Users Guide

ManualsBrandsDell ManualsTVs & monitorsW-620

281

282

283

284

285

286

287

288

289

290

Table Of Contents

Dell PowerConnect ArubaOS 5.0
Contents
About this Guide
- Audience
- Fundamentals
  - WebUI
  - CLI
- Related Documents
- Conventions
- Contacting Support
The Basic User-Centric Networks
- Configuring the User-Centric Network
- Deployment and Configuration Tasks
- Configuring the Controller
  - Running the Initial Setup
  - Connecting to the Controller after Initial Setup
- Configuring a VLAN for Network Connection
- Deploying APs
- Additional Configuration
Network Parameters
- Configuring VLANs
  - Creating and Updating VLANs
  - Creating, Updating and Deleting VLAN Pools
- Configuring Ports
- About VLAN Assignments
- Configuring Static Routes
  - Using the WebUI
  - Using CLI
- Configuring the Loopback IP Address
- Configuring the Controller IP Address
  - Using CLI
- Configuring GRE Tunnels
  - Creating a Tunnel Interface
    - Using the WebUI
    - Using CLI
  - Directing Traffic into the Tunnel
RF Plan
- Supported Planning
- Before You Begin
  - Task Overview
  - Planning Requirements
- Launching the RF Plan
- Using the FQLN Mapper in the AP Provision Page
  - Using the WebUI
  - Using CLI
- RF Plan Example
Access Points
- Remote AP vs Campus AP
- Basic Configuration
- AP Names and Groups
- Virtual APs
- Configuring Profiles
- Profile Hierarchy
  - Applying Profiles
    - Excluding a virtual AP profile from an AP in the WebUI
    - Excluding a virtual AP profile from an AP in the CLI
  - Viewing Profile Errors
- Virtual AP Configurations
- Configuring High-throughput on Virtual APs
- Advanced Configuration Options
- Automatic Channel and Transmit Power Selection Using ARM
- APs Over Low-Speed Links
  - Best Practices
- AP Redundancy
  - AP failback
    - Configuring in the WebUI
    - Configuring in the CLI
- AP Maintenance Mode
  - Configuring in the WebUI
  - Configuring in the CLI
- Managing AP LEDs
Adaptive Radio Management (ARM)
- ARM Overview
  - ARM Support for 802.11n
  - Monitoring Your Network with ARM
    - Noise and Error Monitoring
    - Application Awareness
- ARM Profiles
- Assigning an ARM Profile to an AP Group
  - Assigning a Profile via the WebUI
  - Assigning a Profile via the CLI
- Multi-Band ARM and 802.11a/802.11g Traffic
- Band Steering
  - Enabling Band Steering via the WebUI
  - Enabling Band Steering via the CLI
- Traffic Shaping
  - Enabling Traffic Shaping via the WebUI
- Spectrum Load Balancing
- RX Sensitivity Tuning Based Channel Reuse
- Non-802.11 Noise Interference Immunity
- ARM Metrics
- ARM Troubleshooting
Remote Access Points
- Overview
- Configuring the Secure Remote Access Point Service
- Deploying a Branch Office/Home Office Solution
  - Configuring the branch office AP
  - Troubleshooting Remote AP
- Enabling Double Encryption
  - Using the WebUI
  - Using CLI
- Advanced Configuration Options
- Wi-Fi Multimedia
- Uplink Bandwidth Reservation
  - Bandwidth Reservation for Uplink Voice Traffic
  - Configuring Bandwidth Reservation
    - Using the WebUI
    - Using CLI
Secure Enterprise Mesh
- Mesh Access Points
- Mesh Links
  - Link Metrics
  - Optimizing Links
- Mesh Profiles
- Mesh Solutions
- Before You Begin
- Mesh Radio Profiles
  - Managing Mesh Profiles via the WebUI
  - Managing Mesh Profiles using the CLI
- RF Management (802.11a and 802.11g) Profiles
  - Managing 802.11a/802.11g Profiles Via the WebUI
  - Managing 802.11a/802.11g Profiles using the CLI
- Mesh High-Throughput SSID Profiles
  - Managing Profiles via the WebUI
  - Managing high-throughput SSID profiles using the CLI
- Mesh Cluster Profiles
- Ethernet Ports for Mesh
- Provisioning Mesh Nodes
- AP Boot Sequence
- Verifying the Network
- Remote Mesh Portals
Authentication Servers
- Important Points to Remember
- Servers and Server Groups
- Configuring Servers
- Internal Database
- Server Groups
- Assigning Server Groups
- Configuring Authentication Timers
  - Setting an Authentication Timer
    - In the WebUI
    - In the CLI
802.1x Authentication
- Overview of 802.1x Authentication
- Configuring 802.1x Authentication
- Example Configurations
- Advanced Configuration Options for 802.1x
  - Configuring reauthentication with Unicast Key Rotation
    - Using the WebUI
    - Using the CLI
Roles and Policies
- Policies
- User Roles
  - Creating a User Role
    - In the WebUI
    - In the CLI
  - Bandwidth Contracts
- User Role Assignments
- Global Firewall Parameters
Stateful and WISPr Authentication
- Stateful Authentication Overview
- WISPr Authentication Overview
- Important Points to Remember
- Stateful 802.1x Authentication
  - Configure Authentication via the WebUI
  - Configure Authentication via the CLI
- Stateful NTLM Authentication
  - Configure Authentication via the WebUI
  - Configure Authentication via the CLI
- Configuring WISPr Authentication
  - Configure WISPr Authentication via the WebUI
  - Configure WISPr Authentication via the CLI
Captive Portal
- Captive Portal Overview
  - Policy Enforcement Firewall Next Generation (PEFNG) License
  - Controller Server Certificate
- Captive Portal in the Base ArubaOS
  - Configuring Captive Portal via the WebUI
  - Configuring Captive Portal via the CLI
- Captive Portal with the PEFNG License
  - Configuring Captive Portal via the WebUI
  - Configuring Captive Portal via the CLI
- Example Authentication with Captive Portal
- Guest VLANs
  - Configuring the guest VLAN via the WebUI
  - Configuring the guest VLAN via the CLI
- Captive Portal Authentication
- Optional Captive Portal Configurations
- Personalizing the Captive Portal Page
- Securing Client Traffic
- Securing Controller-to-Controller Communication
  - Configuring Controllers for xSec
    - In the WebUI
