Dell PowerConnect ArubaOS 5.0 User Guide
Copyright © 2010 Aruba Networks, Inc. AirWave®, Aruba Networks®, Aruba Mobility Management System®, and other registered marks are trademarks of Aruba Networks, Inc. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. Any other trademarks appearing in this manual are the property of their respective companies.
Contents

About this Guide ... 37
Audience ... 37
Fundamentals ... 37
WebUI

Additional Configuration ... 53
Chapter 2 Network Parameters ... 55
Configuring VLANs ... 55
Creating and Updating VLANs

Using the WebUI ... 66
Using CLI ... 66
Using the CLI to reboot the controller ... 66
Configuring the Controller IP Address

RF Plan Example ... 95
Sample Building ... 95
Create a Building ... 96
Model the Access Points

Guest WLAN ... 123
Configuring the VLAN ... 123
In the WebUI ... 123
In the CLI

Noise and Error Monitoring ... 140
Application Awareness ... 140
ARM Profiles ... 140
Creating a New ARM Profile

Remote AP Summary ... 164
Remote AP Connectivity ... 166
Remote AP Diagnostics ... 166
Enabling Double Encryption

Using CLI ... 187
Chapter 7 Secure Enterprise Mesh ... 189
Mesh Access Points ... 189
Mesh Portals

Creating a Profile ... 211
Assigning a Profile to an AP Group ... 212
Editing a Profile ... 212
Deleting a Profile

Configuring a RADIUS Server ... 232
In the WebUI ... 233
In the CLI ... 233
RADIUS Server Authentication Codes

In the CLI ... 249
TACACS+ Accounting ... 249
Configuring Authentication Timers ... 249
Setting an Authentication Timer

Configuring the WLANs ... 275
Configuring the Guest WLAN ... 275
Using the WebUI ... 275
Using the CLI

Configuring WISPr Authentication ... 296
Configure WISPr Authentication via the WebUI ... 296
Configure WISPr Authentication via the CLI ... 297
Chapter 12 Captive Portal

In the WebUI ... 326
In the CLI ... 327
Securing Wireless Clients Through Non-Dell APs ... 327
In the WebUI

Example Configurations for Remote Access Clients ... 351
Configuring a VPN for Smart Card Clients via the WebUI ... 351
Configuring a VPN for Smart Card Clients via the CLI ... 353
VPNs for L2TP/IPsec Clients with Passwords ... 353
Configure the L2TP/IPsec VPN via the WebUI

Control Plane Security Overview ... 373
Configuring Control Plane Security ... 374
Verifying Certificates ... 374
Configuring Settings via the WebUI

Configuring APs ... 396
Using the WebUI to configure the LMS IP ... 396
Using the CLI to configure the LMS IP ... 397
Chapter 19 IP Mobility

Rapid Convergence ... 421
Edge Port and Point-to-Point ... 422
Configuring RSTP ... 422
In the WebUI

Remote Branch 2 ... 458
W-3200 Central Office Controller—Active ... 459
W-3200 Central Office Controller—Backup ... 461
Chapter 24 Wireless Intrusion Prevention

Client Blacklisting ... 484
Methods of Blacklisting ... 484
Manual Blacklisting ... 485
Authentication Failure Blacklisting

Obtaining a Server Certificate ... 504
In the WebUI ... 504
In the CLI ... 505
Obtaining a Client Certificate

Licenses ... 528
License Types ... 528
Multi-Controller Network ... 529
License Usage

Dial Plan Format ... 553
Configuring Dial Plans ... 554
Voice over Remote Access Point ... 556
Configuring Video

Editing an existing syslog parser domain ... 579
Managing Syslog Parser Rules ... 580
In the WebUI ... 580
Adding a new parser rule

Appendix A DHCP with Vendor-Specific Options ... 597
Overview ... 597
Windows-Based DHCP Server ... 597
Configuring Option 60

Connection Details Tab ... 640
Diagnostic Tab ... 641
Diagnostics Tools ... 641
Settings Tab
Figures (captions recovered from the list of figures)
- APs Connected to Controller
- Downloading VIA set up file after authentication ... 640
- Show Advanced Settings ... 643
- Provision RAP using Static IP ... 644
- Provision RAP on a PPPoE Connection

Tables (captions recovered from the list of tables)
- Typographical Conventions
- LDAP Server Configuration Parameters
About this Guide

This User Guide describes the features supported by Dell PowerConnect ArubaOS and provides instructions and examples for configuring controllers and Access Points (APs).
Related Documents

The following items are part of the complete documentation for the Dell user-centric network:
- Dell PowerConnect Controller Installation Guides
- Dell PowerConnect Access Point Installation Guides
- Dell PowerConnect ArubaOS Quick Start Guide
- Dell PowerConnect ArubaOS User Guide
- Dell PowerConnect ArubaOS Command Line Reference Guide
- Dell PowerConnect Release Notes

Conventions

The following conventions are used throughout this manual to emphasize important concepts: Table

Contacting Support

Table 3 Web Site Contact
- Main Site: http://www.dell.com
- Support Site: http://www.support.dell.com
- Documentation Site: http://www.support.dell.com/manuals
Chapter 1 The Basic User-Centric Networks

This chapter describes how to connect a Dell controller and Dell APs to your wired network. After completing the tasks described in this chapter, see “Access Points” on page 101 for information on configuring APs.
Deployment Scenario #1: Router is Default Gateway for Controller and Clients

In this deployment scenario, the APs and controller are on the same subnetwork and use IP addresses assigned to that subnetwork. There are no routers between the APs and the controller. APs can be physically connected directly to the controller. The uplink port on the controller is connected to a layer-2 switch or router.

For this scenario, you must perform the following tasks:
1. Run the initial setup wizard.
   - Set the IP address for VLAN 1.
   - Set the default gateway to the IP address of the interface of the upstream router to which you will connect the controller.
2. Connect the uplink port on the controller to the switch or router interface.
3. Deploy APs. The APs will use DNS or DHCP to locate the controller.
4. Configure VLANs for the wireless subnetworks on the controller.
5.
For this scenario, you must perform the following tasks:
1. Run the initial setup.
   - Use the default IP address for VLAN 1. Since VLAN 1 is not used to connect to the layer-2 switch or router through the trunk port, you must configure the appropriate VLAN in a later step.
   - Do not specify a default gateway (use the default “none”). In a later step, you configure the default gateway.
2. Create a VLAN that has the same VLAN ID as the VLAN on the switch or router to which you will connect the controller.
The initial setup might require that you specify the country code for the country in which the controller will operate; this sets the regulatory domain for the radio frequencies that the APs use.

Note: You cannot change the country code on controllers designated for certain countries, such as the U.S. An improper country code assignment can disrupt wireless transmissions. Most countries impose penalties and sanctions on operators of wireless networks whose devices are set to improper country codes.
- Configure the port as a trunk port.
- Configure a default gateway for the controller.

Creating and Updating a VLAN

You can create and update a single VLAN or bulk VLANs using the WebUI or the CLI. See “Creating and Updating VLANs” on page 55.

Note: In the WebUI configuration windows, clicking the Save Configuration button saves configuration changes so they are retained after the controller is rebooted.

Assigning and Configuring the Trunk Port

The following procedure configures a Gigabit Ethernet port as a trunk port.

In the WebUI
1. Navigate to the Configuration > Network > Ports window on the WebUI.
2. In the Port Selection section, click the port that will connect the controller to the network. In this example, click port 25.
3. For Port Mode, select Trunk.
4. For Native VLAN, select VLAN 5 from the scrolling list, then click the <-- arrow.
5. Click Apply.
Note: After you configure or modify a loopback address, you must reboot the controller.

If configured, the loopback address is used as the controller’s IP address. If you do not configure a loopback address for the controller, the IP address assigned to the first configured VLAN interface is used. Generally, VLAN 1 is configured first and is used as the controller’s IP address. ArubaOS allows the loopback address to be part of the IP address space assigned to a VLAN interface.
Installing Licenses

ArubaOS consists of a base operating system with optional software modules that you can activate by installing license keys. If you use the Setup Wizard during the initial setup phase, you will have the opportunity to install software licenses at that time. Refer to Chapter 27, “Software Licenses” on page 527 for detailed information on licenses.

Connecting the Controller to the Network

Connect the ports on the controller to the appropriately configured ports on an L2 switch or router.

Enabling APs to Connect to the Controller

Before you install APs in a network environment, you must ensure that the APs are able to locate and connect to the controller. Specifically, you must ensure the following:
- When connected to the network, each AP is assigned a valid IP address
- APs are able to locate the controller

Dell APs use Trivial File Transfer Protocol (TFTP) during the AP’s initial boot to retrieve their software image and configuration from the controller.

Locating the Controller

An AP can discover the IP address of the controller in the following ways:
- From a DNS server
- From a DHCP server
- Using the Dell Discovery Protocol (ADP)

At boot time, the AP builds a list of controller IP addresses and then tries these addresses in order until a controller is reached successfully. The list of controller addresses is constructed as follows:
1.

Using the Dell Discovery Protocol (ADP)

ADP is enabled by default on all Dell APs and controllers. To use ADP, all APs and controllers must be connected to the same Layer-2 network. If the devices are on different networks, a Layer-3 compatible discovery mechanism, such as DNS, DHCP, or IGMP forwarding, must be used instead. With ADP, APs send out periodic multicast and broadcast queries to locate the master controller.
If the Ethernet port on the controller is an 802.3af Power over Ethernet (PoE) port, the AP automatically uses it to power up. If a PoE port is not available, you must get an AC adapter for the AP from Dell Networks. For more information, see the Installation Guide for the specific AP. Once an AP is connected to the network and powered up, it attempts to locate the master controller using one of the methods described in “Locating the Controller” on page 51.
Chapter 2 Network Parameters

This chapter describes some basic network configuration on the controller.
Create Bulk VLANs using the WebUI
1. To add multiple VLANs at one time, click Add Bulk VLANs.
2. In the VLAN Range pop-up window, enter a range of VLANs you want to create at once. For example, to add VLAN IDs numbered 200-300 and 302-350, enter 200-300, 302-350.
3. Click OK.
4. To add physical ports to a VLAN, click Edit next to the VLAN you want to configure and click the port in the Port Selection section.
5. Click Apply.

3. Click Apply.
4. At the top of the window, click Save Configuration.

Create a VLAN Pool using CLI

The pool option allows you to create a VLAN pool consisting of two or more VLAN IDs.

    (host) #configure terminal
    Enter Configuration commands, one per line. End with CNTL/Z
    (host) (config) #vlan-name mygroup
    (host) (config) #vlan-name mygroup pool
    (host) (config) #

Viewing existing VLAN IDs using CLI

    (host) #configure terminal
    Enter Configuration commands, one per line.
Classifying Traffic as Trusted or Untrusted

You can classify wired traffic based not only on the incoming physical port and channel configuration but also on the VLAN associated with the port and channel.

About Trusted and Untrusted Physical Ports

By default, physical ports on the controller are trusted and are typically connected to internal networks, while untrusted ports connect to third-party APs, public areas, or other networks to which access controls can be applied.

10. To apply a policy to this session’s traffic on this port and VLAN, select the policy from the session drop-down list.
11. Click Apply.

Using CLI

    (host) (config) #interface fastethernet 2/0
    (host) (config-if)#description FE2/
    (host) (config-if)#trusted vlan 1-99,101, 104, 106-199, 201-299
    (host) (config-range)# switchport mode trunk
    (host) (config-if)#switchport trunk native vlan 100
    (host) (config-range)# ip access-group
    (host) (config-range)# ip access-group test session vlan 2

About VLAN Assignments

A client is assigned to a VLAN by one of several methods. There is an order of precedence by which VLANs are assigned.
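The bulk-VLAN dialog and the trusted vlan command above both take comma-separated ID ranges, and any VLAN on a trunk that the trusted list omits is handled as untrusted. The following Python helper is an added example, not code from the guide: it parses that range syntax with the same strictness a controller applies (IDs 1-4094, no reversed ranges), and reports which VLANs on a port fall outside the trusted list so an administrator can confirm each one is meant to be untrusted or carries a session ACL. The allowed-VLAN list for the trunk in the usage block is a constructed assumption; the trusted list is the one from the fastethernet 2/0 example.

```python
import re

# 802.1Q VLAN ID limits; IDs outside this range are rejected.
VLAN_MIN, VLAN_MAX = 1, 4094

# Matches one token: a single ID ("104") or an inclusive range ("106-199").
_TOKEN = re.compile(r"(\d+)(?:-(\d+))?")


def parse_vlan_list(spec):
    """Expand a comma-separated VLAN list such as "1-99,101, 104, 106-199".

    Whitespace around tokens is ignored, as in the guide's CLI example.
    Raises ValueError for malformed tokens, reversed ranges, or IDs
    outside 1-4094, so a typo never silently trusts the wrong VLANs.
    """
    vlans = set()
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            raise ValueError("empty entry in VLAN list %r" % spec)
        m = _TOKEN.fullmatch(token)
        if m is None:
            raise ValueError("malformed VLAN token %r" % token)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if lo > hi:
            raise ValueError("reversed range %r" % token)
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError("VLAN ID outside %d-%d in %r" % (VLAN_MIN, VLAN_MAX, token))
        vlans.update(range(lo, hi + 1))
    return vlans


def validate_vlan_list(spec):
    """Return None if spec is acceptable, otherwise the error message."""
    try:
        parse_vlan_list(spec)
    except ValueError as exc:
        return str(exc)
    return None


def format_vlan_list(vlans):
    """Collapse a set of IDs into the compact "1-3,5,7-8" form the CLI accepts."""
    ids = sorted(vlans)
    parts = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else "%d-%d" % (ids[i], ids[j]))
        i = j + 1
    return ",".join(parts)


def untrusted_vlans(allowed_spec, trusted_spec):
    """VLANs carried on the port (allowed_spec) that the trusted list omits.

    Every VLAN returned is treated as untrusted by the controller and should
    either be covered by a session ACL or be deliberately left untrusted.
    """
    return sorted(parse_vlan_list(allowed_spec) - parse_vlan_list(trusted_spec))


if __name__ == "__main__":
    # Trusted list from the guide's fastethernet 2/0 example; the allowed
    # VLAN list for the trunk is a constructed assumption for this demo.
    trusted = "1-99,101, 104, 106-199, 201-299"
    allowed = "1-299"
    print("bulk VLAN range check:", validate_vlan_list("200-300, 302-350"))
    print("untrusted on trunk:", format_vlan_list(untrusted_vlans(allowed, trusted)))
    print("rejected:", validate_vlan_list("0-5"))
```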
- Dynamically assigned from a Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE) server.

These methods are described in the following section. In a branch office, you can connect a controller to an uplink switch or server that dynamically assigns IP addresses to connected devices. For example, the controller can be connected to a DSL or cable modem, or a broadband remote access server (BRAS).

Using the WebUI
1. Navigate to the Configuration > Network > IP > IP Interfaces page.
2. Click Edit for a previously-created VLAN.
3. Select Obtain an IP address with PPPoE.
4. Enter the service name, username, and password for the PPPoE session.
5. Click Apply.

Using CLI

    ip dhcp pool employee-pool
      default-router 10.1.1.254
      dns-server import
      netbios-name-server import
      network 10.1.1.0 255.255.255.0

Configuring Source NAT to Dynamic VLAN Address

When a VLAN interface obtains an IP address through DHCP or PPPoE, a NAT pool (dynamic-srcnat) and a session ACL (dynamic-session-acl) are automatically created which reference the dynamically-assigned IP addresses.
- If the controller is forwarding the packets at Layer-3, packets that exit the VLAN are given the IP address of the next-hop VLAN for their source IP address.

Example Configuration

In the following example, the controller operates within an enterprise network. VLAN 1 is the outside VLAN. Traffic from VLAN 6 is source NATed using the IP address of the controller. In this example, the IP address assigned to VLAN 1 is used as the controller’s IP address; thus traffic from VLAN 6 would be source NATed to 66.

Figure 4 Default Inter-VLAN Routing (Client A on VLAN 200, Server B on VLAN 300)

You can optionally disable layer-3 traffic forwarding to or from a specified VLAN. When you disable layer-3 forwarding on a VLAN, the following restrictions apply:
- Clients on the restricted VLAN can ping each other, but cannot ping the VLAN interface on the controller. Forwarding of inter-VLAN traffic is blocked.
- IP mobility does not work when a mobile client roams to the restricted VLAN.

Using CLI

    ip route
Configuring the Loopback IP Address

The loopback IP address is a logical IP interface that is used by the controller to communicate with APs. The loopback address is used as the controller’s IP address for terminating VPN and GRE tunnels, originating requests to RADIUS servers, and accepting administrative communications. You configure the loopback address as a host address with a 32-bit netmask. You can set the controller IP address to the loopback interface address or to an existing VLAN ID address. This allows you to force the controller IP address to be a specific VLAN interface or loopback address across multiple machine reboots. Once you configure an interface to be the controller IP address, that interface address cannot be deleted until you remove it from the controller IP configuration.

Creating a Tunnel Interface

To create a GRE tunnel on the controller, you need to specify the following:
- Tunnel ID: this can be a number between 1 and 2147483647.
- IP address and netmask for the tunnel.
- Tunnel source: the local endpoint for the tunnel on the controller. This can be one of the following:
  - Loopback address of the controller
  - A specified IP address
  - A specified VLAN
- Tunnel destination: the IP address of the remote endpoint of the tunnel on the other GRE device.

WebUI
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Click Add to create a new firewall policy, or click Edit to edit a specific policy.
3. Click Add to create a new policy rule.
4. Configure the Source, Destination, and Service for the rule.
5. For Action, select redirect to tunnel. Enter the tunnel ID.
6. Configure any additional options, and click Add.
7. Click Apply.
Chapter 3 RF Plan

RF Plan is a wireless deployment modeling tool that helps you design an efficient Wireless Local Area Network (WLAN) that optimizes coverage and performance, without complicated WLAN network setup. RF Plan provides the following critical functionality:
- Defines WLAN coverage.
- Defines WLAN environment security coverage.
- Assesses equipment requirements.
- Optimizes radio resources.

RF Plan deploys APs outside of the hotspot area based on the 802.11a and/or 802.11b/g rates defined by the system. To define the 802.11a and/or 802.11b/g rates, the system looks at the defined 802.11n rate and the distance covered by that rate; it then selects corresponding 802.11a and/or 802.11b/g rates based on the distance covered.

Before You Begin

Review the following steps to create a building model and plan the WLAN for your model.

Task Overview
1.
Use the worksheets (Table 5, Table 6, and Table 7) to collect your information:

Table 5 Planning Worksheet - Building Dimensions
  Height:
  Width:
  Number of Floors:
  Number of Users:
  Users per AP:
  Radio Types:
  AP Type:
  Overlap Factor:
  802.11a Desired Rate:
  802.11n (HT) Support:
  Use 40 MHz Channel Spacing:
  802.11n Desired Rate:

Table 6 Planning Worksheet - AP Desired Rates (2.4 GHz Radio Properties)
  802.11b/g Desired Rate:
  802.
Note: If 802.11n (HT) support is enabled, the system will automatically define the 802.11a and/or 802.11b/g rate as applicable. For details, see “Radio Properties (Desired Rates and HT Support Options)” on page 80. Launching the RF Plan This section describes how to launch the RF Plan and enter information in RF Plan windows. To launch RF Plan from the WebUI, click the Plan tab in the WebUI menu bar. When you launch the RF Plan, the browser window displays the Campus List page.
Building List Pane Edit a campus from the building list pane. Figure 6 Plan>Building List Pane You can add, edit, and delete buildings using this page. You may also import and export building information. The buttons on this page are defined in Table 9. Table 9 Building List Buttons Buttons Description New Building Use this button to create a new building. When you add or edit a building, you can access other RF Plan pages.
The Overview page includes the following:
• Building Dimensions: Your building’s name and dimensions
• Access Point Modeling Parameters
• Air Monitor Modeling Parameters
• Building Dimension button (in the upper right-hand portion of the page). Click on this button to edit the building dimensions settings.
Table 10 New Building Specifications Parameters (Continued)
  Width and Length: Enter the rectangular exterior dimensions of the building. The valid range for this field is any integer from 1 to a value corresponding to 1x10,000. If your building has an irregular shape, the width and length should represent the maximum width and length of the overall footprint of the building as seen from above.
Table 11 AP Modeling Parameters
  Radio Type: Use this drop-down menu to specify the radio type. See “Radio Type” on page 78.
  AP Type: Dell AP device. Use the drop-down menu to select the device type. The supported APs listed in the drop-down menu are dependent on the selected radio type.
  Design Model: Use the Coverage, Capacity, and Custom radio buttons to specify a design model to use in the placement of APs.
Table 13 Design Model Radio Buttons
  Coverage: Use this option to let RF Plan automatically determine the number of APs based on desired data rates and the configuration of your building. The higher the data rate, the smaller the coverage area, and the more APs that are required. Coverage is the most common type of installation.
  Capacity: Use this option to let RF Plan determine the number of APs based on the total number of users, ratio of users to APs, and desired data rates.
Radio Properties (Desired Rates and HT Support Options)
Define 802.11a, 802.11b/g, and 802.11n settings for the 5 GHz and 2.4 GHz frequency bands, including high-throughput, data rates, and 40 MHz channel spacing.
Table 15 Radio Properties
  802.11a Desired Rate: The desired 802.11a rate defines the estimated transmit rate within the WLAN coverage area. The higher the speed, the smaller the coverage area, and the more APs required.
Table 15 Radio Properties (Continued)
  2.4 GHz Use 40 MHz Channel Spacing: 40 MHz operation, which supports higher data rates by utilizing two 20 MHz channels as a bonded pair, requires that high-throughput be enabled (checked). Due to a limited number of channels on the 2.4 GHz frequency band, 40 MHz mode is most often utilized on the 5 GHz frequency band where a greater number of channels are available. This option is only available when 802.
Design Models
Two radio buttons on the page allow you to specify the model used to determine the number and type of APs.
Table 17 Design Model Radio Buttons
  Coverage: Use this option to let RF Plan automatically determine the number of AMs based on desired monitor rates and the configuration of the building. Desired rate is selectable from 1 to 54 Mbps in the Coverage model.
  Custom: Use this option to specify a fixed number of AMs.
Table 18 Floor Planning Features
  Zoom: Use this drop-down menu or type a zoom factor in the text field to increase or decrease the size of the displayed floor area. See “Zoom” on page 83.
  Approximate Coverage Map (select radio type): Use this drop-down to select a particular radio type for which to show estimated coverage. See “Approximate Coverage Map” on page 83.
  Edit Floor: Click on this link to launch the Floor Editor dialog box. See “Floor Editor Dialog Box” on page 84.
Figure 12 Coverage Map Example
Floor Editor Dialog Box
The Floor Editor dialog box allows you to modify the floor level, specify the background image, and name the floor. The Floor Editor is accessible from the Floors page by clicking on the Edit Floor link.
Figure 13 Floor Editor Dialog Box
Level
When modifying an existing floor, you can configure it with a negative integer to specify a basement or some other underground floor on which you do not need or want to deploy APs.
• Multiple floors: If your building has multiple floors, make sure there is a common anchor point for all floors; for example, an elevator shaft, a staircase, and so on.
• Larger dimensions: Use larger dimensions only for scaling, to calculate the full dimensions more accurately. Final floor images of 2048 x 2048 pixels or smaller perform best.
Select a background image using the Browse button on the Floor Editor dialog box.
Location settings are zero-based. Values range from 0 to (height - 1) and (width - 1). For example, the coordinates of the upper right corner for a building that measures 200 ft. wide x 400 ft. in length would be 199 and 399.
Note: The unit of measurement displayed, either feet or meters, is based on your building settings. See “Building Dimension Page” on page 76 for details about configuring building parameters.
Figure 15 Access Point Editor
Naming
RF Plan automatically names APs using the default convention ap number, where number starts at 1 and increments by one for each new AP. When you manually create an AP, the new AP is assigned the next number and is added to the bottom of the suggested AP list. You may name an AP anything you wish. The name must consist of alphanumeric characters and be 64 characters or less in length.
Fixed
Fixed APs do not move when RF Plan executes the positioning algorithm.
X and Y Coordinates
The physical location of the AP is specified by X-Y coordinates that begin at the lower left corner of the display area. The numbers you specify in the X and Y text boxes are whole units. The Y-coordinate increases as a point moves up the display, and the X-coordinate increases as it moves from left to right across the display.
802.11 Types
The 802.11b/g and 802.11a Type drop-down menus allow you to choose the mode of operation for the AP.
AP Plan Page
The AP Plan page uses the information entered in the modeling pages to locate APs in the building(s) you described. All of the options on the Floors page can also be viewed and configured on the AP Plan page. The AP Plan page also includes some additional options, such as initializing, optimizing, and fixing AP/AM locations.
Figure 16 AP Planning
Initialize
Initialize the algorithm by clicking the Initialize button.
AM Plan Page
The AM Plan page uses the information entered in the modeling pages to locate AMs in the building(s) you described and calculate the optimum placement for the AMs. All of the options on the Floors page can also be viewed and configured on the AM Plan page. The AM Plan page also includes some additional options, such as initializing, optimizing, and fixing AP/AM locations.
Initialize
Initialize the algorithm by clicking Initialize.
Export Campus
To export a file that defines the parameters of one or more campuses, including all of their associated buildings, select the campus(es) to be exported in the Campus List page and then click Export. After you click the Export button, you are prompted to include the background images. When exporting a campus file, Dell recommends that you click OK to export the background images. If you click Cancel, the exported file does not include the background images. The File Download window appears.
Import Buildings Page
You can import only XML files exported from another controller or from the standalone version of RF Plan that runs as a Windows application.
Note: Importing any other file, including XML files from other applications, may produce unpredictable results.
To import a file that defines the parameters of one or more buildings, click the Import button in the Building List page. In the Import Buildings page, click Browse to select the file to be imported, then click the Import button.
To search for deployed APs, enter information in the Search fields and click Search. You can perform a search based on one or more of the following AP properties:
Table 19 AP Property Search
  AP Name: Logical name of the AP or AM. You can enter a portion of the name to widen the search.
  Wired MAC: MAC address of the AP or AM. You can enter a portion of the MAC address to widen the search.
  IP Address: IP address of the AP or AM.
In addition to displaying AP names, wired MAC addresses, serial numbers, IP addresses, FQLNs, and AP status, the Search Result table displays the AP type and when it was last updated. From here you can modify the attributes that create the FQLN for the selected AP, using the following drop-down lists:
• Campus: Displays the campus where the AP is deployed. To deploy the AP in a different campus, select a campus from the drop-down list. The Campus defines the buildings and floors displayed.
3. Modify the FQLN attributes:
• In the Provisioning page, scroll to the FQLN Mapper near the bottom of the page and modify the campus, building, and floor attributes.
• Optionally, if you want to rename an AP, scroll to the AP List at the bottom of the page and enter the new name in the AP Name field. For more information about AP names, see Chapter 4, “Access Points”.
4. Click Apply and Reboot.
Using CLI
Reprovisioning the AP causes it to automatically reboot.
Table 20 Sample Building (Continued)
Building Dimensions
AP Desired Rates (2.4 GHz Radio Properties)
  802.11b/g Desired Rate: 48 Mbps
  802.11n (HT) Support: N/A
  Use 40 MHz Channel Spacing: N/A
  802.11n Desired Rate: N/A
AM Desired Rates
  802.11b|g: 24 Mbps
  802.11a: 24 Mbps
Don’t Care/Don’t Deploy Areas
  Shipping & Receiving = Don’t Care
  Lobby = Don’t Deploy
802.11n Hotspot (Zone) Areas: N/A
Create a Building
In this section you create a building using the information supplied in the planning table.
1.
7. Click Save. A dialog box appears that asks if you want to save and reload this building now, since the building name was changed. Click OK to accept. Another dialog box appears stating that the building was saved successfully. Click OK to close the dialog box.
8. Click Apply. RF Plan returns you to the Overview page.
Model the Access Points
You now determine how many APs are required to cover your building with a specified data transfer rate and overlap. In this example, you use the Coverage Model.
Adding the background image and naming the first floor
1. In the Planning page, click the Edit Floor link at the right of the Floor 1 indicator. The Floor Editor dialog box appears.
2. Enter: Entrance Level in the Name box of the Floor Editor dialog.
3. Use the Browse button to locate the background image for the 1st floor.
4. Click Apply.
Adding the background image and naming the second floor
1. Click the Edit Floor link at the right of the Floor 2 indicator.
2.
Creating a Don’t Deploy Area
1. Click the New link in the Areas section under Floor 1 (named Entrance Level) to open the Area Editor.
2. Enter: Lobby in the Name text box in the Area Editor.
3. Select Don’t Deploy from the Type drop-down menu box.
4. Click Apply. Notice that a yellow box appears near the center of the floor plan.
5. Use your mouse (or other pointing device) to place the cursor over the box. Notice that the information you typed in the editor appears in the box.
Running the AM Plan
Running the AM Plan algorithm is similar to running the AP Plan.
1. From the navigation tree, click AM Plan under the Planning section. The AM Planning page appears.
2. Click Initialize then Optimize. The algorithm stops when the movement is less than a threshold value calculated based on the number of AMs. The threshold value may be seen in the status bar at the bottom of the browser window.
3. Click Save, then OK.
Chapter 4 Access Points
Dell APs receive their configuration from their host controller. At power on, an AP locates its host controller and the AP’s configuration is “pushed” from the controller to the AP. This chapter describes how to configure your controllers so that your APs perform the functions required for your network.
Note: In a network with a master and local controllers, an AP will initially connect to the master controller.
Basic Configuration
You configure APs using the WebUI and the CLI. Table 22 lists the basic configuration functions and features.
Table 22 AP Configuration Function Overview
  Wireless LANs: A wireless LAN (WLAN) permits wireless clients to connect to the network. An AP broadcasts the SSID (which corresponds to a WLAN configured on the controller) to wireless clients. APs support multiple SSIDs.
Note: Renaming an AP requires a reboot of the AP before the new name takes effect. Therefore, if you need to do this, there should be little or no client traffic passing through the AP.
In RF Plan or RF Live, the AP name can be part of a fully-qualified location name (FQLN) in the format APname.floor.building.campus. The APname portion of the FQLN must be unique.
Duplicate Names
You can display the status of APs in your database by executing the show ap database long command.
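The FQLN format and the AP naming rules above (alphanumeric, 64 characters or less, APname unique) can be checked before an AP is reprovisioned. The following is an added example, not code from the guide or from Dell; the sample FQLNs are constructed.

```python
import re
from collections import defaultdict

# AP name rule from the RF Plan "Naming" section: alphanumeric, 64 characters or less.
AP_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")


def parse_fqln(fqln: str) -> dict:
    """Split an FQLN of the form APname.floor.building.campus into its parts.

    Raises ValueError when the FQLN does not have exactly four non-empty,
    dot-separated parts, or when the APname part violates the naming rule."""
    parts = fqln.split(".")
    if len(parts) != 4 or any(p == "" for p in parts):
        raise ValueError(f"FQLN must be APname.floor.building.campus: {fqln!r}")
    ap_name, floor, building, campus = parts
    if not AP_NAME_RE.match(ap_name):
        raise ValueError(f"AP name {ap_name!r} must be alphanumeric, 1-64 characters")
    return {"ap_name": ap_name, "floor": floor, "building": building, "campus": campus}


def is_valid_fqln(fqln: str) -> bool:
    """True when parse_fqln() accepts the FQLN."""
    try:
        parse_fqln(fqln)
        return True
    except ValueError:
        return False


def build_fqln(ap_name: str, floor: str, building: str, campus: str) -> str:
    """Compose an FQLN in the guide's format, validating the result first."""
    fqln = ".".join((ap_name, floor, building, campus))
    parse_fqln(fqln)
    return fqln


def find_duplicate_ap_names(fqlns) -> dict:
    """Return {ap_name: [fqln, ...]} for AP names used by more than one FQLN.

    The guide requires the APname portion of the FQLN to be unique, so every
    entry returned here is a naming conflict to resolve before reprovisioning."""
    by_name = defaultdict(list)
    for fqln in fqlns:
        by_name[parse_fqln(fqln)["ap_name"]].append(fqln)
    return {name: fs for name, fs in by_name.items() if len(fs) > 1}


# Constructed sample: "ap1" is reused on two campuses, which the uniqueness
# rule does not allow even though the full FQLNs differ.
SAMPLE_FQLNS = [
    "ap1.1.building3.toronto",
    "ap2.2.building3.toronto",
    "ap1.1.hq.edmonton",
]

if __name__ == "__main__":
    for name, fs in find_duplicate_ap_names(SAMPLE_FQLNS).items():
        print(f"duplicate AP name {name}: {fs}")
```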
Figure 17 AP Groups (“DEFAULT”, “VICTORIA”, and “TORONTO” AP groups)
NOTE: An AP can belong to only one AP group at a time.
While you can use an AP group to apply a feature to a set of APs, you can also configure a feature or option for a specific AP by referencing the AP’s name. Any options or values that you configure for a specific AP will override the same options or values configured for the AP group to which the AP belongs.
Note: Once the ap-regroup command is executed, the AP automatically reboots. If the AP is powered off or otherwise not connected to the network or controller, the executed command is queued until the AP is powered on or reconnected. Again, the AP will automatically reboot as soon as the command is executed.
Virtual APs
APs advertise WLANs to wireless clients by sending out beacons and probe responses that contain the WLAN’s SSID and supported authentication and data rates.
Wireless LAN Profiles
The Wireless LAN collection of profiles configures WLANs in the form of virtual AP profiles. A virtual AP profile contains an SSID profile which defines the WLAN, the high-throughput SSID profile, and an AAA profile that defines the authentication for the WLAN. Unlike other profile types, you can configure and apply multiple instances of virtual AP profiles to an AP group or to an individual AP.
• 802.11k profile: Manages settings for the 802.11k protocol. The 802.
• XML API server profile: Specifies the IP address of an external XML API server.
• RFC 3576 server: Specifies the IP address of an RFC 3576 RADIUS server.
• MAC authentication profile: Defines parameters for MAC address authentication, including upper- or lower-case MAC string, the delimiter format in the string, and the maximum number of authentication failures before a user is blacklisted.
• AP system profile: Defines administrative options for the controller, including the IP addresses of the local, backup, and master controllers, Real-time Locating Systems (RTLS) server values, and the number of consecutive missed heartbeats on a GRE tunnel before an AP reboots.
• Regulatory domain: Defines the AP’s country code and valid channels for both legacy and high-throughput 802.11a and 802.11b/g radios.
• Wired AP profile: Controls if 802.
• ARM profile: Defines the Adaptive Radio Management (ARM) settings for scanning, acceptable coverage levels, transmission power and noise thresholds. In most network environments, ARM does not need any adjustments from its factory-configured settings. However, if you are using VoIP or have unusually high security requirements, you may want to manually adjust the ARM thresholds. For complete details on Adaptive Radio Management, refer to Chapter 5, “Adaptive Radio Management (ARM)” on page 139.
Controller Profiles
These controller profiles set the management password policy, define equipment OUIs, or configure VIA authentication and connection settings.
• Valid Equipment OUI Profile: Set one or more Dell OUIs for the controller.
• VIA Authentication Profile: Define an authentication profile for the VIA feature.
• VIA Connection Profile: Define an authentication and connection settings profile for the VIA feature.
Figure 19 AP Specific and AP Group Profile Hierarchies
Figure 20 displays how the Layer 2 authentication profiles and Layer 3 authentication profiles reference other types of profiles. To view the profile hierarchy for Layer 2 authentication profiles in the WebUI, navigate to Configuration > Authentication and select the L2 Authentication tab. To view the profile hierarchy for Layer 3 authentication profiles, navigate to Configuration > Authentication and select the L3 Authentication tab.
Figure 20 Layer 2/Layer 3 Profile Hierarchies
The example below follows the suggested order of steps to configure a virtual AP.
    vlan 60
    !
    ip access-list session THR-POLICY-NAME-WPA2
      user any any permit
    !
    user-role THR-ROLE-NAME-WPA2
      session-acl THR-POLICY-NAME-WPA2
    !
    aaa authentication dot1x "THR-DOT1X-AUTH-PROFILE-WPA2"
      termination enable
    !
    aaa server-group "THR-DOT1X-SERVER-GROUP-WPA2"
      auth-server Internal
    !
    aaa profile "THR-AAA-PROFILE-WPA2"
      authentication-dot1x "THR-DOT1X-AUTH-PROFILE-WPA2"
      dot1x-default-role "THR-ROLE-NAME-WPA2"
      dot1x-server-group "THR-DOT1X-SERVER-GROUP-WPA2"
    !
    wlan ssid-profile "THR-SSID-PROFILE-WPA2"
      essid "THR-WPA2"
      opmode wpa2-aes
    !
    wlan virtual-ap "THR-VIRTUAL-AP-PROFILE-WPA2"
      ssid-profile "THR-SSID-PROFILE-WPA2"
      aaa-profile "THR-AAA-PROFILE-
Table 23 AP Profiles to AP Groups
  AP Profile          “default” AP Group   “Toronto” AP Group
  Regulatory Domain   “default”            “default”
  SNMP                “default”            “default”
Note: Each instance of a profile must have a unique name. In the example above, there are two different AP system profiles, therefore each instance should have a unique name.
You can apply the same virtual AP profiles to the AP groups shown in Table 23. For example, there are users in both Edmonton and Toronto that access the same “Corpnet” WLAN.
Excluding a virtual AP profile from an AP in the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration > AP Specific page.
2. Do one of the following:
• If the AP you want to exclude is included in the list, click Edit for the AP.
• If the AP does not appear in the list, click New. Either type in the name of the AP, or select the AP from the drop-down list. Then click Add.
3. Select Wireless LAN under the Profiles list, then select Excluded Virtual AP.
4.
Because all APs discovered by the controller belong to the AP group called “default”, you assign the virtual AP profile that contains the SSID profile “Corpnet” to the “default” AP group. For the “Guest” SSID, you configure a new virtual AP profile that you assign to the AP named “building3-lobby”. Table 25 lists the profiles that you need to modify or create for these examples.
In the WebUI
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Click Add to add a new policy. Enter the name of the policy. Default settings for a policy rule permit all traffic from any source to any destination, but you can make a rule more restrictive. You can also configure multiple rules; the first rule in a policy that matches the traffic is applied. Click Add to add a rule. When you are done adding rules, click Apply.
3. Click the User Roles tab.
Configuring Authentication
In this example, you create the 802.1x authentication profile corpnet. The AAA profile configures the authentication for a WLAN. The AAA profile defines the type of authentication (802.1x in this example), the authentication server group, and the default user role for authenticated users.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > L2 Authentication page. Select 802.1x Authentication Profile.
a. In the 802.
4. Select the 802.1x Authentication Server Group under the corpnet AAA profile to reveal the 802.1X Authentication Server Group pane.
a. Click the 802.1X Authentication Server Group drop-down list and select the corpnet server group you previously configured.
b. Click Apply.
Table 27 Virtual AP Profile Parameters
  Allowed band: The band(s) on which to use the virtual AP:
  • a: 802.11a band only (5 GHz).
  • g: 802.11b/g band only (2.4 GHz).
  • all: both 802.11a and 802.11b/g bands (5 GHz and 2.4 GHz). This is the default setting.
  VLAN: The VLAN(s) into which users are placed in order to obtain an IP address. Click the drop-down list to select a configured VLAN, then click the arrow button to associate that VLAN with the virtual AP profile.
Table 27 Virtual AP Profile Parameters (Continued)
  Station Blacklisting: Select the Station Blacklisting checkbox to enable detection of denial of service (DoS) attacks, such as ping or SYN floods, that are not spoofed deauth attacks. Default: Enabled
  Blacklist Time: Number of seconds that a client is quarantined from the network after being blacklisted. Default: 3600 seconds (1 hour)
  Multicast Optimization for Video: Enable/Disable dynamic multicast optimization.
Table 27 Virtual AP Profile Parameters (Continued)
  Drop Broadcast and Multicast: Select the Drop Broadcast and Multicast checkbox to filter out broadcast and multicast traffic in the air. Do not enable this option for virtual APs configured in bridge forwarding mode. This configuration parameter is only intended for use for virtual APs in tunnel mode. In tunnel mode, all packets travel to the controller, so the controller is able to drop all broadcast traffic.
In the CLI
    wlan ssid-profile corpnet
      essid Corpnet
      opmode wpa2-aes
    wlan virtual-ap corpnet
      vlan 1
      aaa-profile corpnet
      ssid-profile corpnet
    ap-group default
      virtual-ap corpnet
Guest WLAN
To configure a Guest WLAN, the following basic steps are required.
• Configure the VLAN for guest users.
• Configure the guest role, which only allows HTTP and HTTPS traffic from 9:00 a.m. to 5:00 p.m. on weekdays.
Select Service, then select svc-http from the drop-down list. For Time Range, select the time range you previously configured. Select Add. Add another rule for svc-https. Click Apply.
4. Select the User Roles tab. Click Add. Enter guest for Role Name. Under Firewall Policies, click Add. Select Choose from Configured Policies and select the policy you previously configured. Click Done.
5. Click Apply.
In the CLI
    wlan ssid-profile guest
      opmode opensystem
    wlan virtual-ap guest
      vap-enable
      vlan 2
      deny-time-range workhours
      ssid-profile guest
      aaa-profile default-open
    ap-name building3-lobby
      virtual-ap guest
Configuring High-throughput on Virtual APs
With the implementation of the IEEE 802.11n standard, high-throughput can be configured to operate on the 5 GHz and/or 2.4 GHz frequency band.
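The corpnet (WPA2) and guest (open) CLI blocks in this chapter show the shape of the profiles involved. As an added example, not code from the guide or from Dell, the following Python audit parses configuration written in that style and reports an open-system SSID that shares a VLAN with an encrypted SSID, as well as references to profiles that are never defined. The "visitor" SSID and the "kiosk" reference in the sample are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the chapter's CLI examples: the corpnet
# and guest blocks as in the guide, plus a "visitor" open SSID deliberately
# placed on the corporate VLAN and a reference to an undefined virtual AP.
SAMPLE_CONFIG = """\
wlan ssid-profile corpnet
  essid Corpnet
  opmode wpa2-aes
wlan ssid-profile guest
  opmode opensystem
wlan ssid-profile visitor
  opmode opensystem
wlan virtual-ap corpnet
  vlan 1
  aaa-profile corpnet
  ssid-profile corpnet
wlan virtual-ap guest
  vap-enable
  vlan 2
  deny-time-range workhours
  ssid-profile guest
  aaa-profile default-open
wlan virtual-ap visitor
  vlan 1
  ssid-profile visitor
  aaa-profile default-open
ap-group default
  virtual-ap corpnet
ap-name building3-lobby
  virtual-ap guest
  virtual-ap visitor
  virtual-ap kiosk
"""

# Block headers this parser understands; any other top-level line is treated
# as an attribute of the current block.
BLOCK_RE = re.compile(r"^(wlan ssid-profile|wlan virtual-ap|ap-group|ap-name)\s+(\S+)\s*$")


def parse_config(text: str) -> dict:
    """Parse profile blocks into dicts: "ssid" and "vap" map profile name to
    {attribute: value}; "apply" maps "ap-group X" / "ap-name X" to the list of
    virtual-ap names assigned there. Flag lines such as "vap-enable" become
    True. Indentation is not significant; "!" separators are skipped."""
    cfg = {"ssid": {}, "vap": {}, "apply": defaultdict(list)}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = BLOCK_RE.match(line)
        if m:
            kind, name = m.groups()
            if kind == "wlan ssid-profile":
                current = cfg["ssid"].setdefault(name, {})
            elif kind == "wlan virtual-ap":
                current = cfg["vap"].setdefault(name, {})
            else:
                current = cfg["apply"][f"{kind} {name}"]
            continue
        if current is None:
            raise ValueError(f"attribute line outside any block: {line!r}")
        key, _, value = line.partition(" ")
        if isinstance(current, list):        # ap-group / ap-name assignment block
            if key == "virtual-ap":
                current.append(value)
        else:                                # ssid-profile / virtual-ap block
            current[key] = value if value else True
    return cfg


def audit(cfg: dict) -> list:
    """Return (severity, message) findings for the parsed configuration."""
    findings = []
    modes_on_vlan = defaultdict(set)        # vlan -> set of opmodes carried on it
    for vap_name, vap in cfg["vap"].items():
        ssid_name = vap.get("ssid-profile")
        ssid = cfg["ssid"].get(ssid_name)
        if ssid is None:
            findings.append(("error", f"virtual-ap {vap_name}: ssid-profile {ssid_name!r} is not defined"))
            continue
        if "vlan" in vap:
            modes_on_vlan[vap["vlan"]].add(ssid.get("opmode", "unset"))
    for vlan, modes in sorted(modes_on_vlan.items()):
        if "opensystem" in modes and len(modes) > 1:
            encrypted = ", ".join(sorted(modes - {"opensystem"}))
            findings.append(("warning", f"VLAN {vlan}: open SSID shares the VLAN with encrypted SSID(s) ({encrypted})"))
    for target, vaps in cfg["apply"].items():
        for vap_name in vaps:
            if vap_name not in cfg["vap"]:
                findings.append(("error", f"{target}: virtual-ap {vap_name!r} is not defined"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{severity}: {message}")
```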
a. Select New from the 802.11a radio profile drop-down menu.
b. Enter ht-corpnet-a for the 802.11a radio profile name.
c. Select (check) the High Throughput enable (radio) checkbox to enable high-throughput. By default, this is enabled (checked).
d. Click Apply.
5. Select the High-throughput Radio Profile under the 802.11a radio profile.
a. Select New from the High-throughput Radio Profile drop-down menu.
b. Enter ht-radioa-corpnet for the high-throughput radio profile name.
c.
f. Click Apply to create the SSID profile and return to the virtual AP profile page.
g. Click Apply on the virtual AP profile page.
10. Select the ht-vap-corpnet virtual AP profile.
a. Select all from the Allowed band drop-down menu.
b. Click Apply.
11. Select the SSID profile ht-corpnet. The High-throughput SSID profile option will appear.
12. Select the High-throughput SSID Profile.
a. Select New from the High-throughput SSID Profile drop-down menu.
b.
In the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group or AP Specific tab.
• If you selected the AP Group tab, click the Edit button by the AP group name for which you want to configure the new 802.11k profile.
• If you selected the AP Specific tab, click the Edit button by the AP for which you want to create the 802.11k profile.
2. In the Profiles list, expand the Wireless LAN menu, then expand the Virtual AP menu.
3.
In the CLI
Use the following command to configure 802.11k profiles. The available parameters for this profile are described in Table 29.
    wlan dot11k
      bcn-measurement-mode {active|beacon-table|passive}
      clone
      dot11k-enable
      force-disassoc
Configuring RF Optimization
ArubaOS includes an RF Optimization profile that allows you to configure settings for detecting interference.
Table 30 RF Optimization Profile Parameters
  Low RSSI Threshold: Minimum RSSI above which de-authorization messages should never be sent.
  RSSI Check Frequency: Interval, in seconds, at which to sample RSSI.
In the CLI
Use the following command to configure RF Optimization profiles. The parameters are described in Table 30.
5. Configure your settings as detailed in Table 31 and click Apply to save your settings.
Table 31 RF Event Profile Parameters
  Detect Frame Rate Anomalies: Enables or disables detection of frame rate anomalies. This feature is disabled by default.
  Bandwidth Rate High Watermark: If bandwidth in an AP exceeds this value, a bandwidth exceeded condition exists. The value represents the percentage of maximum for a given radio. (For 802.11b, the maximum bandwidth is 7 Mbps. For 802.
      fer-low-wm
      ffr-high-wm
      ffr-low-wm
      flsr-high-wm
      flsr-low-wm
      fnur-high-wm
      fnur-low-wm
      frer-high-wm
      frer-low-wm
      frr-high-wm
      frr-low-wm
Changing AP Installation Modes
By default, all AP models initially ship with an indoor or outdoor installation mode.
    Status     Up time   Installation
    Up; Mesh   9m:55s    indoor
Configuring Channel Switch Announcement (CSA)
When an AP changes its channel, existing wireless clients may “time out” while waiting to receive a new beacon from the AP; the client must begin scanning to discover the new channel on which the AP is operating. If the disruption is long enough, the client may need to reassociate, reauthenticate, and re-request an IP address. Channel Switch Announcement (CSA), as defined by IEEE 802.
Table 32 20 MHz and 40 MHz Static Channel Configuration Options
  WebUI: Channel Text Field, None Radio Button
  CLI: channel
  Definition: Entering a channel number in the CLI, or entering a channel number in the WebUI and selecting the None radio button, disables 40 MHz mode and activates 20 MHz mode for the entered channel.
12. Enter 1 in the Channel text field, select the None radio button, and click Apply. In this instance, channel 1 is the assigned 20 MHz channel and 40 MHz mode is disabled.
Configuring in the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3. Under Profiles, select AP, then AP system profile. The configuration settings are displayed in Profile Details.
4. Under Profile Details:
a. At the Bootstrap threshold, enter 30.
b. Click Apply.
Configuring in the CLI
    ap system-profile
      bootstrap-threshold 30
Prioritizing AP heartbeats in the WebUI
1.
Configuring in the WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3. Under Profiles, select AP to display the AP profiles.
4. Select the AP system profile you want to modify.
5. Under Profile Details:
a. At the LMS IP field, enter the primary controller IP address.
b. At the Backup LMS IP field, enter the backup controller IP address.
c. Click (select) LMS Preemption.
To view the maintenance mode status of APs, use the following commands:
    show ap config {ap-group |ap-name |essid }
    show ap debug system-status {ap-name |bssid | ip-addr }
On the local controller, you can also view maintenance mode status using the following commands:
    show ap active {ap-name |essid |ip-addr }
    show ap database
    show ap details {ap-name |bssid |ip-addr }
Managing AP LEDs
AP LEDs can be configured in two modes: norma
Chapter 5 Adaptive Radio Management (ARM)
This chapter outlines how to configure the ARM function to automatically select the best channel and transmission power settings for each AP on your WLAN. This chapter describes the following topics:
• “ARM Overview” on page 139
• “ARM Profiles” on page 140
• “Multi-Band ARM and 802.11a/802.
Monitoring Your Network with ARM When ARM is enabled, your AP will dynamically scan all 802.11 channels within its 802.11 regulatory domain at regular intervals and will report everything it sees to the controller on each channel it scans. This includes, but is not limited to, data regarding WLAN coverage, interference, and intrusion detection.
Table 33 ARM Profile Types
  default profile only: Example WLANs:
  • A warehouse where the physical environment is nearly the same for all APs, and each AP manages the same number of clients and traffic load.
  • A training room, where the clients are evenly spaced throughout the room, have the same security requirements and are using the same amount of network resources.
  multiple profiles:
To create a copy of an existing ARM profile via the command-line interface, access the CLI in config mode and issue the following command.
    rf arm-profile clone
where the first name is a unique name for the new ARM profile, and the second is the name of the existing profile whose settings you want to copy. The name must be 1–63 characters, and can be composed of alphanumeric characters, special characters and spaces.
Table 34 ARM Profile Configuration Parameters
  Client Aware: If the Client Aware option is enabled, the AP does not change channels if there is an active client associated to that AP. (Activity is defined by the sta-inactivity-time parameter in the IDS general profile. By default, a client is considered active if it has sent or received traffic within the last 60 seconds.)
Table 34 ARM Profile Configuration Parameters (Continued)
  Scanning: The Scanning checkbox enables or disables AP scanning across multiple channels. Disabling this option also disables the following scanning features:
  • Multi Band Scan
  • Rogue AP Aware
  • VoIP Aware Scan
  • Power Save Scan
  Do not disable Scanning unless you want to disable ARM and manually configure AP channel and transmission power.
Table 34 ARM Profile Configuration Parameters (Continued)
  Noise Wait Time: Minimum time in seconds the noise level has to exceed the Noise Threshold before it triggers a channel change. The range of possible values is 120–3600 seconds. Default: 120 seconds
  Minimum Scan Time: Minimum number of times a channel must be scanned before it is considered for assignment. The supported range for this setting is 0–2,147,483,647 scans. Dell recommends a Minimum Scan Time between 1–20 scans.
      scan-interval
      scan-time
      scanning
      voip-aware-scan
Assigning an ARM Profile to an AP Group
Once you have created a new ARM profile, you must assign it to a group of APs before those ARM settings go into effect. Each AP group has a separate set of configuration settings for its 802.11a radio profile and its 802.11g radio profile. You can assign the same ARM profile to each radio profile, or select different ARM profiles for each radio.
Multi-Band ARM and 802.11a/802.11g Traffic Dell recommends using the multi-band ARM assignment and Mode Aware ARM feature for single-radio APs in networks with traffic in the 802.11a and 802.11g bands. This feature allows a single-radio AP to dynamically change its radio bands based on current coverage on the configured band. This feature is enabled via the AP's ARM profile. When you first provision a single-radio AP, it initially operates in the radio band specified in its AP system profile.
6. Click Apply to save your changes.
Enabling Band Steering via the CLI
Use the following commands to enable band steering via the command-line interface. Access the CLI in config mode, then specify an existing virtual AP with the parameter to modify an existing profile, or enter a new name to create an entirely new virtual AP profile.
4. In the Profile Details window, select the name of the traffic management profile for which you want to configure traffic shaping. (If you do not have any traffic management profiles configured, enter a name for a new profile in the Profile Details pane, then click Add. Select the new profile from the profiles list.)
5. In the Profile Details pane, click the Station Shaping Policy drop-down list and select either default-access, fair-access or preferred-access.
6. Click Apply to save your changes.
You can configure the channel reuse feature to operate in one of the following three modes: static, dynamic, or disable. (This feature is disabled by default.)
• Static mode: This mode of operation is a coverage-based adaptation of the Clear Channel Assessment (CCA) thresholds. In static mode, the CCA threshold is adjusted according to the configured transmission power level on the AP, so that as the AP transmit power decreases, the CCA threshold increases, and vice versa.
• Coverage Index: The AP uses this metric to measure RF coverage. The coverage index is calculated as x/y, where “x” is the AP’s weighted calculation of the Signal-to-Noise Ratio (SNR) of all valid APs on a specified 802.11 channel, and “y” is the weighted calculation of the SNR of the Dell APs that the neighboring APs see on that channel.
Wireless Clients Report a Low Signal Level
If APs detect strong signals from other APs on the same channel, they may decrease their power levels accordingly. Issue the CLI commands show ap arm rf-summary ap-name or show ap arm rf-summary ip-addr for all APs and check their current coverage index (cov-idx). If the AP’s coverage index is at or higher than the configured coverage index value, then the APs have correctly chosen the transmit power setting.
Chapter 6 Remote Access Points The Secure Remote Access Point Service allows AP users, at remote locations, to connect to a controller over the Internet. Since the Internet is involved, data traffic between the controller and the remote AP is VPN encapsulated. That is, the traffic between the controller and AP is encrypted. Remote AP operations are supported on all APs.
Figure 24 Remote AP with Controller on Public Network
• Deployment Scenario 3: The remote AP is on the public network or behind a NAT device and the controller is also behind a NAT device. (Dell recommends this deployment for remote access.) The remote AP must be configured with the tunnel termination point, which must be a publicly-routable IP address. In this scenario, the remote AP uses the public IP address of the corporate firewall.
install the PEFNG and PEFV license in the controller, as described in Chapter 27, “Software Licenses”.
• Configure the authentication server that will validate the username and password for the remote AP.
• Provision the AP with IPSec settings, including the username and password for the AP, before you install it at the remote location.
ArubaOS supports multiple remote AP modes of operation. By default, the remote AP operates in standard mode.
4. To configure the L2TP IP pool, click Add in the Address Pools section. Configure the L2TP pool from which the APs will be assigned addresses, then click Done. Note: The size of the pool should correspond to the maximum number of APs that the controller is licensed to manage. 5. To configure an Internet Security Association and Key Management Protocol (ISAKMP) encrypted subnet and preshared key, click Add in the IKE Shared Secrets section and configure the preshared key.
6. To create the next rule:
a. Under Rules, click Add.
b. For Source, select any.
c. For Destination, select any.
d. For Service, select service, then select svc-gre.
e. Click Add.
7. To create the next rule:
a. Under Rules, click Add.
b. For Source, select any.
c. For Destination, select any.
d. For Service, select service, then select svc-l2tp.
e. Click Add.
8. To create the next rule:
a. Under Rules, click Add.
b. For Source, select any.
c. For Destination, select alias, then select mswitch.
d.
Configure VPN Authentication Before you enable VPN authentication, you must configure the authentication server(s) and server group that the controller will use to validate the remote AP. When you provision the remote AP, you configure IPSec settings for the AP, including the username and password. This username and password must be validated by an authentication server before the remote AP is allowed to establish a VPN tunnel to the controller.
Using the WebUI
The following procedure illustrates the steps to configure an internal database for a remote AP user. To configure the user role, you first create a policy that permits the following traffic:
• AP control traffic via the Dell PAPI protocol
• GRE tunnel traffic
• ESP tunnel traffic
• Layer-2 Tunneling Protocol (L2TP) traffic
• TFTP traffic
• FTP traffic
Then, you create a user role that contains this policy.
1.
c. For Destination, select any.
d. For Service, select service, then select svc-tftp.
e. Click Add.
10. To create the next rule:
a. Under Rules, click Add.
b. For Source, select any.
c. For Destination, select any.
d. For Service, select service, then select svc-ftp.
e. Click Add.
11. Click Apply.
12. Click the User Roles tab.
a. Click Add.
b. Enter the Role Name (for example, rap_role).
c. Click Add under Firewall Policies.
d. In the Choose from Configured Policies menu, select the policy you just created.
user-role rap_role
session-acl rap_policy
Configure VPN authentication using the internal database:
aaa authentication vpn default-role rap_role server-group internal
Add the user to the internal database:
local-userdb add username rapuser1 password
Provision the AP
You need to configure the VPN client settings on the AP to instruct the AP to use IPSec to connect to the controller. You can provision the remote AP and give it to users, or allow remote users to provision the AP at their home.
Creating a Remote AP Whitelist
The remote AP whitelist is the list of approved APs that can be provisioned on your controller. To create a remote AP whitelist:
1. Navigate to Configuration > AP Installation (under Wireless) and then click the RAP Whitelist tab on the right side.
2. Click the New button and provide the following details:
• AP MAC Address—Mandatory parameter. Enter the MAC address of the AP.
• Username—Enter a username that will be used when the AP is provisioned.
• Local termination of 802.11 management frames, which provides survivability of the branch office WLAN.
• All 802.1x authenticator functionality is implemented in the AP. The controller is used as a RADIUS passthrough when the authenticator has to communicate with a RADIUS server (which also supports survivability).
• 802.11 encryption/decryption is in the AP to provide access to local resources.
Remote AP Summary
The Summary tab has two views: basic and advanced. Click the basic or advanced links at the top of this tab to toggle between the two views. The table below shows the information displayed for both the basic and advanced views of the Summary tab.
Table 35 Rap Console Summary Tab Information (columns: Summary Table Name, Basic View Information, Advanced View Information)
Wired Ports Status; Wireless SSIDs: Port: Port numbers of the wired ports on the AP.
Table 35 Rap Console Summary Tab Information (Continued)
Wireless User (basic view): MAC Address: MAC address of the wireless user. IP address: IP address of the wireless user.
Device Info (advanced view): Type: AP device/model type. Name: Name assigned to the AP. Wired MAC address: MAC address of the wired port. Serial #: AP serial number. Tunnel IP address: IP address of the tunnel between the AP and controller.
Remote AP Connectivity
The information shown on the Connectivity tab will vary, depending upon the current status of the remote AP. If a remote AP has been successfully provisioned and connected, it should display some or all of the information in Table 36.
Table 36 Rap Console Connectivity Tab Information
Data: Description
Uplink status: Shows whether the link is connected or failed. If the link is connected, the Uplink status also displays the name of the interface.
Using the WebUI 1. Navigate to the Configuration > Wireless > AP Configuration > AP Specific page. Click Edit for the remote AP. 2. Under Profiles, select AP, then select AP system profile. 3. Under Profile Details, select the AP system profile for this AP from the drop-down menu. Select Double Encrypt. Click Apply.
Table 37 Remote AP Modes of Operation and Behavior Remote AP Operation Setting Forward Mode Setting all bridge split-tunnel tunnel decrypt-tunnel Management frames on AP. Frames are bridged between wired and wireless interfaces. No frames are tunneled to the controller. Station acquires its IP address locally from an external DHCP server. Management frames on AP.
Table 37 Remote AP Modes of Operation and Behavior Remote AP Operation Setting standard Forward Mode Setting ESSID is up only when there is connectivity with the controller. SSID configuration obtained from the controller. Behaves like a classic Dell branch office AP. Provides a bridged ESSID that is configured from the controller and stays up if there is controller connectivity. Split tunneling mode. Classic Dell thin AP operation.
Using WebUI to configure the AAA profile
The AAA profile defines the authentication method and the default user role for unauthenticated users. Note: 802.1x and PSK authentication are supported when configuring bridge or split tunnel mode.
1. Navigate to the Security > Authentication > AAA Profiles page. From the AAA Profiles Summary list, click Add.
2. Enter the AAA profile name, then click Add.
3. Select the AAA profile that you just created:
a.
3. To create a new virtual AP profile in the WebUI, select New from the Add a profile drop-down menu. Enter the name for the virtual AP profile, and click Add. Note: Whenever you create a new virtual AP profile in the WebUI, the profile automatically contains the “default” SSID profile with the default ESSID. You must configure a new ESSID and SSID profile for the virtual AP profile before you apply the profile. a.
To configure the remote AP DHCP server:
• Enter the VLAN ID for the remote AP DHCP VLAN in the AP system profile. This VLAN enables the DHCP server on the AP (also known as the remote AP DHCP server VLAN). If you enter the native VLAN ID, the DHCP server is not configured and is unavailable.
• Specify the DHCP IP address pool and netmask. By default, the AP assigns IP addresses from the DHCP pool 192.168.11.0/24, with an IP address range from 192.168.11.2 through 192.168.11.254.
Using CLI
ap system-profile
lms-ip
master-ip
rap-dhcp-default-router
rap-dhcp-dns-server
rap-dhcp-lease
rap-dhcp-pool-end
rap-dhcp-pool-netmask
rap-dhcp-pool-start
rap-dhcp-server-id
rap-dhcp-server-vlan
wlan virtual-ap
ssid-profile
vlan
forward-mode bridge
aaa-profile
rap-operation {always|backup|persistent}
ap-group
ap-system-profile
virtual-ap
or
ap-name
• Connect the remote AP to the available public network (for example, a hotel or airport network). The remote AP advertises the backup SSID so the wireless client can connect and obtain an IP address from the available DHCP server. Note: The remote AP can obtain an IP address from the public network, for example a hotel or airport, or from the DHCP server on the remote AP.
Using the WebUI to configure the AAA profile 1. Navigate to the Security > Authentication > AAA Profiles page. From the AAA Profiles Summary list, click Add. 2. Enter the AAA profile name, then click Add. 3. Select the AAA profile that you just created: a. For Initial role, select the user role you just created. b. For 802.1X Authentication Default Role, select the appropriate role for your remote AP configuration, then click Apply. c. Under the AAA profile that you created, locate 802.
8. Under Profile Details, do the following: a. Select the AP system profile to edit. b. At the LMS IP field, enter the LMS IP address. c. At the Master controller IP address field, enter the master controller IP address. d. Configure the Remote-AP DHCP Server fields. e. Click Apply.
or
ap-name
virtual-ap
ap-system-profile
DNS Controller Setting
In addition to specifying IP addresses for controllers, you can also specify the master DNS name for the controller when provisioning the remote AP. The name must be resolved to an IP address when attempting to set up the IPSec tunnel. For information on how to configure a host name entry on the DNS server, refer to the vendor documentation for your server.
Figure 28 Sample Backup Controller Scenario (data center 1, data center 2, remote office)
Configuring the LMS and backup LMS IP addresses using WebUI
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3. Under Profiles, select AP to display the AP profiles.
4. Select the AP system profile you want to modify.
5. Under Profile Details:
a.
3. Under Profiles, select AP to display the AP profiles. 4. Select the AP system profile you want to modify. 5. Under Profile Details: a. Click (select) LMS Preemption. This is disabled by default. b. At the LMS Hold-down period field, enter the amount of time the remote AP must wait before moving back to the primary controller. 6. Click Apply.
Remote AP Authorization Profiles Remote AP configurations include an authorization profile that specifies which profile settings should be assigned to a remote AP that has been provisioned but not yet authenticated at the remote site. By default, these yet-unauthorized APs are put into the temporary AP group authorization-group and assigned the predefined profile NoAuthApGroup.
local resources (for example, a local printer). The remote AP examines session ACLs to distinguish between corporate traffic destined for the controller and local traffic.
Note: When creating a new virtual AP profile in the WebUI, you can also configure the SSID at the same time. For information about AP profiles, see “Configuring Profiles” on page 105 in Chapter 6, “Remote Access Points”.
• Optionally, create a list of network names resolved by corporate DNS servers. Clients send DNS requests to the corporate DNS server address that they learned from DHCP. If configured for split tunneling, corporate domains and traffic destined for the corporate network use the corporate DNS server.
a. Under Rules, click Add. b. Under Source, select user. c. Under Destination, select any. d. Under Service, select any. e. Under Action, select any and check src-nat. f. Click Add. 13. Click Apply. 14. Click the User Roles tab. a. Click Add to create and configure a new user role. b. Enter the desired name for the role in the Role Name field. c. Under Firewall Policies, click Add. d. From the Choose from Configured Policies drop-down menu, select the policy you just configured. e. Click Done. 15.
Using CLI
Use the localip keyword in the user role ACL. By default, all users have an ACL entry of type any any deny. This rule restricts access for all users. When configuring the ACL for a user role, if a user any permit rule is present, add a localip deny rule before it so that the user is restricted from accessing the LD homepage. Example:
ip access-list session logon-control
user localip svc-http deny
user any permit
Using WebUI
1.
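As an added illustration of the ordering point above (not code from the ArubaOS guide), the following Python simulator evaluates the logon-control session ACL top-down with first-match semantics and flags any rule shadowed by an earlier, broader rule; the AP's local address and the sample flows are constructed assumptions.

```python
"""First-match evaluation of a session ACL (added illustration, not product code).

Shows why the "user localip svc-http deny" rule must precede the broad
"user any permit" rule: rules are matched top-down and the first hit wins.
The rule syntax modelled here, the AP's local IP and the sample flows are
constructed assumptions for illustration only.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed assumption: the address the "localip" keyword resolves to
# (the remote AP's own local IP address).
AP_LOCAL_IP = ipaddress.ip_address("192.168.11.1")


@dataclass(frozen=True)
class Rule:
    """One line of a session ACL: <src> <dst> <service> <action>."""
    src: str       # "user" or "any"
    dst: str       # "localip", "any", or a literal IP address
    service: str   # "svc-http", "any", ...
    action: str    # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    """A candidate session as seen by the firewall."""
    from_user: bool                 # True when the source is a user client
    dst_ip: ipaddress.IPv4Address
    service: str


def _dst_matches(rule_dst: str, dst_ip: ipaddress.IPv4Address) -> bool:
    if rule_dst == "any":
        return True
    if rule_dst == "localip":
        return dst_ip == AP_LOCAL_IP
    return dst_ip == ipaddress.ip_address(rule_dst)


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field of the rule covers the flow."""
    if rule.src == "user" and not flow.from_user:
        return False
    if not _dst_matches(rule.dst, flow.dst_ip):
        return False
    return rule.service in ("any", flow.service)


def evaluate(acl: list[Rule], flow: Flow) -> tuple[str, int | None]:
    """Return (action, index of the rule that fired).

    Rules are checked top-down and the first match wins; a flow that matches
    nothing falls through to the implicit "any any deny" (index None).
    """
    for idx, rule in enumerate(acl):
        if matches(rule, flow):
            return rule.action, idx
    return "deny", None


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when `broad` matches every flow that `narrow` would match."""
    return (broad.src in ("any", narrow.src)
            and broad.dst in ("any", narrow.dst)
            and broad.service in ("any", narrow.service))


def shadowed_rules(acl: list[Rule]) -> list[int]:
    """Indices of rules that can never fire because an earlier rule covers them.

    A shadowed deny is the classic misordering: the restriction is written
    down but has no effect.
    """
    return [i for i, rule in enumerate(acl)
            if any(covers(earlier, rule) for earlier in acl[:i])]


# The logon-control ACL from the text: deny HTTP to the AP's local IP, then permit all.
LOGON_CONTROL = [
    Rule("user", "localip", "svc-http", "deny"),
    Rule("user", "any", "any", "permit"),
]
# The same two rules in the wrong order.
MISORDERED = list(reversed(LOGON_CONTROL))

# Constructed sample flows.
HTTP_TO_AP = Flow(True, AP_LOCAL_IP, "svc-http")
HTTP_TO_INTERNET = Flow(True, ipaddress.ip_address("203.0.113.10"), "svc-http")
NOT_FROM_USER = Flow(False, AP_LOCAL_IP, "svc-http")

if __name__ == "__main__":
    for name, acl in (("logon-control", LOGON_CONTROL), ("misordered", MISORDERED)):
        print(name, "HTTP to AP ->", evaluate(acl, HTTP_TO_AP),
              "| shadowed rules:", shadowed_rules(acl))
```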
b. Under the AAA profile that you created, locate 802.1x Authentication Server Group, and select the authentication server group to use, then click Apply. If you need to create an authentication server group, select new and enter the appropriate parameters. Using CLI aaa profile authentication-dot1x dot1x-default-role dot1x-server-group Configuring split tunneling in the virtual AP profile 1. Navigate to Configuration > Wireless > AP Configuration page.
ap-group virtual-ap or ap-name virtual-ap Using the WebUI to list the corporate DNS servers 1. Navigate to Configuration > Wireless > AP Configuration page. 2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name. 3. Under Profiles, select AP, then AP system profile. 4. Under Profile Details: a. Enter the corporate DNS servers. b. Click Add. The DNS name appears in Corporate DNS Domain list. You can add multiple names the same way. 5.
Bandwidth Reservation for Uplink Voice Traffic
The voice ACLs are applicable to the voice signalling traffic used to establish a voice call through a firewall. When a voice ACL is executed, a dynamic session is introduced to allow voice traffic through the firewall. This prevents the re-use of voice ACLs for bandwidth reservation. However, you can create bandwidth reservation rules that can be applied to voice signalling traffic and also to ports used for voice data traffic.
Chapter 7 Secure Enterprise Mesh The Dell secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires. Using mesh, you can bridge multiple Ethernet LANs or you can extend your wireless coverage. As traffic traverses across mesh APs, the mesh network automatically reconfigures around broken or blocked paths.
You configure the AP for mesh on the controller using either the WebUI or the CLI. All mesh related configuration parameters are grouped into mesh profiles that you can apply as needed to an AP group or to individual APs. By default, APs operate as thin APs, which means their primary function is to receive and transmit electromagnetic signals; other WLAN processing is left to the controller. When planning a mesh network, you manually configure APs to operate in mesh portal or mesh point roles.
points that facilitate wireless communication between wired LANs. Mesh portals in a mesh cluster do not need to be on the same VLAN. Figure 33 shows two mesh clusters and their relationship to the controller.
Figure 33 Sample Mesh Clusters (cluster one and cluster two, each with a mesh portal and mesh point, connected to the controller)
Mesh Links
In simple terms, the mesh link is the data link between a mesh point and its parent.
z Using a new mesh link if the current mesh link goes down If an uplink goes down, the affected mesh nodes re-establish a connection with the mesh portal by re-scanning to choose a new path to the mesh portal. If a mesh portal goes down, and a redundant mesh portal is available, the affected mesh nodes update their forwarding tables to reflect the path to the new mesh portal.
the flexibility of applying the “default” versions of profiles in addition to customizing profiles that are necessary for the AP or AP group to function. If you assign a profile to an individual AP, the values in the profile override the profile assigned to the AP group to which the AP belongs. The exception is the mesh cluster profile—you can apply multiple mesh cluster profiles to individual APs, as well as to AP groups.
Each ARM-enabled mesh portal monitors defined thresholds for interference, noise, errors, rogue APs and radar settings, then calculates interference and coverage values and selects the best channel for its radio band(s). The mesh portal communicates its channel selection to its mesh points via Channel Switch Announcements (CSAs), and the mesh points will change their channel to match their mesh portal. Although channel settings can still be defined for a mesh point via that mesh point's 802.11a and 802.
The mesh portal advertises the provisioned cluster profile. If a mesh point is unaware of the active mesh cluster profile, but is aware of and has the same recovery profile as the mesh portal, the mesh point can use the recovery profile to connect to the mesh portal. Note: The mesh point must have the same recovery profile as the parent to which it connects. If you provision the mesh points with the same master controller, the recovery profiles should match.
Figure 34 Sample Wireless Backhaul Deployment (mesh portal, controller, mesh point)
Point-to-Point Deployment
In this point-to-point scenario, two Ethernet LAN segments are bridged via a wireless connection that carries both client services traffic and mesh-backhaul traffic between the mesh portal and the mesh point. This provides communication from one LAN to another. Figure 35 shows a single-hop point-to-point deployment.
Figure 36 Sample Point-to-Multipoint Deployment (remote sites with connectivity via the mesh points; host site with access to the data center and the controller via the mesh portal)
High-Availability Deployment
In this high-availability scenario, multiple Ethernet LAN segments are bridged via multiple wireless backhauls that carry traffic between the mesh portal and the mesh points. You configure one mesh portal for each remote LAN that you are bridging with the host LAN.
Before You Begin
Dell recommends the following when planning and deploying a mesh solution:
Pre-Deployment Considerations
• Ensure the controller has Layer-2/3 network connectivity to the network segment where the mesh portal will be installed.
• Keep the AP packaging materials and reuse them to send the APs to the installation location.
• Verify the layout of the physical location to determine the appropriate configuration and placement of the APs.
• Align the AP antenna for optimal RSSI.
• Do not delete or modify mesh cluster profiles once you use them to provision mesh nodes. You can recover the mesh point if the original cluster profile is still available. Dell recommends creating a new mesh cluster profile if needed.
• If you create a new mesh cluster profile for an existing deployment, you must re-provision the AP for the new profile to take effect.
Table 39 Mesh Radio Profile Configuration Parameters
Parameter: Description
Mesh radio profile: Select an existing radio profile to modify or create a new radio profile. The radio profile can have a maximum of 32 characters. Default: Mesh radio profile named “default.”
Maximum Children: Indicates the maximum number of children a mesh node can accept. Default: 64 children. The range is 1–64.
Maximum Hop Count: Indicates the maximum hop count from the mesh portal. Default: 8 hops. The range is 1–32.
Table 39 Mesh Radio Profile Configuration Parameters (Continued)
Parameter: Description
Reselection mode: Use this setting to optimize operation of the link metric algorithm. The reselection mode specifies the method a mesh node uses to find a better uplink to create a path to the mesh portal. Only neighbors on the same channel in the same mesh cluster are considered.
Table 39 Mesh Radio Profile Configuration Parameters (Continued)
Parameter: Description
Allowed VLANs on Mesh Link: List the VLAN ID numbers of VLANs allowed on the mesh link.
BC/MC Rate Optimization: Broadcast/Multicast Rate Optimization dynamically selects the rate for sending broadcast/multicast frames on any BSS. This feature determines the optimal rate for sending broadcast and multicast frames based on the lowest of the unicast rates across all associated clients.
Deleting a Profile
Use the following procedure to delete an existing mesh radio profile via the WebUI. You can delete a mesh radio profile only if no other APs or AP groups are using that profile.
1. Navigate to the Configuration > Advanced Services > All Profiles window.
2. Expand the Mesh menu, then select Mesh radio profile. A list of mesh radio profiles appears in the Profile Details window pane.
3. Click the Delete button by the name of the profile you want to delete.
ap-group mesh-radio-profile priority To associate a mesh radio profile with an individual AP: ap-name mesh-radio-profile priority The following examples assign the mesh cluster profiles cluster1 and cluster2 to two different AP groups. In the AP group group1, cluster1 has a priority of 5, and cluster2 has a priority of 10, so cluster1 has the higher priority.
3. If you selected 802.11a radio profile, click the 802.11a radio profile drop-down list in the Profile Details window pane and select NEW.
-or-
If you selected 802.11g radio profile, click the 802.11g radio profile drop-down list in the Profile Details window pane and select NEW.
4. Enter a name for your new 802.11a or 802.11g radio profile.
5. Configure the radio settings described in Table 40, then click Apply to save your settings.
Table 40 802.11a/802.11g RF Management Configuration Parameters (Continued) Parameter Description Spectrum Load Balancing The Spectrum Load Balancing feature helps optimize network resources by balancing clients across channels, regardless of whether the AP or the controller is responding to the wireless clients' probe requests. If enabled, the controller compares whether or not an AP has more clients than its neighboring APs on other channels.
Table 40 802.11a/802.11g RF Management Configuration Parameters (Continued) Parameter Description ARM/WIDS Override If selected, this option disables Adaptive Radio Management (ARM) and Wireless IDS functions and slightly increases packet processing performance. If a radio is configured to operate in Air Monitor mode, then the ARM/WIDS override functions are always enabled, regardless of whether or not this check box is selected. Protection for 802.11b Clients (For 802.
2. In the Profiles list, expand the RF Management menu.
3. To reference a new high-throughput profile for an 802.11a RF management profile, expand the 802.11a radio profile menu, then select High-throughput radio profile.
-or-
To reference a new high-throughput profile for an 802.11g RF management profile, expand the 802.11g radio profile menu, then select High-throughput radio profile.
4. The Profile Details pane appears and displays information for the currently referenced high-throughput profile.
b. (Optional) If you are not configuring ARM for a mesh node, select 40 MHz intolerance if you want to enable 40 MHz intolerance. This parameter controls whether or not APs using this high-throughput profile will advertise intolerance of 40 MHz operation. By default, this option is disabled and 40 MHz operation is allowed. c.
rf dot11a-radio-profile|dot11g-radio-profile arm-profile beacon-period channel channel-reuse channel-reuse-threshold clone csa csa-count disable-arm-wids-function dot11b-protection (for 802.11b profiles only) dot11h high-throughput-enable ht-radio-profile interference-immunity (for 802.11g profiles only) maximum-distance mgmt-frame-throttle-interval mgmt-frame-throttle-limit mode no radio-enable spectrum-load-balancing tx-power You can also create a new 802.11a or 802.
Deleting a Profile
If no AP or AP group is using an RF management profile, you can delete that profile using the no parameter:
no rf dot11a-radio-profile
Mesh High-Throughput SSID Profiles
The mesh high-throughput SSID profile defines settings unique to 802.11n-capable, high-throughput APs. If none of the APs in your mesh deployment are 802.11n-capable APs, you do not need to configure a high-throughput SSID profile.
Table 41 Mesh High-Throughput SSID Profile Configuration Parameters (Continued)
Parameter: Description
Min MPDU start spacing: Minimum time between the start of adjacent MPDUs within an aggregate MPDU, in microseconds. Allowed values: 0 (No restriction on MPDU start spacing), .25 μsec, .5 μsec, 1 μsec, 2 μsec, 4 μsec.
Supported MCS set: A list of Modulation Coding Scheme (MCS) values or ranges of values to be supported on this SSID. The MCS you choose determines the channel width (20MHz vs.
3. In the Profile Details window pane, click the Mesh High-throughput SSID profile drop-down list and select the name of the profile you want to edit.
4. Change the settings as desired. Table 41 describes the parameters you can configure in this profile.
5. Click Apply to save your changes.
Deleting a Profile
You can delete a mesh high-throughput SSID profile only if no APs or AP groups are associated with that profile.
1. Navigate to the Configuration > Advanced Services > All Profiles window.
2.
To view the settings of a specific high-throughput profile: show ap mesh-ht-ssid-profile Deleting a Profile If no AP or AP group is using a mesh high-throughput SSID profile, you can delete that profile using the no parameter: no ap mesh-ht-ssid-profile Mesh Cluster Profiles The mesh cluster configuration gets pushed from the controller to the mesh portal and the other mesh points, which allows them to inherit the characteristics of the mesh cluster of which they are a member
z Create an AP group for each 802.11a channel. If a mesh link breaks or the primary cluster profile is unavailable, mesh nodes use the highest priority backup cluster profile to re-establish the uplink or check for parents in the backup profiles. If these profiles are unavailable, the mesh node can revert to the recovery profile to bring up the mesh network until a cluster profile is available. For a sample configuration, see “show ap mesh topology” on page 225.
Table 42 Mesh Cluster Profile Configuration Parameters (Continued)
Parameter: Description
Priority: Indicates the priority of the cluster profile. The mesh cluster priority determines the order in which the mesh cluster profiles are used. This allows you, rather than the link metric algorithm, to control the network topology by defining the cluster profiles to use if one becomes unavailable. Specify the cluster priority when creating a new profile or adding an existing profile to a mesh cluster.
Editing a Profile If you modify any mesh cluster profile setting, you must reprovision your AP. For example, if you change the priority of a cluster profile from 5 to 2, you must reprovision the AP before you can assign priority 5 to another cluster profile. Reprovisioning the AP causes it to automatically reboot. For more information, see “Provisioning Mesh Nodes” on page 222. 1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group or AP Specific tab.
The following examples create and configure the mesh cluster profiles cluster1 and cluster2.
ap mesh-cluster-profile cluster1
cluster corporate
opmode wpa2-psk-aes
wpa-passphrase mesh_123
rf-band a
ap mesh-cluster-profile cluster2
cluster corporate
opmode wpa2-psk-aes
wpa-passphrase mesh_123
rf-band a
You can also create a new mesh radio profile by copying the settings of an existing profile using the clone parameter.
Excluding a Mesh Cluster Profile from a Mesh Node
To exclude a specific mesh cluster profile from an AP:
ap-name exclude-mesh-cluster-profile-ap
Deleting a Mesh Cluster Profile
If no AP or AP group is using a mesh cluster profile, you can delete that profile using the no parameter:
no ap mesh-cluster-profile
Ethernet Ports for Mesh
If you are using mesh to join multiple Ethernet LANs, configure and enable bridging on the mesh point Ethernet port. This section describes how to co
5. Click Apply. Use the following commands to configure ethernet port bridging via the CLI.
Configuring Secure Jack via the CLI To configure secure jack operation via the command-line interface, access the CLI in config mode and issue the following commands: ap wired-ap-profile forward-mode tunnel wired-ap-enable Optionally, you can configure the following wired AP profile settings: ap wired-ap-profile trusted Extending the Life of a Mesh Network To prevent your mesh network from going down if you experience a controller failure, modify the following settings in the AP system
Provisioning Mesh Nodes
Provisioning mesh nodes is similar to provisioning thin APs; however, there are some key differences. Thin APs establish a channel to the controller from which they receive the configuration for each radio interface. Mesh nodes, in contrast, get their radio interfaces up and running before making contact with the controller.
Provisioning Caveats
Remember the following when provisioning APs for mesh:
• You must provision the AP before you install it as a mesh node in a mesh deployment. To provision the AP, it must be physically connected to the local network or directly connected to the controller. When connected and powered on, the AP must also be able to obtain an IP address from a DHCP server on the local network or from the controller.
Provisioning Mesh Nodes via the CLI When you use the command-line interface to reprovision a mesh node, you may also provision other AP settings. To provision a remote mesh portal, see “Remote Mesh Portals” on page 225.
For all thin APs and mesh nodes, the AM distinguishes mesh node packets from other packets monitored on the air, and the AM will not trigger “wireless-bridging” events for packets transmitted between mesh nodes.
Verifying the Network
After provisioning the mesh APs, ensure that the mesh network is up and operating correctly.
All requests tagged with the MPV are sent over the split tunnel. Hence the MPV should be different from any user VLAN that is bridged using the mesh network. Figure 38 Working of RMP Creating a Remote Mesh Portal via the WebUI A remote mesh portal must be provisioned as both a remote access point and a mesh portal. For instructions on provisioning the remote mesh portal as a remote access point, see “Configuring the Secure Remote Access Point Service” on page 154.
Figure 39 Provisioning an AP as a Remote Mesh Portal Defining the Mesh Private VLAN Edit the mesh radio profile for the remote mesh portal and choose a new, non-zero tag value for the mesh private VLAN. Make sure that the mesh private VLAN does not conflict with any local tags assigned in the mesh network. Once configured, all mesh points come up in that mesh private VLAN. This mesh private VLAN must not be used as a VLAN for any other virtual AP. 1.
Selecting a Mesh Radio Profile Use the following procedure to select a mesh radio profile for a remote mesh AP or AP group: 1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group or AP Specific tab. z If you selected AP Group, click the Edit button by the AP group to which you want to assign a new mesh radio profile. z If you selected AP Specific, click the Edit button by the AP to which you want to assign a new mesh radio profile. 2.
4. Click the using priority drop-down list to select a priority for the mesh cluster profile. The lower the number, the higher the priority. Note: If you configure multiple cluster profiles with different cluster priorities, you manually override the link metric algorithm because the priority takes precedence over the path cost. In this scenario, the mesh portal uses the profile with the highest priority to bring up the mesh network. 5. Click Add to add the mesh cluster profile to the AP group.
Provisioning a Remote Mesh Portal via the CLI Reprovisioning the AP causes it to automatically reboot. When you use the CLI to reprovision a mesh node, you may also provision other AP settings. provision-ap read-bootinfo ap-name mesh-role remote-mesh-portal reprovision ap-name Additional Information By default, the data frames the mesh portal receives on its mesh link are forwarded according to the bridge table entries on the portal.
Chapter 8 Authentication Servers The ArubaOS software allows you to use an external authentication server or the controller internal user database to authenticate clients who need to access the wireless network. Important Points to Remember z In order for an external authentication server to process requests from the Dell controller, you must configure the server to recognize the controller. Refer to the vendor documentation for information on configuring the authentication server.
Figure 40 Server Group (an 802.1x authentication profile referencing the server group Radii, which contains the servers RADIUS-1 and RADIUS-2). Server names are unique. You can configure the same server in multiple server groups. You must configure the server before you can add it to a server group. Note: If you are using the controller's internal database for user authentication, use the predefined "Internal" server group. You can also include conditions for server-derived user roles or VLANs in the server group configuration.
Table 43 RADIUS Server Configuration Parameters (Continued) Parameter Description NAS IP NAS IP address to send in RADIUS packets. You can configure a “global” NAS IP address that the controller uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IP, the global NAS IP is used. To set the global NAS IP in the WebUI, navigate to the Configuration > Security > Authentication > Advanced page.
Configuring an LDAP Server Table 45 describes the parameters you configure for an LDAP server. Table 45 LDAP Server Configuration Parameters Parameter Description Host IP address of the LDAP server. Default: N/A Admin-DN Distinguished name for the admin user who has read/search privileges across all the entries in the LDAP database (the user need not have write privileges but the user should be able to search the database, and read attributes of other users in the database).
Configuring a TACACS+ Server Table 46 defines the TACACS+ server parameters. Table 46 TACACS+ Server Configuration Parameters Parameter Description Host IP address of the server. Default: N/A Key Shared secret to authenticate communication between the TACACS+ client and server. Default: N/A TCP Port TCP port used by server. Default: 49 Retransmits Maximum number of times a request is retried. Default: 3 Timeout Timeout period for TACACS+ requests, in seconds.
In the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2. Select Windows Server to display the Windows Server List. 3. To configure a Windows server, enter the name for the server and click Add. 4. Select the name of the server to configure its parameters. Enter the parameters as described in Table 47. 5. Select the Mode checkbox to activate the authentication server. 6. Click Apply to apply the configuration.
Table 48 Internal Database Configuration Parameters (Continued) Parameters Description Expiration Select one of the following options: z Entry does not expire: No expiration on user entry z Set Expiry time (mins): Enter the number of minutes the user will be authenticated before their user entry expires. z Set Expiry Date (mm/dd/yyyy) Expiry Time (hh:mm): To select a specific expiration date and time, enter the expiration date in mm/dd/yyyy format, and the expiration time in hh:mm format.
Figure 42 IP-Address parameter in the RAP Whitelist Note: You cannot configure the IP-Address parameter by using the WebUI.
Importing files in the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2. Select Internal DB. 3. Click Import in the Internal DB Maintenance section. A popup window opens. 4. Enter the name of the file you want to import. 5. Click OK.
In the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2. Select Server Group to display the Server Group list. 3. Enter the name of the new server group and click Add. 4. Select the name to configure the server group. 5. Under Servers, click New to add a server to the group. a. Select a server from the drop-down menu and click Add Server. b. Repeat the above step to add other servers to the group. 6. Click Apply.
5. Under the Servers tab, select ldap-1 to configure server parameters. Enter the IP address for the server. Select the Mode checkbox to activate the authentication server. Click Apply. 6. Repeat step 5 to configure ldap-2. 7. Display the Server Group list: Under the Servers tab, select Server Group. 8. Enter corp-serv as the new server group and click Add. 9. Select corp-serv, under the Server tab, to configure the server group. 10. Select Fail Through. 11.
Figure 43 Domain-Based Server Selection Example (client information in the host/ form for xyz.corpnet.com, sales.corpnet.com and hq.corpnet.com is sent to radius-1; client information in the abc.corpnet.com\ and @abc.corpnet.com forms is sent to radius-2). You configure the following rules for servers in the corp-serv server group: z radius-1 will be selected if the client information starts with "host/". z radius-2 will be selected if the client information contains "abc.corpnet.com". In the WebUI 1.
Configuring Match FQDN Option You can also use the "match FQDN" option for a server match rule. With a match FQDN rule, the server is selected if the domain portion of the user information (the domain in the domain\user or user@domain formats) exactly matches a specified string. Note the following caveats when using a match FQDN rule: z This rule does not support client information in the host/ (machine account) format, so it is not useful for 802.1x machine authentication.
5. Under Servers, click Edit for a configured server or click New to add a server to the group. z If editing a configured server, select Trim FQDN, scroll right, and click Update Server. z If adding a new server, select a server from the drop-down menu, then select Trim FQDN, scroll right, and click Add Server. 6. Click Apply. In the CLI aaa server-group corp-serv auth-server radius-2 match-authstring contains abc.corpnet.
Table 49 Server Rule Configuration Parameters (Continued) Parameter Description Value The user role or the VLAN applied to the client when the rule is matched. position Position of the condition rule. Rules are applied based on the first match principle. 1 is the top. Default: bottom In the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2. Select Server Group to display the Server Group list. 3. Enter the name of the new server group and click Add. 4.
c. Select Set Role from the drop-down menu. d. Click Add. 5. Click Apply. In the CLI aaa server-group internal set role condition Role value-of Assigning Server Groups You can create server groups for the following purposes: z user authentication z management authentication z accounting You can configure all types of servers for user and management authentication (see Table 50). Accounting is only supported with RADIUS and TACACS+ servers when RADIUS or TACACS+ is used for authentication.
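The two mechanisms described above, server selection by match rules (the corp-serv example with match-authstring, match FQDN and Trim FQDN) and server-derived role rules evaluated on the first-match principle (Table 49, set role condition ... value-of), as an added Python illustration. This is not ArubaOS code: the rule representation, the operator names, the domain\user and user@domain layouts assumed for FQDN handling, and the sample client strings and RADIUS attribute values are all constructed for the example.

```python
"""Server-group selection and server-derived role rules, modelled on the
corp-serv and IAS examples in the guide. Added illustration, not ArubaOS
code; rule formats and the domain\\user / user@domain layouts are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def split_user_and_fqdn(authstring: str) -> Tuple[str, Optional[str]]:
    """Split client information into (user, fqdn).

    Assumed layouts: domain\\user and user@domain. A machine-authentication
    string (host/...) carries no such domain part, which is why a
    'Match FQDN' rule cannot be used for 802.1x machine authentication.
    """
    if authstring.startswith("host/") or authstring == "":
        return authstring, None
    if "\\" in authstring:
        domain, _, user = authstring.partition("\\")
        return user, domain
    if "@" in authstring:
        user, _, domain = authstring.rpartition("@")
        return user, domain
    return authstring, None


@dataclass
class ServerMatchRule:
    server: str
    op: str                   # "starts-with", "contains", "equals" or "match-fqdn"
    value: str
    trim_fqdn: bool = False   # send only the user part to this server


def select_server(rules: List[ServerMatchRule],
                  authstring: str) -> Tuple[Optional[str], str]:
    """Return (server, authstring as sent). Rules are tried in order and the
    first hit wins; None means no rule matched."""
    user, fqdn = split_user_and_fqdn(authstring)
    for rule in rules:
        if rule.op == "starts-with":
            hit = authstring.startswith(rule.value)
        elif rule.op == "contains":
            hit = rule.value in authstring
        elif rule.op == "equals":
            hit = authstring == rule.value
        elif rule.op == "match-fqdn":
            hit = fqdn is not None and fqdn.lower() == rule.value.lower()
        else:
            raise ValueError(f"unknown match operator {rule.op!r}")
        if hit:
            return rule.server, (user if rule.trim_fqdn else authstring)
    return None, authstring


@dataclass
class DerivationRule:
    attribute: str          # attribute returned by the server, e.g. "Class"
    op: str                 # contains, starts-with, ends-with, equals, not-equals, value-of
    value: Optional[str]    # operand for the string operators; unused for value-of
    action: str             # "role" or "vlan"
    result: Optional[str]   # role/VLAN to set; value-of uses the attribute's own value


_STRING_OPS = {
    "contains":    lambda got, want: want in got,
    "starts-with": lambda got, want: got.startswith(want),
    "ends-with":   lambda got, want: got.endswith(want),
    "equals":      lambda got, want: got == want,
    "not-equals":  lambda got, want: got != want,
}


def derive(rules: List[DerivationRule],
           attrs: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Evaluate rules top-down (position 1 first); first match principle.
    A rule whose attribute the server did not return is skipped."""
    for rule in rules:
        got = attrs.get(rule.attribute)
        if got is None:
            continue
        if rule.op == "value-of":
            return rule.action, got
        if _STRING_OPS[rule.op](got, rule.value or ""):
            return rule.action, rule.result
    return None


# Constructed sample data mirroring the corp-serv and IAS examples.
CORP_SERV = [
    ServerMatchRule("radius-1", "starts-with", "host/"),
    ServerMatchRule("radius-2", "contains", "abc.corpnet.com", trim_fqdn=True),
]
IAS_RULES = [DerivationRule("Class", "value-of", None, "role", None)]

if __name__ == "__main__":
    print(select_server(CORP_SERV, "host/pc1.xyz.corpnet.com"))
    print(select_server(CORP_SERV, "abc.corpnet.com\\jdoe"))
    print(derive(IAS_RULES, {"Class": "faculty"}))
```

Rule order matters in both lists: a machine string such as host/pc2.abc.corpnet.com also contains "abc.corpnet.com", but the starts-with rule for radius-1 is evaluated first and wins.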
Accounting You can configure accounting for RADIUS and TACACS+ server groups. Note: RADIUS or TACACS+ accounting is only supported when RADIUS or TACACS+ is used for authentication. RADIUS Accounting RADIUS accounting allows user activity and statistics to be reported from the controller to RADIUS servers. RADIUS accounting works as follows: 1. The controller generates an Accounting Start packet when a user logs in. The Code field of the transmitted RADIUS packet is set to 4 (Accounting-Request).
The following attributes are sent in Accounting-Request packets when Acct-Status-Type value is Start: z Acct-Status-Type z User-Name z NAS-IP-Address z NAS-Port z NAS-Port-Type z NAS-Identifier z Framed-IP-Address z Calling-Station-ID z Called-station-ID z Acct-Session-Id z Acct-Authentic The following attributes are sent in Accounting-Request packets when Acct-Status-Type value is Stop: z Acct-Status-Type z User-Name z NAS-IP-Address z NAS-Port z NAS-Port-Type z NAS-Identif
In the CLI aaa profile radius-accounting TACACS+ Accounting TACACS+ accounting allows commands issued on the controller to be reported to TACACS+ servers. You can specify the types of commands that are reported (action, configuration, or show commands) or have all commands reported.
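The Accounting-Request exchange described above (Code 4, the listed Start attributes, and the server-side check of the packet), as an added Python example following RFC 2866. It is not ArubaOS code: the attribute values, the NAS identity, the session ID and the shared secret are constructed for illustration.

```python
"""Build and verify a RADIUS Accounting-Request (Code 4, RFC 2866) with
the attribute set the controller sends when Acct-Status-Type is Start.
Added example, not ArubaOS code: attribute values, NAS identity and the
shared secret are constructed for illustration."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, Iterable, List, Tuple

CODE_ACCOUNTING_REQUEST = 4            # Code field value for Accounting-Request
ACCT_START, ACCT_STOP = 1, 2           # Acct-Status-Type values
ACCT_AUTHENTIC_RADIUS = 1
NAS_PORT_TYPE_WIRELESS_80211 = 19

ATTR = {                                # attribute type numbers (RFC 2865/2866)
    "User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Framed-IP-Address": 8,
    "Called-Station-Id": 30, "Calling-Station-Id": 31, "NAS-Identifier": 32,
    "Acct-Status-Type": 40, "Acct-Session-Id": 44, "Acct-Authentic": 45,
    "NAS-Port-Type": 61,
}
_IPV4_ATTRS = {"NAS-IP-Address", "Framed-IP-Address"}


def encode_attribute(name: str, value) -> bytes:
    """Type-Length-Value encoding: IPv4 attributes as 4 packed bytes,
    integers as 32-bit big-endian, everything else as a text string."""
    if name in _IPV4_ATTRS:
        data = ipaddress.IPv4Address(value).packed
    elif isinstance(value, int):
        data = struct.pack("!I", value)
    else:
        data = str(value).encode("utf-8")
    if not 1 <= len(data) <= 253:
        raise ValueError(f"{name}: value length {len(data)} out of range")
    return bytes([ATTR[name], len(data) + 2]) + data


def build_accounting_request(identifier: int, secret: bytes,
                             attrs: Iterable[Tuple[str, object]]) -> bytes:
    """Layout: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = b"".join(encode_attribute(n, v) for n, v in attrs)
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866 section 3: the Request Authenticator is
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """What the accounting server does on receipt: recompute the authenticator
    with its copy of the shared secret and compare in constant time."""
    if len(packet) < 20 or packet[0] != CODE_ACCOUNTING_REQUEST:
        return False
    if packet_length(packet) != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLVs after the 20-byte header; reject malformed lengths."""
    out: Dict[int, bytes] = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        out[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return out


def attr_int(data: bytes) -> int:
    return struct.unpack("!I", data)[0]


def packet_length(packet: bytes) -> int:
    return struct.unpack("!H", packet[2:4])[0]


# Constructed Start record carrying the attribute list given above.
START_ATTRS: List[Tuple[str, object]] = [
    ("Acct-Status-Type", ACCT_START),
    ("User-Name", "jdoe"),
    ("NAS-IP-Address", "10.1.1.1"),
    ("NAS-Port", 0),
    ("NAS-Port-Type", NAS_PORT_TYPE_WIRELESS_80211),
    ("NAS-Identifier", "controller-1"),
    ("Framed-IP-Address", "10.1.60.20"),
    ("Calling-Station-Id", "00-11-22-33-44-55"),
    ("Called-Station-Id", "00-0B-86-00-00-01:WLAN-01"),
    ("Acct-Session-Id", "jdoe-0001"),
    ("Acct-Authentic", ACCT_AUTHENTIC_RADIUS),
]

if __name__ == "__main__":
    pkt = build_accounting_request(7, b"constructed-secret", START_ATTRS)
    print(len(pkt), verify_accounting_request(pkt, b"constructed-secret"))
```

The authenticator is keyed only by the shared secret, which is why the secret configured on the controller and on the server must match exactly and why a server that receives an Accounting-Request with a bad authenticator silently discards it rather than answering.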
In the WebUI 1. Navigate to the Configuration > Security > Authentication > Advanced page. 2. Configure the timers as described above. 3. Click Apply before moving on to another page or closing the browser window. Failure to do this results in loss of configuration and you will have to reconfigure the settings. In the CLI aaa timers {dead-time |idle-timeout |logon-lifetime }
Chapter 9 802.1x Authentication 802.1x is an Institute of Electrical and Electronics Engineers (IEEE) standard that provides an authentication framework for WLANs. 802.1x uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1x framework that are suitable for wireless networks include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS).
Supported EAP Types The following is the list of supported EAP types. z PEAP—Protected EAP (PEAP) is an 802.1x authentication method in which the authentication server presents a public key certificate so that the client can authenticate the server. The PEAP exchange establishes an encrypted TLS tunnel between the client and the authentication server, and the inner authentication that carries the user credentials takes place inside that tunnel, so the credentials are protected from eavesdropping on the wireless link.
Figure 44 802.1x Authentication with RADIUS Server (the figure shows the client as supplicant, the WLAN switch as authenticator and the authentication server, with the settings configured on each: EAP type, ESSID, network authentication and data encryption on the supplicant; EAP type, server IP, shared secret, authentication port, accounting port, ESSID, network authentication and data encryption on the authenticator; client IP, shared secret, ESSID, network authentication and data encryption on the authentication server). The supplicant and authentication server must be configured to use the same EAP type.
Figure 45 802.1x Authentication with Termination on Controller (the figure shows the client as supplicant and the WLAN switch acting as both authenticator and authentication server, with user authentication via the internal database or a non-802.1x server; both sides are configured with EAP type EAP-TLS or EAP-PEAP, ESSID, network authentication and data encryption). In this scenario, the supplicant is configured for EAP-Transport Layer Security (TLS) or EAP-Protected EAP (PEAP).
authentication server; server-derived user roles take precedence over default roles. For more information about policies and roles, see Chapter 10, “Roles and Policies” . Note: The Policy Enforcement Firewall Virtual Private Network (PEFV) module provides identity-based security for wired and wireless users and must be installed on the controller.
Table 52 802.1x Authentication Profile Basic WebUI Parameters (Continued) Parameter Description Machine Authentication: Default Machine Role Select the default role to be assigned to the user after completing only machine authentication. Default: guest Machine Authentication: Default User Role Select the default role to be assigned to the user after completing 802.1x authentication. Default: guest Reauthentication Select this option to force the client to do a 802.
Table 52 802.1x Authentication Profile Basic WebUI Parameters (Continued) Parameter Description Use Server provided Reauthentication Interval Select this option to override any user-defined reauthentication interval and use the reauthentication period defined by the authentication server. Multicast Key Rotation Time Interval Interval, in seconds, between multicast key rotation. The allowed range of values for this parameter is 60-864000 seconds, and the default value is 1800 seconds.
Table 52 802.1x Authentication Profile Basic WebUI Parameters (Continued) Parameter Description Reauthentication Select the Reauthentication checkbox to force the client to do an 802.1x reauthentication after the expiration of the default timer for reauthentication. (The default value of the timer is 24 hours.) If the user fails to reauthenticate with valid credentials, the state of the user is cleared. If derivation rules are used to classify 802.
Table 52 802.1x Authentication Profile Basic WebUI Parameters (Continued) Parameter Description TLS Guest Access Select TLS Guest Access to enable guest access for EAP-TLS users with valid certificates. This option is disabled by default. TLS Guest Role Click the TLS Guest Role drop-down list and select the default user role for EAP-TLS guest users. NOTE: This option may require a license (see Chapter 27 on page 527).
use-static-key validate-pmkid voice-aware wep-key-retries wep-key-size {40|128} wpa-fast-handover wpa-key-retries xSec-mtu Configuring and Using Certificates with AAA FastConnect The controller supports 802.1x authentication using digital certificates for AAA FastConnect. z Server Certificate—A server certificate installed in the controller verifies the authenticity of the controller for 802.1x authentication. Dell controllers ship with a demonstration digital certificate. Use the demonstration certificate for evaluation only; before putting 802.1x into production, install a server certificate issued by a certificate authority that your clients trust, since a supplicant that validates the server certificate rejects one issued by an unknown authority.
known as machine authentication. Machine authentication ensures that only authorized devices are allowed on the network. You can configure 802.1x for both user and machine authentication (select the Enforce Machine Authentication option described in Table 52 on page 255). This tightens the authentication process further since both the device and user need to be authenticated.
VLAN Assignment with Machine Authentication Enabled With machine authentication enabled, the VLAN to which a client is assigned (and from which the client obtains its IP address) depends upon the success or failure of the machine and user authentications. The VLAN that is ultimately assigned to a client can also depend upon attributes returned by the authentication server or server derivation rules configured on the controller (see “About VLAN Assignments” on page 60).
z The authentication type is WPA. From the 802.1x authentication exchange, the client and the controller derive dynamic keys to encrypt data transmitted on the wireless network. z 802.1x authentication based on PEAP with MS-CHAPv2 provides both computer and user authentication. If a user attempts to log in without the computer being authenticated first, the user is placed into a more limited “guest” user role.
a. Under Source, select user. b. Under Destination, select alias. Then select Internal Network. c. Under Service, select service. In the Service scrolling list, select svc-pop3. d. Under Action, select drop. e. Click Add. 6. Repeat steps 4A-E to create rules for the following services: svc-ftp, svc-smtp, svc-snmp, and svc-ssh. 7. Click Apply. 8. Click the User Roles tab. Click Add to create the student role. 9. For Role Name, enter student. 10. Under Firewall Policies, click Add.
8. Under Firewall Policies, click Add. In Choose from Configured Policies, select the faculty policy you previously created. Click Done.
e. Click Add. To create rules to permit HTTP and HTTPS access during working hours: a. Under Source, select user. b. Under Destination, select any. c. Under Service, select service. In the Services scrolling list, select svc-http. d. Under Action, select permit. e. Under Time Range, select working-hours. f. Click Add. g. Repeat steps A-F for the svc-https service. To create a rule that denies the user access to all destinations and all services: a. Under Source, select user. b.
Using the CLI to create the sysadmin role user-role sysadmin session-acl allowall Using the WebUI to create the computer role 1. Navigate to Configuration > Security > Access Control > User Roles page. Click Add to create the computer role. 2. For Role Name, enter computer. 3. Under Firewall Policies, click Add. In Choose from Configured Policies, select the predefined allowall policy. Click Done. 4. Click Apply.
Using the CLI
aaa authentication-server radius IAS1
   host 10.1.1.21
   key |*a^t%183923!
aaa server-group IAS
   auth-server IAS1
   set role condition Class value-of
Configure 802.1x Authentication An AAA profile specifies the 802.1x authentication profile and 802.1x server group to be used for authenticating clients for a WLAN. The AAA profile also specifies the default user roles for 802.1x and MAC authentication. In the 802.
   mac-default-role computer
   authentication-dot1x dot1x
   dot1x-server-group IAS
Configure VLANs In this example, wireless clients are assigned to either VLAN 60 or 61 while guest users are assigned to VLAN 63. VLANs 60 and 61 split users into smaller IP subnetworks, improving performance by decreasing broadcast traffic. The VLANs are internal to the Dell controller only and do not extend into other parts of the wired network.
   ip address 10.1.61.1 255.255.255.0
   ip helper-address 10.1.1.25
vlan 63
interface vlan 63
   ip address 10.1.63.1 255.255.255.0
   ip helper-address 10.1.1.25
ip default-gateway 10.1.1.254
Configuring the WLANs In this example, default AP parameters for the entire network are as follows: the default ESSID is WLAN-01 and the encryption mode is TKIP. A second ESSID called "guest" has the encryption mode set to static WEP with a configured WEP key.
9. Select guest from the Add a profile drop-down menu. Click Add. 10. Click Apply. Using the CLI
wlan ssid-profile guest
   essid guest
   wepkey1 aaaaaaaaaa
   opmode static-wep
wlan virtual-ap guest
   vlan 63
   ssid-profile guest
ap-group first-floor
   virtual-ap guest
ap-group second-floor
   virtual-ap guest
Configuring the Non-Guest WLANs You create and configure the SSID profile "WLAN-01" with the ESSID "WLAN-01" and WPA TKIP encryption.
9. To configure the WLAN-01_second-floor virtual AP: a. Select NEW from the Add a profile drop-down menu. Enter WLAN-second-floor, and click Add. b. In the Profile Details entry for the virtual AP profile, select aaa_dot1x from the AAA profile drop-down menu. A pop-up window displays the configured AAA profile parameters. Click Apply in the pop-up window. c. From the SSID profile drop-down menu, select WLAN-01. A pop-up window displays the configured SSID profile parameters.
5. Select the Role for each user (if a role is not specified, the default role is guest). 6. Select the expiration time for the user account in the internal database. 7. Click Apply. Using the CLI Note: Use the privileged mode in the CLI to configure users in the controller’s internal database. local-userdb add username password Configuring a server rule using the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2.
d. For 802.1x Authentication Default Role, select faculty. e. Click Apply. 3. In the Profiles list (under the aaa_dot1x profile you just created), select 802.1x Authentication Profile. a. Select the dot1x profile from the 802.1x Authentication Profile drop-down menu. b. Click Apply. 4. In the Profiles list (under the aaa_dot1x profile you just created), select 802.1x Authentication Server Group. a. Select the internal server group. b. Click Apply.
c. Under DHCP Helper Address, click Add. Enter: 10.1.1.25 and click Add. d. Click Apply. 5. Select the IP Routes tab. a. For Default Gateway, enter: 10.1.1.254 b. Click Apply. Using the CLI
vlan 60
interface vlan 60
   ip address 10.1.60.1 255.255.255.0
   ip helper-address 10.1.1.25
vlan 61
interface vlan 61
   ip address 10.1.61.1 255.255.255.0
   ip helper-address 10.1.1.25
vlan 63
interface vlan 63
   ip address 10.1.63.1 255.255.255.0
   ip helper-address 10.1.1.25
ip default-gateway 10.1.1.
e. For Network Authentication, select None. f. For Encryption, select WEP. g. Enter the WEP key. h. Click Apply. i. Under Profile Details, click Apply. 5. Click on the guest virtual AP name in the Profiles list or in Profile Details to display configuration parameters. a. Make sure Virtual AP enable is selected. b. For VLAN, select 63. c. Click Apply. 6. Navigate to the Configuration > Wireless > AP Configuration page. 7. In the AP Group list, select second-floor. 8.
e. Enter WLAN-01 for the Network Name. f. Select WPA for Network Authentication. g. Click Apply in the pop-up window. h. At the bottom of the Profile Details page, click Apply. 5. Click on the WLAN-01_first-floor virtual AP profile name in the Profiles list or in Profile Details to display configuration parameters. a. Make sure Virtual AP enable is selected. b. For VLAN, select 60. c. Click Apply. 6. Navigate to the Configuration > Wireless > AP Configuration page. 7.
Advanced Configuration Options for 802.1x This section describes advanced configuration options for 802.1x authentication. Configuring reauthentication with Unicast Key Rotation When enabled, unicast and multicast keys are updated after each reauthorization. It is a best practice to configure the time intervals for reauthentication, multicast key rotation, and unicast key rotation to be at least 15 minutes.
Chapter 10 Roles and Policies Every client in a Dell user-centric network is associated with a user role, which determines the client’s network privileges, how often it must re-authenticate, and which bandwidth contracts are applicable. A policy is a set of rules that applies to traffic that passes through the Dell controller. You specify one or more policies for a user role. Finally, you can assign a user role to clients before or after they authenticate to the system.
Access Control Lists (ACLs) Access control lists (ACLs) are a common way of restricting certain types of traffic on a physical port. ArubaOS provides the following types of ACLs: z Standard ACLs permit or deny traffic based on the source IP address of the packet. Standard ACLs can be either named or numbered, with valid numbers in the range of 1-99 and 1300-1399. Standard ACLs use a bitwise mask to specify the portion of the source IP address to be matched.
Table 55 Firewall Policy Rule Parameters (Continued) Field Description Service (required) Type of traffic, which can be one of the following: z any: This option specifies that this rule applies to any type of traffic. z tcp: Using this option, you configure a range of TCP port(s) to match for the rule to be applied. z udp: Using this option, you configure a range of UDP port(s) to match for the rule to be applied.
In the WebUI 1. Navigate to the Configuration > Security > Access Control > Policies page on the WebUI. 2. Click Add to create a new policy. 3. Enter web-only for the Policy Name. 4. To configure a firewall policy, select IPv4 Session for Policy Type. 5. Click Add to add a rule that allows HTTP traffic. a. Under Service, select service from the drop-down list. b. Select svc-http from the scrolling list. c. Click Add. 6. Click Add to add a rule that allows HTTPS traffic. a.
5. In the Starting Ports field, enter a starting port. This is the first port, in the port range, on which permitted or denied session traffic is running. Port range: 1–65535. 6. In the End Ports field, enter an ending port. This is the last port, in the port range, on which permitted or denied session traffic is running. Port range: 1–65535. 7. (Optional) Click the White list Bandwidth Contract drop-down list and specify the name of a bandwidth contract to apply to the session traffic.
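The policy evaluation described in Table 55 and the procedures above (rules with source, destination, service and action, checked in order; tcp/udp services given as a port range within 1-65535; an optional time range), together with the bitwise source mask of a standard ACL, as an added Python example. It is not controller code: the port numbers assumed for the svc-* services, the contents of the Internal Network alias, the trailing permit-any rule in the STUDENT policy, the time-range name and the packets are constructed for illustration, and the wildcard-mask convention (0 bit must match, 1 bit ignored) is an assumption about what "bitwise mask" means.

```python
"""Evaluate session-policy rules (source, destination, service, action,
optional time range) against a packet, plus the bitwise wildcard match a
standard ACL applies to the source address. Added example, not ArubaOS
code; the svc-* mapping, alias, time range and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Assumed ports for the predefined services named in the guide.
SERVICES = {
    "svc-http": ("tcp", 80, 80), "svc-https": ("tcp", 443, 443),
    "svc-ssh": ("tcp", 22, 22), "svc-ftp": ("tcp", 21, 21),
    "svc-smtp": ("tcp", 25, 25), "svc-pop3": ("tcp", 110, 110),
    "svc-snmp": ("udp", 161, 161),
}
# Constructed destination alias.
ALIASES = {"Internal Network": [ip_network("10.0.0.0/8")]}


@dataclass
class Rule:
    source: str                     # "user" (the authenticated client) or "any"
    dest: str                       # "any" or an alias name
    service: str                    # "any", a svc-* name, "tcp:<lo>-<hi>" or "udp:<lo>-<hi>"
    action: str                     # "permit", "drop" or "deny"
    time_range: Optional[str] = None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    dport: int
    from_user: bool = True          # sent by the client the role applies to


def service_matches(spec: str, pkt: Packet) -> bool:
    if spec == "any":
        return True
    if spec in SERVICES:
        proto, lo, hi = SERVICES[spec]
    else:
        proto, _, ports = spec.partition(":")
        lo_s, _, hi_s = ports.partition("-")
        lo, hi = int(lo_s), int(hi_s or lo_s)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range {ports!r} outside 1-65535")
    return pkt.proto == proto and lo <= pkt.dport <= hi


def evaluate(policy: List[Rule], pkt: Packet,
             active_ranges: FrozenSet[str] = frozenset()) -> str:
    """Rules are checked top-down and the first match decides. A packet that
    matches no rule is treated as denied here; the example policies in the
    guide end with an explicit deny-all rule for the same effect."""
    for rule in policy:
        if rule.source == "user" and not pkt.from_user:
            continue
        if rule.dest != "any" and not any(
                ip_address(pkt.dst) in net for net in ALIASES[rule.dest]):
            continue
        if not service_matches(rule.service, pkt):
            continue
        if rule.time_range and rule.time_range not in active_ranges:
            continue
        return rule.action
    return "deny"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Standard-ACL source match: a 0 bit in the mask must equal the base
    address, a 1 bit is ignored (wildcard-mask convention, assumed here)."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF


def valid_standard_acl_number(n: int) -> bool:
    return 1 <= n <= 99 or 1300 <= n <= 1399


# Policies built from the guide's examples (the permit-any at the end of
# STUDENT is an assumption added so that other traffic is not dropped).
WEB_ONLY = [Rule("user", "any", "svc-http", "permit"),
            Rule("user", "any", "svc-https", "permit")]
STUDENT = [Rule("user", "Internal Network", svc, "drop")
           for svc in ("svc-pop3", "svc-ftp", "svc-smtp", "svc-snmp", "svc-ssh")]
STUDENT.append(Rule("user", "any", "any", "permit"))
OFFICE_HOURS_WEB = [Rule("user", "any", "svc-http", "permit", "working-hours"),
                    Rule("user", "any", "svc-https", "permit", "working-hours"),
                    Rule("user", "any", "any", "deny")]
```

Because the first matching rule wins, the drop rules in STUDENT must sit above the permit-any rule; reversing the order silently permits POP3, FTP, SMTP, SNMP and SSH to the internal network.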
Table 56 User Role Parameters (Continued) Field Description Role VLAN ID (optional) By default, a client is assigned a VLAN on the basis of the ingress VLAN for the client to the controller. You can override this assignment and configure the VLAN ID that is to be assigned to the user role. You configure a VLAN by navigating to the Configuration > Network > VLANs page.
2. Click the Delete button against the role you want to delete. Note: You cannot delete a user role that is still referenced by a profile or by a server-derived role rule. Attempting to delete a referenced role results in an error. Remove all references to the role and then perform the delete operation.
1. Navigate to the Configuration > Security > Access Control > User Roles page. 2. Select Edit for the web-guest user role. 3. In the Bandwidth Contract section, click the Upstream drop-down list and select Add New. The New Bandwidth Contract fields appear. a. In the Name field, enter BC512_up. b. In the Bandwidth field, enter 512. c. Click the Bandwidth drop-down list and select kbps. d. Click Done to add the new contract and assign it to the role. The New Bandwidth Contract section closes. 4.
4. Click the 802.1x Authentication Default Role drop-down list and select the desired user role for users who have completed 802.1x authentication. 5. Click the MAC Authentication Default Role drop-down list and select the desired user role for clients who have completed MAC authentication. 6. Click Apply. In the CLI aaa profile initial-role dot1x-default-role mac-default-role For additional information on creating AAA profiles, see “AAA Profile Parameters” on page 118.
Table 57 Conditions for User-Derived Role (Continued)
Rule Type: Location (name of the AP to which the client is associated). Condition: one of equals, does not equal. Value: string.
Rule Type: MAC address (MAC address of the client). Condition: one of contains, ends with, equals, does not equal, starts with. Value: MAC address (xx:xx:xx:xx:xx:xx).
Configuring a User-derived Role 1. Navigate to the Configuration > Security > Authentication > User Rules page. 2. Click Add to add a new set of derivation rules.
In the CLI To configure the default user role for MAC or 802.
Table 58 IPv4 Firewall Parameters (Continued) Parameter Description Monitor TCP SYN Attack rate Number of TCP SYN messages per second, which if exceeded, can indicate a denial of service attack. Valid range is 1-255 messages per second. Recommended value is 32. Default: No default Monitor IP Session Attack Number of TCP or UDP connection requests per second, which if exceeded, can indicate a denial of service attack. Valid range is 1-255 requests per second. Recommended value is 32.
Table 58 IPv4 Firewall Parameters (Continued) Parameter Description Session Mirror Destination Destination (IP address or port) to which mirrored session packets are sent. This option is used only for troubleshooting or debugging. A packet can match mirror rules in more than one ACL; in that case only a single copy is mirrored. You can configure the following: Ethertype to be mirrored with the Ethertype ACL mirror option. IP flows to be mirrored with the session ACL mirror option.
Table 58 IPv4 Firewall Parameters (Continued) Parameter Description Rate limit CP untrusted mcast traffic (Mbps) Specifies the untrusted multicast traffic rate limit. Range is 1-200 Mbps. Default: 2 Mbps Rate limit CP trusted ucast traffic (Mbps) Specifies the trusted unicast traffic rate limit. Range is 1-200 Mbps. Default: 80 Mbps Rate limit CP trusted mcast traffic (Mbps) Specifies the trusted multicast traffic rate limit. Range is 1-200 Mbps.
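The two attack-rate parameters in Table 58 (Monitor TCP SYN Attack rate and Monitor IP Session Attack, both 1-255 per second with a recommended value of 32) express a per-source, per-second threshold. The added Python example below implements that detection logic over a constructed stream of packet events so that the threshold semantics can be checked; it is not controller code, and the event format and the sample sources are assumptions.

```python
"""Rate monitor that mirrors the 'Monitor TCP SYN Attack rate' and
'Monitor IP Session Attack' firewall parameters: count, per source and
per one-second bucket, TCP SYNs and new TCP/UDP session requests, and
report sources whose peak exceeds the configured rate (default 32 per
second, the recommended value). Added example with constructed sample
events; not controller code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: float          # arrival time in seconds
    src: str           # source IP
    proto: str         # "tcp" or "udp"
    syn: bool          # TCP SYN (without ACK) seen
    new_session: bool  # first packet of a new TCP or UDP flow


def check_rate(rate: int) -> int:
    """Both parameters accept 1-255 messages or requests per second."""
    if not 1 <= rate <= 255:
        raise ValueError("valid range is 1-255 per second")
    return rate


def _peak_per_second(events: Iterable[Event],
                     select: Callable[[Event], bool]) -> Dict[str, int]:
    """Highest count of selected events any source produced in one second."""
    buckets: Dict[Tuple[str, int], int] = defaultdict(int)
    for e in events:
        if select(e):
            buckets[(e.src, int(e.ts))] += 1
    peak: Dict[str, int] = defaultdict(int)
    for (src, _), n in buckets.items():
        peak[src] = max(peak[src], n)
    return dict(peak)


def syn_attack_sources(events: List[Event], rate: int = 32) -> Dict[str, int]:
    """Sources sending more than `rate` TCP SYNs in any one second -> peak count."""
    rate = check_rate(rate)
    peak = _peak_per_second(events, lambda e: e.proto == "tcp" and e.syn)
    return {src: n for src, n in peak.items() if n > rate}


def session_attack_sources(events: List[Event], rate: int = 32) -> Dict[str, int]:
    """Sources opening more than `rate` new TCP or UDP sessions in any one second."""
    rate = check_rate(rate)
    peak = _peak_per_second(events, lambda e: e.new_session)
    return {src: n for src, n in peak.items() if n > rate}


def sample_events() -> List[Event]:
    """Constructed traffic: a normal client, a SYN scanner and a UDP session flood."""
    evs: List[Event] = []
    for sec in range(3):                       # 5 new TCP connections per second
        for i in range(5):
            evs.append(Event(sec + i / 10, "10.1.60.20", "tcp", True, True))
    for i in range(40):                        # 40 SYNs inside second 1
        evs.append(Event(1 + i / 50, "10.1.61.77", "tcp", True, True))
    for i in range(35):                        # 35 new UDP flows inside second 2
        evs.append(Event(2 + i / 50, "10.1.61.88", "udp", False, True))
    return evs


if __name__ == "__main__":
    print(syn_attack_sources(sample_events()))
    print(session_attack_sources(sample_events()))
```

The UDP flood is invisible to the SYN monitor and only shows up under the session monitor, which is why the table lists the two parameters separately; setting either threshold higher than the observed peak (for example 40 for the scanner above) stops the source from being reported.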
Chapter 11 Stateful and WISPr Authentication ArubaOS supports stateful 802.1x authentication, stateful NTLM authentication and authentication for Wireless Internet Service Provider roaming (WISPr). Stateful authentication differs from 802.
If, however, the client only has an account with a partner ISP, then your ISP’s WISPr AAA server will forward that client’s credentials to the partner ISP’s WISPr AAA server for authentication. Once the client has been authenticated on the partner ISP, it will be authenticated on your hotspot’s own ISP, as per their service agreements. Once your ISP sends an authentication message to the controller, the controller assigns the default WISPr user role to that client.
Configure Authentication via the CLI Use the following commands to configure stateful 802.1x authentication via the command-line interface. The first set of commands defines the RADIUS server used for 802.1x authentication, and the second set assigns that server to a server group. The third set of commands associates that server group with the stateful 802.1x authentication profile, then sets the authentication role and timeout period.
7. Click Apply. 8. In the Profiles list, select the Server Group entry below the Stateful NTLM Authentication profile. 9. Click the Server Group drop-down list and select the group of Windows servers you want to use for stateful NTLM authentication. 10. Click Apply. Configure Authentication via the CLI Use the following commands to configure stateful NTLM authentication via the command-line interface.
4. Define values for the following parameters: Table 59 WISPr Authentication Profile Parameters Parameter Description Default Role Default role assigned to users that complete WISPr authentication. Logon wait minimum wait If the controller's CPU utilization has surpassed the Logon wait CPU utilization threshold value, the Logon wait minimum wait parameter defines the minimum number of seconds a user will have to wait to retry a login attempt. Range: 1–10 seconds. Default: 5 seconds.
default-role logon-wait {cpu-threshold|maximum-delay|minimum-delay} server-group wispr-location-id-ac wispr-location-id-cc wispr-location-id-isocc wispr-location-id-network wispr-location-name-location wispr-location-name-operator-name
Chapter 12 Captive Portal Captive portal is one of the methods of authentication supported by ArubaOS. A captive portal presents a web page which requires action on the part of the user before network access is granted. The required action can be simply viewing and agreeing to an acceptable use policy, or entering a user ID and password which must be validated against a database of authorized users.
There are differences in how captive portal functions work and how you configure captive portal, depending on whether the license is installed. Later sections in this chapter describe how to configure captive portal in the base operating system (without the PEFNG license) and with the license installed. Controller Server Certificate The Dell controller is designed to provide secure services through the use of digital certificates.
What follows are the tasks for configuring captive portal in the base ArubaOS. The example server group and profile names appear inside quotation marks.
• Create the server group. In this example, the server group name is "cp-srv". If you are configuring captive portal for registered users, configure the server(s) and create the server group. For more information about configuring authentication servers and server groups, see Chapter 8, "Authentication Servers".
c. For Initial Role, select the captive portal authentication profile (for example, c-portal) you created previously.
Note: The Initial Role must be exactly the same as the name of the captive portal authentication profile you created.
d. Click Apply.
4. Navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name.
5. Under Profiles, select Wireless LAN, then select Virtual AP.
6.
The captive portal authentication profile specifies the captive portal login page and other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance.
Note: MAC-based authentication, if enabled on the controller, takes precedence over captive portal authentication. If you use captive portal, do not enable MAC-based authentication.
a. In the Captive Portal Authentication Profile Instance list, enter the name of the profile (for example, c-portal), then click Add.
b. Select the captive portal authentication profile you just created.
c. Select the default role (for example, employee) for captive portal users.
d. Enable guest login and/or user login, as well as the other parameters (refer to Table 60).
e. Click Apply.
3.
aaa authentication captive-portal c-portal
  default-role employee
  server-group cp-srv
user-role logon
  captive-portal c-portal
aaa profile aaa_c-portal
  initial-role logon
wlan ssid-profile ssid_c-portal
  essid c-portal-ap
  vlan 20
wlan virtual-ap vp_c-portal
  aaa-profile aaa_c-portal
  ssid-profile ssid_c-portal

Example Authentication with Captive Portal
In the following example:
• Guest clients associate to the guestnet SSID, which is an open wireless LAN.
Creating an Auth-guest User Role
The auth-guest user role consists of the following ordered policies:
• cplogout is a predefined policy that allows captive portal logout.
• guest-logon-access is a policy that you create with the following rules:
  - Allows DHCP exchanges between the user and the DHCP server during business hours while blocking users from responding to DHCP requests themselves.
  - Allows DNS exchanges between the user and the public DNS server during business hours.
e. Click Add.
6. Under Rules, click Add.
a. Under Source, select user.
b. Under Destination, select any.
c. Under Service, select service. Select svc-dhcp.
d. Under Action, select permit.
e. Under Time Range, select working-hours.
f. Click Add.
7. Under Rules, click Add.
a. Under Source, select user.
b. Under Destination, select alias.
Note: The following step defines an alias representing the public DNS server addresses. Once defined, you can use the alias in other rules and policies.
c.
e. Under Time Range, select working-hours.
f. Click Add.
7. Under Rules, click Add.
a. Under Source, select user.
b. Under Destination, select alias. Select Public DNS from the drop-down menu.
c. Under Service, select service. Select svc-dns.
d. Under Action, select src-nat.
e. Under Time Range, select working-hours.
f. Click Add.
8. Under Rules, click Add.
a. Under Source, select user.
b. Under Destination, select any.
c. Under Service, select service. Select svc-http.
d. Under Action, select src-nat.
e.
255.255.0.0 and 192.168.0.0 255.255.0.0. Click Apply. The alias "Internal Network" appears in the Destination menu.
d. Under Destination, select Internal Network.
e. Under Service, select any.
f. Under Action, select drop.
g. Click Add.
6. Click Apply.

Drop-and-Log Policy
To create the drop-and-log policy via the WebUI:
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Select Add to add the drop-and-log policy.
3. For Policy Name, enter drop-and-log.
4.
3. For Role Name, enter auth-guest.
4. Under Firewall Policies, click Add.
5. For Choose from Configured Policies, select cplogout from the drop-down menu.
6. Click Done.
7. Under Firewall Policies, click Add.
8. For Choose from Configured Policies, select guest-logon-access from the drop-down menu.
9. Click Done.
10. Under Firewall Policies, click Add.
11. For Choose from Configured Policies, select block-internal-access from the drop-down menu.
12. Click Done.
13. Under Firewall Policies, click Add.
14.
ip access-list session auth-guest-access
  user any udp 68 deny
  user any svc-dhcp permit time-range working-hours
  user alias "Public DNS" svc-dns src-nat time-range working-hours
  user any svc-http src-nat time-range working-hours
  user any svc-https src-nat time-range working-hours

Block-Internal-Access Policy
To create a block-internal-access policy via the command-line interface, access the CLI in config mode and issue the following commands:
ip access-list session block-internal-access
  user alias "Internal
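The policies above only protect the guest network if rule order is right: the `udp 68 deny` must sit ahead of the DHCP permit so that a guest can never answer other clients' DHCP requests, and block-internal-access must be evaluated before the policy that source-NATs HTTP to any destination. The following model, added here as an example and not taken from ArubaOS, encodes the controller's first-match semantics (policies in role order, first matching rule wins, implicit deny at the end) and replays a few packets through the auth-guest policies, once in the intended order and once misordered. It assumes the port mappings of the predefined svc-* services, a working-hours range of Monday to Friday 07:00-18:00, a Public DNS alias holding the guest pool's DNS server, and an Internal Network alias of 10.0.0.0/8 plus 192.168.0.0/16; the role order used is the one the WebUI steps imply, with block-internal-access before the access policy.

```python
"""Ordered session-ACL evaluation modelled on the auth-guest role in this chapter.

Added example written for this page; it is not ArubaOS code.  Assumptions:
the predefined svc-* services map to the ports below, "working-hours" means
Monday to Friday 07:00-18:00, the Public DNS alias holds the DNS server used in
the guest DHCP pool, and the Internal Network alias is 10.0.0.0/8 plus
192.168.0.0/16.  The evaluator encodes the controller's precedence rules:
policies are checked in role order, the first matching rule wins, and traffic
that matches nothing hits the implicit deny.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

SERVICES = {                       # predefined service name -> (protocol, destination port)
    "svc-dhcp": ("udp", 67),
    "svc-dns": ("udp", 53),
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
}

ALIASES = {                        # destination aliases (constructed addresses)
    "Public DNS": [ip_network("64.151.103.120/32")],
    "Internal Network": [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")],
}


def working_hours(now: datetime) -> bool:
    """Assumed definition of the working-hours time range."""
    return now.weekday() < 5 and 7 <= now.hour < 18


TIME_RANGES = {"working-hours": working_hours}


@dataclass(frozen=True)
class Rule:
    dst: str                       # "any" or an alias name
    proto: str                     # "any", "udp" or "tcp"
    port: Optional[int]            # None matches every port
    action: str                    # permit, deny, src-nat or drop
    time_range: Optional[str] = None

    def matches(self, dst_ip: str, proto: str, dport: int, now: datetime) -> bool:
        if self.time_range and not TIME_RANGES[self.time_range](now):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.port is not None and self.port != dport:
            return False
        if self.dst != "any":
            return any(ip_address(dst_ip) in net for net in ALIASES[self.dst])
        return True


def svc(name: str, dst: str, action: str, time_range: Optional[str] = None) -> Rule:
    proto, port = SERVICES[name]
    return Rule(dst, proto, port, action, time_range)


# ip access-list session auth-guest-access, rules in the order printed above.
AUTH_GUEST_ACCESS = [
    Rule("any", "udp", 68, "deny"),                       # a user must never answer DHCP clients
    svc("svc-dhcp", "any", "permit", "working-hours"),
    svc("svc-dns", "Public DNS", "src-nat", "working-hours"),
    svc("svc-http", "any", "src-nat", "working-hours"),
    svc("svc-https", "any", "src-nat", "working-hours"),
]

# ip access-list session block-internal-access
BLOCK_INTERNAL_ACCESS = [Rule("Internal Network", "any", None, "drop")]

Policy = Tuple[str, List[Rule]]


def evaluate(role: List[Policy], dst_ip: str, proto: str, dport: int,
             now: datetime) -> Tuple[str, str]:
    """Return (policy name, action) of the first matching rule, else the implicit deny."""
    for name, rules in role:
        for rule in rules:
            if rule.matches(dst_ip, proto, dport, now):
                return name, rule.action
    return "implicit", "deny"


# Assumed role order, consistent with the WebUI steps: block-internal-access first.
AUTH_GUEST_ROLE: List[Policy] = [
    ("block-internal-access", BLOCK_INTERNAL_ACCESS),
    ("auth-guest-access", AUTH_GUEST_ACCESS),
]
MISORDERED_ROLE: List[Policy] = list(reversed(AUTH_GUEST_ROLE))

MONDAY_NOON = datetime(2010, 6, 14, 12, 0)     # inside working-hours
SUNDAY_NIGHT = datetime(2010, 6, 13, 2, 0)     # outside working-hours

if __name__ == "__main__":
    for role, ip, proto, port, when in [
        (AUTH_GUEST_ROLE, "255.255.255.255", "udp", 68, MONDAY_NOON),   # rogue DHCP offer
        (AUTH_GUEST_ROLE, "255.255.255.255", "udp", 67, MONDAY_NOON),   # DHCP discover
        (AUTH_GUEST_ROLE, "255.255.255.255", "udp", 67, SUNDAY_NIGHT),  # outside hours
        (AUTH_GUEST_ROLE, "192.168.1.10", "tcp", 80, MONDAY_NOON),      # internal web server
        (MISORDERED_ROLE, "192.168.1.10", "tcp", 80, MONDAY_NOON),      # same packet, wrong order
    ]:
        print(ip, proto, port, evaluate(role, ip, proto, port, when))
```

With the policies in the intended order the internal web server is dropped; with the order reversed the `svc-http src-nat` rule matches first and the guest reaches it, which is exactly the mistake the ordered WebUI steps are guarding against.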
d. Click Apply.
3. Click the DHCP Server tab.
a. Select Enable DHCP Server.
b. Click Add under Pool Configuration.
c. For Pool Name, enter guestpool.
d. For Default Router, enter 192.168.200.20.
e. For DNS Server, enter 64.151.103.120.
f. For Lease, enter 4 hours.
g. For Network, enter 192.168.200.0. For Netmask, enter 255.255.255.0.
h. Click Done.
4. Click Apply.

Configuring the guest VLAN via the CLI
vlan 900
interface vlan 900
  ip address 192.168.200.20 255.255.255.
  server-group internal

Modifying the Initial User Role
The captive portal authentication profile specifies the captive portal login page and other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance. Therefore, you need to modify the guest-logon user role configuration to include the guestnet captive portal authentication profile.
To modify the guest-logon role via the WebUI:
1.
a. In the Profile Details entry for the new virtual AP profile, select the AAA profile you previously configured. A pop-up window displays the configured AAA profile parameters. Click Apply in the pop-up window.
b. From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the SSID profile.
c. Enter the name for the SSID profile (for example, guestnet).
d. Enter the Network Name for the SSID (for example, guestnet).
e. For Network Authentication, select None.
f.
Table 60 Captive Portal Authentication Profile Parameters
  Default role: Role assigned to the Captive Portal user upon login. When both user and guest logon are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role. The Policy Enforcement Firewall Next Generation (PEFNG) license must be installed.
Table 60 Captive Portal Authentication Profile Parameters (Continued)
  Adding switch ip address in redirection URL: Select this checkbox to add the switch IP address to the redirection URL. This parameter requires the Public Access license.
  Adding user vlan in redirection URL: Select this checkbox to add the user VLAN to the redirection URL. Default: disabled. This parameter requires the Public Access license.
for each WLAN that will use captive portal. For example, if you want to have different captive portal login pages for the engineering, business and faculty departments, you need to create and configure them according to Table 61.

Table 61 Captive Portal Login Pages
  Engineering: /auth/eng-login.html
  Business: /auth/bus-login.html
  Faculty: /auth/fac-login.
To change the protocol to HTTP via the command-line interface, access the CLI in config mode and issue the following commands:
aaa authentication captive-portal profile
  protocol-http
(For captive portal with role-based access only)
ip access-list session captiveportal
  no user alias mswitch svc-https dst-nat
  user alias mswitch svc-http dst-nat
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
Note that with the protocol set to HTTP, the login page and any credentials a user types into it travel in cleartext between the client and the controller; keep the default HTTPS unless a specific client limitation forces the change.

Proxy Server Redirect
You can configure captive portal to work with proxy Web servers.
To redirect proxy server traffic via the command-line interface, access the CLI in config mode and issue the following commands.
3. Click Add to add the rule. Use the up arrows to move this rule above the rules that perform destination NAT.
4. Click Apply.
2. To customize the page background:
a. Select the YOUR CUSTOM BACKGROUND page.
b. Under Additional options, enter the location of the JPEG image in the Upload your own custom background field.
c. Set the background color in the Custom page background color field. The color code must be a hexadecimal value in the format #hhhhhh.
d. To view the page background changes, click Submit at the bottom of the page and then click the View CaptivePortal link.
3. To customize the captive portal background text:
a. Enter the text to be displayed in the Page Text (in HTML format) message box.
b. To view the background text changes, click Submit at the bottom of the page and then click the View CaptivePortal link. The User Agreement Policy page appears.
c. Click Accept. This displays the Captive Portal page as it will be seen by users.
4. To customize the text under the Acceptable Use Policy:
a. Enter the policy information in the Policy Text text box.
Chapter 13 Advanced Security

Extreme Security (xSec) is a cryptographically secure, Layer-2 tunneling network protocol implemented over the 802.1x protocol. The xSec protocol can be used to secure Layer-2 traffic between the Dell controller and wired and wireless clients, or between Dell controllers.
Note: xSec is an optional ArubaOS software module. You must purchase and install the license for the xSec software module on the controller.
Securing Client Traffic
You can secure wireless or wired client traffic with xSec. On the client, install the Odyssey Client software. The xSec client must complete 802.1x authentication to connect to the network. The client indicates the use of the xSec protocol during the 802.1x exchanges with the controller. (Dell controllers support 802.1x for both wired and wireless clients.) Upon successful client authentication, an xSec tunnel is established between the controller and the client.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.
a. To create a new AAA profile, click Add in the AAA Profiles Summary.
b. Enter a name for the profile (for example, xsec-wireless), and click Add.
c. To configure the AAA profile, click on the newly-created profile name.
d. For 802.1x Authentication Default Role, select a configured user role (for example, employee).
e. Click Apply.
f. In the AAA Profile list, select 802.
This VLAN must have an IP interface, and is a different VLAN from the port's "native" VLAN that provides connectivity to the network.
2. Configure the user role for the authenticated xSec clients. See Chapter 10, "Roles and Policies" for information.
3. Configure the server group that will be used to authenticate clients using 802.1x. See Chapter 8, "Authentication Servers" for more information.
4. Configure the controller port to which the wired client(s) are connected.
f. In the AAA Profile list, select 802.1x Authentication Profile under the AAA profile you configured. Select the applicable 802.1x authentication profile (for example, xsec-wired-dot1x). Click Apply.
g. In the AAA Profile list, select 802.1x Authentication Server Group under the AAA profile you configured. Select the applicable server group (for example, xsec-svrs). Click Apply.
3. Navigate to the Configuration > Advanced Services > Wired Access page.
a.
c. For Enter VLAN(s), select the native VLAN (for example, VLAN 1) on the port to ensure Layer-2 connectivity to the network.
d. For xSec VLAN, select the VLAN to which authenticated users are assigned from the drop-down menu (for example, VLAN 20).
e. Click Apply.
2. Navigate to the Configuration > Security > Authentication > AAA Profiles page to configure the AAA profile.
a. To create a new AAA profile, click Add.
b. Enter a name for the profile (for example, xsec-3party), and click Add.
c.
Figure 48 Controller-to-Controller xSec Example: Controller 1 (MAC 01:02:03:04:05:06) and Controller 2 (MAC 10:11:12:13:14:15) connected over VLAN 1, each carrying VLANs 101, 200 and 250.

Configuring Controllers for xSec
The following sections describe how to use the WebUI or CLI to configure the port that connects to the wired network on which the other controller is installed. Other chapters in this manual describe the configuration of VLANs.
In the WebUI
1. On each controller, navigate to the Configuration > Network > Port page.
2.
c. Navigate down the tree to HKEY_LOCAL_MACHINE\SOFTWARE\Funk Software, Inc.\odyssey\client\configuration\options\wiredxsec.
Figure 49 The regedit Window
d. Select "policy" from the registry values and right-click on it. Select Modify to modify the contents of policy. Set the value in the resulting window to required.
Figure 50 Modifying a regedit Policy
3. Open the Funk Odyssey Client. Click the Profile tab in the client window. This allows the user to create the user profile for 802.1x authentication.
Figure 51 The Funk Odyssey Client Profile
a. In the login name dialog box, enter the login name used for 802.1x authentication. For the password, the client can use the Windows password or the configured password, depending on the selection made.
b. Click the Certificate tab and enter the certificate information required. This example shows the PEAP settings.
Figure 52 Certificate Information
c. Click the Authentication tab. In the resulting window, click the Add tab and select EAP/PEAP.
Figure 53 Network Profile
a. Click the Add tab. Enter the SSID to which the client connects.
b. Set the Network type to Infrastructure.
c. Set the Association mode to xSec; AES encryption is selected automatically.
d. Under Authentication, select the Authenticate using profile checkbox.
e. From the pull-down menu, select the profile used for 802.1x authentication. This is one of the profiles configured in step 2.
f. Select the keys that will be generated automatically for data privacy.
g.
Chapter 14 Virtual Intranet Access

Virtual Intranet Access (VIA) is part of the Dell remote networks solution targeted at teleworkers and mobile users. It detects the user's network environment (trusted or untrusted) and automatically connects the user to their enterprise network. A trusted network typically refers to a protected office network that allows users to access the corporate intranet directly. Untrusted networks are public Wi-Fi hotspots such as airports, cafes, or home networks.
Table 62 VIA Connectivity Behavior
  User action / environment: VIA's behavior
  While in an untrusted environment, the user disconnects the remote connection: Disconnects gracefully.
  User moves to a trusted environment: Stays idle and does not connect.
  User moves to an untrusted environment: Stays idle and does not connect. This usually happens if the user has on a previous occasion disconnected a secure connection by clicking the Disconnect button in VIA.
Configuring VIA Settings
The following steps are required to configure your controller for VIA. These steps are described in detail in the subsections that follow.
1. Enable VPN Server Module: the BaseOS allows you to connect to the VIA controller using the default user roles. However, to configure and assign specific user roles you must install the Policy Enforcement Firewall Virtual Private Network (PEFV) license.
2.
2. Click Add to create new policies. Click Done after creating the user role and click Apply to save it to the configuration.

Create VIA Authentication Profile
The following steps illustrate the procedure to create an authentication profile that authenticates users against a server group.
1. Navigate to Configuration > Security > Authentication > L3 Authentication.
2. Under the Profiles section, expand the VIA Authentication Profile option.
Figure 56 VIA - Enter a name for the server group

Create VIA Connection Profile
To create a VIA connection profile:
1. Navigate to the Configuration > Security > Authentication > L3 Authentication tab. Click the VIA Connection Profile option and enter a name for the connection profile.
Figure 57 VIA - Create VIA Connection Profile
2. Now click on the new VIA connection profile to configure the connection settings:
Figure 58 VIA - Configure VIA Connection Profile (numbered callouts 1 to 20 correspond to the options in Table 64)
You can configure the following options for a VIA connection profile.

Table 64 VIA - Connection Profile Options
  1 VIA Controller: Enter the following information about the VIA controller. Controller Hostname/IP Address: the public IP address or the DNS hostname of the VIA controller.
Table 64 VIA - Connection Profile Options (Continued)
  4 VIA Client WLAN profiles: A list of VIA client WLAN profiles to be pushed to client machines that use Windows Zero Config (WZC) to configure or manage their wireless networks.
    • Select a WLAN profile and click the Add button to add it to the client WLAN profiles list.
    • To delete an entry, select the profile name and click the Delete button.
    See "Configure VIA Client WLAN Profiles" on page 341 for more information.
Table 64 VIA - Connection Profile Options (Continued)
  20 Allow user to disconnect VIA: Enable or disable the ability of users to disconnect their VIA sessions. Default: on.

Configure VIA Web Authentication
To configure the VIA web authentication profile:
1. Navigate to the Configuration > Security > Authentication > L3 Authentication tab.
2. Expand VIA Web Authentication and click on the default profile.
Note: You can have only one profile (default) for VIA web authentication.
3.
Figure 60 VIA - Associate VIA Connection Profile to User Role

Configure VIA Client WLAN Profiles
To configure a VIA client WLAN profile:
1. Navigate to Configuration > Advanced Services > All Profiles.
2. Expand Controller Profiles and select VIA Client WLAN Profile.
3. In the Profile Details, enter a name for the WLAN profile and click the Add button.
Figure 61 VIA - Create VIA Client WLAN Profile
4. Expand the new WLAN profile and click SSID Profile.
Figure 62 VIA - Configure the SSID Profile
6. You can now configure the SSID profile by selecting it under the VIA Client WLAN Profile option.
Figure 63 VIA - Configure VIA Client WLAN Profile
The VIA client WLAN profile settings are similar to the authentication settings used to set up a wireless network in Microsoft Windows.
Table 65 Configure VIA client WLAN profile
  EAP-Certificate Options: If you select certificate as the EAP type, you can select one of the following options:
    • mschapv2-use-windows-credentials
    • use-smartcard
    • simple-certificate-selection
    • use-different-name
    • validate-server-certificate
  Inner EAP Type: Select the inner EAP type.
Download VIA Installer and Version File
To download the VIA installer and version file:
1. Navigate to the Configuration > Advanced Services > VPN Services > VIA tab.
2. Under the VIA installers for various platforms section, click ansetup.msi to download the installation file.

Customize VIA Logo
To use a custom logo on the VIA download page and in the VIA client:
1. Navigate to the Configuration > Advanced Services > VPN Services > VIA tab.
2.

Using CLI to Configure VIA
Create VIA authentication profiles
(host) (config) #aaa server-group "via-server-group"
(host) (Server Group "via-server-group") #auth-server "Internal" position 1
(host) (Server Group "via-server-group") #aaa authentication via auth-profile default
(host) (VIA Authentication Profile "default") #default-role example-via-role
(host) (VIA Authentication Profile "default") #desc "Default VIA Authentication Profile"
(host) (VIA Authentication Profile "default") #server-group "via-server-group"
Create VIA conne
Chapter 15 Virtual Private Networks

For wireless networks, virtual private network (VPN) connections can be used to further secure the wireless data from attackers. The Dell controller can be used as a VPN concentrator that terminates all VPN connections from both wired and wireless clients.
VPN authentication
To configure VPN authentication via the WebUI:
1. Navigate to the Configuration > Security > Authentication > L3 Authentication page.
2. In the Profiles list, select the default VPN Authentication Profile.
3. Select the Default Role from the drop-down menu.
4. (Optional) Set Max Authentication failures to an integer value (the default value is 0, which disables this feature). This number is the number of contiguous authentication failures after which the station is blacklisted.
5.
Remote Access VPN for L2TP/IPsec
The combination of Layer-2 Tunneling Protocol and Internet Protocol Security (L2TP/IPsec) is a highly secure technology that enables VPN connections across public networks such as the Internet. L2TP/IPsec provides both a logical transport mechanism on which to transmit PPP frames and the tunneling or encapsulation needed so that the PPP frames can be sent across an IP network.
f. In the Destination NAT IP Address field, enter the destination NAT IP address in dotted-decimal format. If you do not enter an address into this field, the NAT pool will use the destination NAT IP 0.0.0.0.
g. Click Done to close the NAT pools tab.
h. Navigate to Configuration > Advanced Services > VPN Services and click the IPsec tab to return to the IPsec window.
i. Click the NAT Pool drop-down list and select the NAT pool you just created.
IKE Policies
crypto isakmp policy
  encryption {3des|aes128|aes192|aes256|des}
  authentication {pre-share|rsa-sig}
  group {1|2}
  hash {md5|sha}
  lifetime
Of the choices listed, des, md5 and Diffie-Hellman group 1 are no longer considered adequate; select AES, SHA and group 2 unless a legacy client forces otherwise, and make sure the policy matches what the client actually proposes.

Example Configurations for Remote Access Clients
This section describes how to configure remote access VPNs for L2TP/IPsec clients.

This section describes how to configure a remote access VPN on the controller for Microsoft L2TP/IPsec clients with smart cards.
3. Navigate to the Configuration > Security > Authentication > Servers page.
a. Select Radius Server to display the Radius Server List.
b. To configure a RADIUS server, enter the name for the server (for example, ias1) and click Add.
c. Select the name to configure the IP address and key for the server. Select Mode to enable the server.
d. Click Apply.
4. In the Servers list, select Server Group.
a. Enter the name of the new server group (for example, ias-server) and click Add.
b.
Configuring a VPN for Smart Card Clients via the CLI
Use the following procedure to configure an L2TP/IPsec VPN for Microsoft smart card clients via the CLI:
ip access-list session authenticated
  any any any permit position 1
user-role employee
  access-list session authenticated
aaa authentication-server ias1
  host 1.1.1.
Configure the L2TP/IPsec VPN via the WebUI
Use the following procedure to configure an L2TP/IPsec VPN for username/password clients via the WebUI:
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Click Add to add a new policy.
a. Enter the name of the policy (for example, authenticated). Default settings for a policy rule permit all traffic from any source to any destination, but you can make a rule more restrictive.
m. Set the Authentication to Pre-Share.
n. Click Done to activate the changes.
o. Click Apply.
Next, you must configure client entries in the internal database.
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Internal DB.
3. Click Add User in the Users section. The user configuration page displays.
4. Enter information for the client.
5. Click Enabled to activate this entry on creation.
6. Click Apply to apply the configuration.
Authentication Method and Server Addresses
1. Navigate to the Configuration > Advanced Services > VPN Services > IPSEC page.
2. To enable or disable Extended Authentication (XAuth), select or deselect Enable XAuth (this is enabled by default). Disable XAuth if the VPN client is authenticated using a smart card. After a successful IKE main mode exchange, the controller extracts the values of the Principal name (SubjectAltname in X.
IKE Shared Secrets
You can configure a global IKE key or configure an IKE key for each subnet. Make sure that this key matches the key on the client. A global key is offered to every peer address that can reach the controller, so prefer per-subnet keys wherever the client address ranges are known.
1. Under IKE Shared Secrets, click Add to open the Add IKE Secret page.
2. Enter the subnet and subnet mask. To make the IKE key global, specify 0.0.0.0 and 0.0.0.0 for both values.
3. Enter the IKE Shared Secret and Verify IKE Shared Secret.
4. Click Done to apply the configuration.

IKE Policies
1.
IKE Policies
crypto isakmp policy
  encryption {3des|aes128|aes192|aes256|des}
  authentication {pre-share|rsa-sig}
  group {1|2}
  hash {md5|sha}
  lifetime

Configurations for XAuth Clients using Smart Cards
This section describes how to configure a remote access VPN on the controller for Cisco VPN XAuth clients using smart cards. (A smart card contains a digital certificate which allows user-level authentication without the user entering a username and password.)
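The `crypto isakmp policy` syntax is printed twice in this chapter (for the L2TP/IPsec and the XAuth examples) and in both places it still offers des, md5 and Diffie-Hellman group 1, and the IKE Shared Secrets section allows a key bound to 0.0.0.0/0.0.0.0. The audit below is an added example written for this page, not controller code: it parses those two command forms from a saved configuration and reports the choices a reviewer would send back, with a weak fragment beside a hardened one. The thresholds (DES and MD5 rejected, group 1 rejected, 3DES flagged as legacy, a global key flagged, keys under 16 characters flagged) are this example's own, and the exact `crypto-local isakmp key <key> address <ip> netmask <mask>` form is assumed from the fragment shown later in this chapter.

```python
"""Audit of ArubaOS-style IKE policy and pre-shared-key configuration lines.

Added example for this page, not controller code.  It parses the two command
forms printed in this chapter, "crypto isakmp policy <n>" with its
encryption/authentication/group/hash/lifetime settings and
"crypto-local isakmp key <key> address <ip> netmask <mask>", and flags the
choices a reviewer would reject.  The thresholds are this example's own: DES and
MD5 are broken, DH group 1 (768-bit MODP) is too small, 3DES is legacy, a key
bound to address 0.0.0.0 netmask 0.0.0.0 is accepted from every peer, and a
pre-shared key shorter than 16 characters is too short.  The exact key-line
syntax is assumed from the fragment shown in this chapter.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

WEAK_SETTINGS = {
    "encryption": {"des": "56-bit DES is brute-forceable", "3des": "3DES is legacy; use AES"},
    "hash": {"md5": "MD5 is collision-broken; use SHA"},
    "group": {"1": "DH group 1 (768-bit MODP) is too small; use group 2 or stronger"},
}
MIN_PSK_LENGTH = 16
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
KEY_RE = re.compile(r"^crypto-local isakmp key (\S+) address (\S+) netmask (\S+)$")


@dataclass
class IsakmpPolicy:
    number: int
    settings: Dict[str, str] = field(default_factory=dict)


@dataclass
class IsakmpKey:
    key: str
    address: str
    netmask: str


def parse(config: str):
    """Split a config fragment into IKE policies and pre-shared keys."""
    policies: List[IsakmpPolicy] = []
    keys: List[IsakmpKey] = []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = POLICY_RE.match(line)
        if m:
            current = IsakmpPolicy(int(m.group(1)))
            policies.append(current)
            continue
        m = KEY_RE.match(line)
        if m:
            current = None                      # a key line ends the policy block
            keys.append(IsakmpKey(*m.groups()))
            continue
        if current is not None:
            name, _, value = line.partition(" ")
            if name in ("encryption", "authentication", "group", "hash", "lifetime"):
                current.settings[name] = value.strip()
    return policies, keys


def audit(config: str) -> List[str]:
    """Return one finding per weak choice; an empty list means nothing to fix."""
    findings: List[str] = []
    policies, keys = parse(config)
    for p in policies:
        for setting, bad in WEAK_SETTINGS.items():
            value = p.settings.get(setting)
            if value in bad:
                findings.append(f"policy {p.number}: {setting} {value}: {bad[value]}")
    for k in keys:
        if k.address == "0.0.0.0" and k.netmask == "0.0.0.0":
            findings.append("global pre-shared key: any peer address may negotiate with it")
        if len(k.key) < MIN_PSK_LENGTH:
            findings.append(f"pre-shared key for {k.address}: shorter than {MIN_PSK_LENGTH} characters")
    return findings


# Constructed before/after fragments in the syntax shown in this chapter.
WEAK_CONFIG = """
crypto isakmp policy 1
  encryption des
  authentication pre-share
  group 1
  hash md5
  lifetime 86400
crypto-local isakmp key secret address 0.0.0.0 netmask 0.0.0.0
"""

HARDENED_CONFIG = """
crypto isakmp policy 1
  encryption aes256
  authentication rsa-sig
  group 2
  hash sha
  lifetime 28800
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

Run it against `show running-config` output saved to a file to get a list of IKE policies and keys to revisit; the weak fragment yields five findings, the hardened one none.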
3. Navigate to the Configuration > Security > Authentication > L3 Authentication page.
a. Select default VPN Authentication Profile.
b. From the Default Role drop-down menu, select employee.
c. Click Apply.
d. Under default VPN Authentication Profile, select Server Group.
e. Select the server group internal from the drop-down menu.
f. Click Apply.
4. Navigate to the Configuration > Advanced Services > VPN Services > IPSEC page.
a. Select Enable L2TP (this is enabled by default).
b.
  enable
  client dns 101.1.1.245
ip local pool sc-clients 10.1.1.1 10.1.1.
4. Navigate to the Configuration > Advanced Services > VPN Services > IPSEC page.
a. Select Enable L2TP (this is enabled by default).
b. Select Enable XAuth (this is enabled by default).
c. Configure the IP addresses of the primary and secondary Domain Name System (DNS) servers and the primary and secondary Windows Internet Naming Service (WINS) servers that will be pushed to the VPN client.
d. Under Address Pools, click Add to open the Add Address Pool page.
e.
crypto isakmp policy 1
  authentication pre-share
Enter the following command in enable mode to configure client entries in the internal database:
local-userdb add username password

Remote Access VPN for PPTP
Point-to-Point Tunneling Protocol (PPTP) is an alternative to L2TP/IPsec. Like L2TP/IPsec, PPTP provides a logical transport mechanism to send PPP frames as well as the tunneling or encapsulation needed so that the PPP frames can be sent across an IP network. PPTP relies on MS-CHAP v2 for authentication and MPPE for encryption, both of which are considered weak; offer it only for clients that cannot use L2TP/IPsec.
• Digital certificates: You can configure a server certificate and a CA certificate for each site-to-site VPN IPsec map configuration. For more information about importing server and CA certificates into the controller, see Chapter 26, "Management Access" on page 503.
Note: Certificate-based authentication is only supported for site-to-site VPN between two controllers with static IP addresses.
5. Enter the IP address and netmask for the destination (the remote network with which the local network will communicate) in the Destination Network and Destination Subnet Mask fields, respectively. (See controller B in Figure 65.)
6. In the Peer Gateway field, enter the IP address of the interface on the remote controller that connects to the Layer-3 network. (See Interface B in Figure 65.
d. Set the HASH Algorithm to SHA or MD5.
e. Set the Authentication to PRE-SHARE if you are using preshared keys. If you are using certificate-based IKE, select RSA.
f. Set the Diffie Hellman Group to Group 1 or Group 2.
g. The IKE policy selections, along with the preshared key, need to be reflected in the VPN client configuration. When using a third-party VPN client, set the VPN configuration on the clients to match the choices made above.
For the pre-shared key:
crypto-local isakmp key address netmask 255.255.255.255
For a static IP controller that responds to IKE aggressive mode for site-to-site VPN:
crypto-local ipsec-map
  src-net
  dst-net
  peer-ip 0.0.0.
If a preshared key is configured for IKE Shared Secrets in the VPN Services > IPSEC page, enter the key. The key you enter in the Dialers page must match the preshared key configured on the IPSEC page.
• Select the IPSEC Mode Group that matches the Diffie Hellman Group configured for the IPSEC policy.
• Select the IPSEC Encryption that matches the Encryption configured for the IPSEC policy.
• Select the IPSEC Hash Algorithm that matches the Hash Algorithm configured for the IPSEC policy.
6.
Chapter 16 MAC-based Authentication

This chapter describes how to configure MAC-based authentication on the Dell controller using the WebUI. Use MAC-based authentication to authenticate devices based on their physical media access control (MAC) address. It is neither the most secure nor the most scalable method, since a MAC address is visible on the air and easily spoofed, but it provides an additional layer of authentication for devices that have no other means of proving their identity.
Table 67 MAC Authentication Profile Configuration Parameters (Continued)
  Max Authentication failures: Number of times a station can fail to authenticate before it is blacklisted. A value of 0 disables blacklisting. Default: 0.

Using the WebUI to configure a MAC authentication profile
1. Navigate to the Configuration > Security > Authentication > L2 Authentication page.
2. Select MAC Authentication Profile.
3. Enter a profile name and click Add.
4.
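Both the VPN authentication profile in the previous chapter and the MAC authentication profile here expose the same Max Authentication failures control: a count of contiguous failures after which a station is blacklisted, with 0 (the default) disabling the feature. The model below is an added example written for this page, not controller code; it replays a constructed attempt log to show what "contiguous" implies (a single success resets the count), that a blacklisted station is refused even when it later presents valid credentials, and that stations are counted independently. The clear operation is this example's own construct.

```python
"""Blacklisting after N contiguous authentication failures.

Added example for this page, not controller code.  It models the Max
Authentication failures parameter as this chapter and the VPN authentication
profile describe it: 0 (the default) disables blacklisting, failures are counted
per station, a success resets the count, and a blacklisted station is refused
until an operator clears it.  The clear operation and the attempt log replayed
below are this example's own constructs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class FailureBlacklist:
    max_failures: int = 0                                   # 0 = disabled (documented default)
    failures: Dict[str, int] = field(default_factory=dict)  # contiguous failures per station
    blacklisted: Set[str] = field(default_factory=set)

    def record(self, station: str, success: bool) -> bool:
        """Record one attempt; return False if the station is (now) blacklisted."""
        if station in self.blacklisted:
            return False
        if success:
            self.failures.pop(station, None)                # a success breaks the run
            return True
        count = self.failures.get(station, 0) + 1
        self.failures[station] = count
        if self.max_failures and count >= self.max_failures:
            self.blacklisted.add(station)
            self.failures.pop(station, None)
            return False
        return True

    def clear(self, station: str) -> None:
        """Operator removes a station from the blacklist."""
        self.bl_discard(station)

    def bl_discard(self, station: str) -> None:
        self.blacklisted.discard(station)
        self.failures.pop(station, None)


# Constructed attempt log: (station MAC, authentication succeeded?)
ATTEMPTS: List[Tuple[str, bool]] = [
    ("00:0b:86:11:22:33", False),
    ("00:0b:86:11:22:33", True),    # resets the run, so the first failure no longer counts
    ("00:0b:86:11:22:33", False),
    ("00:0b:86:11:22:33", False),
    ("00:0b:86:11:22:33", False),   # third contiguous failure
    ("00:0b:86:11:22:33", True),    # refused: already blacklisted
    ("00:0b:86:aa:bb:cc", False),   # a different station keeps its own count
]


def replay(max_failures: int, attempts: List[Tuple[str, bool]] = ATTEMPTS) -> List[bool]:
    """Replay the log against a fresh profile setting; return the per-attempt verdicts."""
    bl = FailureBlacklist(max_failures)
    return [bl.record(station, ok) for station, ok in attempts]


if __name__ == "__main__":
    print("max 3:", replay(3))   # [True, True, True, True, False, False, True]
    print("max 0:", replay(0))   # blacklisting disabled: every attempt is accepted
```

Setting the parameter to 1 blacklists a station on its first failure, which on a guest network is usually too aggressive; a small value such as 3 to 5 stops online guessing while tolerating a mistyped password.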
Using the CLI to configure clients in the internal database
Enter the following command in enable mode:
local-userdb add username password ...
Chapter 17 Control Plane Security

ArubaOS supports secure IPsec communications between a controller and campus APs using public-key self-signed certificates created by each master controller. The controller certifies its APs by issuing them certificates. If the master controller has any associated local controllers, the master controller sends a certificate to each local controller, which in turn sends certificates to its own associated campus APs.
certificates to all APs on the network. This ensures that all valid APs will receive a certificate, but also increases the chance that a rogue or unwanted AP will also be certified.
the controller has a valid certificate, the output of the command should appear similar to the example below.
(host) # show tpm cert-info
subject= /CN=AC1234567::00:0b:86:11:22:33
issuer= /DC=com/DC=arubanetworks/DC=ca3/CN=DEVICE-CA3
serial=5147D5BC00000000000C
notBefore=Aug 29 22:16:12 2009 GMT
notAfter=Aug 18 22:16:12 2029 GMT
If the controller displays the following output, it may have a corrupted or missing TPM and factory certificates. Contact Dell technical support.
4. Click Apply to save your changes. The master controller will generate its self-signed certificate and will begin distributing certificates to campus APs and any local controllers on the network over a clear channel. After all APs have received a certificate and have connected to the network using a secure channel, access the Control Plane Security window and turn off auto certificate provisioning if that feature was enabled.
You can add an AP to the campus AP whitelist via the WebUI or the command-line interface. To add an entry via the WebUI, use the following procedure.
1. Access the WebUI, and navigate to Configuration > AP Installation.
2. Click the Campus AP Whitelist tab.
3. To add a new AP to the whitelist, click New.
4. Define the following parameters for each campus AP you want to add to the campus AP whitelist.
Table 71 View Campus AP Whitelist Parameters
  State: The Campus AP Whitelist reports one of the following states for each campus AP:
    • unapproved-no-cert: The AP has no certificate and is not approved.
    • unapproved-factory-cert: The AP has a preinstalled certificate that was not approved.
    • approved-ready-for-cert: The AP has been approved as a valid campus AP and is ready to receive a certificate.
    • certified-factory-cert: The AP already has a factory certificate.
2. Click the Campus AP Whitelist tab. 3. Select the checkbox by the entry for the AP you want to edit, then click Modify. If your campus AP whitelist is large and you cannot immediately locate the AP entry you want to edit, select the Search link by the upper right corner of the whitelist. The Campus AP Whitelist tab will display several fields that allow you to search for an AP with a specified MAC address, certificate type or state.
whitelist-db cpsec revoke mac-address revoke-text <"revoke text">

Deleting an AP Entry from the Campus AP Whitelist
Before you delete an AP entry from the campus whitelist, verify that auto certificate provisioning is either no longer enabled, or only enabled for IP addresses that do not include the AP being removed.
Table 73 Control Plane Security Whitelists

On a master controller:
• Campus AP Whitelist: contains an entry for every secure campus AP on the network, regardless of the controller to which it is connected.
• Master Controller Whitelist: empty, and does not appear in the WebUI.
• Local Controller Whitelist: contains an entry for each associated local controller.
You can view a controller's current sequence number via the CLI using the command:

show whitelist-db cpsec-seq

Viewing and Managing the Master or Local Controller Whitelists
The following sections describe the commands to view and delete entries in a master or local controller whitelist.

Viewing the Master or Local Controller Whitelist
To view the master or local controller whitelists via the WebUI, use the procedure below:
1. Access the controller's WebUI, and navigate to Configuration>Controller.
2.
To delete an entry from the master or local controller whitelist via the WebUI: 1. Access the controller’s WebUI, and navigate to Configuration>Controller. 2. Select the Control Plane Security tab. 3. To delete an entry from the Local controller Whitelist: In the Local Controller List For AP Whitelist Sync section, click the Delete button by each controller entry you want to remove.
z Automatic Synchronization: Schedule automatic database backups using the database synchronize period CLI command in config mode. Note: If you add a new backup controller to an existing controller, the backup controller must be added as the lower priority controller. If the backup controller is not added as a lower priority controller, your control plane security keys and certificates may be lost.
8. Click Apply to save your settings To create a cluster root via the CLI, access the command-line interface of the controller you want to become the root of the controller cluster, then issue the following command. (host)(config)# cluster-member-ip ipsec The parameter is the switch IP address of a member controller in the cluster, and the parameter in each command is the IPsec key for communication between the specified member controller and the cluster root.
To view your current cluster configuration via the command-line interface, issue the CLI commands described in Table 75.

Table 75 CLI Commands to Display Cluster Settings
• show cluster-switches: When you issue this command from the cluster root, the output displays the IP address of the VLAN used by each cluster member to connect to the cluster root.
window, select the entry for the local controller you want to delete from the local controller whitelist, and click Delete. 4. Install the new local controller, but do not connect it to the network yet. If the controller has been previously installed on the network, you must ensure that the new local controller has a clean whitelist.
controller to act as the primary controller, you can increase that controller’s priority after the settings have been synchronized. Replacing Controllers in a Multi-Master Network Use the following procedures to replace a master or local controller in a network environment with a multiple master controllers.
Replacing a Redundant Cluster Member Controller
The control plane security feature requires you to synchronize databases from the primary controller to the backup controller at least once after the network is up and running. This ensures that all certificates, keys and whitelist entries are synchronized to the backup controller. Since the AP whitelist may change periodically, the network administrator should regularly synchronize these settings to the backup controller.
controller to act as the primary controller, you can increase that controller's priority after the settings have been resynchronized.

Troubleshooting Control Plane Security
Certificate Problems
If an AP has a problem with its certificate, check the state of the AP in the campus AP whitelist. If the AP is in either the certified-hold-factory-cert or certified-hold-controller-cert state, you may need to manually change the status of that AP before it can be certified.
Figure 69 Sequence numbers on Master and Local Controllers

Supported APs
The control plane security feature is supported on W-AP120 Series and Ortronics APs. APs that do not support control plane security will not be able to connect to a controller enabled with this feature.

Rogue APs
If you enable auto certificate provisioning with the Auto Cert Allow All option, any AP that appears on the network will receive a certificate.
Chapter 18 Adding Local Controllers This chapter explains how to expand your network by adding a local controller to a master controller configuration. Typically, this is the first expansion of a network with just one controller (which is a master controller). This chapter is a basic discussion of creating master-local controller configurations. More complicated multi-controller configurations are discussed in other chapters.
Best Security Practices for the Preshared Key
Note: Do not use the default global PSK on a master or stand-alone controller. If you have a multi-controller network, configure the local controllers to match the new IPsec PSK on the master controller. Leaving the PSK set to the default value exposes the IPsec channel between controllers to serious risk, since anyone who knows the default can authenticate as a peer controller, so you should always configure a unique PSK for each controller pair.
Using the CLI to configure the PSK

Master Controller
On the master controller you can configure a specific IPsec PSK for a local controller and use the localip 0.0.0.0 ipsec command:
Note: You need to change the secret key to a non-default PSK value even if you use a per-local-controller PSK configuration.

localip 0.0.0.0 ipsec
localip ipsec

Local Controller
On the local controller the secret key (PSK) must match the master controller's PSK.
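The following is an added example and is not code from the ArubaOS guide. It generates a distinct IPsec preshared key for every master/local controller pair, emits the two CLI lines that must carry the same key, and audits an existing set of localip lines for the mistakes the note above warns about (default key left in place, one key shared by several controllers, a short key). Assumptions that do not come from the page: the local-controller side is written as masterip <ip> ipsec <key>; the factory default PSK is stood in for by the placeholder DEFAULT_PSK because the guide does not print its value; keys shorter than MIN_KEY_CHARS are treated as weak; SAMPLE_CONFIG is constructed.

```python
"""Added example, not from the ArubaOS guide: per-pair IPsec PSK generation
and an audit of `localip <ip> ipsec <key>` lines.
Assumptions: local-side syntax `masterip <ip> ipsec <key>`; DEFAULT_PSK is
a placeholder for the real default; MIN_KEY_CHARS is this example's floor."""
import re
import secrets

DEFAULT_PSK = "DEFAULT-PSK-PLACEHOLDER"   # stand-in; the guide does not print the default
MIN_KEY_CHARS = 32                        # 32 hex chars = 128 bits; generator emits 256 bits

_LOCALIP = re.compile(r"^\s*localip\s+(\S+)\s+ipsec\s+(\S+)")


def generate_psk(nbytes=32):
    """Fresh 256-bit key from the OS CSPRNG, hex encoded (64 characters)."""
    return secrets.token_hex(nbytes)


def pair_config(master_ip, local_ips, keygen=generate_psk):
    """{local_ip: (master_cli_line, local_cli_line)}. Both lines of a pair carry
    the same key and no key is reused between pairs (keygen must be random)."""
    used, out = set(), {}
    for lip in local_ips:
        key = keygen()
        while key in used or key == DEFAULT_PSK:   # defensive: never ship a duplicate
            key = keygen()
        used.add(key)
        out[lip] = (f"localip {lip} ipsec {key}",
                    f"masterip {master_ip} ipsec {key}")   # assumed local-side syntax
    return out


def audit_localip_lines(config_text):
    """(ip, finding) tuples: 'default-key', 'short-key', or 'shared-key' (the
    same key used for more than one peer). The catch-all `localip 0.0.0.0`
    entry is audited like any other."""
    entries = [m.groups() for m in map(_LOCALIP.match, config_text.splitlines()) if m]
    by_key = {}
    for ip, key in entries:
        by_key.setdefault(key, []).append(ip)
    findings = []
    for ip, key in entries:
        if key == DEFAULT_PSK:
            findings.append((ip, "default-key"))
        elif len(key) < MIN_KEY_CHARS:
            findings.append((ip, "short-key"))
        if len(by_key[key]) > 1:
            findings.append((ip, "shared-key"))
    return findings


# Constructed sample configuration, not from the page.
SAMPLE_CONFIG = f"""
localip 0.0.0.0 ipsec {DEFAULT_PSK}
localip 10.200.22.2 ipsec 6f2a9c1d4b8e7a3f5c0d9e1b2a4c6d8e0f1a2b3c4d5e6f708192a3b4c5d6e7f8
localip 10.200.23.2 ipsec 6f2a9c1d4b8e7a3f5c0d9e1b2a4c6d8e0f1a2b3c4d5e6f708192a3b4c5d6e7f8
localip 10.200.24.2 ipsec secret123
"""

if __name__ == "__main__":
    for ip, finding in audit_localip_lines(SAMPLE_CONFIG):
        print(ip, finding)
    for lines in pair_config("10.200.22.1", ["10.200.22.2", "10.200.23.2"]).values():
        print(*lines, sep="\n")
```

Run the audit against a saved running-config before and after the change; a clean result is an empty list. The generated lines are meant to be pasted into the two controllers' configurations over a management session, never sent over the master-local channel they are about to protect.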
IP address of the master controller for the WLAN network. Enter the preshared key (PSK) that is used to authenticate communications between controllers. Note: You need to enter the same PSK on the master controller and on the local controllers that are managed by the master. Using the Web UI For a controller that is up and operating with layer-3 connectivity, configure the following to set the controller as local: 1. Navigate to the Configuration > Network > Controller > System Settings page. 2.
2. Under the Profiles section, select AP to display the AP profiles.
3. Select the AP system profile you want to modify.
4. Enter the controller IP address in the LMS IP field.
5. Click Apply.

Using the CLI to configure the LMS IP
ap system-profile
   lms-ip
ap-group
   ap-system-profile
ap-name
   ap-system-profile
Chapter 19 IP Mobility

A mobility domain is a group of Dell controllers among which a wireless user can roam without losing their IP address. Mobility domains are not tied to the master controller, so it is possible for a user to roam between controllers managed by different master controllers as long as all of the controllers belong to the same mobility domain. You enable and configure mobility domains only on Dell controllers.
4. Traffic sent by Mobile Client B is also tunneled back to the home agent.

Figure 70 Routing of Traffic to Mobile Client within Mobility Domain (figure: Host A on the client's home network, the Home Agent, the Foreign Agent, and Mobile Client B on the foreign network; steps 1 to 4 are labelled on the diagram)

Configuring Mobility Domains
Before configuring a mobility domain, you should determine the user VLAN(s) for which mobility is required. For example, you may want to allow employees to be able to roam from one subnetwork to another.
Configuring a Mobility Domain
You configure mobility domains on master controllers. All local controllers managed by the master controller share the list of mobility domains configured on the master. Mobility is disabled by default and must be explicitly enabled on all controllers that will support client mobility. Disabling mobility does not delete any mobility-related configuration. The home agent table (HAT) maps a user VLAN IP subnet to potential home agent addresses.
Make sure that the ESSID to which the mobile client will connect supports IP mobility. You can disable IP mobility for an ESSID in the virtual AP profile (IP mobility is enabled by default). If you disable IP mobility for a virtual AP, any client that associates to the virtual AP will not have mobility service. Joining a Mobility Domain Assigning a controller to a specific mobility domain is the key to defining the roaming area for mobile clients.
Figure 71 Example Configuration: Campus-Wide (figure: Controller A 10.1.1.245 (Master), Controller B 10.2.1.245, Controller C 10.1.3.245)

This example uses the "default" mobility domain for the campus-wide roaming area. Since all controllers are initially included in the default mobility domain, you do not need to explicitly configure "default" as the active domain on each controller.

Configuring Mobility using the WebUI
On controller A (the master controller):
1.
4. Click Apply.

On controllers B and C:
1. Navigate to the Configuration > Advanced Services > IP Mobility page.
2. Select the Enable IP Mobility checkbox.
3. Click Apply.

Configuring Mobility using the CLI
On controller A (the master controller):

ip mobile domain default
   hat 10.1.1.0 255.255.255.0
   hat 10.1.1.0 255.255.255.0
   hat 10.1.2.0 255.255.255.0
   hat 10.1.3.0 255.255.255.0
   hat 10.2.1.0 255.255.255.0
   hat 10.2.2.0 255.255.255.0
   hat 10.2.3.0 255.255.255.0
   hat 10.3.1.0 255.255.255.0
   hat 10.3.2.0 255.255.
Roaming status can be one of the following:

Table 78 Client Roaming Status
• Home Switch/Home VLAN: This controller is the home agent for a station and the client is on the VLAN on which it has an IP address.
• Mobile IP Visitor: This controller is not the home agent for a client.
• Mobile IP Binding (away): This controller is the home agent for a client that is currently away.
In the WebUI
1. Navigate to the Monitoring > controller > Clients page.
2. Click Status. The mobility state section contains information about the user locations.

In the CLI
show ip mobile trail |

HA Discovery on Association
In normal circumstances a controller performs HA discovery only when it is aware of the client's IP address, which it learns through ARP or any L3 packet from the client.
Table 80 IP Mobility Configuration Parameters
• Registration Requests Retransmits: Maximum number of times the foreign agent attempts mobile IP registration message exchanges before giving up. The range of allowed values for this option is 0-5 attempts. The default setting is 3 attempts.
• Registration Requests Interval: Retransmission interval, in milliseconds. The range of allowed values for this option is 100-10000 milliseconds, inclusive. The default setting is 1000 milliseconds.
Table 80 IP Mobility Configuration Parameters (Continued)
• Station Trail Max. Entries: Specifies the maximum number of entries (client moves) stored in the user mobility trail. The allowed range of values is 1-100 entries, and the default value is 30 entries.
• Mobility Host Entry Hold Time: Number of seconds the mobility state is retained after the loss of connectivity. This allows authentication state and mobility information to be preserved on the home agent controller.
z Derives the address of the home agent for a mobile client from the HAT using the mobile client’s IP address. If there is more than one possible home agent for a mobile client in the HAT, the proxy mobile IP module uses a discovery mechanism to find the current home agent for the client. z Detects when a mobile client has moved. Client moves are detected based on ingress port and VLAN changes and mobility is triggered accordingly.
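The home agent lookup described above, together with the HAT introduced under Configuring a Mobility Domain, as an added example that is not code from the ArubaOS guide: it resolves a mobile client's home agent from a HAT by longest-prefix match on the client's IP address, falls back to a discovery step when the HAT lists more than one possible home agent, and detects a client move from an ingress port or VLAN change. The HAT is constructed: it reuses the controller addresses from the guide's campus figure (A 10.1.1.245, B 10.2.1.245, C 10.1.3.245) as assumed home agents for some of the user subnets listed in the guide's CLI example, and the discovery exchange is represented by a callable rather than implemented.

```python
"""Added example, not from the ArubaOS guide: home agent resolution from a
constructed HAT, with discovery modelled as a callback."""
import ipaddress

# Constructed HAT: (user VLAN subnet, candidate home agent).
HAT = [
    ("10.1.1.0/24", "10.1.1.245"),
    ("10.1.2.0/24", "10.1.1.245"),
    ("10.1.3.0/24", "10.1.3.245"),
    ("10.2.1.0/24", "10.2.1.245"),
    ("10.2.2.0/24", "10.2.1.245"),
    ("10.2.2.0/24", "10.1.1.245"),   # a second possible home agent for one subnet
]


def candidate_home_agents(client_ip, hat=HAT):
    """Home agents whose subnet covers the client; only the most specific
    prefix counts, and duplicates are collapsed, preserving HAT order."""
    ip = ipaddress.ip_address(client_ip)
    matches = []
    for subnet, ha in hat:
        net = ipaddress.ip_network(subnet, strict=False)
        if ip in net:
            matches.append((net.prefixlen, ha))
    if not matches:
        return []
    best = max(plen for plen, _ in matches)
    seen, out = set(), []
    for plen, ha in matches:
        if plen == best and ha not in seen:
            seen.add(ha)
            out.append(ha)
    return out


def home_agent(client_ip, hat=HAT, discover=None):
    """The client's home agent, or None when its subnet is not in the HAT (the
    client gets no mobility service). With several candidates the discovery
    exchange, represented by `discover(client_ip, candidates)`, chooses."""
    cands = candidate_home_agents(client_ip, hat)
    if not cands:
        return None
    if len(cands) == 1:
        return cands[0]
    if discover is None:
        raise LookupError(f"{len(cands)} possible home agents for {client_ip}; HA discovery required")
    return discover(client_ip, cands)


def has_moved(previous, current):
    """Move detection as the guide states it: ingress port or VLAN changed.
    Each argument is a dict with 'port' and 'vlan' keys."""
    return previous["port"] != current["port"] or previous["vlan"] != current["vlan"]


if __name__ == "__main__":
    print(home_agent("10.1.2.77"), home_agent("10.2.2.50", discover=lambda ip, c: c[0]))
```

A client whose subnet returns None here is exactly the case the guide describes as having no mobility service, so the function doubles as a check that every roaming-enabled user VLAN has a HAT entry.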
router. When Proxy IGMP is enabled, all multicast clients not associated with the controller are hidden from the upstream multicast device or router. Note: The newer IGMP proxy feature and the older IGMP snooping feature cannot be enabled at the same time, as both features add membership information to multicast group table. For most multicast deployments, you should enable the IGMP Proxy feature on all VLAN interfaces to manage all the multicast membership requirements on the controller.
local controller leaves the group, it will also notify remote controller A.) If either controller has other clients using that group, that controller will continue its group1 membership.

Configuring Mobility Multicast Using the WebUI
To configure the mobility multicast feature using the controller WebUI:
1. Navigate to the Configuration > Network > IP window. Click the Edit button by the VLAN interface for which you want to configure mobility multicast. The Edit VLAN window opens.
2.
Chapter 20 VRRP The underlying mechanism for the Dell redundancy solution is the Virtual Router Redundancy Protocol (VRRP).
Table 82 VRRP Parameters (Continued)
• Tracking: Configures a tracking mechanism that adds a specified value to the priority after a controller has been the master for the VRRP instance. This mechanism is used to avoid failing over to a backup master for transient failures. Tracking can be based on one of the following:
   • Master Up Time: how long the controller has been the master.
4. Click Done to apply the configuration and add the VRRP instance.

In the CLI
vrrp
   ip address
   vlan
   no shutdown

Configuring the LMS IP
Configure the APs to terminate their tunnels on the virtual IP address. To specify the controller to which an AP or AP group tunnels client traffic, you configure the LMS IP in the AP system profile on the master controller. For information on how to configure the LMS IP in the AP system profile, see "Configuring APs" on page 396.
The master controller is also responsible for providing the configuration for any AP to complete its boot process. If the master controller becomes unavailable, the network continues to run without any interruption. However, any change in the network topology or configuration will require the availability of the master controller. To maintain a highly redundant network, the administrator can use a controller to act as a hot standby for the master controller.
Note: All the APs and local controllers in the network should be configured with the virtual IP address as the master IP address. The master IP address can be configured for local controllers during the Initial Setup (refer to the ArubaOS Quick Start Guide). You can also use the following commands to change the master IP of the local controller. The controller will require a reboot after changing the master IP on the controller.
Configuring Master-Local Controller Redundancy This section outlines the concepts behind a redundancy solution where a master can act as a backup for one or more local controllers and shows how to configure the Dell controllers for such a redundant solution. In this solution, the local controllers act as the controller for the APs.
vrrp 22
   vlan 22
   ip address 10.200.22.254
   priority 100
   preempt
   authentication password
   description Master-acting-as-backup-to-local
   tracking master-up-time 30 add 20
   no shutdown

The following is an example configuration on the corresponding local controller.

vrrp 22
   vlan 22
   ip address 10.200.22.
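The effect of the tracking statements in Table 82 and in the configuration above, as an added example that is not code from the ArubaOS guide: it works out the effective VRRP priority of each controller from its configured priority and its tracking statements, then decides which controller is master, using both tracking styles that appear in this guide (tracking master-up-time 30 add 20 on the master acting as backup, and tracking vlan <id> sub 40 on the central office backup in the W-600 Series sample configuration). Assumed semantics, taken from the guide's description of Master Up Time and from standard VRRP: add applies once the controller has been master for at least the stated number of minutes, sub applies while the tracked VLAN is down, the result is clamped to 1..254, the highest priority wins, a tie goes to the higher IP address, and a higher-priority router displaces the current master only when it has preempt configured. The controller IP addresses and the local controller's priority of 110 are constructed, since the guide's copy of the local controller configuration is truncated.

```python
"""Added example, not from the ArubaOS guide: effective VRRP priority under
tracking and the resulting master election. Constructed values: controller
IPs 10.200.22.1/.2 and the local controller's priority 110."""
import ipaddress


def parse_tracking(line):
    """'tracking master-up-time 30 add 20' -> ('master-up-time', 30, 'add', 20)
       'tracking vlan 68 sub 40'           -> ('vlan', 68, 'sub', 40)"""
    t = line.split()
    if len(t) != 5 or t[0] != "tracking" or t[3] not in ("add", "sub"):
        raise ValueError(f"unrecognised tracking statement: {line!r}")
    return (t[1], int(t[2]), t[3], int(t[4]))


def effective_priority(base, tracking, master_minutes=0, vlans_down=()):
    """Apply every tracking statement whose condition currently holds."""
    prio = base
    for kind, arg, op, value in tracking:
        if kind == "master-up-time":
            triggered = master_minutes >= arg      # has been master long enough
        elif kind == "vlan":
            triggered = arg in vlans_down          # tracked VLAN is down
        else:
            raise ValueError(f"unsupported tracking type {kind!r}")
        if triggered:
            prio += value if op == "add" else -value
    return max(1, min(254, prio))   # VRRP priority is 8 bits; 0 and 255 are reserved


def elect(routers, current_master=None):
    """routers: {name: {'ip': str, 'priority': int, 'preempt': bool}} for the
    routers currently alive. Returns the name of the master."""
    def rank(name):
        r = routers[name]
        return (r["priority"], int(ipaddress.ip_address(r["ip"])))
    best = max(routers, key=rank)
    if current_master in routers and best != current_master and not routers[best]["preempt"]:
        return current_master       # higher priority but no preempt: leave the master alone
    return best


# Constructed scenario following the guide's master-as-backup-to-local design.
MASTER_TRACKING = [parse_tracking("tracking master-up-time 30 add 20")]


def failover_story():
    """Master at each stage: steady state; local controller failed; local
    controller back after the backup has held the role for 45 minutes."""
    local = {"ip": "10.200.22.2", "priority": 110, "preempt": True}
    master = {"ip": "10.200.22.1", "preempt": True,
              "priority": effective_priority(100, MASTER_TRACKING)}
    stages = [elect({"local": local, "master": master})]
    stages.append(elect({"master": master}, current_master="local"))
    master["priority"] = effective_priority(100, MASTER_TRACKING, master_minutes=45)
    stages.append(elect({"local": local, "master": master}, current_master="master"))
    return stages


if __name__ == "__main__":
    print(failover_story())
```

The third stage is the point of the master-up-time tracker: once the master acting as backup has held the role for 30 minutes its priority rises above the returning local controller's, so a local controller that flaps does not pull the APs back and forth.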
Chapter 21 RSTP Dell’s implementation of Rapid Spanning Tree Protocol (RSTP) is as specified in 802.1w with backward compatibility to legacy Spanning Tree (STP) 802.1D. RSTP takes advantage of point-to-point links and provides rapid convergence of the spanning tree. RSTP is enabled by default on all Dell controllers. Migration and Interoperability Dell’s RSTP implementation interoperates with both PVST (Per VLAN Spanning Tree 802.1D) and Rapid-PVST (802.
In addition to port state changes, RSTP introduces port roles for all the interfaces (see Table 85).

Table 85 Port Role Descriptions (RSTP, 802.1w)
• Root: The port that receives the best BPDU on a bridge.
• Designated: The port that can send the best BPDU on the segment to which it is connected.
• Alternate: The port offers an alternate path, in the direction of the root bridge, to that provided by the bridge's root port.
Figure 73 Configuring RSTP

Since RSTP is enabled by default, the default values appear in the WebUI. Table 86 lists the RSTP defaults and ranges (when applicable) in the configuration interface mode (config-if).

Table 86 RSTP Default Values
• Port Cost: The RSTP interface path cost.
In the CLI
Change the default configurations via the command line.

(host) (config-if)#spanning-tree ?
cost            Change an interface's spanning tree path cost
point-to-point  Set interface as point-to-point link
port-priority   Change an interface's spanning tree priority
portfast        Allow a change from blocking to forwarding

Monitoring RSTP
Statistical information for point-to-point, role, BPDU etc. can be viewed from the WebUI (see Figure 74).
• The show spanning-tree interface command (config-if mode) displays Tx/Rx BPDU counters. Validate those values against the port's role. For example, if a port's role is "designated", it only transmits BPDUs and does not receive any, so its Tx counter keeps incrementing while its Rx counter stays the same. The opposite holds for a port whose role is "root", "alternate" or "backup".
Chapter 22 W-600 Series Controller The Dell PowerConnect W-600 Series Controller is designed for compact, cost-effective "all-in-one" networking solutions. The W-600 Series Controller includes a firewall, wireless LAN controller, 9-port (8-port for the W-650 and W-651) Ethernet switch with PoE+, IP router, site-to-site VPN edge device, file server, and print server. Additionally, the W-651 controller includes an integrated single radio dual-band (802.11 a/n or 802.
Internal Access Point (AP) The W-651 controller includes an internal AP. The internal AP is provisioned in the same way as any other external AP. The provisioning data is stored in the NVRAM. The internal AP identifies itself to a Master controller as the W-651. The internal AP can operate as an AP, Mesh Portal, or an Air Monitor. However, the W651 internal AP can not operate as a remote AP, a mesh point, or an RF Protect sensor. USB Cellular Modems USB Cellular Modems are supported via a USB port.
Figure 75 Cellular Profile Commands

(host) (config) # cellular profile profile_name
(host) (config-cellular profile_name)# ?
dialer      Dialer group settings
driver      Cellular modem driver
import      Import USB device parameters
modeswitch  USB device modeswitch settings
no          Delete Command
priority    Override default priority
serial      USB device serial
tty         Modem TTY port
user        User name authentication
vendor      USB Vendor ID
(host) (config-cellular profile_name)#

Figure 76 lists the Uplink commands.
Figure 78 WebUI Uplink Manager You can enable/disable the uplink to overwrite cellular and wired uplink priority. The corresponding commands are: (host) (config)# uplink [enable | disable] (host) (config)# uplink [cellular | wired] priority [x] Cellular Profile The Cellular Profile tab allows you to add/modify/delete one or more cellular profiles. The WebUI screen for Cellular Profile is divided into the Cellular Profile Table (the top portion) and the Modify Cellular Profile (the bottom portion).
Figure 79 Cellular Profile from the WebUI

Dialer Group
Use the Dialer Group command to configure EVDO devices that require specific input for the initial string (initstring) and dial string. When adding or modifying an existing dialer group (see Figure 80), the WebUI executes the following commands:

(host) (config-cellular profile_name)# dialer group init-string
(host) (config-cellular profile_name)# dialer group dial-string
Figure 80 Configuring Dialer Group Configuring a Supported USB Modem If your USB Modem is a validated modem, then no configuration is needed. Just follow the “plug and play” steps below. 1. Insert the USB Modem into an open USB port. 2.
Figure 83 show uplink

(host) #show uplink
Id  Uplink Type  Properties    Priority  State      Status
--  -----------  ------------  --------  ---------  --------
1   Wired        vlan 1        200       Connected  * Active
2   Cellular     Novatel_U727  100       Standby    * Ready
(host) #

Cellular uplinks have a lower priority than wired links by default (the uplink with the higher priority value is the one used). You can change the default by changing the profile-specific priority or by changing the default cellular priority.

Figure 84 uplink cellular priority

(host) (config) #uplink cellular priority 201
(host) (config) #

4.
If your modem is not recognized (such as "type is unknown", "no matching profile", or "device not ready"), use the show usb verbose command (Figure 86) to verify your modem is listed.

Figure 86 show usb verbose for profile and driver

(host) #show usb verbose
...
T:  Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#=  3 Spd=12  MxCh= 0
D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1410 ProdID=4100 Rev= 0.00
S:  Manufacturer=Novatel Wireless Inc.
If you get entries similar to the example below:

Figure 89 Driver=(none)

(host) #show usb verbose
...
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
...

This means the driver does not work with these ports. Try the other drivers and see if they pick up the device. Airprime is the reliable catch-all driver, Sierra is for certain Sierra cards, and cdc-acm is a legacy abstract control modem driver.
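The two checks above (is the modem listed, and has a driver claimed its interfaces) as an added example that is not code from the ArubaOS guide: it parses the per-device records that show usb verbose prints (the T:/D:/P:/S:/I: layout of the Linux /proc/bus/usb/devices file, which the guide's excerpt matches) and reports, per device, its vendor and product IDs and any interface still showing Driver=(none), i.e. the modems for which another driver should be tried. The sample text is constructed from the fragments shown in the guide plus a hub record, and KNOWN_MODEMS is a placeholder table, not the controller's real list of validated modems.

```python
"""Added example, not from the ArubaOS guide: parse `show usb verbose`
records and diagnose unclaimed modem interfaces. SAMPLE and KNOWN_MODEMS
are constructed."""
import re

SAMPLE = """\
T:  Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#=  3 Spd=12  MxCh= 0
D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1410 ProdID=4100 Rev= 0.00
S:  Manufacturer=Novatel Wireless Inc.
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480 MxCh= 4
D:  Ver= 2.00 Cls=09(hub  ) Sub=00 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=0424 ProdID=2502 Rev= 0.00
I:  If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub
"""

# Placeholder table: (vendor, product) -> cellular profile name. Constructed.
KNOWN_MODEMS = {("1410", "4100"): "novatel_evdo"}

_DEV = re.compile(r"Dev#=\s*(\d+)")
_IDS = re.compile(r"Vendor=([0-9a-fA-F]{4})\s+ProdID=([0-9a-fA-F]{4})")
_MFR = re.compile(r"Manufacturer=(.*)$")
_IFC = re.compile(r"If#=\s*(\d+).*?Driver=(\S+)")


def parse_usb_verbose(text):
    """List of device dicts: dev, vendor, product, manufacturer, interfaces [(if#, driver)]."""
    devices, cur = [], None
    for line in text.splitlines():
        tag = line[:2]
        if tag == "T:":                       # a T: line starts a new device record
            cur = {"dev": int(_DEV.search(line).group(1)), "vendor": None,
                   "product": None, "manufacturer": None, "interfaces": []}
            devices.append(cur)
        elif cur is None:
            continue                          # header or noise before the first record
        elif tag == "P:":
            m = _IDS.search(line)
            if m:
                cur["vendor"], cur["product"] = m.group(1).lower(), m.group(2).lower()
        elif tag == "S:":
            m = _MFR.search(line)
            if m:
                cur["manufacturer"] = m.group(1).strip()
        elif tag == "I:":
            m = _IFC.search(line)
            if m:
                cur["interfaces"].append((int(m.group(1)), m.group(2)))
    return devices


def unclaimed_interfaces(devices):
    """{dev#: [if#, ...]} for every device with an interface no driver has claimed."""
    return {d["dev"]: [n for n, drv in d["interfaces"] if drv == "(none)"]
            for d in devices if any(drv == "(none)" for _, drv in d["interfaces"])}


def diagnose(text, known=KNOWN_MODEMS):
    """Per device: 'ok' (profile known, driver bound), 'no-driver' (profile known
    but interfaces unclaimed: try airprime/sierra/cdc-acm), 'unknown-device'
    (IDs not in the table: needs a new profile), or 'hub-or-other'."""
    result = {}
    for d in parse_usb_verbose(text):
        unclaimed = [n for n, drv in d["interfaces"] if drv == "(none)"]
        if all(drv == "hub" for _, drv in d["interfaces"]):
            result[d["dev"]] = "hub-or-other"
        elif (d["vendor"], d["product"]) not in known:
            result[d["dev"]] = "unknown-device"
        elif unclaimed:
            result[d["dev"]] = "no-driver"
        else:
            result[d["dev"]] = "ok"
    return result


if __name__ == "__main__":
    print(unclaimed_interfaces(parse_usb_verbose(SAMPLE)), diagnose(SAMPLE))
```

Paste the full show usb verbose output into the function; a device reported as unknown-device needs a cellular profile with its vendor and product IDs, while no-driver means the profile exists and only the driver setting needs to change.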
Figure 93 Port I/O error

(host) (support)#show usb test 16 ttyUSB4
Error: Port I/O error. TTY port usb/16/ttyUSB4 inaccessible
(host) (support)#

Once you find one (or more) modem TTY ports, configure it in the cellular profile and test the port.

Testing the TTY Port
After your TTY port is correctly configured, the port is in the 'Device Ready' state.
Figure 96 show dialer group example

(host)# show dialer group
Dialer Group Table
------------------
Name     Init String                       Dial String
----     -----------                       -----------
evdo_us  ATQ0V1E0                          ATDT#777
gsm_us   AT+CGDCONT=1,"IP","ISP.CINGULAR"  ATD*99#
(host)#

The ATD in the Dial String column in Figure 96 specifies the number to dial, and is typically the same among respective CDMA/GSM carriers.
Power on the NAS device after you connect the NAS device to the W-600 Series Controller's USB port. Verify that the USB disk is detected (show usb command).

(host) #show usb
USB Device Table
----------------
Address  Product            Vendor  ProdID  Serial      Type     Profile  State
-------  -------            ------  ------  ------      ----     -------  -----
5        OneTouch           0d49    7350    2HAS49ZZ    Storage
3        Hub                0424    2502
4        HP LaserJet P3005  03f0    7317    CNH1D00105  Printer

Configuring in the CLI
1.
Users can now access the connected storage device from the filesystem path. For example: \\\\\

Managing NAS Devices
The following commands are available for managing NAS devices after they are mounted and configured in the controller. For more details on these commands, see the Dell PowerConnect Command Line Reference Guide.
Table 88 Multi-function Media Eject Button
(columns: Initial State; LED State; Action; Status LED; Function; LED when Action Completed)
• NAS Media Operational; Green-solid; Press and hold media eject button for 1 to 5 seconds only; Amber-flashing; Un-mount all NAS media; Amber-solid
• NAS Media Unmounted; Amber-solid; Press and hold media eject button for 1 to 5 seconds only; Amber-flashing; Mount all attached NAS devices, and return to fully functional operation; Green-solid
• Operational; Green-solid; Press and hold media e
3. You can rename or unmount a disk by right-clicking on the disk. z Rename—To rename a disk, right click on the disk name and select the Rename option. In the pop-up window, enter a new name for the disk and click the Ok button. z Un-mount—To un-mount a disk from the controller, right click on the disk name and select Unmount option. In the pop-up window, click the Unmount button confirm. 4. To view the list of directories in a mounted disk, expand and click on the partition name. 5.
6. Sharing folder—To enable share, click Share this folder check box and enter a name for the share. You can also set the access rights for the folder. Print Server The W-600 Series Controller allows you to connect a printer so that it is available to all connected clients. Printer Setup Connect the printer to the controller’s USB port and power on the printer. Then you can configure the printer using either the CLI or the WebUI. In the CLI 1.
In the WebUI You can set up and attach a printer using the W-600 Series Controller’s WebUI. The printer management options are available in the Configuration tab of the WebUI. Go to the Configuration tab and click Printer under Management. This will display the list of connected printer and the clients using the printer. If the printer service is not enabled, a blank page with a message and hyperlink to enable the printer service is displayed. 1.
Sample Topology and Configuration
Figure 97 uses both the W-650 and W-651 to illustrate this example topology. Where the W-650 is used, a W620 could be used just as effectively.

Figure 97 W-650 Sample Topology (figure; addressing recovered from the diagram labels)
   Remote Branch 1, user/AP VLANs/SW-IP: SW-IP 192.168.30.1; Vlan-30 192.168.30.x; Vlan-31 192.168.31.x; Vlan-32 192.168.32.x
   W-651
   Enterprise/HQ: SW-IP 192.168.225.1; Vlan-225 192.168.225.x; Vlan-100 192.168.100.x; Vlan-68 192.168.68.x; UplinkVlan 192.168.16.
interface gigabitethernet 1/3
   description "GE1/3"
   trusted
   switchport access vlan 32
!
interface vlan 16
   ip address 192.168.16.251 255.255.255.0
!
interface vlan 30
   ip address 192.168.30.1 255.255.255.0
!
interface vlan 31
   ip address 192.168.31.1 255.255.255.0
!
interface vlan 32
   ip address 192.168.32.1 255.255.255.0
!
uplink wired priority 202
uplink cellular priority 201
uplink wired vlan 16
interface tunnel 2003
   description "Tunnel Interface"
   ip address 2.0.0.3 255.0.0.0
   tunnel source 192.168.30.
!
interface gigabitethernet 1/3
   description "GE1/3"
   trusted
   switchport access vlan 52
!
interface vlan 20
   ip address 192.168.20.1 255.255.255.0
!
interface vlan 50
   ip address 192.168.50.1 255.255.255.0
!
interface vlan 51
   ip address 192.168.51.1 255.255.255.0
!
interface vlan 52
   ip address 192.168.52.1 255.255.255.0
!
uplink wired priority 206
uplink cellular priority 205
uplink wired vlan 20
interface tunnel 2005
   description "Tunnel Interface"
   ip address 2.0.0.5 255.0.0.0
   tunnel source 192.168.50.
!
interface vlan 68
   ip address 192.168.68.220 255.255.255.0
!
interface vlan 100
   ip address 192.168.100.1 255.255.255.0
!
interface vlan 225
   ip address 192.168.225.2 255.255.255.0
!
interface tunnel 2003
   description "Tunnel Interface"
   ip address 2.1.0.3 255.0.0.0
   tunnel source 192.168.225.2
   tunnel destination 192.168.30.1
   trusted
   ip ospf area 10.10.10.10
!
interface tunnel 2005
   description "Tunnel Interface"
   ip address 2.1.0.5 255.0.0.0
   tunnel source 192.168.225.2
   tunnel destination 192.168.50.
W-3200 Central Office Controller—Backup
Note: The ipsec key shown in this sample configuration is illustrative only. Never reuse a key that has appeared in documentation; generate a unique PSK for each controller pair as described in Chapter 18.

localip 0.0.0.0 ipsec db947e8d1b383813a4070ab0799fa6246b80fc5cfcc3268f
controller-ip vlan 225
!
interface gigabitethernet 1/0
   description "GE1/0"
   trusted
   switchport access vlan 225
!
interface gigabitethernet 1/1
   description "GE1/1"
   trusted
   switchport access vlan 100
!
interface gigabitethernet 1/2
   description "GE1/2"
   trusted
   switchport access vlan 68
!
interface vlan 68
   ip address 192.168.68.221 255.255.255.224
!
interface vlan 100
   ip address 192.168.100.5 255.255.
vrrp 2
   priority 99
   ip address 192.168.225.9
   vlan 225
   tracking vlan 68 sub 40
   tracking vlan 100 sub 40
   tracking vlan 225 sub 40
   no shutdown
!
ip default-gateway 192.168.68.1
ip route 192.168.0.0 255.255.0.0 null 0
!
router ospf
router ospf router-id 192.168.225.1
router ospf area 10.10.10.10 stub
router ospf redistribute vlan 100,225
!
Chapter 23 OSPFv2 OSPFv2 (Open Shortest Path First) is a dynamic Interior Gateway routing Protocol (IGP) based on IETF RFC 2328. The premise of OSPF is that the shortest or fastest routing path is used. Dell’s implementation of OSPFv2 allows Dell controllers to be deployed effectively in a Layer 3 topology. Dell controllers can act as default gateway for all clients and forward user packets to the upstream router.
WLAN Topology
The controller (Figure 98) is configured with VLAN 10 and VLAN 12 as user VLANs. These VLANs have clients on the subnets and the controller is the default router for those clients. VLAN 4 and VLAN 5 both have OSPF enabled. These interfaces are connected to upstream routers (Router 1 and Router 2). The OSPF interface cost on VLAN 4 is configured lower than on VLAN 5. The router IDs are:
• Dell controller: 40.1.1.1
• Router 1: 50.1.1.1
• Router 2: 60.1.1.1

Figure 98 WLAN OSPF Topology (figure)
Below is the routing table for Router 2:

(router2) #show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default

O    10.1.1.0/24 [2/0] via 5.1.1.1
O    12.1.1.0/24 [2/0] via 5.1.1.1
C    5.1.1.0 is directly connected, VLAN5

Branch Office Scenario
The branch office scenario has a number of remote branch offices with controllers talking to a central office via a Dell concentrator/controller using site-to-site VPN tunnels or master-local IPsec tunnels.
Branch Office Routing Table
View the branch office controller routing table using the show ip route command:

(host) #show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default

Gateway of last resort is 20.1.1.2 to network 0.0.0.0

O*   30.0.0.0/0 [1/0] via 20.1.1.2*
C    14.1.1.0 is directly connected, VLAN14
C    15.1.1.0 is directly connected, VLAN15
C    20.1.1.
Configuring OSPF
Configure general OSPF settings from the OSPF tab on the Configuration > IP page (see Figure 100). The Area and Excluded subnets are displayed in table format. If not explicitly specified for OSPF, the router ID defaults to the switch IP.

Figure 100 General OSPF Configuration

Configure the OSPF interface settings in the Configuration screen (Figure 101). If OSPF is enabled, the parameters contain the correct default values.
OSPF monitoring is available from an IP Routing sub-section (see Figure 102). Both Static and OSPF routes are available in table format. Figure 102 Monitoring OSPF OSPF Interfaces and Neighboring information is available from the OSPF tab (see Figure 102). The Interface information includes transmit (TX) and receive (RX) statistics. Deployment Best Practices Below are some guidelines regarding deployment and topology for this release of OSPFv2.
Sample Topology and Configuration
Figure 103 displays a sample OSPF topology followed by sample configurations of the Remote Branch 1, Remote Branch 2, and the W-3200 Central Office Controller (Active and Backup).

Figure 103 Sample OSPF Topology (figure; addressing recovered from the diagram labels)
   Remote Branch 1, user/AP VLANs/SW-IP: SW-IP 192.168.30.1; Vlan-30 192.168.30.x; Vlan-31 192.168.31.x; Vlan-32 192.168.32.x
   Enterprise/HQ: SW-IP 192.168.225.1; Vlan-225 192.168.225.x; Vlan-100 192.168.100.x; Vlan-68 192.168.68.
   trusted
   switchport access vlan 32
!
interface vlan 16
   ip address 192.168.16.251 255.255.255.0
!
interface vlan 30
   ip address 192.168.30.1 255.255.255.0
!
interface vlan 31
   ip address 192.168.31.1 255.255.255.0
!
interface vlan 32
   ip address 192.168.32.1 255.255.255.0
!
uplink wired priority 202
uplink cellular priority 201
uplink wired vlan 16
interface tunnel 2003
   description "Tunnel Interface"
   ip address 2.0.0.3 255.0.0.0
   tunnel source 192.168.30.1
   tunnel destination 192.168.68.
description "GE1/3"
trusted
switchport access vlan 52
!
interface vlan 20
ip address 192.168.20.1 255.255.255.0
!
interface vlan 50
ip address 192.168.50.1 255.255.255.0
!
interface vlan 51
ip address 192.168.51.1 255.255.255.0
!
interface vlan 52
ip address 192.168.52.1 255.255.255.0
!
uplink wired priority 206
uplink cellular priority 205
uplink wired vlan 20
interface tunnel 2005
description "Tunnel Interface"
ip address 2.0.0.5 255.0.0.0
tunnel source 192.168.50.1
tunnel destination 192.168.68.
!
interface vlan 100
ip address 192.168.100.1 255.255.255.0
!
interface vlan 225
ip address 192.168.225.2 255.255.255.0
!
interface tunnel 2003
description "Tunnel Interface"
ip address 2.1.0.3 255.0.0.0
tunnel source 192.168.225.2
tunnel destination 192.168.30.1
trusted
ip ospf area 10.10.10.10
!
interface tunnel 2005
description "Tunnel Interface"
ip address 2.1.0.5 255.0.0.0
tunnel source 192.168.225.2
tunnel destination 192.168.50.1
trusted
ip ospf area 10.10.10.
W-3200 Central Office Controller—Backup
localip 0.0.0.0 ipsec db947e8d1b383813a4070ab0799fa6246b80fc5cfcc3268f
controller-ip vlan 225
!
interface gigabitethernet 1/0
description "GE1/0"
trusted
switchport access vlan 225
!
interface gigabitethernet 1/1
description "GE1/1"
trusted
switchport access vlan 100
!
interface gigabitethernet 1/2
description "GE1/2"
trusted
switchport access vlan 68
!
interface vlan 68
ip address 192.168.68.221 255.255.255.224
!
interface vlan 100
ip address 192.168.100.5 255.255.
priority 99
ip address 192.168.225.9
vlan 225
tracking vlan 68 sub 40
tracking vlan 100 sub 40
tracking vlan 225 sub 40
no shutdown
!
ip default-gateway 192.168.68.1
ip route 192.168.0.0 255.255.0.0 null 0
!
router ospf
router ospf router-id 192.168.225.1
router ospf area 10.10.10.10 stub
router ospf redistribute vlan 100,225
!
Chapter 24 Wireless Intrusion Prevention This chapter describes how to configure various intrusion detection system (IDS) capabilities of the Dell user-centric network. The Dell network offers a variety of IDS/intrusion prevention system (IPS) features that you can configure and deploy as required. Like most other security-related features of the Dell network, the IDS configuration is done completely on the master controller in the network.
Adhoc Network Detection and Containment As far as network administrators are concerned, ad-hoc wireless networks are uncontrolled. If they do not use encryption, they may expose sensitive data to outside eavesdroppers. If a device is connected to a wired network and has bridging enabled, an ad-hoc network may also function like a rogue AP. Additionally, ad-hoc networks can expose client devices to viruses and other security vulnerabilities.
network equipment. Denial of Service attack detection encompasses both rate analysis and the detection of a specific DoS attack known as Fake AP. Rate Analysis Many DoS attacks flood an AP or multiple APs with 802.11 management frames. These can include authenticate/associate frames, which are designed to fill up the association table of an AP. Other management frame floods, such as probe request floods, can consume excess processing power on the AP.
Signature Detection Many WLAN intrusion and attack tools generate characteristic signatures that can be detected by the Dell network. The system is pre-configured with several known signatures, and also includes the ability for you to create new signatures. For more details on how to configure and create new signatures refer to “Signature Detection” on page 466. IDS Configuration This section describes how to configure IDS features using the IDS profiles.
Configuring IDS via the CLI To configure the IDS profile via the command-line interface, access the CLI in config mode and issue the following commands: ap-group ids-profile IDS General Profile Table 90 describes the parameters you can configure in the IDS general profile. Table 90 IDS General Profile Configuration Parameters Parameter Description Stats Update Interval Time interval, in seconds, for the AP to update the controller with statistics.
Configuring the General Profile via the WebUI 1. Navigate to the Configuration > AP Configuration page. Select either AP Group or AP Specific. If you selected AP Group, click Edit for the AP group name for which you want to configure IDS. If you selected AP Specific, select the name of the AP for which you want to configure IDS. 2. Expand the IDS menu. Select IDS profile to display the IDS profiles that are contained in the top-level profile. 3. Select IDS General profile. 4.
Table 92 IDS Denial of Service Profile Configuration Parameters (Continued) Parameter Description AP Flood Increase Time Time, in seconds, during which a configured number of Fake AP beacons must be received to trigger an alarm. Default: 3 seconds AP Flood Detection Quiet Time After an alarm has been triggered by a Fake AP flood, the time (in seconds) that must elapse before an identical alarm may be triggered.
Table 93 Predefined IDS DoS Profiles
Parameter | ids-dos-disabled | ids-dos-low-setting | ids-dos-medium-setting | ids-dos-high-setting
EAP Rate Quiet Time | 900 seconds | 900 seconds | 900 seconds | 900 seconds
Detect Rate Anomalies | disabled | disabled | disabled | enabled
Detect 802.
detect-ap-flood
detect-eap-rate-anomaly
detect-ht-40mhz-intolerance
detect-rate-anomalies
disassoc-rate-thresholds
eap-rate-quiet-time
eap-rate-threshold
eap-rate-time-interval
probe-request-rate-thresholds
probe-response-rate-thresholds
spoofed-deauth-blacklist
IDS Rate Thresholds Profile The IDS rate thresholds profile defines thresholds assigned to the different frame types for rate anomaly checking.
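The following is an added illustration, not ArubaOS code, of how a rate-anomaly check of the kind described for the DoS and rate thresholds profiles behaves: frames from one source are counted inside a sliding measurement window, an alarm fires when the per-node threshold is reached, and an identical alarm is suppressed for the quiet time. The parameter names mirror node-threshold, node-time-interval and node-quiet-time from this chapter; the frame records are constructed sample data.

```python
"""Sliding-window rate-anomaly check for 802.11 management frames.

Added illustration (not ArubaOS code). Models the node-threshold /
node-time-interval / node-quiet-time semantics of the IDS rate thresholds
profile; the same increase-time / quiet-time pattern appears in the DoS
profile. Sample frame records are constructed inline.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class RateThreshold:
    frame_type: str             # e.g. "probe-request", "auth", "assoc", "deauth", "disassoc"
    node_threshold: int         # frames from one source MAC inside the window that raise an alarm
    node_time_interval: float   # seconds: length of the measurement window
    node_quiet_time: float      # seconds: after an alarm, no identical alarm for this source


@dataclass
class RateAnomalyDetector:
    thresholds: dict                                   # frame_type -> RateThreshold
    _windows: dict = field(default_factory=lambda: defaultdict(deque))
    _last_alarm: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)

    def observe(self, ts, frame_type, src_mac):
        """Feed one frame. Returns an alarm dict when the threshold is crossed, else None."""
        th = self.thresholds.get(frame_type)
        if th is None:
            return None                      # no threshold configured for this frame type
        key = (frame_type, src_mac)
        win = self._windows[key]
        win.append(ts)
        # discard frames that fell out of the measurement window
        while win and ts - win[0] > th.node_time_interval:
            win.popleft()
        if len(win) < th.node_threshold:
            return None
        last = self._last_alarm.get(key)
        if last is not None and ts - last < th.node_quiet_time:
            return None                      # still inside quiet time: suppress duplicate alarm
        self._last_alarm[key] = ts
        alarm = {"ts": ts, "type": frame_type, "src": src_mac, "count": len(win)}
        self.alarms.append(alarm)
        return alarm


def run_sample():
    """Replay constructed frame records through the detector and return the alarms raised."""
    det = RateAnomalyDetector(thresholds={
        "probe-request": RateThreshold("probe-request", node_threshold=5,
                                       node_time_interval=2.0, node_quiet_time=10.0),
        "auth": RateThreshold("auth", node_threshold=3,
                              node_time_interval=1.0, node_quiet_time=5.0),
    })
    # Constructed sample: (timestamp, frame type, source MAC). Station ..0a bursts probe
    # requests, station ..0b probes at a normal rate, station ..0c floods authentications.
    frames = [
        (0.0, "probe-request", "00:11:22:33:44:0a"),
        (0.3, "probe-request", "00:11:22:33:44:0a"),
        (0.5, "probe-request", "00:11:22:33:44:0b"),
        (0.6, "probe-request", "00:11:22:33:44:0a"),
        (0.9, "probe-request", "00:11:22:33:44:0a"),
        (1.2, "probe-request", "00:11:22:33:44:0a"),   # 5th from ..0a within 2 s -> alarm
        (1.3, "probe-request", "00:11:22:33:44:0a"),   # inside quiet time -> suppressed
        (5.0, "probe-request", "00:11:22:33:44:0b"),
        (6.0, "auth", "00:11:22:33:44:0c"),
        (6.2, "auth", "00:11:22:33:44:0c"),
        (6.4, "auth", "00:11:22:33:44:0c"),            # 3 auth frames in 1 s -> alarm
        (12.0, "probe-request", "00:11:22:33:44:0a"),
        (12.1, "probe-request", "00:11:22:33:44:0a"),
        (12.2, "probe-request", "00:11:22:33:44:0a"),
        (12.3, "probe-request", "00:11:22:33:44:0a"),
        (12.4, "probe-request", "00:11:22:33:44:0a"),  # quiet time (10 s) elapsed -> new alarm
    ]
    for ts, ftype, src in frames:
        det.observe(ts, ftype, src)
    return det.alarms
```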
Configuring the Rate Thresholds Profile via the CLI To configure this profile via the command-line interface, access the CLI in config mode and issue the following commands:
ids rate-thresholds-profile
channel-inc-time
channel-quiet-time
clone
node-quiet-time
node-threshold
node-time-interval
ids dos-profile
Impersonation Detection Profile Table 95 describes the parameters you can configure in the
Configuring the Impersonation Profile via the CLI To configure this profile via the command-line interface, access the CLI in config mode and issue the following commands:
ids impersonation-profile
beacon-diff-threshold
beacon-inc-wait-time
clone
detect-ap-impersonation
protect-ap-impersonation
Signature Matching Profile The IDS signature matching profile contains signatures for intrusion detection.
Configuring the Signature Matching Profile via the CLI To configure this profile via the command-line interface, access the CLI in config mode and issue the following commands:
ids signature-matching-profile
signature
IDS Signature Profile Signature rules match an attribute to a value. For example, you can add a rule that matches the BSSID to the value 00:00:00:00:00:0a. Table 97 describes the attributes and values you can configure for a signature rule.
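As an added illustration (not ArubaOS code) of how attribute-to-value signature rules are evaluated, the matcher below accepts the attributes listed for ids signature-profile in this section (bssid, dst-mac, src-mac, frame-type, ssid, ssid-length, seq-num, payload with an optional offset) and reports which constructed sample frames each signature matches. The assumption that every rule in a signature must match for the signature to fire, the signature names and the sample frames are mine.

```python
"""Evaluate IDS-style signature rules against 802.11 frame records.

Added illustration (not ArubaOS code). Attribute names follow the
ids signature-profile parameters on this page; the all-rules-must-match
semantics, the signature names and the sample frames are assumptions.
"""
import binascii

FRAME_TYPES = {"assoc", "auth", "beacon", "control", "data", "deauth",
               "disassoc", "mgmt", "probe-request", "probe-response"}


def rule_matches(rule, frame):
    """rule: (attribute, value) or ("payload", hexstring, offset); frame: dict for one frame."""
    attr, value = rule[0], rule[1]
    if attr in ("bssid", "dst-mac", "src-mac"):
        return frame.get(attr, "").lower() == value.lower()   # MAC compare is case-insensitive
    if attr == "frame-type":
        if value not in FRAME_TYPES:
            raise ValueError("unknown frame-type %r" % value)
        return frame.get("frame-type") == value
    if attr == "ssid":
        return frame.get("ssid") == value
    if attr == "ssid-length":
        return len(frame.get("ssid", "")) == int(value)
    if attr == "seq-num":
        return frame.get("seq-num") == int(value)
    if attr == "payload":
        pattern = binascii.unhexlify(value)
        body = frame.get("payload", b"")
        if len(rule) > 2:                       # explicit offset: pattern must sit exactly there
            off = int(rule[2])
            return body[off:off + len(pattern)] == pattern
        return pattern in body                  # no offset: anywhere in the payload
    raise ValueError("unknown attribute %r" % attr)


def match_signatures(signatures, frames):
    """Return [(signature name, frame index)] for each signature whose rules all match a frame."""
    hits = []
    for idx, frame in enumerate(frames):
        for name, rules in signatures.items():
            if all(rule_matches(r, frame) for r in rules):
                hits.append((name, idx))
    return hits


# Constructed sample signatures (names/values are illustrative, not ArubaOS predefined ones).
SIGNATURES = {
    "example-bssid-rule": [("bssid", "00:00:00:00:00:0a")],        # the rule from the text
    "deauth-to-broadcast": [("frame-type", "deauth"), ("dst-mac", "ff:ff:ff:ff:ff:ff")],
    "probe-marker-at-offset-4": [("frame-type", "probe-request"), ("ssid-length", "0"),
                                 ("payload", "deadbeef", "4")],   # bytes de ad be ef at offset 4
}

# Constructed sample frames.
FRAMES = [
    {"frame-type": "beacon", "bssid": "00:00:00:00:00:0A", "src-mac": "00:00:00:00:00:0A",
     "dst-mac": "ff:ff:ff:ff:ff:ff", "ssid": "corp", "seq-num": 10, "payload": b"\x00\x01"},
    {"frame-type": "deauth", "bssid": "02:aa:bb:cc:dd:ee", "src-mac": "02:aa:bb:cc:dd:ee",
     "dst-mac": "ff:ff:ff:ff:ff:ff", "ssid": "", "seq-num": 11, "payload": b"\x07\x00"},
    {"frame-type": "probe-request", "bssid": "ff:ff:ff:ff:ff:ff", "src-mac": "06:11:22:33:44:55",
     "dst-mac": "ff:ff:ff:ff:ff:ff", "ssid": "", "seq-num": 12,
     "payload": b"\x00\x00\x01\x02" + bytes.fromhex("deadbeef") + b"\x00"},
    {"frame-type": "probe-request", "bssid": "ff:ff:ff:ff:ff:ff", "src-mac": "06:11:22:33:44:66",
     "dst-mac": "ff:ff:ff:ff:ff:ff", "ssid": "", "seq-num": 13,
     "payload": b"\x00\x00\x01" + bytes.fromhex("deadbeef") + b"\x00\x00"},  # marker at offset 3
]


def run_sample():
    return match_signatures(SIGNATURES, FRAMES)
```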
Creating a New Signature via the CLI To configure this profile via the command-line interface, access the CLI in config mode and issue the following commands:
ids signature-profile
bssid
clone
dst-mac
frame-type {assoc|auth|beacon|control|data|deauth|disassoc|mgmt|probe-request|probe-response} [ssid ] [ssid-length ]
payload [offset ]
seq-num
src-mac
Unauthorized Device Detection Table 98 describes the parameters (and
Table 98 IDS Unauthorized Device Profile Configuration Parameters (Continued) Parameter Description Overlay Rogue Classification Overlay Rogue Classification is classification through valid/rogue APs. A controller uses the wired-mac table of other valid and rogue APs as equivalents of the wired MACs that it sees on its own network. When this match is triggered, it makes a note of the AP that helped in this process, and this information is displayed as the Helper-AP.
Table 98 IDS Unauthorized Device Profile Configuration Parameters (Continued) Parameter Description Protect Valid Stations Does not allow valid stations to connect to a non-valid AP (see “Classifying APs” on page 482). Default: disabled Detect Bad WEP Enables or disables detection of WEP initialization vectors that are known to be weak. A primary means of cracking WEP keys is to capture 802.
The default and predefined IDS unauthorized device profiles are shown in the table below. The Default profile is the equivalent of an “ids-unauthorized-device-low-setting” profile.
Table 99 Default and Predefined IDS Unauthorized Device Profiles
Parameter | Default | ids-unauthorized-device-disabled | ids-unauthorized-device-medium-setting | ids-unauthorized-device-high-setting
Protect 40 MHz 802.11n High-throughput Devices | disabled | disabled | disabled | enabled
Detect Active 802.11n Greenfield Mode | disabled | enabled | enabled | enabled
Configuring the Unauthorized Device Profile via the WebUI 1. Navigate to the Configuration > AP Configuration page. Select either AP Group or AP Specific.
require-wpa
rogue-containment
suspect-rogue-conf-level
suspect-rogue-containment
valid-and-protected-ssid
valid-oui
valid-wired-mac
wireless-bridge-quiet-time
WLAN Management System The WLAN management system (WMS) on the controller monitors wireless traffic to detect any new AP or wireless client station that tries to connect to the network.
Configuring WMS via the CLI Use the following commands to configure WMS via the CLI. The parameters in this command are described in detail in Table 100.
To enable AP learning via the command-line interface, access the CLI in config mode and issue the following commands: wms general learn-ap {enable|disable} Classifying APs If AP learning is enabled, non-Dell APs connected on the same wired network as Dell APs are classified as valid APs. If AP learning is disabled, a non-Dell AP is classified as a rogue AP. You can also manually classify an AP. For example, if you know about an interfering AP, you can manually reclassify it as a known interfering AP.
• List of valid AP MAC OUIs
• Valid SSID list (exceptions are described in “Valid Enterprise SSIDs” on page 483)
This classification is primarily for enforcing security policies on non-Dell APs, although the classification and protection mechanism also applies to all valid Dell APs. Valid Enterprise SSIDs SSIDs added to the Valid Enterprise SSID list are known as “Valid SSIDs” or “Reserved SSIDs.” The list is empty by default and does not contain any SSIDs configured on the controller.
Table 102 Valid SSIDs with Multi-Tenancy and Misconfigured AP Protection
Multi-Tenancy Protection: Enabled
Misconfigured AP Protection: Enabled
Client Connections: If there are entries in the valid SSID list:
• Clients can connect to valid SSIDs on valid APs.
• Clients cannot connect to valid SSIDs on interfering APs (including known interfering APs).
• Clients cannot connect to SSIDs not in the valid SSID list on valid APs.
• Clients can connect to SSIDs not in the valid SSID list on interfering APs.
Manual Blacklisting There are several reasons why you may choose to blacklist a client. For example, you can enable different Dell intrusion detection system (IDS) features that detect suspicious activities, such as MAC address spoofing or denial of service attacks. When these activities are detected, an event is logged and an SNMP trap is sent with the client information. To blacklist a client, you need to know its MAC address. To manually blacklist a client via the WebUI: 1.
Man in the middle (MITM) attacks begin with an intruder impersonating a valid enterprise AP. If an AP needs to reboot, it sends deauthentication packets to connected clients to enable them to disconnect and reassociate with another AP. An intruder or attacker can spoof deauthentication packets, forcing clients to disconnect from the network and reassociate with the attacker’s AP. A valid enterprise client associates to the intruder’s AP, while the intruder then associates to the enterprise AP.
Removing a Client from Blacklisting You can manually remove a client from blacklisting using either the WebUI or CLI: To remove a client from blacklisting via the WebUI: 1. Navigate to the Monitoring > Controller > Blacklist Clients page. 2. Select the client that you want to remove from the blacklist, then click Remove from Blacklist.
Chapter 25 Link Aggregation Control Protocol The Dell PowerConnect implementation of Link Aggregation Control Protocol (LACP) is based on the standards specified in 802.3ad. LACP provides a standardized means for exchanging information with partner systems to form a link aggregation group (LAG). LACP avoids port channel misconfiguration. Two devices (actor and partner) exchange LACP data units (DUs) in the process of forming a LAG.
1. Enable LACP and configure the per-port specific LACP. The group number range is 0 to 7. lacp group mode {active | passive}
• Active mode—the interface is in active negotiating state. LACP runs on any link that is configured to be in the active state. A port in active mode also automatically initiates negotiations with other ports by sending LACP packets.
• Passive mode—the interface is not in an active negotiating state.
In the WebUI Access LACP from the Configuration->Network->Port tabs. Use the drop-down menus to enter the LACP values.
• LACP Group—The link aggregation group (LAG) number; range is 0 to 7
• Mode—Active negotiation state, or not in an active negotiation state as indicated by the passive option.
• The output of the command show interface port-channel now indicates if the LAG is created by LACP (dynamic) or static configuration. If the LAG is created via LACP, you cannot add/delete any ports under that port channel. All other commands are allowed.
Chapter 26 Management Access This chapter describes management access and tasks for a user-centric network and includes the following topics:
• “Certificate Authentication for WebUI Access” on page 493
• “Management Password Policy” on page 500
• “Managed RFprotect Sensors” on page 502
• “Managing Certificates” on page 503
• “Configuring SNMP” on page 507
• “Configuring Logging” on page 509
• “Guest Provisioning” on page 510
• “Managing Files on the Controller” on page 521
• “Setting the S
5. To configure the management user, navigate to the Configuration > Management > Administration page. a. Under Management Users, click Add. b. Select Certificate Management. c. Select WebUI Certificate. d. Enter the username. e. Select the user role assigned to the user upon validation of the client certificate. f. Enter the serial number for the client certificate. g. Select the name of the CA that issued the client certificate. h. Click Apply.
f. Select the client certificate. g. Click Apply. In the CLI ssh mgmt-auth public-key [username/password] mgmt-user ssh-pubkey client-cert Radius Server Authentication Radius Server Username/Password Authentication In this example, an external RADIUS server is used to authenticate management users. Upon authentication, users are assigned the default role root. In the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2.
RADIUS Server Authentication with VSA In this scenario, an external RADIUS server authenticates management users and returns to the controller the Dell vendor-specific attribute (VSA) called Dell-Admin-Role that contains the name of the management role for the user. The authenticated user is placed into the management role specified by the VSA. The controller configuration is identical to the “Radius Server Username/Password Authentication” on page 495.
4. Navigate to the Configuration > Management > Administration page. a. Under Management Authentication Servers, select a management role (for example, read-only) for the Default Role. b. Select (check) Mode. c. For Server Group, select the server group that you just configured. d. Click Apply.
In the CLI
aaa authentication-server radius rad1
host
enable
aaa server-group corp_rad
auth-server rad1
set role condition Class equals it set-value root
aaa authentication mgmt
default-role read-only
enable
server-group corp_rad
For more information about configuring server-derivation rules, see “Configuring Server-Derivation Rules” on page 244.
This procedure also resets the enable mode password to enable. If you have defined a management user password policy, make sure that the new password conforms to this policy. For details, see “Management Password Policy” on page 500. Figure 104 is an example of how to reset the password. The commands in bold type are what you enter.
Setting a WebUI Session Timeout To define a timeout interval for a WebUI session, use the command: web-server sessiontimeout In the above command, can be any number of seconds from 30 to 3600, inclusive. Management Password Policy By default, the password for a new management user has no requirements other than a minimum length of 6 alphanumeric or special characters.
Table 103 Management Password Policy Settings Parameter Description Maximum Number of failed attempts in 3 minute window to lockout user The number of failed attempts within a 3-minute window that causes the user to be locked out for the period of time specified by the Time duration to lockout the user upon crossing the "lock-out" threshold parameter. Range: 0-10 attempts. By default, the password lockout feature is disabled, and the default value of this parameter is 0 attempts.
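As an added illustration (not ArubaOS code) of the two halves of the management password policy, the code below checks a candidate password against the conformance settings named by the aaa password-policy mgmt options in this section and tracks failed logins in the 3-minute lockout window. The interpretation of password-max-character-repeat as the longest run of one repeated character and of password-not-username as "must not contain the username" are my assumptions, as are the sample policy values.

```python
"""Management password conformance check plus failed-login lockout tracking.

Added illustration (not ArubaOS code). Parameter names follow the
aaa password-policy mgmt options on this page; the exact semantics of
password-max-character-repeat and password-not-username are assumptions.
"""
import string
from collections import deque

LOCKOUT_WINDOW = 180.0   # the 3-minute failed-attempt window from the policy table, in seconds


def check_password(pw, username, policy):
    """Return a list of policy violations (an empty list means the password conforms)."""
    problems = []
    if len(pw) < policy.get("password-min-length", 6):   # default minimum is 6 characters
        problems.append("shorter than password-min-length")
    if sum(c.isdigit() for c in pw) < policy.get("password-min-digit", 0):
        problems.append("fewer digits than password-min-digit")
    if sum(c.islower() for c in pw) < policy.get("password-min-lowercase-characters", 0):
        problems.append("fewer lowercase than password-min-lowercase-characters")
    if sum(c.isupper() for c in pw) < policy.get("password-min-uppercase-characters", 0):
        problems.append("fewer uppercase than password-min-uppercase-characters")
    if sum(c in string.punctuation for c in pw) < policy.get("password-min-special-character", 0):
        problems.append("fewer special characters than password-min-special-character")
    max_rep = policy.get("password-max-character-repeat")
    if max_rep:
        run, longest = 1, 1                 # longest run of one repeated character (assumed meaning)
        for a, b in zip(pw, pw[1:]):
            run = run + 1 if a == b else 1
            longest = max(longest, run)
        if longest > max_rep:
            problems.append("a character repeats more than password-max-character-repeat")
    if policy.get("password-not-username") and username and username.lower() in pw.lower():
        problems.append("contains the username (password-not-username)")
    return problems


class LockoutTracker:
    """Sliding-window failed-login counter: lock the user out after `threshold` failures
    within LOCKOUT_WINDOW for `lock_time` seconds. A threshold of 0 disables the feature,
    matching the table's default."""

    def __init__(self, threshold, lock_time):
        self.threshold = threshold
        self.lock_time = lock_time
        self.failures = {}       # username -> deque of failure timestamps
        self.locked_until = {}   # username -> time at which the lock expires

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, 0.0)

    def record_failure(self, user, now):
        """Record a failed attempt; return True if this attempt triggers a lockout."""
        if self.threshold == 0:
            return False
        q = self.failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > LOCKOUT_WINDOW:   # drop failures outside the 3-minute window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[user] = now + self.lock_time
            q.clear()
            return True
        return False


def run_sample():
    """Constructed scenario: one weak and one conforming password, then three failures."""
    policy = {"password-min-length": 8, "password-min-digit": 1,
              "password-min-uppercase-characters": 1, "password-min-special-character": 1,
              "password-max-character-repeat": 2, "password-not-username": True}
    weak = check_password("admin1111", "admin", policy)
    strong = check_password("Tq7!vbn2", "admin", policy)
    lt = LockoutTracker(threshold=3, lock_time=60.0)
    events = [lt.record_failure("admin", t) for t in (0.0, 10.0, 20.0)]
    return weak, strong, events, lt.is_locked("admin", 30.0), lt.is_locked("admin", 100.0)
```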
In the CLI
aaa password-policy mgmt
enable
no
password-lock-out
password-lock-out-time
password-max-character-repeat
password-min-digit
password-min-length
password-min-lowercase-characters
password-min-special-character
password-min-uppercase-characters
password-not-username
Managed RFprotect Sensors When a Dell controller is present in a Dell RFprotect system, a Dell AP that is acting as an RFprotect sensor can be configured and managed from the controller.
RFprotect Managed Sensors are shown in the Network > RFprotect Sensors and Controller > RFprotect Sensors pages. In the CLI rf dot11a|dot11g-radio-profile mode sensor-mode In the output of the show ap database and show ap active commands, sensor mode is indicated with an “S” flag (for RFprotect Sensor). Configuring the RFprotect Server You can configure the RFprotect server to monitor rogue APs and ad-hoc clients. In the WebUI 1. Navigate to the Configuration > Wireless > AP Configuration page. 2.
During certificate-based authentication, the controller provides its server certificate to the client for authentication. After validating the controller’s server certificate, the client presents its own certificate to the controller for authentication. To validate the client certificate, the controller checks the certificate revocation list (CRL) maintained by the CA that issued the client certificate.
Table 105 CSR Parameters
Parameter | Description | Range
key | Length of private/public key. | 1024/2048/4096
common_name | Typically, this is the host and domain name, as in www.yourcompany.com. | —
country | Two-letter ISO country code for the country in which your organization is located.
state_or_province | State, province, region, or territory in which your organization is located.
city | City in which your organization is located.
organization | Name of your organization.
• Client certificate and client’s public key. (The public key is used for applications such as SSH, which does not support X509 certificates and requires the public key to verify an allowed certificate.)
Certificates can be in the following formats:
• X509 PEM unencrypted
• X509 PEM encrypted with a key
• DER
• PKCS7 encrypted
• PKCS12 encrypted
In the WebUI 1. Navigate to the Configuration > Management > Certificates > Upload page. 2. For Certificate Name, enter a user-defined name. 3.
Imported Certificate Locations Imported certificates and keys are stored in the following locations in flash on the controller:
Table 107 Imported Certificate Locations
Location | Description
/flash/certmgr/trustedCAs | Trusted CA certificates, either for root or intermediate CAs. Dell recommends that if you import the certificate for an intermediate CA, you also import the certificate for the signing CA.
/flash/certmgr/serverCerts | Server certificates.
Table 108 SNMP Parameters for the Controller (Continued) Field Description Enable Trap Generation Enables generation of SNMP traps to configured SNMP trap receivers. Refer to the list of traps in the “SNMP traps” section below for a list of traps that are generated by the Dell controller. Trap receivers Host information about a trap receiver. This host needs to be running a trap receiver to receive and interpret the traps sent by the Dell controller.
Configuring Logging This section outlines the steps required to configure logging on a Dell controller. For each category or subcategory of message, you can set the logging level or severity level of the messages to be logged.
For each category or subcategory, you can configure a logging level. Table 110 describes the logging levels in order of severity, from most to least severe.
Table 110 Logging Levels
Logging Level | Description
Emergency | Panic conditions that occur when the system becomes unusable.
Alert | Any condition requiring immediate attention and correction.
Critical | Any critical conditions such as a hard drive error.
Errors | Error conditions.
Warning | Warning messages.
Configuring the Guest Provisioning Page Use the Guest Provisioning Configuration page to create the Guest Provisioning page. This configuration page consists of three tabs: Guest Fields, Page Design and Email. You configure the information on all three tabs to create a Guest Provisioning page.
• Guest Fields tab—lets you select the fields that appear on the Guest Provisioning page.
Figure 106 Guest Provisioning Configuration Page—Guest Fields Tab 2. Select the checkbox next to each field, described in Table 111, that you want to appear on the Guest Provisioning page. Optionally, you can customize the label that appears in the UI. 3. Click Preview Current Settings to view what the Guest Provisioning page looks like while you are designing it. 4. To save changes, click Apply.
Table 111 Guest Provisioning—Guest Field Descriptions (Continued)
Guest Field | Description
grantor_role | The authentication role of the grantor.
sponsor_category | A sponsor is the guest's primary contact for the visit. This is the label in the Guest Provisioning page for the sponsor information.
sponsor_username | Username of the sponsor.
sponsor_dept | Sponsor's work department.
sponsor_email | Sponsor's Email address.
5. Enter the hex value for the color of the background in the Background color field. This determines the color of the header of the guest listing. 6. Click Preview Current Settings to preview the Guest Provisioning page while you are designing it. 7. To save changes, click Apply. Configuring Email Messages You can specify an email to be sent to the guest or sponsor (or both).
Figure 108 Guest Provisioning Configuration Page—Email Tab 2. To create a message for a guest or sponsor, customize the text in the Subject, From and Body fields as needed for both the Guest message and Sponsor message. 3. Optionally, select the Send automatically at account creation time checkbox when you want an email message to be sent to the guest and/or sponsor alerting them that a guest account has just been created.
• Smart Card authentication
Static authentication—Uses a configured certificate name and serial number to derive the user role. This authentication process uses a previously configured certificate name and serial number to derive the user role. This method does not use an external authentication server.
Authentication server—Uses an external authentication server to derive the management role.
9. In the Management Users section, click Add to display the Configuration > Management > Add User page. 10. Select Certificate Management, WebUI Certificate and Use external authentication server to authenticate. 11. Select the trusted CA certificate you want to use from the Trusted CA Certificated Name drop-down menu. 12. Click Apply and Save Configuration. In the CLI Username and Password Method This example creates a user named Paula and assigns her the role of guest provisioning.
Creating Guest Accounts After the Guest Provisioning user is created, that person can log in to the controller using the preconfigured username and password. The Management User Summary page displays. (See Figure 112.) This is a sample page as the fields may differ based on how the network administrator designed the page.
Figure 112 Creating a Guest Account—New Guest Window To see details about an existing user account, highlight an existing account and select the Show Details checkbox. The Show Details pop-up window displays. The Guest Provisioning user can send out Email from this window. (See Figure 113.) Figure 113 Creating a Guest Account—Show Details Pop-up Window Printing Guest Account Information To print guest account information: 1. Highlight the guest account you want to print and click Print.
2. Click Print password if you want to print the guest password on the badge. Then enter or generate a new password for the guest. This modifies the existing guest password. (See Figure 114.) 3. Optionally, click Print policy text if you want your company policy text to appear on the printout. 4. Click Show preview to view the information before it is printed. 5. Click Print to print the guest account information.
Setting the Maximum Time for Guest Accounts You can set the maximum expiration time (in minutes) for guest accounts. If the guest-provisioning user attempts to add a guest account that expires beyond this time period, an error message is displayed and the guest account is created with the maximum time you configured. Note: If you set the maximum expiration time, it applies to all users in the internal database whether they are guests or not. Using the WebUI to set the maximum time for guest accounts 1.
Table 112 File Transfer Configuration Parameters
Server Type | Configuration
Trivial File Transfer Protocol (TFTP) | • •
File Transfer Protocol (FTP) | • • •
Secure Copy (SCP) | You must use the CLI to transfer files with SCP.
3. Click Copy Backup to enter the Copy Files page where you can select the destination server for the file. 4. Click Apply.
Backup the flash file system in the CLI
backup flash
copy flash: flashbackup.tar.gz tftp:
copy flash: flashbackup.tar.gz scp:
Restore the flash file system in the WebUI 1. Navigate to the Maintenance > File > Copy Files page. a. For Source Selection, specify the server to which the flashbackup.tar.
In the WebUI 1. Navigate to the Maintenance > File > Copy Files page. 2. Select the source where the file or image exists. 3. Select the destination to where the file or image is to be copied. 4. Click Apply.
For each NTP server, you can optionally specify the NTP iburst mode for faster clock synchronization. The iburst mode sends up to ten queries within the first minute to the NTP server. (When iburst mode is not enabled, only one query is sent within the first minute to the NTP server.) After the first minute, the iburst mode typically synchronizes the clock so that queries need to be sent at intervals of 64 seconds or more.
Chapter 27 Software Licenses Dell PowerConnect base features include sophisticated authentication and encryption, protection against rogue wireless APs, seamless mobility with fast roaming, the origination and termination of IPsec/L2TP/PPTP tunnels between controllers, clients, and other VPN gateways, adaptive RF management and analysis tools, centralized configuration, and location tracking.
Licenses Each license refers to specific functionality (or module) that supports unique features. The licenses are:
• Base OS—base operating functions including VPN and VIA clients.
• AP Capacity License—For RAP indoor and Outdoor mesh APs. Campus, Remote or Mesh APs can terminate on the controller without the need for a separate license.
• Policy Enforcement Firewall Virtual Private Network (PEFV)—Enables the role-based Policy Enforcement Firewall for VPN and VIA clients.
At the end of the 90-day period, you must apply for a permanent license to re-enable the features permanently on the controller. Evaluation software license keys are only available in electronic form and are emailed to you. When an evaluation period expires:
• The controller automatically backs up the startup configuration and reboots itself at midnight (according to the system clock). All permanent licenses are unaffected.
Interaction Some licenses must be equal in count, and the licenses interact in other important ways.
• AP/PEFNG and WIP must be equal All active APs run AP/PEFNG and WIP services (if enabled). If the counts are not equal, the number of active APs is restricted to the minimum of the AP/PEFNG and WIP license counts. Note: It is not possible to designate specific APs for WIP/non-WIP operations.
3. Use your system’s serial number to obtain a software license key from the Software License Management web site (see “Obtaining a Software License Key” on page 532). 4. Enter the software license key via the controller’s WebUI; navigate to Configuration > Network > Controller > System Settings page and select the License tab. Enter the software license key and click Apply (see “Applying the Software License Key in the WebUI” on page 532).
Creating a software license key 1. Select Activate a Certificate. 2. Enter the certificate ID number and the system serial number of your controller. 3. Review the license agreement and select Yes to accept the agreement. 4. Click Activate it. A copy of the transaction and the software license key is emailed to you at the email address you entered for your user account. Note: The software license key is only valid for the system serial number for which you activated the certificate.
Resetting the Controller Rebooting or resetting a controller has no effect on either permanent or evaluation licenses. Issuing the write erase command on a controller running software licenses does not affect the license key management database on the controller. Warning: Issuing the write erase all command resets the controller to factory defaults, and deletes all databases on the controller including the license key management database. You must reinstall all previously-installed license keys.
Chapter 28 IPv6 Client Support This chapter describes ArubaOS support for IPv6 clients.
• “About IPv6” on page 535
• “Support for IPv6” on page 535
• “Features that Support IPv6” on page 537
• “IPv6 User Addresses” on page 542
• “Important Points to Remember” on page 542
About IPv6 The IPv6 protocol enables the next generation of large-scale IP networks by supporting addresses that are 128 bits long. This allows for 2^128 possible addresses (versus 2^32 possible IPv4 addresses).
IPv6 clients must be mapped to a VLAN that is bridged to an external router which provides IPv6 services to those clients. On the controller, you can configure IPv4 and IPv6 clients on the same VLAN. Note: IPv6 clients and the IPv6 router must be on the same VLAN.
Features that Support IPv6 This section describes ArubaOS features that support IPv6 clients. Authentication ArubaOS only supports 802.1x authentication for IPv6 clients. You cannot configure layer-3 authentications such as captive portal to authenticate IPv6 clients. Table 115 IPv6 Client Authentication Authentication Method Supported for IPv6 Clients? 802.1x Yes Stateful 802.
Table 116 IPv6 Firewall Parameters (Continued) Authentication Method Description Deny Inter User Bridging Prevents the forwarding of Layer-2 traffic between wired or wireless users. You can configure user role policies that prevent Layer-3 traffic between users or networks but this does not block Layer-2 traffic. This option can be used to prevent traffic, such as Appletalk or IPX, from being forwarded. Default: Disabled Deny All IP Fragments Drops all IP fragments.
To configure firewall functions using the command line interface, issue the following commands in config mode:
  ipv6 firewall attack-rate ping 15
  ipv6 firewall attack-rate session 25
  ipv6 firewall session-idle-timeout 60

Firewall Policies
A user role, which determines a client’s network privileges, is defined by one or more firewall policies.
Table 117 IPv6 Firewall Policy Rule Parameters (Continued)
Field | Description
Mirror (optional) | Mirrors session packets to the datapath or remote destination specified in the IPv6 firewall function (see “Session Mirror Destination” in Table 116 on page 537). If the destination is an IP address, it must be an IPv4 IP address.
Queue (optional) | The queue in which a packet matching this rule should be placed. Select High for higher priority data, such as voice, and Low for lower priority traffic.
Note: Rules can be reordered using the up and down arrow buttons provided for each rule.
7. Click Apply to apply the configuration. The policy is not created until the configuration is applied.
8. Click Apply.
To enable MLDv1 via the command-line interface, issue the following commands in config mode:
  vlan 22
  interface vlan 22
  ipv6 mld snooping

IPv6 User Addresses
Viewing or Deleting User Entries
There is a separate user table for IPv6 users that contains entries for every IPv6 address used by a client.
To view or delete IPv6 User entries via the WebUI:
1. Navigate to the Monitoring > Controller > Clients page.
2. Click the IPv6 tab to display IPv6 clients.
3.
- Authentication of management users on IPv6 clients is not supported.
- The controller does not access the flow information field in IPv6 packet headers. (This field can be used by IPv6 routers to identify the sequence of packets and to facilitate routing decisions.)
- A client can have both an IPv4 address and an IPv6 address, but the controller does not relate the states of the IPv4 and IPv6 addresses on the same client.
Chapter 29 Voice and Video
This chapter outlines the steps required to configure voice and video services on a Dell controller for Voice over IP (VoIP) devices, including Session Initiation Protocol (SIP), Spectralink Voice Priority (SVP), H323, SCCP, Vocera, and Alcatel NOE phones. Because voice and video applications are more sensitive to delay and jitter, the network infrastructure must be able to prioritize video and voice traffic over data traffic.
Table 118 Default Voice Net Services and Ports
Net Service Name | Protocol | Port | ALG
svc-noe | UDP | 32512 | NOE
svc-h323-udp | UDP | 1718, 1719 | H.323
svc-h323-tcp | TCP | 1720 | H.323
svc-vocera | UDP | 5002 | VOCERA
svc-svp | SVP | None | SVP

Creating or Modifying Net Services
You can use the CLI to create or modify net services.
- DNS-ACL
- ICMP-ACL
For more details on the default voice role, enter the following command in config mode on your controller:
  (host) (config) #show rights voice

Creating or Modifying User Roles
You can create roles for NOE, SIP, SVP, Vocera, SCCP, and H.323 ALGs. Use the WebUI or CLI to configure user roles for any of the ALGs.
Using the WebUI to configure user roles
1. Navigate to the Configuration > Security > Access Control page.
2. Select the Policies tab. Click Add to create a new policy.
3.
7. Select the User Roles tab. Click Add to add a user role. a. For Role Name, enter a name for the user role. b. Under Firewall Policies, click Add. c. Select the previously-configured policy name (step 3) from the Choose from Configured Policies dropdown menu. d. Click Done. e. Under Firewall Policies, click Add. f. Select control from the Choose from Configured Policies drop-down menu. g. Click Done. 8.
Using the CLI to derive the role based on SSID
  aaa derivation-rules user name
    set role condition essid equals ssid set-value role

Using the WebUI to derive the role based on MAC OUI
1. Navigate to the Configuration > Security > Authentication > User Rules page.
2. Click Add to add a new set of derivation rules. Enter a name for the set of rules, and click Add. The name appears in the User Rules Summary list.
3. In the User Rules Summary list, select the name of the rule set to configure rules.
4.
Using the CLI to enable WPA fast handover
  aaa authentication dot1x
    wpa-fast-handover

For deployments where there are expected to be considerable delays between the controller and APs (for example, in a remote location where an AP is not in range of another Dell AP), Dell recommends that you enable the “local probe response” option in the SSID profile. (Generating probe responses on the Dell controller is an optimization that allows ArubaOS to make better decisions.
Table 120 VoIP Call Admission Control Configuration Parameters Parameter Description VoIP Send SIP 100 Trying The SIP invite call setup message is time-sensitive, as the originator retries the call as quickly as possible if it does not proceed. You can direct the controller to immediately reply to the call originator with a “SIP 100 - trying” message to indicate that the call is proceeding and to avoid a possible timeout.
VoIP-Aware ARM Scanning
The VoIP-aware ARM scanning feature allows you to provide higher QoS to the voice traffic. You can use the WebUI or CLI to enable VoIP-aware ARM scanning.
Using the WebUI to enable VoIP aware scanning in the ARM profile
1. Navigate to the Configuration > AP Configuration page. Select either the AP Group or AP Specific tab.
   - If you selected the AP Group tab, click the Edit button by the name of the AP group with the ARM profile you want to configure.
Using the WebUI to configure the SIP client user role
1. Navigate to the Configuration > AP Configuration page. Select either AP Group or AP Specific.
   - If you select AP Group, click Edit for the AP group name for which you want to configure the SIP client user role.
   - If you select AP Specific, select the name of the AP for which you want to configure the SIP client user role.
2. Under Profiles, select Wireless LAN, then select Virtual AP.
Table 121 Examples of Dial Plans
Dialplan Pattern | Action | Description
XXXX | %e | When the user dials a four digit number, no action is taken and the call is allowed.
XXXXXXX | 9%e | When the user dials a seven digit number, a nine (9) is prefixed to that number and the call is executed. Example: if the user dials 2274500, the call is executed by adding 9 to the number, 92274500.
XXXXXXXXXX | 91%e | This dial plan prefixes 91 to the dialed number. Example: a call to 4082274500 will be executed as 914082274500.
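The pattern and action mechanics of Table 121 can be checked outside the controller. The following Python code is an added example, not ArubaOS code: it translates a dial plan pattern (X = one digit) into an anchored regular expression, walks the plan in sequence-number order and substitutes the dialed digits for %e. Rejecting non-digit input and returning None for a number that matches no pattern are this example's own choices; the page does not state how the controller handles those cases.

```python
import re

# Constructed dial plan mirroring the three rows of Table 121.
# Each entry is (sequence number, pattern, action). In a pattern "X" matches
# exactly one digit; in an action "%e" stands for the digits the user dialed.
DIAL_PLAN = [
    (1, "XXXX", "%e"),
    (2, "XXXXXXX", "9%e"),
    (3, "XXXXXXXXXX", "91%e"),
]


def pattern_to_regex(pattern):
    """Turn a dial plan pattern into an anchored regular expression.

    "X" becomes one digit; every other character must match literally, so a
    pattern such as "9XXXX" only matches numbers that really start with 9.
    """
    parts = [r"\d" if ch == "X" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def apply_dial_plan(dialed, plan=DIAL_PLAN):
    """Return the number the call is placed with, or None if nothing matches.

    Plans are tried in ascending sequence number, so the first (lowest
    numbered) matching pattern wins. Input that is not a plain digit string
    is rejected outright (an assumption of this example, not page behaviour).
    """
    if not dialed.isdigit():
        return None
    for _seq, pattern, action in sorted(plan):
        if pattern_to_regex(pattern).match(dialed):
            return action.replace("%e", dialed)
    return None


if __name__ == "__main__":
    for number in ("1234", "2274500", "4082274500", "12345"):
        print(number, "->", apply_dial_plan(number))
```

Because the patterns are anchored at both ends, a five-digit number matches none of the three rows; a deployment that wants a catch-all row would add a looser pattern with a higher sequence number.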
Using WebUI to configure dial plan
1. In the WebUI, navigate to Configuration > Advanced Services > All Profiles > Controller > Dialplan Profile. Enter a name for the dial plan profile and click the Add button.
2. Under Profiles, expand Controller and select the newly created dial plan profile. Enter the following dial plan details and click the Add button.
   Sequence number: The dial plan position in the list of dial plans.
   Pattern: The number that the user will dial.
3. Under Profile, navigate to Controller > SIP settings and select Dialplan Profile. In the Profile Details section, select the Dialplan Profile from the drop down list and click the Apply button. The Dialplan Profile displays the dial plan details:

Voice over Remote Access Point
Voice traffic support is enhanced in split tunnel mode over a remote access point. Voice traffic management for remote and local users is done on the controller. However, the sessions are created differently for the two kinds of users.
The flag parameter in the show voice client-status command is updated to indicate remote users.

(host) #show voice client-status
Voice Client(s) Status
----------------------
AP Name  BSSID              ESSID  Client(MAC)        Client(IP)  Registration State  Call Status  ALG  Flags
-------  -----              -----  -----------        ----------  ------------------  -----------  ---  -----
moscatp  00:0b:11:5c:d6:80  home   00:00:5c:04:b3:10  10.20.1.
Using CLI
1. Set a DSCP value for video traffic.
   (host) (config)#wlan ssid-profile default
   (host) (ssid-profile “default”)#wmm-vi-dscp
   Example:
   (host) (ssid-profile “default”)#wmm-vi-dscp 40
   Setting the DSCP value tags the content as a video stream that the APs can recognize. By default, the DSCP value is set to 40. You must also set an ACL on the controller with equivalent mappings to prioritize the video traffic.
Adaptive Radio Management (ARM) profile "default"
-------------------------------------------------
Parameter                          Value
---------                          -----
Assignment                         single-band
Allowed bands for 40MHz channels   a-only
Client Aware                       Enabled
Max Tx EIRP                        127 dBm
Min Tx EIRP                        9 dBm
Multi Band Scan                    Enabled
Rogue AP Aware                     Disabled
Scan Interval                      10 sec
Active Scan                        Disabled
Scanning                           Enabled
Scan Time                          110 msec
VoIP Aware Scan                    Disabled
Power Save Aware Scan              Enabled
Video Aware Scan                   Enabled
Ideal Coverage Index               10
Acceptable Coverage Index          4
Free C
After you configure the WMM bandwidth management profile, apply it to the virtual AP profile.
  (config) #wlan virtual-ap default
  (Virtual AP profile "default") #wmm-traffic-management-profile default

Using WebUI
To access the WebUI configuration screens, navigate to Configuration > Advanced Services > All Profiles.
1. Set a DSCP value for video traffic. Under the Profiles column, expand Wireless LAN > SSID Profile and select the profile name. This example uses the default profile.
Figure 118 Enabling Video Aware Scan
4. Configure and apply the bandwidth management profile. Under the Profiles column, expand Virtual AP > [profile-name] > WMM Traffic Management Profile. In the Profile Details section, select the profile name from the drop down list box. Select the Enable Shaping Policy option and enter the bandwidth share values. Click the Apply button to save the settings. This step is optional.
Table 122 WMM Access Category to 802.1D Priority Mapping
Priority | 802.1D Priority | WMM Access Category
Lowest   | 1               | Background
         | 2               |
         | 0               | Best effort
         | 3               |
         | 4               | Video
         | 5               |
         | 6               | Voice
Highest  | 7               |

In non-WMM, or hybrid environments where some clients are not WMM-capable, Dell uses voice and best effort to prioritize traffic from these clients. Unscheduled Automatic Power Save Delivery (U-APSD) is a component of the IEEE 802.11e standard that extends the battery life on voice over WLAN devices.
configure these services in accordance with your network policies. Table 123 on page 563 shows the default WMM AC to DSCP decimal mappings and the recommended WMM AC to DSCP Hex mappings.
6. Modify the DSCP mapping settings, as needed:
   DSCP mapping for WMM voice AC: DSCP used to map voice traffic
   DSCP mapping for WMM video AC: DSCP used to map video traffic
   DSCP mapping for WMM best-effort AC: DSCP used to map best-effort traffic
   DSCP mapping for WMM background AC: DSCP used to map background traffic
7. Click Apply.
Dynamic WMM Queue Management Traditional wireless networks provide all clients with equal bandwidth access. However, delays or reductions in throughput can adversely affect voice and video applications, resulting in disrupted VoIP conversations or dropped frames in a streamed video. Thus, data streams that require strict latency and throughput need to be assigned higher traffic priority than other traffic types.
Using the WebUI to configure EDCA parameters
Use the following procedure to define an Enhanced Distributed Channel Access (EDCA) profile for APs or for clients (stations).
1. Navigate to the Configuration > AP Configuration page. Select either the AP Group tab or AP Specific tab.
   - If you selected AP Group, click Edit for the AP group name for which you want to configure EDCA parameters.
   - If you selected AP Specific, select the name of the AP for which you want to configure EDCA parameters.
2.
Table 125 EDCA Parameters Station and EDCA Parameters AP Profile Settings
Parameter | Description
Voice | Set the following parameters to define the background queue.
- aifsn: Arbitrary inter-frame space number. Possible values are 1-15.
- ecw-max: The exponential (n) value of the maximum contention window size, as expressed by 2^n - 1. A value of 4 computes to 2^4 - 1 = 15. Possible values are 1-15.
- ecw-min: The exponential (n) value of the minimum contention window size, as expressed by 2^n - 1.
Chapter 30 External Services Interface The Dell External Services Interface (ESI) provides an open interface that is used to integrate security solutions that solve interior network problems such as viruses, worms, spyware, and corporate compliance. ESI allows selective redirection of traffic to external service appliances such as anti-virus gateways, content filters, and intrusion detection systems.
Figure 120 ESI-Fortinet Topology (diagram labels: Wireless Users, Wired Users, Untrusted Interface, Controller, Corporate Network, DMZ/Internet, AntiVirus Firewall Server, Trusted Interface)

In the topology in Figure 120, the clients connect to access points (both wireless and wired). The wired access points tunnel all traffic back to the controller over the existing network.
Figure 121 Load Balancing Groups (diagram labels: Wireless Users, Wired Users, Load Balancing, Email Group, HTTP Group, Corporate Network, DMZ/Internet)

Understanding the ESI Syslog Parser
The ESI syslog parser adds a UNIX-style regular expression engine for parsing relevant fields in messages from third-party appliances such as anti-virus gateways, content filters, and intrusion detection systems.
Figure 122 ESI Parser Domains (diagram: Domain Fortinet with Fortinet 1 10.1.1.1, Fortinet 2 10.1.1.2, Fortinet 3 10.1.1.3; Domain Acme with Acme 1 10.2.2.1, Acme 2 10.2.2.2, Acme 3 10.2.2.3; Controller; Access Point)

The ESI syslog parser begins with a list of configured IP interfaces which listen for ESI messages. When a syslog message is received, it is checked against the list of defined ESI servers. If a server match is found, the message is then tested against the list of predefined rules.
Peer Controllers
As an alternative, consider a topology where multiple controllers share one or more ESI servers (see “Peer Controllers” on page 573).

Figure 123 Peer Controllers (diagram: ESI Server Group with Fortinet Server 30.0.0.1, Fortinet Server 30.0.0.2, Fortinet Server 30.0.0.3; Peer Controllers with Local Controller 20.0.0.1, Master Controller 10.0.0.
  Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4

This message example contains the Fortigate virus log ID number 0100030101 (“log_id=0100030101”), which can be used as the condition—the pattern that uniquely identifies this syslog message.
In general, there are three ESI configuration “phases” on the controller as a part of the solution:
- The first phase configures the ESI ping health-check method, servers, and server groups. The term server here refers to external server devices—for example, an AVF.
- The second phase configures the redirection policies instructing the controller how to redirect the different types of traffic to different server groups.
In the WebUI To configure an ESI server: 1. Navigate to the Configuration > Advanced Services > External Services page on the WebUI. 2. Click Add in the External Servers section. 3. Provide the following details: a. Server Name. b. Server Group. Use the drop-down list to assign this server to a group from the existing configured groups. c. Server Mode. Use the drop-down list to choose the mode (bridge, nat, or route) your topology requires.
4. Click Done when you are finished.
5. To apply the configuration (changes), click Apply. (The configuration will not take effect until you click Apply.)
In the CLI
Use these commands to define the redirection filter for sending traffic to the ESI server and apply the firewall policy to a user role.
  ip access-list session policy
    any any any redirect esi-group group direction both blacklist
    //For any incoming traffic, going to any destination,
    //redirect the traffic to servers in the specified ESI group.
    any any any permit
    //For everything else, allow the traffic to flow normally.
Deleting an existing syslog parser domain
To delete an existing parser domain:
1. Identify the target parser domain in the list shown in the Domain section of the Syslog Parser Domains view.
2. Click Delete on the same row in the Actions column.
Editing an existing syslog parser domain
To change an existing syslog parser domain:
1. Identify the target parser domain in the list shown in the Syslog Parser Domains view (see page 578).
2. Click Edit on the same row in the Actions column.
For example (based on the example shown in Figure 123 on page 573):
  esi parser domain forti_domain
    server 30.0.0.1
    server 30.0.0.2
    server 30.0.0.3
    peer 20.0.0.1

Managing Syslog Parser Rules
The following sections describe how to manage syslog parser rules using the WebUI and CLI.
In the WebUI
Click on the Syslog Parser Rules tab to display the Syslog Parser Rules view.
Deleting a syslog parser rule To delete an existing syslog parser rule: 1. Identify the target parser rule in the list shown in the Syslog Parser Rules view. 2. Click Delete on the same row in the Actions column. Editing an existing syslog parser rule To change an existing syslog parser rule: 1. Identify the target parser rule in the list shown in the Syslog Parser Rules view. 2. Click Edit on the same row in the Actions column.
The test results are displayed in a box in the area below the Test button. The test results contain information about the matching rule and match pattern.

In the CLI
Use these CLI commands to manage syslog parser rules.
Adding a new parser rule
  esi parser rule rule-name
    condition expression
    domain name
    enable
    match {ipaddr expression | mac expression | user expression}
    position position
    set {blacklist | role role}
For example:
  esi parser rule forti_virus
    condition “log_id=[0-9]{10}[ ]”
    match “src=(.
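To see how a domain's server list, a rule's condition pattern and its match pattern work together, here is an added Python model of the parser flow this chapter describes (example code, not the controller's implementation). The domain name, the server addresses and the condition pattern are taken from the chapter's route-mode example; the match pattern src=([0-9.]+) is an assumed completion of the truncated example above, and the position ordering, the sender check and the IPv4 validation of the extracted address are this example's own choices.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class ParserRule:
    """One 'esi parser rule': condition selects the message, match extracts the client."""
    name: str
    condition: re.Pattern   # identifies the message type (e.g. the Fortigate log_id)
    match: re.Pattern       # group(1) is the client identifier, here an IPv4 address
    action: str             # "blacklist" or "role:<role-name>"
    position: int = 1
    enabled: bool = True


@dataclass
class ParserDomain:
    """One 'esi parser domain': the ESI servers whose syslog the rules apply to."""
    name: str
    servers: frozenset      # source addresses accepted as ESI syslog senders
    rules: list = field(default_factory=list)


def parse_esi_syslog(domains, sender_ip, message):
    """Return (rule name, client address, action) for the first matching rule.

    Messages from a sender that is not a configured ESI server are ignored
    (they never reach the rule list), rules are tried in position order, and
    a rule only fires when its condition matches, its match pattern captures
    something, and that capture is a valid IPv4 address.
    """
    for domain in domains:
        if sender_ip not in domain.servers:
            continue
        for rule in sorted(domain.rules, key=lambda r: r.position):
            if not rule.enabled or rule.condition.search(message) is None:
                continue
            found = rule.match.search(message)
            if found is None:
                continue
            addr = found.group(1)
            try:
                ipaddress.IPv4Address(addr)   # reject junk such as 999.1.1.1
            except ValueError:
                continue
            return rule.name, addr, rule.action
    return None


# Constructed configuration mirroring the chapter's route-mode example.
FORTI_DOMAIN = ParserDomain(
    name="forti_domain",
    servers=frozenset({"30.0.0.1", "30.0.0.2", "30.0.0.3"}),
    rules=[
        ParserRule(
            name="forti_virus",
            condition=re.compile(r"log_id=[0-9]{10}[ ]"),   # pattern from the page
            match=re.compile(r"src=([0-9.]+)"),            # assumed completion
            action="blacklist",
        )
    ],
)

# Constructed sample message, copied from the Fortigate example in this chapter.
SAMPLE_VIRUS_MSG = (
    "Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4"
)


if __name__ == "__main__":
    print(parse_esi_syslog([FORTI_DOMAIN], "30.0.0.1", SAMPLE_VIRUS_MSG))
```

The sender check matters as much as the patterns: a syslog line that arrives from an address outside the domain's server list is dropped before any rule is evaluated, which is what keeps an arbitrary host on the network from triggering a blacklist action by sending a forged message.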
In the CLI
  show esi parser stats

Example Route-mode ESI Topology
This section introduces the configuration for a sample route-mode topology using the controller and Fortinet Anti-Virus gateways. In route mode, the trusted and untrusted interfaces between the controller and the Fortinet gateways are on different subnets. The accompanying figure shows an example route-mode topology.
Note: ESI with Fortinet Anti-Virus gateways is supported only in route mode.
The ESI configuration process will redirect all HTTP user traffic to the Fortinet server for examination, and any infected user will be blacklisted. The configuration process consists of these general tasks:
- Defining the ESI server.
- Defining the default ping health check method.
- Defining the ESI group.
- Defining the HTTP redirect filter for sending HTTP traffic to the ESI server.
- Applying the firewall policy to the guest role.
- Defining ESI parser domains and rules.
    retry-count count
    timeout seconds
For example:
  esi ping default
    frequency 5
    retry-count 3
    timeout 3

Defining the ESI Server
The following sections describe how to configure an ESI server using the WebUI and CLI.
In the WebUI
To configure an ESI server:
1. Navigate to the Configuration > Advanced Services > External Services page on the WebUI.
2. Click Add in the External Servers section.
3. Provide the following details:
   a. Server Name. (This example uses the name forti_1.)
   b. Server Group.
1. Navigate to the Configuration > Advanced Services > External Services page.
2. Click Add in the Server Groups section.
3. Provide the following details:
   a. Enter a Group Name. (Enter fortinet.)
   b. In the drop-down list, select default as the health check profile.
4. Click Done when you are finished.
5. To apply the configuration (changes), click Apply. (The configuration will not take effect until you click Apply.)
d. Repeat the steps to configure additional rules. (This example adds a rule that specifies any, any, any, permit.) e. Click Done to return to the User Roles tab. 3. To apply the configuration (changes), click Apply. (The configuration will not take effect until you click Apply.) 4. Refer to Chapter 10, “Roles and Policies” on page 279, for directions on how to apply a policy to a user role.
Adding a New Parser Rule in the WebUI To add a new syslog parser rule for the route-mode example: 1. Click Add in the Syslog Parser Rules tab (Advanced Services > External Services > Syslog Parser Rule). The system displays the new rule view. 2. In the Rule Name text box, type the name of the rule to be added (in this example, “forti_virus”). 3. Click the Enable checkbox to enable the rule. 4. In the Condition Pattern text box, type the regular expression to be used as the condition pattern.
Figure 125 Example NAT-Mode Topology
In this example, all HTTP traffic received by the controller is redirected to the external captive portal server group and load-balanced across the captive portal servers. All wireless client traffic with destination port 80 is redirected to the captive portal server group, with the new destination port 8080.
Note: The external servers do not necessarily have to be on the same subnet as the controller.
- Health-check ping:
    Name = externalcp_ping
    Frequency = 30 seconds
    Retry-count = 2 attempts
    Timeout = 2 seconds (2 seconds is the default)
- ESI group = external_cps
- Session access control list (ACL):
    Name = cp_redirect_acl
    Session policy = user any svc-http redirect esi-group external_cps direction both

Configuring the Example NAT-mode ESI Topology
This section describes how to implement the example NAT-mode ESI topology shown in Figure 125 using the WebUI first, then the CLI.
Configuring the ESI Group in the WebUI 1. Click Add in the Server Groups section External Services view on the WebUI. 2. Provide the following details: a. Group Name. (This example uses external_cps.) b. Health-Check Profile. Select the health-check ping from the drop-down list. (This example uses externalcp_ping.) 3. Click Done when you are finished. Note: To apply the configuration (changes), you must click Apply in the External Services view on the WebUI.
Configuring the Example NAT-mode Topology in the CLI
The CLI configuration process consists of these general tasks:
- Configuring captive portal (see Chapter 12, “Captive Portal” on page 299).
- Configuring the health-check ping method.
- Configuring the ESI servers.
- Configuring the ESI group.
- Defining the redirect filter for sending traffic to the ESI server.
    frequency 30
    retry-count 3
  esi server external_cp1
    dport 8080
    mode nat
    trusted-ip-addr 10.1.1.1
  esi server external_cp2
    dport 8080
    mode nat
    trusted-ip-addr 10.1.1.2
  esi server external_cp3
    dport 8080
    mode nat
    trusted-ip-addr 10.1.1.
- “Regular Expression Repetition Operators” on page 513
- “Regular Expression Anchors” on page 513
- “References” on page 514

Character-Matching Operators
Character-matching operators define what the search will match.

Table 126 Character-matching operators in regular expressions
Operator | Description | Sample | Result
. | Match any one character. | grep .ord sample.txt | Matches ford, lord, 2ord, etc. in the file sample.txt.
[] | Match any one character listed between the brackets | grep [cng]ord sample.
Regular Expression Anchors Anchors describe where to match the pattern, and are a handy tool for searching for common string combinations. Some of the anchor examples use the vi line editor command :s, which stands for substitute. That command uses the syntax: s/pattern_to_match/pattern_to_substitute.
Appendix A DHCP with Vendor-Specific Options
A standards-compliant DHCP server can be configured to return the host Dell controller’s IP address through the Vendor-Specific Option Code (option 43) in the DHCP reply. In the Dell user-centric network, this information can allow a Dell AP to automatically discover the IP address of a master controller for its configuration and management. This appendix describes how to configure vendor-specific option 43 on various DHCP servers.
To configure option 60 on the Windows DHCP server 1. On the DHCP server, open the DHCP server administration tool by clicking Start > Administrative Tools > DHCP. 2. Find your server and right-click on the scope to be configured under the server name. Select Set Predefined Options. 3. In the Predefined Options and Values dialog box, click the Add button. 4.
Figure 126 Scope Options Dialog Box
4. In the Data Entry field, click anywhere in the area under the ASCII heading and enter the following information:
   ASCII: Loopback address of the master controller
5. Click the OK button to save the configuration. Option 43 is configured for this DHCP scope. Note that even though you entered the IP address in ASCII text, it displays in binary form.
Figure 127 DHCP Scope Values

Linux DHCP Servers
The following is an example configuration for the Linux dhcpd.
  # The declarations below are not in the page's fragment but are required
  # for dhcpd to accept "option serverip" and the "vendor-class" subclass.
  option serverip code 43 = ip-address;
  class "vendor-class" {
      match option vendor-class-identifier;
  }

  # Subnet declaration inferred from the router and range addresses below.
  subnet 10.200.10.0 netmask 255.255.255.0 {
      max-lease-time 200;
      option subnet-mask 255.255.255.0;
      option routers 10.200.10.1;
      option domain-name-servers 10.4.0.12;
      option domain-name "vlan10.aa.mycorpnetworks.com";
      subclass "vendor-class" "ArubaAP" {
          option vendor-class-identifier "ArubaAP";
          #
          # option serverip <loopback address of the master controller>
          #
          option serverip 10.200.10.10;
      }
      range 10.200.10.200 10.200.10.252;
  }
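The dhcpd configuration above has two halves: the server returns option 43 only to a client whose vendor class identifier (option 60) is ArubaAP, and the AP then reads the controller address out of option 43. The following Python code is an added example, not Dell/Aruba code and not a DHCP implementation: it encodes and decodes the DHCP option TLV area, applies the same vendor-class gate on the server side, and decodes option 43 both in the four-byte binary form that dhcpd's ip-address type produces and in the ASCII form entered on the Windows server. The heuristic that tells the two forms apart, the constructed addresses and the extra subnet-mask option are this example's own assumptions.

```python
import ipaddress

OPT_SUBNET_MASK = 1        # RFC 2132 option codes used in this example
OPT_VENDOR_SPECIFIC = 43
OPT_VENDOR_CLASS = 60
OPT_END = 255
ARUBA_VENDOR_CLASS = b"ArubaAP"   # the value matched by the dhcpd subclass


def encode_options(options):
    """Serialise {code: bytes} into a DHCP options area (code, length, value ... 255)."""
    out = bytearray()
    for code, value in options.items():
        if not 0 < code < OPT_END or len(value) > 255:
            raise ValueError("option code or length out of range")
        out += bytes((code, len(value))) + bytes(value)
    out.append(OPT_END)
    return bytes(out)


def decode_options(data):
    """Parse an options area back into {code: bytes}, rejecting truncated TLVs."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:             # pad byte, no length field
            i += 1
            continue
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = bytes(value)
        i += 2 + length
    return opts


def build_reply_options(request_opts, controller_ip, ascii_form=False):
    """Server side: the equivalent of the 'subclass "vendor-class" "ArubaAP"' block.

    Option 43 is added only when the request carried option 60 == ArubaAP.
    ascii_form=False mirrors dhcpd's ip-address type (4 binary bytes);
    ascii_form=True mirrors the ASCII entry made on the Windows DHCP server.
    """
    reply = {OPT_SUBNET_MASK: ipaddress.IPv4Address("255.255.255.0").packed}
    if request_opts.get(OPT_VENDOR_CLASS) == ARUBA_VENDOR_CLASS:
        addr = ipaddress.IPv4Address(controller_ip)
        reply[OPT_VENDOR_SPECIFIC] = (
            str(addr).encode("ascii") if ascii_form else addr.packed
        )
    return reply


def controller_ip_from_reply(reply_bytes):
    """AP side: return the controller address carried in option 43, or None.

    Dotted-decimal ASCII is tried first; anything else of exactly four bytes is
    treated as a packed address. Malformed or missing values yield None rather
    than a bogus address (this detection rule is an assumption of the example).
    """
    raw = decode_options(reply_bytes).get(OPT_VENDOR_SPECIFIC)
    if raw is None:
        return None
    text = raw.decode("ascii", errors="replace")
    if set(text) <= set("0123456789."):
        try:
            return str(ipaddress.IPv4Address(text))
        except ValueError:
            return None
    if len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return None


if __name__ == "__main__":
    request = encode_options({OPT_VENDOR_CLASS: ARUBA_VENDOR_CLASS})
    reply = encode_options(build_reply_options(decode_options(request), "10.200.10.10"))
    print(controller_ip_from_reply(reply))
```

Whichever form the server uses, the AP-side decoder should fail closed: an option 43 value that does not parse as an IPv4 address is a reason to fall back to the other discovery methods, not to attempt a connection to a garbage address.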
Appendix B External Firewall Configuration In many deployment scenarios, an external firewall is situated between Dell devices. This appendix describes the network ports that need to be configured on the external firewall to allow proper operation of the Dell network. You can also use this information to configure session ACLs to apply to physical ports on the controller for enhanced security.
Between a Remote AP (IPsec) and a controller:
- NAT-T (UDP port 4500).
- TFTP (UDP port 69).
Note: TFTP is not needed for normal operation. If the remote AP loses its local image for any reason, it will use TFTP to download the latest image.

Network Management Access
This section describes the network ports that need to be configured on the firewall to manage the Dell network.
Appendix C Behavior and Defaults
This appendix contains the following topics:
- “Mode Support” on page 603
- “Basic System Defaults” on page 604
- “Default Management User Roles” on page 610
- “Default Open Ports” on page 613

Mode Support
Most ArubaOS features are supported in all forwarding modes. However, there are some features that are not supported in one or more forwarding modes.
Table 130 Features not Supported in Each Forwarding Mode
Forwarding Mode: Bridge Mode on Campus APs or Remote APs (continued)
Features Not Supported:
- SIP ALG
- SIP: SIP authentication tracking
- SIP: CAC enforcement enhancements
- SIP: Phone number awareness
- SIP: R-Value computation
- SIP: Delay measurement
- Management: Voice-specific views
- Management: Voice client statistics
- Management: Voice client troubleshooting
- Voice protocol monitoring/reporting
- SVP ALG
- H.
Table 131 Predefined Network Services (Continued)
Name | Protocol | Port(s)
svc-sip-tcp | tcp | 5060
svc-kerberos | udp | 88
svc-pop3 | tcp | 110
svc-adp | udp | 8200
svc-noe | udp | 32512
svc-noe-oxo | udp | 5000
svc-dns | udp | 53
svc-msrpc-tcp | tcp | 135 139
svc-rtsp | tcp | 554
svc-http | tcp | 80
svc-vocera | udp | 5002
svc-nterm | tcp | 1026 1028
svc-sip-udp | udp | 5060
svc-papi | udp | 8211
svc-ftp | tcp | 21
svc-natt | udp | 4500
svc-svp | 119 | 0
svc-gre | gre | 0
svc-smtp | tcp | 25
svc-smb-udp | udp | 445
svc-esp
Table 131 Predefined Network Services (Continued)
Name | Protocol | Port(s)
svc-v6-icmp | icmp | 0
any | any | 0

Policies
The following are predefined policies.

Table 132 Predefined Policies
Predefined Policy:
  ip access-list session allowall
    any any any permit
Description: An "allow all" firewall rule that permits all traffic.
Table 132 Predefined Policies (Continued)
Predefined Policy:
  ip access-list session ap-acl
    any any udp 5000
    any any udp 5555
    any any svc-gre permit
    any any svc-syslog permit
    any user svc-snmp permit
    user any svc-snmp-trap permit
    user any svc-ntp permit
Description: This is a policy for internal use and should not be modified. It permits APs to boot up and communicate with the controller.
Table 132 Predefined Policies (Continued)
Predefined Policy:
  ip access-list session svp-acl
    any any svc-svp permit queue high
    user host 224.0.1.116 any permit
Description: Use for Spectralink VoIP devices to automatically permit and prioritize Spectralink Voice Protocol (SVP).

Predefined Policy:
  ip access-list session noe-acl
    any any svc-noe permit queue high
Description: Use for Alcatel NOE VoIP devices to automatically permit and prioritize NOE traffic.
Table 133 Predefined Roles (Continued)
Predefined Role:
  user-role default-vpn-role
    session-acl allowall
    ipv6 session-acl v6-allowall
Description: This is the default role used for VPN-connected clients. It is referenced in the default "aaa authentication vpn" profile.
Table 133 Predefined Roles (Continued)
Predefined Role:
  user-role -logon
    session-acl control
    session-acl captiveportal
    session-acl vpnlogon
Description: This role is only generated when creating a new WLAN using the WLAN Wizard. The WLAN Wizard creates this role when captive portal is enabled and a PEFNG license is installed. This is the initial role that a client will be placed in prior to captive portal authentication.
Table 134 Predefined Management Roles (Continued) Predefined Role Permissions network-operations This role supports a subset of show, configuration, action, and database commands that are used to monitor the controller. You can log into the CLI; however, you can only use a subset of CLI commands to monitor the controller.
Table 134 Predefined Management Roles (Continued)
Predefined Role: network-operations (continued)
Permissions:
Monitoring > Network > All Access Points
Monitoring > Network > All Wired Access Points
You can view the reports created by the following CLI commands:
- DB:opcode=monitor-summary
- DB:opcode=cr-load
- DB:opcode=wlm-search&class=probes&start
- DB:opcode=wlm-search&class=amii
- DB:opcode=monitor-get-all-gps&status=any
- show ap-group
- show vlan status
Monitoring > Controller > Controller Summary Y
Table 134 Predefined Management Roles (Continued)
Predefined Role: network-operations (continued)
Permissions:
Monitoring > Controller > Clients > Blacklist
You can view the reports created by the following CLI commands:
- stm add-blacklist-client
- aaa user delete { | all | mac | name | role }
Monitoring > Controller > Blacklist Clients
You can view the reports created by the following CLI commands:
- stm remove-blacklist-client
Monitoring > Controlle
Table 135 Default (Trusted) Open Ports (Continued)
Port Number | Protocol | Where Used | Description
21 | TCP | controller | FTP server for AP6X software download.
22 | TCP | controller | SSH
23 | TCP | AP and controller | Telnet is disabled by default but the port is still open.
53 | UDP | controller | Internal domain.
67 | UDP | AP (and controller if DHCP server is configured) | DHCP server.
68 | UDP | AP (and controller if DHCP server is configured) | DHCP client.
Table 135 Default (Trusted) Open Ports (Continued)
Port Number | Protocol | Where Used | Description
8083 | TCP | controller | Used internally for single sign-on authentication (HTTPS). Not exposed to wireless users.
8088 | TCP | controller | For internal use.
8200 | UDP | controller | Dell Discovery Protocol (ADP).
8211 | UDP | controller | For internal use.
8888 | TCP | controller | Used for HTTP access.
Appendix D 802.1x Configuration for IAS and Windows Clients This appendix provides examples of how to configure a Microsoft Internet Authentication Server, and a Windows XP wireless client for 802.1x authentication with the controller (see Chapter 9, “802.1x Authentication” for information about configuring the controller).
4. In the New RADIUS Client dialog window, enter the name and IP address for the controller. Click Next. 5. In the next window that appears, enter and confirm a shared secret. The shared secret is configured on both the RADIUS server and client, and ensures that an unauthorized client cannot perform authentication against the server. 6. Click Finish.
Figure 129 IAS Remote Access Policies 2. To add a new policy, select Action > New Remote Access Policy. This launches a wizard that steps you through configuring the remote access policy. 3. Click Next on the initial wizard window to proceed. 4. Enter the name for the policy, for example, “Wireless Computers” and click Next. 5. In the Access Method window, select the Wireless option, then click Next. 6.
Figure 131 Policy Configuration Wizard—PEAP Properties

10. For PEAP, select the “inner” authentication method. The authentication method shown is MS-CHAPv2. (Because password authentication is being used on this network, this is the only EAP authentication type that should be selected.) You can also enable fast reconnect in this screen.
Another example of a Class attribute configuration is shown below for the “Wireless-Student” policy. This policy returns the RADIUS attribute Class with the value “student” upon successful completion.

Figure 133 Example RADIUS Class Attribute for “student”

Configure Management Authentication using IAS

Before you can configure the controller for management authentication using Windows IAS, you must perform the following steps to configure a Windows IAS RADIUS server on your Windows client.
5. In the User or Group Access window of the wizard, select either user or group, depending upon how your user permissions are defined. Click Next.
6. In the Authentication Method window, click the Type drop-down list and select Protected EAP (PEAP). Click Next.
7. Click Finish.

Now you must define properties for the remote policy you just created.

1. In the Internet Authentication Service window, click the Remote Access Policy icon.
Figure 134 Configuring a RADIUS Server for IAS Management Authentication

6. In the Host field, enter the IP address of the RADIUS server you want to use for Management Authentication.
7. Enter and then retype the shared key for the server.
8. Click Apply.
9. Select Server Group from the server list on the left window pane.
10. In the entry blank on the right window pane, enter the name of a new server group (for example, “Management_group”), then click Add.
11. Click Apply.
12.
Verify Communication between the Controller and the RADIUS Server

After you have configured your Windows Server and the Dell controller for Windows IAS Management Authentication, you can verify that the controller and server are communicating.

1. Navigate to Diagnostics > AAA Test Server.
2. Click the Server Name drop-down list and select the RADIUS server.
3. Select either MSCHAP-V2 or PAP as the authentication method.
4. Enter the user name and password in the Username and Password fields.
5.
4. Click the Advanced button to display the Networks to access window.

Figure 138 Networks to Access

This window determines what types of wireless networks the client can access. By default, Windows connects to any type of wireless network. Make sure that the option Computer-to-computer (ad hoc) networks only is not selected. Click Close.

5. In the Wireless Networks tab, click Add to add a wireless network.
6. Click the Association tab to enter the network properties for the SSID.
Enter the preshared key.

Note: Do not select the option “This is a computer-to-computer (ad hoc) network; wireless access points are not used”.

Figure 139 shows the configuration for the SSID WLAN-01, which uses WPA network authentication with TKIP data encryption.

Figure 139 Wireless Network Association

7. Click the Authentication tab to enter the 802.1x authentication parameters for the SSID. This tab configures the EAP type used between the wireless client and the authentication server.
Figure 140 Wireless Network Authentication

8. Under EAP type, select Properties to display the Protected EAP Properties window. Configure the client PEAP properties, as shown in Figure 141:
   - Select Validate server certificate. This instructs the client to check the validity of the server certificate from an expiration, identity, and trust perspective.
   - Select the trusted Certification Authority (CA) that can issue server certificates for the network.
Figure 142 EAP MSCHAPv2 Properties
Appendix E Internal Captive Portal

You can customize the default captive portal page through the WebUI, as detailed in Chapter 12, “Captive Portal”. This appendix discusses creating and installing a new internal captive portal page and other customization.
Username:
  Minimal:
  Recommended options:
    accesskey="u"  Sets the keyboard shortcut to 'u'
    SIZE="25"      Sets the size of the input box to 25
    VALUE=""       Ensures no default value

Password:
  Minimal:
  Recommended options:
    accesskey="p"  Sets the keyboard shortcut to 'p'
    SIZE="25"      Sets the size of the input box to 25
    VALUE=""       Ensures no default value

FQDN:
  Minimal: Re
Installing a New Captive Portal Page

You can install the captive portal page by using the Maintenance function of the WebUI. Log into the WebUI and navigate to Configuration > Management > Captive Portal > Upload Custom Login Pages. This page lets you upload your own files to the controller. There are different page types that you can choose:

- Captive Portal Login (top level): This type uploads the file into the controller and sets the captive portal page to reference the file that you are uploading.
The remainder of the default page's script handles the `url` and `errmsg` query parameters. The error-display portion reads:

```javascript
      // store the post-login redirect target taken from the query string
      createCookie('url', unescape(q[i + 1]), 0);
    }
  }
}
if (errmsg && errmsg.length > 0) {
  // the message is wrapped in the page's error markup before being written out
  errmsg = "\n" + errmsg + "\n\n";
  document.write(errmsg);
}
}
```

Reverting to the Default Captive Portal

You can reassign the default captive portal site using the "Revert to factory default settings" check box in the "Upload Custom Login Pages" section of the Maintenance tab in the WebUI.

In order to control the character set that the browser will use to show the text, you will need to insert the following line inside the ... element:

Replace the "Shift_JIS" part of the above line with the character set that is used by your system.

The error-message section of the script is then changed so that each known message is mapped to its localized text:

```javascript
    if (q[i] == "errmsg") {
      errmsg = unescape(q[i + 1]);
      break;
    }
  }
}
if (errmsg && errmsg.length > 0) {
  var localised_msg;
  switch (errmsg) {
    case "Authentication Failed":
      localised_msg = "Authentication Failed"; // replace with the translated text
      break;
    default:
      localised_msg = errmsg;
      break;
  }
  errmsg = "\n" + localised_msg + "\n\n";
  document.write(errmsg);
}
}
```

e. Translate the web page text. Once you have made the changes as above, you only need to translate the rest of the text that appears on the page.

Any required client-side style sheet (CSS) and media files can also be uploaded using the “Content” Page Type; however, file space is limited (use the CLI command show storage to see available space). Remember to leave ample room for system files.

Note: The "Registered User" and "Guest User" sections of the login page are implemented as graphics files, referenced by the default CSS styles.
An example that will create the same page as displayed in Figure 143 is shown below. The part in red will redirect the user to the web page you originally set up. For this to work, follow the procedure described above in this document: