Users Guide

ManualsBrandsDell ManualsTVs & monitorsW-620

281

282

283

284

285

286

287

288

289

290

Table Of Contents

Dell PowerConnect ArubaOS 5.0
Contents
About this Guide
- Audience
- Fundamentals
  - WebUI
  - CLI
- Related Documents
- Conventions
- Contacting Support
The Basic User-Centric Networks
- Configuring the User-Centric Network
- Deployment and Configuration Tasks
- Configuring the Controller
  - Running the Initial Setup
  - Connecting to the Controller after Initial Setup
- Configuring a VLAN for Network Connection
- Deploying APs
- Additional Configuration
Network Parameters
- Configuring VLANs
  - Creating and Updating VLANs
  - Creating, Updating and Deleting VLAN Pools
- Configuring Ports
- About VLAN Assignments
- Configuring Static Routes
  - Using the WebUI
  - Using CLI
- Configuring the Loopback IP Address
- Configuring the Controller IP Address
  - Using CLI
- Configuring GRE Tunnels
  - Creating a Tunnel Interface
    - Using the WebUI
    - Using CLI
  - Directing Traffic into the Tunnel
RF Plan
- Supported Planning
- Before You Begin
  - Task Overview
  - Planning Requirements
- Launching the RF Plan
- Using the FQLN Mapper in the AP Provision Page
  - Using the WebUI
  - Using CLI
- RF Plan Example
Access Points
- Remote AP vs Campus AP
- Basic Configuration
- AP Names and Groups
- Virtual APs
- Configuring Profiles
- Profile Hierarchy
  - Applying Profiles
    - Excluding a virtual AP profile from an AP in the WebUI
    - Excluding a virtual AP profile from an AP in the CLI
  - Viewing Profile Errors
- Virtual AP Configurations
- Configuring High-throughput on Virtual APs
- Advanced Configuration Options
- Automatic Channel and Transmit Power Selection Using ARM
- APs Over Low-Speed Links
  - Best Practices
- AP Redundancy
  - AP failback
    - Configuring in the WebUI
    - Configuring in the CLI
- AP Maintenance Mode
  - Configuring in the WebUI
  - Configuring in the CLI
- Managing AP LEDs
Adaptive Radio Management (ARM)
- ARM Overview
  - ARM Support for 802.11n
  - Monitoring Your Network with ARM
    - Noise and Error Monitoring
    - Application Awareness
- ARM Profiles
- Assigning an ARM Profile to an AP Group
  - Assigning a Profile via the WebUI
  - Assigning a Profile via the CLI
- Multi-Band ARM and 802.11a/802.11g Traffic
- Band Steering
  - Enabling Band Steering via the WebUI
  - Enabling Band Steering via the CLI
- Traffic Shaping
  - Enabling Traffic Shaping via the WebUI
- Spectrum Load Balancing
- RX Sensitivity Tuning Based Channel Reuse
- Non-802.11 Noise Interference Immunity
- ARM Metrics
- ARM Troubleshooting
Remote Access Points
- Overview
- Configuring the Secure Remote Access Point Service
- Deploying a Branch Office/Home Office Solution
  - Configuring the branch office AP
  - Troubleshooting Remote AP
- Enabling Double Encryption
  - Using the WebUI
  - Using CLI
- Advanced Configuration Options
- Wi-Fi Multimedia
- Uplink Bandwidth Reservation
  - Bandwidth Reservation for Uplink Voice Traffic
  - Configuring Bandwidth Reservation
    - Using the WebUI
    - Using CLI
Secure Enterprise Mesh
- Mesh Access Points
- Mesh Links
  - Link Metrics
  - Optimizing Links
- Mesh Profiles
- Mesh Solutions
- Before You Begin
- Mesh Radio Profiles
  - Managing Mesh Profiles via the WebUI
  - Managing Mesh Profiles using the CLI
- RF Management (802.11a and 802.11g) Profiles
  - Managing 802.11a/802.11g Profiles Via the WebUI
  - Managing 802.11a/802.11g Profiles using the CLI
- Mesh High-Throughput SSID Profiles
  - Managing Profiles via the WebUI
  - Managing high-throughput SSID profiles using the CLI
- Mesh Cluster Profiles
- Ethernet Ports for Mesh
- Provisioning Mesh Nodes
- AP Boot Sequence
- Verifying the Network
- Remote Mesh Portals
Authentication Servers
- Important Points to Remember
- Servers and Server Groups
- Configuring Servers
- Internal Database
- Server Groups
- Assigning Server Groups
- Configuring Authentication Timers
  - Setting an Authentication Timer
    - In the WebUI
    - In the CLI
802.1x Authentication
- Overview of 802.1x Authentication
- Configuring 802.1x Authentication
- Example Configurations
- Advanced Configuration Options for 802.1x
  - Configuring reauthentication with Unicast Key Rotation
    - Using the WebUI
    - Using the CLI
Roles and Policies
- Policies
- User Roles
  - Creating a User Role
    - In the WebUI
    - In the CLI
  - Bandwidth Contracts
- User Role Assignments
- Global Firewall Parameters
Stateful and WISPr Authentication
- Stateful Authentication Overview
- WISPr Authentication Overview
- Important Points to Remember
- Stateful 802.1x Authentication
  - Configure Authentication via the WebUI
  - Configure Authentication via the CLI
- Stateful NTLM Authentication
  - Configure Authentication via the WebUI
  - Configure Authentication via the CLI
- Configuring WISPr Authentication
  - Configure WISPr Authentication via the WebUI
  - Configure WISPr Authentication via the CLI
Captive Portal
- Captive Portal Overview
  - Policy Enforcement Firewall Next Generation (PEFNG) License
  - Controller Server Certificate
- Captive Portal in the Base ArubaOS
  - Configuring Captive Portal via the WebUI
  - Configuring Captive Portal via the CLI
- Captive Portal with the PEFNG License
  - Configuring Captive Portal via the WebUI
  - Configuring Captive Portal via the CLI
- Example Authentication with Captive Portal
- Guest VLANs
  - Configuring the guest VLAN via the WebUI
  - Configuring the guest VLAN via the CLI
- Captive Portal Authentication
- Optional Captive Portal Configurations
- Personalizing the Captive Portal Page
- Securing Client Traffic
- Securing Controller-to-Controller Communication
  - Configuring Controllers for xSec
    - In the WebUI
