Users Guide
Table Of Contents
- Dell PowerConnect ArubaOS 5.0
- Contents
- About this Guide
- The Basic User-Centric Networks
- Configuring the User-Centric Network
- Deployment and Configuration Tasks
- Configuring the Controller
- Configuring a VLAN for Network Connection
- Deploying APs
- Additional Configuration
- Network Parameters
- Configuring VLANs
- Configuring Ports
- About VLAN Assignments
- Assigning a Static Address to a VLAN
- Using CLI
- Configuring a VLAN to Receive a Dynamic Address
- Enabling the DHCP Client
- Enabling the PPPoE Client
- Default Gateway from DHCP/PPPoE
- Configuring DNS/WINS Server from DHPC/PPPoE
- Using the WebUI
- Configuring Source NAT to Dynamic VLAN Address
- Configuring Source NAT for VLAN Interfaces
- Inter-VLAN Routing
- Configuring Static Routes
- Configuring the Loopback IP Address
- Configuring the Controller IP Address
- Configuring GRE Tunnels
- RF Plan
- Supported Planning
- Before You Begin
- Launching the RF Plan
- Using the FQLN Mapper in the AP Provision Page
- RF Plan Example
- Sample Building
- Create a Building
- Model the Access Points
- Model the Air Monitors
- Add and Edit a Floor
- Adding the background image and naming the first floor
- Adding the background image and naming the second floor
- Defining Areas
- Creating a Don’t Care Area
- Creating a Don’t Deploy Area
- Running the AP Plan
- Running the AM Plan
- Access Points
- Remote AP vs Campus AP
- Basic Configuration
- AP Names and Groups
- Virtual APs
- Configuring Profiles
- Profile Hierarchy
- Virtual AP Configurations
- Configuring High-throughput on Virtual APs
- Advanced Configuration Options
- Automatic Channel and Transmit Power Selection Using ARM
- APs Over Low-Speed Links
- AP Redundancy
- AP Maintenance Mode
- Managing AP LEDs
- Adaptive Radio Management (ARM)
- Remote Access Points
- Overview
- Configuring the Secure Remote Access Point Service
- Deploying a Branch Office/Home Office Solution
- Enabling Double Encryption
- Advanced Configuration Options
- Understanding Remote AP Modes of Operation
- Fallback Mode
- Configuring the fallback mode
- Configuring the DHCP Server on the Remote AP
- Advanced Backup Configuration Options
- DNS Controller Setting
- Backup Controller List
- Remote AP Failback
- RAP Local Network Access
- Remote AP Authorization Profiles
- Access Control Lists and Firewall Policies
- Split Tunneling
- Configuring the Session ACL
- Configuring ACL for restricted LD homepage access
- Configuring the AAA Profile and the Virtual AP Profile
- Wi-Fi Multimedia
- Uplink Bandwidth Reservation
- Secure Enterprise Mesh
- Mesh Access Points
- Mesh Links
- Mesh Profiles
- Mesh Solutions
- Before You Begin
- Mesh Radio Profiles
- RF Management (802.11a and 802.11g) Profiles
- Mesh High-Throughput SSID Profiles
- Mesh Cluster Profiles
- Ethernet Ports for Mesh
- Provisioning Mesh Nodes
- AP Boot Sequence
- Verifying the Network
- Remote Mesh Portals
- Authentication Servers
- Important Points to Remember
- Servers and Server Groups
- Configuring Servers
- Internal Database
- Server Groups
- Assigning Server Groups
- Configuring Authentication Timers
- 802.1x Authentication
- Overview of 802.1x Authentication
- Configuring 802.1x Authentication
- Example Configurations
- Authentication with an 802.1x RADIUS Server
- Configuring Roles and Policies
- Configuring the RADIUS Authentication Server
- Configure 802.1x Authentication
- Configure VLANs
- Configuring the WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Authentication with the Controller’s Internal Database
- Configuring the Internal Database
- Configure 802.1x Authentication
- Configure VLANs
- Configuring the WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Advanced Configuration Options for 802.1x
- Roles and Policies
- Stateful and WISPr Authentication
- Captive Portal
- Captive Portal Overview
