Users Guide

ManualsBrandsDell ManualsTVs & monitorsW-620

371

372

373

374

375

376

377

378

379

380

Table Of Contents

Dell PowerConnect ArubaOS 5.0
Contents
About this Guide
- Audience
- Fundamentals
  - WebUI
  - CLI
- Related Documents
- Conventions
- Contacting Support
The Basic User-Centric Networks
- Configuring the User-Centric Network
- Deployment and Configuration Tasks
- Configuring the Controller
  - Running the Initial Setup
  - Connecting to the Controller after Initial Setup
- Configuring a VLAN for Network Connection
- Deploying APs
- Additional Configuration
Network Parameters
- Configuring VLANs
  - Creating and Updating VLANs
  - Creating, Updating and Deleting VLAN Pools
- Configuring Ports
- About VLAN Assignments
- Configuring Static Routes
  - Using the WebUI
  - Using CLI
- Configuring the Loopback IP Address
- Configuring the Controller IP Address
  - Using CLI
- Configuring GRE Tunnels
  - Creating a Tunnel Interface
    - Using the WebUI
    - Using CLI
  - Directing Traffic into the Tunnel
RF Plan
- Supported Planning
- Before You Begin
  - Task Overview
  - Planning Requirements
- Launching the RF Plan
- Using the FQLN Mapper in the AP Provision Page
  - Using the WebUI
  - Using CLI
- RF Plan Example
Access Points
- Remote AP vs Campus AP
- Basic Configuration
- AP Names and Groups
- Virtual APs
- Configuring Profiles
- Profile Hierarchy
  - Applying Profiles
    - Excluding a virtual AP profile from an AP in the WebUI
    - Excluding a virtual AP profile from an AP in the CLI
  - Viewing Profile Errors
- Virtual AP Configurations
- Configuring High-throughput on Virtual APs
- Advanced Configuration Options
- Automatic Channel and Transmit Power Selection Using ARM
- APs Over Low-Speed Links
  - Best Practices
- AP Redundancy
  - AP failback
    - Configuring in the WebUI
    - Configuring in the CLI
- AP Maintenance Mode
  - Configuring in the WebUI
  - Configuring in the CLI
- Managing AP LEDs
Adaptive Radio Management (ARM)
- ARM Overview
  - ARM Support for 802.11n
  - Monitoring Your Network with ARM
    - Noise and Error Monitoring
    - Application Awareness
- ARM Profiles
- Assigning an ARM Profile to an AP Group
  - Assigning a Profile via the WebUI
  - Assigning a Profile via the CLI
- Multi-Band ARM and 802.11a/802.11g Traffic
- Band Steering
  - Enabling Band Steering via the WebUI
  - Enabling Band Steering via the CLI
- Traffic Shaping
  - Enabling Traffic Shaping via the WebUI
- Spectrum Load Balancing
- RX Sensitivity Tuning Based Channel Reuse
- Non-802.11 Noise Interference Immunity
- ARM Metrics
- ARM Troubleshooting
Remote Access Points
- Overview
- Configuring the Secure Remote Access Point Service
- Deploying a Branch Office/Home Office Solution
  - Configuring the branch office AP
  - Troubleshooting Remote AP
- Enabling Double Encryption
  - Using the WebUI
  - Using CLI
- Advanced Configuration Options
- Wi-Fi Multimedia
- Uplink Bandwidth Reservation
  - Bandwidth Reservation for Uplink Voice Traffic
  - Configuring Bandwidth Reservation
    - Using the WebUI
    - Using CLI
Secure Enterprise Mesh
- Mesh Access Points
- Mesh Links
  - Link Metrics
  - Optimizing Links
- Mesh Profiles
- Mesh Solutions
- Before You Begin
- Mesh Radio Profiles
  - Managing Mesh Profiles via the WebUI
  - Managing Mesh Profiles using the CLI
- RF Management (802.11a and 802.11g) Profiles
  - Managing 802.11a/802.11g Profiles Via the WebUI
  - Managing 802.11a/802.11g Profiles using the CLI
- Mesh High-Throughput SSID Profiles
  - Managing Profiles via the WebUI
  - Managing high-throughput SSID profiles using the CLI
- Mesh Cluster Profiles
- Ethernet Ports for Mesh
- Provisioning Mesh Nodes
- AP Boot Sequence
- Verifying the Network
- Remote Mesh Portals
Authentication Servers
- Important Points to Remember
- Servers and Server Groups
- Configuring Servers
- Internal Database
- Server Groups
- Assigning Server Groups
- Configuring Authentication Timers
  - Setting an Authentication Timer
    - In the WebUI
    - In the CLI
802.1x Authentication
- Overview of 802.1x Authentication
- Configuring 802.1x Authentication
- Example Configurations
- Advanced Configuration Options for 802.1x
  - Configuring reauthentication with Unicast Key Rotation
    - Using the WebUI
    - Using the CLI
Roles and Policies
- Policies
- User Roles
  - Creating a User Role
    - In the WebUI
    - In the CLI
  - Bandwidth Contracts
- User Role Assignments
- Global Firewall Parameters
Stateful and WISPr Authentication
- Stateful Authentication Overview
- WISPr Authentication Overview
- Important Points to Remember
- Stateful 802.1x Authentication
  - Configure Authentication via the WebUI
  - Configure Authentication via the CLI
- Stateful NTLM Authentication
  - Configure Authentication via the WebUI
  - Configure Authentication via the CLI
- Configuring WISPr Authentication
  - Configure WISPr Authentication via the WebUI
  - Configure WISPr Authentication via the CLI
Captive Portal
- Captive Portal Overview
  - Policy Enforcement Firewall Next Generation (PEFNG) License
  - Controller Server Certificate
- Captive Portal in the Base ArubaOS
  - Configuring Captive Portal via the WebUI
  - Configuring Captive Portal via the CLI
- Captive Portal with the PEFNG License
  - Configuring Captive Portal via the WebUI
  - Configuring Captive Portal via the CLI
- Example Authentication with Captive Portal
- Guest VLANs
  - Configuring the guest VLAN via the WebUI
  - Configuring the guest VLAN via the CLI
- Captive Portal Authentication
- Optional Captive Portal Configurations
- Personalizing the Captive Portal Page
- Securing Client Traffic
- Securing Controller-to-Controller Communication
  - Configuring Controllers for xSec
    - In the WebUI
