Users Guide
Table Of Contents
- Dell PowerConnect W-Series ArubaOS 6.1
- Contents
- About this Guide
- The Basic User-Centric Networks
- Configuring the User-Centric Network
- Deployment and Configuration Tasks
- Configuring the Controller
- Configuring a VLAN for Network Connection
- Additional Configuration
- Network Parameters
- Configuring VLANs
- Configuring Ports
- About VLAN Assignments
- How a VLAN Obtains its IP Address
- Assigning a Static Address to a VLAN
- Using CLI
- Configuring a VLAN to Receive a Dynamic Address
- Enabling the DHCP Client
- Enabling the PPPoE Client
- Default Gateway from DHCP/PPPoE
- Configuring DNS/WINS Server from DHPC/PPPoE
- Using the WebUI
- Configuring Source NAT to Dynamic VLAN Address
- Configuring Source NAT for VLAN Interfaces
- Inter-VLAN Routing
- Configuring Static Routes
- Configuring the Loopback IP Address
- Configuring the Controller IP Address
- Configuring GRE Tunnels
- RF Plan
- Supported Planning
- Before You Begin
- Launching the RF Plan
- Using the FQLN Mapper in the AP Provision Page
- RF Plan Example
- Sample Building
- Create a Building
- Model the Access Points
- Model the Air Monitors
- Add and Edit a Floor
- Adding the background image and naming the first floor
- Adding the background image and naming the second floor
- Defining Areas
- Creating a Don’t Care Area
- Creating a Don’t Deploy Area
- Running the AP Plan
- Running the AM Plan
- Access Points
- Basic Functions and Features
- AP Names and Groups
- AP Configuration Profiles
- Profile Hierarchy
- Deploying APs
- Provisioning Installed APs
- Configuring a Provisioned AP
- Managing RF Interference
- AP Channel Assignments
- AP Console Settings
- Virtual APs
- Virtual AP Profiles
- Configuring a Virtual AP
- Configuring a High-Throughput Virtual AP
- Adaptive Radio Management (ARM)
- Remote Access Points
- Overview
- Configuring the Secure Remote Access Point Service
- Deploying a Branch Office/Home Office Solution
- Enabling Double Encryption
- Advanced Configuration Options
- Understanding Remote AP Modes of Operation
- Fallback Mode
- Configuring the fallback mode
- Configuring the DHCP Server on the Remote AP
- Advanced Backup Configuration Options
- DNS Controller Setting
- Backup Controller List
- Remote AP Failback
- RAP Local Network Access
- Remote AP Authorization Profiles
- Access Control Lists and Firewall Policies
- Split Tunneling
- Configuring the Session ACL
- Configuring ACL for restricted LD homepage access
- Configuring the AAA Profile and the Virtual AP Profile
- Wi-Fi Multimedia
- Uplink Bandwidth Reservation
- Secure Enterprise Mesh
- Mesh Access Points
- Mesh Links
- Mesh Profiles
- Mesh Solutions
- Before You Begin
- Mesh Radio Profiles
- RF Management (802.11a and 802.11g) Profiles
- Mesh High-Throughput SSID Profiles
- Mesh Cluster Profiles
- Ethernet Ports for Mesh
- Provisioning Mesh Nodes
- AP Boot Sequence
- Verifying the Network
- Remote Mesh Portals
- Authentication Servers
- Important Points to Remember
- Servers and Server Groups
- Configuring Servers
- Internal Database
- Server Groups
- Assigning Server Groups
- Configuring Authentication Timers
- 802.1x Authentication
- Overview of 802.1x Authentication
- Configuring 802.1x Authentication
- Example Configurations
- Authentication with an 802.1x RADIUS Server
- Configuring Roles and Policies
- Configuring the RADIUS Authentication Server
- Configure 802.1x Authentication
- Configure VLANs
- Configuring the WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Authentication with the Controller’s Internal Database
- Configuring the Internal Database
- Configure 802.1x Authentication
- Configure VLANs
- Configuring the WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Mixed Authentication Modes
- Advanced Configuration Options for 802.1x
- Certificate Revocation
- Roles and Policies
- Policies
- User Roles
- User Role Assignments
- Global Firewall Parameters
- Dashboard Monitoring
- Stateful and WISPr Authentication
- Captive Portal
- Captive Portal Overview
- Captive Portal in the Base ArubaOS
- Captive Portal with the PEFNG License
- Example Authentication with Captive Portal
- Configuring Guest VLANs
- Captive Portal Authentication
- Optional Captive Portal Configurations
- Personalizing the Captive Portal Page
- Creating Walled Garden Access
- Advanced Security
- Virtual Private Networks
- Planning a VPN Configuration
- VPN Authentication Profiles
- Configuring a Basic VPN for L2TP/IPsec
- Configuring a VPN for L2TP/IPsec with IKEv2
- Configuring a VPN for Smart Card Clients
- Configuring a VPN for Clients with User Passwords
- Configuring Remote Access VPNs for XAuth
- Remote Access VPNs for PPTP
- Site-to-Site VPNs
- VPN Dialer
- Virtual Intranet Access
- MAC-based Authentication
- Control Plane Security
- Control Plane Security Overview
- Configuring Control Plane Security
- Whitelists on Master and Local Controllers
- Environments with Multiple Master Controllers
- Replacing a Controller on a Multi-Controller Network
- Configuring Control Plane Security after Upgrading
- Troubleshooting Control Plane Security
- Adding Local Controllers
- Remote Nodes
- Creating Remote Node Profiles
- Adding a New Remote Node Profile
- Defining Remote Node Address Pools
- OSPF and Static Routes
- Configuration Examples
- Create a remote node profile
- Define VLANs for a remote node profile and assign a wired aaa profile to each VLAN
- Identify the RN interfaces to be used as access ports for each VLAN
- Configure each VLAN interface with an internal IP address
- Manage and configure the uplink network connection
- Configure the uplink network connection and define a static IPsec route map
- Configure user roles and passwords for administrative users
- Define the server used for name and address resolution
- Define the OSPF settings for the upstream router
- (Optional) Define SNMP settings
- Specify that the RN use its internal database to authenticate clients
- Define NAT settings and identify the interface for outgoing RADIUS packets
- Define DHCP pools for a RN tunnel
- Define RN DHCP pools for each VLAN
- Configuring the Remote Node Whitelist
- Installing the Remote Node at the Remote Site
- Monitoring and Managing Remote Nodes
- Creating Remote Node Profiles
- IP Mobility
- VRRP
- RSTP
- PVST+
- W-600 Series Controller
- OSPFv2
- Wireless Intrusion Prevention
- Reusable Wizard
- Monitoring Dashboard
- Rogue AP Detection
- Intrusion Detection
- Infrastructure Intrusion Detection
- Detect 802.11n 40MHz Intolerance Setting
- Detect Active 802.11n Greenfield Mode
- Detect Ad hoc Networks
- Detect Ad hoc Network Using Valid SSID
- Detect AP Flood Attack
- Detect AP Impersonation
- Detect AP Spoofing
- Detect Bad WEP
- Detect Beacon Wrong Channel
- Detect Client Flood Attack
- Detect CTS Rate Anomaly
- Detect RTS Rate Anomaly
- Detect Devices with an Invalid MAC OUI
- Detect Invalid Address Combination
- Detect Overflow EAPOL Key
- Detect Overflow IE
- Detect Malformed Frame-Assoc Request
- Detect Malformed Frame-Auth
- Detect Malformed Frame-HT IE
- Detect Malformed Frame-Large Duration
- Detect Misconfigured AP
- Detect Windows Bridge
- Detect Wireless Bridge
- Detect Broadcast Deauthentication
- Detect Broadcast Disassociation
- Detect Netstumbler
- Detect Valid SSID Misuse
- Detect Wellenreiter
- Client Intrusion Detection
- Detect Block ACK DoS
- Detect ChopChop Attack
- Detect Disconnect Station Attack
- Detect EAP Rate Anomaly
- Detect FATA-Jack Attack Structure
- Detect Hotspotter Attack
- Detect Meiners Power Save DoS Attack
- Detect Omerta Attack
- Detect Rate Anomalies
- Detect TKIP Replay Attack
- Detect Unencrypted Valid Clients
- Detect Valid Client Misassociation
- Detect AirJack
- Detect ASLEAP
- Detect Null Probe Response
- Infrastructure Intrusion Detection
- Intrusion Protection
- WLAN Management System
- Client Blacklisting
- WIP Advanced Features
- Link Aggregation Control Protocol
- Management Access
- Certificate Authentication for WebUI Access
- Public Key Authentication for SSH Access
- Radius Server Authentication
- Radius Server Username/Password Authentication
- RADIUS Server Authentication with VSA
- RADIUS Server Authentication with Server-Derivation Rule
- Disabling Authentication of Local Management User Accounts
- Verifying the configuration
- Resetting the Admin or Enable Password
- Bypassing the Enable Password Prompt
- Setting an Administrator Session Timeout
- Management Password Policy
- Managing Certificates
- Configuring SNMP
- Configuring Logging
- Guest Provisioning
- Managing Files on the Controller
- Setting the System Clock
- Spectrum Analysis
- Overview
- Creating Spectrum Monitors and Hybrid APs
- Connecting Spectrum Devices to the Spectrum Analysis Client
- Configuring the Spectrum Analysis Dashboards
