Users Guide
Table Of Contents
- Dell PowerConnect ArubaOS 5.0
- Contents
- About this Guide
- The Basic User-Centric Networks
- Configuring the User-Centric Network
- Deployment and Configuration Tasks
- Configuring the Controller
- Configuring a VLAN for Network Connection
- Deploying APs
- Additional Configuration
- Network Parameters
- Configuring VLANs
- Configuring Ports
- About VLAN Assignments
- Assigning a Static Address to a VLAN
- Using CLI
- Configuring a VLAN to Receive a Dynamic Address
- Enabling the DHCP Client
- Enabling the PPPoE Client
- Default Gateway from DHCP/PPPoE
- Configuring DNS/WINS Server from DHPC/PPPoE
- Using the WebUI
- Configuring Source NAT to Dynamic VLAN Address
- Configuring Source NAT for VLAN Interfaces
- Inter-VLAN Routing
- Configuring Static Routes
- Configuring the Loopback IP Address
- Configuring the Controller IP Address
- Configuring GRE Tunnels
- RF Plan
- Supported Planning
- Before You Begin
- Launching the RF Plan
- Using the FQLN Mapper in the AP Provision Page
- RF Plan Example
- Sample Building
- Create a Building
- Model the Access Points
- Model the Air Monitors
- Add and Edit a Floor
- Adding the background image and naming the first floor
- Adding the background image and naming the second floor
- Defining Areas
- Creating a Don’t Care Area
- Creating a Don’t Deploy Area
- Running the AP Plan
- Running the AM Plan
- Access Points
- Remote AP vs Campus AP
- Basic Configuration
- AP Names and Groups
- Virtual APs
- Configuring Profiles
- Profile Hierarchy
- Virtual AP Configurations
- Configuring High-throughput on Virtual APs
- Advanced Configuration Options
- Automatic Channel and Transmit Power Selection Using ARM
- APs Over Low-Speed Links
- AP Redundancy
- AP Maintenance Mode
- Managing AP LEDs
- Adaptive Radio Management (ARM)
- Remote Access Points
- Overview
- Configuring the Secure Remote Access Point Service
- Deploying a Branch Office/Home Office Solution
- Enabling Double Encryption
- Advanced Configuration Options
- Understanding Remote AP Modes of Operation
- Fallback Mode
- Configuring the fallback mode
- Configuring the DHCP Server on the Remote AP
- Advanced Backup Configuration Options
- DNS Controller Setting
- Backup Controller List
- Remote AP Failback
- RAP Local Network Access
- Remote AP Authorization Profiles
- Access Control Lists and Firewall Policies
- Split Tunneling
- Configuring the Session ACL
- Configuring ACL for restricted LD homepage access
- Configuring the AAA Profile and the Virtual AP Profile
- Wi-Fi Multimedia
- Uplink Bandwidth Reservation
- Secure Enterprise Mesh
- Mesh Access Points
- Mesh Links
- Mesh Profiles
- Mesh Solutions
- Before You Begin
- Mesh Radio Profiles
- RF Management (802.11a and 802.11g) Profiles
- Mesh High-Throughput SSID Profiles
- Mesh Cluster Profiles
- Ethernet Ports for Mesh
- Provisioning Mesh Nodes
- AP Boot Sequence
- Verifying the Network
- Remote Mesh Portals
- Authentication Servers
- Important Points to Remember
- Servers and Server Groups
- Configuring Servers
- Internal Database
- Server Groups
- Assigning Server Groups
- Configuring Authentication Timers
- 802.1x Authentication
- Overview of 802.1x Authentication
- Configuring 802.1x Authentication
- Example Configurations
- Authentication with an 802.1x RADIUS Server
- Configuring Roles and Policies
- Configuring the RADIUS Authentication Server
- Configure 802.1x Authentication
- Configure VLANs
- Configuring the WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Authentication with the Controller’s Internal Database
- Configuring the Internal Database
- Configure 802.1x Authentication
- Configure VLANs
- Configuring the WLANs
- Configuring the Guest WLAN
- Configuring the Non-Guest WLANs
- Advanced Configuration Options for 802.1x
- Roles and Policies
- Stateful and WISPr Authentication
- Captive Portal
- Captive Portal Overview
- Captive Portal in the Base ArubaOS
- Captive Portal with the PEFNG License
- Example Authentication with Captive Portal
- Creating a Guest-logon User Role
- Creating an Auth-guest User Role
