Users Guide
Table Of Contents
- Dell PowerConnect W-Series ArubaOS 6.1
- Contents
- About this Guide
- The Basic User-Centric Networks
- Configuring the User-Centric Network
- Deployment and Configuration Tasks
- Configuring the Controller
- Configuring a VLAN for Network Connection
- Additional Configuration
- Network Parameters
- Configuring VLANs
- Configuring Ports
- About VLAN Assignments
- How a VLAN Obtains its IP Address
- Assigning a Static Address to a VLAN
- Using CLI
- Configuring a VLAN to Receive a Dynamic Address
- Enabling the DHCP Client
- Enabling the PPPoE Client
- Default Gateway from DHCP/PPPoE
- Configuring DNS/WINS Server from DHPC/PPPoE
- Using the WebUI
- Configuring Source NAT to Dynamic VLAN Address
- Configuring Source NAT for VLAN Interfaces
- Inter-VLAN Routing
- Configuring Static Routes
- Configuring the Loopback IP Address
- Configuring the Controller IP Address
- Configuring GRE Tunnels
- RF Plan
- Supported Planning
- Before You Begin
- Launching the RF Plan
- Using the FQLN Mapper in the AP Provision Page
- RF Plan Example
- Sample Building
- Create a Building
- Model the Access Points
- Model the Air Monitors
- Add and Edit a Floor
- Adding the background image and naming the first floor
- Adding the background image and naming the second floor
- Defining Areas
- Creating a Don’t Care Area
- Creating a Don’t Deploy Area
- Running the AP Plan
- Running the AM Plan
- Access Points
- Basic Functions and Features
- AP Names and Groups
- AP Configuration Profiles
- Profile Hierarchy
- Deploying APs
- Provisioning Installed APs
- Configuring a Provisioned AP
- Managing RF Interference
- AP Channel Assignments
- AP Console Settings
- Virtual APs
- Virtual AP Profiles
- Configuring a Virtual AP
- Configuring a High-Throughput Virtual AP
- Adaptive Radio Management (ARM)
- Remote Access Points
- Overview
- Configuring the Secure Remote Access Point Service
- Deploying a Branch Office/Home Office Solution
- Enabling Double Encryption
- Advanced Configuration Options
- Understanding Remote AP Modes of Operation
- Fallback Mode
- Configuring the fallback mode
- Configuring the DHCP Server on the Remote AP
- Advanced Backup Configuration Options
- DNS Controller Setting
- Backup Controller List
- Remote AP Failback
- RAP Local Network Access
- Remote AP Authorization Profiles
- Access Control Lists and Firewall Policies
- Split Tunneling
- Configuring the Session ACL
- Configuring ACL for restricted LD homepage access
- Configuring the AAA Profile and the Virtual AP Profile
- Wi-Fi Multimedia
- Uplink Bandwidth Reservation
- Secure Enterprise Mesh
- Mesh Access Points
- Mesh Links
- Mesh Profiles
- Mesh Solutions
- Before You Begin
- Mesh Radio Profiles
- RF Management (802.11a and 802.11g) Profiles
- Mesh High-Throughput SSID Profiles
- Mesh Cluster Profiles
- Ethernet Ports for Mesh
- Provisioning Mesh Nodes
- AP Boot Sequence
- Verifying the Network
- Remote Mesh Portals
- Authentication Servers
- Important Points to Remember
- Servers and Server Groups
- Configuring Servers
- Internal Database
- Server Groups
- Assigning Server Groups
- Configuring Authentication Timers
- 802.1x Authentication
- Overview of 802.1x Authentication
- Configuring 802.1x Authentication
- Example Configurations
- Authentication with an 802.1x RADIUS Server
- Configuring Roles and Policies
- Configuring the RADIUS Authentication Server
- Configure 802.1x Authentication
- Configure VLANs
- Configuring the WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Authentication with the Controller’s Internal Database
- Configuring the Internal Database
- Configure 802.1x Authentication
- Configure VLANs
- Configuring the WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Mixed Authentication Modes
- Advanced Configuration Options for 802.1x
- Certificate Revocation
- Roles and Policies
- Policies
- User Roles
- User Role Assignments
- Global Firewall Parameters
- Dashboard Monitoring
- Stateful and WISPr Authentication
- Captive Portal
- Captive Portal Overview
- Captive Portal in the Base ArubaOS
- Captive Portal with the PEFNG License
- Example Authentication with Captive Portal
- Configuring Guest VLANs
- Captive Portal Authentication
- Optional Captive Portal Configurations