    - In the CLI
- Configuring the Odyssey Client on Client Machines
  - Installing the Odyssey Client
Advanced Security
Virtual Intranet Access
- VIA
- Configuring the VIA Controller
- VPN Configuration
  - VPN authentication
  - Supported VPN AAA Deployments
- Remote Access VPN for L2TP IPsec
- Remote Access VPNs for XAuth
- Remote Access VPN for PPTP
  - Configuring a VPN with PPTP via the WebUI
  - Configuring a VPN with PPTP via the CLI
- Site-to-Site VPNs
- Dell Dialer
Virtual Private Networks
- Configuring MAC-Based Authentication
  - Configuring the MAC Authentication Profile
    - Using the WebUI to configure a MAC authentication profile
    - Using the CLI to configure a MAC authentication profile
- Configuring Clients
  - Using the WebUI to configure clients in the internal database
  - Using the CLI to configure clients in the internal database
MAC-based Authentication
Control Plane Security
- Control Plane Security Overview
- Configuring Control Plane Security
- Whitelists on Master and Local Controllers
  - Campus AP Whitelist Synchronization
  - Viewing and Managing the Master or Local controller Whitelists
- Environments with Multiple Master Controllers
  - Configuring Networks with a Backup Master Controller
  - Configuring Networks with Clusters of Master Controllers
- Replacing a Controller on a Multi-Controller Network
  - Replacing Controllers in a Single Master Network
  - Replacing Controllers in a Multi-Master Network
- Troubleshooting Control Plane Security
Adding Local Controllers
- Moving to a Multi-Controller Environment
- Configuring Local Controllers
IP Mobility
- Dell Mobility Architecture
- Configuring Mobility Domains
- Tracking Mobile Users
- Advanced Mobility Functions
- Mobility Multicast
  - Proxy IGMP and Proxy Remote Subscription
  - Inter-controller Mobility
VRRP
- Redundancy Parameters
RSTP
- Migration and Interoperability
- Rapid Convergence
  - Edge Port and Point-to-Point
- Configuring RSTP
- Troubleshooting
W-600 Series Controller
- Important Points to Remember
- Internal Access Point (AP)
- USB Cellular Modems
- Configuring a Supported USB Modem
- Configuring a New USB Modem
- NAS (Network-Attached Storage)
- Print Server
  - Printer Setup
- Sample Topology and Configuration
OSPFv2
- Important Points to Remember
- WLAN Scenario
  - WLAN Topology
  - WLAN Routing Table
- Branch Office Scenario
  - Branch Office Topology
  - Branch Office Routing Table
- Configuring OSPF
- Deployment Best Practices
- Sample Topology and Configuration
Wireless Intrusion Prevention
- IDS Features
- IDS Configuration
- WLAN Management System
- Client Blacklisting
Link Aggregation Control Protocol
- Important Points to Remember
- Configuring LACP
  - In the CLI
  - In the WebUI
- Best Practices
- Sample Configuration
Management Access
- Certificate Authentication for WebUI Access
  - Configuring Certificate Authentication for WebUI Access
    - In the WebUI
    - In the CLI
- Public Key Authentication for SSH Access
  - In the WebUI
  - In the CLI
- Radius Server Authentication
- Management Password Policy
  - Defining a Management Password Policy
    - In the WebUI
- Managed RFprotect Sensors
- Managing Certificates
- Configuring SNMP
  - SNMP Parameters for the Controller
    - In the WebUI
    - In the CLI
- Configuring Logging
  - In the WebUI
  - In the CLI
- Guest Provisioning
- Managing Files on the Controller
- Setting the System Clock
  - Manually Setting the Clock
    - In the WebUI
    - In the CLI
  - Configuring an NTP Server
    - In the WebUI
    - In the CLI
Software Licenses
- Terminology
- Licenses
  - License Types
- Multi-Controller Network
- License Usage
- Interaction
- Best Practices
- Installing a License
- Deleting a License
- Moving Licenses
- Resetting the Controller
IPv6 Client Support
- About IPv6
- Support for IPv6
  - Supported Network Configuration
  - Network Connection for Windows IPv6 Clients
- Features that Support IPv6
- IPv6 User Addresses
  - Viewing or Deleting User Entries
  - Viewing Datapath Statistics for IPv6 Sessions
- Important Points to Remember
Voice and Video
- License Requirements
- Configuring Voice
- Configuring Video
- QoS
External Services Interface
- Understanding ESI
- Understanding the ESI Syslog Parser
- ESI Configuration Overview
- Example Route-mode ESI Topology
- Example NAT-mode ESI Topology
- Basic Regular Expression Syntax
DHCP with Vendor-Specific Options
- Overview
- Windows-Based DHCP Server
  - Configuring Option 60
    - To configure option 60 on the Windows DHCP server
  - Configuring Option 43
    - To configure option 43 on the Windows DHCP server:
- Linux DHCP Servers
External Firewall Configuration
- Communication Between Dell Devices
- Network Management Access
- Other Communications
Behavior and Defaults
- Mode Support
- Basic System Defaults
- Default Management User Roles
- Default Open Ports
802.1x Configuration for IAS and Windows Clients
- Configuring Microsoft IAS
- Configure Management Authentication using IAS
  - Configure the Controller to use IAS Management Authentication
  - Verify Communication between the Controller and the RADIUS Server
- Window XP Wireless Client Example Configuration
Internal Captive Portal
- Creating a New Internal Web Page
  - Basic HTML Example
- Installing a New Captive Portal Page
- Displaying Authentication Error Message
- Reverting to the Default Captive Portal
- Language Customization
- Customizing the Welcome Page
- Customizing the Pop-Up box
- Customizing the Logged Out Box
VIA End User Instructions
- Pre-requisites
- Downloading VIA
- Installing VIA
- Using VIA
Provisioning RAP at Home
- Provision the RAP using a Static IP Address
- Provision the RAP on a PPPoE Connection
- Using 3G/EVDO USB Modem
Index

