Users Guide
Table Of Contents
- Dell PowerConnect W-Series ArubaOS 6.1
- Contents
- About this Guide
- The Basic User-Centric Networks
- Configuring the User-Centric Network
- Deployment and Configuration Tasks
- Configuring the Controller
- Configuring a VLAN for Network Connection
- Additional Configuration
- Network Parameters
- Configuring VLANs
- Configuring Ports
- About VLAN Assignments
- How a VLAN Obtains its IP Address
- Assigning a Static Address to a VLAN
- Using CLI
- Configuring a VLAN to Receive a Dynamic Address
- Enabling the DHCP Client
- Enabling the PPPoE Client
- Default Gateway from DHCP/PPPoE
- Configuring DNS/WINS Server from DHPC/PPPoE
- Using the WebUI
- Configuring Source NAT to Dynamic VLAN Address
- Configuring Source NAT for VLAN Interfaces
- Inter-VLAN Routing
- Configuring Static Routes
- Configuring the Loopback IP Address
- Configuring the Controller IP Address
- Configuring GRE Tunnels
- RF Plan
- Supported Planning
- Before You Begin
- Launching the RF Plan
- Using the FQLN Mapper in the AP Provision Page
- RF Plan Example
- Sample Building
- Create a Building
- Model the Access Points
- Model the Air Monitors
- Add and Edit a Floor
- Adding the background image and naming the first floor
- Adding the background image and naming the second floor
- Defining Areas
- Creating a Don’t Care Area
- Creating a Don’t Deploy Area
- Running the AP Plan
- Running the AM Plan
- Access Points
- Basic Functions and Features
- AP Names and Groups
- AP Configuration Profiles
- Profile Hierarchy
- Deploying APs
- Provisioning Installed APs
- Configuring a Provisioned AP
- Managing RF Interference
- AP Channel Assignments
- AP Console Settings
- Virtual APs
- Virtual AP Profiles
- Configuring a Virtual AP
- Configuring a High-Throughput Virtual AP
- Adaptive Radio Management (ARM)
- Remote Access Points
- Overview
- Configuring the Secure Remote Access Point Service
- Deploying a Branch Office/Home Office Solution
- Enabling Double Encryption
- Advanced Configuration Options
- Understanding Remote AP Modes of Operation
- Fallback Mode
- Configuring the fallback mode
- Configuring the DHCP Server on the Remote AP
- Advanced Backup Configuration Options
- DNS Controller Setting
- Backup Controller List
- Remote AP Failback
- RAP Local Network Access
- Remote AP Authorization Profiles
- Access Control Lists and Firewall Policies
- Split Tunneling
- Configuring the Session ACL
- Configuring ACL for restricted LD homepage access
- Configuring the AAA Profile and the Virtual AP Profile
- Wi-Fi Multimedia
- Uplink Bandwidth Reservation
- Secure Enterprise Mesh
- Mesh Access Points
- Mesh Links
- Mesh Profiles
- Mesh Solutions
- Before You Begin
- Mesh Radio Profiles
- RF Management (802.11a and 802.11g) Profiles
- Mesh High-Throughput SSID Profiles
- Mesh Cluster Profiles
- Ethernet Ports for Mesh
- Provisioning Mesh Nodes
- AP Boot Sequence
- Verifying the Network
- Remote Mesh Portals
- Authentication Servers
- Important Points to Remember
- Servers and Server Groups
- Configuring Servers
- Internal Database
- Server Groups
- Assigning Server Groups
- Configuring Authentication Timers
- 802.1x Authentication
- Overview of 802.1x Authentication
- Configuring 802.1x Authentication
- Example Configurations
- Authentication with an 802.1x RADIUS Server
- Configuring Roles and Policies
- Configuring the RADIUS Authentication Server
- Configure 802.1x Authentication
- Configure VLANs
- Configuring the WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Authentication with the Controller’s Internal Database
- Configuring the Internal Database
- Configure 802.1x Authentication
- Configure VLANs
- Configuring the WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Mixed Authentication Modes
- Advanced Configuration Options for 802.1x
- Certificate Revocation
- Roles and Policies
- Policies
- User Roles
- User Role Assignments
- Global Firewall Parameters
- Dashboard Monitoring
- Stateful and WISPr Authentication
- Captive Portal
- Captive Portal Overview
- Captive Portal in the Base ArubaOS
- Captive Portal with the PEFNG License
- Example Authentication with Captive Portal
- Configuring Guest VLANs
- Captive Portal Authentication
- Optional Captive Portal Configurations
- Personalizing the Captive Portal Page
- Creating Walled Garden Access
- Advanced Security
- Virtual Private Networks
- Planning a VPN Configuration
- VPN Authentication Profiles
- Configuring a Basic VPN for L2TP/IPsec
- Configuring a VPN for L2TP/IPsec with IKEv2
- Configuring a VPN for Smart Card Clients
- Configuring a VPN for Clients with User Passwords
- Configuring Remote Access VPNs for XAuth
- Remote Access VPNs for PPTP
- Site-to-Site VPNs
- VPN Dialer
- Virtual Intranet Access
- MAC-based Authentication
- Control Plane Security
- Control Plane Security Overview
- Configuring Control Plane Security
- Whitelists on Master and Local Controllers
- Environments with Multiple Master Controllers
- Replacing a Controller on a Multi-Controller Network
