Users Guide
Table Of Contents
- Dell PowerConnect W-Series ArubaOS 6.1
- Contents
- About this Guide
- The Basic User-Centric Networks
- Configuring the User-Centric Network
- Deployment and Configuration Tasks
- Configuring the Controller
- Configuring a VLAN for Network Connection
- Additional Configuration
- Network Parameters
- Configuring VLANs
- Configuring Ports
- About VLAN Assignments
- How a VLAN Obtains its IP Address
- Assigning a Static Address to a VLAN
- Using CLI
- Configuring a VLAN to Receive a Dynamic Address
- Enabling the DHCP Client
- Enabling the PPPoE Client
- Default Gateway from DHCP/PPPoE
- Configuring DNS/WINS Server from DHPC/PPPoE
- Using the WebUI
- Configuring Source NAT to Dynamic VLAN Address
- Configuring Source NAT for VLAN Interfaces
- Inter-VLAN Routing
- Configuring Static Routes
- Configuring the Loopback IP Address
- Configuring the Controller IP Address
- Configuring GRE Tunnels
- RF Plan
- Supported Planning
- Before You Begin
- Launching the RF Plan
- Using the FQLN Mapper in the AP Provision Page
- RF Plan Example
- Sample Building
- Create a Building
- Model the Access Points
- Model the Air Monitors
- Add and Edit a Floor
- Adding the background image and naming the first floor
- Adding the background image and naming the second floor
- Defining Areas
- Creating a Don’t Care Area
- Creating a Don’t Deploy Area
- Running the AP Plan
- Running the AM Plan
- Access Points
- Basic Functions and Features
- AP Names and Groups
- AP Configuration Profiles
- Profile Hierarchy
- Deploying APs
- Provisioning Installed APs
- Configuring a Provisioned AP
- Managing RF Interference
- AP Channel Assignments
- AP Console Settings
- Virtual APs
- Virtual AP Profiles
- Configuring a Virtual AP
- Configuring a High-Throughput Virtual AP
- Adaptive Radio Management (ARM)
- Remote Access Points
- Overview
- Configuring the Secure Remote Access Point Service
- Deploying a Branch Office/Home Office Solution
- Enabling Double Encryption
- Advanced Configuration Options
- Understanding Remote AP Modes of Operation
- Fallback Mode
- Configuring the fallback mode
- Configuring the DHCP Server on the Remote AP
- Advanced Backup Configuration Options
- DNS Controller Setting
- Backup Controller List
- Remote AP Failback
- RAP Local Network Access
- Remote AP Authorization Profiles
- Access Control Lists and Firewall Policies
- Split Tunneling
- Configuring the Session ACL
- Configuring ACL for restricted LD homepage access
- Configuring the AAA Profile and the Virtual AP Profile
- Wi-Fi Multimedia
- Uplink Bandwidth Reservation
- Secure Enterprise Mesh
- Mesh Access Points
- Mesh Links
- Mesh Profiles
- Mesh Solutions
- Before You Begin
- Mesh Radio Profiles
- RF Management (802.11a and 802.11g) Profiles
- Mesh High-Throughput SSID Profiles
- Mesh Cluster Profiles
- Ethernet Ports for Mesh
- Provisioning Mesh Nodes
- AP Boot Sequence
- Verifying the Network
- Remote Mesh Portals
- Authentication Servers
- Important Points to Remember
- Servers and Server Groups
- Configuring Servers
- Internal Database
- Server Groups
- Assigning Server Groups
- Configuring Authentication Timers
- 802.1x Authentication
- Overview of 802.1x Authentication
- Configuring 802.1x Authentication
- Example Configurations
- Authentication with an 802.1x RADIUS Server
- Configuring Roles and Policies
- Configuring the RADIUS Authentication Server
- Configure 802.1x Authentication
- Configure VLANs
- Configuring the WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Authentication with the Controller’s Internal Database
- Configuring the Internal Database
- Configure 802.1x Authentication
- Configure VLANs
- Configuring the WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Mixed Authentication Modes
- Advanced Configuration Options for 802.1x
- Certificate Revocation
- Roles and Policies
- Policies
- User Roles
- User Role Assignments
- Global Firewall Parameters
- Dashboard Monitoring
- Stateful and WISPr Authentication
- Captive Portal
- Captive Portal Overview
- Captive Portal in the Base ArubaOS
- Captive Portal with the PEFNG License
- Example Authentication with Captive Portal
- Configuring Guest VLANs
- Captive Portal Authentication
- Optional Captive Portal Configurations
- Personalizing the Captive Portal Page
- Creating Walled Garden Access
- Advanced Security
- Virtual Private Networks
- Planning a VPN Configuration
- VPN Authentication Profiles
- Configuring a Basic VPN for L2TP/IPsec
- Configuring a VPN for L2TP/IPsec with IKEv2
- Configuring a VPN for Smart Card Clients
- Configuring a VPN for Clients with User Passwords
- Configuring Remote Access VPNs for XAuth
- Remote Access VPNs for PPTP
- Site-to-Site VPNs
- VPN Dialer
- Virtual Intranet Access
- MAC-based Authentication
- Control Plane Security
- Control Plane Security Overview
- Configuring Control Plane Security
- Whitelists on Master and Local Controllers