- Configure Policies and Roles via the WebUI
- Time Range
- Auth-Guest-Access Policy
- Block-Internal-Access Policy
- Drop-and-Log Policy
- Guest-logon Role
- Guest-Logon Role
- Configure Policies and Roles via the CLI
- Time Range
- Create Aliases
- Guest-Logon-Access Policy
- Auth-Guest-Access Policy
- Block-Internal-Access Policy
- Drop-and-Log Policy
- Guest-Logon Role
- Auth-Guest Role
- Guest VLANs
- Captive Portal Authentication
- Optional Captive Portal Configurations
- Personalizing the Captive Portal Page
- Securing Client Traffic
- Securing Controller-to-Controller Communication
- Configuring the Odyssey Client on Client Machines
- Advanced Security
- Virtual Intranet Access
- VIA
- Configuring the VIA Controller
- VPN Configuration
- Remote Access VPN for L2TP IPsec
- Remote Access VPNs for XAuth
- Remote Access VPN for PPTP
- Site-to-Site VPNs
- Dell Dialer
- Virtual Private Networks
- MAC-based Authentication
- Control Plane Security
- Control Plane Security Overview
- Configuring Control Plane Security
- Whitelists on Master and Local Controllers
- Environments with Multiple Master Controllers
- Replacing a Controller on a Multi-Controller Network
- Troubleshooting Control Plane Security
- Adding Local Controllers
- IP Mobility
- VRRP
- RSTP
- W-600 Series Controller
- OSPFv2
- Wireless Intrusion Prevention
- IDS Features
- IDS Configuration
- WLAN Management System
- Client Blacklisting
- Link Aggregation Control Protocol
- Management Access
- Certificate Authentication for WebUI Access
- Public Key Authentication for SSH Access
- Radius Server Authentication
- Radius Server Username/Password Authentication
- RADIUS Server Authentication with VSA
- RADIUS Server Authentication with Server-Derivation Rule
- Disabling Authentication of Local Management User Accounts
- Verifying the configuration
- Resetting the Admin or Enable Password
- Setting an Administrator Session Timeout
- Management Password Policy
- Managed RFprotect Sensors
- Managing Certificates
- Configuring SNMP
- Configuring Logging
- Guest Provisioning
- Managing Files on the Controller
- Setting the System Clock
- Software Licenses
- IPv6 Client Support
- Voice and Video
- License Requirements
- Configuring Voice
- Configuring Video
- QoS
- External Services Interface
- Understanding ESI
- Understanding the ESI Syslog Parser
- ESI Configuration Overview
- Configuring Health-Check Method, Groups, and Servers
- Defining the ESI Server
- Defining the ESI Server Group
- Redirection Policies and User Role
- ESI Syslog Parser Domains and Rules
- Managing Syslog Parser Domains in the WebUI
- Managing Syslog Parser Domains in the CLI
- Managing Syslog Parser Rules
- Monitoring Syslog Parser Statistics
- Example Route-mode ESI Topology
- ESI server configuration on controller
- IP routing configuration on Fortinet gateway
- Configuring the Example Routed ESI Topology
- Health-Check Method, Groups, and Servers
- Defining the Ping Health-Check Method
- Defining the ESI Server
- Defining the ESI Server Group
- Redirection Policies and User Role
- Syslog Parser Domain and Rules
- Example NAT-mode ESI Topology
- Basic Regular Expression Syntax
- DHCP with Vendor-Specific Options
- External Firewall Configuration
- Behavior and Defaults
- 802.1x Configuration for IAS and Windows Clients
- Internal Captive Portal
- VIA End User Instructions
- Provisioning RAP at Home
- Index
194 | Secure Enterprise Mesh Dell PowerConnect ArubaOS 5.0 | [User Guide
Each ARM-enabled mesh portal monitors defined thresholds for interference, noise, errors, rogue APs and radar
settings, then calculates interference and coverage values and selects the best channel for its radio band(s). The
mesh portal communicates its channel selection to its mesh points via Channel Switch Announcements (CSAs),
and the mesh points will change their channel to match their mesh portal. Although channel settings can still be
defined for a mesh point via that mesh point's 802.11a and 802.11g radio profiles, these settings will be overridden
by any channel changes from the mesh portal.