Dell PowerConnect ArubaOS 5.0 | User Guide Roles and Policies | 289

In the CLI

To configure the default user role for MAC or 802.1x authentication:

aaa profile <profile>

mac-default-role <role>

dot1x-default-role <role>

To configure the default user role for other authentication methods:

aaa authentication captive-portal <profile>

default-role <role>

aaa authentication stateful-dot1x

default-role <role>

aaa authentication stateful-ntlm

default-role <role>

aaa authentication vpn

default-role <role>

Server-Derived Role

If the client is authenticated via an authentication server, the user role for the client can be based on one or more

attributes returned by the server during authentication. You configure the user role to be derived by specifying

condition rules; when a condition is met, the specified user role is assigned to the client. You can specify more

than one condition rule; the order of rules is important as the first matching condition is applied. You can also

define server rules based on client attributes such as ESSID, BSSID, or MAC address, even though these

attributes are not returned by the server.

For information about configuring a server-derived role, see “Configuring Server-Derivation Rules” on page244.

VSA-Derived Role

Many Network Address Server (NAS) vendors, including Dell, use VSAs to provide features not supported in

standard RADIUS attributes. For Dell systems, VSAs can be employed to provide the user role and VLAN for

RADIUS-authenticated clients, however the VSAs must be present on your RADIUS server. This involves

defining the vendor (Dell) and/or the vendor-specific code (14823), vendor-assigned attribute number, attribute

format (such as string or integer), and attribute value in the RADIUS dictionary file. VSAs supported on

controllers conform to the format recommended in RFC 2865, “Remote Authentication Dial In User Service

(RADIUS)”.

Dictionary files that contain Dell VSAs are available on the Dell support website for various RADIUS servers. Log

into the Dell support website to download a dictionary file from the Tools folder.

Global Firewall Parameters

Table 58 describes optional firewall parameters you can set on the controller for IPv4 traffic. To set these options

in the WebUI, navigate to the Configuration > Advanced Services > Stateful Firewall > Global Setting page

and select or enter values in the IPv4 column. To set these options in the CLI, use the firewall configuration

commands.

See Chapter 28, “IPv6 Client Support” for information about configuring firewall parameters for IPv6 traffic.

Table 58 IPv4 Firewall Parameters

Parameter Description

Monitor Ping Attack Number of ICMP pings per second, which if exceeded, can indicate a denial of service

attack. Valid range is 1-255 pings per second. Recommended value is 4.

Default: No default