- Environments with Multiple Master Controllers
- Replacing a Controller on a Multi-Controller Network
- Configuring Control Plane Security after Upgrading
- Troubleshooting Control Plane Security
- Adding Local Controllers
- Remote Nodes
- Creating Remote Node Profiles
- Adding a New Remote Node Profile
- Defining Remote Node Address Pools
- OSPF and Static Routes
- Configuration Examples
- Create a remote node profile
- Define VLANs for a remote node profile and assign a wired aaa profile to each VLAN
- Identify the RN interfaces to be used as access ports for each VLAN
- Configure each VLAN interface with an internal IP address
- Manage and configure the uplink network connection
- Configure the uplink network connection and define a static IPsec route map
- Configure user roles and passwords for administrative users
- Define the server used for name and address resolution
- Define the OSPF settings for the upstream router
- (Optional) Define SNMP settings
- Specify that the RN use its internal database to authenticate clients
- Define NAT settings and identify the interface for outgoing RADIUS packets
- Define DHCP pools for a RN tunnel
- Define RN DHCP pools for each VLAN
- Configuring the Remote Node Whitelist
- Installing the Remote Node at the Remote Site
- Monitoring and Managing Remote Nodes
- Creating Remote Node Profiles
- IP Mobility
- VRRP
- RSTP
- PVST+
- W-600 Series Controller
- OSPFv2
- Wireless Intrusion Prevention
- Reusable Wizard
- Monitoring Dashboard
- Rogue AP Detection
- Intrusion Detection
- Infrastructure Intrusion Detection
- Detect 802.11n 40MHz Intolerance Setting
- Detect Active 802.11n Greenfield Mode
- Detect Ad hoc Networks
- Detect Ad hoc Network Using Valid SSID
- Detect AP Flood Attack
- Detect AP Impersonation
- Detect AP Spoofing
- Detect Bad WEP
- Detect Beacon Wrong Channel
- Detect Client Flood Attack
- Detect CTS Rate Anomaly
- Detect RTS Rate Anomaly
- Detect Devices with an Invalid MAC OUI
- Detect Invalid Address Combination
- Detect Overflow EAPOL Key
- Detect Overflow IE
- Detect Malformed Frame-Assoc Request
- Detect Malformed Frame-Auth
- Detect Malformed Frame-HT IE
- Detect Malformed Frame-Large Duration
- Detect Misconfigured AP
- Detect Windows Bridge
- Detect Wireless Bridge
- Detect Broadcast Deauthentication
- Detect Broadcast Disassociation
- Detect Netstumbler
- Detect Valid SSID Misuse
- Detect Wellenreiter
- Client Intrusion Detection
- Detect Block ACK DoS
- Detect ChopChop Attack
- Detect Disconnect Station Attack
- Detect EAP Rate Anomaly
- Detect FATA-Jack Attack Structure
- Detect Hotspotter Attack
- Detect Meiners Power Save DoS Attack
- Detect Omerta Attack
- Detect Rate Anomalies
- Detect TKIP Replay Attack
- Detect Unencrypted Valid Clients
- Detect Valid Client Misassociation
- Detect AirJack
- Detect ASLEAP
- Detect Null Probe Response
- Infrastructure Intrusion Detection
- Intrusion Protection
- WLAN Management System
- Client Blacklisting
- WIP Advanced Features
- Link Aggregation Control Protocol
- Management Access
- Certificate Authentication for WebUI Access
- Public Key Authentication for SSH Access
- Radius Server Authentication
- Radius Server Username/Password Authentication
- RADIUS Server Authentication with VSA
- RADIUS Server Authentication with Server-Derivation Rule
- Disabling Authentication of Local Management User Accounts
- Verifying the configuration
- Resetting the Admin or Enable Password
- Bypassing the Enable Password Prompt
- Setting an Administrator Session Timeout
- Management Password Policy
- Managing Certificates
- Configuring SNMP
- Configuring Logging
- Guest Provisioning
- Managing Files on the Controller
- Setting the System Clock
- Spectrum Analysis
- Overview
- Creating Spectrum Monitors and Hybrid APs
- Connecting Spectrum Devices to the Spectrum Analysis Client
- Configuring the Spectrum Analysis Dashboards
- Customizing Spectrum Analysis Graphs
- Recording Spectrum Analysis Data
- Non-Wi-Fi Interferers
- Spectrum Analysis Session Log
- Viewing Spectrum Analysis Data via the CLI
- Spectrum Analysis Troubleshooting Tips
- Software Licenses
- IPv6 Support
- About IPv6
- IPv6 Topology
- IPv6 Support for Controller and AP
- IPv6 Extension Header (EH) Filtering
- Captive Portal over IPv6
- ArubaOS Support for IPv6 Clients
- ArubaOS Features that Support IPv6
- IPv6 User Addresses
- Important Points to Remember
- Voice and Video
- Voice and Video License Requirements
- Configuring Voice and Video
- QoS for Voice and Video
- Extended Voice and Video Functionalities
- QoS for Microsoft Office OCS and Apple Facetime
- WPA Fast Handover
- Mobile IP Home Agent Assignment
- VoIP-Aware ARM Scanning
- Voice-Aware 802.1x
- SIP Authentication Tracking
- Real Time Call Quality Analysis
- SIP Session Timer
- Voice and Video Traffic Awareness for Encrypted Signaling Protocols
- Wi-Fi Edge Detection and Handover for Voice Clients