    - In the CLI
- Configuring the Odyssey Client on Client Machines
  - Installing the Odyssey Client
Advanced Security
Virtual Intranet Access
- VIA
- Configuring the VIA Controller
- VPN Configuration
  - VPN authentication
  - Supported VPN AAA Deployments
- Remote Access VPN for L2TP IPsec
- Remote Access VPNs for XAuth
- Remote Access VPN for PPTP
  - Configuring a VPN with PPTP via the WebUI
  - Configuring a VPN with PPTP via the CLI
- Site-to-Site VPNs
- Dell Dialer
Virtual Private Networks
- Configuring MAC-Based Authentication
  - Configuring the MAC Authentication Profile
    - Using the WebUI to configure a MAC authentication profile
    - Using the CLI to configure a MAC authentication profile
- Configuring Clients
  - Using the WebUI to configure clients in the internal database
  - Using the CLI to configure clients in the internal database
MAC-based Authentication
Control Plane Security
- Control Plane Security Overview
- Configuring Control Plane Security
- Whitelists on Master and Local Controllers
  - Campus AP Whitelist Synchronization
  - Viewing and Managing the Master or Local controller Whitelists
- Environments with Multiple Master Controllers
  - Configuring Networks with a Backup Master Controller
  - Configuring Networks with Clusters of Master Controllers
- Replacing a Controller on a Multi-Controller Network
  - Replacing Controllers in a Single Master Network
  - Replacing Controllers in a Multi-Master Network
- Troubleshooting Control Plane Security
Adding Local Controllers
- Moving to a Multi-Controller Environment
- Configuring Local Controllers
IP Mobility
- Dell Mobility Architecture
- Configuring Mobility Domains
- Tracking Mobile Users
- Advanced Mobility Functions
- Mobility Multicast
  - Proxy IGMP and Proxy Remote Subscription
  - Inter-controller Mobility
VRRP
- Redundancy Parameters
RSTP
- Migration and Interoperability
- Rapid Convergence
  - Edge Port and Point-to-Point
- Configuring RSTP
- Troubleshooting
W-600 Series Controller
- Important Points to Remember
- Internal Access Point (AP)
- USB Cellular Modems
- Configuring a Supported USB Modem
- Configuring a New USB Modem
- NAS (Network-Attached Storage)
- Print Server
  - Printer Setup
- Sample Topology and Configuration
OSPFv2
- Important Points to Remember
- WLAN Scenario
  - WLAN Topology
  - WLAN Routing Table
- Branch Office Scenario
  - Branch Office Topology
  - Branch Office Routing Table
- Configuring OSPF
- Deployment Best Practices
- Sample Topology and Configuration
Wireless Intrusion Prevention
- IDS Features
- IDS Configuration
- WLAN Management System
- Client Blacklisting
Link Aggregation Control Protocol
- Important Points to Remember
- Configuring LACP
  - In the CLI
  - In the WebUI
- Best Practices
- Sample Configuration
Management Access
- Certificate Authentication for WebUI Access
  - Configuring Certificate Authentication for WebUI Access
    - In the WebUI
    - In the CLI
- Public Key Authentication for SSH Access
  - In the WebUI
  - In the CLI
- Radius Server Authentication
- Management Password Policy
  - Defining a Management Password Policy
    - In the WebUI
- Managed RFprotect Sensors
- Managing Certificates
- Configuring SNMP
  - SNMP Parameters for the Controller
    - In the WebUI
    - In the CLI
- Configuring Logging
  - In the WebUI
  - In the CLI
- Guest Provisioning
- Managing Files on the Controller
- Setting the System Clock
  - Manually Setting the Clock
    - In the WebUI
    - In the CLI
  - Configuring an NTP Server
    - In the WebUI
    - In the CLI
Software Licenses
- Terminology
- Licenses
  - License Types
- Multi-Controller Network
- License Usage
- Interaction
- Best Practices
- Installing a License
- Deleting a License
- Moving Licenses
- Resetting the Controller
IPv6 Client Support
- About IPv6
- Support for IPv6
  - Supported Network Configuration
  - Network Connection for Windows IPv6 Clients
- Features that Support IPv6
- IPv6 User Addresses
  - Viewing or Deleting User Entries
  - Viewing Datapath Statistics for IPv6 Sessions
- Important Points to Remember
Voice and Video
- License Requirements
- Configuring Voice
- Configuring Video
- QoS
External Services Interface
- Understanding ESI
- Understanding the ESI Syslog Parser
- ESI Configuration Overview
- Example Route-mode ESI Topology
- Example NAT-mode ESI Topology
- Basic Regular Expression Syntax
DHCP with Vendor-Specific Options
- Overview
- Windows-Based DHCP Server
  - Configuring Option 60
    - To configure option 60 on the Windows DHCP server
  - Configuring Option 43
    - To configure option 43 on the Windows DHCP server:
- Linux DHCP Servers
External Firewall Configuration
- Communication Between Dell Devices
- Network Management Access
- Other Communications
Behavior and Defaults
- Mode Support
- Basic System Defaults
- Default Management User Roles
- Default Open Ports
802.1x Configuration for IAS and Windows Clients
- Configuring Microsoft IAS
- Configure Management Authentication using IAS
  - Configure the Controller to use IAS Management Authentication
  - Verify Communication between the Controller and the RADIUS Server
- Window XP Wireless Client Example Configuration
Internal Captive Portal
- Creating a New Internal Web Page
  - Basic HTML Example
- Installing a New Captive Portal Page
- Displaying Authentication Error Message
- Reverting to the Default Captive Portal
- Language Customization
- Customizing the Welcome Page
- Customizing the Pop-Up box
- Customizing the Logged Out Box
VIA End User Instructions
- Pre-requisites
- Downloading VIA
- Installing VIA
- Using VIA
Provisioning RAP at Home
- Provision the RAP using a Static IP Address
- Provision the RAP on a PPPoE Connection
- Using 3G/EVDO USB Modem
Index