- Captive Portal in the Base ArubaOS
- Captive Portal with the PEFNG License
- Example Authentication with Captive Portal
- Creating a Guest-logon User Role
- Creating an Auth-guest User Role
- Configure Policies and Roles via the WebUI
- Time Range
- Auth-Guest-Access Policy
- Block-Internal-Access Policy
- Drop-and-Log Policy
- Guest-logon Role
- Guest-Logon Role
- Configure Policies and Roles via the CLI
- Time Range
- Create Aliases
- Guest-Logon-Access Policy
- Auth-Guest-Access Policy
- Block-Internal-Access Policy
- Drop-and-Log Policy
- Guest-Logon Role
- Auth-Guest Role
- Guest VLANs
- Captive Portal Authentication
- Optional Captive Portal Configurations
- Personalizing the Captive Portal Page
- Securing Client Traffic
- Securing Controller-to-Controller Communication
- Configuring the Odyssey Client on Client Machines
- Advanced Security
- Virtual Intranet Access
- VIA
- Configuring the VIA Controller
- VPN Configuration
- Remote Access VPN for L2TP IPsec
- Remote Access VPNs for XAuth
- Remote Access VPN for PPTP
- Site-to-Site VPNs
- Dell Dialer
- Virtual Private Networks
- MAC-based Authentication
- Control Plane Security
- Control Plane Security Overview
- Configuring Control Plane Security
- Whitelists on Master and Local Controllers
- Environments with Multiple Master Controllers
- Replacing a Controller on a Multi-Controller Network
- Troubleshooting Control Plane Security
- Adding Local Controllers
- IP Mobility
- VRRP
- RSTP
- W-600 Series Controller
- OSPFv2
- Wireless Intrusion Prevention
- IDS Features
- IDS Configuration
- WLAN Management System
- Client Blacklisting
- Link Aggregation Control Protocol
- Management Access
- Certificate Authentication for WebUI Access
- Public Key Authentication for SSH Access
- Radius Server Authentication
- Radius Server Username/Password Authentication
- RADIUS Server Authentication with VSA
- RADIUS Server Authentication with Server-Derivation Rule
- Disabling Authentication of Local Management User Accounts
- Verifying the configuration
- Resetting the Admin or Enable Password
- Setting an Administrator Session Timeout
- Management Password Policy
- Managed RFprotect Sensors
- Managing Certificates
- Configuring SNMP
- Configuring Logging
- Guest Provisioning
- Managing Files on the Controller
- Setting the System Clock
- Software Licenses
- IPv6 Client Support
- Voice and Video
- License Requirements
- Configuring Voice
- Configuring Video
- QoS
- External Services Interface
- Understanding ESI
- Understanding the ESI Syslog Parser
- ESI Configuration Overview
- Configuring Health-Check Method, Groups, and Servers
- Defining the ESI Server
- Defining the ESI Server Group
- Redirection Policies and User Role
- ESI Syslog Parser Domains and Rules
- Managing Syslog Parser Domains in the WebUI
- Managing Syslog Parser Domains in the CLI
- Managing Syslog Parser Rules
- Monitoring Syslog Parser Statistics
- Example Route-mode ESI Topology
- ESI server configuration on controller
- IP routing configuration on Fortinet gateway
- Configuring the Example Routed ESI Topology
- Health-Check Method, Groups, and Servers
- Defining the Ping Health-Check Method
- Defining the ESI Server
- Defining the ESI Server Group
- Redirection Policies and User Role
- Syslog Parser Domain and Rules
- Example NAT-mode ESI Topology
- Basic Regular Expression Syntax
- DHCP with Vendor-Specific Options
- External Firewall Configuration
- Behavior and Defaults
- 802.1x Configuration for IAS and Windows Clients
- Internal Captive Portal
- VIA End User Instructions
- Provisioning RAP at Home
- Index
120 | Access Points Dell PowerConnect ArubaOS 5.0 | [User Guide
Allowed band The band(s) on which to use the virtual AP:
z a—802.11a band only (5 GHz).
z g—802.11b/g band only (2.4 GHz).
z all—both 802.11a and 802.11b/g bands (5 GHz and 2.4 GHz). This is the default setting.