- Customizing Spectrum Analysis Graphs
- Recording Spectrum Analysis Data
- Non-Wi-Fi Interferers
- Spectrum Analysis Session Log
- Viewing Spectrum Analysis Data via the CLI
- Spectrum Analysis Troubleshooting Tips
- Software Licenses
- IPv6 Support
- About IPv6
- IPv6 Topology
- IPv6 Support for Controller and AP
- IPv6 Extension Header (EH) Filtering
- Captive Portal over IPv6
- ArubaOS Support for IPv6 Clients
- ArubaOS Features that Support IPv6
- IPv6 User Addresses
- Important Points to Remember
- Voice and Video
- Voice and Video License Requirements
- Configuring Voice and Video
- QoS for Voice and Video
- Extended Voice and Video Functionalities
- QoS for Microsoft Office OCS and Apple Facetime
- WPA Fast Handover
- Mobile IP Home Agent Assignment
- VoIP-Aware ARM Scanning
- Voice-Aware 802.1x
- SIP Authentication Tracking
- Real Time Call Quality Analysis
- SIP Session Timer
- Voice and Video Traffic Awareness for Encrypted Signaling Protocols
- Wi-Fi Edge Detection and Handover for Voice Clients
- Dial Plan for SIP Calls
- Enhanced 911 Support
- Voice over Remote Access Point
- Battery Boost
- Advanced Voice Troubleshooting
- External Services Interface
- Understanding ESI
- Understanding the ESI Syslog Parser
- ESI Configuration Overview
- Configuring Health-Check Method, Groups, and Servers
- Defining the ESI Server
- Defining the ESI Server Group
- Redirection Policies and User Role
- ESI Syslog Parser Domains and Rules
- Managing Syslog Parser Domains in the WebUI
- Managing Syslog Parser Domains in the CLI
- Managing Syslog Parser Rules
- Monitoring Syslog Parser Statistics
- Example Route-mode ESI Topology
- ESI server configuration on controller
- IP routing configuration on Fortinet gateway
- Configuring the Example Routed ESI Topology
- Health-Check Method, Groups, and Servers
- Defining the Ping Health-Check Method
- Defining the ESI Server
- Defining the ESI Server Group
- Redirection Policies and User Role
- Syslog Parser Domain and Rules
- Example NAT-mode ESI Topology
- Basic Regular Expression Syntax
- External User Management
- DHCP with Vendor-Specific Options
- External Firewall Configuration
- Behavior and Defaults
- 802.1x Configuration IAS Windows
- Internal Captive Portal
- Tunneled Nodes
- VIA: End User Instructions
- Provisioning RAP at Home
- Acronyms and Terms
- Index
Dell PowerConnect W-Series ArubaOS 6.1 | User Guide Authentication Servers | 275
You can configure multiple match rules for the same server. The controller compares the client/user information
with the match rules configured for each server, starting with the first server in the server group. If a match is
found, the controller sends the authentication request to the server with the matching rule. If no match is found
before the end of the server list is reached, an error is returned and no authentication request for the client/user is
sent.
For example, Figure 46 depicts a network consisting of several subdomains in corpnet.com. The server radius-1
provides 802.1x machine authentication to PC clients in xyz.corpnet.com, sales.corpnet.com, and
hq.corpnet.com. The server radius-2 provides authentication for users in abc.corpnet.com.
Figure 46 Domain-Based Server Selection Example
You configure the following rules for servers in the corp-serv server group:
radius-1 will be selected if the client information starts with “host/”.
radius-2 will be selected if the client information contains “abc.corpnet.com”.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Under the Servers tab, select Server Group to display the Server Group list.
3. Enter corp-serv for the new server group and click Add.
4. Under the Servers tab, select corp-serv to configure the server group.
5. Under Servers, click New to add the radius-1 server to the group. Select radius-1 from the drop-down menu.
a. For Match Type, select Authstring.
b. For Operator, select starts-with.
c. For Match String, enter host/.
d. Click Add Rule >>.
e. Scroll to the right and click Add Server.
6. Under Servers, click New to add the radius-2 server to the group. Select radius-2 from the drop-down menu.
a. For Match Type, select Authstring.
b. For Operator, select contains.
c. For Match String, enter abc.corpnet.com.
d. Click Add Rule >>.
host/<pc-name>.xyz.corpnet.com
abc.corpnet.com\<user>
<user>@abc.corpnet.com
radius-1
radius-2
host/<pc-name>.sales.corpnet.com
host/<pc-name>.hq.corpnet.com