A mesh point will take the same channel setting as its mesh portal, regardless of its associated clients. If you want
to manually assign channels to mesh portals or mesh points, disable the ARM profile associated with the 802.11a
or 802.11g radio profile by setting the ARM profile’s assignment parameter to disable.
The ARM power adjustment feature does not apply to all ARM-enabled Mesh portals. Indoor mesh portals can
take advantage of this feature to adjust power settings according to their ARM profiles, but outdoor mesh portals
will continue to run at their configured power level to maximize their range. It is also important to note that mesh
points, unlike mesh portals, do not scan channels. This means that once a mesh point has selected a mesh portal
or an upstream mesh point, it will tune to this channel, form the link, and will not scan again unless the mesh link
gets broken. This provides good mesh link stability, but may adversely affect system throughput in networks with
mesh portals and mesh points.
When ARM assigns optimal channels to mesh portals, those portals use different channels, and once the mesh
network has formed and all the mesh points have selected a portal (or upstream mesh point), those mesh points
will not be able to detect other portals on other channels that could offer better throughput. This type of
suboptimal mesh network may form if, for example, two or three mesh points select the same mesh portal after
booting, form the mesh network, and leave a nearby mesh portal without any mesh points. Again, this will not
affect mesh functionality, but may affect total system throughput. For details about associating an ARM profile
with a mesh AP, see “Assigning an ARM Profile” on page 208.
High-Throughput Profiles
Each 802.11a and 802.11g radio profile also references a high-throughput profile that manages an AP or AP
group’s 40Mhz tolerance settings. For information about referencing a high-throughput profile, see “Assigning a
High-throughput Profile” on page 207.
Mesh High-Throughput SSID Profile
High-throughput APs support additional settings not available in legacy APs. A mesh high-throughput SSID
profile can enable or disable high-throughput (802.11n) features and 40 Mhz channel usage, and define values for
aggregated MAC protocol data units (MDPUs) and Modulation and Coding Scheme (MCS) ranges.
Dell provides a “default” version of the mesh high-throughput SSID profile. You can use the “default” version or
create a new instance of a profile which you can then edit as you need. High-throughput Mesh nodes operating in
different cluster profiles can share the same high-throughput SSID radio profile. For information about
configuring mesh high-throughput SSID profiles, see “Mesh High-Throughput SSID Profiles” on page 211.
Wired AP Profile
The wired AP profile controls the configuration of the Ethernet port(s) on your AP. You can use the wired AP
profile to configure Ethernet ports for bridging or secure jack operation using the wired AP profile. For details, see
“Ethernet Ports for Mesh” on page219
Mesh Recovery Profile
In addition to the “default” and user-defined mesh cluster profiles, mesh nodes also have a recovery profile. The
master controller dynamically generates a recovery profile, and each mesh node provisioned by the same master
controller has the same recovery profile. The recovery profile is based on a pre-shared key (PSK), and mesh nodes
use the recovery profile to establish a link to the controller if the mesh link is broken and no other mesh cluster
profiles are available.