- Dial Plan for SIP Calls
- Enhanced 911 Support
- Voice over Remote Access Point
- Battery Boost
- Advanced Voice Troubleshooting
- External Services Interface
- Understanding ESI
- Understanding the ESI Syslog Parser
- ESI Configuration Overview
- Configuring Health-Check Method, Groups, and Servers
- Defining the ESI Server
- Defining the ESI Server Group
- Redirection Policies and User Role
- ESI Syslog Parser Domains and Rules
- Managing Syslog Parser Domains in the WebUI
- Managing Syslog Parser Domains in the CLI
- Managing Syslog Parser Rules
- Monitoring Syslog Parser Statistics
- Example Route-mode ESI Topology
- ESI server configuration on controller
- IP routing configuration on Fortinet gateway
- Configuring the Example Routed ESI Topology
- Health-Check Method, Groups, and Servers
- Defining the Ping Health-Check Method
- Defining the ESI Server
- Defining the ESI Server Group
- Redirection Policies and User Role
- Syslog Parser Domain and Rules
- Example NAT-mode ESI Topology
- Basic Regular Expression Syntax
- External User Management
- DHCP with Vendor-Specific Options
- External Firewall Configuration
- Behavior and Defaults
- 802.1x Configuration IAS Windows
- Internal Captive Portal
- Tunneled Nodes
- VIA: End User Instructions
- Provisioning RAP at Home
- Acronyms and Terms
- Index
446 | Control Plane Security Dell PowerConnect W-Series ArubaOS 6.1 | User Guide
Access the command-line interface on the old local controller and issue the command whitelist-db cpsec
purge
-or-
Access the local controller WebUI, navigate to Configuration>AP Installation>Campus AP Whitelist and
click Purge.
3. Once the campus AP whitelist has been purged, you must inform the master controller that the local
controller will no longer be available. .
Access the command-line interface on the master controller, and issue the command whitelist-db cpsec-local-
switch-list del mac-address <local-controller-mac>
-or -
Access the maser controller WebUI, navigate to the Configuration>Controller>Control Plane Security
window, select the entry for the local controller you want to delete from the local switch whitelist, and click
Delete.
4. Install the new local controller, but do not connect it to the network yet. If the controller has been previously
installed on the network, you must ensure that the new local controller has a clean whitelist.
Access the command-line interface on the new local controller and issue the command whitelist-db cpsec
purge
-or-
Access the local controller WebUI, navigate to Configuration>AP Installation>Campus AP Whitelist and
click Purge.
5. Now, connect the new local controller to the network. It is very important that the local controller is able to
contact the master controller the first time it is connected to the network, because the local controller will try
to get its control plane security certificate certified by the master controller the first time the local controller
contacts its master.
6. Once the local controller has a valid control plane security certificate and configuration, the local controller
will receive the campus AP whitelist from the master controller and will start certifying approved APs.
7. APs associated with the new local controller will reboot and create new IPsec tunnels to their controller using
the new certificate keys
Replacing a Master Controller (With No Backup)
Use the following procedure to replace a master controller that does not have a backup controller.
1. Remove the old master controller from the network.
2. Install and configure the new master controller, then connect the new master to the network. The new master
controller will generate a new certificate when it first becomes active
3. If the new master controller has a different IP address than the old master controller, change the master IP
address on the local controllers to reflect the address of the new master.
4. Reboot each local controller to ensure that the local controllers get their certificate from the new master. Each
local controller will begin using a new certificate signed by the master controller.
5. APs will no longer be able to securely communicate with the controller using their current key, and must
receive a new certificate. Access the campus AP whitelist on any local controller and change all APs in a
“certified” state to an “approved” state. The new master controller will send the approved APs new
certificates. The APs will reboot and create new IPsec tunnels to their controller using the new certificate key.
If the master controller does not have any local controllers, you must recreate the campus AP whitelist by
turning on automatic certificate provisioning or manually reentering the campus AP whitelist entries.
NOTE: This step is very important; unused local controller entries in the local switch whitelist can significantly increase network
traffic and reduce controller memory resources.