- Personalizing the Captive Portal Page
- Creating Walled Garden Access
- Advanced Security
- Virtual Private Networks
- Planning a VPN Configuration
- VPN Authentication Profiles
- Configuring a Basic VPN for L2TP/IPsec
- Configuring a VPN for L2TP/IPsec with IKEv2
- Configuring a VPN for Smart Card Clients
- Configuring a VPN for Clients with User Passwords
- Configuring Remote Access VPNs for XAuth
- Remote Access VPNs for PPTP
- Site-to-Site VPNs
- VPN Dialer
- Virtual Intranet Access
- MAC-based Authentication
- Control Plane Security
- Control Plane Security Overview
- Configuring Control Plane Security
- Whitelists on Master and Local Controllers
- Environments with Multiple Master Controllers
- Replacing a Controller on a Multi-Controller Network
- Configuring Control Plane Security after Upgrading
- Troubleshooting Control Plane Security
- Adding Local Controllers
- Remote Nodes
- Creating Remote Node Profiles
- Adding a New Remote Node Profile
- Defining Remote Node Address Pools
- OSPF and Static Routes
- Configuration Examples
- Create a remote node profile
- Define VLANs for a remote node profile and assign a wired aaa profile to each VLAN
- Identify the RN interfaces to be used as access ports for each VLAN
- Configure each VLAN interface with an internal IP address
- Manage and configure the uplink network connection
- Configure the uplink network connection and define a static IPsec route map
- Configure user roles and passwords for administrative users
- Define the server used for name and address resolution
- Define the OSPF settings for the upstream router
- (Optional) Define SNMP settings
- Specify that the RN use its internal database to authenticate clients
- Define NAT settings and identify the interface for outgoing RADIUS packets
- Define DHCP pools for a RN tunnel
- Define RN DHCP pools for each VLAN
- Configuring the Remote Node Whitelist
- Installing the Remote Node at the Remote Site
- Monitoring and Managing Remote Nodes
- Creating Remote Node Profiles
- IP Mobility
- VRRP
- RSTP
- PVST+
- W-600 Series Controller
- OSPFv2
- Wireless Intrusion Prevention
- Reusable Wizard
- Monitoring Dashboard
- Rogue AP Detection
- Intrusion Detection
- Infrastructure Intrusion Detection
- Detect 802.11n 40MHz Intolerance Setting
- Detect Active 802.11n Greenfield Mode
- Detect Ad hoc Networks
- Detect Ad hoc Network Using Valid SSID
- Detect AP Flood Attack
- Detect AP Impersonation
- Detect AP Spoofing
- Detect Bad WEP
- Detect Beacon Wrong Channel
- Detect Client Flood Attack
- Detect CTS Rate Anomaly
- Detect RTS Rate Anomaly
- Detect Devices with an Invalid MAC OUI
- Detect Invalid Address Combination
- Detect Overflow EAPOL Key
- Detect Overflow IE
- Detect Malformed Frame-Assoc Request
- Detect Malformed Frame-Auth
- Detect Malformed Frame-HT IE
- Detect Malformed Frame-Large Duration
- Detect Misconfigured AP
- Detect Windows Bridge
- Detect Wireless Bridge
- Detect Broadcast Deauthentication
- Detect Broadcast Disassociation
- Detect Netstumbler
- Detect Valid SSID Misuse
- Detect Wellenreiter
- Client Intrusion Detection
- Detect Block ACK DoS
- Detect ChopChop Attack
- Detect Disconnect Station Attack
- Detect EAP Rate Anomaly
- Detect FATA-Jack Attack Structure
- Detect Hotspotter Attack
- Detect Meiners Power Save DoS Attack
- Detect Omerta Attack
- Detect Rate Anomalies
- Detect TKIP Replay Attack
- Detect Unencrypted Valid Clients
- Detect Valid Client Misassociation
- Detect AirJack
- Detect ASLEAP
- Detect Null Probe Response
- Infrastructure Intrusion Detection
- Intrusion Protection
- WLAN Management System
- Client Blacklisting
- WIP Advanced Features
- Link Aggregation Control Protocol
- Management Access
- Certificate Authentication for WebUI Access
- Public Key Authentication for SSH Access
- Radius Server Authentication
- Radius Server Username/Password Authentication
- RADIUS Server Authentication with VSA
- RADIUS Server Authentication with Server-Derivation Rule
- Disabling Authentication of Local Management User Accounts
- Verifying the configuration
- Resetting the Admin or Enable Password
- Bypassing the Enable Password Prompt
- Setting an Administrator Session Timeout
- Management Password Policy