- Configuring Control Plane Security after Upgrading
- Troubleshooting Control Plane Security
- Adding Local Controllers
- Remote Nodes
- Creating Remote Node Profiles
- Adding a New Remote Node Profile
- Defining Remote Node Address Pools
- OSPF and Static Routes
- Configuration Examples
- Create a remote node profile
- Define VLANs for a remote node profile and assign a wired aaa profile to each VLAN
- Identify the RN interfaces to be used as access ports for each VLAN
- Configure each VLAN interface with an internal IP address
- Manage and configure the uplink network connection
- Configure the uplink network connection and define a static IPsec route map
- Configure user roles and passwords for administrative users
- Define the server used for name and address resolution
- Define the OSPF settings for the upstream router
- (Optional) Define SNMP settings
- Specify that the RN use its internal database to authenticate clients
- Define NAT settings and identify the interface for outgoing RADIUS packets
- Define DHCP pools for a RN tunnel
- Define RN DHCP pools for each VLAN
- Configuring the Remote Node Whitelist
- Installing the Remote Node at the Remote Site
- Monitoring and Managing Remote Nodes
- Creating Remote Node Profiles
- IP Mobility
- VRRP
- RSTP
- PVST+
- W-600 Series Controller
- OSPFv2
- Wireless Intrusion Prevention
- Reusable Wizard
- Monitoring Dashboard
- Rogue AP Detection
- Intrusion Detection
- Infrastructure Intrusion Detection
- Detect 802.11n 40MHz Intolerance Setting
- Detect Active 802.11n Greenfield Mode
- Detect Ad hoc Networks
- Detect Ad hoc Network Using Valid SSID
- Detect AP Flood Attack
- Detect AP Impersonation
- Detect AP Spoofing
- Detect Bad WEP
- Detect Beacon Wrong Channel
- Detect Client Flood Attack
- Detect CTS Rate Anomaly
- Detect RTS Rate Anomaly
- Detect Devices with an Invalid MAC OUI
- Detect Invalid Address Combination
- Detect Overflow EAPOL Key
- Detect Overflow IE
- Detect Malformed Frame-Assoc Request
- Detect Malformed Frame-Auth
- Detect Malformed Frame-HT IE
- Detect Malformed Frame-Large Duration
- Detect Misconfigured AP
- Detect Windows Bridge
- Detect Wireless Bridge
- Detect Broadcast Deauthentication
- Detect Broadcast Disassociation
- Detect Netstumbler
- Detect Valid SSID Misuse
- Detect Wellenreiter
- Client Intrusion Detection
- Detect Block ACK DoS
- Detect ChopChop Attack
- Detect Disconnect Station Attack
- Detect EAP Rate Anomaly
- Detect FATA-Jack Attack Structure
- Detect Hotspotter Attack
- Detect Meiners Power Save DoS Attack
- Detect Omerta Attack
- Detect Rate Anomalies
- Detect TKIP Replay Attack
- Detect Unencrypted Valid Clients
- Detect Valid Client Misassociation
- Detect AirJack
- Detect ASLEAP
- Detect Null Probe Response
- Infrastructure Intrusion Detection
- Intrusion Protection
- WLAN Management System
- Client Blacklisting
- WIP Advanced Features
- Link Aggregation Control Protocol
- Management Access
- Certificate Authentication for WebUI Access
- Public Key Authentication for SSH Access
- Radius Server Authentication
- Radius Server Username/Password Authentication
- RADIUS Server Authentication with VSA
- RADIUS Server Authentication with Server-Derivation Rule
- Disabling Authentication of Local Management User Accounts
- Verifying the configuration
- Resetting the Admin or Enable Password
- Bypassing the Enable Password Prompt
- Setting an Administrator Session Timeout
- Management Password Policy
- Managing Certificates
- Configuring SNMP
- Configuring Logging
- Guest Provisioning
- Managing Files on the Controller
- Setting the System Clock
- Spectrum Analysis
- Overview
- Creating Spectrum Monitors and Hybrid APs
- Connecting Spectrum Devices to the Spectrum Analysis Client
- Configuring the Spectrum Analysis Dashboards
- Customizing Spectrum Analysis Graphs
- Recording Spectrum Analysis Data
- Non-Wi-Fi Interferers
- Spectrum Analysis Session Log
- Viewing Spectrum Analysis Data via the CLI
- Spectrum Analysis Troubleshooting Tips
- Software Licenses
- IPv6 Support
- About IPv6
- IPv6 Topology
- IPv6 Support for Controller and AP
- IPv6 Extension Header (EH) Filtering
- Captive Portal over IPv6
- ArubaOS Support for IPv6 Clients
- ArubaOS Features that Support IPv6
- IPv6 User Addresses
- Important Points to Remember
- Voice and Video
- Voice and Video License Requirements
- Configuring Voice and Video
- QoS for Voice and Video
- Extended Voice and Video Functionalities
- QoS for Microsoft Office OCS and Apple Facetime
- WPA Fast Handover
- Mobile IP Home Agent Assignment
- VoIP-Aware ARM Scanning
- Voice-Aware 802.1x
- SIP Authentication Tracking
- Real Time Call Quality Analysis
- SIP Session Timer
- Voice and Video Traffic Awareness for Encrypted Signaling Protocols
- Wi-Fi Edge Detection and Handover for Voice Clients
- Dial Plan for SIP Calls
- Enhanced 911 Support
- Voice over Remote Access Point
- Battery Boost
- Advanced Voice Troubleshooting
- External Services Interface
- Understanding ESI
- Understanding the ESI Syslog Parser
