. c. Under Service, select service. In the Service scrolling list, select svc-pop3. d. Under Action, select drop. e. Click Add. 6. Repeat steps 4A-E to create rules for the following services: svc-ftp, svc-smtp, svc-snmp, and svc-ssh. 7. Click Apply. 8. Click the User Roles tab. Click Add to create the student role. 9. For Role Name, enter student. 10.
7. For Role Name, enter faculty. 8. Under Firewall Policies, click Add. In Choose from Configured Policies, select the faculty policy you previously created. Click Done.
d. Under Action, select drop. e. Click Add. To create rules to permit HTTP and HTTPS access during working hours: a. Under Source, select user. b. Under Destination, select any. c. Under Service, select service. In the Services scrolling list, select svc-http. d. Under Action, select permit. e. Under Time Range, select working-hours. f. Click Add. g. Repeat steps A-F for the svc-https service. To create a rule that denies the user access to all destinations and all services: a. Under Source, select user. b.
4. Click Apply. In the CLI (host)(config) #user-role sysadmin session-acl allowall Using the WebUI to create the computer role 1. Navigate to Configuration > Security > Access Control > User Roles page. Click Add to create the computer role. 2. For Role Name, enter computer. 3. Under Firewall Policies, click Add. In Choose from Configured Policies, select the predefined allowall policy. Click Done. 4. Click Apply.
d. Click Add. 5. Click Apply. In the CLI Use the following commands to configure the RADIUS authentication server: (host)(config) #aaa authentication-server radius IAS1 host 10.1.1.21 key |*a^t%183923! (host)(config) #aaa server-group IAS auth-server IAS1 set role condition Class value-of Configuring 802.1X Authentication An AAA profile specifies the 802.1X authentication profile and 802.1x server group to be used for authenticating clients for a WLAN.
(host)(config) #aaa authentication dot1x dot1x machine-authentication enable machine-authentication machine-default-role computer machine-authentication user-default-role guest (host)(config) #aaa profile aaa_dot1x dot1x-default-role faculty mac-default-role computer authentication-dot1x dot1x dot1x-server-group IAS Configuring VLANs In this example, wireless clients are assigned to either VLAN 60 or 61 while guest users are assigned to VLAN 63.
(host)(config) #vlan 60 (host)(config) #interface vlan 60 ip address 10.1.60.1 255.255.255.0 ip helper-address 10.1.1.25 (host)(config) #vlan 61 (host)(config) #interface vlan 61 ip address 10.1.61.1 255.255.255.0 ip helper-address 10.1.1.25 (host)(config) #vlan 63 (host)(config) #interface vlan 63 ip address 10.1.63.1 255.255.255.0 ip helper-address 10.1.1.25 (host)(config) #ip default-gateway 10.1.1.
b. For VLAN, select 63. c. Click Apply. 6. Navigate to the Configuration > Wireless > AP Configuration page. 7. In the AP Group list, click Edit for the second-floor. 8. In the Profiles list, select Wireless LAN and then Virtual AP. 9. Select guest from the Add a profile drop-down list. Click Add. 10.Click Apply.
a. Ensure that you select Virtual AP enable. b. For VLAN, select 60. c. Click Apply. 6. Navigate to the Configuration > Wireless > AP Configuration page. 7. In the AP Group list, click Edit for the second-floor. 8. In the Profiles list, select Wireless LAN and then Virtual AP. 9. To configure the WLAN-01_second-floor virtual AP: a. Select NEW from the Add a profile drop-down list. Enter WLAN-second-floor, and click Add. b.
group, configure a server derivation rule that assigns the role to the authenticated client. In the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2. In the Servers list, select Internal DB. 3. Under Users, click Add User to add users. 4. For each user, enter a username and password. 5. Select a role for each user (if a role is not specified, the default role is guest). 6. Select the expiration time for the user account in the internal database. 7. Click Apply.
The defaults for EAP Method and Inner EAP Method are EAP-PEAP and EAP-MSCHAPv2, respectively. d. Click Apply. 2. Select the AAA Profiles tab. a. In the AAA Profiles Summary, click Add to add a new profile. b. Enter aaa_dot1x, then click Add. c. Select the aaa_dot1x profile you just created. d. For 802.1x Authentication Default Role, select faculty. e. Click Apply. 3. In the Profiles list (under the aaa_dot1x profile you just created), select 802.1x Authentication Profile. a.
d. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add. e. Click Apply. 3. In the IP Interfaces page, click Edit for VLAN 61. a. For IP Address, enter 10.1.61.1. b. For Net Mask, enter 255.255.255.0. c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add. d. Click Apply. 4. In the IP Interfaces page, click Edit for VLAN 63. a. For IP Address, enter 10.1.63.1. b. For Net Mask, enter 255.255.255.0. c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add. d.
In the WebUI 1. Navigate to the Configuration > Wireless > AP Configuration page. 2. In the AP Group list, select first-floor. 3. In the Profiles list, select Wireless LAN and then Virtual AP. 4. To configure the guest virtual AP: a. Select NEW from the Add a profile drop-down list. Enter guest for the name of the virtual AP profile, and click Add. b. In the Profile Details entry for the guest virtual AP profile, select NEW from the SSID profile drop-down list.
other with VLAN 61 for the second-floor AP group. Each virtual AP profile references the SSID profile “WLAN01” and the previously-configured AAA profile “aaa_dot1x”. In the WebUI 1. Navigate to the Configuration > Wireless > AP Configuration page. 2. In the AP Group list, select first-floor. 3. In the Profiles list, select Wireless LAN, then select Virtual AP. 4. To configure the WLAN-01_first-floor virtual AP: a. Select NEW from the Add a profile drop-down list. Enter WLAN-01_first-floor, and click Add.
vlan 60 aaa-profile aaa_dot1x ssid-profile WLAN-01 (host)(config) #wlan virtual-ap WLAN-01_second-floor vlan 61 aaa-profile aaa_dot1x ssid-profile WLAN-01 (host)(config) #ap-group first-floor virtual-ap WLAN-01_first-floor (host)(config) #ap-group second-floor virtual-ap WLAN-01_second-floor Configuring Mixed Authentication Modes Use the l2-auth-fail-through command to perform mixed authentication that includes both MAC and 802.1x authentication.
Unicast key rotation depends upon both the AP/controller and wireless client behavior. It is known that some wireless NICs have issues with unicast key rotation.
Important Points to Remember CPPM is the only supported IDP. SSO occurs after 802.1x authentication; therefore, SSO after captive portal authentication is not supported. Roles for captive portal and SSO are mutually exclusive and, therefore, a user in the captive portal role cannot perform SSO and vice-versa. SSO with VIA is not supported. There is a limit on the number of concurrent sessions that can be serviced at a given instant.
9. Click Apply when all URLs have been added. In the CLI sso idp-profile idp Applying an SSO Profile to a User Role The newly created SSO profile must be applied to any applicable user roles that require SSO. Apply the SSO profile by completing the steps below. In the WebUI 1. Navigate to Configuration > Security > Access Control. 2. Select the User Roles tab. 3. Select the User Role that the SSO profile will be linked to and click Edit. 4. Under Misc.
Chapter 12 Stateful and WISPr Authentication ArubaOS supports stateful 802.1X authentication, stateful NTLM authentication and authentication for Wireless Internet Service Provider roaming (WISPr). Stateful authentication differs from 802.
Working With WISPr Authentication WISPr authentication allows a “smart client” to authenticate on the network when they roam between Wireless Internet Service Providers, even if the wireless hotspot uses an ISP for which the client may not have an account.
1. Navigate to the Configuration > Security > Authentication > L2 Authentication window. 2. In the Profiles list, select Stateful 802.1X Authentication Profile. 3. Click the Default Role drop-down list, and select the role assigned to stateful 802.1X authenticated users. 4. Specify the timeout period for authentication requests, from 1 to 20 seconds. The default value is 10 seconds. 5. Select the Mode checkbox to enable stateful 802.1X authentication.
To create and define settings for a Stateful NTLM Authentication profile, select an existing profile, then click Save As in the right window pane. Enter a name for the new profile in the entry field at the top of the right window pane. 4. Click the Default Role drop-down list, and select the role to be assigned to all users after they complete stateful NTLM authentication. 5. Specify the timeout period for authentication requests, from 1 to 20 seconds. The default value is 10 seconds. 6.
To create and define settings for a new Stateful Kerberos Authentication profile, select an existing profile, then click Save As in the right window pane. Enter a name for the new profile in the entry field at the top of the right window pane. 4. Click the Default Role drop-down list, and select the role to be assigned to all users after they complete stateful Kerberos authentication. 5. Specify the timeout period for authentication requests, from 1-20 seconds. The default value is 10 seconds. 6.
To create and define settings for a new WISPr Authentication profile, select an existing profile, then click Save As in the right window pane. Enter a name for the new profile in the entry field at the top of the right window pane. 4. Define values for the parameters below. Table 51: WISPr Authentication Profile Parameters Parameter Description Default Role Default role assigned to users that complete WISPr authentication.
host 172.4.77.
Chapter 13 Certificate Revocation The Certificate Revocation feature enables the controller to perform real-time certificate revocation checks using the Online Certificate Status Protocol (OCSP), or traditional certificate validation using the Certificate Revocation List (CRL) client.
Configuring an OCSP Controller as a Responder The controller can be configured to act as an OCSP responder (server) and respond to OCSP queries from clients that want to obtain revocation status of certificates. The OCSP responder on the controller is accessible over HTTP port 8084. You cannot configure this port. Although the OCSP responder accepts signed OCSP requests, it does not attempt to verify the signature before processing the request. Therefore, even unsigned OCSP requests are supported.
Figure 32 Upload a certificate 6. Click Upload. The certificate appears in the Certificate Lists pane. 7. For detailed information about an uploaded certificate, click View next to the certificate. Figure 33 View certificate details 8. Select the Revocation Checkpoint tab.
9. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to configure. The Revocation Checkpoint pane displays. 10. In the Revocation Check field, select ocsp from the Method 1 drop-down list as the primary check method. 11. In the OCSP URL field, enter the URL of the OCSP responder. 12. In the OCSP Responder Cert field, select the OCSP certificate you want to configure from the drop-down menu. 13. Click Apply.
9. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to configure. The Revocation Checkpoint pane displays. 10. In the Revocation Check field, select crl from the Method 1 drop-down list. 11. In the CRL Location field, enter the CRL you want to use for this revocation checkpoint. The CRLs listed are files that have already been imported onto the controller. 12. Click Apply.
11. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to configure. The Revocation Checkpoint pane displays. 12. In the Revocation Check field, optionally select a check method from the Method 1 drop-down list. Optionally, select a backup check method from the Method 2 drop-down list. 13. Select Enable next to Enable OCSP Responder. 14. Select OCSP signer cert from the OCSP Signer Cert drop-down menu. 15.
(host)(config) #mgmt-user ssh-pubkey client-cert client1-rg test1 root rcp ca-rg In this example, a user is configured without the RCP: (host)(config) #mgmt-user ssh-pubkey client-cert client2-rg test2 root Displaying Revocation Checkpoint for the SSH Pubkey User The RCP checks the revocation status of the SSH user’s client certificate before permitting access. If the revocation check fails, the user is denied access using the ssh-pubkey authentication method.
Chapter 14 Captive Portal Authentication Captive portal is one of the methods of authentication supported by ArubaOS. A captive portal presents a web page which requires user action before network access is granted. The required action can be simply viewing and agreeing to an acceptable use policy, or entering a user ID and password which must be validated against a database of authorized users.
There are differences in how captive portal functions work and how you configure captive portal, depending on whether the license is installed. Other parts of this chapter describe how to configure captive portal in the base operating system (without the PEFNG license) and with the license installed. Controller Server Certificate The Dell controller is designed to provide secure services through the use of digital certificates.
The WLAN Wizard within the ArubaOS WebUI allows for basic captive portal configuration for WLANs associated with the “default” ap-group: Configuration > Wizards > WLAN Wizard. Follow the steps in the workflow pane within the wizard and refer to the help tab for assistance. What follows are the tasks for configuring captive portal in the base ArubaOS. The example server group and profile names appear inside quotation marks. Create the Server Group name. In this example, the server group name is “cp-srv”.
c. For Initial Role, select the captive portal authentication profile (for example, c-portal) you created previously. The Initial Role must be exactly the same as the name of the captive portal authentication profile you created. d. Click Apply. 4. Navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name. 5. Under Profiles, select Wireless LAN, then select Virtual AP. 6.
The captive portal authentication profile specifies the captive portal login page and other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance. MAC-based authentication, if enabled on the controller, takes precedence over captive portal authentication. The following are the basic tasks for configuring captive portal using role-based access provided by the Policy Enforcement Firewall software module.
a. In the Captive Portal Authentication Profile Instance list, enter the name of the profile (for example, c-portal), then click Add. b. Select the captive portal authentication profile you just created. c. Select the default role (for example, employee) for captive portal users. d. Enable guest login and/or user login, as well as other parameters (refer to Table 52). e. Click Apply. 3.
Configuring Captive Portal in the CLI To configure captive portal with the PEFNG license via the command-line interface, access the CLI in config mode and issue the following commands: (host)(config) #aaa authentication captive-portal c-portal default-role employee server-group cp-srv (host)(config) #user-role logon captive-portal c-portal (host)(config) #aaa profile aaa_c-portal initial-role logon (host)(config) #wlan ssid-profile ssid_c-portal essid c-portal-ap vlan 20 (host)(config) #wlan virtual-ap vp_
The guest-logon user role configuration needs to include the name of the captive portal authentication profile instance. You can modify the user role configuration after you create the captive portal authentication profile instance. Creating an Auth-guest User Role The auth-guest user role consists of the following ordered policies: cplogout is a predefined policy that allows captive portal logout.
5. Under Rules, select Add to add rules for the policy.
   a. Under Source, select user.
   b. Under Destination, select any.
   c. Under Service, select udp. Enter 68.
   d. Under Action, select drop.
   e. Click Add.
6. Under Rules, click Add.
   a. Under Source, select any.
   b. Under Destination, select any.
   c. Under Service, select service. Select svc-dhcp.
   d. Under Action, select permit.
   e. Under Time Range, select working-hours.
   f. Click Add.

Creating Aliases

The following step defines an alias representing the public DNS server addresses.

7. Under Rules, click Add.
   a. Under Source, select user.
   b.
   a. Under Source, select user.
   b. Under Destination, select alias.

The following step defines an alias representing all internal network addresses. Once defined, you can use the alias for other rules and policies.

   c. Under the alias selection, click New. For Destination Name, enter “Internal Network”. Click Add to add a rule. For Rule Type, select network. For IP Address, enter 10.0.0.0. For Network Mask/Range, enter 255.0.0.0. Click Add to add the network range.
11. For Choose from Configured Policies, select block-internal-access from the drop-down menu.
12. Click Done.
13. Click Apply.

Creating an Auth-Guest Role

To create the guest-logon role via the WebUI:
1. Navigate to the Configuration > Security > Access Control > User Roles page.
2. Click Add.
3. For Role Name, enter auth-guest.
4. Under Firewall Policies, click Add.
5. For Choose from Configured Policies, select cplogout from the drop-down menu.
6. Click Done.
7. Under Firewall Policies, click Add.
8.
Creating a Guest-Logon-Access Policy

To create a guest-logon-access policy via the command-line interface, access the CLI in config mode and issue the following commands:

(host)(config) #ip access-list session guest-logon-access
  user any udp 68 deny
  any any svc-dhcp permit time-range working-hours
  user alias “Public DNS” svc-dns src-nat time-range working-hours

Creating an Auth-Guest-Access Policy

To create an auth-guest-access policy via the command-line interface, access the CLI in config mode and issue
In the WebUI

1. Navigate to the Configuration > Network > VLANs page.
   a. Select the VLAN ID tab.
   b. Click Add.
   c. For VLAN ID, enter 900.
   d. Click Apply.
2. Navigate to the Configuration > Network > IP > IP Interfaces page.
   a. Click the IP Interfaces tab.
   b. Click Edit for VLAN 900.
   c. For IP Address, enter 192.168.200.20.
   d. For Net Mask, enter 255.255.255.0.
   e. Click Apply.
3. Click the DHCP Server tab.
   a. Select Enable DHCP Server.
   b. Click Add under Pool Configuration.
   c.
   e. Deselect (uncheck) Guest Login.
   f. Click Apply.
2. Select Server Group under the guestnet captive portal authentication profile you just created.
   a. Select internal from the Server Group drop-down menu.
   b. Click Apply.
Configuring the WLAN

In this section, you create the guestnet virtual AP profile for the WLAN. The guestnet virtual AP profile contains the SSID profile guestnet (which configures opensystem for the SSID) and the AAA profile guestnet.

To configure the guest WLAN via the WebUI:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3.
Configuring Captive Portal Configuration Parameters

Table 52 describes configuration parameters on the WebUI Captive Portal Authentication profile page. In the CLI, you configure these options with the aaa authentication captive-portal commands.

Table 52: Captive Portal Authentication Profile Parameters

Parameter | Description
Default Role | Role assigned to the Captive Portal user upon login.
...
... | Default: Disabled
Authentication Protocol | Select the PAP, CHAP or MS-CHAPv2 authentication protocol.
Logon Page | URL of the page that appears before logon. This can be set to any URL. Default: /auth/index.html
Welcome Page | URL of the page that appears after logon and before redirection to the web URL. This can be set to any URL. Default: /auth/welcome.html
Show Welcome Page | Displays the configured welcome page before the user is redirected to their original URL.
...
User idle timeout | The user idle timeout value for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used.
Redirect URL | URL to which an authenticated user will be directed. This parameter must be an absolute URL that begins with either http:// or https://.
Table 53: Captive Portal Login Pages

Entity | Engineering | Business | Faculty
Captive portal login page | /auth/eng-login.html | /auth/bus-login.html | /auth/fac-login.html
Captive portal user role | eng-user | bus-user | fac-user
Captive portal authentication profile | eng-cp (Specify /auth/englogin.html and eng-user) | bus-cp (Specify /auth/buslogin.html and bus-user) | fac-cp (Specify /auth/buslogin.
(For captive portal with role-based access only)
(host)(config) #ip access-list session captiveportal
  no user alias mswitch svc-https dst-nat
  user alias mswitch svc-http dst-nat
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081

Configuring Redirection to a Proxy Server

You can configure captive portal to work with proxy Web servers. When proxy Web servers are used, browser proxy server settings for end users are configured for the proxy server’s IP address and TCP port.
For captive portal with role-based access:
(host)(config) #ip access-list session captiveportal
  user alias mswitch svc-https permit
  user any tcp port dst-nat 8088
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081

Redirecting Clients on Different VLANs

You can redirect wireless clients that are on different VLANs (from the controller’s IP address) to the captive portal on the controller. To do this:
1. Specify the redirect address for the captive portal.
2.
(host)(config) #ip access-list session captiveportal
  user alias mswitch svc-https permit
  user any tcp port dst-nat 8088
  user host ipaddr svc-https permit
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081

Personalizing the Captive Portal Page

The following can be personalized on the default captive portal page:
- Captive portal background
- Page text
- Acceptance Use Policy

The background image and text should be visible to users with a browser window on a 1024 by 768 pixel screen.
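The session ACLs in this guide (the guest-logon-access policy under Creating a Guest-Logon-Access Policy and the captiveportal policies in this section) are ordered rule lists evaluated top to bottom, so the effect of a policy depends on which rule a packet hits first. The following added example, written for this page and not taken from ArubaOS or the PEF module, parses those rule lines and evaluates constructed packets against them, which makes the effect of rule order, the user keyword and an inactive time range visible. The alias addresses for Public DNS and mswitch, the service port numbers, the client address 10.1.2.3 and the implicit deny at the end of the list are assumptions of the example; the proxy rule whose TCP port is only a placeholder on the page is left out.

```python
# Added example: a first-match evaluator for ArubaOS-style session ACL rules.
# Illustrative code written for this page; it is not ArubaOS or PEF code.
import shlex
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Service names used in the guide mapped to (protocol, destination port);
# the port numbers are the standard ones, which the guide does not list.
SERVICES = {"svc-dhcp": ("udp", 67), "svc-dns": ("udp", 53),
            "svc-http": ("tcp", 80), "svc-https": ("tcp", 443)}

# Constructed alias table: "Internal Network" is the 10.0.0.0/8 range the guide
# defines; the "Public DNS" and "mswitch" (controller) addresses are placeholders.
ALIASES = {"Internal Network": [ip_network("10.0.0.0/8")],
           "Public DNS": [ip_network("192.0.2.53/32")],
           "mswitch": [ip_network("192.168.200.20/32")]}


@dataclass
class Rule:
    src: str                    # "user", "any", "alias:<name>" or "host:<ip>"
    dst: str
    proto: Optional[str]        # None matches any protocol and port
    dport: Optional[int]
    action: str                 # "permit", "deny", "src-nat" or "dst-nat"
    nat_port: Optional[int] = None
    time_range: Optional[str] = None


def _endpoint(tok, i):
    """Parse a source or destination specifier starting at tok[i]."""
    if tok[i] in ("user", "any"):
        return tok[i], i + 1
    if tok[i] in ("alias", "host"):
        return f"{tok[i]}:{tok[i + 1]}", i + 2
    raise ValueError(f"unknown endpoint {tok[i]!r}")


def _service(tok, i):
    """Parse a service: a svc-* name or 'tcp <port>' / 'udp <port>'."""
    if tok[i] in SERVICES:
        return SERVICES[tok[i]], i + 1
    if tok[i] in ("tcp", "udp"):
        return (tok[i], int(tok[i + 1])), i + 2
    raise ValueError(f"unknown service {tok[i]!r}")


def parse_rule(line: str) -> Rule:
    """Parse one rule line as typed under 'ip access-list session <name>'."""
    tok = shlex.split(line)               # keeps quoted names like "Public DNS" whole
    src, i = _endpoint(tok, 0)
    dst, i = _endpoint(tok, i)
    (proto, dport), i = _service(tok, i)
    action, i = tok[i], i + 1
    action = "deny" if action == "drop" else action   # WebUI says drop, CLI says deny
    nat_port = None
    if action == "dst-nat" and i < len(tok) and tok[i].isdigit():
        nat_port, i = int(tok[i]), i + 1
    time_range = None
    if i < len(tok) and tok[i] == "time-range":
        time_range, i = tok[i + 1], i + 2
    return Rule(src, dst, proto, dport, action, nat_port, time_range)


def _match_endpoint(spec: str, addr: str, user_ip: str) -> bool:
    if spec == "any":
        return True
    ip = ip_address(addr)
    if spec == "user":                    # "user" is the client's own address
        return ip == ip_address(user_ip)
    kind, _, value = spec.partition(":")
    if kind == "host":
        return ip == ip_address(value)
    return any(ip in net for net in ALIASES[value])


def evaluate(rules, pkt, user_ip: str, active_ranges=frozenset()) -> str:
    """Action of the first rule matching pkt = (src, dst, proto, dport). Rules whose
    time range is not active are skipped; no match falls to the implicit deny."""
    src, dst, proto, dport = pkt
    for r in rules:
        if r.time_range and r.time_range not in active_ranges:
            continue
        if not (_match_endpoint(r.src, src, user_ip)
                and _match_endpoint(r.dst, dst, user_ip)):
            continue
        if r.proto and (r.proto, r.dport) != (proto, dport):
            continue
        return r.action if r.nat_port is None else f"{r.action} {r.nat_port}"
    return "deny"


# The guest-logon-access policy from the guide, and the role-based captiveportal
# policy (the proxy rule whose port is only a placeholder on the page is left out).
GUEST_LOGON_ACCESS = [parse_rule(r) for r in (
    "user any udp 68 deny",
    "any any svc-dhcp permit time-range working-hours",
    'user alias "Public DNS" svc-dns src-nat time-range working-hours')]
CAPTIVEPORTAL = [parse_rule(r) for r in (
    "user alias mswitch svc-https permit",
    "user any svc-http dst-nat 8080",
    "user any svc-https dst-nat 8081")]
```

Running the guest-logon-access list shows why its order matters: a packet from the client to UDP port 68 hits the deny before the svc-dhcp permit, so a client that tries to hand out leases itself is stopped, while the client's own DHCP requests still pass during working-hours and fall to the implicit deny outside it. In the captiveportal list the permit for mswitch sits above the dst-nat 8081 rule, so HTTPS to the controller reaches the portal untouched while every other HTTPS flow is redirected.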
   c. Set the background color in the Custom page background color field. The color code must be a hexadecimal value in the format #hhhhhh.
   d. To view the page background changes, click Submit at the bottom of the page and then click the View CaptivePortal link. The User Agreement Policy page appears and displays the Captive Portal page as it will be seen by users.
3. To customize the captive portal background text:
   a. Enter the text that needs to be displayed in the Page Text (in HTML format) message box.
   b.
Creating and Installing an Internal Captive Portal If you do not wish to customize the default captive portal page, you can use the following procedures to create and install a new internal captive portal page.
The form can use either the "get" or the "post" methods, but the "post" method is recommended. The form's action must absolutely or relatively reference https:///auth/index.html/u. You can construct an authentication form using the following HTML: A recommended option for the