- Managing Certificates
- Configuring SNMP
- Configuring Logging
- Guest Provisioning
- Managing Files on the Controller
- Setting the System Clock
- Spectrum Analysis
- Overview
- Creating Spectrum Monitors and Hybrid APs
- Connecting Spectrum Devices to the Spectrum Analysis Client
- Configuring the Spectrum Analysis Dashboards
- Customizing Spectrum Analysis Graphs
- Recording Spectrum Analysis Data
- Non-Wi-Fi Interferers
- Spectrum Analysis Session Log
- Viewing Spectrum Analysis Data via the CLI
- Spectrum Analysis Troubleshooting Tips
- Software Licenses
- IPv6 Support
- About IPv6
- IPv6 Topology
- IPv6 Support for Controller and AP
- IPv6 Extension Header (EH) Filtering
- Captive Portal over IPv6
- ArubaOS Support for IPv6 Clients
- ArubaOS Features that Support IPv6
- IPv6 User Addresses
- Important Points to Remember
- Voice and Video
- Voice and Video License Requirements
- Configuring Voice and Video
- QoS for Voice and Video
- Extended Voice and Video Functionalities
- QoS for Microsoft Office OCS and Apple Facetime
- WPA Fast Handover
- Mobile IP Home Agent Assignment
- VoIP-Aware ARM Scanning
- Voice-Aware 802.1x
- SIP Authentication Tracking
- Real Time Call Quality Analysis
- SIP Session Timer
- Voice and Video Traffic Awareness for Encrypted Signaling Protocols
- Wi-Fi Edge Detection and Handover for Voice Clients
- Dial Plan for SIP Calls
- Enhanced 911 Support
- Voice over Remote Access Point
- Battery Boost
- Advanced Voice Troubleshooting
- External Services Interface
- Understanding ESI
- Understanding the ESI Syslog Parser
- ESI Configuration Overview
- Configuring Health-Check Method, Groups, and Servers
- Defining the ESI Server
- Defining the ESI Server Group
- Redirection Policies and User Role
- ESI Syslog Parser Domains and Rules
- Managing Syslog Parser Domains in the WebUI
- Managing Syslog Parser Domains in the CLI
- Managing Syslog Parser Rules
- Monitoring Syslog Parser Statistics
- Example Route-mode ESI Topology
- ESI server configuration on controller
- IP routing configuration on Fortinet gateway
- Configuring the Example Routed ESI Topology
- Health-Check Method, Groups, and Servers
- Defining the Ping Health-Check Method
- Defining the ESI Server
- Defining the ESI Server Group
- Redirection Policies and User Role
- Syslog Parser Domain and Rules
- Example NAT-mode ESI Topology
- Basic Regular Expression Syntax
- External User Management
- DHCP with Vendor-Specific Options
- External Firewall Configuration
- Behavior and Defaults
- 802.1x Configuration IAS Windows
- Internal Captive Portal
- Tunneled Nodes
- VIA: End User Instructions
- Provisioning RAP at Home
- Acronyms and Terms
- Index
Dell PowerConnect W-Series ArubaOS 6.1 | User Guide Authentication Servers | 279
Configuring a Role Derivation Rule for the Internal Database
When you add a user entry in the controller’s internal database, you can optionally specify a user role (see
“Internal Database” on page269). In order for the role specified in the internal database entry to be assigned to
the authenticated client, you must configure a server derivation rule as shown in the following sections:
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Server Group to display the Server Group list.
3. Select the internal server group.
4. Under Server Rules, click New to add a server derivation rule.
a. For Condition, enter Role.
b. Select value-of from the drop-down menu.
c. Select Set Role from the drop-down menu.
d. Click Add.
5. Click Apply.
In the CLI
aaa server-group internal
set role condition Role value-of
Assigning Server Groups
You can create server groups for the following purposes:
user authentication
management authentication
accounting
You can configure all types of servers for user and management authentication (see Table 53). Accounting is only
supported with RADIUS and TACACS+ servers when RADIUS or TACACS+ is used for authentication.
User Authentication
For information about assigning a server group for user authentication, see the configuration chapter for the
authentication method.
Table 53 Server Types and Purposes
RADIUS TACACS+ LDAP Internal Database
User authentication Yes Yes Yes Yes
Management authentication Yes Yes Yes Yes
Accounting Yes Yes No No