- ESI Configuration Overview
- Configuring Health-Check Method, Groups, and Servers
- Defining the ESI Server
- Defining the ESI Server Group
- Redirection Policies and User Role
- ESI Syslog Parser Domains and Rules
- Managing Syslog Parser Domains in the WebUI
- Managing Syslog Parser Domains in the CLI
- Managing Syslog Parser Rules
- Monitoring Syslog Parser Statistics
- Example Route-mode ESI Topology
- ESI server configuration on controller
- IP routing configuration on Fortinet gateway
- Configuring the Example Routed ESI Topology
- Health-Check Method, Groups, and Servers
- Defining the Ping Health-Check Method
- Defining the ESI Server
- Defining the ESI Server Group
- Redirection Policies and User Role
- Syslog Parser Domain and Rules
- Example NAT-mode ESI Topology
- Basic Regular Expression Syntax
- External User Management
- DHCP with Vendor-Specific Options
- External Firewall Configuration
- Behavior and Defaults
- 802.1x Configuration IAS Windows
- Internal Captive Portal
- Tunneled Nodes
- VIA: End User Instructions
- Provisioning RAP at Home
- Acronyms and Terms
- Index
450 | Control Plane Security Dell PowerConnect W-Series ArubaOS 6.1 | User Guide
Table 86 Control Plane Security Upgrade Strategies
Troubleshooting Control Plane Security
Certificate Problems
If an AP has a problem with its certificate, check the state of the AP in the campus AP whitelist. If the AP is in
either the certified-hold-factory-cert or certified-hold-switch-cert states, you may need to manually change the
status of that AP before it can be certified.
certified-hold-factory-cert: An AP is put in this state when the controller thinks the AP has been certified with
a factory certificate yet the AP requests to be certified again. Since this is not a normal condition, the AP will
not be approved as a secure AP until a network administrator manually changes the status of the AP to verify
that it is not compromised. If an AP is in this state due to connectivity problems, then the AP will recover and
will be out of this hold state as soon as connectivity is restored.
certified-hold-switch-cert: An AP is put in this state when the controller thinks the AP has been certified with
a controller certificate yet the AP requests to be certified again. Since this is not a normal condition, the AP
will not be approved as a secure AP until a network administrator manually changes the status of the AP to
verify that it is not compromised. If an AP is in this state due to connectivity problems, then the AP will
recover and will be out of this hold state as soon as connectivity is restored.
Verifying Certificates
If you are unable to configure the control plane security feature on W-6000M3, W-600 Series or W-3000 Series
controllers, verify that its Trusted Platform Module (TPM) and factory-installed certificates are present and valid
Automatically send Certificates to Campus APs
Manually Certify Campus APs
1. Access the control plane security window and enable both
the control plane security feature and the auto certificate
provisioning option. Next, specify whether you want all
associated campus APs to automatically receive a
certificate, or if you want to certify only those APs within a
defined range of IP addresses.
1. Identify the campus APs that should receive certificates by
entering the campus APs’ MAC addresses in the campus AP
whitelist.
2. Once all APs have received their certificates, disable auto
certificate provisioning to prevent certificates from being
issued to any rogue APs that may appear on your network
at a later time.
2. If your network includes both master and local controllers, wait
a few minutes, then verify that the campus AP whitelist has
been propagated to all other controllers on the network.
Access the WebUI of the master controller, navigate to
Configuration>Controller>Control Plane Security, then verify
that the Current Sequence Number field has the same value as
the Sequence Number entry for each local controller in the
local switch whitelist. (For details, see “Verify Whitelist
Synchronization” on page 451.)
3. If a valid AP did not receive a certificate during the initial
certificate distribution, you can manually certify the AP by
adding that AP’s MAC address to the campus AP whitelist.
You can also use this whitelist to revoke certificates from
APs that should not be allowed access to the secure
network.
3. Enable the control plane security feature.
CAUTION: If you upgraded your controller from ArubaOS 5.0 or earlier and you want to use this feature for the first time, you
must either add all valid APs to the campus AP whitelist or enable automatic certificate provisioning before you enable the
feature. If you do not enable automatic certificate provisioning, only the APs currently approved in the campus AP whitelist will
be allowed to communicate with the controller over a secure channel. Any APs that do not receive a certificate will not be able
to communicate with the controller except to request a certificate.