    - In the CLI
- Configuring the Odyssey Client on Client Machines
  - Installing the Odyssey Client
Advanced Security
Virtual Intranet Access
- VIA
- Configuring the VIA Controller
- VPN Configuration
  - VPN authentication
  - Supported VPN AAA Deployments
- Remote Access VPN for L2TP IPsec
- Remote Access VPNs for XAuth
- Remote Access VPN for PPTP
  - Configuring a VPN with PPTP via the WebUI
  - Configuring a VPN with PPTP via the CLI
- Site-to-Site VPNs
- Dell Dialer
Virtual Private Networks
- Configuring MAC-Based Authentication
  - Configuring the MAC Authentication Profile
    - Using the WebUI to configure a MAC authentication profile
    - Using the CLI to configure a MAC authentication profile
- Configuring Clients
  - Using the WebUI to configure clients in the internal database
  - Using the CLI to configure clients in the internal database
MAC-based Authentication
Control Plane Security
- Control Plane Security Overview
- Configuring Control Plane Security
- Whitelists on Master and Local Controllers
  - Campus AP Whitelist Synchronization
  - Viewing and Managing the Master or Local controller Whitelists
- Environments with Multiple Master Controllers
  - Configuring Networks with a Backup Master Controller
  - Configuring Networks with Clusters of Master Controllers
- Replacing a Controller on a Multi-Controller Network
  - Replacing Controllers in a Single Master Network
  - Replacing Controllers in a Multi-Master Network
- Troubleshooting Control Plane Security
Adding Local Controllers
- Moving to a Multi-Controller Environment
- Configuring Local Controllers
IP Mobility
- Dell Mobility Architecture
- Configuring Mobility Domains
- Tracking Mobile Users
- Advanced Mobility Functions
- Mobility Multicast
  - Proxy IGMP and Proxy Remote Subscription
  - Inter-controller Mobility
VRRP
- Redundancy Parameters
RSTP
- Migration and Interoperability
- Rapid Convergence
  - Edge Port and Point-to-Point
- Configuring RSTP
- Troubleshooting
W-600 Series Controller
- Important Points to Remember
- Internal Access Point (AP)
- USB Cellular Modems
- Configuring a Supported USB Modem
- Configuring a New USB Modem
- NAS (Network-Attached Storage)
- Print Server
  - Printer Setup
- Sample Topology and Configuration
OSPFv2
- Important Points to Remember
- WLAN Scenario
  - WLAN Topology
  - WLAN Routing Table
- Branch Office Scenario
  - Branch Office Topology
  - Branch Office Routing Table
- Configuring OSPF
- Deployment Best Practices
- Sample Topology and Configuration
Wireless Intrusion Prevention
- IDS Features
- IDS Configuration
- WLAN Management System
- Client Blacklisting
Link Aggregation Control Protocol
- Important Points to Remember
- Configuring LACP
  - In the CLI
  - In the WebUI
- Best Practices
- Sample Configuration
Management Access
- Certificate Authentication for WebUI Access
  - Configuring Certificate Authentication for WebUI Access
    - In the WebUI
    - In the CLI
- Public Key Authentication for SSH Access
  - In the WebUI
  - In the CLI
- Radius Server Authentication
- Management Password Policy
  - Defining a Management Password Policy
    - In the WebUI
- Managed RFprotect Sensors
- Managing Certificates
- Configuring SNMP
  - SNMP Parameters for the Controller
    - In the WebUI
    - In the CLI
- Configuring Logging
  - In the WebUI
  - In the CLI
- Guest Provisioning
- Managing Files on the Controller
- Setting the System Clock
  - Manually Setting the Clock
    - In the WebUI
    - In the CLI
  - Configuring an NTP Server
    - In the WebUI
    - In the CLI
Software Licenses
- Terminology
- Licenses
  - License Types
- Multi-Controller Network
- License Usage
- Interaction
- Best Practices
- Installing a License
- Deleting a License
- Moving Licenses
- Resetting the Controller
IPv6 Client Support
- About IPv6
- Support for IPv6
  - Supported Network Configuration
  - Network Connection for Windows IPv6 Clients
- Features that Support IPv6
- IPv6 User Addresses
  - Viewing or Deleting User Entries
  - Viewing Datapath Statistics for IPv6 Sessions
- Important Points to Remember
Voice and Video
- License Requirements
- Configuring Voice
- Configuring Video
- QoS
External Services Interface
- Understanding ESI
- Understanding the ESI Syslog Parser
- ESI Configuration Overview
- Example Route-mode ESI Topology
- Example NAT-mode ESI Topology
- Basic Regular Expression Syntax
DHCP with Vendor-Specific Options
- Overview
- Windows-Based DHCP Server
  - Configuring Option 60
    - To configure option 60 on the Windows DHCP server
  - Configuring Option 43
    - To configure option 43 on the Windows DHCP server:
- Linux DHCP Servers
External Firewall Configuration
- Communication Between Dell Devices
- Network Management Access
- Other Communications
Behavior and Defaults
- Mode Support
- Basic System Defaults
- Default Management User Roles
- Default Open Ports
802.1x Configuration for IAS and Windows Clients
- Configuring Microsoft IAS
- Configure Management Authentication using IAS
  - Configure the Controller to use IAS Management Authentication
  - Verify Communication between the Controller and the RADIUS Server
- Window XP Wireless Client Example Configuration
Internal Captive Portal
- Creating a New Internal Web Page
  - Basic HTML Example
- Installing a New Captive Portal Page
- Displaying Authentication Error Message
- Reverting to the Default Captive Portal
- Language Customization
- Customizing the Welcome Page
- Customizing the Pop-Up box
- Customizing the Logged Out Box
VIA End User Instructions
- Pre-requisites
- Downloading VIA
- Installing VIA
- Using VIA
Provisioning RAP at Home
- Provision the RAP using a Static IP Address
- Provision the RAP on a PPPoE Connection
- Using 3G/EVDO USB Modem
Index

