Dell PowerConnect W-Series ArubaOS 6.
Copyright Information

© 2013 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
About this Guide

This User Guide describes the features supported by Dell PowerConnect W-Series ArubaOS and provides instructions and examples for configuring Dell controllers and Access Points (APs). This guide is intended for system administrators responsible for configuring and maintaining wireless networks and assumes you are knowledgeable in Layer 2 and Layer 3 networking technologies.

This chapter covers the following topics:

- "What’s New In ArubaOS 6.
Feature: Provisioning 802.11n APs for Single-Chain Transmission
Description: AP radios in single-chain mode will transmit and receive data using only legacy rates and single-stream HT rates up to MCS 7. This setting is disabled by default.
Table 2: New Hardware Platforms introduced with ArubaOS 6.2

Feature: Dell W-7200 Series Controller
Description: The W-7200 Series Controller delivers a wide range of network services to large campus networks. The W-7200 Series supports up to 32,000 users and performs stateful firewall policy enforcement at speeds up to 40 Gbps.

Feature: W-IAP108 and W-IAP109 Remote Access Points
Description: The W-IAP108 and W-IAP109 are dual-radio, dual-band remote access points that support the IEEE 802.
- the backspace key will erase your entry one letter at a time
- the question mark (?) will list available commands and options

Related Documents

The following items are part of the complete documentation for the Dell user-centric network:

- Dell PowerConnect W-Series Controller Installation Guides
- Dell PowerConnect W-Series Access Point Installation Guides
- Dell PowerConnect W-Series ArubaOS Quick Start Guide
- Dell PowerConnect W-Series ArubaOS User Guide
- Dell PowerConnect W-Series Aru
WARNING: Indicates a risk of personal injury or death.
Chapter 4: The Basic User-Centric Networks

This chapter describes how to connect a Dell controller and Dell AP to your wired network. After completing the tasks described in this chapter, see "Access Points (APs)" on page 393 for information on configuring APs.
4. Configure the SSID(s) with VLAN 1 as the assigned VLAN for all users.

Deployment Scenario #2: APs All on One Subnet Different from Controller Subnet

[Figure 5: APs All on One Subnet Different from Controller Subnets]

In this deployment scenario, the APs and the controller are on different subnetworks and the APs are on multiple subnetworks. The controller acts as a router for the wireless subnetworks (the controller is the default gateway for the wireless clients).
NOTE: Each wireless client VLAN must be configured on the controller with an IP address. On the uplink switch or router, you must configure static routes for each client VLAN, with the controller’s VLAN 1 IP address as the next hop.

Deployment Scenario #3: APs on Multiple Different Subnets from Controllers

[Figure 6: APs on Multiple Different Subnets from Controllers]

In this deployment scenario, the APs and the controller are on different subnetworks and the APs are on multiple subnetworks.
2. Create a VLAN that has the same VLAN ID as the VLAN on the switch or router to which you will connect the controller. Add the uplink port on the controller to this VLAN and configure the port as a trunk port.
3. Add client VLANs to the trunk port.
4. Configure the default gateway on the controller. This gateway is the IP address of the router to which you will connect the controller.
5. Configure the loopback interface for the controller.
6.
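The NOTE on static routes and the connection steps above describe the Layer-3 plumbing for a deployment in which the controller routes the client VLANs: VLAN 1 and every client VLAN need an IP address on the controller, the default gateway is the router on the uplink VLAN, and the uplink router needs one static route per client VLAN with the controller’s VLAN 1 address as next hop. The following Python script is an added example, not part of this guide, that encodes those requirements as checks and derives the router’s static routes. The VLAN IDs, addresses and the `RoutePlan`/`plan_routes` names are constructed for illustration; the rendered route lines are vendor-neutral, not any particular router’s syntax.

```python
"""Plan and sanity-check the Layer-3 settings for a controller that routes
its client VLANs (added example; addresses and VLAN IDs are constructed)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RoutePlan:
    """Result of plan_routes: problems found, plus the uplink router's static routes."""
    errors: tuple[str, ...]
    static_routes: tuple[tuple[str, str], ...]   # (destination network, next hop)


def plan_routes(vlan_interfaces: dict[int, str | None], default_gateway: str,
                uplink_vlan: int = 1) -> RoutePlan:
    """Check the guide's requirements and derive the static routes for the uplink router.

    vlan_interfaces maps VLAN ID -> controller interface address in CIDR form,
    or None for a VLAN that exists but has no IP address configured.
    """
    errors: list[str] = []
    uplink_cidr = vlan_interfaces.get(uplink_vlan)
    if uplink_cidr is None:
        # Without an address on the uplink VLAN there is no next hop to route through.
        return RoutePlan((f"VLAN {uplink_vlan} has no IP address on the controller",), ())
    uplink = ipaddress.IPv4Interface(uplink_cidr)

    # The default gateway is the router on the uplink VLAN, so it must be on that subnet.
    gateway = ipaddress.IPv4Address(default_gateway)
    if gateway not in uplink.network or gateway == uplink.ip:
        errors.append(f"default gateway {gateway} is not a usable address on the "
                      f"VLAN {uplink_vlan} subnet {uplink.network}")

    routes: list[tuple[str, str]] = []
    seen: list[ipaddress.IPv4Network] = [uplink.network]
    for vid, cidr in sorted(vlan_interfaces.items()):
        if vid == uplink_vlan:
            continue
        if cidr is None:
            # Each wireless client VLAN must have an IP address on the controller.
            errors.append(f"VLAN {vid} has no IP address on the controller")
            continue
        client = ipaddress.IPv4Interface(cidr)
        if any(client.network.overlaps(other) for other in seen):
            errors.append(f"VLAN {vid} subnet {client.network} overlaps another subnet")
            continue
        seen.append(client.network)
        # The uplink router reaches this client subnet via the controller's VLAN 1 address.
        routes.append((str(client.network), str(uplink.ip)))
    return RoutePlan(tuple(errors), tuple(routes))


def render_routes(plan: RoutePlan) -> list[str]:
    """Vendor-neutral 'destination via next-hop' lines for the uplink router."""
    return [f"{dest} via {nexthop}" for dest, nexthop in plan.static_routes]


# Constructed deployment: VLAN 1 is the uplink, 10 and 20 carry clients, 30 has no address.
SAMPLE_VLANS: dict[int, str | None] = {
    1: "10.1.1.2/24",
    10: "10.1.10.1/24",
    20: "10.1.20.1/24",
    30: None,
}
SAMPLE_GATEWAY = "10.1.1.1"

if __name__ == "__main__":
    result = plan_routes(SAMPLE_VLANS, SAMPLE_GATEWAY)
    for problem in result.errors:
        print("PROBLEM:", problem)
    for line in render_routes(result):
        print("uplink route:", line)
```

Run against the constructed sample, the script flags VLAN 30 (no address, so clients on it would have no gateway) and emits the two routes the uplink router needs; a gateway outside the VLAN 1 subnet or an overlapping client subnet is reported instead of silently producing an unreachable route.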
The initial setup requires that you configure an IP address for the VLAN 1 interface, which you can use to access and configure the controller remotely via an SSH or WebUI session. Configuring an IP address for the VLAN 1 interface ensures that there is an IP address and default gateway assigned to the controller upon completion of the initial setup.

Connecting to the Controller after Initial Setup

After you complete the initial setup, the controller reboots using the new configuration.
The W-7200 Series Controller is equipped with an LCD panel that displays a variety of information about the controller’s status and provides a menu that allows for basic operations such as initial setup and reboot. The LCD panel displays two lines of text with a maximum of 16 characters on each line. When using the LCD panel, the active line is indicated by an arrow next to the first letter. The LCD panel is operated using the two navigation buttons to the left of the screen.
Table 10: LCD Panel Mode: Maintenance

Upgrade Image
  Function: Upgrade the software image on the selected partition from a predefined location on the attached USB flash device.
  Displays: Partition [0 | 1]; Upgrade Image [no | yes]

Upload Config
  Function: Uploads the controller’s current configuration to a predefined location on the attached USB flash device.
  Displays: Upload Config [no | yes]

Factory Default
  Function: Allows you to return the controller to the factory default settings.
Disabling LCD Menu Functions

For security purposes, you can disable all LCD menu functions by disabling the entire menu using the following commands:

    (host) (config) #lcd-menu
    (host) (lcd-menu) #disable menu

To prevent inadvertent menu changes, you can instead disable individual LCD menu functions using the following commands:

    (host) (lcd-menu) #disable menu maintenance ?
    factory-default    Disable factory default menu
    media-eject        Disable media eject menu on LCD
    system-halt        Disable system halt menu on LCD
- Configure the port as a trunk port.
- Configure a default gateway for the controller.

Creating, Updating, and Viewing VLANs and Associated IDs

You can create and update a single VLAN or bulk VLANs using the WebUI or the CLI. See "Creating and Updating VLANs" on page 108.

NOTE: In the WebUI configuration windows, clicking the Save Configuration button saves configuration changes so they are retained after the controller is rebooted.
In the WebUI

1. Navigate to the Configuration > Network > Ports window on the WebUI.
2. In the Port Selection section, click the port that will connect the controller to the network. In this example, click port 25.
3. For Port Mode, select Trunk.
4. For Native VLAN, select VLAN 5 from the scrolling list, then click the left (<--) arrow.
5. Click Apply.
-
NOTE: After you configure or modify a loopback address, you must reboot the controller. If configured, the loopback address is used as the controller’s IP address. If you do not configure a loopback address for the controller, the IP address assigned to the first configured VLAN interface is used as the controller’s IP address. Generally, VLAN 1 is configured first and is used as the controller’s IP address. ArubaOS allows the loopback address to be part of the IP address space assigned to a VLAN interface.
-
clock, see "Setting the System Clock" on page 660. Installing Licenses ArubaOS consists of a base operating system with optional software modules that you can activate by installing license keys. If you use the Setup Wizard during the initial setup phase, you will have the opportunity to install software licenses at that time. Refer to Software Licenses on page 100 for detailed information on Licenses.
-
The command line interface (CLI) allows you to configure and manage Dell controllers. The CLI is accessible from a local console connected to the serial port on the controller or through a Telnet or Secure Shell (SSH) session from a remote management console or workstation.
NOTE: By default, you can only access the CLI from the serial port or from an SSH session. To use the CLI in a Telnet session, you must explicitly enable Telnet on the controller.
-
Chapter 5 Control Plane Security ArubaOS supports secure IPsec communications between a controller and campus or remote APs using public-key self-signed certificates created by each master controller. The controller certifies its APs by issuing them certificates. If the master controller has any associated local Dell controllers, the master controller sends a certificate to each local controller, which in turn sends certificates to their own associated APs.
-
Control Plane Security Overview Controllers using control plane security only send certificates to APs that you have identified as valid APs on the network. If you want closer control over each AP that gets certified, you can manually add individual campus and remote APs to the secure network by adding each AP's information to the whitelists when you first run the initial setup wizard.
-
Parameter: Auto Cert. Description: Certificate sent to all associated APs, or just APs within one or more specific IP address ranges. If your controller has a publicly accessible interface, you should identify your campus and Remote APs by IP address range. This prevents the controller from sending certificates to external or rogue campus APs that may attempt to access your controller through that interface. Select All to allow all associated campus and remote APs to receive automatic certificate provisioning.
-
Managing AP Whitelists Campus and Remote APs appear as valid APs in the campus and Remote AP whitelists when you manually enter their information into the whitelists via the controller’s CLI or WebUI, or after the controller sends the AP a certificate via automatic certificate provisioning and the AP connects to its controller via a secure tunnel. Any APs not approved or certified on the network are also included in the whitelists, but these APs appear in an unapproved state.
-
Parameter: Description (Optional). Description: Use this field to add a brief description of the campus AP.
Remote AP whitelist configuration parameters
AP MAC Address: MAC address of the remote AP, in colon-separated octets.
User Name: Name of the end user who provisions and uses the remote AP.
AP Group: Select the name of the AP group to which the remote AP is assigned.
AP Name (Optional): Name of the remote AP. If you do not specify a name, the AP uses its MAC address as a name.
-
Status Entry: Certified Entries. Description: AP has an approved certificate from the controller.
Status Entry: Certified Hold Entries. Description: An AP is put in this state when the controller thinks the AP has been certified with a factory certificate yet the AP requests to be certified again. Since this is not a normal condition, the AP is not approved as a secure AP until a network administrator manually changes the status of the AP to verify that it is not compromised.
-
To view information about the remote and campus AP whitelists using the command-line interface, use the commands described in Table 17.
Table 17: View the Campus AP Whitelist via the CLI
Command: show whitelist-db cpsec [mac-address ]
Description: Shows detailed information for each AP in the whitelist, including the AP’s MAC address, approved state, certificate type and description. Include the optional mac-address parameter to view data for a single entry.
-
whitelist-db cpsec modify mac-address cert-type switch-cert|factory-cert description mode disable|enable revoke-text state approved-ready-for-cert|certified-factory-cert
Revoking an AP via the Campus AP Whitelist
You can revoke an invalid or rogue AP either by opening the modify menu and modifying the AP’s revoke status (as described in the section above), or by selecting the AP in the campus whitelist and revoking its secure status directly, without modifying any other paramet
-
all other master and local Dell controllers as soon as the new controller is added to the hierarchy. If any old or invalid AP entries are added to the campus AP whitelist, all Dell controllers in the hierarchy begin trusting those APs, creating a potential security risk. For additional information on adding a new local controller using control plane security to your network, see "Replacing a Local Controller" on page 93.
To purge a controller’s campus AP whitelist via the WebUI:
1.
-
If your deployment includes both master and local Dell controllers, then the campus AP whitelist on every controller contains an entry for every secure AP on the network, regardless of the controller to which it is connected. The master controller also maintains a whitelist of local Dell controllers using control plane security. When you change a campus AP whitelist on any controller, that controller contacts the other connected Dell controllers to notify them of the change.
-
Data Column Description
For deployments with both master and local Dell controllers:
- The sequence number on a master controller should be the same as the remote sequence number on the local controller.
- The sequence number on a local controller should be the same as the remote sequence number on the master controller.
-
Purging the Master or Local Switch Whitelist There is no need to purge a master switch whitelist during the course of normal operation. If, however, you are removing a controller from the network, you can purge its switch whitelist after it has been disconnected from the network. To clear a local switch whitelist entry on a master controller that is still connected to the network, select that individual whitelist entry and delete it using the delete option.
-
Figure 21: A Cluster of Master Controllers using Control Plane Security To create a controller cluster, you must first define the root master controller and set an IPsec key or select a certificate for communications between the cluster root and cluster members. NOTE: You must use the command-line interface to configure certificate authentication for cluster members. The WebUI supports cluster authentication using IPsec keys only.
-
The parameter in this command is the IP address of a member controller in the cluster, and the parameter in each command is the IPsec key for communication between the specified member controller and the cluster root. Use the IP address 0.0.0.0 in this command to set a single IPsec key for all member Dell controllers, or repeat this command as desired to define a different IPsec key for each cluster member.
-
Table 22: CLI Commands to Display Cluster Settings Command Description show cluster-switches When you issue this command from the cluster root, the output of this command displays the IP address of the VLAN used by the cluster member to connect to the cluster root. If you issue this command from a cluster member, the output of this command displays the IP address of the VLAN used by the cluster root to connect to the cluster member.
-
window, select the entry for the local controller you want to delete from the local switch whitelist, and click Delete. 4. Install the new local controller, but do not connect it to the network yet. If the controller has been previously installed on the network, you must ensure that the new local controller has a clean whitelist. 5.
-
Replacing Controllers in a Multi-Master Network
Use the following procedures to replace a master or local controller in a network environment with multiple master Dell controllers.
Replacing a Local Controller in a Multi-Master Network
The procedure to replace a local controller in a network with multiple master Dell controllers is the same as the procedure to replace a local controller in a single-master network.
-
are synchronized to the backup controller. Since the AP whitelist may change periodically, the network administrator should regularly synchronize these settings to the backup controller. For details, see "Configuring Networks with a Backup Master Controller" on page 90. When you install a new backup cluster member, you must add it as a lower priority controller than the existing primary controller.
-
Configuring Control Plane Security after Upgrading
When you initially deploy a controller running ArubaOS 6.0 or later, create your initial control plane security configuration using the initial setup wizard. However, if you are upgrading to ArubaOS 6.0, or if you are upgrading from ArubaOS 5.0 but did not yet have control plane security enabled before the upgrade, then you can use the strategies described in Table 23 to enable and configure the control plane security feature.
-
approved as a secure AP until a network administrator manually changes the status of the AP to verify that it is not compromised. If an AP is in this state due to connectivity problems, then the AP recovers and is taken out of this hold state as soon as connectivity is restored.
- certified-hold-switch-cert: An AP is put in this state when the controller thinks the AP has been certified with a controller certificate yet the AP requests to be certified again.
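The whitelist states and transitions described above (manual approval, certification, the two hold states, administrator modification and revocation), as an added model written for this page rather than ArubaOS code. It assumes that a revoked AP returns to the unapproved state and that leaving a hold state is an administrator action, since the page does not describe the recovery mechanism; the MAC addresses used are constructed.

```python
"""Model of the CPSec campus AP whitelist behaviour described in the text
(added example, not ArubaOS code)."""
from dataclasses import dataclass

# Entry states named on the page ("unapproved" is the page's wording for APs
# seen on the network that are not yet approved or certified).
UNAPPROVED = "unapproved"
APPROVED_READY = "approved-ready-for-cert"
CERTIFIED = "certified"                      # certificate issued by the controller
CERTIFIED_FACTORY = "certified-factory-cert"
HOLD_FACTORY = "certified-hold-factory-cert"
HOLD_SWITCH = "certified-hold-switch-cert"
SECURE_STATES = {CERTIFIED, CERTIFIED_FACTORY}
# 'state' choices accepted by 'whitelist-db cpsec modify'
ADMIN_SETTABLE = {APPROVED_READY, CERTIFIED_FACTORY}


@dataclass
class Entry:
    mac: str
    description: str = ""
    cert_type: str = "switch-cert"   # switch-cert | factory-cert
    mode: str = "enable"             # enable | disable
    state: str = UNAPPROVED
    revoke_text: str = ""


class CpsecWhitelist:
    def __init__(self):
        self.entries = {}

    def add(self, mac, description="", cert_type="switch-cert"):
        """Manually whitelist an AP: it is approved and ready for a certificate."""
        self.entries[mac.lower()] = Entry(mac.lower(), description, cert_type, state=APPROVED_READY)

    def state(self, mac):
        return self.entries[mac.lower()].state

    def is_secure(self, mac):
        e = self.entries.get(mac.lower())
        return e is not None and e.mode == "enable" and e.state in SECURE_STATES

    def request_certificate(self, mac):
        """An AP asks to be certified. Returns True when a certificate is issued."""
        mac = mac.lower()
        e = self.entries.get(mac)
        if e is None:
            # Unknown APs are recorded, but only in the unapproved state.
            self.entries[mac] = Entry(mac)
            return False
        if e.mode != "enable" or e.state in (UNAPPROVED, HOLD_FACTORY, HOLD_SWITCH):
            return False
        if e.state == APPROVED_READY:
            e.state, e.cert_type = CERTIFIED, "switch-cert"
            return True
        # An AP the controller believes is already certified is asking again:
        # not a normal condition, so it is held until an administrator verifies it.
        e.state = HOLD_FACTORY if e.state == CERTIFIED_FACTORY else HOLD_SWITCH
        return False

    def modify(self, mac, state=None, cert_type=None, mode=None, description=None):
        """Administrator change, limited to the values the modify command accepts."""
        e = self.entries[mac.lower()]
        if state is not None:
            if state not in ADMIN_SETTABLE:
                raise ValueError(f"state must be one of {sorted(ADMIN_SETTABLE)}")
            e.state = state
        if cert_type is not None:
            if cert_type not in ("switch-cert", "factory-cert"):
                raise ValueError("cert_type must be switch-cert or factory-cert")
            e.cert_type = cert_type
        if mode is not None:
            if mode not in ("enable", "disable"):
                raise ValueError("mode must be enable or disable")
            e.mode = mode
        if description is not None:
            e.description = description

    def revoke(self, mac, revoke_text):
        """Revoke an AP's secure status directly (assumed to return it to unapproved)."""
        e = self.entries[mac.lower()]
        e.state, e.revoke_text = UNAPPROVED, revoke_text
```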
-
Figure 24: Sequence numbers on Master and Local Controllers
Supported APs
The control plane security feature is supported on AP models W-AP105 and W-AP120 Series, W-AP130 Series, and W-AP175 Series. APs that do not support control plane security are not able to connect to a controller enabled with this feature.
Rogue APs
If you enable auto certificate provisioning with the Auto Cert Allow All option, any AP that appears on the network receives a certificate.
-
Chapter 6 Software Licenses
ArubaOS base features include sophisticated authentication and encryption, protection against rogue wireless APs, seamless mobility with fast roaming, the origination and termination of IPsec/L2TP/PPTP tunnels between Dell controllers, clients, and other VPN gateways, adaptive RF management and analysis tools, centralized configuration, and location tracking. Optional add-on licenses provide advanced features such as Wireless Intrusion Protection and Policy Enforcement Firewall.
-
- Upgrade License—a license that adds AP capacity to your controller. Note that Upgrade Licenses do not support an evaluation license.
Working with Licenses
Each license refers to specific functionality (or module) that supports unique features. The licenses are:
- Base OS—base operating functions including VPN and VIA clients.
- AP Capacity—capacity license for RAP indoor and outdoor Mesh APs. Campus, Remote, or Mesh APs can terminate on the controller without the need for a separate license.
-
Figure 25: Alert Flag
At the end of the 90-day period, you must apply for a permanent license to re-enable the features permanently on the controller. Evaluation software license keys are only available in electronic form and are emailed to you. When an evaluation period expires:
- The controller automatically backs up the startup configuration and reboots itself at midnight (according to the system clock).
- All permanent licenses are unaffected.
-
NOTE: In Table 27, the Remote AP count is equal to the total AP count for all the Dell controllers. The Campus AP count is 1/4 of the total AP count except for the W-6000M3 which is 1/2 the AP count.
-
- A single client using both 802.11i Suite B and IPsec Suite B simultaneously will consume two ACR licenses.
License Installation Best Practices and Exceptions
- Back up the controller’s configuration (backup flash command) and back up the license database (license export filename) before making any changes.
(host) #backup flash
Please wait while we tar relevant files from flash...
Please wait while we compress the tar file...
Checking for free space on flash...
Copying file to flash...
File flashbackup.
-
Requesting a Software License in Email To obtain either a permanent or evaluation software license, contact your sales account manager or authorized reseller. The license details are provided via email with an attached text file. Use the text file to cut and paste the licensing information into the WebUI or at the command line. NOTE: Ensure that you have provided your sales person with a valid email address.
-
3. Review the license agreement and select Yes to accept the agreement.
4. Click Activate it. A copy of the transaction and the software license key is emailed to you at the email address you entered for your user account.
NOTE: The software license key is only valid for the system serial number for which you activated the certificate.
Applying the Software License Key in the WebUI
To enable the software module and functionality, you must apply the software license key to your controller:
1.
-
Issuing the write erase command on a controller running software licenses does not affect the license key management database on the controller. Issuing the write erase all command resets the controller to factory defaults, and deletes all databases on the controller including the license key management database. You must reinstall all previously-installed license keys. A W-7200 Series controller can be reset using the LCD screen.
-
Chapter 7 Network Configuration Parameters
The following topics in this chapter describe some basic network configuration on the controller:
- "Configuring VLANs" on page 108
- "Configuring Ports" on page 114
- "Understanding VLAN Assignments" on page 117
- "Configuring Static Routes" on page 123
- "Configuring the Loopback IP Address" on page 124
- "Configuring the Controller IP Address" on page 125
- "Configuring GRE Tunnels" on page 125
Configuring VLANs
The controller operates as a layer
-
Note that this profile will only take effect if the VLAN or port on the controller is untrusted. If you do not assign a wired AAA profile to the VLAN, the global wired AAA profile applies to traffic from untrusted wired ports.
6. If you selected Port in step 4, select the ports you want to associate with the VLAN from the Port Selection window.
-
Figure 28: Named VLAN not in a Pool
6. In the List of VLAN IDs field, enter the VLAN ID you want to name. If you know the ID, enter the ID. Or, click the drop-down list to view the IDs then click the <-- arrow to add the ID to the pool.
7. Click Apply.
In the CLI
This example assigns a name to an existing VLAN ID.
-
5. In the Assignment Type field, select Hash or Even from the drop-down menu. See "Distinguishing Between Even and Hash Assignment Types" on page 111 for information and conditions regarding Hash and Even assignment types.
NOTE: The Even VLAN pool assignment type is only supported in tunnel and dtunnel modes. It is not supported in split or bridge modes. It is not allowed for VLAN pools that are configured directly under a virtual AP (VAP). It must only be used under named VLANs.
-
If a VLAN pool is given an Even assignment and is assigned to user roles, user rules, VSA or a server derivation rules, then while applying VLAN derivation for the client “on run time,” the Even assignment is ignored and the Hash assignment is applied with a message displaying this change.
NOTE: L2 Mobility is not compatible with the existing implementation of the Even VLAN pool assignment type.
Updating a VLAN Pool
1. On the VLAN Pool window, click Modify next to the VLAN name you want to edit.
2.
-
The following example shows how to add existing VLAN IDs to a VLAN pool:
(host) #configure terminal
Enter Configuration commands, one per line.
-
The bcmc-optimization parameter has the following exemptions:
- All DHCP traffic will continue to flood VLAN member ports even if the bcmc-optimization parameter is enabled.
- ARP broadcasts and VRRP (multicast) traffic will still be allowed.
You can configure BCMC optimization using the CLI or WebUI.
-
Classifying Traffic as Trusted or Untrusted You can classify wired traffic based not only on the incoming physical port and channel configuration but also on the VLAN associated with the port and channel. About Trusted and Untrusted Physical Ports By default, physical ports on the controller are trusted and are typically connected to internal networks while untrusted ports connect to third-party APs, public areas, or other networks to which access controls can be applied.
-
8. From the Firewall Policy section, select the policy from the in drop-down list through which inbound traffic on this port must pass.
9. Select the policy from the out drop-down list through which outbound traffic on this port must pass.
10. To apply a policy to this session’s traffic on this port and VLAN, select the policy from the session drop-down list.
11. Click Apply.
-
11. When you are finished listing VLANs and policies, click Cancel.
12. Click Apply.
-
In the WebUI
1. Navigate to the Configuration > Network > IP > IP Interfaces page on the WebUI. Click Edit for the VLAN you just added.
2. Select the Use the following IP address option. Enter the IP address and network mask of the VLAN interface. If required, you can also configure the address of the DHCP server for the VLAN by clicking Add.
3. Click Apply.
-
4. Enter a priority value for the VLAN ID in the Uplink Priority field. By default, all wired uplink interfaces have the same priority. If you want to use an active-standby topology, then prioritize each uplink interface by entering a different priority value (1–4) for each uplink interface.
Figure 33: Assigning VLAN uplink priority—Active-Standby configuration
5. Click Apply.
-
5. Enter a priority value for the VLAN ID in the Uplink Priority field. By default, all wired uplink interfaces have the same priority. If you want to use an active-standby topology, then prioritize each uplink interface by entering a different priority value (1–4) for each uplink interface.
6. Click Apply.
In the CLI
In this example, a PPPoE service name, username and password are assigned. The interface VLAN 14 has an uplink priority of 3.
-
default-router 10.1.1.254
dns-server import
netbios-name-server import
network 10.1.1.0 255.255.255.0
Configuring Source NAT to Dynamic VLAN Address
When a VLAN interface obtains an IP address through DHCP or PPPoE, a NAT pool (dynamic-srcnat) and a session ACL (dynamic-session-acl) are automatically created which reference the dynamically-assigned IP addresses. This allows you to configure policies that map private local addresses to the public address(es) provided to the DHCP or PPPoE client.
-
Example Configuration
In the following example, the controller operates within an enterprise network. VLAN 1 is the outside VLAN. Traffic from VLAN 6 is source NATed using the IP address of the controller. In this example, the IP address assigned to VLAN 1 is used as the controller’s IP address; thus traffic from VLAN 6 would be source NATed to 66.1.131.5.
Figure 34: Example: Source NAT using Controller IP Address
In the WebUI
1. Navigate to the Configuration > Network > VLANs page.
-
Figure 35: Default Inter-VLAN Routing
You can optionally disable layer-3 traffic forwarding to or from a specified VLAN. When you disable layer-3 forwarding on a VLAN, the following restrictions apply:
- Clients on the restricted VLAN can ping each other, but cannot ping the VLAN interface on the controller. Forwarding of inter-VLAN traffic is blocked.
- IP mobility does not work when a mobile client roams to the restricted VLAN.
-
In the CLI
(host) (config) #ip route
Configuring the Loopback IP Address The loopback IP address is a logical IP interface that is used by the controller to communicate with APs. The loopback address is used as the controller’s IP address for terminating VPN and GRE tunnels, originating requests to RADIUS servers and accepting administrative communications. You configure the loopback address as a host address with a 32-bit netmask.
-
Configuring the Controller IP Address The Controller IP address is used by the controller to communicate with external devices such as APs. You can set the Controller IP address to the loopback interface address or to an existing VLAN ID address. This allows you to force the controller IP address to be a specific VLAN interface or loopback address across multiple machine reboots.
-
The controller also supports GRE tunnels between the controller and other GRE-capable devices. This section describes how to configure a GRE tunnel to such a device and how to direct traffic into the tunnel. NOTE: The controller uses GRE tunnels for communications between master and local Dell controllers; these GRE tunnels are automatically created and are not subject to the configuration described in this section.
-
Traffic redirected by a firewall policy rule is not forwarded to a tunnel that is “down” (see "Tunnel Keepalives" on page 127 for more information on how GRE tunnel status is determined). If you have more than one GRE tunnel configured, you can create multiple firewall policy rules with each rule redirecting the same traffic to different tunnels. If the tunnel in the first traffic redirect rule is down, then the tunnel in the subsequent traffic redirect rule is used instead. In the WebUI 1.
-
Chapter 8 IPv6 Support This chapter describes ArubaOS support for IPv6 features.
-
The following image illustrates how IPv6 clients, APs, and controller communicate with each other in an IPv6 network.
Figure 36: IPv6 Topology
- The IPv6 controller (MC2) terminates both V4 AP (IPv4 AP) and V6 AP (IPv6 AP).
- Client 1 (IPv4 client) terminates to V6 AP and Client 2 (IPv6 client) terminates to V4 AP.
- Router is an external IPv6 router in the subnet that acts as the default gateway in this illustration.
- MC1 (master) and MC2 (local) communicate in IPv4.
-
You can perform the following IPv6 operations on the controller:
- "Configuring IPv6 Addresses" on page 131
- "Configuring IPv6 Static Neighbors" on page 132
- "Configuring IPv6 Default Gateway and Static IPv6 Routes" on page 133
- "Managing Controller IP Addresses" on page 133
- "Configuring Multicast Listener Discovery (MLD)" on page 134
- "Debugging an IPv6 Controller" on page 135
- "Provisioning an IPv6 AP" on page 135
You can also view the IPv6 statistics on the controller using the follo
-
Features / Supported on IPv6 APs?
CPSec: No
Wired-AP/Secure-Jack: No
Fragmentation/Reassembly: Yes
MTU Discovery: Yes
Provisioning through Static IPv6 Addresses: Yes
Provisioning through IPv6 FQDN Master Name: Yes
Provisioning from WebUI: Yes
AP boot by Flash: Yes
AP boot by TFTP: No
WMM QoS: No
AP Debug and Syslog: Yes
ARM & AM: Yes
WIDS: Yes (Limited)
CLI support for users & datapath: Yes
Configuring IPv6 Addresses
You can configure IPv6 addresses for the management interface, VLAN interface
-
4. (Optional) Select the EUI64 Format check box, if applicable.
5. Click the Add button to add the address to the global address list.
6. Click the Apply button to apply the configuration.
To Configure Loopback Interface Address
1. Navigate to the Configuration > Network > Controller page and select the System Settings tab.
2. Under Loopback Interface, enter the loopback address in the IPv6 Address field.
3. Click the Apply button to apply the configuration.
-
Configuring IPv6 Default Gateway and Static IPv6 Routes
You can configure the IPv6 default gateway and static IPv6 routes using the WebUI or CLI.
In the WebUI
To Configure IPv6 Default Gateway
1. Navigate to the Configuration > Network > IP page and select the IP Routes tab.
2. Under the Default Gateway section, click the Add button.
3. Select IPv6 as IP Version, and enter the IPv6 address in the IP Address field.
4. Click the Add button to add the address to the IPv6 default gateway table.
5.
-
Configuring Multicast Listener Discovery (MLD)
You can enable IPv6 multicast snooping on the controller using the WebUI or CLI. You can also modify the default values of the MLD parameters such as query interval, query response interval, and robustness variable.
In the WebUI
To Enable IPv6 MLD Snooping
1. Navigate to the Configuration > Network > IP page and select the IP Interfaces tab.
2. Edit the required VLAN interface.
3. Check the Enable MLD Snooping check box to enable IPv6 MLD snooping.
4.
-
Debugging an IPv6 Controller
You can now use the debug options such as ping and tracepath for IPv6 hosts. You can use either the WebUI or the CLI to run the ping and tracepath options.
In the WebUI
1. To ping an IPv6 host, navigate to the Diagnostics > Network > Ping page, enter an IPv6 address, and click the Ping button.
2. To trace the path to an IPv6 host, navigate to the Diagnostics > Network > Tracepath page, enter an IPv6 address, and click the Trace button.
-
(host) (config)# provision-ap
(host) (AP provisioning)# master
(host) (AP provisioning)# dns-server-ip6
(host) (AP provisioning)# ip6addr
(host) (AP provisioning)# ip6prefix
(host) (AP provisioning)# gateway6
Filtering an IPv6 Extension Header (EH)
ArubaOS firewall is enhanced to process the IPv6 Extensi
-
establish continuous connectivity to the default router, the host starts the neighbor reachability state machine for the router. NOTE: ArubaOS uses Radvd, an open source Linux IPv6 Router Advertisement daemon maintained by Litech Systems Design.
-
4. To enable IPv6 RA on a VLAN, select the Enable Router Advertisements (RA) check box under Neighbor Discovery.
5. To configure an IPv6 RA prefix for a VLAN, follow the steps below:
a. Under Neighbor Discovery, enter an IPv6 prefix in the IPv6 RA Prefix field.
b. Click Add to configure an IPv6 prefix for the VLAN. You can add up to three IPv6 prefixes per VLAN interface.
6. Click Apply to apply the configurations.
-
NOTE: If you enable RAs on more than 100 VLAN interfaces, some of the interfaces may not send out the RAs at regular intervals.
In the WebUI
1. Navigate to the Configuration > Network > IP page.
2. Select the IP Interfaces tab.
3. Edit the VLAN on which you want to configure the neighbor discovery or RA options.
4. Select IP Version as IPv6.
5. Under Neighbor Discovery, configure the following neighbor discovery and RA options for the VLAN based on your requirements.
a.
-
To configure RA interval:
(host) (config-subif)#ipv6 nd ra interval
To configure RA lifetime:
(host) (config-subif)#ipv6 nd ra life-time
To enable hosts to use DHCP server for stateful address autoconfiguration:
(host) (config-subif)#ipv6 nd ra managed-config-flag
To configure maximum transmission unit for RA:
(host) (config-subif)#ipv6 nd ra mtu
To enable hosts to use DHCP server for other non-address stateful autoconfiguration:
(host) (config-subif)#ipv6 nd ra other
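How the settings above map onto the Router Advertisement that hosts actually receive: life-time is the router lifetime field, managed-config-flag and other set the M and O flag bits, mtu becomes an MTU option and each RA prefix becomes a Prefix Information option (interval only controls how often the message is sent and is not a field in it). This builder/decoder is an added example following RFC 4861, not ArubaOS or radvd code; it leaves the ICMPv6 checksum zero and assumes radvd's default on-link/autonomous prefix flags.

```python
"""Build and decode an ICMPv6 Router Advertisement (RFC 4861) carrying the
fields that the 'ipv6 nd ra' commands control. Added example, not ArubaOS
code; the checksum is left at zero (it needs the IPv6 pseudo-header)."""
import ipaddress
import struct

RA_TYPE = 134
OPT_PREFIX_INFO = 3
OPT_MTU = 5
FLAG_MANAGED = 0x80   # M: use DHCPv6 for addresses (managed-config-flag)
FLAG_OTHER = 0x40     # O: use DHCPv6 for other configuration (other)


def build_ra(router_lifetime, managed=False, other=False, mtu=None, prefixes=(),
             cur_hop_limit=64, reachable_time=0, retrans_timer=0):
    """prefixes: iterable of (prefix, valid_lifetime, preferred_lifetime)."""
    flags = (FLAG_MANAGED if managed else 0) | (FLAG_OTHER if other else 0)
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, cur_hop_limit, flags,
                      router_lifetime, reachable_time, retrans_timer)
    if mtu is not None:
        msg += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)   # length 1 = 8 bytes
    for prefix, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix)
        # L (on-link) and A (autonomous) flags set, the radvd defaults (assumed)
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                           valid, preferred, 0)
        msg += net.network_address.packed
    return msg


def decode_ra(msg):
    """Return a dict of the RA header fields and the MTU/prefix options found."""
    mtype, code, _csum, hop, flags, lifetime, reach, retrans = struct.unpack_from("!BBHBBHII", msg, 0)
    if mtype != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"cur_hop_limit": hop, "managed": bool(flags & FLAG_MANAGED),
          "other": bool(flags & FLAG_OTHER), "router_lifetime": lifetime,
          "reachable_time": reach, "retrans_timer": retrans, "mtu": None, "prefixes": []}
    off = 16
    while off < len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861 requires discarding it
        body = msg[off:off + olen * 8]
        if otype == OPT_MTU:
            ra["mtu"] = struct.unpack_from("!I", body, 4)[0]
        elif otype == OPT_PREFIX_INFO:
            plen, _pflags, valid, preferred = struct.unpack_from("!BBII", body, 2)
            addr = ipaddress.IPv6Address(body[16:32])
            ra["prefixes"].append((f"{addr}/{plen}", valid, preferred))
        off += olen * 8   # unknown options are skipped by length
    return ra
```

A router lifetime of 0 advertises a router that must not be used as a default gateway, which is why the decoder keeps that field rather than treating it as a boolean.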
-
NOTE: IPv6 clients and the IPv6 router must be on the same VLAN.
Understanding the Network Connection Sequence for Windows IPv6 Clients
This section describes the network connection sequence for Windows Vista/XP clients that use IPv6 addresses, and the actions performed by the AP and controller.
1. The IPv6 client sends a Router Solicit message through the AP. The AP passes the Router Solicit message from the IPv6 client through the GRE tunnel to the controller.
2. The controller removes the 802.
-
You configure 802.1x authentication for IPv6 clients in the same way as for IPv4 client configuration. For more information about configuring 802.1x authentication on the controller, see 802.1X Authentication on page 192. NOTE: This release does not support authentication of management users on IPv6 clients. Working with Firewall Features If you installed a Policy Enforcement Firewall Next Generation (PEFNG) license in the controller, you can configure firewall functions for IPv6 client traffic.
-
Authentication Method Description Attack direction. You should not enable this option unless instructed to do so by a Dell representative. Default: Disabled
Session Mirror Destination: Destination (IPv4 address or controller port) to which mirrored session packets are sent. You can configure IPv6 flows to be mirrored with the session ACL “mirror” option. This option is used only for troubleshooting or debugging.
-
Table 40: IPv6 Firewall Policy Rule Parameters
Field: Source (required). Description: Source of the traffic, which can be one of the following:
- any: Acts as a wildcard and applies to any source address.
- user: This refers to traffic from the wireless client.
- host: This refers to traffic from a specific host. When this option is chosen, you must configure the IPv6 address of the host. For example, 2002:d81f:f9f0:1000:c7e:5d61:585c:3ab.
-
The following example creates a policy ‘ipv6-web-only’ that allows only web (HTTP and HTTPS) access for IPv6 clients and assigns the policy to the user role “web-guest”.
NOTE: The user role “web-guest” can include both IPv6 and IPv4 policies, although this example only shows configuration of an IPv6 policy.
Creating an IPv6 Firewall Policy
Follow the procedure below to create an IPv6 firewall policy via the WebUI.
1. Navigate to the Configuration > Security > Access Control > Policies page.
2.
-
4. Under Firewall Policies, click Add. From Choose from Configured Policies, select the “ipv6-web-only” IPv6 session policy from the list.
5. Click Done to add the policy to the user role.
6. Click Apply to apply this configuration.
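What the ‘ipv6-web-only’ policy does to client traffic once it is in the role, as an added example written for this page rather than the controller's own firewall code: rules are checked in order with the any/user/host source forms from Table 40, and anything matching no rule is denied. The svc-http/svc-https port mapping and the client and server addresses are assumptions for the example.

```python
"""Evaluate an IPv6 session policy against sample flows (added example; it
models first-match-then-implicit-deny policy logic, not the ArubaOS firewall)."""
import ipaddress
from typing import NamedTuple, Optional, Tuple

# Assumed mapping of service aliases to (protocol, destination port).
SERVICES = {"svc-http": ("tcp", 80), "svc-https": ("tcp", 443), "any": None}


class Rule(NamedTuple):
    source: str    # 'any', 'user' (the wireless client), or 'host <ipv6 address>'
    dest: str      # 'any' or 'host <ipv6 address>'
    service: str   # key of SERVICES
    action: str    # 'permit' or 'deny'


class Flow(NamedTuple):
    src: str         # IPv6 source address of the packet
    dst: str         # IPv6 destination address
    proto: str       # 'tcp' or 'udp'
    dport: int
    from_user: bool  # True when the packet was sent by an authenticated wireless client


def _addr_matches(spec: str, addr: str, from_user: bool) -> bool:
    if spec == "any":
        return True
    if spec == "user":
        return from_user
    kind, _, value = spec.partition(" ")
    if kind == "host":
        # ipaddress normalises compressed and expanded forms before comparing.
        return ipaddress.IPv6Address(addr) == ipaddress.IPv6Address(value)
    raise ValueError(f"unsupported address specification: {spec!r}")


def evaluate(policy, flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); index is None on the implicit deny."""
    for index, rule in enumerate(policy):
        service = SERVICES[rule.service]
        if service is not None and service != (flow.proto, flow.dport):
            continue
        if not _addr_matches(rule.source, flow.src, flow.from_user):
            continue
        if not _addr_matches(rule.dest, flow.dst, False):   # 'user' accepted as a source only
            continue
        return rule.action, index
    return "deny", None


# The 'ipv6-web-only' policy from the text: clients may reach HTTP and HTTPS only.
IPV6_WEB_ONLY = [
    Rule("user", "any", "svc-http", "permit"),
    Rule("user", "any", "svc-https", "permit"),
]

# Variant with a host rule in front, using the host address quoted in Table 40.
BLOCKED_HOST = "2002:d81f:f9f0:1000:c7e:5d61:585c:3ab"
IPV6_WEB_ONLY_WITH_BLOCK = [Rule("host " + BLOCKED_HOST, "any", "any", "deny")] + IPV6_WEB_ONLY
```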
-
- Remote AP supports IPv6 clients in tunnel forwarding mode only. The Remote AP bridge and split-tunnel forwarding modes do not support IPv6 clients. Secure Thin Remote Access Point (STRAP) cannot support IPv6 clients.
- The controller cannot terminate VPNs for IPv6 clients.
- VPN authentication cannot be performed for IPv6 clients.
- ArubaOS does not support RADIUS over IPv6 as an authentication protocol.
- Authentication of management users on IPv6 clients is not supported.
-
Chapter 9 Link Aggregation Control Protocol (LACP) Dell’s implementation of Link Aggregation Control Protocol (LACP) is based on the standards specified in 802.3ad. LACP provides a standardized means for exchanging information, with partner systems, to form a link aggregation group (LAG). LACP avoids port channel misconfiguration. Two devices (actor and partner) exchange LACP data units (DUs) in the process of forming a LAG.
-
Configuring LACP Two LACP configured devices exchange LACPDUs to form a LAG. A device is configurable as an active or passive participant. In active mode, the device initiates DUs irrespective of the partner state; passive mode devices respond only to the incoming DUs sent by the partner device. Hence, to form a LAG group between two devices, one device must be an active participant. For detailed information on the LACP commands, see the ArubaOS Command Line Reference Guide.
-
Flags: S - Device is requesting Slow LACPDUs
       F - Device is requesting fast LACPDUs
       A - Device is in active mode
       P - Device is in passive mode
Port    Flags  Pri  AdminKey  OperKey  State  Num  Status
----    -----  ---  --------  -------  -----  ---  ------
FE 1/1  SA     1    0x1       0x1      0x45   0x2  DOWN
FE 1/2  SA     1    0x1       0x1      0x45   0x3  UP
In the WebUI
Access LACP from the Configuration->Network->Port tabs. Use the drop-down menus to enter the LACP values.
-
  lacp group 0 mode active
!
interface fastethernet 1/2
  description "FE1/2"
  trusted
  vlan 1-4094
  lacp group 0 mode passive
!
-
Chapter 10 OSPFv2

OSPFv2 (Open Shortest Path First version 2) is a dynamic Interior Gateway Protocol (IGP) defined in IETF RFC 2328. The premise of OSPF is that the shortest or fastest routing path is used. Dell’s implementation of OSPFv2 allows Dell controllers to deploy effectively in a Layer 3 topology. Dell controllers can act as the default gateway for all clients and forward user packets to the upstream router.
-
- The default MTU value for a Layer 3 GRE tunnel in a Dell controller is 1100. When running OSPF over a GRE tunnel between a Dell controller and another vendor’s router, the MTU values must be the same on both sides of the GRE tunnel.
- Do not enable OSPF on any uplink/WAN interfaces on the Branch Office Controller. Enable OSPF only on the Layer 3 GRE tunnel connecting the master controller.
- Use only one physical port in the uplink VLAN interface that is connecting to the upstream router.
-
O    10.1.1.0/24 [1/0] via 4.1.1.1
O    12.1.1.0/24 [1/0] via 4.1.1.1
C    4.1.1.0 is directly connected, VLAN4

Below is the routing table for Router 2:

(router2) #show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default

O    10.1.1.0/24 [2/0] via 5.1.1.1
O    12.1.1.0/24 [2/0] via 5.1.1.1
C    5.1.1.
-
Branch Office Routing Table
View the branch office controller routing table using the show ip route command:

(host) #show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default
Gateway of last resort is 20.1.1.2 to network 0.0.0.0

O*   30.0.0.0/0 [1/0] via 20.1.1.2*
C    14.1.1.0 is directly connected, VLAN14
C    15.1.1.0 is directly connected, VLAN15
C    20.1.1.
-
Figure 42: General OSPF Configuration

Select the Add button to add an area (see Figure 43).

Figure 43: Add an OSPF Area

Configure the OSPF interface settings in the Configuration screen (Figure 44). If OSPF is enabled, the parameters contain the correct default values. The OSPF values are editable only when OSPF is enabled on the interface.

Figure 44: Edit OSPF VLAN Settings

OSPF monitoring is available from an IP Routing sub-section (Controller > IP Routing > Routing).
-
Sample Topology and Configuration
The following displays a sample OSPF topology followed by sample configurations of the Remote Branch 1, Remote Branch 2, and the W-3200 Central Office Controller (Active and Backup).
-
!
interface vlan 16
  ip address 192.168.16.251 255.255.255.0
!
interface vlan 30
  ip address 192.168.30.1 255.255.255.0
!
interface vlan 31
  ip address 192.168.31.1 255.255.255.0
!
interface vlan 32
  ip address 192.168.32.1 255.255.255.0
!
uplink wired priority 202
uplink cellular priority 201
uplink wired vlan 16
interface tunnel 2003
  description "Tunnel Interface"
  ip address 2.0.0.3 255.0.0.0
  tunnel source 192.168.30.1
  tunnel destination 192.168.68.217
  trusted
  ip ospf area 10.10.10.
-
interface vlan 20
  ip address 192.168.20.1 255.255.255.0
!
interface vlan 50
  ip address 192.168.50.1 255.255.255.0
!
interface vlan 51
  ip address 192.168.51.1 255.255.255.0
!
interface vlan 52
  ip address 192.168.52.1 255.255.255.0
!
uplink wired priority 206
uplink cellular priority 205
uplink wired vlan 20
interface tunnel 2005
  description "Tunnel Interface"
  ip address 2.0.0.5 255.0.0.0
  tunnel source 192.168.50.1
  tunnel destination 192.168.68.217
  trusted
  ip ospf area 10.10.10.10
!
ip default-gateway 192.
-
  ip address 192.168.225.2 255.255.255.0
!
interface tunnel 2003
  description "Tunnel Interface"
  ip address 2.1.0.3 255.0.0.0
  tunnel source 192.168.225.2
  tunnel destination 192.168.30.1
  trusted
  ip ospf area 10.10.10.10
!
interface tunnel 2005
  description "Tunnel Interface"
  ip address 2.1.0.5 255.0.0.0
  tunnel source 192.168.225.2
  tunnel destination 192.168.50.1
  trusted
  ip ospf area 10.10.10.10
!
master-redundancy
  master-vrrp 2
  peer-ip-address 192.168.68.
-
!
interface gigabitethernet 1/1
  description "GE1/1"
  trusted
  switchport access vlan 100
!
interface gigabitethernet 1/2
  description "GE1/2"
  trusted
  switchport access vlan 68
!
interface vlan 68
  ip address 192.168.68.221 255.255.255.224
!
interface vlan 100
  ip address 192.168.100.5 255.255.255.0
!
interface vlan 225
  ip address 192.168.225.1 255.255.255.0
!
interface tunnel 2003
  description "Tunnel Interface"
  ip address 2.1.0.3 255.0.0.0
  tunnel source 192.168.225.1
  tunnel destination 192.168.30.
-
!
router ospf
router ospf router-id 192.168.225.1
router ospf area 10.10.10.10 stub
router ospf redistribute vlan 100,225
!
-
Chapter 11 Tunneled Nodes

This chapter describes how to configure a Dell tunneled node, also known as a wired tunneled node. Dell tunneled nodes provide access and security using an overlay architecture.
-
Figure 46: Tunneled node configuration operation

Configuring a Wired Tunneled Node Client

NOTE: ArubaOS does not allow a tunneled-node client and tunneled-node server to co-exist on the same controller at the same time. The controller must be configured as either a tunneled-node client or a tunneled-node server. By default, the Aruba controller behaves as a tunneled-node server. However, once tunneled-node-server xxx.xxx.xxx.
-
   b. Locate the Wired Access Concentration Configuration section.
   c. To enable tunneled nodes, click the Enable Wired Access Concentrator checkbox.
   d. Enter the IP address of the controller in the Wired Access Concentrator Server IP field.
   e. To enable tunnel loop prevention, click the Enable Wired Access Concentrator Loop Prevention checkbox.
   f. Click Apply.
3. Access each interface that you want to use, and assign it as a tunneled node port.
-
Sample Output
Use the show tunneled-node state command to verify the status of the wired tunneled node.

(show) # show tunneled-node state
Tunneled Node State
-------------------
IP                MAC
--                ---
192.168.123.14    00:0b:86:40:32:40
192.168.123.14    00:0b:86:40:32:40
192.168.123.
-
Total 802.11n-124abg Licenses
802.11n-124abg Licenses Used
Total 802.11n-125abg Licenses
802.11n-125abg Licenses Used
-
Chapter 12 Authentication Servers

The ArubaOS software allows you to use an external authentication server or the controller internal user database to authenticate clients who need to access the wireless network.
-
Figure 47 graphically represents a server group named “Radii” that consists of two RADIUS servers, Radius-1 and Radius-2. The server group is assigned to the server group for 802.1x authentication.

Figure 47: Server Group

Server names are unique. You can configure the same server in multiple server groups. You must configure the server before you can add it to a server group.

NOTE: If you are using the controller’s internal database for user authentication, use the predefined “Internal” server group.
-
Accounting Port
    Accounting port on the server. Default: 1813
Retransmits
    Maximum number of retries sent to the server by the controller before the server is marked as down. Default: 3
Timeout
    Maximum time, in seconds, that the controller waits before timing out the request and resending it. Default: 5 seconds
NAS ID
    Network Access Server (NAS) identifier to use in RADIUS packets. Default: N/A
NAS IP
    NAS IP address to send in RADIUS packets.
-
RADIUS Server Authentication Codes
A configured RADIUS server returns the following standard response codes.

Table 49: RADIUS Authentication Response Codes
Code  Description
0     Authentication OK.
1     Authentication failed—user/password combination not correct.
2     Authentication request timed out—no response from server.
3     Internal authentication error.
4     Bad response from RADIUS server. Verify that the shared secret is correct.
5     No RADIUS authentication server is configured.
6     Challenge from server.
-
The disconnect and change-of-authorization messages sent from the server to the controller contain information to identify the user for which the message is sent.
-
    Default: 389
Base-DN
    Distinguished Name of the node that contains the entire user database. Default: N/A
Filter
    A string that is used to search for users in the LDAP database. The default filter string is: (objectclass=*). Default: N/A
Key Attribute
    A string that is used to search for an LDAP server. For Active Directory, the value is sAMAccountName. Default: sAMAccountName
Timeout
    Timeout period of an LDAP request, in seconds.
-
Table 51: TACACS+ Server Configuration Parameters
Host
    IP address of the server. Default: N/A
Key
    Shared secret to authenticate communication between the TACACS+ client and server. Default: N/A
TCP Port
    TCP port used by the server. Default: 49
Retransmits
    Maximum number of times a request is retried. Default: 3
Timeout
    Timeout period for TACACS+ requests, in seconds. Default: 20 seconds
Mode
    Enables or disables the server.
-
Table 52: Windows Server Configuration Parameters
Host
    IP address of the server. Default: N/A
Mode
    Enables or disables the server. Default: enabled
Windows Domain
    Name of the Windows Domain assigned to the server.

Using the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Windows Server to display the Windows Server List.
3. To configure a Windows server, enter the name for the server and click Add.
4.
-
Password
    (Required) Enter a password or select Generate to automatically generate a password string. An entered password must be a minimum of 6 characters and can be up to 128 characters in length.
Role
    Role for the client. In order for this role to be assigned to a client, you need to configure a server derivation rule, as described in "Configuring Server-Derivation Rules" on page 182.
-
3. Click Export in the Internal DB Maintenance section. A popup window opens.
4. Enter the name of the file you want to export.
5. Click OK.

Importing Files in the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Internal DB.
3. Click - in the Internal DB Maintenance section. A popup window opens.
4. Enter the name of the file you want to import.
5. Click OK.
-
Configuring Server Groups
Server names are unique. You can configure the same server in more than one server group. The server must be configured before you can include it in a server group.

Using the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Server Group to display the Server Group list.
3. Enter the name of the new server group and click Add.
4. Select the name to configure the server group.
5. Under Servers, click New to add a server to the group.
   a.
-
Using the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select LDAP Server to display the LDAP Server List.
3. Enter ldap-1 for the server name and click Add.
4. Enter ldap-2 for the server name and click Add.
5. Under the Servers tab, select ldap-1 to configure server parameters. Enter the IP address for the server. Select the Mode checkbox to activate the authentication server. Click Apply.
6. Repeat step 5 on page 179 to configure ldap-2.
7.
-
For example, Figure 54 depicts a network consisting of several subdomains in corpnet.com. The server radius-1 provides 802.1x machine authentication to PC clients in xyz.corpnet.com, sales.corpnet.com, and hq.corpnet.com. The server radius-2 provides authentication for users in abc.corpnet.com.

Figure 54: Domain-Based Server Selection Example

You configure the following rules for servers in the corp-serv server group:
- radius-1 is selected if the client information starts with “host/”.
-
Using the CLI
(host)(config) #aaa server-group corp-serv
  auth-server radius-1 match-authstring starts-with host/ position 1
  auth-server radius-2 match-authstring contains abc.corpnet.com position 2

Configuring Match FQDN Option
You can also use the “match FQDN” option for a server match rule. With a match FQDN rule, the server is selected if the portion of the user information in the formats \ or @ exactly matches a specified string.
-
4. Select the name to configure the server group.
5. Under Servers, click Edit for a configured server or click New to add a server to the group.
   - If editing a configured server, select Trim FQDN, scroll right, and click Update Server.
   - If adding a new server, select a server from the drop-down menu, then select Trim FQDN, scroll right, and click Add Server.
6. Click Apply.

Using the CLI
(host)(config) #aaa server-group corp-serv
  auth-server radius-2 match-authstring contains abc.corpnet.
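The server selection logic described above (match-authstring rules evaluated by position, the match FQDN option, and Trim FQDN), written out as an added Python example. This is illustration code, not ArubaOS code: the CORP_SERV rule list mirrors the corp-serv example, while the reading of the two user-name formats as DOMAIN\user and user@domain, and returning None when no rule matches, are assumptions of the example.

```python
# Added example (not ArubaOS code): first-match evaluation of server-group
# match rules, covering match-authstring (starts-with / contains / equals)
# and match-fqdn, plus the "Trim FQDN" transformation applied before the
# request is forwarded. CORP_SERV mirrors the corp-serv example; the
# split_fqdn() reading of the user-name formats (DOMAIN\user and
# user@domain) is an assumption.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MatchRule:
    server: str      # auth-server the rule selects
    kind: str        # "starts-with", "contains", "equals" or "fqdn"
    value: str       # string the client information is compared against
    position: int    # 1 is the top; lower positions are evaluated first


def split_fqdn(auth_string: str) -> Tuple[str, Optional[str]]:
    """Return (user, domain) for DOMAIN\\user or user@domain; domain is None otherwise."""
    if "\\" in auth_string:
        domain, _, user = auth_string.partition("\\")
        return user, domain
    if "@" in auth_string:
        user, _, domain = auth_string.partition("@")
        return user, domain
    return auth_string, None


def trim_fqdn(auth_string: str) -> str:
    """Strip the domain portion so only the bare user name reaches the server."""
    return split_fqdn(auth_string)[0]


def rule_matches(rule: MatchRule, auth_string: str) -> bool:
    if rule.kind == "starts-with":
        return auth_string.startswith(rule.value)
    if rule.kind == "contains":
        return rule.value in auth_string
    if rule.kind == "equals":
        return auth_string == rule.value
    if rule.kind == "fqdn":
        # match FQDN: the domain portion must exactly match the configured string
        return split_fqdn(auth_string)[1] == rule.value
    raise ValueError(f"unknown match kind {rule.kind!r}")


def select_server(rules: List[MatchRule], auth_string: str) -> Optional[str]:
    """Pick the server of the first rule (by position) that matches.

    The text above does not say what the controller does when no rule
    matches, so this function only reports that no rule applied (None).
    """
    for rule in sorted(rules, key=lambda r: r.position):
        if rule_matches(rule, auth_string):
            return rule.server
    return None


# Rules from the corp-serv example above.
CORP_SERV = [
    MatchRule("radius-1", "starts-with", "host/", 1),
    MatchRule("radius-2", "contains", "abc.corpnet.com", 2),
]

if __name__ == "__main__":
    for identity in ("host/pc1.xyz.corpnet.com", "jdoe@abc.corpnet.com",
                     "abc.corpnet.com\\jdoe", "jdoe@hq.corpnet.com"):
        print(f"{identity:28} -> {select_server(CORP_SERV, identity)}")
```

Position matters: a machine identity such as host/pc1.abc.corpnet.com contains abc.corpnet.com, but the position 1 rule sends it to radius-1 first, which is the behaviour the corp-serv example relies on.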
-
    ... returned as the value of the attribute selected must be already configured on the controller when the rule is applied.
Operand
    This is the string to which the value of the returned attribute is matched.
Value
    The user role or the VLAN name applied to the client when the rule is matched.
position
    Position of the condition rule. Rules are applied based on the first match principle. 1 is the top. Default: bottom

Using the WebUI
1.
-
4. Under Server Rules, click New to add a server derivation rule.
   a. For Condition, enter Role.
   b. Select value-of from the drop-down menu.
   c. Select Set Role from the drop-down menu.
   d. Click Add.
5. Click Apply.
-
  server-group

Accounting
You can configure accounting for RADIUS and TACACS+ server groups.

NOTE: RADIUS or TACACS+ accounting is only supported when RADIUS or TACACS+ is used for authentication.

RADIUS Accounting
RADIUS accounting allows user activity and statistics to be reported from the controller to RADIUS servers. RADIUS accounting works as follows:
1. The controller generates an Accounting Start packet when a user logs in.
-
The following attributes are sent in Accounting-Request packets when the Acct-Status-Type value is Start:
- Acct-Status-Type
- User-Name
- NAS-IP-Address
- NAS-Port
- NAS-Port-Type
- NAS-Identifier
- Framed-IP-Address
- Calling-Station-ID
- Called-Station-ID
- Acct-Session-Id
- Acct-Authentic

The following attributes are sent in Accounting-Request packets when the Acct-Status-Type value is Stop:
- Acct-Status-Type
- User-Name
- NAS-IP-Address
- NAS-Port
- NAS-Port-Type
- NAS-Identif
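To make the Start attribute list above concrete, the following added Python example (not ArubaOS code) encodes an RFC 2866 Accounting-Request carrying those attributes and verifies its Request Authenticator the way an accounting server would. The attribute type numbers are the standard RADIUS ones; the shared secret, packet identifier and attribute values are constructed sample data.

```python
# Added example (not ArubaOS code): building and verifying a RADIUS
# Accounting-Request (RFC 2866) that carries the Start attributes listed
# above. Attribute type numbers are the standard RADIUS ones; the secret,
# identifier and values below are constructed sample data.
import hashlib
import hmac
import socket
import struct
from typing import Dict, List, Tuple, Union

ACCOUNTING_REQUEST = 4                                 # RADIUS Code
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3   # Acct-Status-Type values

ATTR_TYPE: Dict[str, int] = {
    "User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Framed-IP-Address": 8,
    "Called-Station-Id": 30, "Calling-Station-Id": 31, "NAS-Identifier": 32,
    "Acct-Status-Type": 40, "Acct-Session-Id": 44, "Acct-Authentic": 45,
    "NAS-Port-Type": 61,
}
ATTR_NAME = {v: k for k, v in ATTR_TYPE.items()}

Value = Union[int, str, bytes]


def encode_avp(name: str, value: Value) -> bytes:
    """Type-Length-Value encoding; integers and IPv4 addresses occupy 4 octets."""
    if isinstance(value, int):
        payload = struct.pack("!I", value)
    elif name.endswith("IP-Address"):
        payload = socket.inet_aton(value)          # dotted quad -> 4 octets
    elif isinstance(value, str):
        payload = value.encode()
    else:
        payload = value
    if len(payload) > 253:
        raise ValueError(f"{name}: value too long for one attribute")
    return struct.pack("!BB", ATTR_TYPE[name], len(payload) + 2) + payload


def build_accounting_request(identifier: int, secret: bytes,
                             attributes: List[Tuple[str, Value]]) -> bytes:
    """Header + Request Authenticator + attributes.

    For accounting, Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret),
    so a server sharing the secret can detect a forged or altered request.
    """
    body = b"".join(encode_avp(n, v) for n, v in attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check of the Length field and the Request Authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[Union[str, int], bytes]]:
    """Walk the TLVs after the 20-octet header; unknown types keep their number."""
    out, pos = [], 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        out.append((ATTR_NAME.get(attr_type, attr_type), packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


# Constructed Accounting Start for one wireless client (sample values).
START_ATTRIBUTES: List[Tuple[str, Value]] = [
    ("Acct-Status-Type", ACCT_START),
    ("User-Name", "jdoe"),
    ("NAS-IP-Address", "10.1.1.1"),
    ("NAS-Port", 0),
    ("NAS-Port-Type", 19),                     # 19 = Wireless-802.11
    ("NAS-Identifier", "controller-1"),
    ("Framed-IP-Address", "10.1.60.20"),
    ("Calling-Station-Id", "00:0b:86:40:32:40"),
    ("Called-Station-Id", "00:0b:86:00:00:01"),
    ("Acct-Session-Id", "0000000A"),
    ("Acct-Authentic", 1),                     # 1 = RADIUS
]
SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    pkt = build_accounting_request(7, SECRET, START_ATTRIBUTES)
    print(len(pkt), "octets, authenticator valid:", verify_accounting_request(pkt, SECRET))
    for name, raw in parse_attributes(pkt):
        print(f"{name:20} {raw!r}")
```

The verification step is what the shared secret buys you for accounting: a request with a wrong secret, or one whose User-Name was altered in transit, fails the authenticator check even though every field still parses.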
-
3. (Optional) In the Profile Details pane, select RADIUS Interim Accounting to allow the controller to send Interim-Update messages with current user statistics to the server at regular intervals. This option is disabled by default, so the controller sends only start and stop messages to the RADIUS accounting server.
4. In the profile list, scroll down and select the Radius Accounting Server Group for the AAA profile. Select the server group from the drop-down menu.
-
Logon User Lifetime
    Maximum time, in minutes, unauthenticated clients are allowed to remain logged on. Range: 0–255. Default: 5 minutes
User Interim stats frequency
    Set the timeout value for user stats reporting in minutes or seconds. The supported range is 300-600 seconds, or 5-10 minutes, and the default value is 600 seconds.

Setting an Authentication Timer
To set an authentication timer, complete one of the following procedures:

Using the WebUI
1.
-
Chapter 13 MAC-based Authentication

This chapter describes how to configure MAC-based authentication on the Dell controller using the WebUI. Use MAC-based authentication to authenticate devices based on their physical media access control (MAC) address. While not the most secure and scalable method, MAC-based authentication implicitly provides an additional layer of security for authenticating devices.
-
Case
    The case (upper or lower) used in the MAC string. Default: lower
Max Authentication failures
    Number of times a station can fail to authenticate before it is blacklisted. A value of 0 disables blacklisting. Default: 0

Using the WebUI to configure a MAC authentication profile
1. Navigate to the Configuration > Security > Authentication > L2 Authentication page.
2. Select MAC Authentication Profile.
3. Enter a profile name and click Add.
4.
-
In the CLI
Enter the following command in enable mode:
(host)(config) #local-userdb add username password ...
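How the Case and Max Authentication failures parameters above interact with an internal-database lookup, as an added Python example (not ArubaOS code). The MAC is formatted per the profile and used as both user name and password, which is why the local-userdb entry must already be stored in the same format; per-station failures are counted and the station is blacklisted when the limit is reached (0 disables the limit). The delimiter option and the sample database entry are constructed for this example, not taken from the page.

```python
# Added example (not ArubaOS code): MAC-based authentication against an
# internal-database style user table, applying the "Case" parameter when
# forming the MAC string and the "Max Authentication failures" blacklist
# rule. The delimiter option and the USERDB entry are constructed.
import re
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class MacAuthProfile:
    case: str = "lower"          # "upper" or "lower"; default is lower
    max_auth_failures: int = 0   # failures before blacklisting; 0 disables (default)
    delimiter: str = "none"      # assumed option for this example: "colon", "dash" or "none"


def canonical_mac(raw: str) -> str:
    """12 lowercase hex digits, whatever separators the client or driver used."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits.lower()


def format_mac(raw: str, profile: MacAuthProfile) -> str:
    """Render the MAC in the profile's case and delimiter, i.e. the user name sent."""
    digits = canonical_mac(raw)
    if profile.case == "upper":
        digits = digits.upper()
    sep = {"colon": ":", "dash": "-", "none": ""}[profile.delimiter]
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


class MacAuthenticator:
    """Tracks per-station failures and blacklists once the limit is reached."""

    def __init__(self, profile: MacAuthProfile, userdb: Dict[str, str]) -> None:
        self.profile = profile
        self.userdb = userdb              # username -> password, as local-userdb add creates
        self.failures: Dict[str, int] = {}
        self.blacklist: Set[str] = set()

    def authenticate(self, raw_mac: str) -> str:
        """Return "accepted", "rejected" or "blacklisted" for one attempt."""
        station = canonical_mac(raw_mac)
        if station in self.blacklist:
            return "blacklisted"
        username = format_mac(raw_mac, self.profile)
        # MAC authentication presents the formatted MAC as both user name and password.
        if self.userdb.get(username) == username:
            self.failures.pop(station, None)
            return "accepted"
        self.failures[station] = self.failures.get(station, 0) + 1
        limit = self.profile.max_auth_failures
        if limit and self.failures[station] >= limit:
            self.blacklist.add(station)
        return "rejected"


# Constructed internal DB entry, stored in the lower-case, no-delimiter format.
USERDB = {"000b86403240": "000b86403240"}

if __name__ == "__main__":
    auth = MacAuthenticator(MacAuthProfile(max_auth_failures=2), USERDB)
    print(auth.authenticate("00:0B:86:40:32:40"))       # accepted
    for _ in range(3):
        print(auth.authenticate("00-11-22-33-44-55"))   # rejected, rejected, blacklisted
```

Note the case sensitivity: a profile set to upper case produces a user name that does not match the lower-case database entry, so the same client is rejected. That mismatch is the usual cause of MAC authentication "failing" after a profile change.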
-
Chapter 14 802.1X Authentication

802.1X is an Institute of Electrical and Electronics Engineers (IEEE) standard that provides an authentication framework for WLANs. 802.1x uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1X framework that are suitable for wireless networks include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS).
-
Supported EAP Types
The following is the list of supported EAP types.
- PEAP—Protected EAP (PEAP) is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with the server. The PEAP authentication creates an encrypted SSL / TLS tunnel between the client and the authentication server. The exchange of information is encrypted and carried inside the tunnel, ensuring the user credentials are kept secure.
-
Figure 59: 802.1X Authentication with RADIUS Server

The supplicant and authentication server must be configured to use the same EAP type. The controller does not need to know the EAP type used between the supplicant and authentication server. For the controller to communicate with the authentication server, you must configure the IP address, authentication port, and accounting port of the server on the controller.
-
   - EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2): Described in RFC 2759, this EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the backend authentication server. If you are using the controller’s internal database for user authentication, you need to add the names and passwords of the users to be authenticated.
-
The 802.1X authentication profile configuration settings are divided into two tabs, Basic and Advanced. The Basic tab displays only those configuration settings that often need to be adjusted to suit a specific network. The Advanced tab shows all configuration settings, including settings that do not need frequent adjustment or should be kept at their default values.
-
Advanced 802.1x Authentication Settings
Machine Authentication Cache Timeout
    The timeout, in hours, for machine authentication. The allowed range of values is 1-1000 hours, and the default value is 24 hours.
Blacklist on Machine Authentication Failure
    Select the Blacklist on Machine Authentication Failure checkbox to blacklist a client if machine authentication fails.
-
Dynamic WEP Key Size
    The default dynamic WEP key size is 128 bits. If desired, you can change this parameter to 40 bits.
Interval between WPA/WPA2 Key Messages
    Interval, in milliseconds, between WPA key exchanges. The allowed range of values is 1000-5000 ms, and the default value is 3000 ms.
Delay between EAP-Success and WPA2 Unicast Key Exchange
    Interval, in milliseconds, between EAP-Success and unicast key exchanges.
-
    ... for the cached information. The default value is 24 hours.
CA-Certificate
    Click the CA-Certificate drop-down list and select a certificate for client authentication. The CA certificate needs to be loaded in the controller before it will appear on this list.
Server-Certificate
    Click the Server-Certificate drop-down list and select a server certificate the controller will use to authenticate itself to the client.
-
  termination {eap-type }|enable|enable-token-caching|{inner-eap-type (eap-gtc|eap-mschapv2)}|{token-caching-period }
  timer {idrequest_period }|{mkey-rotation-period }|{quiet-period }|{reauth-period }|{ukey-rotation-period }|{wpagroupkeydelay }|{wpa-key-period }
  tls-guest-access
  tls-guest-role
  unicast-keyrotation
  use-session-key
  use-static-key
  validate-pmkid
  voice-aware
  wep-key-retries
  wep-key-size {40|128}
  wpa-fa
-
  server-cert
  ca-cert

Configuring User and Machine Authentication
When a Windows device boots, it logs onto the network domain using a machine account. Within the domain, the device is authenticated before computer group policies and software settings can be executed; this process is known as machine authentication. Machine authentication ensures that only authorized devices are allowed on the network. You can configure 802.
-
- Machine authentication default user role (in 802.1x authentication profile): guest

Role assignments would be as follows:
- If both machine and user authentication succeed, the role is dot1x_user. If there is a server-derived role, the server-derived role takes precedence.
- If only machine authentication succeeds, the role is dot1x_mc.
- If only user authentication succeeds, the role is guest.
- On failure of both machine and user authentication, the user does not have access to the network.
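The server derivation rules from the Configuring Server-Derivation Rules section (Condition, Operand, Value, position, first-match) and the four machine/user authentication outcomes above, combined in one added Python example (not ArubaOS code). The rule set, the Access-Accept attribute dictionary and the "Class value-of set-role" rule are constructed for illustration; the default role names dot1x_user, dot1x_mc and guest are the ones used in the example above, and applying the server-derived role only when both authentications succeed is taken from the text.

```python
# Added example (not ArubaOS code): server derivation rules evaluated on the
# attributes a RADIUS server returns, followed by the machine/user
# authentication role outcome described above. Rules and the Access-Accept
# attribute dictionary are constructed; the default role names are the ones
# used in the example above.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DerivationRule:
    attribute: str   # returned attribute the condition is tested against (e.g. "Class")
    condition: str   # "equals", "contains", "starts-with" or "value-of"
    operand: str     # string compared with the returned value (ignored for value-of)
    action: str      # "set-role" or "set-vlan"
    value: str       # role or VLAN applied on a match (ignored for value-of)
    position: int    # 1 is the top; rules are applied on the first-match principle


def derive(rules: List[DerivationRule],
           returned: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (action, value) from the first matching rule, or None."""
    for rule in sorted(rules, key=lambda r: r.position):
        attr_value = returned.get(rule.attribute)
        if attr_value is None:
            continue
        if rule.condition == "value-of":
            # value-of uses the returned value itself as the role/VLAN name
            return rule.action, attr_value
        tests = {
            "equals": attr_value == rule.operand,
            "contains": rule.operand in attr_value,
            "starts-with": attr_value.startswith(rule.operand),
        }
        if rule.condition not in tests:
            raise ValueError(f"unknown condition {rule.condition!r}")
        if tests[rule.condition]:
            return rule.action, rule.value
    return None


def assign_role(machine_ok: bool, user_ok: bool,
                server_derived_role: Optional[str] = None,
                dot1x_default_role: str = "dot1x_user",
                machine_default_role: str = "dot1x_mc",
                machine_auth_default_user_role: str = "guest") -> Optional[str]:
    """Role for the four machine/user outcomes; None means no network access.

    The text above applies the server-derived role only when both
    authentications succeed, so that is the only case that uses it here.
    """
    if machine_ok and user_ok:
        return server_derived_role or dot1x_default_role
    if machine_ok:
        return machine_default_role
    if user_ok:
        return machine_auth_default_user_role
    return None


def role_for(machine_ok: bool, user_ok: bool,
             rules: List[DerivationRule], returned: Dict[str, str]) -> Optional[str]:
    """Combine the derivation rules with the machine/user outcome."""
    derived = derive(rules, returned)
    derived_role = derived[1] if derived and derived[0] == "set-role" else None
    return assign_role(machine_ok, user_ok, derived_role)


# Constructed rule: "Class value-of set-role", i.e. the Class attribute
# returned by the server names the user role directly.
CLASS_RULE = [DerivationRule("Class", "value-of", "", "set-role", "", 1)]

if __name__ == "__main__":
    reply = {"Class": "faculty"}                      # constructed Access-Accept attributes
    print(role_for(True, True, CLASS_RULE, reply))    # faculty: server-derived role wins
    print(role_for(True, True, CLASS_RULE, {}))       # dot1x_user: nothing derived
    print(role_for(True, False, CLASS_RULE, reply))   # dot1x_mc
    print(role_for(False, True, CLASS_RULE, reply))   # guest
    print(role_for(False, False, CLASS_RULE, reply))  # None: no network access
```

The separation between derive() and assign_role() mirrors the two configuration points involved: the server group owns the derivation rules, while the 802.1x authentication profile and AAA profile own the default roles that apply when no rule fires or when one side of the authentication fails.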
-
NOTE: Both Campus APs (CAPs) and Remote APs (RAPs) can be provisioned to use 802.1X authentication.

Prerequisites
- An AP has to be configured with the credentials for 802.1X authentication. These credentials are stored securely in the AP flash.
- The AP must complete the 802.1X authentication before it sends or receives IP traffic such as DHCP.

NOTE: If the AP cannot complete 802.
-
1 = 802.1x authenticated AP; 2 = Using IKE version 2;

Sample Configurations
The following examples show basic configurations on the controller for:
- "Configuring Authentication with an 802.1X RADIUS Server" on page 204
- "Configuring Authentication with the Controller’s Internal Database" on page 214

In the following examples:
- Wireless clients associate to the ESSID WLAN-01.
-
In the WebUI
1. Navigate to the Configuration > Security > Access Control > Policies page. Select Add to add the student policy.
2. For Policy Name, enter student.
3. For Policy Type, select IPv4 Session.
4. Under Rules, select Add to add rules for the policy.
   a. Under Source, select user.
   b. Under Destination, select alias.
   NOTE: The following step defines an alias representing all internal network addresses. Once defined, you can use the alias for other rules and policies.
   c.
-
Creating the Faculty Role and Policy
The faculty policy is similar to the student policy, however faculty members are allowed to use POP3 and SMTP for VPN remote access from home. (Students are not permitted to use VPN remote access.) The faculty policy is mapped to the faculty user role.

Using the WebUI
1. Navigate to the Configuration > Security > Access Control > Policies page. Click Add to add the faculty policy.
2. For Policy Name, enter faculty.
3. For Policy Type, select IPv4 Session.
4.
-
   g. Click Done.
   h. Click Apply.
2. Click the Policies tab. Click Add to add the guest policy.
3. For Policy Name, enter guest.
4. For Policy Type, select IPv4 Session.
5. Under Rules, click Add to add rules for the policy. To create rules to permit access to DHCP and DNS servers during working hours:
   a. Under Source, select user.
   b. Under Destination, select host. In Host IP, enter 10.1.1.25.
   c. Under Service, select service. In the Service scrolling list, select svc-dhcp.
   d. Under Action, select permit.
   e.
-
(host)(config) #ip access-list session guest
  user host 10.1.1.25 svc-dhcp permit time-range working-hours
  user host 10.1.1.
-
On the controller, you add the configured server (IAS1) into a server group. For the server group, you configure the server rule that allows the Class attribute returned by the server to set the user role.

In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. In the Servers list, select Radius Server. In the RADIUS Server Instance list, enter IAS1 and click Add.
   a. Select IAS1 to display configuration parameters for the RADIUS server.
   b. For IP Address, enter 10.1.1.
-
3. Select the AAA Profiles tab.
   a. In the AAA Profiles Summary, click Add to add a new profile.
   b. Enter aaa_dot1x, then click Add.
   c. Select the profile name you just added.
   d. For MAC Auth Default Role, select computer.
   e. For 802.1x Authentication Default Role, select faculty.
   f. Click Apply.
4. In the Profiles list (under the aaa_dot1x profile), select 802.1x Authentication Profile.
   a. From the drop-down menu, select the dot1x 802.1x authentication profile you configured previously.
   b. Click Apply.
5.
-
3. In the IP Interfaces page, click Edit for VLAN 61.
   a. For IP Address, enter 10.1.61.1.
   b. For Net Mask, enter 255.255.255.0.
   c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
   d. Click Apply.
4. In the IP Interfaces page, click Edit for VLAN 63.
   a. For IP Address, enter 10.1.63.1.
   b. For Net Mask, enter 255.255.255.0.
   c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
   d. Click Apply.
5. Select the IP Routes tab.
   a. For Default Gateway, enter 10.1.1.254.
   b.
-
2. In the AP Group list, click Edit for first-floor.
3. Under Profiles, select Wireless LAN, then select Virtual AP.
4. To create the guest virtual AP:
   a. Select NEW from the Add a profile drop-down menu. Enter guest, and click Add.
   b. In the Profile Details entry for the guest virtual AP profile, select NEW from the SSID profile drop-down menu. A pop-up window allows you to configure the SSID profile.
   c. For the name for the SSID profile, enter guest.
   d. For the Network Name for the SSID, enter guest.
   e.
-
3. In the Profiles list, select Wireless LAN, then select Virtual AP.
4. To configure the WLAN-01_first-floor virtual AP:
   a. Select NEW from the Add a profile drop-down menu. Enter WLAN-01_first-floor, and click Add.
   b. In the Profile Details entry for the WLAN-01_first-floor virtual AP profile, select the aaa_dot1x AAA profile you previously configured. A pop-up window displays the configured AAA profile parameters. Click Apply in the pop-up window.
   c. From the SSID profile drop-down menu, select NEW.
-
(host)(config) #ap-group first-floor
  virtual-ap WLAN-01_first-floor
ap-group second-floor
  virtual-ap WLAN-01_second-floor

Configuring Authentication with the Controller’s Internal Database
In the following example:
- The controller’s internal database provides user authentication.
- The authentication type is WPA. From the 802.1x authentication exchange, the client and the controller derive dynamic keys to encrypt data transmitted on the wireless network.
-
Configuring 802.1x Authentication
An AAA profile specifies the 802.1x authentication profile and 802.1x server group to be used for authenticating clients for a WLAN. The AAA profile also specifies the default user role for 802.1x authentication. For this example, you enable both 802.1x authentication and termination on the controller.

In the WebUI
1. Navigate to the Configuration > Security > Authentication > L2 Authentication page. In the profiles list, select 802.1x Authentication Profile.
   a.
-
In the WebUI
1. Navigate to the Configuration > Network > VLAN page. Click Add to add VLAN 60.
   a. For VLAN ID, enter 60.
   b. Click Apply.
   c. Repeat steps A and B to add VLANs 61 and 63.
2. To configure IP parameters for the VLANs, navigate to the Configuration > Network > IP > IP Interfaces page.
   a. Click Edit for VLAN 60.
   b. For IP Address, enter 10.1.60.1.
   c. For Net Mask, enter 255.255.255.0.
   d. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
   e. Click Apply.
3.
-
configured WEP key. In this example, the non-guest clients that associate to an AP are mapped into one of two different user VLANs. The initial AP to which the client associates determines the VLAN: clients that associate to APs in the first floor of the building are mapped to VLAN 60 and clients that associate to APs in the second floor of the building are mapped to VLAN 61. Therefore, the APs in the network are segregated into two AP groups, named “first-floor” and “second-floor”.
-
  ssid-profile guest
(host)(config) #ap-group first-floor
  virtual-ap guest
(host)(config) #ap-group second-floor
  virtual-ap guest

Configuring the Non-Guest WLANs
You create and configure the SSID profile “WLAN-01” with the ESSID “WLAN-01” and WPA TKIP encryption. You need to create and configure two virtual AP profiles: one with VLAN 60 for the first-floor AP group and the other with VLAN 61 for the second-floor AP group.
-
10. Click on the WLAN-01_second-floor virtual AP profile name in the Profiles list or in Profile Details to display configuration parameters.
    a. Make sure Virtual AP enable is selected.
    b. For VLAN, select 61.
    c. Click Apply.
-
Performing Advanced Configuration Options for 802.1X
This section describes advanced configuration options for 802.1X authentication.

Configuring Reauthentication with Unicast Key Rotation
When enabled, unicast and multicast keys are updated after each reauthorization. It is a best practice to configure the time intervals for reauthentication, multicast key rotation, and unicast key rotation to be at least 15 minutes.
-
Chapter 15 Stateful and WISPr Authentication

ArubaOS supports stateful 802.1x authentication, stateful NTLM authentication and authentication for Wireless Internet Service Provider roaming (WISPr). Stateful authentication differs from 802.
-
profile. Dell’s stateful NTLM authentication does not support placing users in various roles based upon group membership or other role-derivation attributes.

Working With WISPr Authentication
WISPr authentication allows a “smart client” to authenticate on the network when it roams between Wireless Internet Service Providers, even if the wireless hotspot uses an ISP for which the client may not have an account.
-
In the WebUI
To configure the Stateful 802.1x Authentication profile via the WebUI:
1. Navigate to the Configuration > Security > Authentication > L2 Authentication window.
2. In the Profiles list, select Stateful 802.1x Authentication Profile.
3. Click the Default Role drop-down list, and select the role assigned to stateful 802.1x authenticated users.
4. Specify the timeout period for authentication requests, from 1-20 seconds. The default value is 10 seconds.
5.
-
2. In the Profiles list, expand the Stateful NTLM Authentication Profile.
3. To define settings for an existing profile, click that profile name in the profiles list. To create and define settings for a new Stateful NTLM Authentication profile, select an existing profile, then click the Save As button in the right window pane. Enter a name for the new profile in the entry field at the top of the right window pane.
4.
-
2. In the Profiles list, expand the Stateful Kerberos Authentication Profile.
3. To define settings for an existing profile, click that profile name in the profiles list. To create and define settings for a new Stateful Kerberos Authentication profile, select an existing profile, then click the Save As button in the right window pane. Enter a name for the new profile in the entry field at the top of the right window pane.
4.
-
2. In the Profiles list, expand the WISPr Authentication Profile.
3. To define settings for an existing profile, click that profile name in the profiles list. To create and define settings for a new WISPr Authentication profile, select an existing profile, then click the Save As button in the right window pane. Enter a name for the new profile in the entry field at the top of the right window pane.
4.
-
  key qwERtyuIOp
  enable
  nas-identifier corp_venue1
!
(host)(config)# aaa server-group group
  auth-server
!
(host)(config)# aaa authentication wispr
  default-role
  logon-wait {cpu-threshold|maximum-delay|minimum-delay}
  server-group
  wispr-location-id-ac
  wispr-location-id-cc
  wispr-location-id-isocc
  wispr-location-id-network
  wispr-location-name-location
-
Chapter 16 Certificate Revocation

The Certificate Revocation feature enables the ArubaOS controller to perform real-time certificate revocation checks using the Online Certificate Status Protocol (OCSP) or traditional certificate validation using the Certificate Revocation List (CRL) client.
-
The OCSP responder on the controller is accessible over HTTP port 8084. This port is not configurable by the administrator. Although the OCSP responder accepts signed OCSP requests, it does not attempt to verify the signature before processing the request. Therefore, even unsigned OCSP requests are supported. The controller as an OCSP responder provides revocation status information to ArubaOS applications that are using CRLs.
-
Figure 67: View certificate details 8. Select the Revocation Checkpoint tab. 9. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to configure. The Revocation Checkpoint pane displays. 10. In the Revocation Check field, select ocsp from the Method 1 drop-down list as the primary check method. 11. In the OCSP URL field, enter the URL of the OCSP responder. 12.
-
In the WebUI 1. Navigate to the Configuration > Management > Certificates > Upload page. 2. Enter a name in the Certificate Name field. This name identifies the CRL certificate you are uploading. 3. Enter the certificate file name in the Certificate Filename field. Use the Browse button to enter the full pathname. 4. Select the certificate format from the Certificate Format drop-down menu. 5. Select CRL from the Certificate Type drop-down menu.
-
The OCSP signer cert is used to sign OCSP responses for this revocation checkpoint. The OCSP signer cert can be the same trusted CA as the checkpoint, a designated OCSP signer certificate issued by the same CA as the checkpoint, or some other local trusted authority. If you do not specify an OCSP signer cert, OCSP responses are signed using the global OCSP signer certificate. If that is not present either, an error message is sent to clients instead of a signed response.
-
Chapter 17 Captive Portal Authentication Captive portal is one of the methods of authentication supported by ArubaOS. A captive portal presents a web page which requires user action before network access is granted. The required action can be simply viewing and agreeing to an acceptable use policy, or entering a user ID and password which must be validated against a database of authorized users.
-
Policy Enforcement Firewall Next Generation (PEFNG) License You can use captive portal with or without the PEFNG license installed in the controller. The PEFNG license provides identity-based security to wired and wireless clients through user roles and firewall rules. You must purchase and install the PEFNG license on the controller to use identity-based security features.
-
implicit user role or its rules. Upon authentication, captive portal clients are allowed full access to their assigned VLAN. NOTE: The WLAN Wizard within the ArubaOS WebUI allows for basic captive portal configuration for WLANs associated with the “default” ap-group: Configuration > Wizards > WLAN Wizard. Follow the steps in the workflow pane within the wizard and refer to the help tab for assistance. What follows are the tasks for configuring captive portal in the base ArubaOS.
-
2. To specify authentication servers, select Server Group under the captive portal authentication profile you just configured. a. Select the server group (for example, cp-srv) from the drop-down menu. b. Click Apply. 3. Select the AAA Profiles tab. a. In the AAA Profiles Summary, click Add to add a new profile. Enter the name of the profile (for example, aaa_c-portal), then click Add. b. Select the AAA profile you just created. c.
-
Using Captive Portal with a PEFNG License The PEFNG license provides identity-based security for wired and wireless users. There are two user roles that are important for captive portal:
- Default user role, which you specify in the captive portal authentication profile, is the role granted to clients upon captive portal authentication. This can be the predefined guest system role.
-
The following sections present the WebUI and Command Line (CLI) procedures for configuring the captive portal authentication profile, initial user role, the AAA profile, and the virtual AP profile. Other chapters within this document detail the configuration of the user roles and policies, authentication servers, and server groups. Configuring Captive Portal in the WebUI To configure captive portal with PEFNG license via the WebUI: 1.
-
10. Click on the new virtual AP name in the Profiles list or in Profile Details to display configuration parameters. a. Make sure Virtual AP enable is selected. b. For VLAN, select the VLAN to which users are assigned (for example, 20). c. Click Apply.
-
- Allows DHCP exchanges between the user and the DHCP server during business hours while blocking other users from responding to DHCP requests.
- Allows ICMP exchanges between the user and the controller during business hours.
block-internal-access is a policy that you create that denies user access to the internal networks. NOTE: The guest-logon user role configuration needs to include the name of the captive portal authentication profile instance.
-
3. For Policy Name, enter guest-logon-access. 4. For Policy Type, select IPv4 Session. 5. Under Rules, select Add to add rules for the policy. a. Under Source, select user. b. Under Destination, select any. c. Under Service, select udp. Enter 68. d. Under Action, select drop. e. Click Add. 6. Under Rules, click Add. a. Under Source, select any. b. Under Destination, select any. c. Under Service, select service. Select svc-dhcp. d. Under Action, select permit. e. Under Time Range, select working-hours. f.
-
5. Under Rules, select Add to add rules for the policy. a. Under Source, select user. b. Under Destination, select any. c. Under Service, select udp. Enter 68. d. Under Action, select drop. e. Click Add. 6. Under Rules, click Add. a. Under Source, select any. b. Under Destination, select any. c. Under Service, select service. Select svc-dhcp. d. Under Action, select permit. e. Under Time Range, select working-hours. f. Click Add. 7. Under Rules, click Add. a. Under Source, select user. b.
-
5. Under Rules, select Add to add rules for the policy. a. Under Source, select user. b. Under Destination, select alias. NOTE: The following step defines an alias representing all internal network addresses. Once defined, you can use the alias for other rules and policies. c. Under the alias selection, click New. For Destination Name, enter “Internal Network”. Click Add to add a rule. For Rule Type, select network. For IP Address, enter 10.0.0.0. For Network Mask/Range, enter 255.0.0.0.
-
10. Under Firewall Policies, click Add. 11. For Choose from Configured Policies, select block-internal-access from the drop-down menu. 12. Click Done. 13. Click Apply. Creating an Auth-Guest Role To create the auth-guest role via the WebUI: 1. Navigate to the Configuration > Security > Access Control > User Roles page. 2. Click Add. 3. For Role Name, enter auth-guest. 4. Under Firewall Policies, click Add. 5. For Choose from Configured Policies, select cplogout from the drop-down menu. 6. Click Done. 7.
-
Creating a Guest-Logon-Access Policy

To create a guest-logon-access policy via the command-line interface, access the CLI in config mode and issue the following commands:

(host)(config) #ip access-list session guest-logon-access
   user any udp 68 deny
   any any svc-dhcp permit time-range working-hours
   user alias "Public DNS" svc-dns src-nat time-range working-hours

Creating an Auth-Guest-Access Policy

To create an auth-guest-access policy via the command-line interface, access the CLI in config mode and issue
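The policies and roles from the WebUI steps above, collected into one CLI listing as an added example that is not from the guide: the "Internal Network" alias and the block-internal-access policy, the guest-logon-access and auth-guest-access policies, and the guest-logon and auth-guest roles. Two things are assumed because the page does not show them: the "Public DNS" alias is given a placeholder host address, and the last two auth-guest-access rules (HTTP and HTTPS with src-nat during working hours) complete a rule list that is cut off on this page. Lines beginning with ! are separators and notes, as in the guide's own CLI listings, and are not typed.

```text
! Added example, not the guide's own listing.
! Alias for all internal addresses (from the WebUI steps: 10.0.0.0/255.0.0.0).
netdestination "Internal Network"
  network 10.0.0.0 255.0.0.0
!
! ASSUMPTION: the guide does not list the public resolver; placeholder address.
netdestination "Public DNS"
  host 192.0.2.53
!
! Pre-authentication policy: obtain a lease, resolve names, nothing else.
ip access-list session guest-logon-access
  user any udp 68 deny
  any any svc-dhcp permit time-range working-hours
  user alias "Public DNS" svc-dns src-nat time-range working-hours
!
! Post-authentication policy. The last two rules are ASSUMED; the page's
! rule list for this policy is cut off after the DHCP rules.
ip access-list session auth-guest-access
  user any udp 68 deny
  any any svc-dhcp permit time-range working-hours
  user alias "Public DNS" svc-dns src-nat time-range working-hours
  user any svc-http src-nat time-range working-hours
  user any svc-https src-nat time-range working-hours
!
! Deny everything toward the internal networks.
ip access-list session block-internal-access
  user alias "Internal Network" any deny
!
! Initial role: references the captive portal profile (guestnet) as the
! NOTE above requires; logon-control and captiveportal are predefined.
user-role guest-logon
  captive-portal guestnet
  access-list session logon-control
  access-list session captiveportal
  access-list session guest-logon-access
  access-list session block-internal-access
!
! Role granted after captive portal authentication; cplogout is predefined.
user-role auth-guest
  access-list session cplogout
  access-list session guest-logon-access
  access-list session block-internal-access
  access-list session auth-guest-access
```

Order matters in both places: each session ACL is evaluated top down and the first matching rule wins, and the policies attached to a role are evaluated in the order listed. The udp 68 deny must precede the svc-dhcp permit so a guest can obtain a lease but cannot answer other clients' DHCP requests, and block-internal-access must sit before auth-guest-access in the auth-guest role so internal destinations are denied before the src-nat permits apply. Use show rights auth-guest (and show rights guest-logon) to confirm the effective rule order after applying.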
-
In the WebUI 1. Navigate to the Configuration > Network > VLANs page. a. Click Add. b. For VLAN ID, enter 900. c. Click Apply. 2. Navigate to the Configuration > Network > IP > IP Interfaces page. a. Click Edit for VLAN 900. b. For IP Address, enter 192.168.200.20. c. For Net Mask, enter 255.255.255.0. d. Click Apply. 3. Click the DHCP Server tab. a. Select Enable DHCP Server. b. Click Add under Pool Configuration. c. For Pool Name, enter guestpool. d. For Default Router, enter 192.168.200.20. e.
-
f. Click Apply. 2. Select Server Group under the guestnet captive portal authentication profile you just created. a. Select internal from the Server Group drop-down menu. b. Click Apply.
-
Configuring the WLAN In this section, you create the guestnet virtual AP profile for the WLAN. The guestnet virtual AP profile contains the SSID profile guestnet (which configures opensystem for the SSID) and the AAA profile guestnet. To configure the guest WLAN via the WebUI: 1. Navigate to the Configuration > Wireless > AP Configuration page. 2. Select either AP Group or AP Specific tab. Click Edit for the AP group or AP name. 3.
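The guest WLAN from the WebUI steps in this chapter, written out in CLI form as an added example that is not from the guide: VLAN 900 with its interface address and DHCP pool, the guestnet captive portal authentication profile pointing at the internal server group, the guestnet AAA profile with guest-logon as its initial role, the open-system SSID profile, the guestnet virtual AP, and its assignment to the default AP group. The DNS server handed out by the pool and the ESSID string are assumptions; the page does not specify them. Lines beginning with ! are separators and notes, as in the guide's own CLI listings, and are not typed.

```text
! Added example, not the guide's own listing.
! Guest VLAN and the controller's address on it.
vlan 900
!
interface vlan 900
  ip address 192.168.200.20 255.255.255.0
!
! DHCP pool for guests; the controller is the default router.
! ASSUMPTION: the dns-server address is a placeholder, not from the page.
ip dhcp pool guestpool
  default-router 192.168.200.20
  network 192.168.200.0 255.255.255.0
  dns-server 192.0.2.53
!
service dhcp
!
! Captive portal profile: guests authenticate against the internal database
! and land in auth-guest on success.
aaa authentication captive-portal guestnet
  default-role auth-guest
  server-group internal
!
! AAA profile: every new association starts in guest-logon.
aaa profile guestnet
  initial-role guest-logon
!
! Open SSID; the captive portal roles are the only access control.
! ASSUMPTION: the ESSID string is not given on the page.
wlan ssid-profile guestnet
  essid guestnet
  opmode opensystem
!
wlan virtual-ap guestnet
  vap-enable
  vlan 900
  ssid-profile guestnet
  aaa-profile guestnet
!
ap-group default
  virtual-ap guestnet
```

Because the SSID is open, the two roles are the whole security model of this network: a client holds guest-logon, with only DHCP, DNS and the portal reachable, until it authenticates, and is then moved to auth-guest, the default-role of the captive portal profile. show user-table lists each guest with its current role, which is the quickest way to confirm that the transition happens and that unauthenticated clients never hold auth-guest.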
-
Configuring Captive Portal Configuration Parameters Table 68 describes configuration parameters on the WebUI Captive Portal Authentication profile page. NOTE: In the CLI, you configure these options with the aaa authentication captive-portal commands. Table 68: Captive Portal Authentication Profile Parameters Parameter Description Black List Name of an existing black list on an IPv4 or IPv6 network destination. The black list contains websites (unauthenticated) that a guest cannot access.
-
Parameter Description server group Name of the group of servers used to authenticate Captive Portal users. Show FQDN Allows the user to see and select the fully-qualified domain name (FQDN) on the login page. The FQDNs shown are specified when configuring individual servers for the server group used with captive portal authentication. Default: Disabled Show Acceptable Use Policy Page Show the acceptable use policy page before the logon page.
-
l "Redirecting Clients on Different VLANs" on page 253 l "Web Client Configuration with Proxy Script" on page 254 Uploading Captive Portal Pages by SSID Association You can upload custom login pages for captive portal into the controller through the WebUI (refer to "Creating and Installing an Internal Captive Portal" on page 256). The SSID to which the client associates determines the captive portal login page displayed.
-
1. Edit the captive portal authentication profile by navigating to the Configuration > Security > Authentication > L3 Authentication page. a. Enable (select) “Use HTTP for authentication”. b. Click Apply. 2. (For captive portal with role-based access only) Edit the captiveportal policy by navigating to the Configuration > Security > Access Control > Policies page. a. Delete the rule for “user mswitch svc-https dst-nat”. b.
-
2. For captive portal with role-based access, edit the captiveportal policy by navigating to the Configuration > Security > Access Control > Policies page. 3. Add a new rule with the following values: a. Source is user b. Destination is any c. Service is TCP d. Port is the TCP port on the proxy server e. Action is dst-nat f. IP address is the IP address of the proxy port g. Port is the port on the proxy server 4. Click Add to add the rule.
-
Web Client Configuration with Proxy Script If the web client proxy configuration is distributed through a proxy script (a .pac file), you need to configure the captiveportal policy to allow the client to download the file. Note that in order to modify the captiveportal policy, you must have the PEFNG license installed in the controller. To allow clients to download the proxy script via the WebUI: 1. Edit the captiveportal policy by navigating to the Configuration > Security > Access Control > Policies page. 2.
-
2. To customize the page background: a. Select the YOUR CUSTOM BACKGROUND page. b. Under Additional options, enter the location of the JPEG image in the Upload your own custom background field. c. Set the background color in the Custom page background color field. The color code must be a hexadecimal value in the format #hhhhhh. d. To view the page background changes, click Submit at the bottom of the page and then click the View CaptivePortal link.
-
4. To customize the text under the Acceptable Use Policy: a. Enter the policy information in the Policy Text text box. Use this only in the case of guest logon. b. To view the use policy information changes, click Submit at the bottom of the page and then click the View CaptivePortal link. The User Agreement Policy page appears. The text you entered appears in the Acceptable Use Policy text box. c. Click Accept. This displays the Captive Portal page as it will be seen by users.
-
Table 70: Web Page Authentication Variables

Variable   Description
user       (Required)
password   (Required)
FQDN       The fully-qualified domain name (this depends on the controller setting and is supported only in Global Catalog Servers software).

The form can use either the "get" or the "post" method, but the "post" method is recommended, since with "get" the user name and password are carried in the URL. The form's action must absolutely or relatively reference https:///auth/index.html/u.
-
Basic HTML Example
You can find a more advanced example simply by using your browser’s "view-source" function while viewing the default captive portal page.
-
function createCookie(name, value, days) {
    // Optional expiry: a positive number of days gives a persistent cookie,
    // otherwise the browser keeps the cookie only for the session.
    var expires = "";
    if (days) {
        var date = new Date();
        date.setTime(date.getTime() + (days * 24 * 60 * 60 * 1000));
        expires = "; expires=" + date.toGMTString();
    }
    document.cookie = name + "=" + value + expires + "; path=/";
}

// The controller reports a failed login by sending the browser back to
// this page with errmsg=<text> in the query string; extract that value.
var q = window.location.search;
var errmsg = null;
if (q && q.length > 1) {
    q = q.substring(1).split(/[=&]/);
    for (var i = 0; i + 1 < q.length; i += 2) {
        if (q[i] == "errmsg") {
            errmsg = decodeURIComponent(q[i + 1].replace(/\+/g, " "));
            break;
        }
    }
}
-
Repeat steps 1 and 2 until you are satisfied with your page. 3. Once you have a page you find acceptable, click on View Captive Portal one more time to display your login page. From your browser, choose "View->Source" or its equivalent. Your system will display the HTML source for the captive portal page. Save this source as a file on your local system. 4. Open the file that you saved in step 3 on page 260, using a standard text editor, and make the following changes: a. Fix the character set.
-
When the controller detects an error situation, it passes the user's page a variable called "errmsg" whose value is the error text in English. Currently, only "Authentication Failed" is supported as a valid error message. To localize the authentication failure message, replace the following text (it is just a few lines below the tag) with the script below.
-
To make any adjustments to your page, edit your file locally and re-upload it to the controller to view the page again. 6. Finally, it is possible to customize the welcome page on the controller; however, for language localization it is recommended to use an "external welcome page" instead. This can be a web site on an external server, or it can be a static page that is uploaded to the controller. You set the welcome page in the captive portal authentication profile.
-
An example that creates the same page as displayed in Figure 72 is shown below. The highlighted part redirects the user to the web page you originally set up. For this to work, follow the procedure described above in this document.