User Guide Dell Networking W-Series ArubaOS 6.4.

Copyright Information
© 2015 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Contents

About this Guide
What's New In ArubaOS 6.4.x
Features Introduced in ArubaOS 6.4.3.0
Features Introduced in ArubaOS 6.4.2.5
Features Introduced in ArubaOS 6.4.2.4
Features Introduced in ArubaOS 6.4.2.3
Features Introduced in ArubaOS 6.4.2.0
Features Introduced in ArubaOS 6.4.1.0
Features Introduced in ArubaOS 6.4.0.
New Port Numbering Scheme
W-7200 Series Controllers Individual Port Behavior
Using the LCD Screen
Using the LCD and USB Drive
Upgrading an Image
Uploading a Pre-saved Configuration
Disabling LCD Menu Functions
Configuring a VLAN to Connect to the Network
Creating, Updating, and Viewing VLANs and Associated IDs
Creating, Updating, and Deleting VLAN Pools
Assigning and Configuring the Trunk Port
  In the WebUI
  In the CLI
Configuring the Def
Back Up the Flash File System
  In the WebUI
  In the CLI
Stage the New Controller
Add Licenses to the New Controller
Backup Newly Installed Licenses
Import and Restore Flash Backup
  In the WebUI
  In the CLI
Restore Licenses
Reboot the Controller
Modify the Host Name
Modify Topology Settings
Save your Configuration
Remove the Existing Controller
Control Plane Security
Control Plane Security Overview
Configuring C
Revoking an AP from the Campus AP Whitelist
  In the WebUI
  In the CLI
Deleting an AP from the Campus AP Whitelist
  In the WebUI
  In the CLI
Purging a Campus AP Whitelist
  In the WebUI
  In the CLI
Offloading a Controller Whitelist to ClearPass Policy Manager
  In the WebUI
  In the CLI
Managing Whitelists on Master and Local Controllers
Campus AP Whitelist Synchronization
Viewing the Master or Local Controller Whitelists
  In the WebUI
Replacing a Controller on a Multi-Controller Network
Replacing Controllers in a Single Master Network
Replacing a Local Controller
Replacing a Master Controller with No Backup
Replacing a Redundant Master Controller
Replacing Controllers in a Multi-Master Network
Replacing a Local Controller in a Multi-Master Network
Replacing a Cluster Member Controller with no Backup
Replacing a Redundant Cluster Member Controller
Replacing a Cluster Root Controller wi
Failover Behaviors
Client is Unreachable
Server is Unreachable
Configuring Centralized Licensing
Pre-configuration Setup in an All-Master Deployment
Preconfiguration Setup in a Master/Local Topology
Enabling Centralized Licensing
Monitoring and Managing Centralized Licenses
8 | Contents
License Server Table
License Client Table
License Client(s) Usage Table
Aggregate License Table
License Heartbeat Table
Using Licenses
Under
Network Configuration Parameters
Configuring VLANs
Creating and Updating VLANs
  In the WebUI
  In the CLI
Creating Bulk VLANs
  In the WebUI
  In the CLI
Creating a Named VLAN
  In the WebUI
Distinguishing Between Even and Hash Assignment Types
Updating a Named VLAN
Deleting a Named VLAN
Creating a Named VLAN Using the CLI
Viewing and Adding VLAN IDs Using the CLI
Role Derivation for Named VLAN Pools
  In the CLI
  In the WebUI
Configuring Trusted and Untrusted Ports and VLANs in Trunk Mode
  In the WebUI
  In the CLI
Understanding VLAN Assignments
VLAN Derivation Priorities for VLAN Types
How a VLAN Obtains an IP Address
Assigning a Static Address to a VLAN
  In the WebUI
  In the CLI
Configuring a VLAN to Receive a Dynamic Address
Configuring Multiple Wired Uplink Interfaces (Active-Standby)
Enabling the DHCP Client
  In the WebUI
  In the CLI
Enabling the PPPoE C
  In the CLI
Inter-VLAN Routing
  In the WebUI
  In the CLI
Configuring Static Routes
  In the WebUI
  In the CLI
Configuring the Loopback IP Address
  In the WebUI
  In the CLI
Configuring the Controller IP Address
  In the WebUI
  In the CLI
Configuring GRE Tunnels
About Layer-2 GRE Tunnels
Layer-2 GRE Tunnel Network Diagram
Layer-2 Traffic Flow
About Layer-3 GRE Tunnels
IPv4 Layer-3 GRE Tunnel Network Diagram
IPv6
  In the CLI
Limitations for Static IPv6 Layer-3 Tunnels
Directing Traffic into the Tunnel
About Configuring Static Routes
Configuring a Firewall Policy Rule
Configuring Tunnel Keepalives
Configuring GRE Tunnel Groups
About GRE Tunnel Groups
Tunnel Group Order
Tunnel Failover
Preemption
Enabling a Tunnel Group
Points to Remember
Regarding Layer-2 Tunnel Groups
Configuring a Layer-2 or Layer-3 Tunnel Group Using the CLI
Example
IPv6 Support
Understanding IPv6 Notation
Understanding IPv6 Topology
Enabling IPv6
Enabling IPv6 Support for Controller and APs
Configuring IPv6 Addresses
  In the WebUI
  In the CLI
Configuring IPv6 Static Neighbors
  In the WebUI
  In the CLI
Configuring IPv6 Default Gateway and Static IPv6 Routes
  In the WebUI
  In the CLI
Managing Controller IP Addresses
  In the WebUI
  In the CLI
Configuring Multicast Listener Disco
  In the WebUI
  In the CLI
Enhancements to IPv6 Support on AP
Filtering an IPv6 Extension Header (EH)
Configuring a Captive Portal over IPv6
Working with IPv6 Router Advertisements (RAs)
Configuring an IPv6 RA on a VLAN
  Using WebUI
  Using CLI
Configuring Optional Parameters for RAs
  In the WebUI
  In the CLI
RADIUS Over IPv6
  In the CLI
  In the WebUI
TACACS Over IPv6
  In the CLI
  In the WebUI
DHCPv6 Server
Working with Firewall Features
Understanding Firewall Policies
Creating an IPv6 Firewall Policy
Assigning an IPv6 Policy to a User Role
Understanding DHCPv6 Passthrough/Relay
Managing IPv6 User Addresses
Viewing or Deleting User Entries
Understanding User Roles
Viewing Datapath Statistics for IPv6 Sessions
Understanding IPv6 Exceptions and Best Practices
Link Aggregation Control Protocol
Understanding LACP Best Practices and Exceptions
Sample Topology and Configuration
Remote Branch 1
Remote Branch 2
W-3200 Central Office Controller—Active
W-3200 Central Office Controller—Backup
Topology
Observation
Configuring W-3600-UP Controller
Configuring W-3600-DOWN Controller
Viewing the Status of Instant AP VPN
RAPNG AP-1
RAPNG AP-3
Tunneled Nodes
Understanding Tunneled Node Configuration
Configuring a Wired Tunneled Node Client
Configuring an Access Port as
RADIUS Server VSAs
RADIUS Server Authentication Codes
RADIUS Server Fully Qualified Domain Names
DNS Query Intervals
Configuring Username and Password for CPPM Authentication
  In the WebUI
  In the CLI
Configuring an RFC-3576 RADIUS Server
  Using the WebUI
  Using the CLI
Configuring an RFC-3576 RADIUS Server with Radsec
  Using the WebUI
  Using the CLI
Configuring an LDAP Server
  Using the WebUI
  Using the CLI
Configurin
Exporting and Importing Files in the CLI
Working with Internal Database Utilities
Deleting All Users
Repairing the Internal Database
Configuring Server Groups
Configuring Server Groups
  Using the WebUI
  Using the CLI
Configuring Server List Order and Fail-Through
  Using the WebUI
  Using the CLI
Configuring Dynamic Server Selection
  Using the WebUI
  Using the CLI
Configuring Match FQDN Option
  Using the WebUI
  Using the C
  Using the WebUI
  Using the CLI
Accounting
RADIUS Accounting
RADIUS Accounting on Multiple Servers
TACACS+ Accounting
Configuring Authentication Timers
Setting an Authentication Timer
  Using the WebUI
  Using the CLI
Authentication Server Load Balancing
Enabling Authentication Server Load Balancing Functionality
MAC-based Authentication
Configuring MAC-Based Authentication
Configuring the MAC Authentication Profile
  In the WebUI
Configuring the Survival Server Certificate
Configuring the Lifetime of the Authentication Survivability Cache
User Credential and Key Reply Attributes Are Saved Automatically
Expired User Credential and Key Reply Attributes Are Purged Automatically
About the Survival Server
Trigger Conditions for Critical Actions
Storing User Access Credential and Key Reply Attributes to Survival Cache
Picking Up the Survival Server for Authentication
Access Credential Data S
Zero-Touch Provisioning
Before you Begin
Provisioning Modes for Branch Deployments
Automatically Provisioning a Branch Controller
DHCP Options
DHCP Server Provisioning
Using Smart Config to Create a Branch Config Group
Config Group Management Settings
Address Pools
Static vs Dynamic IP Management
System Configuration
Networking Configuration
Routing Configuration
Configuring Routing for a Branch Config Group
VPN Configuration
802.1X Authentication
Understanding 802.1X Authentication
Supported EAP Types
Configuring Authentication with a RADIUS Server
Configuring Authentication Terminated on Controller
Configuring 802.1X Authentication
  In the WebUI
  In the CLI
Configuring and Using Certificates with AAA FastConnect
  In the WebUI
  In the CLI
Configuring User and Machine Authentication
Working with Role Assignment with Machine Authentication Enabled
Enabling 802.
  In the WebUI
  In the CLI
Configuring 802.
  In the CLI
Configuring the Non-Guest WLANs
  In the WebUI
  In the CLI
Configuring Mixed Authentication Modes
  In the CLI
Performing Advanced Configuration Options for 802.
  In the CLI
Configuring Stateful NTLM Authentication
  In the WebUI
  In the CLI
Configuring Stateful Kerberos Authentication
  In the WebUI
  In the CLI
Configuring WISPr Authentication
  In the WebUI
  In the CLI
Certificate Revocation
Understanding OCSP and CRL
Configuring a Controller as OCSP and CRL Clients
Configuring an OCSP Controller as a Responder
Configuring the Controller as an OCSP Client
  In the WebUI
  In the CLI
Configuring the SSH Pubkey User with RCP
  In the WebUI
  In the CLI
Removing the SSH Pubkey User
  In the WebUI
  In the CLI
Captive Portal Authentication
Understanding Captive Portal
Policy Enforcement Firewall Next Generation (PEFNG) License
Controller Server Certificate
Configuring Captive Portal in the Base Operating System
  In the WebUI
  In the CLI
Using Captive Portal with a PEFNG License
Configuring Captive Portal in the WebUI
Defining a Time Range
Creating Aliases
Creating a Guest-Logon-Access Policy
Creating an Auth-Guest-Access Policy
Creating a Block-Internal-Access Policy
Creating a Drop-and-Log Policy
Creating a Guest-Logon Role
Creating an Auth-Guest Role
Configuring Guest VLANs
  In the WebUI
  In the CLI
Configuring Captive Portal Authentication Profiles
Modifying the Initial User Role
Configuring the AAA Profile
Configuring the WLAN
Ma
Basic HTML Example
Installing a New Captive Portal Page
Displaying Authentication Error Messages
Reverting to the Default Captive Portal
Configuring Localization
Customizing the Welcome Page
Customizing the Pop-Up Box
Customizing the Logged Out Box
Creating Walled Garden Access
  In the WebUI
  In the CLI
Enabling Captive Portal Enhancements
Configuring the Redirect-URL
Configuring the Login URL
Defining Netdestination Descripti
Working with IKEv2 Clients
Understanding Supported VPN AAA Deployments
Working with Certificate Groups
Working with VPN Authentication Profiles
Configuring a Basic VPN for L2TP/IPsec in the WebUI
Defining Authentication Method and Server Addresses
Defining Address Pools
Enabling Source NAT
Selecting Certificates
Defining IKEv1 Shared Keys
Configuring IKE Policies
Setting the IPsec Dynamic Map
Finalizing WebUI Changes
Configuring a
Configuring a VPN for XAuth Clients Using a Username and Password
Working with Remote Access VPNs for PPTP
  In the WebUI
  In the CLI
Working with Site-to-Site VPNs
Working with Third-Party Devices
Working with Site-to-Site VPNs with Dynamic IP Addresses
Understanding VPN Topologies
Configuring Site-to-Site VPNs
  In the WebUI
  In the CLI
Detecting Dead Peers
About Default IKE Policies
Working with VPN Dialer
Configuring VPN Dialer
  In the WebUI
  In the CLI
Creating an ACL White List
Creating a Bandwidth Contract in the WebUI
Configuring the ACL White List in the WebUI
Creating a Bandwidth Contract in the CLI
Configuring the ACL White List in the CLI
User Roles
  In the WebUI
  In the CLI
Assigning User Roles
Assigning User Roles in AAA Profiles
  In the WebUI
  In the CLI
Working with User-Derived VLANs
Understanding Device Identification
Configuring
  In the CLI
Configuring Policies for AppRF 2.0
How ACL Works with AppRF
Global Session ACL
Role Default Session ACL
Example
Configuring Bandwidth Contracts for AppRF 2.
Virtual APs
Virtual AP Configuration Workflow
  Using the WebUI
  Using the CLI
Virtual AP Profiles
Configuring the Virtual AP Profile
Creating and Configuring a Profile
Selective Multicast Stream
Associating Other Profiles to the Virtual AP
Configuring a Virtual AP in the CLI
Associating a Virtual AP Profile to an AP or AP Group
  In the WebUI
  In the CLI
Excluding a Virtual AP Profile
  In the WebUI
  In the CLI
Changing a
  In the WebUI
  In the CLI
BSS Transition Management (802.11v) Frame Types
802.11k and 802.11v Clients
Enabling 802.11v BSS Transition Management
Fast BSS Transition (802.
  In the CLI
Guest WLANs
Configuring a Guest VLAN
  In the WebUI
  In the CLI
Configuring a Guest Role
  In the WebUI
  In the CLI
Configuring a Guest Virtual AP
  In the WebUI
  In the CLI
Changing a Virtual AP Forwarding Mode
Adaptive Radio Management
ARM Feature Overviews
Configuring ARM Settings
ARM Troubleshooting
Understanding ARM
ARM Support for 802.
Configuring ARM Profiles
Creating and Configuring a New ARM Profile
  In the WebUI
  In the CLI
Modifying an Existing Profile
Copying an Existing Profile
Deleting a Profile
Assigning an ARM Profile to an AP Group
  In the WebUI
  In the CLI
Using Multi-Band ARM for 802.11a/802.
Transmission Power Levels Change Too Often
APs Detect Errors but Do Not Change Channels
APs Don't Change Channels Due to Channel Noise
Wireless Intrusion Prevention
Working with the Reusable Wizard
Understanding Wizard Intrusion Detection
Understanding Wizard Intrusion Protection
Protecting Your Infrastructure
Protecting Your Clients
Monitoring the Dashboard
Detecting Rogue APs
Understanding Classification Terminology
Understanding Classi
Detecting an AP Flood Attack
Detecting AP Impersonation
Detecting AP Spoofing
Detecting Bad WEP Initialization
Detecting a Beacon Frame Spoofing Attack
Detecting a Client Flood Attack
Detecting a CTS Rate Anomaly
Detecting an RTS Rate Anomaly
Detecting Devices with an Invalid MAC OUI
Detecting an Invalid Address Combination
Detecting an Overflow EAPOL Key
Detecting Overflow IE Tags
Detecting a Malformed Frame-Assoc Request
Detecti
Detecting a FATA-Jack Attack Structure
Detecting a Hotspotter Attack
Detecting a Meiners Power Save DoS Attack
Detecting an Omerta Attack
Detecting Rate Anomalies
Detecting a TKIP Replay Attack
Detecting Unencrypted Valid Clients
Detecting a Valid Client Misassociation
Detecting an AirJack Attack
Detecting ASLEAP
Detecting a Null Probe Response
Configuring Intrusion Protection
Understanding Infrastructure Intrusion Protection
Protec
  In the CLI
Configuring Local WMS Settings
Managing the WMS Database
Understanding Client Blacklisting
Methods of Blacklisting
Blacklisting Manually
Blacklisting by Authentication Failure
Enabling Attack Blacklisting
Setting Blacklist Duration
Removing a Client from Blacklisting
Working with WIP Advanced Features
Configuring TotalWatch
Understanding TotalWatch Channel Types and Qualifiers
Understanding TotalWatch Monitoring Feature
Naming and Grouping APs
Creating an AP Group
  In the WebUI
  In the CLI
Assigning APs to an AP Group
  In the WebUI
  In the CLI
Understanding AP Configuration Profiles
AP Profiles
RF Management Profiles
Wireless LAN Profiles
Mesh Profiles
QoS Profiles
IDS Profiles
HA Group Profiles
Other Profiles
Profile Hierarchy
Viewing Profile Errors
Before you Deploy an AP
Mesh AP Preconfiguration
Remote AP
Defining an AP Provisioning Profile
Assigning Provisioning Profiles
Configuring Installed APs
Configuring an AP using the Provisioning Wizard
Configuring an AP using the WebUI
Configuring a Remote AP
Remote Authentication
RAP Configuration
Configuring a Mesh AP
Verifying the Configuration
Optional AP Configuration Settings
Changing the AP Installation Mode
  In the WebUI
  In the CLI
Renaming an AP
  In the WebUI
  In the CLI
  In the CLI
AP Maintenance Mode
  In the WebUI
  In the CLI
Energy Efficient Ethernet
  In the WebUI
  In the CLI
AP LEDs
  In the WebUI
  In the CLI
Suppressing Client Probe Requests
  In the WebUI
  In the CLI
RF Management
802.11a and 802.11g RF Management Profiles
VHT Support on W-AP200 Series, W-AP210 Series, W-AP220 Series, and W-AP270 Series Access Points
Managing 802.11a/802.
  Using the WebUI
  Using the CLI
RF Event Configuration
  Using the WebUI
  Using the CLI
Optimizing APs Over Low-Speed Links
Configuring the Bootstrap Threshold
Prioritizing AP Heartbeats
AP Scanning Optimization
Channel Types and Priority
  In the CLI
Scanning Optimizations
Unconventional (direction) Scans
Modifications in Scan Frequency
Channel Group Scanning
Channel Group Scanning
Configuring AP Channel Assignments
Using the WebUI, in ArubaOS 6.4.2.x and later
Using the CLI, in ArubaOS 6.4.2.x and later
Using the WebUI in ArubaOS 6.3.1.x-6.4.1.x
Using the CLI in ArubaOS 6.3.1.x-6.4.1.
Understanding Remote Mesh Portals (RMPs)
Understanding the AP Boot Sequence
Booting the Mesh Portal
Booting the Mesh Point
Air Monitoring and Mesh
Mesh Deployment Solutions
Thin AP Services with Wireless Backhaul Deployment
Point-to-Point Deployment
Point-to-Multipoint Deployment
High-Availability Deployment
Mesh Deployment Planning
Pre-Deployment Considerations
Outdoor-Specific Deployment Considerations
Configuration Considerations
Creating or Editing a Mesh Radio Profile
Assigning a Mesh Radio Profile to a Mesh AP or AP Group
Managing Mesh Radio Profiles in the CLI
Creating or Modifying a Mesh Radio Profile
Assigning a Mesh Radio Profile to a Mesh AP or AP Group
Deleting Mesh Radio Profiles
Creating and Editing Mesh High-Throughput SSID Profiles
Managing Mesh High-Throughput SSID Profiles in the WebUI
Creating a Profile
Assigning a Profile to an AP Group
Editing a Profile
  In the CLI
Verifying Your Mesh Network
Verification Checklist
CLI Examples
Configuring Remote Mesh Portals (RMPs)
Creating a Remote Mesh Portal in the WebUI
Step 1: Provision the AP
Step 2: Define the Mesh Private VLAN in the Mesh Radio Profile
Step 3: Assign the Mesh Radio Profile to a Remote Mesh AP
Step 4: Assign an RF Management Profile to a Remote Mesh AP
Step 5: Assign a Mesh Cluster Profile
Step 6: Configure a DHCP Pool
Step 7:
High Availability
Extended Controller Capacity
Feature Requirements
Standby Controller Capacity
AP Failover
Configuring High Availability
Pre-Deployment Information
Configuring High Availability
  In the WebUI
  In the CLI
Migrating from VRRP or Backup-LMS Redundancy
Configuring a Master Controller for Redundancy and High Availability
Migrating from VRRP Redundancy
Migrating from Backup-LMS Redundancy
Configuring VRRP Redundancy
B
RSTP
Understanding RSTP Migration and Interoperability
Working with Rapid Convergence
Edge Port and Point-to-Point
Configuring RSTP
  In the WebUI
  In the CLI
Monitoring RSTP
Troubleshooting RSTP
PVST+
Understanding PVST+ Interoperability and Best Practices
Enabling PVST+ in the CLI
Enabling PVST+ in the WebUI
Link Layer Discovery Protocol
Important Points to Remember
LLDP Overview
Default LLDP Configuration
Configu
Configuring a Mobility Domain
  In the WebUI
  In the CLI
Joining a Mobility Domain
  In the WebUI
  In the CLI
  In the WebUI
  In the CLI
Tracking Mobile Users
Mobile Client Roaming Status
  In the WebUI
  In the CLI
Viewing User Roaming Status using the CLI
  In the CLI
Mobile Client Roaming Locations
  In the WebUI
  In the CLI
HA Discovery on Association
  In the CLI
Configuring Advanced Mobility Functions
  In the We
Enabling Mobility Multicast
Working with Proxy IGMP and Proxy Remote Subscription
IGMPv3 Support
Configuring SSM Range
Working with Inter Controller Mobility
Configuring Mobility Multicast
  In the WebUI
  In the CLI
External Firewall Configuration
Understanding Firewall Port Configuration Among Dell Devices
Communication Between Controllers
Communication Between APs and the Controller
Communication Between Remote APs and the Controller
Enab
Enabling PAN Firewall Integration
  Using the WebUI
  Using the CLI
Enabling PAN Firewall Integration for VIA Clients
  Using the WebUI
  Using the CLI
Enabling PAN Firewall Integration for VPN Clients
  Using the WebUI
  Using the CLI
Remote Access Points
About Remote Access Points
Configuring the Secure Remote Access Point Service
Configure a Public IP Address for the Controller
  In the WebUI
  In the CLI
Configure the NAT Device
Add the User to the Internal Database
RAP Static Inner IP Address
  In the WebUI
  In the CLI
Provision the AP
Deploying a Branch/Home Office Solution
Provisioning the Branch AP
Configuring the Branch AP
Troubleshooting Remote AP
Local Debugging
Remote AP Summary
Multihoming on Remote AP (RAP)
Seamless Failover from Backup Link to Primary Link on RAP
Remote AP Connectivity
Remote AP Diagnostics
Enabling Remote AP Advanced Config
Backup Controller List
Configuring the LMS and Backup LMS IP Addresses
Configuring Remote AP Failback
  In the WebUI
  In the CLI
Enabling RAP Local Network Access
  In the WebUI
  In the CLI
Configuring Remote AP Authorization Profiles
  In the WebUI
  In the CLI
Working with Access Control Lists and Firewall Policies
Understanding Split Tunneling
Configuring Split Tunneling
Configuring the Session ACL Allowing Tunneling
  In the WebUI
Understanding Bridge
Configuring Bridge
Configuring the Session ACL
  In the WebUI
  In the CLI
Configuring the AAA Profile for Bridge
  In the WebUI
  In the CLI
Configuring Virtual AP Profile
  In the WebUI
  In the CLI
Provisioning Wi-Fi Multimedia
Reserving Uplink Bandwidth
Understanding Bandwidth Reservation for Uplink Voice Traffic
Configuring Bandwidth Reservation
  In the WebUI
  In the CLI
Provisioning 4G USB Mode
Configuring W-IAP3WN and W-IAP3WNP Access Points
  In the WebUI
  In the CLI
Converting an IAP to RAP or CAP
Converting IAP to RAP
Converting an IAP to CAP
Enabling Bandwidth Contract Support for RAPs
Configuring Bandwidth Contracts for RAP
Defining Bandwidth Contracts
Applying Contracts
Verifying Contracts on AP
Verifying Contracts Applied to Users
Verifying Bandwidth Contracts During Data Transfer
Virtual Intranet Access
Spect
  In the CLI
Connecting Spectrum Devices to the Spectrum Analysis Client
View Connected Spectrum Analysis Devices
Disconnecting a Spectrum Device
Configuring the Spectrum Analysis Dashboards
Selecting a Spectrum Monitor
Changing Graphs within a Spectrum View
Renaming a Spectrum Analysis Dashboard View
Saving a Dashboard View
Resizing an Individual Graph
Customizing Spectrum Analysis Graphs
Spectrum Analysis Graph Configuration Options
Recording Spectrum Analysis Data
Creating a Spectrum Analysis Record
Saving the Recording
Playing a Spectrum Analysis Recording
Playing a Recording in the Spectrum Dashboard
Playing a Recording Using the RFPlayback Tool
Troubleshooting Spectrum Analysis
Verifying Spectrum Monitors Support for One Client per Radio
Converting a Spectrum Monitor Back to an AP or Air Monitor
Troubleshooting Browser Issues
Loading a Spectrum View
Troubleshooting I
Web Content Classification
Web Content Filters
WebCC Configuration in the WebUI
WebCC Configuration in the CLI
AirGroup
Security
UCC
Chart View
Details View
Controller
Details View
Info Panel
Gauges Panel
Ports Panel
Controller Events
WLANs
Access Points
Clients
Firewall
  In the WebUI
  In the CLI
Element View
Details View
Element Tab
Element Summary View
Management Access
Configuring Certificate Authentication for WebUI Access
  In the WebUI
  In the CLI
Secure Shell (SSH)
Enabling Public Key Authentication
  In the WebUI
  In the CLI
Enabling RADIUS Server Authentication
Configuring RADIUS Server Username and Password Authentication
  In the WebUI
  In the CLI
Configuring RADIUS Server Authentication with VSA
Configuring RADIUS Server Authentication with Server Derivation Rule
  In the WebUI
Connecting to a W-AirWave Server
AMON Message Size Changes on the Controller
Custom Certificate Support for RAP
Suite-B Support for ECDSA Certificate
Setting the Default Server Certificate
Generating a CSR
Uploading the Certificate
Storing CSR and Private Key Files in a USB
AP Boot Prompt
  In the WebUI
  In the CLI
RAP Console
Implementing a Specific Management Password Policy
Defining a Management Password Policy
  In the WebUI
  In th
Obtaining a Server Certificate
  In the WebUI
  In the CLI
Obtaining a Client Certificate
Importing Certificates
  In the WebUI
  In the CLI
Viewing Certificate Information
Imported Certificate Locations
Checking CRLs
Certificate Expiration Alert
Chained Certificates on the RAP
Support for Certificates on USB Flash Drives
Marking the USB Device Connected as a Storage Device
RAP Configuration Requirements
Configuring SNMP
SNMP Pa
Configuring an SMTP Server and Port in the CLI
Creating Email Messages in the WebUI
Configuring a Guest Provisioning User
  In the WebUI
  In the CLI
Customizing the Guest Access Pass
Creating Guest Accounts
Guest Provisioning User Tasks
Importing Multiple Guest Entries
Optional Configurations
Restricting One Captive Portal Session for Each Guest
Setting the Maximum Time for Guest Accounts
Managing Files on the Controller
Transferring ArubaOS Ima
  In the WebUI
  In the CLI
Clock Synchronization
  In the WebUI
  In the CLI
Configuring NTP Authentication
  In the WebUI
  In the CLI
Timestamps in CLI Output
ClearPass Profiling with IF-MAP
  In the WebUI
  In the CLI
Whitelist Synchronization
  In the WebUI
  In the CLI
Downloadable Regulatory Table
Important Points to Remember
Copying the Regulatory-Cert
  In the WebUI
  In the CLI
Activating the Regulatory
Generic Advertisement Service (GAS) Queries
ANQP Information Elements
Hotspot Profile Types
Configuring Hotspot 2.0 Profiles
  In the WebUI
  In the CLI
Configuring Hotspot Advertisement Profiles
Configuring an Advertisement Profile
  In the WebUI
  In the CLI
Associating the Advertisement Profile to a Hotspot 2.
Configuring ANQP Roaming Consortium Profiles
  In the WebUI
  In the CLI
Configuring ANQP 3GPP Cellular Network Profiles
  In the WebUI
  In the CLI
Configuring H2QP Connection Capability Profiles
  In the WebUI
  In the CLI
Configuring H2QP Operator Friendly Name Profiles
  In the WebUI
  In the CLI
Configuring H2QP Operating Class Indication Profiles
  In the WebUI
  In the CLI
Configuring H2QP WAN Metrics Profiles
  In the WebUI
  In the WebUI
  In the CLI
Configuring Layer-2/Layer-3 Settings
Configuring Trusted Ports
Configuring Local Controller Settings
Configuring APs
  In the WebUI
  In the CLI
Advanced Security
Securing Client Traffic
Securing Wireless Clients
  In the WebUI
  In the CLI
Securing Wired Clients
  In the WebUI
  In the CLI
Securing Wireless Clients Through Non-Dell APs
  In the WebUI
  In the CLI
Securing Clients on an
  In the CLI
Configuring the Odyssey Client on Client Machines
Installing the Odyssey Client
Voice and Video
Voice and Video License Requirements
Configuring Voice and Video
Voice ALG and Network Address Translation
Setting up Net Services
Using Default Net Services
Creating Custom Net Services
Configuring User Roles
Using the Default User Role
Creating or Modifying Voice User Roles
Using the User-Derivation Rules
Configuring Fire
Configuring WMM AC Mapping
Configuring DSCP Priorities
Configuring Dynamic WMM Queue Management
Enabling WMM Queue Content Enforcement
  In the WebUI
  In the CLI
Unified Communication and Collaboration
Microsoft® Lync Visibility and Granular QoS Prioritization
Lync ALG Compatibility Matrix
Configuration Prerequisites
Lync SDN API 2.
UCC Limitations
Understanding Extended Voice and Video Features
Understanding QoS for Microsoft Lync and Apple Facetime
Microsoft Lync
Microsoft Lync Support for Mobile Devices
Apple Facetime
  In the WebUI
Enabling WPA Fast Handover
  In the WebUI
  In the CLI
Enabling Mobile IP Home Agent Assignment
Scanning for VoIP-Aware ARM
  In the WebUI
  In the CLI
Disabling Voice-Aware 802.
  In the CLI
Working with Dial Plan for SIP Calls
Understanding Dial Plan Format
Configuring Dial Plans
Enabling Enhanced 911 Support
Working with Voice over Remote Access Point
Understanding Battery Boost
  In the WebUI
  In the CLI
Enabling LLDP
  In the WebUI
  In the CLI
Advanced Voice Troubleshooting
Viewing Troubleshooting Details on Voice Client Status
  In the WebUI
  In the CLI
Viewing Troubleshooting Details o
-
AirGroup 1029 Zero Configuration Networking 1029 AirGroup Solution 1029 AirGroup Services 1030 AirGroup Solution Components 1031 AirGroup and ClearPass Policy Manager 1031 AirGroup Deployment Models 1033 Integrated Deployment Model 1033 AirGroup with ClearPass Policy Manager 1034 Features Supported in AirGroup 1034 Multi-Controller AirGroup Cluster 1034 Multi-Controller AirGroup Cluster—Terminologies 1034 Sample AirGroup Cluster Topology 1035 Master-Local Controller Synchronization
-
Configuring Shared Location 1040 Configuring Service Level-based Auto-association 1041 Best Practices and Limitations Apple iTunes Wi-Fi Synchronization and File Sharing 1041 Firewall Configuration 1041 Disable Inter-User Firewall Settings 1041 ValidUser ACL Configuration 1041 Allow GRE and UDP 5353 1041 Recommended Ports 1042 Ports for AirPlay Service 1042 Ports for AirPrint Service 1042 AirGroup Services for Large Deployments 1043 AirGroup Scalability Limits 1043 Memory Utilization
-
Viewing an AirGroup Domain 1053 Configuring an AirGroup active-domain 1053 Viewing an AirGroup active-domains 1053 Viewing AirGroup VLAN Table 1053 Viewing AirGroup Multi-Controller Table 1054 Controller Dashboard Monitoring 1054 Configuring the AirGroup-CPPM Interface 1057 Configuring the CPPM Query Interval 1057 Viewing the CPPM Query Interval 1057 Defining a CPPM and RFC3576 Server 1058 Configuring a CPPM Server 1059 Configuring the CPPM Server Group 1060 Configuring an RFC 3576 S
-
Individual Static mDNS Records 1066 mDNS AP VLAN Aggregation 1066 Configuring mDNS AP VLAN Aggregation 1067 In the WebUI 1067 In the CLI 1067 In the WebUI 1068 In the CLI 1068 Disable AirGroup using WebUI 1068 Disable mDNS AP VLAN aggregation using WebUI 1068 Disable AirGroup using CLI 1068 Disable mDNS AP VLAN Aggregation using CLI 1068 mDNS Multicast Response Propagation 1069 Maximum Number of iChat Users 1069 Configuring mDNS Multicast Response Propagation 1070 In t
-
AirGroup Global Tokens 1072 Instant AP VPN Support 1074 Overview 1074 Improved DHCP Pool Management 1074 Termination of Instant AP VPN Tunnels 1074 Termination of IAP GRE Tunnels 1074 L2/L3 Network Mode Support 1074 Instant AP VPN Scalability Limits 1075 Instant AP VPN OSPF Scaling 1075 Branch-ID Allocation 1077 Centralized BID Allocation 1077 VPN Configuration 1078 Whitelist DB Configuration 1078 Controller Whitelist DB 1078 External Whitelist DB 1078 VPN Local Pool Configuratio
-
Configuring a New USB Modem Configuring the Profile and Modem Driver 1083 Configuring the TTY Port 1084 Testing the TTY Port 1084 Selecting the Dialer Profile 1084 Linux Support 1085 External Services Interface 1086 Sample ESI Topology 1086 Understanding the ESI Syslog Parser 1088 ESI Parser Domains 1088 Peer Controllers 1089 Syslog Parser Rules 1090 Condition Pattern Matching 1090 User Pattern Matching 1090 Configuring ESI Configuring Health-Check Method, Groups, and Servers 1091
-
In the WebUI 1094 In the CLI 1094 Managing Syslog Parser Rules 1095 In the WebUI 1095 In the CLI 1097 Monitoring Syslog Parser Statistics 1097 In the WebUI 1097 In the CLI 1097 Sample Route-Mode ESI Topology 1098 ESI server configuration on controller 1098 IP routing configuration on Fortinet gateway 1098 Configuring the Example Routed ESI Topology 1098 Health-Check Method, Groups, and Servers 1099 Defining the Ping Health-Check Method 1099 In the WebUI 1099 In the CLI 1099 D
-
ESI server configuration on the controller Configuring the Example NAT-mode ESI Topology 1104 Configuring the NAT-mode ESI Example in the WebUI 1104 In the WebUI 1104 In the CLI 1106 Understanding Basic Regular Expression (BRE) Syntax 1107 Character-Matching Operators 1107 Regular Expression Repetition Operators 1108 Regular Expression Anchors 1108 References 1109 External User Management 1110 Overview 1110 Before you Begin 1110 Working with the ArubaOS XML API Works 1110 Creating an X
-
Associating the Captive Portal Profile to an Initial Role 1117 Creating an XML API Request 1117 Monitoring External Captive Portal Usage Statistics 1119 Sample Code 1119 Using XML API in C Language 1119 Understanding Request and Response 1123 Understanding XML API Request Parameters 1123 Understanding XML API Response 1124 Adding a Client 1124 Deleting a Client 1124 Authenticating a Client 1125 Querying for Client Details 1126 Blacklisting a Client 1127 Behavior and Defaults 1129 U
-
Enabling DHCP Relay Agent Information Option (Option 82) Configuring Option 82 1151 In the WebUI 1151 In the CLI 1151 Enabling Linux DHCP Servers 1152 802.
-
About this Guide
This User Guide describes the features supported in Dell Networking W-Series ArubaOS 6.4.x and provides instructions and examples to configure Dell controllers and access points (APs). This guide is intended for system administrators responsible for configuring and maintaining wireless networks and assumes administrator knowledge in Layer 2 and Layer 3 networking technologies. This chapter covers the following topics:
• What's New In ArubaOS 6.4.
-
Table 1: New Features/Enhancements in ArubaOS 6.4.3.0

Feature: Branch Controllers
Description: W-7000 Series controllers support distributed enterprises through the following features designed specifically for branch and remote offices:
• Zero-touch provisioning
• Authentication survivability, which allows controllers to provide authentication and authorization survivability when remote authentication servers are not accessible.

Feature: AMON Messages Size Changes on the Controller
-
Feature: Dashboard Monitoring
Description: The following new pages are introduced as part of the Dashboard tab of the controller WebUI:
• WAN
• Controller

Feature: Interface Bandwidth Contracts
Description: Apply bandwidth contracts to limit traffic for individual applications (or categories of applications) or all traffic either sent from or received by a selected interface on a W-7000 Series or W-7200 Series controller.
-
Feature: Mesh Support for 802.11ac
Description: Mesh support has been added for all 802.11ac-capable access points. A number of new parameters have been added to the mesh high-throughput SSID profile to support this functionality.

Feature: Multi-Media Sync-Up
Description: The multi-media sync-up feature provides a tighter integration between Client Match and multiple media-aware ALGs to provide better call quality for programs like Lync and Facetime.
-
Feature: AP Console Access Using a Backup ESSID
Description: This failover system allows users to access an AP console after the AP has disconnected from the controller. By advertising a backup ESSID in either static or dynamic mode, the user can still access and debug the AP remotely through a virtual AP. Because the backup ESSID is an over-the-air path to the AP console, treat it like any other management interface: enable it only where it is needed and protect the console credentials.

Feature: WAN Health Check
Description: The WAN health check feature uses ping probes to measure WAN reachability and latency. Latency is calculated based on the round-trip time (RTT) of ping responses.
-
Table 2: New Hardware Platforms in ArubaOS 6.4.3.0
Check with your local Dell sales representative on new controllers and access points availability in your country.

Hardware: W-AP205H
Description: This device combines high-performance wireless mobility with Gigabit wired local access to deliver secure network access to dormitories, hotel rooms, classrooms, medical clinics, and multi-tenant environments. MIMO (Multiple-Input Multiple-Output) technology enables the W-AP205H to provide wireless 2.4 GHz 802.
-
Table 2: New Hardware Platforms in ArubaOS 6.4.3.0 (continued)

Hardware: W-AP277
Description: W-AP277 is an environmentally hardened, outdoor rated, dual-radio IEEE 802.11ac access point. This access point uses MIMO (Multiple-Input Multiple-Output) technology and other high-throughput mode techniques to deliver high-performance, 802.11ac 2.4 GHz and 5 GHz functionality while simultaneously supporting existing 802.
-
Table 4: New Features/Enhancements in ArubaOS 6.4.2.4

Feature: USB Storage for CSR and Key Files
Description: ArubaOS 6.4.2.4 introduces an enhancement to the custom certificate support for remote AP (RAP) feature by supporting storage of the Certificate Signing Request (CSR) and private key from the RAP on a USB device.

Table 5: Supported SFP/SFP+ Modules

Module: SFP-EX
Description: Aruba SFP, 1000BASE-EX, LC Connector; 1550 nm pluggable GbE optic; up to 40,000 meters over single-mode fiber.
-
Table 7: New Features/Enhancements in ArubaOS 6.4.2.0

Feature: Enhanced LACP support on W-AP220 Series and W-AP270 Series access points
Description: This enhanced LACP feature allows W-AP220 Series or W-AP270 Series access points to form a 802.11g radio tunnel to a backup controller in the event of a controller failover, even if the backup controller is in a different L3 network.
-
Table 8: New Hardware Platforms in ArubaOS 6.4.2.0
Check with your local Dell sales representative on new controllers and access points availability in your country.

Hardware: W-AP210 Series
Description: The Dell W-AP210 Series (W-AP214 and W-AP215) wireless access points support the IEEE 802.11ac standard for high-performance WLAN. These access points use MIMO (Multiple-Input, Multiple-Output) technology and other high-throughput mode techniques to deliver high-performance, 802.11ac 2.4 GHz and 802.
-
Table 9: New Features/Enhancements in ArubaOS 6.4.1.0

Feature: DHCP Lease Limit
Description: This section outlines the maximum number of DHCP leases supported for the new W-7000 Series controller platform.

Feature: Downloadable Regulatory Table
Description: The downloadable regulatory table feature allows new regulatory approvals to be distributed without waiting for a new software patch and upgrade.
-
Table 10: New Hardware Platforms in ArubaOS 6.4.1.0
Check with your local Dell sales representative on new controllers and access points availability in your country.

Hardware: W-7000 Series
Description: The Dell W-7000 Series is an integrated controller platform. The platform acts as a software services platform targeting small to medium branch offices and enterprise networks. The W-7000 Series controller includes three models that provide varying levels of scalability.
-
Table 10: New Hardware Platforms in ArubaOS 6.4.1.0 (continued)

Description:
• IEEE 802.11a/b/g/n/ac operation as a wireless access point
• IEEE 802.11a/b/g/n/ac operation as a wireless air monitor
• Compatibility with IEEE 802.
-
Table 11: New Features in ArubaOS 6.4.0.0

Feature: Application Single Sign-On Using Layer 2 Authentication Information
Description: This feature allows single sign-on for web-based applications using layer 2 authentication information. With single sign-on, a user does not need to provide authentication credentials before logging into each application.

Feature: AppRF 2.
-
Table 11: New Features in ArubaOS 6.4.0.0 (continued)

Feature: Controller LLDP Support
Description: ArubaOS 6.4 provides support for Link Layer Discovery Protocol (LLDP) on the controllers to advertise identity information and capabilities to other nodes on the network, and store the information discovered about the neighbors.

Feature: ClearPass Policy Manager Integration
Description: ArubaOS now supports downloadable roles.
-
Table 11: New Features in ArubaOS 6.4.0.0 (continued)

Feature: RADIUS Accounting on Multiple Servers
Description: ArubaOS provides support for the controllers to send RADIUS accounting to multiple RADIUS servers. The controller notifies all the RADIUS servers to track the status of authenticated users. Accounting messages are sent to all the servers configured in the server group in sequential order.

Feature: Unified Communication and Collaboration
Description: The following new features are introduced in ArubaOS 6.4: 802.
-
CLI
The CLI is a text-based interface accessible from a local console connected to the serial port on the controller or through a Telnet or Secure Shell (SSH) session. By default, you access the CLI from the serial port or from an SSH session. You must explicitly enable Telnet on your controller in order to access the CLI via a Telnet session. Telnet carries the login credentials and every command in cleartext, so leave it disabled unless you have a specific need for it, and use SSH for remote management.
-
Type Style / Description

<Angle brackets>: In this example, you would type "send" at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets.

[Optional]: Command examples enclosed in brackets are optional. Do not type the brackets.

{Item A | Item B}: In the command examples, items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.
-
Chapter 1 The Basic User-Centric Networks This chapter describes how to connect a Dell controller and Dell AP to your wired network. After completing the tasks described in this chapter, see Access Points on page 566 for information on configuring APs.
-
4. Configure the SSID(s) with VLAN 1 as the assigned VLAN for all users. Deployment Scenario #2: APs All on One Subnet Different from Controller Subnet Figure 2 APs All on One Subnet Different from Controller Subnets In this deployment scenario, the APs and the controller are on different subnetworks and the APs are on multiple subnetworks. The controller acts as a router for the wireless subnetworks (the controller is the default gateway for the wireless clients).
-
3. Deploy APs. The APs will use DNS or DHCP to locate the controller. 4. Configure VLANs for the wireless subnetworks on the controller. 5. Configure SSIDs with the VLANs assigned for each wireless subnetwork. Each wireless client VLAN must be configured on the controller with an IP address. On the uplink switch or router, you must configure static routes for each client VLAN, with the controller’s VLAN 1 IP address as the next hop.
-
This deployment scenario does not use VLAN 1 to connect to the layer-2 switch or router through the trunk port. The initial setup prompts you for the IP address and default gateway for VLAN 1; use the default values. In later steps, you configure the appropriate VLAN to connect to the switch or router as well as the default gateway. For this scenario, you must perform the following tasks: 1. Run the initial setup. l Use the default IP address for VLAN 1.
-
configuration access. Do not connect the controller to your network when running the initial setup. The factory-default controller boots up with a default IP address and both DHCP server and spanning tree functions are not enabled. Once you have completed the initial setup, you can use either the CLI or WebUI for further configuration before connecting the controller to your network.
-
7200 Series controllers use slot/module/port instead. It is important to consider this when migrating an older controller to either the W-7000 Series or W-7200 Series. If you load a configuration from a non-W-7000 Series/W-7200 Series controller, that controller will not have network connectivity because any interface configuration will not be recognized. For information about migrating to W-7000 Series and W-7200 Series controllers, see the Dell Networking W-Series ArubaOS 6.2 Release Notes.
-
Table 15: LCD Panel Mode: Boot

Function/Menu Options: Displays boot status
Displays: "Booting ArubaOS...

Table 16: LCD Panel Mode: LED Mode

Function/Menu Options: Administrative
Displays: LED MODE: ADM - displays whether the port is administratively enabled or disabled.

Function/Menu Options: Duplex
Displays: LED MODE: DPX - displays the duplex mode of the port.

Function/Menu Options: Speed
Displays: LED MODE: SPD - displays the speed of the port.
-
Table 18: LCD Panel Mode: Maintenance

Function/Menu Options: Upgrade Image
Upgrade the software image on the selected partition from a predefined location on the attached USB flash device.
Displays: Partition [0 | 1], Upgrade Image [no | yes]

Function/Menu Options: Upload Config
Uploads the controller's current configuration to a predefined location on the attached USB flash device.
Displays: Upload Config [no | yes]

Function/Menu Options: Factory Default
Allows you to return the controller to the factory default settings.

Because these options can replace the running image or configuration, or wipe the controller, from the front panel and an attached USB device, disable the LCD menu functions (see Disabling LCD Menu Functions) on any controller that is not in a physically secured location.
-
4. Navigate to Upload Config in the LCD's Maintenance menu. Confirm the upload (Y/N) and then wait for the upload to complete.
5. Execute a system reboot either from the LCD menu or from the command line to reload from the uploaded configuration.
For detailed upgrade and upload instructions, see the Upgrade Chapter in the Release Notes.
-
VLAN pooling should not be used with static IP addresses.
• Assign to the VLAN the ports that you will use to connect the controller to the network. (For example, the uplink ports connected to a router are usually Gigabit ports.) In the example configurations shown in this section, a controller is connected to the network through its Gigabit Ethernet port 1/25.
• Configure the port as a trunk port.
• Configure a default gateway for the controller.
-
In the CLI
To configure a Gigabit Ethernet port:
(host)(config) #interface gigabitethernet <slot>/<module>/<port>
(host)(config-if) #switchport mode trunk
(host)(config-if) #switchport trunk native vlan <vlan-id>
To confirm the port assignments, use the show vlan command:
(host)(config) #show vlan
Configuring the Default Gateway
The following configurations assign a default gateway for the controller.
In the WebUI
To configure the default gateway:
1. Navigate to Configuration > Network > IP > IP Routes.
2.
-
Spanning tree protocol (STP) is enabled by default on the controller. STP ensures a single active path between any two network nodes, thus avoiding bridge loops. Disable STP on the controller if you are not employing STP in your network. In the WebUI To configure a loopback IP address: 1. Navigate to Configuration > Network > Controller > System Settings. 2. Enter the IP address under Loopback Interface. 3. On this window, you can also turn off spanning tree. Click No for Spanning Tree Enabled. 4.
-
Guide for the controller for port LED and cable descriptions. In many deployment scenarios, an external firewall is situated between various Dell devices. External Firewall Configuration on page 711 describes the network ports that must be configured on the external firewall to allow proper operation of the network.
-
By default, you can only access the CLI from the serial port or from an SSH session. To use the CLI in a Telnet session, you must explicitly enable Telnet on the controller.
Replacing a Controller
The procedures below describe the steps to replace an existing standalone master controller and/or a redundant master controller. Best practice is to replace the backup master controller first, and replace the active master controller only after the new backup controller is operational on the network.
-
Change the VRRP Priorities for a Redundant Master Pair
If your deployment uses VRRP to define the primary master in a pair of redundant master controllers, and you are replacing only the primary master controller, you must change the VRRP priority levels of the controllers so that the primary master controller has a lower priority than the backup master controller.
-
Are you sure that you want to stop auto-provisioning and start full setup dialog? (yes/no): yes
Reading configuration from factory-default.cfg
***************** Welcome to the Dell W-7210 setup dialog *****************
This dialog will help you to set the basic configuration for the switch.
These settings, except for the Country Code, can later be changed from the Command Line Interface or Graphical User Interface.
-
In the WebUI To import and restore a flash backup using the WebUI: 1. Access the new controller and navigate to Maintenance > File> Copy Files. 2. In the Source Selection section, choose any of the server options or select USB Drive if the flash backup is on USB storage. 3. In the Destination Selection section, choose Flash File System. 4. Enter the filename of the flash backup and click Apply. By default, the flash backup file is named flashbackup.tar.gz. 5.
-
Do you really want to restart the system(y/n): y
System will now restart!
Modify the Host Name
Issue the hostname command in the command-line interface to give the new controller a unique hostname. (The flash restoration process gave the new controller the same name as the existing controller.) Do not save the configuration or write to memory at the end of this step.
(host)(config) #hostname <hostname>
Modify Topology Settings
This is required when migrating to a newer controller model.
-
Slot-Port  PortType  adminstate  operstate  poe      Trusted  SpanningTree  PortMode
---------  --------  ----------  ---------  -------  -------  ------------  --------
0/0/0      GE        Enabled     Down       Enabled  Yes      Disabled      Access
0/0/1      GE        Enabled     Down       Enabled  Yes      Disabled      Access
0/0/2      GE        Enabled     Down       Enabled  Yes      Disabled      Access
0/0/3      GE        Enabled     Down       Enabled  Yes      Disabled      Access
0/0/4      GE        Enabled     Down       Enabled  Yes      Disabled      Access
0/0/5      GE        Enabled     Down       Enabled  Yes      Disabled      Access
Every port above reports Trusted Yes. Traffic entering a trusted port is not subject to the controller's user authentication and role-based firewall policies, so compare this column with the intended role of each port before you connect the new controller to the network.
Save your Configuration
Now, you must save the configuration
-
Chapter 2 Control Plane Security
ArubaOS supports secure IPsec communications between a controller and campus or remote APs using public-key self-signed certificates created by each master controller. The controller certifies its APs by issuing them certificates. If the master controller has any associated local controllers, the master controller sends a certificate to each local controller, which in turn sends certificates to its own associated APs.
-
and remote APs to the secure network by adding each AP's information to the whitelists when you first run the initial setup wizard. If you are confident that all APs currently on your network are valid APs, then you can use the initial setup wizard to configure automatic certificate provisioning to send certificates from the controller to each campus or remote AP, or to all campus and remote APs within specific ranges of IP addresses.
-
Table 19: Control Plane Security Parameters

Parameter: Control Plane Security
Description: Select enable or disable to turn the control plane security feature on or off. This feature is enabled by default.

Parameter: Auto Cert Provisioning
Description: When you enable the control plane security feature, you can select this checkbox to turn on automatic certificate provisioning. When you enable this feature, the controller attempts to send certificates to all associated campus APs.
-
Figure 4 Control Plane Security Settings In the CLI Use the commands below to configure control plane security via the command line interface on a standalone or master controller. Descriptions of the individual parameters are listed in Table 19, above.
-
Figure 5 Control Plane Security Settings
4. Click Entries in the upper right corner of the whitelist status window.
5. Click New.
6. Define the following parameters for each AP you want to add to the AP whitelist.

Table 20: AP Whitelist Parameters

Campus AP whitelist configuration parameters:
AP MAC Address: MAC address of the campus AP that supports secure communications to and from its controller.
AP Group: Name of the AP group to which the campus AP is assigned.
-
7. Click Add.
-
Table 21: Whitelist status information

NOTE: If an AP is in the hold state because of connectivity problems, the AP recovers and moves out of the hold state when connectivity is restored.

Revoked entries: Number of entries in the campus AP whitelist that have been manually revoked.
Marked for deletion entries: Number of entries in the campus AP whitelist that have been marked for deletion, but not removed from the Remote AP whitelist.
-
Table 22: Additional Campus AP Status Information

Parameter: Cert Type
Description: The type of certificate used by the campus AP.
• switch-cert: The campus AP is using a certificate signed by the controller.
• factory-cert: The campus AP is using a factory-installed certificate.

Parameter: State
Description: The state of a campus AP.
• unapproved-no-cert: The campus AP has no certificate and is not approved.
• unapproved-factory-cert: The campus AP has a pre-installed certificate which is not approved.
-
certified-factory-cert|unapproved-factory-cert|unapproved-no-cert}
(host) #show whitelist-db cpsec-status
(host) #show whitelist-db rap [apgroup <ap-group>] [apname <ap-name>] [fullname <name>] [long] [mac-address <mac>] [page <number>] [start <number>]
(host) #show whitelist-db rap-status
Modifying an AP in the Campus AP Whitelist
Use the following procedures to modify the AP group, AP name, certificate type, state, description, and revoked status of an AP in the campus AP whitelist.
-
(host) #whitelist-db cpsec modify mac-address <mac> [ap-group <ap-group>] [ap-name <ap-name>] [cert-type {switch-cert|factory-cert}] [description <description>] [mode {disable|enable}] [revoke-text <text>] [state {approved-ready-for-cert|certified-factory-cert}]
Revoking an AP from the Campus AP Whitelist
You can revoke an invalid or rogue AP either by modifying its revoke status (as described in Modifying an AP in the Campus AP Whitelist) or by directly revoking it from the campus AP whitelist without modifying
-
want to locate in these fields, then click Search. The campus AP whitelist displays a list of APs that match your search criteria. Select the checkbox of the AP that you want to delete, then click Delete.
In the CLI
To delete an AP from the campus AP whitelist:
(host) #whitelist-db cpsec del mac-address <mac>
Purging a Campus AP Whitelist
Before adding a new local controller to a network using control plane security, purge the campus AP whitelist on the new controller.
-
b. Select Radius Server to display the CPPM Server List. c. To configure a CPPM server, enter the name for the server and click Add. d. Select the name to configure server parameters. Select the Mode check box to activate the authentication server. e. Click Apply. 2. Create a server group that contains the CPPM server. 3. Navigate to Configuration > All Profile Management > Wireless LAN > VPN Authentication > default-rap > Server Group. 4. Select the CPPM server from the Server Group drop-down list. 5.
-
Table 23: Control Plane Security Whitelists

Controller Role: A (standalone) master controller with no local controllers
• Campus AP Whitelist: contains entries for the secure campus APs associated with that controller.
• Master Controller Whitelist: empty, and does not appear in the WebUI.
• Local Controller Whitelist: empty, and does not appear in the WebUI.
-
changes to the other controllers on the network. If all other controllers on the network have successfully received and acknowledged all whitelist changes made on that controller, every entry in the sequencenumber column in the local controller or master controller whitelists has the same value as the sequence number displayed in the AP Whitelist Sync Status field.
-
Table 24: Master and Local Controller Whitelist Information

... same as the sequence number on the local controller.
• The remote sequence number on a local controller should be the same as the sequence number on the master controller.

Field: Null Update Count
Description: The number of times the controller checked its campus AP whitelist and found nothing to synchronize with the other controller.
-
Purging the Master or Local Controller Whitelist There is no need to purge a master controller whitelist during the course of normal operation. If, however, you are removing a controller from the network, you can purge its controller whitelist after it has been disconnected from the network. To clear a local controller whitelist entry on a master controller that is still connected to the network, select that individual whitelist entry and delete it using the delete option.
-
own local controllers and APs. Next, the cluster root sends a certificate to each cluster member, which in turn certifies its own local controllers and APs. Because all controllers and APs in the cluster have the same trust anchor, the APs can switch to any other controller in the cluster and still remain securely connected to the network.
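The hierarchy described in this chapter (a master or cluster root self-signs its certificate, certifies its local controllers or cluster members, and those certify their APs) is ordinary X.509 chain validation, and the "same trust anchor" property above can be checked the same way. The Go program below is an added illustration for this guide's reader; it is not ArubaOS code and does not reproduce the controller's certificate profile. It builds a master, a local controller and a campus AP, confirms that the AP chains to the master when the local controller's certificate is presented, and confirms that an AP certified by an unrelated master is rejected even when that master's certificate is offered as an intermediate. The key type, validity periods, names and key usages are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// node is a controller or AP holding its private key and certificate.
type node struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

var nextSerial int64 // simple unique serials are enough for the example

// issue creates a certificate for cn. A nil parent yields a self-signed CA (the
// master or cluster root); otherwise parent signs it. Controllers are CAs because
// they certify others; an AP gets an end-entity certificate. P-256 keys and the
// 24-hour validity are assumptions for this example, not ArubaOS settings.
func issue(cn string, isCA bool, parent *node) (*node, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &node{key: key, cert: cert}, nil
}

func mustIssue(cn string, isCA bool, parent *node) *node {
	n, err := issue(cn, isCA, parent)
	if err != nil {
		panic(err)
	}
	return n
}

// apTrusted models the acceptance decision: does the AP certificate chain to the
// trust anchor through the controller certificates presented as intermediates?
func apTrusted(ap, anchor *x509.Certificate, controllers ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	inters := x509.NewCertPool()
	for _, c := range controllers {
		inters.AddCert(c)
	}
	_, err := ap.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

// TrustChainDemo builds master -> local controller -> campus AP, plus an
// unrelated master with its own AP. It returns whether the campus AP is trusted
// under the master's anchor (true) and whether the foreign AP is (false, even
// though its issuer is handed over as an intermediate).
func TrustChainDemo() (sameRoot, foreignRoot bool) {
	master := mustIssue("master-controller", true, nil)
	local := mustIssue("local-controller", true, master)
	ap := mustIssue("campus-ap-1", false, local)
	otherMaster := mustIssue("other-master", true, nil)
	foreignAP := mustIssue("foreign-ap", false, otherMaster)
	sameRoot = apTrusted(ap.cert, master.cert, local.cert)
	foreignRoot = apTrusted(foreignAP.cert, master.cert, local.cert, otherMaster.cert)
	return sameRoot, foreignRoot
}

func main() {
	ok, foreign := TrustChainDemo()
	fmt.Printf("AP certified under the same trust anchor accepted: %v\n", ok)
	fmt.Printf("AP certified by an unrelated master accepted: %v\n", foreign)
}
```

The second check is the one that matters operationally: a cluster member that receives a certificate from its own root will accept any AP certified anywhere under that root, and will reject an AP whose chain ends at a different self-signed certificate no matter what intermediates the AP presents. That is why a replaced cluster root must be re-established as the common anchor before members and APs can reconnect.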
-
In the CLI
To create a cluster root, access the command-line interface of the controller you want to identify as the root of the controller cluster, then issue one of the following commands:
• To authenticate cluster members using a custom certificate:
(host)(config) #cluster-member-custom-cert member-mac <mac> ca-cert <ca-cert> server-cert <server-cert> [suite-b <suite-b>]
• To authenticate cluster members using a factory-installed certificate:
(host)(config) #cluster-member-factory-cert member-mac <mac>
•
-
In the WebUI
To view the current cluster configuration:
1. Navigate to Configuration > Controller.
2. Click the Cluster Setting tab.
• If you are viewing the WebUI of a cluster root, the page displays the IP address of the VLAN on the cluster member used to connect to the cluster root.
• If you are viewing the WebUI of a cluster member, the page displays the IP address of the VLAN on the cluster root used to connect to the cluster member.
-
Access the command-line interface on the old local controller and issue the whitelist-db cpsec purge command. or, Access the local controller WebUI, navigate to Configuration > AP Installation > Campus AP Whitelist and click Purge. 3.
-
Replacing a Redundant Master Controller The control plane security feature requires you to synchronize databases from the primary master controller to the backup master controller at least once after the network is up and running. This ensures that all certificates, keys, and whitelist entries are synchronized to the backup controller. Because the AP whitelist may change periodically, you should regularly synchronize these settings to the backup controller.
-
6. Remove the old cluster member from the network. Remember, that controller still has campus AP whitelist entries from the entire cluster. You may want to delete or revoke unwanted entries from the campus AP whitelist. Now, you must install the new cluster member controller according to the procedure described in Creating a Cluster Member on page 137. The new cluster member obtains a certificate from the cluster root when it first becomes active. 7.
-
Replacing a Redundant Cluster Root Controller
Best practice is to use a backup controller with your cluster root controller. If your cluster root has a backup controller, you can replace the backup cluster root without having to reboot all cluster master and local controllers, minimizing network disruptions. The control plane security feature requires you to synchronize databases from the primary controller to the backup controller at least once after the network is up and running.
-
Table 26: Control Plane Security Upgrade Strategies

Automatically send Certificates to Campus APs:
1. Access the control plane security window and enable both the control plane security feature and the auto certificate provisioning option. Next, specify whether you want all associated campus APs to automatically receive a certificate, or if you want to certify only those APs within a defined range of IP addresses.

Manually Certify Campus APs:
1.
-
the AP is not approved as a secure AP until a network administrator manually changes the status of the AP to verify that it is not compromised. If an AP is in this state due to connectivity problems, the AP recovers and is taken out of this hold state as soon as connectivity is restored.
-
Figure 8 Sequence numbers on Master and Local Controllers
Rogue APs
If you enable auto certificate provisioning with the Auto Cert Allow All option, any AP that appears on the network receives a certificate. If you notice unwanted or rogue APs connecting to your controller via an IPsec tunnel, verify that automatic certificate provisioning has been disabled, then manually remove the unwanted APs by deleting their entries from the campus AP whitelist. Do the two steps in that order: while Auto Cert Allow All is on, a deleted AP that reconnects is simply certified again.
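One way to turn the advice above into a routine check is to parse the campus AP whitelist, compare it with the inventory of APs you actually own, and emit the whitelist-db cpsec commands shown earlier in this chapter for the entries that need action. The Go program below is an added example written for this guide's reader, not part of ArubaOS or of the guide. The show whitelist-db cpsec output and the inventory it reads are constructed for the example and the column layout is an assumption; the state names are those listed in Table 22 and the state arguments of the modify command, and the del and modify commands are the ones given under Deleting an AP and Modifying an AP above. Which approved state to set for a known-but-unapproved AP is this example's reading of Table 22, not a statement from the guide.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of "show whitelist-db cpsec" output. The column layout is
// an assumption for this example; the state names come from Table 22.
const sampleWhitelist = `Control-Plane Security Whitelist-entry Details
----------------------------------------------
MAC-Address        AP-Group  AP-Name     Enable   State                    Cert-Type
-----------        --------  -------     ------   -----                    ---------
00:1a:1e:00:00:01  default   ap-lobby    Enabled  certified-factory-cert   factory-cert
00:1a:1e:00:00:02  default   ap-hall     Enabled  approved-ready-for-cert  switch-cert
00:1a:1e:00:00:03  default   ap-unknown  Enabled  certified-factory-cert   factory-cert
00:1a:1e:00:00:04  default   ap-new      Enabled  unapproved-no-cert       switch-cert
00:1a:1e:00:00:05  default   ap-stray    Enabled  unapproved-factory-cert  factory-cert
00:1a:1e:00:00:06  default   ap-branch   Enabled  unapproved-factory-cert  factory-cert
`

// Constructed asset inventory: MAC addresses of the APs the organisation owns.
var inventory = map[string]bool{
	"00:1a:1e:00:00:01": true,
	"00:1a:1e:00:00:02": true,
	"00:1a:1e:00:00:04": true,
	"00:1a:1e:00:00:06": true,
}

type Entry struct{ MAC, Group, Name, Enable, State, CertType string }

type Finding struct {
	Entry  Entry
	Action string // ok | approve | delete
	Cmd    string // controller CLI command to run, if any
}

// ParseWhitelist keeps only the data rows: at least six columns whose first
// field looks like a MAC address. Banner, header and separator lines are skipped.
func ParseWhitelist(out string) []Entry {
	var entries []Entry
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 6 || strings.Count(f[0], ":") != 5 {
			continue
		}
		entries = append(entries, Entry{f[0], f[1], f[2], f[3], f[4], f[5]})
	}
	return entries
}

// Audit classifies each entry against the inventory. Any MAC not in the inventory
// is deleted (the remedy the guide gives for unwanted APs); a known AP still in an
// unapproved-* state gets the manual approval command. The second result reports
// whether an unknown AP already holds a certificate, which is the symptom of auto
// cert provisioning having been left on.
func Audit(entries []Entry, known map[string]bool) (map[string]Finding, bool) {
	findings := make(map[string]Finding)
	unknownCertified := false
	for _, e := range entries {
		fd := Finding{Entry: e, Action: "ok"}
		unapproved := strings.HasPrefix(e.State, "unapproved-")
		switch {
		case !known[e.MAC]:
			fd.Action = "delete"
			fd.Cmd = "whitelist-db cpsec del mac-address " + e.MAC
			if !unapproved {
				unknownCertified = true
			}
		case unapproved:
			// Assumption for this example: a factory certificate is accepted as-is,
			// otherwise the AP is readied to receive a controller-signed certificate.
			state := "approved-ready-for-cert"
			if e.CertType == "factory-cert" {
				state = "certified-factory-cert"
			}
			fd.Action = "approve"
			fd.Cmd = "whitelist-db cpsec modify mac-address " + e.MAC + " state " + state
		}
		findings[e.MAC] = fd
	}
	return findings, unknownCertified
}

// AuditSample runs the audit over the constructed data above.
func AuditSample() (map[string]Finding, bool) {
	return Audit(ParseWhitelist(sampleWhitelist), inventory)
}

func main() {
	findings, unknownCertified := AuditSample()
	if unknownCertified {
		fmt.Println("WARNING: an AP outside the inventory holds a certificate; confirm auto cert provisioning is disabled before cleaning up")
	}
	macs := make([]string, 0, len(findings))
	for m := range findings {
		macs = append(macs, m)
	}
	sort.Strings(macs)
	for _, m := range macs {
		fd := findings[m]
		fmt.Printf("%-17s %-11s %-24s %-8s %s\n", m, fd.Entry.Name, fd.Entry.State, fd.Action, fd.Cmd)
	}
}
```

Run against real output, paste the captured text of show whitelist-db cpsec into sampleWhitelist and load the inventory from your asset system; review the printed commands before executing them on the controller, since the del command removes the entry immediately.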
-
Chapter 3 Software Licenses ArubaOS base features include sophisticated authentication and encryption; protection against wireless rogue APs; seamless mobility with fast roaming; origination and termination of IPsec/L2TP/PPTP tunnels between controllers, clients, and other VPN gateways; adaptive RF management and analysis tools; centralized configuration; and location tracking. Optional add-on licenses provide advanced features such as Wireless Intrusion Protection and Policy Enforcement Firewall.
-
Working with Licenses
Each license refers to a specific functionality (or module) that supports unique features. The licenses are:
- Base OS: base operating functions including VPN and VIA clients.
- AP Capacity: capacity license for RAP indoor and outdoor Mesh APs. Campus, Remote, or Mesh APs can terminate on the controller without the need for a separate license.
- Advanced Cryptography (ACR): this license is required for the Suite B Cryptography in IPsec and 802.11 modes.
-
Figure 9 Alert Flag
At the end of the 90-day period, you must apply for a permanent license to re-enable the features permanently on the controller. Evaluation software license keys are only available in electronic form and are emailed to you. When an evaluation period expires:
- The controller automatically backs up the startup configuration and reboots itself at midnight (according to the system clock).
- All permanent licenses are unaffected.
-
- Replacing a Controller
- Failover Behaviors
- Configuring Centralized Licensing
Primary and Backup Licensing Servers
Centralized licensing allows the primary and backup licensing server controllers to share a single set of licenses. If you do not enable this feature, the master and backup master controller each require separate, identical license sets.
-
Client controllers do not share information about built-in licenses to the licensing server. A controller using the centralized licensing feature will use its built-in licenses before it consumes available licenses from the license pool. As a result, when a client controller sends the licensing server information about the licenses that a client is using, it only reports licenses taken from the licensing pool, and disregards any built-in licenses used.
-
Figure 12 License Pool Reflecting Used Licenses
Supported Topologies
The following table describes the controller topologies supported by this feature.
151 | Software Licenses Dell Networking W-Series ArubaOS 6.4.
-
Table 27: Centralized Licensing Topologies
Topology:
- All controllers are master controllers. The master and standby licensing servers must be defined.
- A single master controller is connected to one or more local controllers. Only the master controller can be a license server. A local controller can only be a license client, not a license server.
- A master and standby master are connected to one or more local controllers.
-
Figure 13 Topologies Not Supported by Centralized Licensing
Adding and Deleting Licenses
New licenses can be added to any controller managed by a centralized licensing system, although best practices recommend adding them to the primary licensing server for easier management and tracking of licenses across a wide network. Licenses can only be deleted from the controller on which the license is installed.
-
Although a client controller retains its licensing information for 30 days after it loses contact with the licensing server, if the client reboots at any time during this 30-day window, the window restarts and the client retains its information for another 30 days. APs that use centralized licensing in conjunction with an ArubaOS high availability feature behave differently than APs that do not use a high availability solution.
-
3. (Optional) If your primary licensing server does not yet have a dedicated, redundant backup controller and you want to use a backup server with the centralized licensing feature, you must identify a second controller to use as the backup licensing server, and create a virtual router on the primary licensing server. 4.
-
(host)(License provisioning profile) #centralized-licensing-enable
If the licensing server already has a dedicated redundant standby controller, that standby controller will automatically become the backup license server.
-
Table 29: License Client Table Data
Column | Description
Service Type | Type of license on the licensing client.
System Limit | The maximum number of licenses supported by the controller platform.
Server Licenses | Number of licenses sent from the licensing server. NOTE: This number is limited by the total license capacity of the controller platform. A controller cannot use more licenses than are supported by that controller platform, even if additional licenses are available.
-
Aggregate License Table
This command is issued from the command-line interface of the centralized licensing server controller to view license limits sent by licensing clients.
Table 31: Aggregate License Table Data
Column | Description
Hostname | Name of the licensing client controller.
IP Address | IP address of the licensing client controller.
AP | Total number of AP licenses sent from licensing clients associated with this controller.
-
License limits are enforced until you reach the controller limit (see Table 34). Table 33 lists how licenses are consumed on the Controllers.
-
Understanding License Interaction
Some licenses interact with each other and may require some equality.
- AP/PEFNG and RFProtect must be equal.
  - All active APs run AP/PEFNG and RFProtect services (if enabled). If they are not equal, the number of active APs is restricted to the lower of the AP/PEFNG and RFProtect license counts. It is not possible to designate specific APs for RFProtect/non-RFProtect operations.
-
Installing a License
The Dell licensing system is controller-based. A license key is a unique alphanumerical string generated using the controller’s serial number and is valid only for that controller. Licenses can be pre-installed at the factory so all licensed features are available upon initial setup. You can also install license features yourself.
-
Obtaining a Software License Key
To obtain a software license key, you must log in to the Dell License Management website. If you are a first-time user, you can use the software license certificate ID number to log in and request a new user account. If you already have a user account, log in to the site with your login credentials.
-
1. Navigate to the Configuration > Network > Controller > System Settings page and select the License tab. 2. Scroll down to the License Table and locate the license you want to delete. 3. Click Delete at the far right hand side of the license to delete the license. If a license feature is under an evaluation license, it will not generate a key when the feature is deleted. Moving Licenses It may be necessary to move licenses from one controller to another or delete a license for future use.
-
Chapter 4 Network Configuration Parameters
The following topics in this chapter describe some basic network configuration on the controller:
- Configuring VLANs on page 164
- Configuring Ports on page 169
- Understanding VLAN Assignments on page 171
- Configuring Static Routes on page 179
- Configuring the Loopback IP Address on page 179
- Configuring the Controller IP Address on page 180
- Configuring GRE Tunnels on page 181
- Jumbo Frame Support on page 196
Configuring VLANs
The controlle
-
6. If you selected Port in step 4, select the ports you want to associate with the VLAN from the Port Selection window. or If you selected Port-Channel in step 4, click the Port-Channel ID drop-down list, select the specific channel number you want to associate with the VLAN, then select the ports from the Port Selection window. 7. Click Apply.
-
The Even named VLAN assignment type is only supported in tunnel and decrypt-tunnel modes. It is not supported in split or bridge modes. It is not allowed for named VLANs that are configured directly under a virtual AP (VAP). It must only be used under named VLANs. L2 Mobility is not compatible with the existing implementation of the Even named VLAN assignment type. 6. In the List of VLAN IDs field, enter the VLAN IDs you want to add to this pool. If you know the ID, enter each ID separated by a comma.
-
Creating a Named VLAN Using the CLI
Named VLANs should not be used with static IP addresses. The following example creates a named VLAN called mygroup that has assignment type even.
-
Aruba-Named-UserVLAN | 9 | String | Aruba | 14823
In the WebUI
To apply a named VLAN in a user rule, navigate to the WebUI page: Security > Authentication > User Rules
To apply a named VLAN in a user role, navigate to the WebUI page: Security > Access Control > User Roles > Add or Edit Role
To apply a named VLAN in a server derivation (server group), navigate to the WebUI page: Security > Authentication > Servers > Server Group > Server Rules
Adding a Bandwidth Contract to the VLAN
Bandwid
-
Figure 14 Enable BCMC Optimization
In the CLI
(host)(config) #interface vlan 1
(host)(config-subif)#bcmc-optimization
(host)(config-subif)#show interface vlan 1
Configuring Ports
Both Fast Ethernet and Gigabit Ethernet ports can be set to access or trunk mode. A port is in access mode by default and carries traffic only for the VLAN to which it is assigned. In trunk mode, a port can carry traffic for multiple VLANs.
-
Table 35: Classifying Trusted and Untrusted Traffic
Port | VLAN | Traffic Status
Trusted | Trusted | Trusted
Untrusted | Untrusted | Untrusted
Untrusted | Trusted | Untrusted
Trusted | Untrusted | Untrusted
Configuring Trusted/Untrusted Ports and VLANs
You can configure an Ethernet port as an untrusted access port, assign VLANs and classify them as untrusted, and designate a policy through which VLAN traffic on this port must pass.
In the WebUI
1. Navigate to the Configuration > Network > Ports window.
2.
-
Configuring Trusted and Untrusted Ports and VLANs in Trunk Mode
The following procedures configure a range of Ethernet ports as untrusted native trunk ports, assign VLANs and classify them as untrusted, and designate a policy through which VLAN traffic on the ports must pass.
In the WebUI
1. Navigate to the Configuration > Network > Ports window.
2. In the Port Selection section, click the port you want to configure.
3. For Port Mode select Trunk.
4.
-
2. Before client authentication, the VLAN can be derived from rules based on client attributes (SSID, BSSID, client MAC, location, and encryption type). A rule that derives a specific VLAN takes precedence over a rule that derives a user role that may have a VLAN configured for it. 3. After client authentication, the VLAN can be configured for a default role for an authentication method, such as 802.1x or VPN. 4.
-
Use the following command to display user VLAN derivation related debug information:
(host) #show aaa debug vlan user [ip | ipv6 | mac]
How a VLAN Obtains an IP Address
A VLAN on the controller obtains its IP address in one of the following ways:
- You can manually configure it. This is the default method and is described in Assigning a Static Address to a VLAN on page 173. At least one VLAN on the controller must be assigned a static IP address.
-
The following restrictions apply when enabling the DHCP or PPPoE client on the controller:
- You can enable the DHCP/PPPoE client on multiple uplink VLAN interfaces (up to four) on the controller; these VLANs cannot be VLAN 1.
- Only one port in the VLAN can be connected to the modem or uplink switch.
- At least one interface in the VLAN must be in the up state before the DHCP/PPPoE client requests an IP address from the server.
-
Enabling the PPPoE Client
To authenticate the BRAS and request a dynamic IP address, the controller must have the following configured:
- PPPoE user name and password to connect to the DSL network
- PPPoE service name: either an ISP name or a class of service configured on the PPPoE server
When you shut down the VLAN, the PPPoE session terminates.
In the WebUI
1. Navigate to the Configuration > Network > IP > IP Interfaces page.
2. Click Edit for a previously-created VLAN.
3.
-
2. Select Enable DHCP Server.
3. Under Pool Configuration, select Add.
4. For Pool Name, enter employee-pool.
5. For Default Router, enter 10.1.1.254.
6. For DNS Servers, select Import from DHCP/PPPoE.
7. For WINS Servers, select Import from DHCP/PPPoE.
8. For Network, enter 10.1.1.0 for IP Address and 255.255.255.0 for Netmask.
9. Click Done.
In the CLI
Use the following commands:
(host)(config) #ip dhcp pool employee-pool
default-router 10.1.1.254
dns-server import
netbios-name-server import
network 10.
-
Configuring Source NAT for VLAN Interfaces The example configuration in the previous section illustrates how to configure source NAT using a policy that is applied to a user role. You can also enable source NAT for a VLAN interface to perform NAT on the source address for all traffic that exits the VLAN.
-
(host)(config) #interface vlan 1
ip address 66.1.131.5 255.255.255.0
(host)(config) #interface vlan 6
(host)(config) #ip address 192.168.2.1 255.255.255.0
ip nat inside
ip default-gateway 66.1.131.1
Inter-VLAN Routing
On the controller, you can map a VLAN to a layer-3 subnetwork by assigning a static IP address and a netmask, or by configuring a DHCP or PPPoE server to provide a dynamic IP address and netmask to the VLAN interface.
-
In the CLI
Use the following commands:
(host)(config) #interface vlan <vlan-id>
ip address {<ipaddr> <netmask>|dhcp-client|pppoe}
no ip routing
Configuring Static Routes
To configure a static route (such as a default route) on the controller, do the following:
In the WebUI
1. Navigate to the Configuration > Network > IP > IP Routes page.
2. Click Add to add a static route to a destination network or host. Enter the destination IP address and network mask (255.255.255.
-
7. The controller boots up with the changed loopback IP address.
In the CLI
Use the following commands:
(host)(config) #interface loopback
ip address <ipaddr>
(host)(config) #write memory
Enter the following command in Enable mode to reboot the controller:
(host) #reload
Configuring the Controller IP Address
The Controller IP address is used by the controller to communicate with external devices such as APs. IP addresses used by the controller are not limited to the controller IP address.
-
8. The controller boots up with the changed controller IP address. of the selected VLAN ID.
In the CLI
(host)(config) #controller-ip [loopback|vlan <vlan-id>]
Configuring GRE Tunnels
Controllers support Generic Routing Encapsulation (GRE) tunnels between controllers and between controllers and other network devices that support GRE tunnels.
-
1. The frame is bridged through Controller-1 into the Layer-2 GRE tunnel.
2. The frame is encapsulated in a GRE packet.
3. The GRE packet enters the network on VLAN 10, is routed across the network to the destination controller (Controller-2), and then exits the network on VLAN 20. The source IP address of the GRE packet is the IP address of the interface in VLAN 10 in Controller 1.
4. The frame is de-encapsulated and bridged out of the destination controller (Controller-2) on VLAN 101.
-
The source IP address of the GRE packet is the IP address of the interface in VLAN 10 in Controller 1.
4. The IP packet is de-encapsulated and routed out of the destination controller (Controller-2) on VLAN 202.
Configuring a Layer-2 GRE Tunnel
In the WebUI
To configure a Layer-2 GRE tunnel via the WebUI:
Controller-1
1. Log into Controller-1.
2. Navigate to Configuration > Network > IP > GRE Tunnels. The GRE Tunnels page is displayed.
Figure 22 GRE Tunnels Page
3.
-
Figure 23 Layer-2 GRE Tunnel UI Configuration for Controller-1 4. Enter the corresponding GRE tunnel values for this controller. 5. Click Apply. Controller-2 1. Log into Controller-2. 2. Navigate to Configuration > Network > IP > GRE Tunnels. 3. Highlight the line for the tunnel ID of interest and click Edit. The Edit GRE Tunnel screen appears (the tunnel ID also displayed).
-
Figure 24 Layer 2 GRE Tunnel UI Configuration for Controller-2 4. Enter the corresponding GRE tunnel values for this controller. 5. Click Apply.
-
Configuring a Layer-3 GRE Tunnel for IPv4 In the WebUI To configure a Layer-3 GRE tunnel for IPv4 via the WebUI: Controller-1 1. Log into Controller-1. 2. Navigate to Configuration > Network > IP > GRE Tunnels. The GRE Tunnels page is displayed. Figure 25 GRE Tunnels Page 3. Highlight the line for the tunnel ID of interest and click Edit. The Edit GRE Tunnel screen appears.
-
4. Enter the corresponding GRE tunnel values for this controller. 5. Click Apply. Controller-2 1. Log into Controller-2. 2. Navigate to Configuration > Network > IP > GRE Tunnels. The GRE Tunnels page appears. 3. Highlight the line for the tunnel ID of interest and click Edit. The Edit GRE Tunnel screen appears. Figure 27 displays the values that would be entered into the Edit GRE Tunnel page to configure Controller-2 based on the network shown in Figure 20.
-
Controller-2 Configuration
(Controller-2) (config) # interface tunnel 204
description "IPv4 L3 GRE 204"
tunnel mode gre ip
ip address 1.1.1.2 255.255.255.255
tunnel source vlan 20
tunnel destination 10.10.10.249
trusted
Configuring a Layer-3 GRE Tunnel for IPv6
In the WebUI
To configure a Layer-3 GRE tunnel for IPv6 via the WebUI:
Controller-1
1. Log into Controller-1.
2. Navigate to Configuration > Network > IP > GRE Tunnels. The GRE Tunnels page appears.
3.
-
5. Click Apply.
Controller-2
1. Log into Controller-2.
2. Navigate to Configuration > Network > IP > GRE Tunnels. The GRE Tunnels page appears.
3. Highlight the line for the tunnel ID of interest and click Edit. The Edit GRE Tunnel screen appears. Figure 29 displays the values that would be entered into the Edit GRE Tunnel screen to configure Controller-2 based on the network shown in Figure 21.
Figure 29 Layer-3 IPv6 GRE Tunnel UI Configuration for Controller-2
4.
-
tunnel source vlan 10
tunnel destination 2001:1:2:2020::1
trusted
Controller-2 Configuration
(Controller-2) (config) # interface tunnel 206
description "IPv6 Layer-3 GRE 206"
tunnel mode gre ipv6
ip address 2001:1:2:1::2
tunnel source vlan 20
tunnel destination 2001:1:2:1010::1
trusted
Limitations for Static IPv6 Layer-3 Tunnels
ArubaOS does not support the following functions for static IPv6 Layer-3 GRE tunnels:
- IPv6 Auto-configuration and IPv6 Neighbor Discovery mechanisms do not apply to IPv6 GRE tu
-
Figure 30 Firewall Policies Page 2. To create a new firewall policy, click Add. To edit an existing policy, click Edit. The Add New Policy screen appears. Figure 31 Adding a New Firewall Policy 3. Enter the Policy Name. 4. For Policy Type, specify Session (the default). 5. To create a new policy rule, scroll to the Rules section and click Add.
-
Figure 32 Specifying Firewall Rules a. Specify the IP Version. b. Configure the Source, Destination, and Service/Application for the rule. c. For Action, select redirect to tunnel. d. Enter the Tunnel ID. e. Configure any additional options. 6. When satisfied with the settings, click Add, then click Apply.
-
Figure 33 Configuring Heartbeats (Keepalives) 3. To enable tunnel keepalives and display the Heartbeat Interval and Heartbeat Retries fields, click Enable Heartbeats. a. Specify a value for Heartbeat Interval. The default value is 10 seconds. b. Specify a value for Heartbeat Retries. The default value is 3 retries. 4. Click Apply.
-
Preemption You can also enable or disable preemption as part of the tunnel-group configuration. Preemption is enabled by default. (For CLI examples, see Enabling Preemption on page 194.) The preemptive-failover option automatically redirects the traffic whenever it detects an active tunnel with a higher precedence in the tunnel group. When preemption is disabled, the traffic gets redirected to a higher precedence tunnel only when the tunnel carrying the traffic fails.
-
Viewing Operational Status
To view the operational status of all the tunnel groups and their members, issue the following command:
(Controller-1) #show tunnel-group
The following is the sample output of the show tunnel-group command:
(Controller-1) #show tunnel-group
Tunnel-Group Table Entries
--------------------------
Tunnel Group  Mode  Tunnel Group Id  Preemptive Failover  Active Tunnel Id  Tunnel Members
------------  ----  ---------------  -------------------  ----------------  --------------
branch_1      L2    16385            enabled              1
-
#   Source     Destination   Prt  Type  MTU   VLAN  Acls
--  ---------  ------------  ---  ----  ----  ----  ----------
10  192.0.2.1  198.51.100.1  47   1     1100  0     0 0 0 0
11  192.0.2.1  203.0.113.1   47   1     1100  0     0 0 0 0

BSSID              Decaps  Encaps  Heartbeats  Cpu  QSz  Flags   EncapKBytes  DecapKBytes
00:00:00:00:00:00  0       5       0           22   0    TEFPR
00:00:00:00:00:00  0       0       0           23   0    LEFPRH
In this example, the member tunnel 11 is a standby tunnel, which is denoted by the H flag.
-
Configuring Jumbo Frame Support You can use the WebUI or CLI to configure the jumbo frame support. In the WebUI To enable jumbo frame support globally: 1. Navigate to the Configuration > ADVANCED SERVICES > Stateful firewall > Global Setting page. 2. Select the Jumbo frames processing checkbox to enable the jumbo frames support. 3. Enter the value of the MTU in the Jumbo MTU [1789-9216] bytes textbox. 4. Click Apply. To enable jumbo frame support on a port: 1.
-
Chapter 5 IPv6 Support
This chapter describes ArubaOS support for IPv6 features:
- Understanding IPv6 Notation on page 198
- Understanding IPv6 Topology on page 198
- Enabling IPv6 on page 199
- Enabling IPv6 Support for Controller and APs on page 199
- Filtering an IPv6 Extension Header (EH) on page 207
- Configuring a Captive Portal over IPv6 on page 207
- Working with IPv6 Router Advertisements (RAs) on page 208
- RADIUS Over IPv6 on page 211
- TACACS Over IPv6 on page 212
- DHCPv6 Se
-
default gateway in most deployments. However, the controller can be the default gateway by using static routes. The master-local communication always occurs in IPv4. The following image illustrates how IPv6 clients, APs, and controllers communicate with each other in an IPv6 network:
Figure 34 IPv6 Topology
- The IPv6 controller (MC2) terminates both V4 AP (IPv4 AP) and V6 AP (IPv6 AP).
- Client 1 (IPv4 client) terminates to V6 AP and Client 2 (IPv6 client) terminates to V4 AP.
-
terminate on the IPv6 controller. You can provision an IPv6 AP in the network only if the controller interface is configured with an IPv6 address. An IPv6 AP can serve both IPv4 and IPv6 clients. You must manually configure an IPv6 address on the controller interface to enable IPv6 support.
-
Feature | Supported on IPv6 APs?
AP Type - RAP | No
AP Type - Mesh Node | No
IPSEC | No
CPSec | No
Wired-AP/Secure-Jack | No
Fragmentation/Reassembly | Yes
MTU Discovery | Yes
Provisioning through Static IPv6 Addresses | Yes
Provisioning through IPv6 FQDN Master Name | Yes
Provisioning from WebUI | Yes
AP boot by Flash | Yes
AP boot by TFTP | No
WMM QoS | No
AP Debug and Syslog | Yes
ARM & AM | Yes
WIDS | Yes (Limited)
CLI support for users & datapath | Yes
Configuring IPv6 Addresses
You can configure IPv6
-
- Global unicast—2000::/3
- Unique local unicast—fc00::/7
- Link local unicast—fe80::/10
In the WebUI
To Configure Link Local Address
1. Navigate to the Configuration > Network > IP page and select the IP Interfaces tab.
2. Edit a VLAN # and select IP version as IPv6.
3. Enter the link local address in the Link Local Address field.
4. Click Apply.
To Configure Global Unicast Address
1. Navigate to the Configuration > Network > IP page and select the IP Interfaces tab.
2.
-
In the WebUI 1. Navigate to the Configuration > Network > IP page and select the IPv6 Neighbors tab. 2. Click Add and enter the following details of the IPv6 neighbor: l IPV6 Address l Link-layer Addr l VLAN Interface 3. Click Done to apply the configuration.
-
2. Under the Controller IP Details section, select the VLAN Id or the loopback interface Id in the IPv6 Address drop down. 3. Click Apply.
-
To configure the SSM Range: 1. Navigate to Configuration>Network>IP page and select the Multicast tab. 2. In the MLD section, use the SSM Range Start-IP and SSM Range End-IP fields to configure the SSM Range. 3. Click Apply to save your changes.
-
In the CLI
To verify the DMO configuration, execute the following command:
(host) #show wlan virtual-ap
Limitations
The following are the MLDv2 limitations:
- The controller cannot route multicast packets.
- For mobility clients, MLD proxy should be used.
- In a VLAN pool scenario, the stream is forwarded to clients in both VLANs even if only a client from one of the VLANs is subscribed.
- Dynamic Multicast Optimization is applicable for wired clients in controllers.
-
In the WebUI 1. Navigate to the Configuration > AP Installation> Provision page and select the Provisioning tab. 2. Select an AP and click Provision. 3. Under the Master Discovery section, enter the host controller IP address and the IPv6 address of the master controller. 4.
-
You can configure captive portal over IPv6 (similar to IPv4) using the WebUI or CLI. For more information on configuration, see Configuring Captive Portal in the Base Operating System on page 373. Working with IPv6 Router Advertisements (RAs) ArubaOS enables the controllers to send router advertisements (RA) in an IPv6 network. Each host auto generates a link local address when you enable ipv6 on the host. The link local address allows the host to communicate between the nodes attached to the same link.
-
- The advertised IPv6 prefix length must be 64 bits for the stateless address autoconfiguration to be operational.
- You can configure up to three IPv6 prefixes per VLAN interface.
- Each IPv6 prefix must have an on-link interface address configured on the VLAN.
- Ensure you configure the upstream routers to route the packets back to the Dell controller.
You can use the WebUI or CLI to configure the IPv6 RA on a VLAN.
Using WebUI
1.
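The RA constraints above (a /64 prefix for stateless autoconfiguration, at most three prefixes per VLAN, an on-link interface address inside each prefix) and the address ranges listed under Configuring IPv6 Addresses (global unicast 2000::/3, unique local fc00::/7, link local fe80::/10) are easy to check before pushing a configuration. The following Python script is an added example written for this guide, not Dell or Aruba code and not an ArubaOS command: it classifies an IPv6 address by the listed ranges and validates a planned set of RA prefixes for one VLAN. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# IPv6 address ranges as listed on this page under Configuring IPv6 Addresses.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

# RA constraints quoted from this page (Working with IPv6 Router Advertisements).
SLAAC_PREFIX_LENGTH = 64        # advertised prefix must be /64 for SLAAC to work
MAX_RA_PREFIXES_PER_VLAN = 3    # at most three prefixes per VLAN interface


def classify(addr):
    """Return the scope of an IPv6 address according to the three ranges above:
    'link-local', 'unique-local', 'global-unicast', or 'other' for anything else."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    if a in GLOBAL_UNICAST:
        return "global-unicast"
    return "other"


def validate_ra_prefixes(vlan_addresses, ra_prefixes):
    """Check a VLAN's planned RA prefixes against the rules stated on this page.

    vlan_addresses: interface addresses configured on the VLAN, as 'addr/len' strings.
    ra_prefixes:    prefixes to advertise on that VLAN, as 'prefix/len' strings.
    Returns a list of human-readable problems; an empty list means the plan is consistent.
    (Hypothetical helper for illustration; ArubaOS performs its own checks.)"""
    problems = []
    on_link = [ipaddress.IPv6Interface(a).ip for a in vlan_addresses]

    if len(ra_prefixes) > MAX_RA_PREFIXES_PER_VLAN:
        problems.append(
            f"{len(ra_prefixes)} prefixes configured; the limit is "
            f"{MAX_RA_PREFIXES_PER_VLAN} per VLAN interface")

    for p in ra_prefixes:
        net = ipaddress.IPv6Network(p, strict=False)
        if net.prefixlen != SLAAC_PREFIX_LENGTH:
            problems.append(
                f"{p}: prefix length is /{net.prefixlen}, not /{SLAAC_PREFIX_LENGTH}; "
                "stateless address autoconfiguration will not be operational")
        # Rule: each advertised prefix needs an on-link interface address on the VLAN.
        if not any(ip in net for ip in on_link):
            problems.append(f"{p}: no on-link interface address on this VLAN falls inside the prefix")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: one VLAN with two interface addresses and two /64 prefixes.
    print(validate_ra_prefixes(["2001:db8:1::1/64", "fd00:1::1/64"],
                               ["2001:db8:1::/64", "fd00:1::/64"]))
    for a in ("fe80::1", "fd12:3456::1", "2001:db8::1"):
        print(a, classify(a))
```

The on-link check uses the interface address of the VLAN, so a prefix that is advertised but has no address from it on the VLAN is reported, which is the configuration mistake the third rule is guarding against.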
-
- RA lifetime – the lifetime associated with the default router in seconds. A value of zero indicates that the router is not a default router and will not appear on the default router list. The router lifetime applies only to the router's usefulness as a default router; it does not apply to information contained in other message fields or options.
-
In the CLI
Execute the following CLI commands to configure the neighbor discovery and RA options for a VLAN interface:
To configure neighbor discovery reachable time:
(host)(config) #interface vlan <vlan-id>
(host)(config-subif)#ipv6 nd reachable-time <value>
To configure neighbor discovery retransmit time:
(host)(config-subif)#ipv6 nd retransmit-time <value>
To configure IPv6 recursive DNS server:
(host)(config-subif)#ipv6 nd ra dns X:X:X:X::X
To configure RA hop-limit:
(host)(config-subif)#ipv6 nd ra h
-
The parameter can also be a fully qualified domain name that can resolve to an IPv6 address. To resolve FQDN, you must configure the DNS server name using the ip name-server command.
-
(host)(TACACS Server "IPv6") #host <ipv6-addr>
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select TACACS Server to display the Server List.
3. Select the required server from the list to go to the TACACS server page.
4. To configure an IPv6 host for the selected server, specify an IPv6 address in the Host field.
5. Click Apply.
-
Platform | Maximum number of DHCP Leases Supported
W-6000M3 | 512
W-3400 | 512
W-3600 | 512
W-7005 | 512
W-7010 | 1024
W-7030 | 2048
W-7210 | 5120
W-7220 | 10240
W-7240 | 15360
Configuring DHCPv6 Server
You must enable the global DHCPv6 knob for the DHCPv6 functionality to be operational. You can enable and configure the DHCPv6 server using the WebUI or CLI.
In the WebUI
1. Navigate to the Configuration > Network > IP page and select the DHCP Server tab.
2.
-
9. Enter the number of days, hours, minutes, and seconds in Lease to configure the lease time. The default value is 12 hours.
10. Specify an IPv6 prefix in Network to configure an IPv6 network.
11. Enter the following details under Option to configure client specific DHCPv6 options.
a. Specify the option code in Option.
b. Select IP or text from the IP/Text drop-down list.
c. Enter a value in Value. If you selected IP in step b, then you must enter a valid IPv6 address in this field.
d. Click Add.
12.
-
To clear all the DHCPv6 bindings, use the following command:
(host)# clear ipv6 dhcp binding
To view the DHCPv6 server statistics, use the following command:
(host)(config) #show ip dhcp statistics
To view the DHCPv6 active pools, use the following command:
(host) #show ipv6 dhcp active-pools
Understanding ArubaOS Supported Network Configuration for IPv6 Clients
ArubaOS provides wired or wireless clients using IPv6 addresses with services such as firewall functionality, layer-2 authentication, and, with
-
Understanding ArubaOS Authentication and Firewall Features that Support IPv6
This section describes ArubaOS features that support IPv6 clients.
Understanding Authentication
This release of ArubaOS only supports 802.1x authentication for IPv6 clients. You cannot configure layer-3 authentications to authenticate IPv6 clients.
Table 38: IPv6 Client Authentication
Authentication Method | Supported for IPv6 Clients?
802.1x | Yes
Stateful 802.
-
Table 39: IPv6 Firewall Parameters
Parameter | Description
Monitor Ping Attack (per 30 seconds) | Number of ICMP pings per 30 seconds which, if exceeded, can indicate a denial of service attack. Valid range is 1-16384 pings per 30 seconds. Recommended value is 120. Default: No default
Monitor TCP SYN Attack rate (per 30 seconds) | Number of TCP SYN messages per 30 seconds which, if exceeded, can indicate a denial of service attack. Valid range is 1-16384 SYN messages per 30 seconds. Recommended value is 960.
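The two monitor parameters in Table 39 are rate thresholds over a 30-second window: 120 ICMP pings or 960 TCP SYNs per 30 seconds is the recommended point at which the firewall treats the rate as a possible denial of service. The Python script below is an added example for this guide, not Dell or Aruba code, that applies those thresholds to a constructed event stream so the meaning of "per 30 seconds" is concrete. The trailing sliding window it uses is an assumption for illustration; the guide does not describe how the controller itself counts packets, and the event sample is constructed, not captured traffic.

```python
from collections import deque

# Thresholds taken from Table 39 (recommended values, per 30-second window).
# The sliding-window bookkeeping below is an assumption used for illustration;
# the guide does not describe how the controller itself counts packets.
WINDOW_SECONDS = 30
RECOMMENDED_PING_RATE = 120   # Monitor Ping Attack
RECOMMENDED_SYN_RATE = 960    # Monitor TCP SYN Attack rate


class RateMonitor:
    """Counts events of one kind inside a trailing window of WINDOW_SECONDS."""

    def __init__(self, threshold, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.times = deque()   # timestamps of events still inside the window

    def observe(self, t):
        """Record an event at time t (seconds, non-decreasing).

        Returns True when the count in the trailing window exceeds the threshold,
        which is the condition Table 39 describes as indicating a possible DoS."""
        self.times.append(t)
        while self.times and t - self.times[0] >= self.window:
            self.times.popleft()
        return len(self.times) > self.threshold


def scan(events, ping_rate=RECOMMENDED_PING_RATE, syn_rate=RECOMMENDED_SYN_RATE):
    """events: iterable of (timestamp, kind) with kind 'icmp' or 'syn', sorted by time.

    Returns the list of (timestamp, kind) at which the threshold was exceeded."""
    monitors = {"icmp": RateMonitor(ping_rate), "syn": RateMonitor(syn_rate)}
    alerts = []
    for t, kind in events:
        if monitors[kind].observe(t):
            alerts.append((t, kind))
    return alerts


def sample_events():
    """Constructed sample traffic (not captured data): 121 ICMP echo requests
    within 12 s, followed by 900 TCP SYNs spread evenly over 60 s."""
    events = [(i / 10, "icmp") for i in range(121)]               # 0.0 .. 12.0 s
    events += [(20 + i * 60 / 900, "syn") for i in range(900)]   # 20.0 .. ~80 s
    return sorted(events)


if __name__ == "__main__":
    for t, kind in scan(sample_events()):
        print(f"t={t:.1f}s: {kind} rate exceeded the recommended threshold")
```

With the constructed sample the ICMP threshold is crossed once, on the 121st ping, while 900 SYNs over a minute never put more than about 450 SYNs in any 30-second window and so stay under 960, which is why a burst matters more than a total when reading these parameters.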
-
Table 39: IPv6 Firewall Parameters (continued)
Parameter | Description
Session Mirror Destination | Destination (IPv4 address or controller port) to which mirrored session packets are sent. You can configure IPv6 flows to be mirrored with the session ACL “mirror” option. This option is used only for troubleshooting or debugging. Default: N/A
Session Idle Timeout | Set the time, in seconds, that a non-TCP session can be idle before it is removed from the session table. Specify a value in the range 16–259 seconds.
-
Table 40: IPv6 Firewall Policy Rule Parameters
Field | Description
Source (required) | Source of the traffic:
- any: Acts as a wildcard and applies to any source address.
- user: This refers to traffic from the wireless client.
- host: This refers to traffic from a specific host. When this option is chosen, you must configure the IPv6 address of the host. For example, 2002:d81f:f9f0:1000:c7e:5d61:585c:3ab.
- network: This refers to traffic that has a source IP from a subnet of IP addresses.
-
Table 40: IPv6 Firewall Policy Rule Parameters (continued)
Field | Description
Queue (optional) | The queue in which a packet matching this rule should be placed. Select High for higher priority data, such as voice, and Low for lower priority traffic.
Time Range (optional) | Time range for which this rule is applicable. You configure time ranges in the Configuration > Security > Access Control > Time Ranges page.
-
f. Select svc-https from the scrolling list.
g. Click Add. Rules can be reordered using the up and down arrow buttons provided for each rule.
7. Click Apply. The policy is not created until the configuration is applied.
-
Understanding User Roles
An IPv6 user or client can inherit the corresponding IPv4 roles. A user or client entry in the user table contains the user or client’s IPv4 and IPv6 entries. After captive-portal authentication, an IPv4 client can acquire a different role. This role is also updated on the client’s IPv6 entry in the user table.
-
- Remote AP supports IPv6 clients in tunnel forwarding mode only. The Remote AP bridge and split-tunnel forwarding modes do not support IPv6 clients. Secure Thin Remote Access Point (STRAP) cannot support IPv6 clients.
- IPSec is not supported over IPv6.
- IPv6 Auto configuration and IPv6 Neighbor Discovery mechanisms do not apply to IPv6 tunnels.
- Tunnel Encapsulation Limit, Tunnel-group, and MTU discovery options on IPv6 tunnels are not supported.
-
Chapter 6 Link Aggregation Control Protocol The ArubaOS implementation of Link Aggregation Control Protocol (LACP) is based on the standards specified in 802.3ad. LACP provides a standardized means for exchanging information, with partner systems, to form a Link Aggregation Group (LAG). LACP avoids port channel misconfiguration. Two devices (actor and partner) exchange LACP Data Units (DUs) when forming a LAG.
-
Configuring LACP

Two LACP-configured devices exchange LACPDUs to form a link aggregation group (LAG). A device is configurable as an active or passive participant. In active mode, the device initiates DUs irrespective of the partner state; passive-mode devices respond only to the incoming DUs sent by the partner device. Hence, to form a LAG between two devices, at least one device must be an active participant. For detailed information on the LACP commands, see the ArubaOS 6.4.
-
F - Device is requesting fast LACPDUs
A - Device is in active mode
P - Device is in passive mode

Port    Flags  Pri  AdminKey  OperKey  State  Num  Status
----    -----  ---  --------  -------  -----  ---  ------
FE 1/1  SA     1    0x1       0x1      0x45   0x2  DOWN
FE 1/2  SA     1    0x1       0x1      0x45   0x3  UP

In the WebUI

Access LACP from the Configuration > Network > Port tabs. Use the drop-down list to enter the LACP values.
- LACP Group: the link aggregation group (LAG) number; the range is 0 to 7.
-
interface fastethernet 1/0
  description "FE1/0"
  trusted vlan 1-4094
  lacp group 0 mode active
!
interface fastethernet 1/1
  description "FE1/1"
  trusted vlan 1-4094
  lacp timeout short
  lacp group 0 mode active
!
interface fastethernet 1/2
  description "FE1/2"
  trusted vlan 1-4094
  lacp group 0 mode passive
!

228 | Link Aggregation Control Protocol Dell Networking W-Series ArubaOS 6.4.
-
Chapter 7 OSPFv2

OSPFv2 (Open Shortest Path First) is a dynamic Interior Gateway Protocol (IGP) based on IETF RFC 2328. OSPF uses the shortest or fastest routing path. Dell's implementation of OSPFv2 allows Dell controllers to deploy effectively in a Layer 3 topology. Dell controllers can act as the default gateway for all clients and forward user packets to the upstream router.
-
Platform  Branches  Routes
W-7220    16K       16K
W-7240    32K       32K

Below are some guidelines regarding deployment and topology for this release of OSPFv2.
- In the WLAN scenario, configure the Dell controller and all upstream routers in a totally stub area; in the Branch scenario, configure a stub area so that the Branch controller can receive corporate subnets.
- On the upstream router in the WLAN scenario, configure only the interface connected to the controller in the same area as the controller.
-
Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default

Below is the routing table for Router 1:

(router1) #show ip route
O  10.1.1.0/24 [1/0] via 4.1.1.1
O  12.1.1.0/24 [1/0] via 4.1.1.1
C  4.1.1.0 is directly connected, VLAN4

Below is the routing table for Router 2:

(router2) #show ip route
O  10.1.1.0/24 [2/0] via 5.1.1.1
O  12.1.1.0/24 [2/0] via 5.1.1.1
C  5.1.1.
-
In Figure 35, the branch office controller is configured using VLAN 14 and VLAN 15. A Layer 3 GRE tunnel is configured with IP address 20.1.1.1/24, and OSPF is enabled on the tunnel interface. On the Central office controller, OSPF is enabled on VLAN interfaces 4 and 5 and on the Layer 3 GRE tunnel interface (configured with IP address 20.1.1.2/24). The OSPF interface cost on VLAN 4 is configured lower than on VLAN 5.
-
Figure 36 General OSPF Configuration

2. Click Add to add an area (see Figure 37).

Figure 37 Add an OSPF Area

3. Configure the OSPF interface settings in the Configuration screen (Figure 38). If OSPF is enabled, the parameters contain the correct default values. You can edit the OSPF values only when you enable OSPF on the interface.
-
Figure 38 Edit OSPF VLAN Settings

OSPF monitoring is available from the IP Routing sub-section (Controller > IP Routing > Routing). Both Static and OSPF routes are available in table format. OSPF Interface and Neighbor information is available from the OSPF tab. The Interface information includes transmit (TX) and receive (RX) statistics.

Exporting VPN Client Addresses to OSPF

You can configure VPN client addresses so that they are exported to OSPF and advertised as host routes (/32).
-
Figure 39 Sample OSPF Topology

Remote Branch 1

controller-ip vlan 30
vlan 16
vlan 30
vlan 31
vlan 32
interface gigabitethernet 1/0
  description "GE1/0"
  trusted
  switchport access vlan 16
!
interface gigabitethernet 1/1
  description "GE1/1"
  trusted
  switchport access vlan 30
!
interface gigabitethernet 1/2
  description "GE1/2"
  trusted
  switchport access vlan 31
!
interface gigabitethernet 1/3
  description "GE1/3"
  trusted
  switchport access vlan 32
!
interface vlan 16
  ip address 192.168.16.251 255.255.255.
-
!
interface vlan 30
  ip address 192.168.30.1 255.255.255.0
!
interface vlan 31
  ip address 192.168.31.1 255.255.255.0
!
interface vlan 32
  ip address 192.168.32.1 255.255.255.0
!
uplink wired priority 202
uplink cellular priority 201
uplink wired vlan 16
interface tunnel 2003
  description "Tunnel Interface"
  ip address 2.0.0.3 255.0.0.0
  tunnel source 192.168.30.1
  tunnel destination 192.168.68.217
  trusted
  ip ospf area 10.10.10.10
!
ip default-gateway 192.168.16.254
ip route 192.168.0.0 255.255.0.
-
  ip address 192.168.50.1 255.255.255.0
!
interface vlan 51
  ip address 192.168.51.1 255.255.255.0
!
interface vlan 52
  ip address 192.168.52.1 255.255.255.0
!
uplink wired priority 206
uplink cellular priority 205
uplink wired vlan 20
interface tunnel 2005
  description "Tunnel Interface"
  ip address 2.0.0.5 255.0.0.0
  tunnel source 192.168.50.1
  tunnel destination 192.168.68.217
  trusted
  ip ospf area 10.10.10.10
!
ip default-gateway 192.168.20.254
ip route 192.168.0.0 255.255.0.
-
  tunnel source 192.168.225.2
  tunnel destination 192.168.30.1
  trusted
  ip ospf area 10.10.10.10
!
interface tunnel 2005
  description "Tunnel Interface"
  ip address 2.1.0.5 255.0.0.0
  tunnel source 192.168.225.2
  tunnel destination 192.168.50.1
  trusted
  ip ospf area 10.10.10.10
!
master-redundancy
  master-vrrp 2
  peer-ip-address 192.168.68.221 ipsec password123
!
vrrp 1
  priority 120
  authentication password123
  ip address 192.168.68.
-
interface gigabitethernet 1/2
  description "GE1/2"
  trusted
  switchport access vlan 68
!
interface vlan 68
  ip address 192.168.68.221 255.255.255.224
!
interface vlan 100
  ip address 192.168.100.5 255.255.255.0
!
interface vlan 225
  ip address 192.168.225.1 255.255.255.0
!
interface tunnel 2003
  description "Tunnel Interface"
  ip address 2.1.0.3 255.0.0.0
  tunnel source 192.168.225.1
  tunnel destination 192.168.30.1
  trusted
  ip ospf area 10.10.10.10
!
interface tunnel 2005
  description "Tunnel Interface"
  ip address 2.
-
The following figure displays how the controller is configured for Instant AP VPN for different OSPF cases.

Topology
- Area-10 is an NSSA (Not-So-Stubby Area).
- Area-11 is a Normal area.
- RAPNG AP-1 is configured to have a 3600-UP controller as its primary controller and a 3600-DOWN as its secondary controller.
- RAPNG AP-2 is configured to have a 3600-DOWN as its primary controller and a 3600-UP as its secondary controller.
- RAPNG AP-1 is configured to have a 201.201.203.0/24 L3-distributed network.
-
The following commands display the configuration and run-time protocol details on the W-3600-UP controller:

(host)#show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN
Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
Gateway of last resort is 10.15.231.
-
Area  Type         Link ID        Adv Router     Age   Seq#        Checksum
----  -----------  -------------  -------------  ----  ----------  --------
N/A   AS_EXTERNAL  201.201.203.0  10.15.231.186  3600  0x80000001  0x6690
N/A   AS_EXTERNAL  201.201.203.0  192.100.2.3    1104  0x80000002  0xe4a2
N/A   AS_EXTERNAL  202.202.202.0  25.25.25.1     268   0x80000003  0x4385

(host) #show ip ospf neighbor
OSPF Neighbor Table
-------------------
Neighbor ID  Pri  State    Address     Interface
-----------  ---  -------  ----------  ---------
21.21.21.1   1    FULL/DR  21.21.21.1  Vlan

Configuring W-3600-DOWN Controller

interface vlan 22
  ip address 22.22.22.2 255.255.255.0
  ip ospf area 0.0.0.
-
OSPF Database Table (partial)

Area      Type         Link ID        Adv Router
--------  -----------  -------------  -----------
0.0.0.10  NSSA         0.0.0.0        25.25.25.1
0.0.0.10  NSSA         10.15.228.0    25.25.25.1
0.0.0.10  NSSA         12.12.12.0     192.100.2.2
0.0.0.10  NSSA         25.25.25.0     25.25.25.1
0.0.0.10  NSSA         202.202.202.0  192.100.2.2
N/A       AS_EXTERNAL  12.12.12.0     192.100.2.2
N/A       AS_EXTERNAL  202.202.202.0  192.100.2.
-
IP Address    MAC Address
5.5.0.2       00:24:6C:C9:27:A3
10.15.149.30  00:24:6C:C9:27:A3
10.15.149.25  00:0B:86:40:93:00

(host)# show clients
Client List
-----------
Name  IP Address     MAC Address        OS  Network  Access Point       Channel  Type  Role  Signal  Speed (mbps)
----  -------------  -----------------  --  -------  -----------------  -------  ----  ----  ------  ------------
      201.201.203.8  00:26:c6:52:6b:14                00:24:6c:c9:27:a3  48-      AN          (good)  6 (poor)
Info timestamp: 80259
-
User table (IP Address column): 192.100.2.2, 192.168.10.1, 201.201.203.8, 10.1.1.50, 192.168.11.7, 4.4.0.2, 10.13.6.110, 10.15.149.38, 10.15.149.35, 10.15.149.33
User table (MAC Address column): 00:00:00:00:00:00, 00:24:6C:C0:41:F2, 00:00:00:00:00:00, 00:00:00:00:00:00, 00:26:C6:52:6B:14, 00:24:6C:C0:41:F2, 00:00:00:00:00:00, 00:24:6C:C9:27:CC, 00:24:6C:C0:41:F2, 00:0B:86:40:93:00

(host)# show clients
Client List
-----------
Name  IP Address    MAC Address  Signal  Speed (mbps)
----  ------------  -----------  ------  ------------
      202.202.202.
-
Chapter 8 Tunneled Nodes

This chapter describes how to configure a Dell tunneled node, also known as a wired tunneled node. Dell tunneled nodes provide access and security using an overlay architecture.
-
Figure 40 Tunneled Node Configuration Operation

Configuring a Wired Tunneled Node Client

ArubaOS does not allow a tunneled-node client and a tunneled-node server to co-exist on the same controller at the same time. The controller must be configured as either a tunneled-node client or a tunneled-node server. By default, the controller behaves as a tunneled-node server. However, once tunneled-node-server xxx.xxx.xxx.xxx is configured on the controller, the controller becomes a tunneled-node client.
-
d. Enter the IP address of the controller in the Wired Access Concentrator Server IP field.
e. To enable tunnel loop prevention, click the Enable Wired Access Concentrator Loop Prevention checkbox.
f. Click Apply.
3. Access each interface that you want to use, and assign it as a tunneled node port.
(host) (config) #interface fastethernet n/m
(host) (config-if) #tunneled-node port
4. Verify the configuration.
-
Chapter 9 Authentication Servers

The ArubaOS software allows you to use an external authentication server or the controller internal user database to authenticate clients who need to access the wireless network.
-
Figure 41 represents a server group named "Radii" that consists of two RADIUS servers, Radius-1 and Radius-2. The server group is assigned as the server group for 802.1x authentication.

Figure 41 Server Group

Server names are unique. You can configure the same server in multiple server groups. You must configure the server before you can add it to a server group. If you use the controller's internal database for user authentication, use the predefined "Internal" server group.
-
Using the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Radius Server to display the Radius Server List.
3. To configure a RADIUS server, enter the name for the server and click Add.
4. Select the name to configure server parameters. Enter the parameters as described in Table 42. Select the Mode checkbox to activate the authentication server.
5. Click Apply. The configuration does not take effect until you perform this step.
-
Parameter: Timeout
Description: Maximum time, in seconds, that the controller waits before timing out the request and resending it. Default: 5 seconds

Parameter: NAS ID
Description: Network Access Server (NAS) identifier to use in RADIUS packets.

Parameter: NAS IP
Description: The NAS IP address to be sent in RADIUS packets. You can configure a "global" NAS IP address that the controller uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IP, the global NAS IP is used.
-
- oui-nic: Send MAC address as XXXXXX-XXXXXX
Default: none

Parameter: Service-type of FRAMED-USER
Description: Send the service-type as FRAMED-USER instead of LOGIN-USER. For more information, see RADIUS Service-Type Attribute on page 253. Default: Disabled

Parameter: Radsec
Description: Enable or disable RADIUS over TLS for this server. Default: Disabled

Parameter: Radsec Trusted CA Name
Description: Enter the trusted CA name to be used to verify this server.
-
Enabling Radsec on RADIUS Servers

The conventional RADIUS protocol offers limited security. This level of security is not sufficient for authentication that takes place across unsecured networks such as the Internet. To address this, the RADIUS over TLS (Radsec) enhancement ensures that RADIUS authentication and accounting data is transmitted safely and reliably across insecure networks. The default destination port for RADIUS over TLS is TCP/2083.
-
attribute format (such as string or integer) for each VSA. For more information on VSA-derived user roles, see Configuring a VSA-Derived Role on page 452.

The following table describes Dell-specific RADIUS VSAs. For the current and complete list of all RADIUS VSAs available in the version of ArubaOS currently running on your controller, access the command-line interface and issue the command show aaa radius attributes.
-
VSA: Aruba-Mdps-Device-Udid
Type: String
Value: 15
Description: The UDID is a unique device identifier that the Onboard application uses as an input attribute while performing device authorization against the internal RADIUS server within ClearPass Policy Manager (CPPM). The UDID is checked against role mappings or enforcement policies to determine whether the device is authorized to be onboarded.
-
VSA: Aruba-AirGroup-User-Name
Type: String
Value: 24
Description: A device owner or username associated with the device.

VSA: Aruba-AirGroup-Shared-User
Type: String
Value: 25
Description: This VSA contains a comma separated list of user names with

VSA: Aruba-AirGroup-Shared-Role
Type: String
Value: 26
Description: This VSA contains a comma separated list of user roles with whom the device is shared.
-
Table 45: RADIUS Authentication Response Codes

Code  Description
0     Authentication OK.
1     Authentication failed: user/password combination not correct.
2     Authentication request timed out: no response from server.
3     Internal authentication error.
4     Bad response from RADIUS server: verify that the shared secret is correct.
5     No RADIUS authentication server is configured.
6     Challenge from server. (This does not necessarily indicate an error condition.
-
3. Enter the cppm_username and cppm_password in the CPPM credentials option.
4. Click Apply.

In the CLI:
(host)(config) #aaa authentication-server radius
(host)(config) #show aaa authentication-server radius

Configuring an RFC-3576 RADIUS Server

You can configure a RADIUS server to send user disconnect, change-of-authorization (CoA), and session timeout messages as described in RFC 3576, "Dynamic Authorization Extensions to Remote Dial In User Service (RADIUS)."
-
Configuring an RFC-3576 RADIUS Server with Radsec

Using the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select RFC 3576 Server to display the Radius Server List.
3. To define a new RFC 3576 RADIUS server, enter the IP address for the server and click Add.
4. Select the server name to configure server parameters.
5. Select the Radsec checkbox.
6. Click Apply.

Using the CLI
(host)(config) #aaa rfc-3576-server enable-radsec no ...
-
Default: sAMAccountName

Parameter: Timeout
Description: Timeout period of an LDAP request, in seconds. Default: 20 seconds

Parameter: Mode
Description: Enables or disables the server. Default: enabled

Parameter: Preferred Connection Type
Description: Preferred type of connection between the controller and the LDAP server. The default order of connection type is:
1. ldap-s
2. start-tls
3.
-
Table 47: TACACS+ Server Configuration Parameters

Parameter: Host
Description: IP address of the server. Default: N/A

Parameter: Key
Description: Shared secret to authenticate communication between the TACACS+ client and server. Default: N/A

Parameter: TCP Port
Description: TCP port used by the server. Default: 49

Parameter: Retransmits
Description: Maximum number of times a request is retried. Default: 3

Parameter: Timeout
Description: Timeout period for TACACS+ requests, in seconds. Default: 20 seconds

Parameter: Mode
Description: Enables or disables the server.
-
Configuring a Windows Server

Table 48 defines parameters for a Windows server used for stateful NTLM authentication.

Table 48: Windows Server Configuration Parameters

Parameter: Host
Description: IP address of the server. Default: N/A

Parameter: Mode
Description: Enables or disables the server. Default: enabled

Parameter: Windows Domain
Description: Name of the Windows Domain assigned to the server.

Using the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Windows Server to display the Windows Server List.
-
Table 49: Internal Database Configuration Parameters

Parameter: User Name (Required)
Description: Enter a user name or select Generate to automatically generate a user name. An entered user name can be up to 64 characters in length.

Parameter: Password (Required)
Description: Enter a password or select Generate to automatically generate a password string. An entered password must be a minimum of 6 characters and can be up to 128 characters in length.

Parameter: Role
Description: Role for the client.
-
Managing Internal Database Files

ArubaOS allows you to import and export user information tables to and from the internal database. These files should not be edited once they are exported. ArubaOS only supports the importing of database files that were created during the export process. Note that importing a file into the internal database overwrites and removes all existing entries.

Exporting Files in the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2.
-
4. Click OK.

Configuring Server Groups

You can create groups of servers for specific types of authentication. For example, you can specify one or more RADIUS servers to be used for 802.1x authentication. You can configure servers of different types in one group. For example, you can include the internal database as a backup to a RADIUS server.

Configuring Server Groups

Server names are unique. You can configure the same server in more than one server group.
-
- Certain servers, such as the RSA RADIUS server, lock out the controller if there are multiple authentication failures. Therefore, you should not enable fail-through authentication with these servers.

In the following example, you create a server group "corp-serv" with two LDAP servers (ldap-1 and ldap-2), each containing a subset of the usernames and passwords used in the network.
-
- The server is selected if the client/user information exactly matches a specified string.

You can configure multiple match rules for the same server. The controller compares the client/user information with the match rules configured for each server, starting with the first server in the server group. If a match is found, the controller sends the authentication request to the server with the matching rule.
-
c. For Match String, enter abc.corpnet.com.
d. Click Add Rule >>.
e. Scroll to the right and click Add Server.
The last server you added to the server group (radius-2) automatically appears as the first server in the list. In this example, the order of servers is not important. If you need to reorder the server list, scroll to the right and click the up or down arrow for the appropriate server.
7. Click Apply.
-
- @: the @ portion is truncated
This option does not support client information sent in the format host/.

Using the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Server Group to display the Server Group list.
3. Enter the name of the new server group and click Add.
4. Select the name to configure the server group.
5. Under Servers, click Edit for a configured server or click New to add a server to the group.
-
Table 50: Server Rule Configuration Parameters

Parameter: Role or VLAN
Description: The server derivation rules apply to either user role or VLAN assignment. With Role assignment, a client can be assigned a specific role based on the attributes returned. In VLAN assignment, the client can be placed in a specific VLAN based on the attributes returned.

Parameter: Attribute
Description: This is the attribute returned by the authentication server that is examined for the Operation and Operand match.
-
b. Select the operation from the drop-down list.
c. Enter the operand.
d. To set the role, select set role from the Set drop-down list and enter the value to be assigned from the Value drop-down list.
e. Or, to set the VLAN, select set vlan from the Set drop-down list, select the VLAN name or ID from the Value drop-down list, and click the left-arrow.
f. Click Add.
g. Repeat the above steps to add other rules for the server group.
7. Click Apply.
-
Table 51: Server Types and Purposes

Purpose                    RADIUS  TACACS+  LDAP  Internal Database
User authentication        Yes     Yes      Yes   Yes
Management authentication  Yes     Yes      Yes   Yes
Accounting                 Yes     Yes      No    No

User Authentication

For information about assigning a server group for user authentication, refer to the Roles and Policies chapter of the Dell Networking W-Series ArubaOS User Guide.
-
2. The controller sends an Accounting Stop packet when a user logs off; the packet information includes various statistics such as elapsed time, input and output bytes, and packets. The RADIUS server sends an acknowledgment of the packet.

The following is the list of attributes that the controller can send to a RADIUS accounting server:
- Acct-Status-Type: This attribute marks the beginning or end of an accounting record for a user. Current values are Start, Stop, and Interim Update.
-
The following attributes are sent in Accounting-Request packets when the Acct-Status-Type value is Stop:
- Acct-Status-Type
- User-Name
- NAS-IP-Address
- NAS-Port
- NAS-Port-Type
- NAS-Identifier
- Framed-IP-Address
- Calling-Station-ID
- Called-station-ID
- Acct-Session-ID
- Acct-Authentic
- Terminate-Cause
- Acct-Session-Time

The following attributes are sent only in Accounting Stop packets (they are not sent in Accounting Start packets):
- Acct-Input-Octets
- Acct-Output-Octets
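To make the wire format behind the VSA table and the accounting attribute lists concrete, here is an added Python example (it is not ArubaOS code and does not come from this guide). It encodes and decodes RADIUS attribute TLVs, wraps an AirGroup VSA from the VSA table in a Vendor-Specific attribute, and builds the attribute sets of an accounting Start and Stop request so that the octet counters appear only in Stop. The standard attribute numbers are from RFC 2865 and RFC 2866; the Aruba vendor ID 14823 is not stated on this page and is assumed from the IANA enterprise-number registry; the session values are constructed.

```python
"""Encode/decode RADIUS attributes, Aruba VSAs, and accounting Start/Stop
attribute sets. Added illustration, not code from ArubaOS or this guide."""
import struct
from ipaddress import IPv4Address

# Attribute numbers from RFC 2865 (authentication) and RFC 2866 (accounting).
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, VENDOR_SPECIFIC = 1, 4, 5, 26
CALLING_STATION_ID, NAS_IDENTIFIER = 31, 32
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3   # Acct-Status-Type values

ARUBA_VENDOR_ID = 14823            # assumed: IANA enterprise number for Aruba
ARUBA_AIRGROUP_USER_NAME = 24      # vendor type from the VSA table above
ARUBA_AIRGROUP_SHARED_ROLE = 26


def encode_attr(code, value):
    """One attribute TLV: Type(1) Length(1) Value; Length counts all three."""
    if isinstance(value, bytes):
        data = value
    elif isinstance(value, bool):
        raise TypeError("bool is not a RADIUS value")
    elif isinstance(value, int):
        if not 0 <= value < 2 ** 32:
            raise ValueError("RADIUS integers are unsigned 32-bit")
        data = struct.pack(">I", value)          # big-endian integer
    elif isinstance(value, IPv4Address):
        data = value.packed                      # four raw octets
    else:
        data = str(value).encode("utf-8")        # string / text attribute
    if not 1 <= len(data) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack(">BB", code, len(data) + 2) + data


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) data."""
    data = value.encode("utf-8") if isinstance(value, str) else struct.pack(">I", value)
    inner = struct.pack(">BB", vendor_type, len(data) + 2) + data
    return encode_attr(VENDOR_SPECIFIC, struct.pack(">I", vendor_id) + inner)


def decode_attrs(payload):
    """Split a buffer into (code, raw_value) pairs; reject bad lengths instead
    of reading past the buffer."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % i)
        code, length = payload[i], payload[i + 1]
        if length < 3 or i + length > len(payload):
            raise ValueError("malformed attribute length at offset %d" % i)
        out.append((code, bytes(payload[i + 2:i + length])))
        i += length
    return out


def decode_vsa(raw):
    """Return (vendor_id, vendor_type, data) from a Vendor-Specific value."""
    vendor_id = struct.unpack(">I", raw[:4])[0]
    vendor_type, vendor_len = raw[4], raw[5]
    if vendor_len != len(raw) - 4:
        raise ValueError("vendor length does not match attribute length")
    return vendor_id, vendor_type, raw[6:4 + vendor_len]


def accounting_request(status, session):
    """Attributes of an Accounting-Request; `session` holds what the controller
    knows about the session. Counters are added only on Stop."""
    attrs = [
        encode_attr(ACCT_STATUS_TYPE, status),
        encode_attr(USER_NAME, session["user"]),
        encode_attr(NAS_IP_ADDRESS, IPv4Address(session["nas_ip"])),
        encode_attr(NAS_PORT, session["nas_port"]),
        encode_attr(NAS_IDENTIFIER, session["nas_id"]),
        encode_attr(CALLING_STATION_ID, session["client_mac"]),
        encode_attr(ACCT_SESSION_ID, session["session_id"]),
    ]
    if status == ACCT_STOP:
        attrs += [
            encode_attr(ACCT_SESSION_TIME, session["elapsed"]),
            encode_attr(ACCT_INPUT_OCTETS, session["in_octets"]),
            encode_attr(ACCT_OUTPUT_OCTETS, session["out_octets"]),
        ]
    return b"".join(attrs)


def attr_codes(payload):
    """Attribute numbers present in an encoded attribute list, in order."""
    return [code for code, _ in decode_attrs(payload)]


# Constructed session values; not taken from any real controller.
SAMPLE_SESSION = {
    "user": "alice", "nas_ip": "10.0.0.2", "nas_port": 0, "nas_id": "branch-ctrl-1",
    "client_mac": "00:11:22:33:44:55", "session_id": "alice-0001",
    "elapsed": 3600, "in_octets": 123456, "out_octets": 654321,
}
```

Running `attr_codes(accounting_request(ACCT_STOP, SAMPLE_SESSION))` lists the Stop attribute numbers including 42 and 43, while the Start request stops at Acct-Session-Id; `decode_vsa` on the value of an `encode_vsa` attribute returns the vendor ID, vendor type and the string, which is the lookup a RADIUS dictionary performs before the attribute can drive a VSA-derived role.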
-
RADIUS Accounting on Multiple Servers

ArubaOS provides support for the controllers to send RADIUS accounting to multiple RADIUS servers. The controller notifies all the RADIUS servers to track the status of authenticated users. Accounting messages are sent to all the servers configured in the server group in sequential order. You can enable multiple server accounting functionality by using the WebUI and CLI:

Using the WebUI
1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.
2.
-
Table 52: Authentication Timers

Timer: User Idle Timeout
Description: Maximum period after which a client is considered idle if there is no wireless traffic from the client. The timeout period is reset if there is wireless traffic. If there is no wireless traffic in the timeout period, the client is aged out. Once the timeout period has expired, the user is removed. If the keyword seconds is not specified, the value defaults to minutes at the command line.
-
Using the CLI

The commands below configure timers you can apply to clients. If the optional seconds keyword is not specified for the idle-timeout and stats-timeout parameters, the value defaults to minutes.
-
Chapter 10 MAC-based Authentication

This chapter describes how to configure MAC-based authentication on the Dell controller using the WebUI. Use MAC-based authentication to authenticate devices based on their physical media access control (MAC) address. Although this is not the most secure and scalable method, MAC-based authentication implicitly provides an additional layer of security to authenticate devices.
-
Table 53: MAC Authentication Profile Configuration Parameters

Parameter: Delimiter
Description: Delimiter used in the MAC string:
- colon specifies the format XX:XX:XX:XX:XX:XX
- dash specifies the format XX-XX-XX-XX-XX-XX
- none specifies the format XXXXXXXXXXXX
- oui-nic specifies the format XXXXXX:XXXXXX
Default: none
NOTE: This parameter is available for the aaa authentication-server radius command.

Parameter: Case
Description: The case (upper or lower) used in the MAC string.
-
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Internal DB.
3. Click Add User in the Users section. The user configuration page displays.
4. For User Name and Password, enter the MAC address for the client. Use the format specified by the Delimiter parameter in the MAC Authentication profile. For example, if the MAC Authentication profile specifies the default delimiter (none), enter MAC addresses in the format xxxxxxxxxxxx.
5.
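Because the internal database entry must match the MAC string exactly as the profile renders it, here is an added Python example (not ArubaOS code and not from this guide) that renders a MAC address in each Delimiter and Case format from the profile table and checks a stored credential against a presented address. It assumes a default Case of lower (the page states only the Delimiter default of none), accepts colon, dash, dot or bare input when normalizing, and renders oui-nic with the colon shown in the profile table.

```python
"""Render a client MAC in the MAC Authentication profile's Delimiter/Case
format and compare it with an internal-database entry. Added illustration."""
import re

# Delimiter values from the MAC Authentication profile table.
FORMATS = {
    "colon":   lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),
    "dash":    lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),
    "none":    lambda h: h,
    "oui-nic": lambda h: h[:6] + ":" + h[6:],   # XXXXXX:XXXXXX as in the profile table
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def canonical_hex(mac):
    """Strip colon, dash or dot separators (input-side assumption) and
    require exactly 12 hex digits; anything else is rejected."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def format_mac(mac, delimiter="none", case="lower"):
    """Return mac in the profile's delimiter/case format.
    Delimiter default none is from the guide; case default lower is assumed."""
    if delimiter not in FORMATS:
        raise ValueError("unknown delimiter %r" % delimiter)
    if case not in ("lower", "upper"):
        raise ValueError("case must be 'lower' or 'upper'")
    rendered = FORMATS[delimiter](canonical_hex(mac))
    return rendered.upper() if case == "upper" else rendered


def internal_db_entry(mac, delimiter="none", case="lower"):
    """User Name and Password for the internal database are both the
    formatted MAC, as step 4 above describes."""
    formatted = format_mac(mac, delimiter, case)
    return {"username": formatted, "password": formatted}


def credential_matches(stored_username, presented_mac, delimiter="none", case="lower"):
    """The lookup succeeds only when the stored string equals the presented
    MAC rendered in the profile's format; the comparison itself is exact, so a
    stored entry in the wrong delimiter or case never matches."""
    return stored_username == format_mac(presented_mac, delimiter, case)
```

The last function is the check worth keeping in mind when MAC authentication "mysteriously" fails: an entry typed as `00:26:c6:...` never matches a profile whose delimiter is none, and a profile with Case upper never matches a lowercase entry.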
-
Chapter 11 Branch Controller Config for Controllers

Many distributed enterprises with branch and remote offices and locations use cost-effective hybrid WAN connectivity solutions that include low-cost DSL, 4G and LTE technologies, rather than relying solely on traditional E1/T1 or T3/E3 dedicated circuits.
-
This chapter describes the features and functions of a branch controller, and includes the following topics:
- Branch Deployment Features on page 283
- Zero-Touch Provisioning on page 296
- Using Smart Config to create a Branch Config Group on page 298
- PortFast and BPDU Guard on page 320
- Preventing WAN Link Failure on Virtual APs on page 322
- Branch WAN Dashboard Changes on page 323

Branch Deployment Features

This section describes the following branch controller features.
-
WAN Failure (Authentication) Survivability

This section contains the following information about the authentication survivability feature. This feature is supported on W-7000 Series controllers.
- Supported Client and Authentication Types
- Administrative Functions
- About the Survival Server
- Trigger Conditions for Critical Actions
- Authentication for Captive Portal Clients
- Authentication for 802.
-
Clients: VPN clients (VIA and other VPN clients); Wireless Internet Service Provider roaming (WISPr) clients
Authentication Methods: PAP with an external authentication server; CN lookup with an external authentication server; PAP method and CN lookup; PAP

In this initial release, the external authentication server can be either a RADIUS server or an LDAP server.
-
Enabling Authentication Survivability on a Local Branch Controller

You can configure each local branch controller to enable or disable Authentication Survivability; by default, this feature is disabled. When authentication survivability is enabled, the enabled authentication survivability state is published, which instructs the Survival Server to start storing client access credential attributes and Key Reply attributes.
-
Picking Up the Survival Server for Authentication

The Survival Server performs an authentication or query request when:
- Authentication survivability is enabled, AND
  a. all servers in the server group are out of service, if fail-through is disabled; OR
  b. all in-service servers failed the authentication and at least one server is out of service, if fail-through is enabled.
-
Table 56: Captive Portal Authentication Using XML-API

When Authentication Servers Are Available / When Authentication Servers Are Not Available

For authentication requests from an External Captive Portal using the XML-API, PAP is used to authenticate these requests with an external authentication server.
- If authentication succeeds, the associated access credential with an encrypted SHA-1 hash of the password and Key Reply attributes are stored in the Survival Server database.
-
The external authentication server can be either a RADIUS server or an LDAP server.

Table 58: 802.1X Client Authentication Using EAP_TLS with CN Lookup

When Authentication Servers Are Available
- If the query succeeds, the associated access credential with a returned indicator of EXIST, plus the Key Reply attributes, are stored in the Survival Server database.
-
Table 60: WISPr Authentication Using PAP

When Authentication Servers Are Available

For a WISPr client authenticated by an external server using PAP:
- If authentication succeeds, the associated access credential, along with an encrypted SHA-1 hash of the password and Key Reply attributes, are stored in the Survival Server database.
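The server-group rules from Configuring Server Groups (match rules, server order, fail-through) and the Survival Server pickup condition above combine into one decision procedure. Here is an added Python model of it (not ArubaOS code and not from this guide). It assumes that a server without match rules is always a candidate, stands in for the LDAP/RADIUS backends with constructed credential dictionaries, keeps only the SHA-1 hash of an accepted password (the guide also encrypts it; that layer is omitted), and uses a single `key_reply` string in place of the Key Reply attributes. The `corp-serv` group mirrors the guide's example of two LDAP servers each holding a subset of users.

```python
"""Server-group selection, fail-through and Survival Server pickup, modelled
on the rules in this guide. Added illustration, not ArubaOS code."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    in_service: bool = True
    # Exact-match rules. An empty tuple means no rule, so the server is always
    # a candidate (assumption; the guide only describes the matching case).
    match_strings: tuple = ()
    # Constructed credential store standing in for the real LDAP/RADIUS backend.
    users: dict = field(default_factory=dict)

    def check(self, user, password):
        return self.users.get(user) == password


class SurvivalServer:
    """Caches credentials an external server accepted: SHA-1 hash of the
    password (the guide's encryption wrapper is omitted) plus the Key Reply."""

    def __init__(self):
        self.db = {}

    @staticmethod
    def _digest(password):
        return hashlib.sha1(password.encode("utf-8")).hexdigest()

    def store(self, user, password, key_reply):
        self.db[user] = (self._digest(password), key_reply)

    def lookup(self, user, password):
        entry = self.db.get(user)
        if entry and entry[0] == self._digest(password):
            return entry[1]
        return None


def candidates(group, client_info):
    """Servers in group order whose match rule equals the client info, or that
    have no rule: the controller's first-match walk through the group."""
    return [s for s in group if not s.match_strings or client_info in s.match_strings]


def survival_pickup(servers, survivability, fail_through, in_service_all_failed):
    """The condition from 'Picking Up the Survival Server for Authentication'."""
    if not survivability or not servers:
        return False
    out_of_service = sum(1 for s in servers if not s.in_service)
    if not fail_through:
        return out_of_service == len(servers)            # case a
    return in_service_all_failed and out_of_service > 0  # case b


def authenticate(group, user, password, *, fail_through=False,
                 survivability=False, survival=None, key_reply="authenticated"):
    """Return (verdict, decided_by). key_reply stands in for the attributes a
    server returns on success, which the Survival Server caches."""
    servers = candidates(group, user)
    for server in (s for s in servers if s.in_service):
        if server.check(user, password):
            if survival is not None:
                survival.store(user, password, key_reply)
            return "accept", server.name
        if not fail_through:
            return "reject", server.name   # without fail-through the first rejection is final
    # Reached only if no candidate was in service or every in-service one rejected.
    if survival is not None and survival_pickup(servers, survivability, fail_through, True):
        reply = survival.lookup(user, password)
        return ("accept" if reply else "reject"), "survival-server"
    return "reject", None


# Constructed group matching the guide's corp-serv description.
LDAP_1 = Server("ldap-1", users={"alice": "pw-alice"})
LDAP_2 = Server("ldap-2", users={"bob": "pw-bob"})
CORP_SERV = [LDAP_1, LDAP_2]
```

Two behaviours are worth noticing when running it: with fail-through off, bob is rejected by ldap-1 even though ldap-2 knows him, which is exactly why the guide's corp-serv example needs fail-through; and the Survival Server only ever answers for a user whose credential an external server accepted earlier, so a user who never authenticated while the WAN was up is rejected during an outage.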
-
Distributed Layer 3 Branch Deployment Model

In the branch deployment model shown in Figure 43, the IPsec tunnels are terminated on the master controller. IPsec tunnels are treated as master-local tunnels.

Figure 43 Branch Deployment Model with Master Controller in HQ

Compression/Decompression Engine

The W-7000 Series Controllers contain the Compression/Decompression Engine (CDE) that compresses the raw IP payload data and also decompresses the compressed payload data.
-
The advantage of dynamic compression is a higher compression ratio. However, dynamic compression is slower than static compression, as it requires two passes to complete the process.
- No Compression: You can use no compression for data such as an embedded image file that might already be in a compressed format. Such data does not compress well, and may even increase in size.

For details on configuring this feature using the Smart Config WebUI, see WAN Configuration on page 317.
-
The uplink VLAN manager is enabled by default on branch controller uplinks. Master or local (non-branch) controllers using the PAN portal feature must enable the uplink VLAN manager using the uplink command in the controller command-line interface.

Figure 44 Branch Controller and PAN Firewall Integration

Integration Workflow

The following steps describe the workflow to integrate a branch controller with a Palo Alto Networks (PAN) Large-Scale VPN (LSVPN) firewall.
1.
-
Figure 45 Palo Alto Networks Active Satellites List

5. The branch controller uses the Palo Alto Networks gateway list and credentials from the portal to contact all PAN gateways. Each PAN gateway sends the branch controller information that allows the branch controller to automatically create a secure IPsec tunnel and exchange branch subnet routes with each PAN gateway.
6.
-
Branch Controller Routing Features

The following sections describe some of the features that can be configured using the Smart Config WebUI. For details on configuring these features using the Smart Config WebUI, see Routing Configuration on page 309.

Uplink Routing Using Nexthop Lists

A next-hop IP is the IP address of an adjacent router or device with Layer-2 connectivity to the controller.
-
Zero-Touch Provisioning

Traditionally, the deployment of controllers was a multiple-step process where the master controller information and local configurations were first pre-provisioned. After the local controller connected to the network, it established a secure tunnel to the master and downloaded the global configuration. Zero touch provisioning makes the deployment of local controllers plug-n-play.
-
The parameters of role, country code, and IP address of the master controller are collectively known as the provisioning parameters.

Provisioning Modes for branch deployments

The administrator has the choice of several provisioning modes that alter how the branch controller is supplied with its own IP address, role, country code, and branch config group. During the various provisioning modes, the branch controller is supplied with the IP address of the master controller.
-
To interrupt the auto provisioning process, enter the string mini-setup or full-setup at the initial setup dialog prompt shown below.

Auto-provisioning is in progress.
Choose one of the following options to override or debug...
-
Create and configure a branch config group on a master controller by navigating to the Configuration > BRANCH > Smart Config section of the master controller WebUI. The Smart Config page contains eight tabs for configuring the branch config group settings.

The BRANCH > Smart Config section of the master controller WebUI is available on the W-7200 Series controllers only.
-
To create a new branch config group:
1. Navigate to Configuration > Branch > Smart Config and select the Management tab.
2. Click the New button under the branch config group list. You are prompted to enter a name for the new branch config group profile.
3. Click OK.
4. Next, click the Model drop-down list and select the model type of your branch controllers. Each profile can support a single controller model.
5. Click the IP Address Management drop-down list and select the Static or Dynamic option.
6.
-
The new branch config group appears in the Branch Config Group List table. This table displays the branch config group name, validated/not validated status, and reboot status for each branch config group.
- Status: A status of Validated indicates that the branch config group has a complete configuration that can be applied to branch controllers.
-
Table 62: Supported Branch Config Group Time Zone Formats
UTC- Time Zones | UTC+ Time Zones
"International-Date-Line-West", "UTC-12" | "Casablanca", "UTC+00", "UTC"
"American-Samoa", "UTC-11", "SST" | "Coordinated-Universal-Time", "UTC+00", "UTC"
"Hawaii", "UTC-10", "HST" | "Dublin", "UTC+00", "UTC", "IST"
"Alaska", "UTC-09", "AKST" | "Edinburgh", "UTC+00", "UTC", "BST"
"Baja-California", "UTC-08", "PST" | "Lisbon", "UTC+00", "UTC", "WEST"
"Pacific-Time", "UTC-08", "PST" |
-
UTC- Time Zones | UTC+ Time Zones
"Salvador", "UTC-03", "BST", "BRST" | "Pretoria", "UTC+02", "EET"
"Mid-Atlantic", "UTC-02", "FNT" | "Helsinki", "UTC+02", "EET", "EEST"
"Azores", "UTC-01", "AZOST", "AZOST" | "Istanbul", "UTC+02", "EET", "EEST"
"Cape-Verde-Is", "UTC-01", "CVT" | "Kyiv", "UTC+02", "EET", "EEST"
"Casablanca", "UTC+00", "UTC" | "Riga", "UTC+02", "EET", "EEST"
"Coordinated-Universal-Time", "UTC+00", "UTC" |
-
UTC- Time Zones | UTC+ Time Zones
"Cairo", "UTC+02", "EET" | "Yangon", "UTC+06:30", "MMT"
"Damascus", "UTC+02", "EET", "EEST" | "Bangkok", "UTC+07", "THA"
"East-Europe", "UTC+02", "EET", "EEST" | "Hanoi", "UTC+07", "THA"
"Harare", "UTC+02", "EET" | "Jakarta", "UTC+07", "THA"
"International-Date-Line-West", "UTC-12" | "Novosibirsk", "UTC+07", "THA"
"American-Samoa", "UTC-11", "SST" | "Beijing", "UTC+08", "CCT"
"Ha
-
UTC- Time Zones | UTC+ Time Zones
"Cayenne", "UTC-03", "BST" | "Nukualofa", "UTC+13"
"Fortaleza", "UTC-03", "BST" | "Samoa", "UTC+13"
"Greenland", "UTC-03", "BST", "GRED" |
"Montevideo", "UTC-03", "BST", "UYST" |
"Salvador", "UTC-03", "BST", "BRST" |
"Mid-Atlantic", "UTC-02", "FNT" |
"Azores", "UTC-01", "AZOST", "AZOST" |
"Cape-Verde-Is", "UTC-01", "CVT" |
System Configuration
Configure general system settings for the branch c
-
Parameter | Description
Advanced Settings
firewall-visibility | (Optional) Enable or disable the firewall visibility feature. For more information, see Firewall on page 854.
AppRF | (Optional) Enable or disable the AppRF feature. For more information, see AppRF on page 828.
URL Filtering | (Optional) Enable Web Content Classification. For more information, see Web Content Classification on page 837.
-
Parameter | Description
Community Strings for SNMPv1 and SNMPv2 | Enter the community string used to authenticate SNMPv1 and SNMPv2 requests. For more information on SNMP settings, see Configuring SNMP.
Trap Receiver | Enter host information about an SNMP trap receiver that can receive and interpret the traps sent by the controller. Click New, enter the following types of trap information, then click Add.
- IP address: Trap receiver IP address
- SNMP version: SNMPv1, SNMPv2c, or SNMPv3.
-
Figure 47 Branch Controller Networking Settings
Parameter | Description
User VLANs
VLAN ID | Identifier for the VLAN.
Description | Text string describing the VLAN.
NAT Inside | Click this checkbox to enable source NAT for this VLAN.
BCMC Optimization | Click this checkbox to effectively prevent flooding of BCMC traffic on all VLAN member ports. This option ensures controlled flooding of BCMC traffic without compromising client connectivity.
-
Parameter | Description
- VLAN
- PortFast
- BPDU Guard
Tunnels | Tunnel settings:
- Tunnel ID
- Source IP
- Destination IP
- Mode
- Keepalive
- MTU
- Trusted
ArubaOS supports generic routing encapsulation (GRE) tunnels between the branch controller and APs. To define tunnel settings for the branch controllers using this branch config group, click New, select your tunnel settings, then click Add.
-
Figure 48 Branch Controller Static Route Settings
Parameter | Description
Destination IP | Destination IP address, in dotted decimal format.
Destination Mask | Destination netmask, in dotted decimal format.
NextHop | The IP address of the forwarding router, in dotted decimal format.
IPsec | To use a static IPsec route map, click the IPsec drop-down list and select a static IPsec route map, or click New and enter the name of a new IPsec route map.
-
2. Click the Add button below the Nexthop Configuration table to open a pop-up window that allows you to configure the following next-hop settings:
Figure 50 Branch Controller Next-Hop Settings
Parameter | Description
Nexthop-list name | Name for the new nexthop list.
Nexthop IP / DHCP | IP address of the nexthop device, or the VLAN ID of the VLAN used by the nexthop device.
-
Table 63: Policy Based Routing ACL Rule Parameters
Field | Description
IP version | Specifies whether the policy applies to IPv4 or IPv6 traffic.
Source (required) | Source of the traffic, which can be one of the following:
- any: Acts as a wildcard and applies to any source address.
- user: This refers to traffic from the wireless client.
- host: This refers to traffic from a specific host. When this option is chosen, you must configure the IP address of the host.
Destination (required) |
-
Field | Description
Service (required) | Type of traffic, which can be one of the following:
- any: This option specifies that this rule applies to any type of traffic.
- application: For session and route policies on a W-7000 Series controller, you can create a rule that applies to a specific application type. Click the Application drop-down list and select an application type.
Action (required) |
Position |
-
- If you selected the User Role type, click the Target drop-down list and select a user role. The rule is applied to traffic from clients with the selected user role.
5. Click Done.
6. Click Apply.
VPN Configuration
Configure IPsec crypto maps and DTP settings for the branch controllers in a branch config group by navigating to Configuration > Branch > Smart Config and selecting the VPN tab. The settings on the VPN tab are described in the table below.
-
Parameter | Description
Description |
Security Association Lifetime (seconds) | Configures the lifetime for the security association (SA), in seconds.
Security Association Lifetime (Kilobytes) | Specifies the amount of traffic (in kilobytes) that can pass between IPsec peers in the local and remote networks before the security association expires.
Version | Click the drop-down list and select None (to create an IPsec map that does not use IKE), IKEv1, or IKEv2.
-
of the master controller WebUI, then click the arrow button by the drop-down list to add that transform set to the IPsec map.
Dynamically Addressed Peer | Select either the Pre-shared Key or Certificate option to define security options for a dynamically addressed peer.
Pre-shared Key | For pre-shared key authentication, select Pre-Shared Key, then enter a shared secret in the IKE Shared Secret and Verify IKE Shared Secret fields.
-
Policy Name | Policy Number | IKE Version | Encryption Algorithm | Hash Algorithm | Authentication Method | PRF Method | Diffie-Hellman Group
Default RAP IKEv2 RSA protection suite | 1004 | IKEv2 | AES-256 | SHA160 | RSA Signature | hmacsha1 | 2 (1024 bit)
Default Cluster PSK protection suite | 10005 | IKEv1 | AES-256 | SHA160 | Pre-Shared Key | Pre-Shared Key | 2 (1024 bit)
Default IKEv2 RSA protection suite | 1006 | IKEv2 | AES-128 | SHA 96 | RSA Signature | hmacsha1 | 2 (1024 bit)
Default IKEv2 PSK protection suite | 10007 |
-
Table 66: Branch Config Group WAN Setting
Parameter | Description
WAN Failure Survivability
Enable AuthSurvivability | This parameter controls whether to use the Survival Server when no other authentication servers in the server group are in service. It also controls whether to store the user access credential in the Survival Server when the user is authenticated by an external RADIUS or LDAP server in the server group. Authentication Survivability is enabled or disabled at each controller.
-
Compression | The Compression/Decompression Engine feature is enabled by default. However, packets are compressed only if the IP Payload Compression Protocol (IPComp) is successfully negotiated via the Internet Key Exchange (IKE) protocol.
BW Management
Uplink | Select the uplink interface to which you will apply the bandwidth contract.
-
3. Click the Profile drop-down list and select the branch config group whose configuration settings you want to review.
To view a summary of the settings specific to an individual branch controller:
1. Navigate to Configuration > Branch > Smart Config > Summary.
2. Select the BOC Summary subtab.
3. Click the Profile drop-down list and select the MAC address of the branch controller whose configuration settings you want to review.
-
server can access the network only after passing through all these STP states. Some applications need to connect to the network immediately, or they will time out. Enabling the PortFast feature causes a switch port or a trunk port to enter the STP forwarding state immediately upon a link-up event, bypassing the listening and learning states. The PortFast feature is enabled at the port level, and the port can be either a physical or a logical port.
-
Enabling PortFast and BPDU Guard on a Port
The following section describes how to enable the PortFast and BPDU Guard features on a port.
In the WebUI
Follow the steps below to enable the PortFast and BPDU Guard features on a port using the WebUI:
1. Navigate to Configuration > Branch > Smart Config and select the Networking tab.
2. In the Ports table, click the port number for which you want to enable PortFast and BPDU Guard.
3. Click Edit.
4. Select the PortFast and BPDU Guard checkbox.
5. Click Update.
-
When all the WAN links are down, an AP management module in the controller updates the link state using the notification it receives from the health check manager. Depending on the link state, a new set of Virtual APs is made available to users, ensuring a minimum level of service appropriate to the deployment. The VAPs for WAN link failure feature can be configured using the branch controller WebUI or the command-line interface.
In the WebUI
1.
-
- Status: Displays the Link status and WAN status for VLANs. For each VLAN, green represents an up status and red represents a down status for the Link and WAN.
- Throughput: Displays the In and Out traffic for VLANs. The Throughput table has four tabs for the different uplinks. The first tab shows the throughput of the highest-priority VLANs, followed by other VLAN data in order of priority. Clicking each tab loads the In and Out traffic throughput data for that particular VLAN.
-
Chapter 12 802.1X Authentication
802.1X is an Institute of Electrical and Electronics Engineers (IEEE) standard that provides an authentication framework for WLANs. 802.1X uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1X framework and are suitable for wireless networks include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS).
-
- PEAP—Protected EAP (PEAP) is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with the server. PEAP authentication creates an encrypted SSL/TLS tunnel between the client and the authentication server. The exchange of information is encrypted inside the tunnel so that the user credentials are kept secure.
-
For the controller to communicate with the authentication server, you must configure the IP address, authentication port, and accounting port of the server on the controller. The authentication server must be configured with the IP address of the RADIUS client, which is the controller in this case. Both the controller and the authentication server must be configured to use the same shared secret.
-
Configuring 802.1X Authentication
On the controller, use the following steps to configure a wireless network that uses 802.1X authentication:
1. Configure the VLANs to which the authenticated users will be assigned. See Network Configuration Parameters on page 164.
2. Configure policies and roles. You can specify a default role for users who are successfully authenticated using 802.1X.
-
Table 68: 802.1x Authentication Profile Basic WebUI Parameters
Parameter | Description
Basic 802.1x Authentication Settings
Max authentication failures | Number of times a user can try to log in with wrong credentials, after which the user is blacklisted as a security threat. Set to 0 to disable blacklisting; otherwise enter a non-zero integer to blacklist the user after the specified number of failures. Range: 0-5 failures. Default: 0 failures. NOTE: This option may require a license.
-
by Microsoft clients.
Enforce Suite-B 128 bit or more security level Authentication | Configure Suite-B 128 bit or more security level authentication enforcement.
Enforce Suite-B 192 bit security level Authentication | Configure Suite-B 192 bit security level authentication enforcement.
Advanced 802.1x Authentication Settings
Machine Authentication Cache Timeout | The timeout, in hours, for machine authentication.
-
Range: 5-65535 seconds. Default: 30 seconds.
Authentication Server Retry Count | Maximum number of authentication requests that are sent to the server group. Range: 0-3 requests. Default: 2 requests.
Framed MTU | Sets the framed Maximum Transmission Unit (MTU) attribute sent to the authentication server. Range: 500-1500 bytes. Default: 1100 bytes.
-
Delay between EAP-Success and WPA2 Unicast Key Exchange | Interval, in milliseconds, between EAP-Success and the unicast key exchange. Range: 0-2000 ms. Default: 0 ms (no delay).
Delay between WPA/WPA2 Unicast Key and Group Key Exchange | Interval, in milliseconds, between the unicast and multicast key exchanges. Range: 0-2000 ms. Default: 0 ms (no delay).
-
xSec MTU | Sets the maximum transmission unit (MTU) for frames using the xSec protocol. Range: 1024-1500 bytes. Default: 1300 bytes.
Token Caching | If you select EAP-GTC as the inner EAP method, you can select the Token Caching checkbox to enable the controller to cache the username and password of each authenticated user. The controller continues to reauthenticate users with the remote authentication server.
-
In the CLI
The following command configures settings for an 802.1X authentication profile. Individual parameters are described in the previous table.
(host)(config) #aaa authentication dot1x {<profile>|countermeasures}
Configuring and Using Certificates with AAA FastConnect
The controller supports 802.1x authentication using digital certificates for AAA FastConnect.
- Server Certificate—A server certificate installed in the controller verifies the authenticity of the controller for 802.1x authentication.
-
You can configure 802.1x for both user and machine authentication (select the Enforce Machine Authentication option described in Table 68). This tightens the authentication process further, since both the device and the user must be authenticated.
Working with Role Assignment with Machine Authentication Enabled
When you enable machine authentication, there are two additional roles you can define in the 802.
-
Role assignment is as follows:
- If both machine and user authentication succeed, the role is dot1x_user. If there is a server-derived role, the server-derived role takes precedence.
- If only machine authentication succeeds, the role is dot1x_mc.
- If only user authentication succeeds, the role is guest.
- If both machine and user authentication fail, the user does not have access to the network.
-
using 802.1x. You can provision an AP to act as an 802.1X supplicant and authenticate to the infrastructure using the PEAP protocol. Both Campus APs (CAPs) and Remote APs (RAPs) can be provisioned to use 802.1X authentication.
Prerequisites
- An AP has to be configured with the credentials for 802.1X authentication. These credentials are stored securely in the AP flash.
- The AP must complete the 802.1X authentication before it sends or receives IP traffic such as DHCP. If the AP cannot complete 802.
-
  - guest
  - system administrators
The examples show how to configure using the WebUI and CLI commands.
Configuring Authentication with an 802.1X RADIUS Server
- An EAP-compliant RADIUS server provides the 802.1X authentication. The RADIUS server administrator must configure the server to support this authentication. The administrator must also configure the server to allow communications with the Dell controller.
- The authentication type is WPA. From the 802.
-
255.0.0.0. Click Add to add the network range. Repeat these steps to add the network range 172.16.0.0 - 255.255.0.0. Click Done. The alias Internal Network appears in the Destination menu. This step defines an alias representing all internal network addresses. Once defined, you can use the alias for other rules and policies.
d. Under Destination, select Internal Network.
e. Under Service, select service. In the Service scrolling list, select svc-telnet.
f. Under Action, select drop.
g. Click Add.
5.
-
c. Under Service, select service. In the Service scrolling list, select svc-telnet.
d. Under Action, select drop.
e. Click Add.
f. Repeat steps a-e to create rules for the following services: svc-ftp, svc-snmp, and svc-ssh.
5. Click Apply.
6. Select the User Roles tab. Click Add to create the faculty role.
7. For Role Name, enter faculty.
8. Under Firewall Policies, click Add. In Choose from Configured Policies, select the faculty policy you previously created. Click Done.
-
g. Repeat steps a-f to create a rule for svc-dns.
To create a rule to deny access to the internal network:
a. Under Source, select user.
b. Under Destination, select alias. Select Internal Network.
c. Under Service, select any.
d. Under Action, select drop.
e. Click Add.
To create rules to permit HTTP and HTTPS access during working hours:
a. Under Source, select user.
b. Under Destination, select any.
c. Under Service, select service. In the Services scrolling list, select svc-http.
d.
-
In the WebUI
1. Navigate to the Configuration > Security > Access Control > User Roles page. Click Add to create the sysadmin role.
2. For Role Name, enter sysadmin.
3. Under Firewall Policies, click Add. In Choose from Configured Policies, select the predefined allowall policy. Click Done.
4. Click Apply.
In the CLI
(host)(config) #user-role sysadmin
session-acl allowall
Creating a computer role
In the WebUI
1. Navigate to the Configuration > Security > Access Control > User Roles page.
-
3. In the Servers list, select Server Group. In the Server Group Instance list, enter IAS and click Add.
a. Select the server group IAS to display configuration parameters for the server group.
b. Under Servers, click New.
c. From the Server Name drop-down list, select IAS1. Click Add Server.
4. Under Server Rules, click New.
a. For Condition, enter Class.
b. For Attribute, select value-of from the drop-down list.
c. For Operand, select set role.
d. Click Add.
5. Click Apply.
-
b. Click Apply.
5. In the Profiles list (under the aaa_dot1x profile), select 802.1x Authentication Server Group.
a. From the drop-down list, select the IAS server group you created previously.
b. Click Apply.
-
5. Select the IP Routes tab.
a. For Default Gateway, enter 10.1.1.254.
b. Click Apply.
In the CLI
(host)(config) #vlan 60
(host)(config) #interface vlan 60
ip address 10.1.60.1 255.255.255.0
ip helper-address 10.1.1.25
(host)(config) #vlan 61
(host)(config) #interface vlan 61
ip address 10.1.61.1 255.255.255.0
ip helper-address 10.1.1.25
(host)(config) #vlan 63
(host)(config) #interface vlan 63
ip address 10.1.63.1 255.255.255.0
ip helper-address 10.1.1.25
(host)(config) #ip default-gateway 10.1.1.
-
h. Click Apply to apply the SSID profile to the Virtual AP.
i. Under Profile Details, click Apply.
5. Click the guest virtual AP name in the Profiles list or in Profile Details to display configuration parameters.
a. Ensure that you select Virtual AP enable.
b. For VLAN, select 63.
c. Click Apply.
6. Navigate to the Configuration > Wireless > AP Configuration page.
7. In the AP Group list, click Edit for the second-floor.
8. In the Profiles list, select Wireless LAN and then Virtual AP.
9.
-
h. At the bottom of the Profile Details page, click Apply.
5. Click the WLAN-01_first-floor virtual AP name in the Profiles list or in Profile Details to display configuration parameters.
a. Ensure that you select Virtual AP enable.
b. For VLAN, select 60.
c. Click Apply.
6. Navigate to the Configuration > Wireless > AP Configuration page.
7. In the AP Group list, click Edit for the second-floor.
8. In the Profiles list, select Wireless LAN and then Virtual AP.
9.
-
Configuring the Internal Database
Configure the internal database with the username, password, and role (student, faculty, or sysadmin) for each user. There is a default internal server group that includes the internal database. For the internal server group, configure a server derivation rule that assigns the role to the authenticated client.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. In the Servers list, select Internal DB.
3.
-
b. Select the dot1x profile you just created.
c. Select Termination. The defaults for EAP Method and Inner EAP Method are EAP-PEAP and EAP-MSCHAPv2, respectively.
d. Click Apply.
2. Select the AAA Profiles tab.
a. In the AAA Profiles Summary, click Add to add a new profile.
b. Enter aaa_dot1x, then click Add.
c. Select the aaa_dot1x profile you just created.
d. For 802.1x Authentication Default Role, select faculty.
e. Click Apply.
3.
-
c. For Net Mask, enter 255.255.255.0.
d. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
e. Click Apply.
3. In the IP Interfaces page, click Edit for VLAN 61.
a. For IP Address, enter 10.1.61.1.
b. For Net Mask, enter 255.255.255.0.
c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
d. Click Apply.
4. In the IP Interfaces page, click Edit for VLAN 63.
a. For IP Address, enter 10.1.63.1.
b. For Net Mask, enter 255.255.255.0.
c. Under DHCP Helper Address, click Add.
-
In the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. In the AP Group list, select first-floor.
3. In the Profiles list, select Wireless LAN and then Virtual AP.
4. To configure the guest virtual AP:
a. Select NEW from the Add a profile drop-down list. Enter guest for the name of the virtual AP profile, and click Add.
b. In the Profile Details entry for the guest virtual AP profile, select NEW from the SSID profile drop-down list.
-
In the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. In the AP Group list, select first-floor.
3. In the Profiles list, select Wireless LAN, then select Virtual AP.
4. To configure the WLAN-01_first-floor virtual AP:
a. Select NEW from the Add a profile drop-down list. Enter WLAN-01_first-floor, and click Add.
b. In the Profile Details entry for the WLAN-01_first-floor virtual AP profile, select aaa_dot1x from the AAA Profile drop-down list.
-
vlan 61
aaa-profile aaa_dot1x
ssid-profile WLAN-01
(host)(config) #ap-group first-floor
virtual-ap WLAN-01_first-floor
(host)(config) #ap-group second-floor
virtual-ap WLAN-01_second-floor
Configuring Mixed Authentication Modes
Use the l2-auth-fail-through command to perform mixed authentication, which includes both MAC and 802.1X authentication. When l2-auth-fail-through is enabled and MAC authentication fails, 802.1X authentication is performed. By default, l2-auth-fail-through is disabled.
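The fail-through rule above and the machine-authentication role table under "Working with Role Assignment with Machine Authentication Enabled", expressed as one testable Python function; this is an added example, not code from the guide or from ArubaOS, and it assumes (the guide does not say) that in mixed mode a client which passes MAC authentication goes on to 802.1X.

```python
"""Added example (not code from the ArubaOS guide or the product): the
Layer-2 authentication decisions described in this chapter as pure
functions, so the rules can be unit-tested.

Rules modelled, as stated in the guide:
  * 802.1X with machine authentication enabled: both machine and user
    authentication succeed -> dot1x_user (a server-derived role takes
    precedence); machine only -> dot1x_mc; user only -> guest; neither ->
    no network access.
  * l2-auth-fail-through (disabled by default): when MAC authentication
    fails, 802.1X authentication is performed only if the option is enabled.
Assumption (not stated in the guide): in mixed mode a client that passes
MAC authentication continues on to 802.1X.
"""
from dataclasses import dataclass
from typing import Optional

# Default role names from the guide's machine-authentication example;
# they are configurable in the 802.1X authentication profile.
MACHINE_AND_USER_ROLE = "dot1x_user"
MACHINE_ONLY_ROLE = "dot1x_mc"
USER_ONLY_ROLE = "guest"


@dataclass(frozen=True)
class Dot1xResult:
    """Outcome of one 802.1X exchange."""
    machine_ok: bool                           # device (machine) authentication succeeded
    user_ok: bool                              # user authentication succeeded
    server_derived_role: Optional[str] = None  # role returned by the RADIUS server, if any


def dot1x_role(result: Dot1xResult) -> Optional[str]:
    """Apply the machine-authentication role table. None means no access."""
    if result.machine_ok and result.user_ok:
        # Both succeeded: a server-derived role overrides the default user role.
        return result.server_derived_role or MACHINE_AND_USER_ROLE
    if result.machine_ok:
        # The guide gives the server-derived role precedence only when both
        # succeed, so a machine-only result keeps the machine role.
        return MACHINE_ONLY_ROLE
    if result.user_ok:
        return USER_ONLY_ROLE
    return None


def l2_authenticate(mac_auth_ok: bool,
                    fail_through_enabled: bool,
                    dot1x: Dot1xResult) -> Optional[str]:
    """Mixed MAC + 802.1X authentication under l2-auth-fail-through.

    `dot1x` is the result the 802.1X exchange produces if it is allowed to
    run. Returns the assigned role, or None when the client is denied.
    """
    if not mac_auth_ok and not fail_through_enabled:
        # Default behaviour: a MAC-authentication failure ends L2 authentication.
        return None
    # MAC auth passed (assumed to continue to 802.1X) or fail-through applies.
    return dot1x_role(dot1x)


def decision_table() -> dict:
    """Constructed sample cases covering every row of the rules above."""
    return {
        "both ok, server role faculty": l2_authenticate(True, False, Dot1xResult(True, True, "faculty")),
        "both ok, no server role": l2_authenticate(True, False, Dot1xResult(True, True)),
        "machine only": l2_authenticate(True, False, Dot1xResult(True, False)),
        "user only": l2_authenticate(True, False, Dot1xResult(False, True)),
        "MAC fail, fail-through off": l2_authenticate(False, False, Dot1xResult(True, True)),
        "MAC fail, fail-through on": l2_authenticate(False, True, Dot1xResult(True, True)),
    }


if __name__ == "__main__":
    for name, role in decision_table().items():
        print(f"{name:30s} -> {role or 'no access'}")
```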
-
The following is an example of the parameters you can configure for reauthentication with unicast and multicast key rotation:
- Reauthentication: Enabled
- Reauthentication Time Interval: 6011 Seconds
- Multicast Key Rotation: Enabled
- Multicast Key Rotation Time Interval: 1867 Seconds
- Unicast Key Rotation: Enabled
- Unicast Key Rotation Time Interval: 1021 Seconds
In the WebUI
1. Navigate to the Configuration > Security > Authentication > L2 Authentication page.
2. Select 802.
-
- SSO occurs after 802.1x authentication. Therefore, SSO after captive portal authentication is not supported. Roles for captive portal and SSO are mutually exclusive, so a user in the captive portal role cannot perform SSO and vice versa.
- SSO with VIA is not supported.
- There is a limit on the number of concurrent sessions that can be serviced at a given instant. This limit is set at the web server level using the web-max-clients command in the web-server profile.
-
In the CLI
sso idp-profile idp
Applying an SSO Profile to a User Role
The newly created SSO profile must be applied to any applicable user roles that require SSO. Apply the SSO profile by completing the steps below.
In the WebUI
1. Navigate to Configuration > Security > Access Control.
2. Select the User Roles tab.
3. Select the User Role that the SSO profile will be linked to and click Edit.
4. Under Misc.
-
Chapter 13 Stateful and WISPr Authentication
ArubaOS supports stateful 802.1X authentication, stateful NTLM authentication, and authentication for Wireless Internet Service Provider roaming (WISPr). Stateful authentication differs from 802.
-
Working With WISPr Authentication
WISPr authentication allows a “smart client” to authenticate to the network when roaming between Wireless Internet Service Providers, even if the wireless hotspot uses an ISP with which the client may not have an account.
-
1. Navigate to the Configuration > Security > Authentication > L2 Authentication page.
2. In the Profiles list, select Stateful 802.1X Authentication Profile.
3. Click the Default Role drop-down list, and select the role assigned to stateful 802.1X authenticated users.
4. Specify the timeout period for authentication requests, between 1 and 20 seconds. The default value is 10 seconds.
5. Select the Mode checkbox to enable stateful 802.1X authentication.
-
To create and define settings for a Stateful NTLM Authentication profile, select an existing profile, then click Save As in the right window pane. Enter a name for the new profile in the entry field at the top of the right window pane.
4. Click the Default Role drop-down list, and select the role to be assigned to all users after they complete stateful NTLM authentication.
5. Specify the timeout period for authentication requests, between 1 and 20 seconds. The default value is 10 seconds.
6.
-
To create and define settings for a new Stateful Kerberos Authentication profile, select an existing profile, then click Save As in the right window pane. Enter a name for the new profile in the entry field at the top of the right window pane.
4. Click the Default Role drop-down list, and select the role to be assigned to all users after they complete stateful Kerberos authentication.
5. Specify the timeout period for authentication requests, between 1 and 20 seconds. The default value is 10 seconds.
6.
-
Table 72: WISPr Authentication Profile Parameters
Parameter | Description
Default Role | Default role assigned to users that complete WISPr authentication.
Logon wait minimum wait | If the controller’s CPU utilization has surpassed the Login wait CPU utilization threshold value, the Logon wait minimum wait parameter defines the minimum number of seconds a user has to wait before retrying a login attempt. Range: 1–10 seconds. Default: 5 seconds.
-
set of commands associates that server group with the WISPr authentication profile, then defines the profile settings.
(host)(config)# aaa authentication-server radius host 172.4.77.
-
Chapter 14 Certificate Revocation
The Certificate Revocation feature enables the controller to perform real-time certificate revocation checks using the Online Certificate Status Protocol (OCSP), or traditional certificate validation using the Certificate Revocation List (CRL) client.
-
Configuring an OCSP Controller as a Responder
The controller can be configured to act as an OCSP responder (server) and respond to OCSP queries from clients that want to obtain the revocation status of certificates. The OCSP responder on the controller is accessible over HTTP port 8084. You cannot configure this port. Although the OCSP responder accepts signed OCSP requests, it does not attempt to verify the signature before processing the request. Therefore, even unsigned OCSP requests are supported.
-
Figure 53 Upload a certificate
6. Click Upload. The certificate appears in the Certificate Lists pane.
7. For detailed information about an uploaded certificate, click View next to the certificate.
Figure 54 View certificate details
8. Select the Revocation Checkpoint tab.
-
9. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to configure. The Revocation Checkpoint pane displays.
10. In the Revocation Check field, select ocsp from the Method 1 drop-down list as the primary check method.
11. In the OCSP URL field, enter the URL of the OCSP responder.
12. In the OCSP Responder Cert field, select the OCSP certificate you want to configure from the drop-down menu.
13. Click Apply.
-
9. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to configure. The Revocation Checkpoint pane displays.
10. In the Revocation Check field, select crl from the Method 1 drop-down list.
11. In the CRL Location field, enter the CRL you want to use for this revocation checkpoint. The CRLs listed are files that have already been imported onto the controller.
12. Click Apply.
-
11. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to configure. The Revocation Checkpoint pane displays.
12. In the Revocation Check field, optionally select a check method from the Method 1 drop-down list. Optionally, select a backup check method from the Method 2 drop-down list.
13. Select Enable next to Enable OCSP Responder.
14. Select the OCSP signer cert from the OCSP Signer Cert drop-down menu.
15.
-
(host)(config) #mgmt-user ssh-pubkey client-cert client1-rg test1 root rcp ca-rg
In this example, a user is configured without the RCP:
(host)(config) #mgmt-user ssh-pubkey client-cert client2-rg test2 root
Displaying Revocation Checkpoint for the SSH Pubkey User
The RCP checks the revocation status of the SSH user’s client certificate before permitting access. If the revocation check fails, the user is denied access via the ssh-pubkey authentication method.
-
Chapter 15 Captive Portal Authentication
Captive portal is one of the methods of authentication supported by ArubaOS. A captive portal presents a web page which requires user action before network access is granted. The required action can be simply viewing and agreeing to an acceptable use policy, or entering a user ID and password which must be validated against a database of authorized users.
-
There are differences in how captive portal functions work and how you configure captive portal, depending on whether the license is installed. Other parts of this chapter describe how to configure captive portal in the base operating system (without the PEFNG license) and with the license installed.
Controller Server Certificate
The Dell controller is designed to provide secure services through the use of digital certificates.
-
The WLAN Wizard within the ArubaOS WebUI allows for basic captive portal configuration for WLANs associated with the “default” ap-group: Configuration > Wizards > WLAN Wizard. Follow the steps in the workflow pane within the wizard and refer to the help tab for assistance.
What follows are the tasks for configuring captive portal in the base ArubaOS. The example server group and profile names appear inside quotation marks.
- Create the Server Group name. In this example, the server group name is “cp-srv”.
-
c. For Initial Role, select the captive portal authentication profile (for example, c-portal) you created previously. The Initial Role must be exactly the same as the name of the captive portal authentication profile you created. d. Click Apply. 4. Navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name. 5. Under Profiles, select Wireless LAN, then select Virtual AP. 6.
-
The captive portal authentication profile specifies the captive portal login page and other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance. MAC-based authentication, if enabled on the controller, takes precedence over captive portal authentication. The following are the basic tasks for configuring captive portal using role-based access provided by the Policy Enforcement Firewall software module.
-
a. In the Captive Portal Authentication Profile Instance list, enter the name of the profile (for example, cportal), then click Add. b. Select the captive portal authentication profile you just created. c. Select the default role (for example, employee) for captive portal users. d. Enable guest login and/or user login, as well as other parameters (refer to Table 73). e. Click Apply. 3.
-
Configuring Captive Portal in the CLI

To configure captive portal with the PEFNG license via the command-line interface, access the CLI in config mode and issue the following commands:

(host)(config) #aaa authentication captive-portal c-portal
  default-role employee
  server-group cp-srv
(host)(config) #user-role logon
  captive-portal c-portal
(host)(config) #aaa profile aaa_c-portal
  initial-role logon
(host)(config) #wlan ssid-profile ssid_c-portal
  essid c-portal-ap
  vlan 20
(host)(config) #wlan virtual-ap vp_
-
The guest-logon user role configuration needs to include the name of the captive portal authentication profile instance. You can modify the user role configuration after you create the captive portal authentication profile instance.

Creating an Auth-guest User Role

The auth-guest user role consists of the following ordered policies:
- cplogout is a predefined policy that allows captive portal logout.
-
b. Under Destination, select any. c. Under Service, select udp. Enter 68. d. Under Action, select drop. e. Click Add. 6. Under Rules, click Add. a. Under Source, select any. b. Under Destination, select any. c. Under Service, select service. Select svc-dhcp. d. Under Action, select permit. e. Under Time Range, select working-hours. f. Click Add. Creating Aliases The following step defines an alias representing the public DNS server addresses.
-
5. Under Rules, select Add to add rules for the policy. a. Under Source, select user. b. Under Destination, select any. c. Under Service, select udp. Enter 68. d. Under Action, select drop. e. Click Add. 6. Under Rules, click Add. a. Under Source, select any. b. Under Destination, select any. c. Under Service, select service. Select svc-dhcp. d. Under Action, select permit. e. Under Time Range, select working-hours. f. Click Add. 7. Under Rules, click Add. a. Under Source, select user. b.
-
a. Under Source, select user. b. Under Destination, select alias. The following step defines an alias representing all internal network addresses. Once defined, you can use the alias for other rules and policies. c. Under the alias selection, click New. For Destination Name, enter “Internal Network”. Click Add to add a rule. For Rule Type, select network. For IP Address, enter 10.0.0.0. For Network Mask/Range, enter 255.0.0.0. Click Add to add the network range.
-
11. For Choose from Configured Policies, select block-internal-access from the drop-down menu. 12. Click Done. 13. Click Apply. Creating an Auth-Guest Role To create the guest-logon role via the WebUI: 1. Navigate to the Configuration > Security > Access Control > User Roles page. 2. Click Add. 3. For Role Name, enter auth-guest. 4. Under Firewall Policies, click Add. 5. For Choose from Configured Policies, select cplogout from the drop-down menu. 6. Click Done. 7. Under Firewall Policies, click Add. 8.
-
Creating a Guest-Logon-Access Policy

To create a guest-logon-access policy via the command-line interface, access the CLI in config mode and issue the following commands:

(host)(config) #ip access-list session guest-logon-access
  user any udp 68 deny
  any any svc-dhcp permit time-range working-hours
  user alias "Public DNS" svc-dns src-nat time-range working-hours

Creating an Auth-Guest-Access Policy

To create an auth-guest-access policy via the command-line interface, access the CLI in config mode and issue
-
In the WebUI 1. Navigate to the Configuration > Network > VLANs page. a. Select the VLAN ID tab. b. Click Add. c. For VLAN ID, enter 900. d. Click Apply. 2. Navigate to the Configuration > Network > IP > IP Interfaces page. a. Click the IP Interfaces tab. b. Click Edit for VLAN 900. c. For IP Address, enter 192.168.200.20. d. For Net Mask, enter 255.255.255.0. e. Click Apply. 3. Click the DHCP Server tab. a. Select Enable DHCP Server. b. Click Add under Pool Configuration. c.
-
e. Deselect (uncheck) Guest Login. f. Click Apply. 2. Select Server Group under the guestnet captive portal authentication profile you just created. a. Select internal from the Server Group drop-down menu. b. Click Apply.
-
Configuring the WLAN In this section, you create the guestnet virtual AP profile for the WLAN. The guestnet virtual AP profile contains the SSID profile guestnet (which configures opensystem for the SSID) and the AAA profile guestnet. To configure the guest WLAN via the WebUI: 1. Navigate to the Configuration > Wireless > AP Configuration page. 2. Select either AP Group or AP Specific tab. Click Edit for the AP group or AP name. 3.
-
Configuring Captive Portal Configuration Parameters

Table 73 describes configuration parameters on the WebUI Captive Portal Authentication profile page. In the CLI, you configure these options with the aaa authentication captive-portal commands.

Table 73: Captive Portal Authentication Profile Parameters

Parameter: Default Role
Description: Role assigned to the Captive Portal user upon login.
-
Parameter: Logon wait CPU utilization threshold
Description: CPU utilization percentage above which the Logon wait interval is applied when presenting the user with the logon page.

Parameter: Max Authentication failures
Description: Maximum number of authentication failures before the user is blacklisted.

Parameter: Show FQDN
Description: Allows the user to see and select the fully-qualified domain name (FQDN) on the login page.
-
Parameter: White List
Description: To add a netdestination to the captive portal whitelist, enter the destination host or subnet, then click Add. The netdestination will be added to the whitelist. To remove a netdestination from the whitelist, select it in the whitelist field, then click Delete. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the whitelist. This parameter requires the Public Access license.
-
automatically created when you create the captive portal authentication profile instance.) You then specify the initial user role for captive portal in the AAA profile for the WLAN. When you have multiple captive portal login pages loaded in the controller, you must configure a unique initial user role and user role, and captive portal authentication profile, AAA profile, SSID profile, and virtual AP profile for each WLAN that will use captive portal.
-
2. (For captive portal with role-based access only) Edit the captiveportal policy by navigating to the Configuration > Security > Access Control > Policies page. a. Delete the rule for "user mswitch svc-https dst-nat". b. Add a new rule with the following values and move this rule to the top of the rules list: source is user; destination is the mswitch alias; service is svc-http; action is dst-nat. c. Click Apply.
-
c. Service is TCP d. Port is the TCP port on the proxy server e. Action is dst-nat f. IP address is the IP address of the proxy port g. Port is the port on the proxy server 4. Click Add to add the rule. Use the up arrows to move this rule just below the rule that allows HTTP(S) traffic. 5. Click Apply. To redirect proxy server traffic via the command-line interface, access the CLI in config mode and issue the following commands.
-
1. Edit the captiveportal policy by navigating to the Configuration > Security > Access Control > Policies page. 2. Add a new rule with the following values: Source is user; Destination is host; Host IP is the IP address of the proxy server; Service is svc-https or svc-http; Action is permit. 3. Click Add to add the rule. Use the up arrows to move this rule above the rules that perform destination NAT. 4. Click Apply.
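Both the guest-logon-access policy above (user udp 68 deny, svc-dhcp permit during working hours, DNS source-NAT to the "Public DNS" alias) and the proxy rule here depend on the same property of session ACLs: rules are evaluated in order and the first match decides. The following is an added illustration, not ArubaOS code: a small first-match evaluator that applies the guide's rules to constructed packets and shows why the proxy permit rule has to sit above the dst-nat rules. The addresses, the alias contents, the "working-hours" window, the port numbers behind the svc-* names and the implicit final deny are all assumptions made for the example.

```python
"""First-match evaluator for ordered session ACL rules (added example, not ArubaOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (RFC 5737 documentation ranges); not values from the guide.
CLIENT_IP = ipaddress.ip_address("192.168.200.50")   # a client on the guest VLAN
PROXY_IP = ipaddress.ip_address("198.51.100.8")      # the proxy server
CONTROLLER_IP = ipaddress.ip_address("192.0.2.1")    # stand-in for the controller (mswitch)

# Aliases (netdestinations). "Internal Network" matches the guide's 10.0.0.0/8 step;
# the others are constructed for this example.
ALIASES = {
    "Public DNS": [ipaddress.ip_network("203.0.113.53/32")],
    "Internal Network": [ipaddress.ip_network("10.0.0.0/8")],
    "mswitch": [ipaddress.ip_network(f"{CONTROLLER_IP}/32")],
}

# Assumed protocol/port behind the predefined service names used on the page.
SERVICES = {
    "svc-dhcp": ("udp", 67),
    "svc-dns": ("udp", 53),
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
}

# Assumed time range: working-hours covers 08:00 through 17:59.
TIME_RANGES = {"working-hours": range(8, 18)}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    hour: int


@dataclass(frozen=True)
class Rule:
    src: str                  # "user", "any", "alias:<name>" or "host:<ip>"
    dst: str
    service: str              # predefined service name or "<proto>/<port>"
    action: str               # permit, deny, src-nat, dst-nat
    time_range: Optional[str] = None


def _endpoint_matches(spec: str, addr, client_ip) -> bool:
    if spec == "any":
        return True
    if spec == "user":          # "user" means the authenticated client's own address
        return addr == client_ip
    kind, _, value = spec.partition(":")
    if kind == "alias":
        return any(addr in net for net in ALIASES[value])
    if kind == "host":
        return addr == ipaddress.ip_address(value)
    raise ValueError(f"unknown endpoint spec {spec!r}")


def _service_matches(spec: str, pkt: Packet) -> bool:
    if spec in SERVICES:
        proto, port = SERVICES[spec]
    else:
        proto, port_text = spec.split("/")
        port = int(port_text)
    return pkt.proto == proto and pkt.dport == port


def first_match(rules, pkt: Packet, client_ip=CLIENT_IP) -> str:
    """Return the action of the first rule that matches; implicit deny if none does (assumed)."""
    for rule in rules:
        if rule.time_range and pkt.hour not in TIME_RANGES[rule.time_range]:
            continue                      # rule is inactive outside its time range
        if (_endpoint_matches(rule.src, pkt.src, client_ip)
                and _endpoint_matches(rule.dst, pkt.dst, client_ip)
                and _service_matches(rule.service, pkt)):
            return rule.action
    return "deny"


def decide(rules, dst: str, proto: str, dport: int, hour: int) -> str:
    """Convenience wrapper: evaluate a packet from the client to dst."""
    return first_match(rules, Packet(CLIENT_IP, ipaddress.ip_address(dst), proto, dport, hour))


def guest_logon_access():
    """The three rules of the guide's guest-logon-access policy, in order."""
    return [
        Rule("user", "any", "udp/68", "deny"),
        Rule("any", "any", "svc-dhcp", "permit", "working-hours"),
        Rule("user", "alias:Public DNS", "svc-dns", "src-nat", "working-hours"),
    ]


def captiveportal_policy(proxy_rule_first: bool):
    """Constructed approximation of the captiveportal policy with the proxy permit rule
    placed either above (correct) or below (wrong) the destination-NAT rules."""
    proxy_rule = Rule("user", f"host:{PROXY_IP}", "svc-http", "permit")
    nat_rules = [
        Rule("user", "alias:mswitch", "svc-http", "dst-nat"),   # the rule moved to the top
        Rule("user", "any", "svc-http", "dst-nat"),
        Rule("user", "any", "svc-https", "dst-nat"),
    ]
    return [proxy_rule] + nat_rules if proxy_rule_first else nat_rules + [proxy_rule]


if __name__ == "__main__":
    print("DNS at 10:00 ->", decide(guest_logon_access(), "203.0.113.53", "udp", 53, 10))
    print("DNS at 22:00 ->", decide(guest_logon_access(), "203.0.113.53", "udp", 53, 22))
    print("proxy rule first ->", decide(captiveportal_policy(True), str(PROXY_IP), "tcp", 80, 10))
    print("proxy rule last  ->", decide(captiveportal_policy(False), str(PROXY_IP), "tcp", 80, 10))
```

Running it shows the two ordering effects the procedures rely on: the guest policy only source-NATs DNS to the "Public DNS" alias during working hours and falls through to the implicit deny otherwise, and the proxy permit rule only takes effect when it precedes the "user any svc-http dst-nat" rule, because that rule would otherwise capture the proxy traffic first.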
-
2. To customize the page background: a. Select the YOUR CUSTOM BACKGROUND page. b. Under Additional options, enter the location of the JPEG image in the Upload your own custom background field. c. Set the background color in the Custom page background color field. The color code must be a hexadecimal value in the format #hhhhhh. d. To view the page background changes, click Submit at the bottom of the page and then click the View CaptivePortal link.
-
3. To customize the captive portal background text: a. Enter the text that needs to be displayed in the Page Text (in HTML format) message box. b. To view the background text changes, click Submit at the bottom of the page and then click the View CaptivePortal link. The User Agreement Policy page appears. c. Click Accept. This displays the Captive Portal page as it will be seen by users. 4. To customize the text under the Acceptable Use Policy: a. Enter the policy information in the Policy Text text box.
-
Creating a New Internal Web Page In addition to customizing the default captive portal page, you can also create your own internal web page. A custom web page must include an authentication form to authenticate a user.
-
Recommended Options: None

Finally, an HTML form also requires an input button:

Basic HTML Example