286 | Roles and Policies Dell PowerConnect ArubaOS 5.0 | [User Guide

1. Navigate to the Configuration > Security > Access Control > User Roles page.

2. Select Edit for the web-guest user role.

3. In the Bandwidth Contract section, click the Upstream drop-down list and select Add New. The New

Bandwidth Contract fields appear.

a. In the Name field, enter BC512_up.

b. In the Bandwidth field, enter 512.

c. Click the Bandwidth drop-down list and select kbps.

d. Click Done to add the new contract and assign it to the role. The New Bandwidth Contract section closes.

4. In the Bandwidth Contract section, select the Per User checkbox.

5. Scroll to the bottom of the page, and click Apply.

Configuring and Assigning Bandwidth Contracts in the CLI

aaa bandwidth-contract BC512_up kbps 512

user-role web-guest

bw-contract BC512_up per-user upstream

User Role Assignments

A client is assigned a user role by one of several methods. A user role assigned by one method may take

precedence over a user role assigned by a different method. The methods of assigning user roles are, from lowest

to highest precedence:

1. The initial user role for unauthenticated clients is configured in the AAA profile for a virtual AP (see Chapter

4, “Access Points” ).

2. The user role can be derived from user attributes upon the client’s association with an AP (this is known as a

user-derived role). You can configure rules that assign a user role to clients that match a certain set of criteria.

For example, you can configure a rule to assign the role “VoIP-Phone” to any client that has a MAC address

that starts with bytes xx:yy:zz. User-derivation rules are executed before client authentication.

3. The user role can be the default user role configured for an authentication method, such as 802.1x or VPN.

For each authentication method, you can configure a default role for clients who are successfully

authenticated using that method.

4. The user role can be derived from attributes returned by the authentication server and certain client attributes

(this is known as a server-derived role). If the client is authenticated via an authentication server, the user role

for the client can be based on one or more attributes returned by the server during authentication, or on client

attributes such as SSID (even if the attribute is not returned by the server). Server-derivation rules are

executed after client authentication.

5. The user role can be derived from Dell Vendor-Specific Attributes (VSA) for RADIUS server authentication.

A role derived from an Dell VSA takes precedence over any other user roles.

The following sections describe the methods of assigning user roles.

User Role in AAA Profile

An AAA profile defines the user role for unauthenticated clients (initial role) as well as the default user role for

MAC and 802.1x authentication. To conconfigure user roles in the AAA profile:

In the WebUI

1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.

2. Select the “default” profile or a user-defined AAA profile.

3. Click the Initial Role drop-down list, and select the desired user role for unauthenticated users.