VLAN The VLAN(s) into which users are placed in order to obtain an IP address. Click the drop-down list
to select a configured VLAN, the click the arrow button to associate that VLAN with the virtual AP
profile.
Forward mode This parameter controls whether data is tunneled to the controller using generic routing
encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs), or a combination
thereof depending on the destination (corporate traffic goes to the controller, and Internet access
remains local). All forwarding modes support band steering, TSPEC/TCLAS enforcement, 802.11k
and station blacklisting.
Click the drop-down list to select one of the following forward modes:
z Tunnel: The AP handles all 802.11 association requests and responses, but sends all 802.11
data packets, action frames and EAPOL frames over a GRE tunnel to the controller for
processing. The controller removes or adds the GRE headers, decrypts or encrypts 802.11
frames and applies firewall rules to the user traffic as usual. Both remote and campus APs can
be configured in tunnel mode.
z Bridge: 802.11 frames are bridged into the local Ethernet LAN. When a remote AP or campus
AP is in bridge mode, the AP (and not the controller) handles all 802.11 association requests
and responses, encryption/decryption processes, and firewall enforcement. The 802.11e and
802.11k action frames are also processed by the AP, which then sends out responses as
needed.
An AP in bridge mode does not support captive portal authentication. Both remote and campus
APs can be configured in bridge mode. Note that you must enable the control plane security
feature on the controller before you configure campus APs in bridge mode.
z Split-Tunnel: 802.11 frames are either tunneled or bridged, depending on the destination
(corporate traffic goes to the controller, and Internet access remains local).
A remote AP in split-tunnel forwarding mode handles all 802.11 association requests and
responses, encryption/decryption, and firewall enforcement. the 802.11e and 802.11k action
frames are also processed by the remote AP, which then sends out responses as needed.
z Decrypt-Tunnel: Both remote and campus APs can be configured in decrypt-tunnel mode.
When an AP uses decrypt-tunnel forwarding mode, that AP decrypts and de-capsulates all
802.11 frames from a client and sends the 802.3 frames through the GRE tunnel to the controller,
which then applies firewall policies to the user traffic.
When the controller sends traffic to a client, the controller sends 802.3 traffic through the GRE
tunnel to the AP, which then converts it to encrypted 802.11 and forwards to the client. This
forwarding mode allows a network to utilize the encryption/decryption capacity of the AP while
reducing the demand for processing resources on the controller.
APs in decrypt-tunnel forwarding mode also manage all 802.11 association requests and
responses, and process all 802.11e and 802.11k action frames. APs using decrypt-tunnel mode
do have some limitations that not present for APs in regular tunnel forwarding mode.
You must enable the control plane security feature on the controller before you configure
campus APs in decrypt-tunnel forward mode. High-throughput APs in decrypt-tunnel mode do
not support de-aggregation of MAC Service Data Units (A-MSDUs).
NOTE: Virtual APs in bridge or split-tunnel mode using static WEP should use key slots 2-4 on the
controller. Key slot 1 should only be used with Virtual APs in tunnel mode.
Deny time range Click the drop-down list and select a configured time range for which the AP will deny access. If
you have not yet configured a time range, navigate to Configuration > Security > Access Control >
Time Ranges to define a time range before configuring this setting in the virtual AP profile.
Mobile IP Enables or disables IP mobility for this virtual AP.
Default: Enabled
HA Discovery
on-association
If enabled, all clients of a virtual AP will receive mobility service on association.
Default: Disabled
DoS Prevention If enabled, APs ignore deauthentication frames from clients. This prevents a successful deauth
attack from being carried out against the AP. This does not affect third-party APs. Default: Disabled
Table 27 Virtual AP Profile Parameters
Parameter Description