Dell PowerConnect ArubaOS 5.0 | User Guide Control Plane Security | 375

the controller has a valid certificate, the output of the command should appear similar to the output in the

example below.

If the controller displays the following output, it may have a corrupted or missing TPM and factory certificates.

Contact Dell technical support.

Configuring Settings via the WebUI

1. Access the WebUI of a standalone or master controller, and navigate to Configuration>Controller.

2. Select the Control Plane Security tab.

3. Configure the following control plane security parameters.

Table 69 Control Plane Security Parameters

Parameter Description

Control Plane Security Select Enable to enable the control plane security feature. This feature is disabled by default.

When control plane security is enabled, any APs on the network that do not have a valid

certificate will not be able to communicate with the controller on a clear channel, except to

obtain a certificate.

NOTE: If you plan on manually adding entries into the AP whitelist, do not enable control plane

security until after the completed whitelist has been synchronized to all controllers on the

network.

Auto Cert Provisioning When the control plane security feature is enabled, you can select this checkbox to turn on

automatic certificate provisioning. When this feature is enabled, the controller will attempt to

send certificates to all associated campus APs. Auto certificate provisioning is disabled by

default.

NOTE: If you do not want to enable automatic certificate provisioning the first time you enable

control plane security on the controller, you must identify the valid APs on your network by

adding those to the campus AP whitelist. For details, see “Viewing and Managing the Master

or Local controller Whitelists” on page382.

After you have enabled automatic certificate provisioning, you must select either Auto Cert

Allow all or Addresses Allowed for Auto Cert.

Auto Cert Allow All After you enable both control plane security and auto certificate provisioning, select Auto

Cert Allow All to allow all associated campus APs to receive automatic certificate

provisioning. This parameter is enabled by default.

Addresses Allowed for Auto

Cert

If your controller has a publicly accessible interface, you should identify the campus APs by

IP address range. This will prevent the controller from sending certificates to external or

rogue campus APs that may attempt to access your controller through that interface.

After you have enabled both control plane security and auto certificate provisioning, select

Addresses Allowed for Auto Cert to send certificates to a group of campus APs within a range

of IP addresses. In the two fields below, enter the start and end IP addresses, then click Add.

Repeat this procedure to add additional IP ranges to the list of allowed addresses. If both

control plane security and auto certificate provisioning is enabled, all campus APs in the

address list will receive automatic certificate provisioning.

Remove a range IP addresses from the list of allowed addresses by selecting the IP address

range from the list and clicking Delete.

(host) # show tpm cert-info

subject= /CN=AC1234567::00:0b:86:11:22:33

issuer= /DC=com/DC=arubanetworks/DC=ca3/CN=DEVICE-CA3

serial=5147D5BC00000000000C

notBefore=Aug 29 22:16:12 2009 GMT

notAfter=Aug 18 22:16:12 2029 GMT

(host) # show tpm cert-info

Cannot get TPM and Factory Certificate Info.

TPM and/or Factory Certificates might be missing.