Users Guide
Dell PowerConnect W-Series ArubaOS 6.1 | User Guide Virtual Intranet Access | 419
1. Enable VPN Server Module—ArubaOS allows you to connect to the VIA controller using the default user
roles. However, to configure and assign specific user roles you must install the Policy Enforcement Firewall
Virtual Private Network (PEFV) license.
2. Create VIA User Roles—VIA user roles contain access control policies for users connecting to your network
using VIA. You can configure different VIA roles or use the default VIA role, default-via-role.
3. Create VIA Authentication Profile—A VIA authentication profile contains a server group for authenticating
VIA users. The server group contains the list of authentication servers and server rules to derive user roles
based on the user authentication. You can configure multiple VIA authentication profiles and/or use the
default VIA authentication profile created with the Internal server group.
4. Create VIA Connection Profile—A VIA connection profile contains settings required by VIA to establish a
secure connection to the controller. You can configure multiple VIA connection profiles. A VIA connection
profile is always associated with a user role, and all users belonging to that role use the configured settings. If
you do not assign a VIA connection profile to a user role, the default connection profile is used.
5. Configure VIA Web Authentication—A VIA web authentication profile contains an ordered list of VIA
authentication profiles. The web authentication profile is used by end users to log in to the VIA download page
(https://<server-IP-address>/via) for downloading the VIA client. Only one VIA web authentication profile is
available. If more than one VIA authentication profile (step 3 on page 419) is configured, users can view this
list and select one during the client login.
6. Associate VIA Connection Profile to User Role—A VIA connection profile has to be associated with a user role.
Users log in by authenticating against the server group specified in the VIA authentication profile and are
put into that user role. The VIA configuration settings are derived from the VIA connection profile attached
to that user role. If no VIA connection profile is attached to the role, the default connection profile is used.
7. Configure VIA Client WLAN Profiles—You can push WLAN profiles to end-user computers that use the
Microsoft Windows Wireless Zero Config (WZC) service to configure and maintain their wireless networks.
After the WLAN profiles are pushed to end-user computers, they are automatically displayed as an ordered
list in the preferred networks. The VIA client WLAN profiles provisioned on the client can be selected from
the VIA connection profile described in Step 6.
8. Re-branding VIA and Downloading the Installer—You can use a custom logo on the VIA client and on the
VIA download web page.
9. Download VIA Installer and Version File
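The relationships in steps 3 through 6, as an added audit example that is not part of the Dell guide: it lists the roles that VIA authentication profiles place users into but that have no connection profile attached (so the default connection profile applies), and the authentication profiles missing from the web authentication list. The configuration excerpt is constructed, and the CLI block syntax, the sample names and the default-via-role fallback for a profile without a default-role are assumptions, since this page shows only the WebUI.

```python
# Constructed excerpt; CLI block syntax is assumed and every name is a sample value.
SAMPLE_CONFIG = '''\
user-role example-via-role
   via "corp-conn"
!
user-role contractor-via-role
!
aaa authentication via auth-profile "corp-auth"
   default-role example-via-role
!
aaa authentication via auth-profile "contractor-auth"
   default-role contractor-via-role
!
aaa authentication via auth-profile "unused-auth"
!
aaa authentication via web-auth "default"
   auth-profile "corp-auth" position 0
   auth-profile "contractor-auth" position 1
!
'''

def parse_blocks(text):
    """Yield (header, [sub-commands]) per block; '!' or a new header ends a block."""
    header, body = None, []
    for line in text.splitlines() + ["!"]:
        if line[:1].isspace():
            body.append(line.strip().replace('"', ""))
        elif line.strip():
            if header:
                yield header, body
            header = None if line.strip() == "!" else line.strip().replace('"', "")
            body = []

def audit_via(text):
    """Map roles to connection profiles and auth profiles to roles, then report gaps."""
    role_conn, auth_role, web_auth = {}, {}, []
    for header, body in parse_blocks(text):
        subs = dict(b.split(None, 1) for b in body if " " in b)
        name = header.split()[-1]
        if header.startswith("user-role "):
            role_conn[name] = subs.get("via")
        elif header.startswith("aaa authentication via auth-profile "):
            # Assumption: a profile with no default-role uses default-via-role.
            auth_role[name] = subs.get("default-role", "default-via-role")
        elif header.startswith("aaa authentication via web-auth "):
            web_auth = [b.split()[1] for b in sorted(body, key=lambda b: int(b.split()[-1]))]
    return {
        "default_conn_profile": sorted(r for r in set(auth_role.values()) if not role_conn.get(r)),
        "not_in_web_auth": sorted(a for a in auth_role if a not in web_auth),
        "web_auth_order": web_auth,
    }
```

Roles reported under default_conn_profile are the ones to review first, because their VIA settings come from the default connection profile rather than one chosen for that role.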
Using WebUI to Configure VIA
The following steps illustrate configuring your controller for VIA using the WebUI.
Enable VPN Server Module
You must install the PEFV license to configure and assign user roles. See Chapter 34, “Software Licenses” for
licensing requirements.
To install a license:
1. Navigate to Configuration > Network > Controller and select the Licenses tab on the right-hand side.
2. Paste the license key in the Add New License key text box and click the Add button.
Create VIA User Roles
To create VIA user roles:
1. Navigate to Configuration > Security > Access Control > User Roles.
2. Click Add to create new policies. Click Done after creating the user role, then click Apply to save it to the
configuration.