Dell PowerConnect W-Series Instant Access Point 6.2.0.0-3.2.0.
Copyright © 2013 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Chapter 1
About This Guide

Dell PowerConnect W-Instant Access Point Overview
Thank you for choosing Dell PowerConnect W-Instant Access Point 6.2.0.0-3.2.0.0. Dell PowerConnect W-Instant Access Point virtualizes Dell PowerConnect W-Series Mobility Controller capabilities on 802.11n access points (APs), creating a feature-rich enterprise-grade wireless LAN (WLAN) that combines affordability and configuration simplicity.
Intended Audience
This guide is intended for customers who configure and use Dell W-Instant.

Conventions
The following conventions are used throughout this manual to emphasize important concepts:

Table 1 - Conventions
Type Style: Italics
Description: This style is used to emphasize important terms and provide cross-references to other books.
Chapter 2
Initial Configuration

This section provides information required to set up Dell W-Instant and access the Dell W-Series Instant User Interface.

Initial Setup
This section provides a pre-installation checklist and describes the initial procedures required to set up Dell W-Instant.

Pre-Installation Checklist
Before installing the Instant Access Point (W-IAP), make sure that you have the following:
- Ethernet cable of required length to connect the W-IAP to the home router.
2. "Assigning an IP Address to the W-IAP" on page 18
3. "Connecting to a Provisioning Wi-Fi Network" on page 18
4. "Log in to the Dell W-Series Instant UI" on page 21
5. "Specifying a Country Code" on page 21 — Skip this step if you are installing the W-IAP in the United States or Japan.
NOTE: Instant SSIDs are only broadcast in 2.4 GHz.
NOTE: While connecting to the provisioning Wi-Fi network, ensure that the client is not connected to any wired network.
Figure 1 - Connecting to a provisioning Wi-Fi Network — Microsoft Windows
Figure 2 - Connecting to a provisioning Wi-Fi Network — Mac OS
Disabling the Provisioning Wi-Fi Network
The provisioning network is enabled by default. Instant provides the option to disable the provisioning network in APBoot through the console. Use this option when you do not want the default SSID instant to appear in your network. To disable the provisioning network:
1. Connect a terminal or PC/workstation running a terminal emulation program to the Console port on the W-IAP.
2.
Log in to the Dell W-Series Instant UI
Launch a web browser and enter instant.dell-pcw.com. In the login screen, enter the following credentials:
- Username— admin
- Password— admin
Figure 3 - Dell W-Series Instant UI Login Screen
When you use a provisioning Wi-Fi network to connect to the Internet, all browser requests are directed to the Dell W-Series Instant UI. For example, if you enter www.example.com in the address field, you are directed to the Instant user interface.
Figure 4 - Specifying a Country Code

W-IAP Cluster
W-IAPs in the same VLAN automatically find each other and form a single functioning network managed by a Virtual Controller.
CAUTION: Moving a W-IAP from one cluster to another requires a factory reset of the W-IAP that is being moved. See "Managing W-IAPs" on page 71 for more information.
Chapter 3
Dell W-Instant User Interface

The Dell W-Series Instant User Interface (UI) provides a standard web-based interface that allows you to configure and monitor a Wi-Fi network. It is accessible through a standard web browser from a remote management console or workstation. JavaScript must be enabled on the web browser to view the Dell W-Series Instant UI. Supported browsers are:
- Internet Explorer 8.0.7601.17514 and 9.0.11
- Safari 6.0.2
- Google Chrome 23.0.1271.95
- Mozilla Firefox 17.
Banner
The banner is a horizontal grey rectangle that appears at the top left corner of the Dell W-Series Instant UI. It displays the company name, logo, and Virtual Controller's name.

Search
Administrators can search for a W-IAP, client, or a network using a simple Search window in the Dell W-Series Instant UI. As you type a word, suggested matches are automatically displayed in a dynamic list.
Access Points Tab
If the Auto Join Mode feature is enabled, a list of enabled and active W-IAPs in the Dell W-Instant network is displayed in the Access Points tab. The W-IAP names are displayed as links. If the Auto Join Mode feature is disabled, a New link appears. Click on this link to add a new W-IAP to the network. If a W-IAP is configured and not active, its MAC Address is displayed in red.
- OS— Operating system that runs on the client.
- Network— The network to which the client is connected.
- Access Point— W-IAP to which the client is connected.
- Channel— The client operating channel.
- Type— Wi-Fi type of the client: A, G, AN, or GN.
- Role— Role assigned to the client.
- Signal— Signal strength of the client, as detected by the AP.
- Speed (mbps)— Current PHY rate.
New Version Available
This link appears in the top right corner of Dell W-Series Instant UI only if a new image version is available on the image server and Dell PowerConnect W-AirWave is not configured. For more information about the New version available link and its functions, see "Firmware Image Server in Cloud Network" on page 86.

Settings
This link displays the Settings window.
location reports are sent), a shared secret key, and the frequency at which packets are sent to the server.
- Aeroscout— Enable this option to send the RFID tag information to an AeroScout RTLS. Specify the IP address and port number of the AeroScout server, to which location reports should be sent.
- Include unassociated stations— Enable this option to send mobile unit reports to the Aeroscout and the Dell RTLS servers for the client stations that are not associated to any W-IAP (unassociated stations).
Content Filtering is enabled for a network, the domain names that do not match the names in the list are sent to OpenDNS server.
- Walled Garden— The Walled Garden directs the user’s navigation within particular areas to allow access to a selection of websites and/or prevent access to other websites. For more information, see "Walled Garden Access" on page 134.
- Syslog— View or specify a Syslog Server for sending syslog messages to the external servers.
PEF
This link displays the following features.
Figure 12 - PEF
- Authentication Servers— Use this window to configure an external RADIUS server for a wireless network. See "802.1X Authentication" on page 111 for more information.
- Users for Internal Server— Use this window to populate the system’s internal authentication server with users. This list is used by networks for which per-user authorization is specified using the Virtual Controller’s internal authentication server.
Figure 13 - WIP - Default View

VPN
Use this window to define how the W-IAP communicates with the remote controller. See "VPN Configuration" on page 261 for more information.
Figure 14 - VPN - Default View

Wired
Specify the desired profile for each port of the W-IAP. See "Ethernet Downlink" on page 187 for more information.
Maintenance
This link displays the Maintenance window. The Maintenance window allows you to maintain the Wi-Fi network. It consists of the following tabs:
- About— Displays the Build Time, W-IAP model name, Dell OS version, Web address of Dell Networks, and Copyright information.
- Configuration— Displays the current configuration of the network.
  - Clear Configuration— Click to delete or clear the current configuration of the network and reset to provisioning configuration.
Figure 15 - Help Link
2. Click any text or term displayed in green italics to view its description or definition.
3. To disable the help mode, click Done.

Logout
Use this link to log out of the Dell W-Series Instant UI.

Monitoring
This link displays the Monitoring pane. This pane can be used to monitor the Dell W-Instant network. Use the down arrow located to the right side of these links to compress or expand the monitoring pane.
RF Dashboard
Allows you to view trouble spots in the network.
Figure 18 - RF Dashboard in the Monitoring Pane
The RF Dashboard displays the following information:
- Clients— Lists the clients with low speed or signal strength in the network.
- Access Points— Lists the W-IAPs whose utilization, noise, or errors are not within the specified threshold. The W-IAP names appear as links.
Icon / Name / Description
- Green— Utilization is less than 50 percent.
- Orange— Utilization is between 50-75 percent.
- Red— Utilization is more than 75 percent.
To view the utilization graph of a W-IAP, click on the Utilization icon against the W-IAP in the Utilization column.
Noise icon: Displays the noise floor of the W-IAPs. Noise is measured in decibels/meter. Depending on the noise floor, the color of the lines on the Noise icon changes from Green > Orange > Red.
Figure 19 - Usage Trends Section in the Monitoring Pane
For more information about the graphs and monitoring procedures, see "Monitoring" on page 229.

Spectrum
The spectrum link (in the Access Point view) displays the spectrum data that is collected by a hybrid AP or by a W-IAP that has enabled spectrum monitor. The spectrum data is not reported to the VC.
Channel Details
When you move your mouse over a channel, the channel details or the summary of the 5 GHz and 2.4 GHz channels as detected by a spectrum monitor are displayed. You can view the aggregate data for each channel seen by the spectrum monitor radio, including the maximum AP power, interference and the Signal-to-Noise and Interference Ratio (SNIR).
Figure 23 - Client Alerts

Fault History
These alerts occur in the event of a system fault. A Fault History consists of the following fields:
- Time— Displays the system time when an event occurs.
- Number— Indicates the sequence number.
- Cleared by— Displays the module which cleared this fault.
- Description— Displays the event details.
Figure 24 - Fault History

Active Faults
These alerts occur in the event of a system fault.
IDS
This link displays a list of foreign APs and foreign clients that are detected in the network. It consists of the following sections:
- Foreign Access Points Detected— Lists the APs that are not controlled by the Virtual Controller. The following information is displayed for each foreign AP:
  - MAC address— Displays the MAC address of the foreign AP.
  - Network— Displays the name of the network to which the foreign AP is connected.
Figure 27 - Configuration Link

AirGroup
This link provides an overall view of your AirGroup configuration. Click on each of the features to view or edit the settings.
Figure 28 - AirGroup Link
- MAC— Displays the MAC address of the AirGroup servers.
- IP— Displays the IP address of the AirGroup servers.
- Host Name— Displays the machine name or hostname of the AirGroup servers.
- Service— Displays the type of the services such as AirPlay or AirPrint.
PowerConnect W-AirWave. The Settings window appears with Admin tab selected. For information about configuring Dell PowerConnect W-AirWave, see "Configuring Dell PowerConnect W-AirWave" on page 207.
Figure 29 - Dell PowerConnect W-AirWave Setup Link – Dell PowerConnect W-AirWave Configuration

Pause/Resume
The Pause/Resume link is located at the bottom right corner of the Dell W-Series Instant UI. The Dell W-Series Instant UI is automatically refreshed every 15 seconds by default.
Clients tab. Click the IP address of the client that you want to monitor. Client view for that client appears. For more information on the graphs and the views, see "Monitoring" on page 229.
Chapter 4
Wireless Network

In a Wireless LAN (WLAN), laptops, desktops, PDAs, and other computer peripherals are connected to each other without any network cables. These network elements or clients use radio signals to communicate with each other. Wireless networks are set up based on the IEEE 802.11 standards. The IEEE 802.11 is a set of standards that are categorized based on the radio wave frequency and the data transfer rate. For more information about the IEEE 802.11 standards, see Table 4.
Employee Network
An Employee network is a classic Wi-Fi network. This network type is supported with full customization on Dell W-Instant. It is used by the employees in the organization. Passphrase-based or 802.1X-based authentication methods are supported on this network type. Employees can access the protected data of an enterprise through the employee network after successful authentication.

Adding an Employee Network
This section provides the procedure to add an employee network.
1.
Mbps for 5.0 GHz bands. Multicast traffic can be sent at up to 24 Mbps when this option is enabled. This option is disabled by default.
- Dynamic multicast optimization— When Enabled, the W-IAP converts multicast streams into unicast streams over the wireless link. DMO enhances the quality and reliability of streaming video, while preserving the bandwidth available to non-video clients.
Figure 31 - Adding an Employee Network— VLAN Tab
5. Select the required Client IP assignment option — Virtual Controller assigned or Network assigned.

Table 5 - Conditions for Client IP and VLAN assignment
If you select: Virtual Controller assigned
then: The client obtains the IP address from the Virtual Controller. The Virtual Controller creates a private subnet and VLAN on the W-IAP for the wireless clients. The Virtual Controller NATs all traffic that passes out of this interface.
7. Set the appropriate security levels using the slider in the Security tab. The default level is Personal. The available options are Enterprise, Personal, and Open, which are described in the following tables.
Figure 32 - Employee Security Tab— Enterprise

Table 6 - Conditions for Adding an Employee Network— Security Tab
If: You select the Enterprise security level
then: Perform the following steps:
1. Select the required key options from the Key management drop-down list.
external RADIUS server has to be configured to authenticate the users. For information on configuring an external RADIUS server, see "Authentication" on page 111.
- InternalServer— If you select this option, users who are required to authenticate with the internal RADIUS server must be added. Click the Users link to add the users. For information on adding a user, see "Adding a User" on page 269.
If: You want to use the default security level, Personal
Key management drop-down list. Available options are:
- WPA-2 Personal
- WPA Personal
- Both (WPA-2 & WPA)
- Static WEP— If you have selected Static WEP, do the following:
  - Select appropriate WEP key size from the WEP key size drop-down list. Available options are 64-bit and 128-bit.
  - Select appropriate Tx key from the Tx Key drop-down list. Available options are 1, 2, 3, and 4.
  - Enter an appropriate WEP key and reconfirm.
blacklisting of the clients with a specific number of authentication failures.
10. Max authentication failures— Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10.
11. Internal server— If you select this option, users who are required to authenticate with the internal RADIUS server must be added. Click the Users link to add the users. For information on adding a user, see "Adding a User" on page 269.
page 133 for further details.
2. Authentication server 1— Select the required Authentication server option from the drop-down list. Available options are:
   - New— If you select this option, an external RADIUS server has to be configured to authenticate the users. For information on configuring an external RADIUS server, see "Authentication" on page 111.
3. Reauth interval— When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
Figure 34 - Employee Security Tab— Open
10. Click Next to continue.
11. Use the Access Rules page to specify optional access rules for this network.
12. Network-based— Set the slider to Network-based if you want the same rules to apply to all users. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. W-Instant Firewall handles each packet according to the first rule that it matches. For more information, see "Instant Firewall" on page 155.
Figure 35 - Adding an Employee Network— Access Rules Tab
14. Click Finish. The network is added and listed in the Networks tab.

Voice Network
Use the Voice network type when devices that provide only voice services, such as handsets, or applications that require voice-like prioritization need connectivity.

Adding a Voice Network
This section provides the procedure to add a voice network.
1. In the Networks tab, click the New link. The New WLAN window appears.
   b. Primary usage— Select Voice from the Primary usage options. This selection determines whether the network is primarily intended to be used for employee data, guest data, or voice traffic.
3. Click the Show advanced options link and perform the following steps.
   a. Broadcast/Multicast
      - Broadcast filtering— When set to All, the W-IAP drops all broadcast and multicast frames except for DHCP and ARP.
- Hide SSID— Select this check box if you do not want the SSID (network name) to be visible to users.
NOTE: The Airtime Fairness and Bandwidth limits do not apply for voice traffic.
4. Click Next to continue.
5. Select the required Client IP assignment option— Virtual Controller assigned and Network assigned.

Table 8 - Conditions for Client IP and VLAN Assignment
If you select: Virtual Controller assigned
then: The client obtains the IP address from the Virtual Controller.
Figure 37 - Voice Security Tab— Enterprise

Table 9 - Conditions for Adding a Voice Network— Security Tab
If: You select the Enterprise security level
then: Perform the following steps:
1. Select the required key options from the Key management drop-down list. Available options are:
   - WPA-2 Enterprise
   - WPA Enterprise
   - Both (WPA-2 & WPA)
   - Dynamic WEP with 802.1X
   - Use Session Key for LEAP: Use the Session Key for LEAP instead of using Session Key from the RADIUS Server to derive pairwise unicast keys.
information on configuring an external RADIUS server, see "Authentication" on page 111.
4. Reauth interval— When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
5. Blacklisting— Select Enabled to enable blacklisting of the clients with a specific number of authentication failures.
6. Max authentication failures— Users who fail to authenticate the number of times specified here are dynamically blacklisted.
the drop-down list. Available options are:
   - New— If you select this option, then an external RADIUS server has to be configured to authenticate the users. For information on configuring an external RADIUS server, see "Authentication" on page 111.
7. Reauth interval— When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
8.
RADIUS server, see "Authentication" on page 111.
3. Reauth interval— When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
4. Accounting— When enabled, the Access Points post accounting information as RADIUS START and RADIUS STOP accounting records to the RADIUS server.
5.
   - Role-based— Select Role-based if you want to specify per-user access rules. See "Creating a New User Role" on page 145 for more information.
   - Unrestricted— Select this to set no restrictions on access based on destination or type of traffic.
Figure 38 - Adding a Voice Network— Access Rules Tab
12. Click Finish. The network is added and listed in the Networks tab.
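The Access Rules step of the network wizards states that the firewall acts on the first rule a packet matches and that an Allow any to all destinations rule is present by default, so rule order decides the outcome. The following is an added example, not code from this guide or from the product: a small Python model of first-match evaluation with a check for rules that can never fire. The Rule fields, function names, addresses and the FTP scenario are constructed for illustration, and the "no-match" result is an assumption because the guide does not say what happens when no rule matches.

```python
"""First-match access-rule evaluation (added example, not Dell or Aruba code).

Rule fields and function names are hypothetical; all addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    protocol: str        # "tcp", "udp" or "any"
    port: Optional[int]  # None matches every port
    destination: str     # CIDR; "0.0.0.0/0" means all destinations

    def matches(self, protocol: str, port: int, dst: str) -> bool:
        """True when a packet with these properties hits this rule."""
        return (
            self.protocol in ("any", protocol)
            and self.port in (None, port)
            and ip_address(dst) in ip_network(self.destination)
        )

    def covers(self, other: "Rule") -> bool:
        """True when every packet matched by `other` is also matched by self."""
        return (
            self.protocol in ("any", other.protocol)
            and (self.port is None or self.port == other.port)
            and ip_network(other.destination).subnet_of(
                ip_network(self.destination)
            )
        )


def evaluate(rules: Sequence[Rule], protocol: str, port: int,
             dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first matching rule, top to bottom."""
    for index, rule in enumerate(rules):
        if rule.matches(protocol, port, dst):
            return rule.action, index
    # Assumption: the guide does not describe the no-match case.
    return "no-match", None


def shadowed_rules(rules: Sequence[Rule]) -> List[Tuple[int, int]]:
    """List (rule_index, covering_index) for rules an earlier rule hides."""
    findings = []
    for later in range(1, len(rules)):
        for earlier in range(later):
            if rules[earlier].covers(rules[later]):
                findings.append((later, earlier))
                break
    return findings


# Constructed scenario: FTP is permitted to one server only.
ALLOW_FTP_TO_SERVER = Rule("allow", "tcp", 21, "10.1.1.5/32")
DENY_FTP = Rule("deny", "tcp", 21, "0.0.0.0/0")
ALLOW_ANY = Rule("allow", "any", None, "0.0.0.0/0")  # the default rule

INTENDED = [ALLOW_FTP_TO_SERVER, DENY_FTP, ALLOW_ANY]
MISORDERED = [ALLOW_ANY, ALLOW_FTP_TO_SERVER, DENY_FTP]

if __name__ == "__main__":
    for name, rules in (("intended", INTENDED), ("misordered", MISORDERED)):
        print(name, "FTP to other host:",
              evaluate(rules, "tcp", 21, "192.0.2.10"))
        print(name, "shadowed rules:", shadowed_rules(rules))
```

With the default allow rule left at the top, the deny rule is reported as shadowed and FTP to any host is allowed, which is the ordering mistake this check is meant to catch during a rule review.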
Figure 39 - Adding a Guest Network— WLAN Settings Tab
1. In the Networks tab, click the New link. The WLAN Settings window appears.
2. In the WLAN Settings tab, perform the following steps:
   a. Name (SSID)— Enter a name that uniquely identifies a wireless network.
   b. Primary usage— Select Guest from the Primary usage options. This selection determines whether the network is primarily intended to be used for employee data, guest data, or voice traffic.
3.
If the threshold value exceeds the maximum value, then the W-IAP sends multicast traffic over the wireless link.
   b. Bandwidth Limits— You can specify three types of bandwidth limits.
      - Airtime— Indicates the aggregate amount of airtime that all clients on this Network can use to send/receive data.
      - Each user— Indicates the throughput for any single user on this Network. The throughput value is specified in kbps.
NOTE: Select the Static option in Client VLAN assignment section to configure VLAN pooling. See "VLAN Pooling" on page 69 for additional details.
6. Click Next to continue.
7. This tab allows you to configure the captive portal page and encryption for the Guest network.
Splash Page Type / Description and steps to set up
6. Click Upload Certificate and browse to upload a certificate file for the internal server. See "Certificates" on page 138 for more information.
7. Redirect URL— Users can be redirected to a specific URL (instead of the original URL) after successful captive portal authentication. This entry is optional.
Internal — Acknowledged: The user has to accept the terms and conditions for this splash page type.
6. Reauth interval— When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
7. Accounting— When enabled, the Access Points post accounting information as RADIUS START and RADIUS STOP accounting records to the RADIUS server.
8.
blacklisted. The maximum value for this entry is 10.
4. Walled Garden— The walled garden directs the user’s navigation within particular areas to allow access to a selection of websites or prevent access to other websites. For more information, see "Walled Garden Access" on page 134.
None: Select this option if you do not want to set the captive portal authentication.
Figure 41 - Configuring a Splash Page — Encryption Settings
NOTE: You can customize the captive portal page using double-byte characters. Traditional Chinese, Simplified Chinese, and Korean are a few languages that use double-byte characters. Click on the banner, term, or policy in the Splash Page Visuals to modify the text in the red box. These fields accept double-byte characters or a combination of English and double-byte characters.
5.
Figure 42 - Adding a Guest Network — Access Rules Tab
6. Click Finish. The network is added and listed in the Networks tab.

Editing a Network
To edit a network:
1. In the Networks tab, select the network that you want to edit. The edit link appears.
2. Click the edit link. The Edit network window appears.
3. Make the required changes in any of the tabs. Click Next or the tab name to move to the next tab.
4. Click Finish.

Deleting a Network
To delete a network:
1.
Enabling the Extended SSID Option
To enable the extended SSID option:
1. Click the Settings link at the upper right corner of the Dell W-Series Instant UI.
2. Click the Show advanced options link.
3. In the General tab, select Enabled from the Extended SSID drop-down list.
4. Click OK.
5. Reboot the AP for the changes to take effect. After you enable the option and reboot, the Wi-Fi link and mesh are disabled automatically.
Chapter 5
Managing W-IAPs

This section describes the Preferred band, Auto join mode, Terminal Access, LED display, and Syslog server features in Dell W-Instant. In addition, this section provides procedures for adding and removing W-IAPs, editing the W-IAP settings, and upgrading the firmware on the W-IAP using the Dell W-Series Instant UI.

Preferred Band
At the top right corner of Dell W-Series Instant UI, click the Settings link. The Settings window appears.
1.
Figure 44 - Disabling Auto Join Mode
3. Click OK.

Terminal Access
Instant supports terminal access for diagnostic purposes only. To enable or disable SSH access to the W-IAP's CLI, navigate to Settings > Advanced > Terminal access.
NOTE: Telnet access to the CLI has been deprecated as of the 6.2.0.0-3.2.0.0 release. As of that release, when the Terminal Access option is enabled, only SSH access to the CLI will be possible.
NOTE: W-Instant does not support configuration using CLI.
Extended SSID
You can increase the number of SSIDs or networks that can be created by enabling the extended SSID option. To enable this feature, navigate to Settings > General and click Show advanced options in the Dell W-Series Instant UI.

Deny Inter User Bridging and Deny Local Routing
To enable or disable these features, navigate to Settings > General in the Dell W-Series Instant UI.
Syslog Facility Levels
Dell W-Instant supports facility-based logging levels. Syslog Facility is an information field associated with a syslog message. It is an application or operating system component that generates a log message. The following seven facilities are supported by Syslog:
- AP-Debug— Detailed log about AP device.
- Network— Log about change of network, for example, when a new W-IAP is added to a network.
Figure 46 - Adding a W-IAP to the Instant Network
2. In the New Access Point window, enter the MAC address for the new W-IAP.
Figure 47 - Entering the MAC Address for the New W-IAP
3. Click OK.

Removing a W-IAP from the Network
A W-IAP can be manually removed from the network only if the "Auto Join Mode" on page 71 feature is disabled. To manually remove a W-IAP from the network:
1. In the Access Points tab, click the W-IAP which you want to delete. An x appears against the W-IAP.
2.
Figure 48 - Editing W-IAP Settings
2. Click the edit link.
Figure 49 - Changing W-IAP Name
3. Edit the W-IAP name in the Name text box.
4. Click OK.

Changing IP Address of the W-IAP
The Dell W-Series Instant UI allows you to change the IP address of the W-IAP connected to the network. To change the IP address of the W-IAP:
1. In the Access Points tab, click the W-IAP for which you want to change the IP address. The edit link appears.
2. Click the edit link. The Edit AP window appears.
Figure 50 - Configuring W-IAP Settings — Connectivity Tab

3. Select either the Get IP address from DHCP server or Specify statically option. If you have selected the Specify statically option, then perform the following steps:
   a. Enter the new IP address for the W-IAP in the IP address text box.
   b. Enter the netmask of the network in the Netmask text box.
   c. Enter the IP address of the default gateway in the Default gateway text box.
   d. Enter the IP address of the DNS server in the DNS server text box.
   e.
Figure 51 - Configuring W-IAP Connectivity Settings — Specifying Static Settings

4. Click OK and reboot the W-IAP.

Configuring Adaptive Radio Management

Adaptive Radio Management (ARM) is enabled in Dell W-Instant by default. However, if ARM is disabled, perform the following steps to enable it.

1. In the Access Points tab, click the W-IAP for which you want to configure ARM.
2. Click the edit link. An Edit AP window appears.
3. In the Edit AP window, select the Radio tab.
4.
Figure 52 - Configuring W-IAP Radio Settings Mode — Access

5. Click OK.

For more information about ARM, see "Adaptive Radio Management" on page 169.

Configuring Uplink Management VLAN

Instant supports a management VLAN for the uplink traffic on a W-IAP. After a W-IAP is provisioned with this parameter, all management traffic sent from the W-IAP is tagged with the management VLAN. Perform the following steps to configure an uplink management VLAN on a W-IAP: 1. 2. 3. 4. 5.
Figure 53 - Configuring Wired Bridging on Ethernet 0 of a W-IAP

5. Click OK.

Enabling wired bridging on this port of the W-IAP makes the port available as a downlink wired bridge and allows client access via the port. You can also use the port to connect a wired device when a 3G uplink is used.

NOTE: Reboot the W-IAP after the bridging is set for the configuration to take effect.
reboots and comes up as a RAP. The W-IAP then establishes an IPsec connection with the controller and begins operating in RAP mode. If a W-IAP entry for the AP is present in the firmware image cloud server, the W-IAP obtains AirWave server information from the cloud server and downloads configuration from Dell PowerConnect W-AirWave to operate in W-IAP mode. If there is no response from the cloud server or Dell PowerConnect W-AirWave, the W-IAP comes up in Dell W-Instant mode.
Figure 54 - Maintenance — Convert Tab

Figure 55 - Convert options

3. Select Remote APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname (fully qualified domain name) or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. This information is provided by your network administrator.

NOTE: Ensure the Mobility Controller IP Address is reachable by the W-IAPs.

5. Click Convert Now to complete the conversion.
7. After conversion, the W-IAP is managed by the Dell PowerConnect W-Series Mobility Controller which has been specified in the Dell W-Series Instant UI.

NOTE: In order for the RAP conversion to work, ensure that you configure the W-Instant AP in the RAP white-list and enable the FTP service on the controller.

NOTE: If the VPN setup fails and an error message pops up, please click OK, copy the error logs and share them with your Dell support engineer.
Figure 58 - Standalone AP Conversion

3. Select Standalone AP from the drop-down list.
4. Select the Access Point from the drop-down list.
5. Click Convert Now to complete the conversion.
6. After the conversion the Access Point specified in the Dell W-Series Instant UI operates in standalone mode.

Converting Back to a W-IAP

The reset button located on the rear of a W-IAP can be used to reset the W-IAP to factory default settings.
Figure 59 - Rebooting the W-IAP

3. In the W-IAP list, select the W-IAP that you want to reboot and click Reboot selected Access Point. To reboot all the W-IAPs in the network, click Reboot All.
4. The Confirm Reboot for W-IAP window appears. Click Reboot Now to proceed.

Figure 60 - Confirm Reboot message

5. The Reboot in Progress message appears indicating that the reboot is in progress.

Figure 61 - Reboot In Progress
6. The Reboot Successful message appears once the process is complete. If the system fails to boot, then the Unable to contact Access Points after reboot was initiated message appears.

Figure 62 - Reboot Successful

7. Click OK to close the window and log in to the system again.

Firmware Image Server in Cloud Network

The image check feature allows the W-IAP to discover new software image versions on a cloud-based image server hosted by Dell Networks.
Automatic Firmware Image Check and Upgrade

Automatic image check is enabled by default. If Dell PowerConnect W-AirWave is configured, the automatic image check is automatically disabled; use the manual image check option to check for the latest image. For more information, see "Upgrading to New Version" on page 88, and see "Configuring Dell PowerConnect W-AirWave" on page 207 for steps on how to configure Dell PowerConnect W-AirWave.
- Upgrading — While image upgrading is in progress.
- Upgrade successful — When the upgrading is successful.
- Upgrade fail — When the upgrading fails.

Upgrading to New Version

To manually check for a new firmware image version:

Manual

1. Navigate to Maintenance > Firmware to select and manually upgrade the image file.

Figure 65 - Single class or Multi-class W-IAP Networks Firmware Upgrade
Figure 66 - Mixed W-IAP Network Firmware Upgrade

- Image file— Select to directly upload an image file. This method is only available for single-class W-IAPs.
  - Example: DellInstant_Orion_6.2.0.0-3.2.0.0_xxxx
  - Example: DellInstant_Cassiopeia_6.2.0.0-3.2.0.0_xxxx
  - Example: DellInstant_Pegasus_6.2.0.0-3.2.0.
Automatic

1. Click Check for New Version to automatically check for images on the Dell image server in the cloud. The field is replaced with the Image Check in Progress message. After the image check is completed, one of the following messages appears:
   - No new version available— If there is no new version available.
   - Image server timed out— Connection or session between the image server and the W-IAP is timed out.
   - Image server failure— If the image server does not respond.
Chapter 6
Layer-3 Mobility

W-IAPs form a single W-Instant network when they are in the same L2 domain. As the number of clients increases, multiple subnets are required to avoid broadcast overhead. In such a scenario, a client should be allowed to roam away from the W-Instant network to which it first connected (home network) to another W-Instant network supporting the same WLAN access parameters (foreign network) and continue its existing sessions.
client. If the AP has no GRE tunnel to this home network, a new tunnel is formed to an AP (home AP) from the client's home network. Each foreign AP has only one home AP per W-Instant network to avoid duplication of broadcast traffic. Separate GRE tunnels are created for each foreign AP / home AP pair. If a peer AP is a foreign AP for one client and a home AP for another, two separate GRE tunnels are used to handle L3 roaming traffic between these APs.
Figure 68 - Add Virtual Controller IP Addresses

4. Repeat Step 3 to add the IP addresses of all Virtual Controllers that form the L3 mobility domain.
5. Click New in the Subnets section and specify the following:
   a. Enter the client subnet in the IP address text box.
   b. Enter the mask in the Subnet mask text box.
   c. Enter the VLAN ID in the home network in the VLAN ID text box.
   d. Enter the home VC IP address for this subnet in the Virtual Controller IP text box.
Figure 69 - Add Subnets Information

6. Click OK.

Figure 70 - Example Layer-3 Configuration
Home Agent Load Balancing

Home Agent Load Balancing is required in large networks where multiple tunnels might terminate on a single border or lobby AP and overload it. When load balancing is enabled, the VC assigns the home AP for roamed clients by using a round robin policy. With this policy, the load for the APs acting as Home Agents for roamed clients is uniformly distributed across the W-Instant cluster. By default, home agent load balancing is disabled.
Chapter 7
Spectrum Monitor

Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent WiFi networks are all potential sources of continuous or intermittent interference.
Figure 71 - Configuring a Hybrid W-IAP

3. To enable a spectrum monitor on the 802.11g radio band, in the 2.4 GHz radio profile, select Enabled from the Background Spectrum Monitoring drop-down list.
4. To enable a spectrum monitor on the 802.11a radio band, in the 5 GHz radio profile, select Enabled from the Background Spectrum Monitoring drop-down list.
5. Click OK.

Converting a W-IAP to a Spectrum Monitor

You can configure a W-IAP to function as a standalone spectrum monitor.
Figure 72 - Configuring a Spectrum Monitor

By default, spectrum monitoring is performed on the higher band of the 5 GHz radio.

7. To enable spectrum monitoring for any other band for the 5 GHz radio:
   a. Click the RF link at the upper right corner of the Dell W-Series Instant UI.
   b. Click Show advanced options to view the Radio tab.
   c. For the 5 GHz radio, specify the spectrum band you want that radio to monitor by selecting Lower, Middle, or Higher from the Standalone spectrum band drop-down list.
   d. Click OK.
Figure 73 - Monitor Middle Band for 5 GHz Radio

Spectrum Data

The spectrum data is collected by each W-IAP spectrum monitor and hybrid AP. The spectrum data is not reported to the VC. The Spectrum link is visible in the Dell W-Series Instant UI (Access Point view) only if you have enabled the spectrum monitoring feature.
Table 14 - Device Summary and Channel Information

Column | Description
Type | Device type.
Non Wi-Fi Interferer | Description
Fixed Frequency (Cordless Phones) | Some cordless phones use a fixed frequency to transmit data (much like the fixed frequency video devices). These devices are classified as Fixed Frequency (Cordless Phones).
Fixed Frequency (Video) | Video transmitters that continuously transmit video on a single frequency are classified as Fixed Frequency (Video). These devices typically have close to a 100% duty cycle.
Non Wi-Fi Interferer | Description
example a microwave-like device that does not operate in the known operating frequencies used by microwave ovens may be classified as a Generic Interferer. Similarly, wide-band interfering devices may be classified as Generic Interferers.

Channel Metrics

The channel metrics graph displays channel quality, availability and utilization metrics as seen by a spectrum monitor or hybrid AP.
Column | Description
noise floor, and the duty cycle for non Wi-Fi devices on that channel.
Availability(%) | The percentage of the channel currently available for use.
Utilization(%) | The percentage of the channel being used.
WiFi Util(%) | The percentage of the channel currently being used by Wi-Fi devices.
Column | Description
UnKnown APs | Number of invalid or rogue APs identified on the radio channel.
Channel Util (%) | Percentage of the channel currently in use.
Max AP Signal (dBm) | Signal strength of the AP that has the maximum signal strength on a channel.
Max Interference (dBm) | Signal strength of the non Wi-Fi device that has the highest signal strength.
SNIR (db) | The ratio of signal strength to the combined levels of interference and noise on that channel.
Chapter 8
Time Management

NTP Server

For successful and proper communication between various elements in a network, time synchronization between the elements and across the network is critical. Time synchronization is used to:

- Trace and track security gaps, network usage, and troubleshoot network issues.
- Map an event on one network element to a corresponding event on another.
- Maintain accurate time for billing services and similar.
2. In the General tab, enter the IP address or the URL (domain name) of the NTP server in the NTP Server text box.
3. Select the timezone from the Timezone drop-down list. This indicates the time returned by the NTP server.

NOTE: You can enable daylight saving time on W-IAPs if the time zone you selected supports the daylight saving time. This feature ensures that the W-IAPs reflect the seasonal time changes in the region they serve.

4. Click OK.
Chapter 9
Virtual Controller

Dell W-Instant does not require an external Dell PowerConnect W-Series Mobility Controller to regulate and manage the Wi-Fi network. Instead, one W-IAP in every network assumes the role of virtual controller. It coordinates, stores, and distributes all the settings required to provide a centralized functionality to regulate and manage the Wi-Fi network. The Virtual Controller (VC) is the single point of configuration and firmware management.
Virtual Controller IP Address

You can specify a single static IP address that can be used to manage a multi-AP Dell W-Instant network. This IP address is automatically provisioned on a shadow interface on the W-IAP that takes the role of a Virtual Controller. When a W-IAP becomes a Virtual Controller, it sends three Address Resolution Protocol (ARP) messages with the static IP address and its own MAC address to update the network ARP cache.
Chapter 10
Authentication

Authentication Methods in Dell W-Instant

Authentication is a process of identifying a user by having them provide a valid username and password. Clients can also be authenticated based on their MAC addresses. The following authentication methods are supported in Dell W-Instant:

- "802.1X Authentication" on page 111
- "Captive Portal" on page 121
- "MAC Authentication" on page 133
- "MAC + 802.
Internal RADIUS Server

Each W-IAP has an instance of a FreeRADIUS server operating locally. When you enable the Internal RADIUS server option for the network, the authenticator on the W-IAP sends a RADIUS packet to the local IP address. The Internal RADIUS server listens and replies to the RADIUS packet.
- EAP-Generic Token Card (GTC)— This EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecurID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the W-IAP as a backup to an external authentication server.
- EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2)— This EAP method is widely supported by Microsoft clients.
- NAS IP address— Enter the Virtual Controller IP address. The NAS IP address is the Virtual Controller IP address that is sent in data packets.
  Note: If you do not enter the IP address, the Virtual Controller IP address is used by default when Dynamic RADIUS Proxy is enabled.
- NAS identifier— Use this to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.

LDAP Server

- Name— Enter the name of the new external RADIUS server.
8. Blacklisting— Select Enabled to enable blacklisting of the clients with a specific number of authentication failures.
   - Max authentication failures— Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10.
9. Navigate to PEF > Blacklisting in the Dell W-Series Instant UI to specify the duration of the blacklisting on the Blacklisting tab of the PEF window.
10.
- 802.1X Authentication when Dell PowerConnect W-ClearPass Policy Manager is available (refer to Figure 83)
- 802.1X Authentication using cached credentials when Dell PowerConnect W-ClearPass Policy Manager is not available (refer to Figure 82)
- 802.1X Authentication when Dell PowerConnect W-ClearPass Policy Manager is available again (refer to Figure 83)

Figure 81 depicts a process wherein the W-IAP offloads EAP method authentication to ClearPass over a remote link connection.
Figure 82 - 802.1X Authentication using cached credentials

Figure 83 depicts a situation when the CPPM link is reachable again. The W-IAP will send the RADIUS-Request message to the CPPM server directly for client authentication.

Figure 83 - 802.1X Authentication when Dell PowerConnect W-ClearPass Policy Manager is reachable again
RADIUS Server Authentication with VSA

An external RADIUS server authenticates network users and returns to the W-IAP the vendor-specific attribute (VSA) that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA.
- CHAP-Challenge
- Callback-Id
- Callback-Number
- Class
- Connect-Info
- Connect-Rate
- Crypt-Password
- DB-Entry-State
- Digest-Response
- Domain-Name
- EAP-Message
- Error-Cause
- Event-Timestamp
- Exec-Program
- Exec-Program-Wait
- Expiration
- Fall-Through
- Filter-Id
- Framed-AppleTalk-Link
- Framed-AppleTalk-Network
- Framed-AppleTalk-Zone
- Framed-Compression
- Framed-IP-Address
- Framed-IP-Netmask
- Framed-IPX-Network
- Framed-MTU
- Framed-Protocol
- Framed-Route
- Framed
- Message-Auth
- NAS-Port-Type
- Password
- Password-Retry
- Port-Limit
- Prefix
- Prompt
- Rad-Authenticator
- Rad-Code
- Rad-Id
- Rad-Length
- Reply-Message
- Revoke-Text
- Server-Group
- Server-Name
- Service-Type
- Session-Timeout
- Simultaneous-Use
- State
- Strip-User-Name
- Suffix
- Termination-Action
- Termination-Menu
- Tunnel-Assignment-Id
- Tunnel-Client-Auth-Id
- Tunnel-Client-Endpoint
- Tunnel-Connection-Id
- Tunnel-Medium-Type
- Tunnel-Preference
- Tunnel-Private-Group-Id
- Tunnel
2. Select the Admin tab.
3. In the Authentication drop-down list, select any one of the following:
   - Internal— Select to specify a single set of user credentials. Enter the Username and Password for accessing the Virtual Controller Management User Interface.
   - RADIUS Server— Specify one or two RADIUS servers to authenticate the Dell W-Series Instant UI.
- Internal Acknowledged— To gain access to the wireless network, a user must accept the terms and conditions.

Configuring Internal Captive Portal Authentication when Adding a Guest Network

To configure internal captive portal authentication when adding a guest network, perform the following steps:

1. In the Network tab, click the New link. The New WLAN window opens.
2. In the WLAN Settings tab, update the following information:
   1. Enter a name for the network in the Name (SSID) text box.
   2.
8. Select InternalServer from the Auth server 1 drop-down list to authenticate user credentials at run time.
9. Reauth interval — When set to a value greater than zero, the Access Points periodically reauthenticate all associated and authenticated clients.
10. Blacklisting — Select Enabled to enable blacklisting of the clients with a specific number of authentication failures.
11. Max authentication failures — Users who fail to authenticate the number of times specified here are dynamically blacklisted.
Figure 86 - Configuring Captive Portal when Editing a Guest Network

The appearance of a splash page can be customized as required. For information on customizing a splash page, see "Customizing a Splash Page" on page 125.

4. Click Next and click Finish.

Configuring Internal Captive Portal with External RADIUS Server Authentication when Adding a Guest Network

To configure internal captive portal with external RADIUS server authentication, perform the following steps:

1.
Figure 87 - Configuring Internal Captive Portal with External RADIUS Server Authentication

Customizing a Splash Page

A splash page is a web page that is displayed to guest users when they try to access the Internet. The appearance of a splash page can be customized as required. To customize a splash page, perform the following steps:

NOTE: The current release does not support a per-SSID splash page.
Figure 88 - Customizing a Splash Page

4. Click Next and then click Finish.

NOTE: You can customize the captive portal page using double-byte characters. Traditional Chinese, Simplified Chinese, and Korean are a few languages that use double-byte characters. Click on the banner, term, or policy in the Splash Page Visuals to modify the text in the red box. These fields accept double-byte characters or a combination of English and double-byte characters.
Figure 89 - Disabling Captive Portal Authentication

4. Click Next and then click Finish.

External Captive Portal

Dell W-Instant supports external captive portal authentication. The external portal can be on the cloud or on a server outside the enterprise network.

Configuring External Captive Portal Authentication when Adding a Guest Network

To configure external captive portal authentication when adding a guest network, perform the following steps:

1. In the Network tab, click the New link.
Figure 90 - External Captive Portal when Adding a Guest Network - External RADIUS Server

6. Select Disabled or Enabled from the WISPr drop-down list to disable or enable the WISPr authentication. For information on WISPr authentication, see "WISPr Authentication" on page 132.
7. Select Disabled or Enabled from the MAC authentication drop-down list to disable or enable the MAC authentication. For information on MAC authentication, see "MAC Authentication" on page 133.
10. Blacklisting— Select Enabled to enable blacklisting of the clients with a specific number of authentication failures.
11. Max authentication failures— Users who fail to authenticate the number of times specified here are dynamically blacklisted. The maximum value for this entry is 10. Navigate to PEF > Blacklisting in the Dell W-Series Instant UI to specify the duration of the blacklisting on the Blacklisting tab of the PEF window.
12. Walled garden — Click on the link to open the Walled Garden window.
a. IP or hostname— Enter the IP address or the hostname of the external splash page server.
b. URL— Enter the URL for the external splash page server.
c. Port— Enter the number of the port to be used for communicating with the external splash page server.
d. Auth text— Enter the authentication text. This indicates the text string returned by the external server after a successful authentication.

Figure 92 - Configuring External Captive Portal Authentication for a Guest Network

e.
- WPA-2 Personal
- WPA Personal
- Both (WPA-2 & WPA)
- Passphrase format — Specify either an alphanumeric or a hexadecimal string. The hexadecimal string must be exactly 64 digits in length.
- Passphrase — Enter a pre-shared key (PSK) passphrase.

External splash page

a. IP or hostname— Enter the IP address or the hostname of the external splash page server.
b. URL— Enter the URL for the external splash page server.
c.
a. Enter the IP address of the ClearPass Guest server in the IP or hostname field. The IP address is 10.65.77.245.
b. Enter /page_name.php in the URL field. This URL must correspond to the Page Name configured in the ClearPass Guest RADIUS Web Login page. For example, if the Page Name is Dell, then the URL should be /Dell.php in the Instant UI.
c. Enter the Port number (generally should be 80). The ClearPass Guest server uses this port for HTTP services.
d.
1. In the Dell W-Series Instant UI, click Settings in the top-right corner, then select the WISPr tab.
2. Enter the ISO Country Code section of the WISPr Location ID in the ISO Country Code text box.
3. Enter the E.164 Area Code section of the WISPr Location ID in the E.164 Area Code text box.
4. Enter the operator name of the Hotspot in the Operator Name text box.
5. Enter the E.164 Country Code section of the WISPr Location ID in the E.164 Country Code text box.
6.
of MAC addresses. Additionally, it is easy to change the MAC address of a station to match one on the accepted list. This spoofing is trivial to perform with built-in driver tools, and it should not be relied upon to provide security. MAC authentication can be used alone, but typically it is combined with other forms of authentication, such as WEP authentication.
page (for example, a hotel website) and all its contents. Users who do not sign up for Internet service can view “allowed” websites (typically hotel property websites). The website names must be DNS-based (not IP address based) and support the option to define wildcards. This works for client devices with or without HTTP proxy settings. When a user attempts to navigate to other websites not configured in the white list walled garden profile, the user is redirected back to the login page.
4. Select the domain name/URL and click Edit to modify or Delete to remove the entry from the list.
5. Click OK to apply the changes.

MAC + 802.1X Authentication

This authentication method has the following features:

- MAC authentication must succeed before 802.1X authentication.
- The administrator is allowed to enable MAC authentication for 802.1X authentication.
- MAC authentication shares all the authentication server configurations with 802.1X authentication.
Figure 96 - Configuring MAC+802.1X Authentication

4. Click Next and then click Finish to apply the changes.

MAC + Captive Portal Authentication

This authentication method has the following features:

- If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC authentication reuses the server configurations.
Figure 97 - Configuring MAC + Captive Portal Authentication

4. Click Next and then click Finish to apply the changes.

Wired Authentication on a W-IAP

W-Instant supports wired authentication on the Ethernet uplink (Ethernet 0) and downlink (Ethernet 1/Ethernet 2) ports of a W-Instant AP. The following wired authentication methods are supported:

- MAC Authentication
- Captive Portal Authentication
- 802.1X Wired Authentication

To configure wired authentication on a W-IAP:

1.
- CA certificate: PEM or DER format

There are two ways to upload the certificates.

1. Instant UI: Navigate to Maintenance > Certificates and then click Upload New Certificate to directly upload the certificate. Refer to "Loading Certificates using Dell W-Series Instant UI" on page 139 for further instructions.
2. Dell PowerConnect W-AirWave: Navigate to Device Setup > Certificate and then click Add New Certificate.
Figure 99 - New Certificate

3. Select the Certificate type (CA certificate or Server certificate) from the drop-down list. The CA certificate is required to validate the client's certificate and the server certificate verifies the server's identity to the client.
4. Select the certificate format from the Certificate format drop-down list.
5. If you have selected the Server certificate type, then enter a passphrase in Passphrase and reconfirm. The default password is whatever.
6.
Figure 100 - Loading Certificate via Dell PowerConnect W-AirWave

3. Select the appropriate Format that matches the certificate file name. Select Server Cert certificate Type, and provide the passphrase if you want to upload a Server certificate. Select either Intermediate CA or Trusted CA certificate Type, if you want to upload a CA certificate.

Figure 101 - CA Certificate

Figure 102 - Server Certificate

4.
Figure 103 - Selecting the Group

5. The Virtual Controller Certificate section displays the certificates (CA cert and Server) as highlighted in the figure below.

Figure 104 - Virtual Controller Certificate

6. Click Save to apply the changes only to Dell PowerConnect W-AirWave. Click Save and Apply to apply the changes to the Instant AP.

NOTE: To unselect the certificate options, click Revert.
Chapter 11
Encryption

Encryption Types Supported in Dell W-Instant

Encryption is the process of converting data into an undecipherable format or code when it is transmitted on a network. Encryption prevents unauthorized use of the data. The following encryption types are supported in Dell W-Instant:

WEP

Though WEP is an authentication method, it is also an encryption algorithm where all users typically share the same key.
Understanding WPA and WPA2

The Wi-Fi Alliance created the Wi-Fi Protected Access (WPA) and WPA2 certifications to describe the 802.11i standard. The standard was written to replace WEP, which was found to have numerous security flaws. It took longer than expected to complete the standard, so WPA was created based on a draft of 802.11i, which allowed people to move forward quickly to create more secure WLANs. WPA2 encompasses the full implementation of the 802.11i standard.
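The Passphrase format setting for WPA-2 Personal and WPA Personal accepts either an alphanumeric passphrase or a hexadecimal string of exactly 64 digits. The following added example (not code from this guide or from the product) shows how both forms end up as the same 256-bit pre-shared key and why the SSID matters to the result. The 8 to 63 character limit and the PBKDF2 parameters come from IEEE 802.11i rather than from this guide, and the function and format names are illustrative.

```python
import hashlib
import re

HEX_KEY = re.compile(r"[0-9A-Fa-f]{64}")


def psk_from_entry(entry: str, ssid: str, passphrase_format: str) -> bytes:
    """Return the 32-byte pre-shared key for a WPA/WPA2 Personal network.

    passphrase_format is "hexadecimal" (the key itself, 64 hex digits) or
    "alphanumeric" (a passphrase that is stretched into the key).
    """
    if passphrase_format == "hexadecimal":
        # 64 hex digits encode the 256-bit key directly; nothing is derived.
        if not HEX_KEY.fullmatch(entry):
            raise ValueError("hexadecimal key must be exactly 64 hex digits")
        return bytes.fromhex(entry)

    if passphrase_format == "alphanumeric":
        # IEEE 802.11i: 8 to 63 printable ASCII characters.
        if not 8 <= len(entry) <= 63:
            raise ValueError("passphrase must be 8 to 63 characters long")
        if any(not 32 <= ord(ch) <= 126 for ch in entry):
            raise ValueError("passphrase must be printable ASCII")
        ssid_bytes = ssid.encode("utf-8")
        if not 1 <= len(ssid_bytes) <= 32:
            raise ValueError("SSID must be 1 to 32 bytes long")
        # The SSID is the salt, so the same passphrase gives a different key
        # on every SSID. Common or default SSIDs weaken that protection
        # because guesses can be precomputed for them.
        return hashlib.pbkdf2_hmac(
            "sha1", entry.encode("ascii"), ssid_bytes, 4096, 32
        )

    raise ValueError("unknown passphrase format")


if __name__ == "__main__":
    # Published IEEE 802.11i test input: passphrase "password", SSID "IEEE".
    key = psk_from_entry("password", "IEEE", "alphanumeric")
    print("derived key :", key.hex())
    # Entering that hex string on the same SSID selects the same key.
    print("same as hex :", psk_from_entry(key.hex(), "IEEE", "hexadecimal") == key)
    # A different SSID changes the key even though the passphrase is the same.
    other = psk_from_entry("password", "Guest-Lobby", "alphanumeric")
    print("other SSID  :", other.hex())
```

A short or guessable passphrase remains the weak point of either format, since the derivation can be repeated offline for each guess.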
Chapter 12
Role Derivation

Every client in a Dell W-Instant network is associated with a user role, which determines the client’s network privileges, how often it must re-authenticate, and which bandwidth contracts are applicable. This section describes creating and assigning roles using the Dell W-Series Instant UI.

User Roles

This section describes how to create a new user role.

Figure 105 - Access Tab - Instant User Role Settings

Creating a New User Role

To create a new user role:

1.
7. Click New. The New Rule window appears. Enter the name of the new user role. To delete a user role, select the user role and click Delete.

Figure 106 - Creating a New User Role

8. Click OK. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. To create new access rules, see "Examples for Access Rules" on page 158.
9. Assign pre-authentication role— Use this option if you want to allow some access to users even before they are authenticated.
Creating Role Assignment Rules

This section describes the rules for determining the role that is assigned for each authenticated client.

NOTE: When Enforce Machine Authentication is enabled, both the device and the user must be authenticated for the role assignment rule to apply.

To create role assignment rules for the user role:

1. Click New in the Role Assignment Rules section of the window. The default user role is the newly created user role.
2.
Registration Authority. This identifier uniquely identifies a vendor, manufacturer, or other organization (referred to by the IEEE as the “assignee”) globally and effectively reserves a block of each possible type of derivative identifier (such as MAC addresses) for the exclusive use of the assignee. IAP uses the OUI part of a MAC address to identify the device manufacturer and assigns a desired role for users who have completed 802.1X authentication and MAC authentication.
Chapter 13
User VLAN Derivation

User VLAN Derivation

W-Instant allows you to assign a user VLAN based on user attributes. When an external RADIUS authentication server is used for authentication, the user VLAN can be derived from Vendor Specific Attributes (VSAs). The user VLAN can be derived in 802.
Figure 109 - Configure VSA on a RADIUS Server

VLAN Derivation Rule

When an external RADIUS server is used for authentication, the RADIUS server may return a reply message for authentication. If the RADIUS server supports return attributes and sets an attribute value in the reply message, the W-IAP can analyze the return message and match its attributes against a user-defined VLAN derivation rule. If the rule is matched, the VLAN value defined by the rule is assigned to the user.
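The matching described above can be sketched as follows. This is an added example, not the W-IAP's own code: it parses the attribute area of a RADIUS reply, unwraps a vendor-specific attribute, and applies VLAN derivation rules to the result. The first-match ordering, the default VLAN fallback, the operator names, and the vendor entry (taken from the public FreeRADIUS Aruba dictionary) are assumptions, and the sample reply is constructed.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type that wraps a VSA (RFC 2865)

# Assumed names for this sketch. Filter-Id (11) and Class (25) are standard
# attributes; the vendor entry follows the public FreeRADIUS Aruba dictionary
# (enterprise number 14823) and is not taken from this guide.
STANDARD_NAMES = {11: "Filter-Id", 25: "Class"}
VENDOR_NAMES = {(14823, 1): "Aruba-User-Role"}

# Hypothetical operator names; the guide's operator list is not shown here.
OPERATORS = {
    "equals": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in actual,
    "starts-with": lambda actual, wanted: actual.startswith(wanted),
}


def tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(payload: bytes):
    """Split an attribute area into (type, value) pairs.

    A bad length raises ValueError so that a truncated or malformed reply is
    rejected as a whole instead of being half-applied.
    """
    attrs, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[offset], payload[offset + 1]
        if length < 2 or offset + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[offset + 2:offset + length]))
        offset += length
    return attrs


def parse_vsa(value: bytes):
    """Decode a Vendor-Specific value into (vendor_id, sub-attribute pairs)."""
    if len(value) < 4:
        raise ValueError("VSA shorter than its vendor id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, parse_attributes(value[4:])


def reply_attributes(payload: bytes) -> dict:
    """Return the known attributes of a reply as a name -> string mapping."""
    named = {}
    for attr_type, value in parse_attributes(payload):
        if attr_type == VENDOR_SPECIFIC:
            vendor_id, subs = parse_vsa(value)
            for sub_type, data in subs:
                name = VENDOR_NAMES.get((vendor_id, sub_type))
                if name:
                    named[name] = data.decode("utf-8", "replace")
        elif attr_type in STANDARD_NAMES:
            named[STANDARD_NAMES[attr_type]] = value.decode("utf-8", "replace")
    return named


def derive_vlan(attributes: dict, rules, default_vlan: int) -> int:
    """Return the VLAN of the first matching rule, else the default VLAN."""
    for attr_name, operator, wanted, vlan in rules:
        actual = attributes.get(attr_name)
        if actual is not None and OPERATORS[operator](actual, wanted):
            return vlan
    return default_vlan


# Constructed sample: attribute area of an Access-Accept and two rules.
SAMPLE_REPLY = tlv(11, b"staff-floor2") + tlv(
    VENDOR_SPECIFIC, struct.pack("!I", 14823) + tlv(1, b"employee")
)
RULES = [
    ("Aruba-User-Role", "equals", "contractor", 30),
    ("Filter-Id", "starts-with", "staff", 20),
]

if __name__ == "__main__":
    attrs = reply_attributes(SAMPLE_REPLY)
    print(attrs, "-> VLAN", derive_vlan(attrs, RULES, default_vlan=1))
```

Because the VLAN follows whatever the reply carries, the integrity of the RADIUS exchange (shared secret, server reachability, who can edit the server's return attributes) decides which network segment a client lands in.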
To configure VLAN derivation rules on a W-IAP:

1. Select a network on the Instant UI and click on the edit link.
2. Select the VLAN tab and check the Dynamic radio button under the client VLAN assignment.
3. Click New to assign the user to a VLAN. The New VLAN Assignment Rule window appears. Enter the following information:
   - Attribute— Select the attribute returned by the RADIUS server during authentication or the MAC-Address.
   - Operator— Select an operator for matching the string.
Figure 112 - Configuring VLAN Derivation using the User Role
To use a defined user VLAN role:
1. Select a network on the Dell W-Series Instant UI and click on the edit link.
2. Select the Access tab.
3. Under role-based, select the defined role.
4. Select the access rule for the defined role from the list of Access rules.
5. Click the New button under the New Role Assignment window.
6. Select the attribute from the Attribute drop-down list.
Configuring VLAN Derivation Rules Using an SSID Profile
To configure VLAN derivation rules on a W-IAP:
1. Select a network on the Dell W-Series Instant UI and click on the edit link.
2. Select the VLAN tab and check the static radio button under the client VLAN assignment.
3. Enter the ID of the VLAN in the VLAN ID text box.
4. Click OK.
Figure 114 - Configuring VLAN Derivation Rules Using an SSID Profile
Chapter 14 Instant Firewall
A firewall is a system designed to prevent unauthorized Internet users from accessing a private network connected to the Internet. It defines access rules and monitors all data entering or leaving the network and blocks data that does not satisfy the specified security policies. Dell W-Instant implements a W-Instant Firewall feature that uses a simplified firewall policy language.
- DSCP tag— Select this check box if you want to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value between 0 and 63. The higher the value, the higher the priority.
- 802.1p priority— Select this check box if you want to specify an 802.1p priority. Specify a value between 0 and 7. The higher the value, the higher the priority.
Service | Description
gre | Generic Routing Encapsulation
h323-tcp | H.323-Transmission Control Protocol
h323-udp | H.
Service | Description
smb-tcp | Server Message Block-Transmission Control Protocol
smb-udp | Server Message Block-User Datagram Protocol
smtp | Simple mail transfer protocol
snmp | Simple network management protocol
snmp-trap | Simple network management protocol-trap
svp | Software Validation Protocol
tftp | Trivial file transfer protocol
Destination Options
Table 22 lists the destination options available in the Dell W-Series Instant UI.
To define the access rule to an existing network, click the network. The edit link appears. Click the edit link and navigate to the Access tab.
2. In the WLAN Settings tab, enter the appropriate information and click Next to continue.
3. Use the VLAN tab to specify how the clients on this network get their IP address and VLAN. Click Next to continue.
4. Click Next and set appropriate values in the Security tab.
5. Click Next. The Access tab appears.
5. Click Next. The Access tab appears. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. To define a rule that allows POP3 service access to a particular server:
a. Click New. The New Rule window appears.
b. Select Allow from the Action drop-down list.
c. Select pop3 from the Service drop-down list.
d. Select to a particular server from the Destination drop-down list and enter the appropriate IP address in the IP text box.
e. Click OK.
6. Click Finish.
6. Click Finish.
Figure 118 - Defining Rule — Deny FTP Service Except to a Particular Server
Deny bootp Service except to a Particular Network
1. Click the New link in the Networks tab. To define the access rule to an existing network, click the network. The edit link appears. Click the edit link and navigate to the Access tab.
2. In the WLAN Settings tab, enter the appropriate information and click Next to continue.
3.
Figure 119 - Defining Rule — Deny bootp Service Except to a Network
Chapter 15 Content Filtering
The Content Filtering feature allows you to create Internet access policies that allow or deny user access to websites based on website categories and security ratings. This feature is useful to:
- Prevent known malware hosts from accessing your wireless network.
- Improve employee productivity by limiting access to certain websites.
- Reduce bandwidth consumption significantly.
Content Filtering is applied on a per-SSID basis, and up to four domain names can be configured manually.
Figure 120 - Enabling Content Filtering
The content filtering configuration applies to all the W-IAPs in the Dell W-Instant network and the service is enabled or disabled globally across all the wireless networks that are configured in the Dell W-Series Instant UI.
Enterprise Domains
The Enterprise Domain Names list displays all the DNS domain names that are valid on the enterprise network. This list is used to determine how client DNS requests should be routed.
To manually add or delete a domain, perform the following steps.
1. Navigate to Settings at the top right corner of the Dell W-Series Instant UI and then select Enterprise Domains in the UI.
2. Click New and enter a New Domain Name or select the domain and click Delete to remove the domain name from the list.
3. Click OK to apply the changes.
Chapter 16 OS Fingerprinting
The OS Fingerprinting feature gathers information about the client that is connected to the Dell W-Instant network to find the operating system that the client is running on. The following is a list of advantages of this feature:
- Identifying rogue clients— Helps to identify clients that are running on forbidden operating systems.
- Identifying outdated operating systems— Helps to locate outdated and unexpected OS in the company network.
Chapter 17 Adaptive Radio Management
Adaptive Radio Management (ARM) is a radio frequency management technology that optimizes WLAN performance even in networks with the highest traffic by dynamically and intelligently choosing the best 802.11 channel and transmitting power for each W-IAP in its current RF environment. ARM works with all standard clients, across all operating systems, while remaining in compliance with the IEEE 802.11 standards.
- Force 5 GHz— When the W-IAP is configured in force-5 GHz band steering mode, the W-IAP forces 5 GHz-capable W-IAPs to use that radio band.
- Balance Bands— In this band steering mode, the W-IAP tries to balance the clients across the two radios in order to best utilize the available 2.4 GHz bandwidth. This feature takes into account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the 5 GHz channels operate in 40 MHz while the 2.4 GHz band operates in 20 MHz.
Access Point Control
Customize Valid Channels
You can customize Valid 5 GHz channels and Valid 2.4 GHz channels for 20 MHz and 40 MHz channels in the W-IAP. Here, the administrator can configure the ARM channels in the channel width window. The valid channels automatically show in the static channel assignment window.
Min Transmit Power
This indicates the minimum effective isotropic radiated power (EIRP) from 3 to 33 dBm in 3 dBm increments.
Monitoring the Network with ARM
When ARM is enabled, a W-IAP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and provides reports for network (WLAN) coverage, interference, and intrusion detection, to a Virtual Controller.
ARM Metrics
ARM computes coverage and interference metrics for each valid channel and chooses the best performing channel and transmit power settings for each W-IAP RF environment.
- Monitor Mode— In Monitor mode the AP acts as a dedicated monitor scanning all channels for rogue APs and clients.
- Spectrum Monitor— In the Spectrum Monitor mode the AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from neighboring APs or from non Wi-Fi devices such as microwaves and cordless phones.
By default the access point’s channel and power are optimized dynamically using Adaptive Radio Management (ARM). You can override ARM on the 2.
Figure 125 - Radio Profile
1. Navigate to RF which is at the top right corner of the Dell W-Series Instant UI.
2. Click Show advanced options to view the Radio tab.
3. Refer to the table below to configure the radio settings for bands 2.4 GHz and 5 GHz.
Table 24 - Radio Profile Configuration Parameters
Parameter | Description
Legacy only | Enable to run the radio in non-802.11n mode. This is disabled by default.
802.11d / 802.11h | Enable the radio to advertise its 802.11d (Country Information) and 802.
Parameter | Description
- Level 0— no ANI adaptation.
- Level 1— Noise immunity only. This level enables power-based packet detection by controlling the amount of power increase that makes a radio aware that it has received a packet.
- Level 2— Noise and spur immunity. This level also controls the detection of OFDM packets, and is the default setting for the Noise Immunity feature.
- Level 3— Level 2 settings and weak OFDM immunity.
Chapter 18 Intrusion Detection System
Intrusion Detection System (IDS) is a feature that monitors the network for the presence of unauthorized W-IAPs and clients. It also logs information about the unauthorized W-IAPs and clients, and generates reports based on the logged information.
In each of these options there are several default levels that enable different sets of policies. An administrator can customize (enable/disable) these options accordingly. Four levels of detection can be configured in the WIP Detection page— Off, Low, Medium, and High (as shown in Figure 127).
Figure 127 - Wireless Intrusion Protection— Detection
The following table describes the detection policies that are enabled in the Infrastructure Detection Custom settings field.
Detection Level | Detection Policy
- Detect Client Flood Attack
- Detect Bad WEP
- Detect CTS Rate Anomaly
- Detect RTS Rate Anomaly
- Detect Invalid Address Combination
- Detect Malformed Frame— HT IE
- Detect Malformed Frame— Association Request
- Detect Malformed Frame— Auth
- Detect Overflow IE
- Detect Overflow EAPOL Key
- Detect Beacon Wrong Channel
- Detect devices with invalid MAC OUI
The following table describes the detection policies that are enabled in the Client Detection Custom settings field
Figure 128 - Wireless Intrusion Protection— Detection
The following table describes the detection policies that are enabled in the Infrastructure Protection Custom settings field.
Containment Methods
You can enable wired and wireless containments to prevent unauthorized stations from connecting to your W-Instant network. W-Instant supports the following types of containment mechanisms:
- Wired containment— When enabled, Dell Access Points generate ARP packets on the wired network to contain wireless attacks.
- Wireless containment— When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified Access Point.
Chapter 19 SNMP
Dell W-Instant supports SNMPv1, SNMPv2c, and SNMPv3 for reporting purposes only. A W-IAP cannot use SNMP to set values in a Dell system.
SNMP Parameters for W-IAP
You can configure the following parameters for W-IAP.
Table 29 - SNMP Parameters for W-IAP
Field | Description
Community Strings for SNMPV1 and SNMPV2 | An SNMP Community string is a text string that acts as a password, and is used to authenticate messages sent between the Virtual Controller and the SNMP agent.
To delete a community string, select the string and click Delete.
Figure 130 - Creating Community Strings for SNMPV1 and SNMPV2
Follow the procedure below to create, edit, and delete users for SNMPV3.
1. In the Settings tab, click the SNMP tab.
2. Click New in the Users for SNMPV3 box.
3. Enter the name of the user in the Name text box.
4. Select the type of authentication protocol from the Auth protocol drop-down list.
Figure 131 - Creating Users for SNMPV3
SNMP Traps
Dell W-Instant supports the configuration of external trap receivers in the Dell W-Series Instant UI. Only the W-IAP acting as the Virtual Controller generates traps. The OID of the traps is 1.3.6.1.4.1.14823.2.3.3.1.200.2.X.
Figure 132 - SNMP Traps
To configure an SNMP trap receiver:
1. Enter a name in the SNMP Engine ID text box. It indicates the name of the SNMP agent on the access point. The SNMPV3 agent has an engine ID that uniquely identifies the agent in the device and is unique to that internal network.
2. Click New and update the following fields:
1. IP Address— Enter the IP Address of the new SNMP Trap receiver.
2. Version— Select the SNMP version— v1, v2c, v3 from the drop-down list. The version specifies the format of traps generated by the access point.
3.
Chapter 20 Ethernet Downlink
Ethernet Downlink Overview
The Ethernet downlink ports allow third party devices such as VoIP phones or printers (which support only wired connections) to connect to the wireless network. Additionally, an Access Control List (ACL) can be configured for added security on the Ethernet downlink.
NOTE: This release of W-Instant supports only the OpenAuth mechanism.
Ethernet Downlink Profile Parameters
To create a new Ethernet downlink profile:
1.
Figure 133 - Ethernet Profile Configuration - Wired Tab
3. Click the VLAN tab or click Next and enter the following information:
Table 31 - Ethernet Downlink Profile Parameters - VLAN Tab
Field | Description
Mode |
- In Access mode the port carries a single VLAN, specified as the Native VLAN.
- In Trunk mode the port carries packets for multiple VLANs, specified as the Allowed VLAN.
Native VLAN | Specifies the VLAN carried by the port in Access mode.
Table 32 - Ethernet Downlink Profile Parameters - Security Tab
Field | Description
MAC authentication |
- Disable— Disable MAC Authentication on the profile (default).
- Enable— Enable MAC Authentication on the profile.
The following figure displays the security parameters of the Ethernet profile configuration:
Figure 135 - Ethernet Profile Configuration - Security Tab
5. Click the Access tab and configure the access rule for the profile.
Figure 136 - Ethernet Profile Configuration - Access Tab
6. Click New in the Access Rules window to create a new rule and enter the following:
Table 34 - Access Rule Parameters
Field | Description
Rule type | Access Control
Action |
- Allow— Allow users based on the access rule.
- Deny— Deny users based on the access rule.
Service | Type of service.
Destination | Specify the destination.
Options | Disable or enable logging.
1. Enable wired bridging on the port. See "Configuring Wired Bridging on Ethernet 0" on page 79.
2. Select and assign a profile from the 0/0 drop down list.
NOTE: Wired bridging must be enabled on the Ethernet 0 (0/0) port before you can assign an Ethernet downlink profile.
- To assign an Ethernet downlink profile to Ethernet 1 port, select the profile from the 0/1 drop down list.
- To assign an Ethernet downlink profile to Ethernet 2 port, select the profile from the 0/2 drop down list.
Chapter 21 Hierarchical Deployment
In earlier releases of Dell W-Instant, a W-IAP could be connected to another W-IAP via the uplink port through a wired switch. If there is no wired infrastructure (Ethernet connection with a L3 NAT router), then multiple W-IAPs could not be deployed. A W-IAP-130 series or W-IAP3WN AP (with more than one wired port) can now be connected to the downlink wired port of another W-IAP (ethX).
Chapter 22 Uplink Configuration
The Dell W-Instant network supports Ethernet and 3G/4G USB modems and the Wi-Fi uplink for the corporate Instant network. The 3G/4G USB modems and the Wi-Fi uplink can be used to extend the connectivity to places where an Ethernet uplink cannot be configured, allowing the client traffic to reach the Internet and the corporate network. It also provides a reliable backup link for the Ethernet based Instant network.
Figure 141 - Uplink Status
3G/4G Uplink
W-Instant supports the use of 3G/4G USB modems to provide Internet backhaul to a W-Instant network. The 3G/4G USB modems extend client connectivity to places where an Ethernet uplink is not feasible. This enables the IAP3WN to choose the available network in an area automatically.
NOTE: The 3G and 4G LTE USB modems can be provisioned on IAP3WN and W-IAP108/109.
Modem Type | Supported 3G Modems
Auto-detect + ISP/country
- U300 (Franklin wireless)
- U301 (Franklin wireless)
- USB U760 for Virgin (Novatel)
- USB U720 (Novatel/Qualcomm)
- UM175 (Pantech)
- UM150 (Pantech)
- UMW190 (Pantech)
- SXC-1080 (Qualcomm)
- Globetrotter ICON 225
- UMG181
- NTT DoCoMo L-05A (LG FOMA L05A)
- NTT DoCoMo L-02A
- ZTE WCDMA Technologies MSM (MF668?)
- Fivespot (ZTE)
- c-motech CNU-600
- ZTE AC2736
- SEC-8089 (Ep
Modem Type | Supported 3G Modems
No auto-detect
- ZTE MF637 (Orange in Israel)
- Huawei E180, E1692, E1762 (Optus (Aus))
- Huawei E1731 (Airtel-3G (India))
- Huawei E3765 (Vodafone (Aus))
- Huawei E3765 (T-Mobile (Germany))
- Huawei E1552 (SingTel)
- Huawei E1750 (T-Mobile (Germany))
- UGM 1831 (TMobile)
- Huawei D33HW (EMOBILE(Japan))
- Huawei GD01 (EMOBILE(Japan))
- Huawei EC150 (Reliance NetConnect+ (India))
- KDDI DATA07(Huawei) (KDDI (Japan))
- Huawei E353 (China Unicom)
- Huawei EC167 (China T
g. Enter the password used to dial the ISP in the USB password text box.
h. Enter the parameter used to switch modem from storage mode to modem mode in the USB mode switch text box.
NOTE: The parameter details are available from the manufacturer of your modem or from your IT administrator.
Figure 142 - Provisioning 3G/4G Uplink— Manually
NOTE: You must reboot the W-IAP after manually provisioning the W-IAP.
Wi-Fi Uplink
The Wi-Fi uplink is supported for all the W-IAP models but only the master W-IAP uses this uplink. The Wi-Fi uplink can connect to open, PSK-CCMP, and PSK-TKIP SSIDs.
- For single radio W-IAPs, the radio serves wireless clients and the Wi-Fi uplink.
- For dual radio W-IAPs, both radios can be used to serve clients but only one of them can be used for the Wi-Fi uplink.
NOTE: When the Wi-Fi uplink is in use, the client IP is assigned by the internal DHCP server.
1. Plug an Ethernet cable to allow the W-IAP to get the IP address.
2. Provision the W-IAP for 3G/4G or Wi-Fi uplink (Refer to the above sections).
Uplink Management
W-Instant allows you to set preferences for uplink preemption and switchover. The following figure shows the fields in the Dell W-Series Instant UI, which can be used for configuring the uplink preferences.
Figure 146 - Uplink Preference
Enforce Uplink
This feature forces the W-IAP to use a specific uplink.
NOTE: This feature is automatically enabled when a VPN is configured in the W-IAP. When this feature is enabled, the W-IAP monitors the VPN status. When VPN status is down for 3 minutes, the uplink switches over (if a low priority uplink is detected and the uplink preference is set to none).
Uplink Switching Based on Internet Connectivity Status
W-Instant supports switching uplinks based on Internet connectivity status.
a. Enter the PPPoE service name provided to you by your service provider in the Service name field.
b. In the CHAP secret and Retype fields, enter the CHAP secret and confirm it.
c. Enter the user name for the PPPoE connection in the User field.
d. In the Password and Retype fields, enter the PPPoE password and confirm it.
4. Click OK.
5. Reboot the W-IAP for the configuration to take effect.
Figure 147 - PPPoE Settings
Chapter 23 Dell PowerConnect W-AirWave Integration and Management
Dell PowerConnect W-AirWave is a powerful and easy-to-use network operations system that manages Dell wireless, wired, and remote access networks, as well as wired and wireless infrastructures from a wide range of third-party manufacturers. With its easy-to-use interface, Dell PowerConnect W-AirWave provides real-time monitoring, proactive alerts, historical reporting, and fast, efficient troubleshooting.
enterprise policies. It alerts you whenever a violation is detected and automatically repairs the misconfigured device.
Figure 148 - Template-based Configuration
Trending Reports
Dell PowerConnect W-AirWave saves up to 14 months of actionable information, including network performance data and user roaming patterns, so you can analyze how network usage and performance trends have changed over time.
RF Visualization Support for Dell W-Instant
Dell PowerConnect W-AirWave supports RF visualization for Dell W-Instant. The VisualRF module provides a real-time picture of the actual radio environment of your wireless network and the ability to plan the wireless coverage of new sites. VisualRF uses sophisticated RF fingerprinting to accurately display coverage patterns and calculate the location of every Instant device in range.
About Shared Key
The Shared Secret key is used by the administrator to manually authorize the first Virtual Controller for an organization. Any string is acceptable.
Entering the Organization String and AMP Information into the W-IAP
1. Click the Dell PowerConnect W-AirWave Set Up Now link in the bottom-middle region of the Dell W-Series Instant UI window. The Settings window with the Dell PowerConnect W-AirWave tab selected appears.
Figure 150 - Configuring Dell PowerConnect W-AirWave
2.
indicate the master controller or the local controller. For W-IAP, this can be used to define the Dell PowerConnect W-AirWave IP, group and password.
1. From a server running Windows Server 2008 navigate to Server Manager > Roles > DHCP Server > domain DHCP Server > IPv4.
2. Right-click on IPv4 and select Set Predefined Options.
Figure 151 - Instant and DHCP options for Dell PowerConnect W-AirWave— Set Predefined Options
3.
Figure 152 - W-Instant and DHCP options for Dell PowerConnect W-AirWave— Predefined Options and Values
4. Navigate to Server Manager and select Server Options in the IPv4 window. (This sets the value globally. Use options on a per-scope basis to override the global options.)
5. Right-click on Server Options and select the configuration options.
Figure 153 - W-Instant and DHCP options for Dell PowerConnect W-AirWave— Server Options
6. Select 060 Dell W-Instant AP in the Server Options window and enter DellInstantAP in the String Value.
Figure 154 - W-Instant and DHCP options for Dell PowerConnect W-AirWave— 060 Dell W-Instant AP in Server Options
7. Select 043 Vendor Specific Info and enter a value for airwave-orgn, airwave-ip, airwave-key in the ASCII field (for example: tme-instant-store1,10.169.240.8, Dell123).
Figure 155 - W-Instant and DHCP options for Dell PowerConnect W-AirWave— 043 Vendor Specific Info
This creates a DHCP option 60 and 43 on a global basis. You can do the same on a per-scope basis. The per-scope option overrides the global option.
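The option 60 and option 43 values configured in the steps above can be checked offline before they go onto a DHCP server. The following is an added example, not Dell or Aruba code: it encodes the values as standard DHCP code/length/value options, applies the per-scope override, and parses the option 43 string into its three fields. The function names, the whitespace trimming, the rule that the key is everything after the second comma, and the per-scope sample value are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict

OPT_PAD, OPT_VENDOR_SPECIFIC, OPT_VENDOR_CLASS, OPT_END = 0, 43, 60, 255


@dataclass(frozen=True)
class AirWaveSettings:
    organization: str   # airwave-orgn
    amp_ip: str         # airwave-ip
    shared_key: str     # airwave-key, carried as readable ASCII in option 43


def parse_option43(value: str) -> AirWaveSettings:
    """Split 'airwave-orgn,airwave-ip,airwave-key' and validate each field."""
    parts = value.split(",", 2)          # assumed: the key is the remainder
    if len(parts) != 3:
        raise ValueError("expected airwave-orgn,airwave-ip,airwave-key")
    org, ip, key = (part.strip() for part in parts)
    if not org or not key:
        raise ValueError("organization and key must not be empty")
    ipaddress.ip_address(ip)             # raises ValueError on a bad address
    return AirWaveSettings(org, ip, key)


def effective_options(server: Dict[int, str], scope: Dict[int, str]) -> Dict[int, str]:
    """Per-scope values override the server-wide (global) values."""
    return {**server, **scope}


def encode_options(options: Dict[int, str]) -> bytes:
    """Encode as DHCP options: one code byte, one length byte, then the value."""
    out = bytearray()
    for code, text in options.items():
        data = text.encode("ascii")
        if not 0 < code < 255 or len(data) > 255:
            raise ValueError(f"option {code} cannot be encoded")
        out += bytes([code, len(data)]) + data
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> Dict[int, str]:
    """Decode a DHCP options field, rejecting truncated options."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option without a length byte")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} is truncated")
        options[code] = data.decode("ascii")
        i += 2 + length
    return options


def settings_from_options(blob: bytes) -> AirWaveSettings:
    """What a receiver of these options would extract from option 43."""
    return parse_option43(decode_options(blob)[OPT_VENDOR_SPECIFIC])


# Server-wide values from the manual's example.
SERVER_OPTIONS = {
    OPT_VENDOR_CLASS: "DellInstantAP",
    OPT_VENDOR_SPECIFIC: "tme-instant-store1,10.169.240.8, Dell123",
}
# Constructed per-scope override for illustration only.
SCOPE_OPTIONS = {OPT_VENDOR_SPECIFIC: "branch-store2,192.0.2.10,ScopeKey1"}

if __name__ == "__main__":
    print(settings_from_options(encode_options(SERVER_OPTIONS)))
    merged = effective_options(SERVER_OPTIONS, SCOPE_OPTIONS)
    print(settings_from_options(encode_options(merged)))
```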
This method describes how to set up a DHCP server to send option 43 with Dell PowerConnect W-AirWave information to Dell W-Instant W-IAP. This section assumes that option 43 is sent per scope because option 60 is being shared by other devices as well. NOTE: This scope should be specific to Instant, and the PXE devices that use options 60 and 43 should not connect to the subnet defined by this scope.
Figure 158 - Dell PowerConnect W-AirWave — New Group
Figure 159 - Dell PowerConnect W-AirWave — Monitor
Chapter 24 AirGroup
Introducing AirGroup
AirGroup™ capabilities are available as a feature in Dell WLANs where Wi-Fi data is distributed among W-Instant APs. AirGroup is a unique enterprise-class capability that leverages zero configuration networking to enable Bonjour® services like Apple® AirPrint and AirPlay from mobile devices in an efficient manner. Bonjour, the trade name for the zeroconf implementation introduced by Apple, is the most common example.
WLANs and Bonjour
In large universities and enterprise networks, it is common for Bonjour-capable devices to connect to the network across VLANs. As a result, user devices such as an iPad on a specific VLAN cannot discover the Apple TV that resides on another VLAN. Broadcast and multicast traffic are usually filtered out from a wireless LAN network to preserve the airtime and battery life. This inhibits the performance of Bonjour services as they rely on multicast traffic.
Features | Dell W-Instant Deployment Models
Limit multicast mDNS traffic on the network | Yes | Yes
VLAN based mDNS service policy enforcement | Yes | Yes
User-role based mDNS service policy enforcement | Yes | Yes
Portal to self register personal leaves | No | Yes
Device owner based policy enforcement | No | Yes
Location based policy enforcement | No | Yes
Shared user list based policy enforcement | No | Yes
Shared role list based policy enforcement | No | Yes
AirGroup Features
- AirGroup sends unicast
Figure 160 - AirGroup Architecture
As seen in the image above, W-IAP1 discovers Air Printer (P1) and W-IAP3 discovers Apple TV (TV1). W-IAP1 advertises information about its connected P1 device to the other W-IAPs, i.e., W-IAP2 and W-IAP3. Similarly, W-IAP3 advertises the TV1 device to W-IAP1 and W-IAP2. This type of distributed architecture allows any W-IAP to respond to its connected devices locally.
Figure 161 - AirGroup Enables Personal Device Sharing
Use Case: Higher Education Wireless LAN
Figure 162 shows a higher-education environment with shared, local, and personal services available to mobile devices. With AirGroup, context-based policies determine which Bonjour services are visible to an end-user’s mobile device.
Table 38 - Dell W-Instant, Dell PowerConnect W-ClearPass Policy Manager, and Dell PowerConnect W-ClearPass Guest Requirements
Component | Minimum Version
Dell W-Instant | 6.2.0.0-3.2.0.0
Dell PowerConnect W-ClearPass Guest software | 3.9.7
AirGroup Services plugin | 0.8.7
Dell PowerConnect W-ClearPass Policy Manager software | 5.2
Configuring AirGroup on W-Instant
Configuring AirGroup and its service requires that you enable the AirGroup feature. W-IAP AirGroup supports two default services i.e.
- Enforce Clear Pass registering— When enabled, only devices registered with CPPM will be discovered by Bonjour devices, based on the CPPM policy.
Figure 163 - Enabling AirGroup
Disallow Role
By default, an AirGroup service is accessible by all user roles configured in your W-IAP cluster. The disallow role option selectively prevents specified user roles from accessing AirGroup services.
Figure 164 - AirPrint Disallowed Roles
1. In the Enable Air Print section of the Instant UI, select Edit. The Air Print Disallowed Roles window appears.
2. Use the arrow keys to move the available roles to the selected window and vice versa.
3. Click OK to apply the selected roles as disallowed roles.
Disallow VLAN
By default, an AirGroup service is accessible by users or devices in all VLANs configured in your W-IAP cluster.
Configuring AirGroup-CPPM Interface in W-Instant
Configure the AirGroup and CPPM interface to allow an AirGroup W-IAP and CPPM to exchange information regarding device sharing, and location. The configuration options define the RADIUS server that is used by the AirGroup RADIUS client. The following steps are required for this configuration:
1. Create a RADIUS server.
2. Assign a server to AirGroup.
3. Configure CPPM to enforce registration.
- Retry count— Specify a number between 1 and 5. Indicates the maximum number of authentication requests that are sent to server group, and the default value is 3 requests.
- RFC 3576— When enabled, the Access Points process RFC 3576-compliant Change of Authorization (CoA) messages from the RADIUS server.
- Air Group CoA port— Indicates that the AirGroup CoA is sent on a different port than the standard CoA port. The default value is 5999.
- NAS IP address— Enter the Virtual Controller IP address.
Configure CPPM to Enforce Registration
When enabled, only devices registered with CPPM will be discovered by Bonjour devices, based on the CPPM policy.
Change of Authorization (CoA)
The CoA only server is the Dell PowerConnect W-ClearPass Guest server, which allows guest users to register their devices. To configure the CoA only server follow the steps below:
1. Navigate to the PEF link at the top right corner of the Dell W-Series Instant UI and click New.
AirGroup Monitoring
This link provides an overall view of your AirGroup Bonjour services. Click on each of the features to view or edit the settings.
Figure 169 - AirGroup Link
AirGroup consists of the following fields:
- MAC — Displays the MAC address of the AirGroup server.
- IP — Displays the IP address of the AirGroup server.
- Host Name — Displays the machine name or hostname of the AirGroup server.
- AP AirGroup Debug Statistics— Displays the debug statistics for the selected W-IAP(s).
- AP AirGroup Servers— Displays information about the Bonjour devices that support AirPrint and AirPlay services for the selected W-IAP(s).
- AP AirGroup User— Displays IP/MAC address, device name, VLAN, type of connection of the Bonjour devices for the selected W-IAP(s).
- VC AirGroup Service— Displays the Bonjour services supported for the selected W-IAP(s).
Chapter 25 Monitoring Monitor the Dell W-Instant network, W-IAPs, Wi-Fi networks, and clients in the network using one or all of the following views: l l l l "Virtual Controller View" on page 229 "Network View" on page 232 "Dell W-Instant Access Point View" on page 235 "Client View" on page 243 This section provides information about the parameters that can be monitored using these views. It also provides procedures to monitor these parameters.
Monitoring Link This link is selected by default and the following sections are displayed. These sections provide information about the Virtual Controller and allow you to monitor the network. l l l Info RF Dashboard Usage Trends Info The Info section displays the following information about the Virtual Controller: l l l l l l l l l Name— Displays the Virtual Controller name. Country Code— Displays the Country in which the Virtual Controller is operating.
Figure 172 - Clients Graph l Throughput Graph Figure 173 - Throughput Graph For more information about the graphs in the Virtual Controller view and for monitoring procedures, see Table 39. Table 39 - Virtual Controller View — Graphs and Monitoring Procedures Graph Name Description Monitoring Procedure Clients The Clients graph shows the number of clients associated with the Virtual Controller for the last 15 minutes. To see an enlarged view, click the graph.
Graph Name Description Monitoring Procedure outgoing traffic is displayed in green. Outgoing traffic is shown above the median line. l Incoming traffic — Throughput for incoming traffic is displayed in blue. Incoming traffic is shown below the median line. To see an enlarged view, click the graph. l The enlarged view provides Last, Minimum, Maximum, and Average statistics for the incoming and outgoing traffic throughput of the Virtual Controller for the last 15 minutes.
Figure 174 - Network View Info The Info section displays the following information about the selected network: l l l l l l Name— Name of the network. Band— Band in which the network is broadcast: 2.4 GHz band, 5 GHz band, or both. Type— Network type: Employee, Guest, or Voice. IP Assignment— Source of IP address for the client. Access— The level of access control for this network. Security level— The type of user authentication and data encryption for this network.
Figure 176 - Throughput Graph

For more information about the graphs in the network view and for monitoring procedures, see Table 40.

Table 40 - Network View — Graphs and Monitoring Procedures
Graph Name    Description    Monitoring Procedure
Clients    The Clients graph shows the number of clients associated with the network for the last 15 minutes. To see an enlarged view, click the graph.
Dell W-Instant Access Point View

All W-IAPs in the Dell W-Instant network are listed in the Access Points tab. Click the W-IAP that you want to monitor. The Access Point view for that W-IAP appears. Similar to the Virtual Controller view, the Access Point view also has three tabs— Networks, Access Points, and Clients.
Overview

The Overview section displays the common RF metrics for the selected access point over the last 15 minutes. The following graphs are displayed for the selected W-IAP:
- Neighboring APs
Figure 178 - Neighboring APs Graph
- CPU Utilization
Figure 179 - CPU Utilization Graph
- Neighboring Clients
Figure 180 - Neighboring Clients Graph
- Memory Free (MB)
Figure 181 - Memory free Graph
- Clients
Figure 182 - Clients Graph
- Throughput (bps)
Figure 183 - Throughput Graph

For more information about the graphs in the instant access point view and for monitoring procedures, see Table 41.
Graph Name    Description    Monitoring Procedure
CPU Utilization
Neighboring Clients
Memory free (MB)

connected to the network. Rogue APs: An unauthorized AP that is plugged into the wired side of the network. To see the number of different types of neighboring APs for the last 15 minutes, hover the cursor over the respective graph lines.
2. In the Access Points tab, click the W-IAP for which you want to monitor the client association. The W-IAP view appears.
3.
Graph Name    Description    Monitoring Procedure
Clients    The Clients graph shows the number of clients associated with the selected W-IAP for the last 15 minutes. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the number of clients associated with the W-IAP for the last 15 minutes. To see the exact number of clients associated with the selected W-IAP at a particular time, hover the cursor over the graph line.
Figure 185 - 2.4 GHz Management Frames (fps) Graph
- Drops (fps)
Figure 186 - Drops (fps) Graph
- Noise Floor (dBm)
Figure 187 - Noise Floor (dBm) Graph
- 2.4 GHz Mgmt Frames
Figure 188 - 2.4 GHz Management Frames (fps) Graph
- Errors (fps) Graph
Figure 189 - Errors (fps) Graph

To see the graphs for the 5 GHz band, click the 5 GHz link. For more information about the graphs in the instant access point view and for monitoring procedures, see Table 42.

Table 42 - Dell W-Instant Access Point View — RF Trends Graphs and Monitoring Procedures
Graph Name    Description
Utilization    The Utilization graph shows the radio utilization percentage of the access point for the last 15 minutes. To see an enlarged view, click the graph.
Graph Name    Description    Monitoring Procedure

shown above the median line.
Incoming frames — Incoming frame traffic is displayed in blue. It is shown below the median line.
To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the incoming and outgoing frames. To see the exact utilization percent at a particular time, hover the cursor over the graph line.
view.
2.
Graph Name    Description    Monitoring Procedure
Frames
Errors

in and out of the radio in the 2.4 GHz band for the last 15 minutes. Note that the scale for the Y-axis is logarithmic. To see the exact number of management frames per second at a particular time, hover the cursor over the graph lines.
last 15 minutes,
1. Log in to the Dell W-Series Instant UI. The Virtual Controller view appears. This is the default view.
2.
Figure 190 - Client View

Info

The Info section provides the following information about the selected W-IAP:
- Name— Name of the selected client.
- IP Address— IP address of the client.
- MAC Address— MAC Address of the client.
- OS— Operating System that is running on the client.
- Network— Network to which the client is connected.
- Access Point— W-IAP to which the client is connected.
- Channel— Channel that the client is using.
- Type— Channel type that the client is broadcasting on.
- Frames
Figure 192 - Frames Graph
- Speed
Figure 193 - Speed Graph
- Throughput
Figure 194 - Throughput Graph

For more information about RF trends graphs in the client view and for monitoring procedures, see Table 43.
Table 43 - Client View — RF Trends Graphs and Monitoring Procedures
Graph Name    Description    Monitoring Procedure
Signal    The Signal graph shows the signal strength of the client for the last 15 minutes. It is measured in decibels. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average signal statistics for the client for the last 15 minutes. To see the exact signal strength at a particular time, hover the cursor over the graph line.
Graph Name    Description

line.
Throughput    The Throughput Graph shows the throughput for the selected client for the last 15 minutes.
- Outgoing traffic — Throughput for outgoing traffic is displayed in green. Outgoing traffic is shown above the median line.
- Incoming traffic — Throughput for incoming traffic is displayed in blue. Incoming traffic is shown below the median line.
To see an enlarged view, click the graph.
Chapter 26 Alert Types and Management

Alert Types

Alerts are generated when a user encounters problems accessing or connecting to the Wi-Fi network. These alerts enable you to troubleshoot the problems. The alerts that are generated on Dell W-Instant can be categorized as follows:
- 802.11 related association and authentication failure alerts.
- 802.1X related mode and key mismatch, server, and client time-out failure alerts.
- IP address related failure - Static IP address or DHCP related alerts.
Type Code    Description    Details    Corrective Actions

Details: authenticate this client because the client's MAC address is not valid.
Corrective Actions: indicative of a misbehaving client. Try to locate the client device and check its hardware and software.

Type Code: 100307
Description: Client blocked due to repeated authentication failures
Details: The W-IAP is temporarily blocking the 802.1X authentication request from this client because the credentials provided have been rejected by the RADIUS server too many times.
Corrective Actions: Identify the client and check its 802.
Chapter 27 Policy Enforcement Firewall

Dell’s Policy Enforcement Firewall (PEF) module for Dell W-Instant provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. The PEF window displays the external/internal authentication servers, the currently defined roles for all the networks, and the blacklisted clients, and lets you enable or disable the protocols for ALG.
Figure 196 - Users for Internal Server

To add a user:
1. Enter the username in the Username text box.
2. Enter the password in the Password text box and reconfirm.
3. Select appropriate network type from the Type drop-down list.
4. Click Add and click OK. The users are listed in the Users list.
See "User Database" on page 269 for more information.

Roles

This window consists of the following options:
- Roles— This table displays all the roles defined for all the networks.
Figure 197 - Roles

Extended Voice and Video Functionalities

W-Instant has the added ability to identify and prioritize voice and video traffic from applications like Microsoft Office Communications Server (OCS) and Apple Facetime.

Figure 198 - Classify Media

QoS for Microsoft Office OCS and Apple Facetime

Voice and video devices use a signaling protocol to establish, control, and terminate voice and video calls. These control or signaling sessions are usually permitted using pre-defined ACLs.
classify-media option enabled to identify the voice or video flow based on a deep packet inspection and analysis of the actual traffic.

Microsoft OCS

Microsoft Office Communications Server (OCS) uses Session Initiation Protocol (SIP) over TLS to establish, control, and terminate voice and video calls.

Apple Facetime

When an Apple device starts a Facetime video call, it initiates a TCP session to the Apple Facetime server over port 5223, then sends SIP signaling messages over a non-default port.
Figure 199 - Classify Media —Microsoft Lync
Figure 200 - Classify Media —Apple Facetime

Client Blacklisting

Client blacklisting denies connectivity to the blacklisted clients. When a client is blacklisted in a Dell W-IAP, the client is not allowed to associate with the W-IAP in the network. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force the client to disconnect.
Figure 201 - Client Blacklisting

Types of Client Blacklisting

The following types of client blacklisting can be generated in W-Instant:
- Manual Blacklisting
- Dynamic Blacklisting
  - Authentication Failure Blacklisting
  - Session Firewall Based Blacklisting

Manual Blacklisting

Manual blacklisting is the simplest way to add a client to the blacklist. In manual blacklisting, the MAC address of the client has to be known to the user. These clients are added to a permanent blacklist.
Figure 202 - Manual Blacklisting

4. Click Ok. The Blacklisted Since tab displays the time at which the current blacklisting started for the client.
5. To delete a client from the manual blacklist, select the MAC Address of the client under the Manual Blacklisting window and then click Delete.

Dynamic Blacklisting

Clients can be blacklisted dynamically when they exceed the authentication failure threshold or when a blacklisting rule is triggered as part of the authentication process.
Figure 203 - Dynamic Blacklisting

PEF Settings

Firewall ALG Configuration

Instant firewall now supports the ALG (Application Layer Gateway) functions such as SIP, Vocera, Alcatel NOE, and Cisco Skinny protocols. To enable or disable the protocols for ALG in Dell W-Instant, perform the following steps:
1. Select PEF from the top right of the Dell W-Series Instant UI.
2. Select PEF Settings tab.
3.
Firewall-based Logging

The W-Instant firewall now supports firewall-based logging. The firewall logs on the W-Instant APs are generated as syslog messages.
Chapter 28 VPN Configuration

The W-IAP supports termination of a VPN tunnel on the Dell controller. VPN features are ideal for:
- enterprises with many branches that do not have a dedicated VPN connection to the corporate office.
- branch offices that require multiple APs.
- individuals working from home, connecting to the VPN.
1. Navigate to the VPN link at the top right corner of the Dell W-Series Instant UI. The Tunneling window appears.
2. Select IPSec from the Protocol drop-down list.
3. If you select GRE from the Protocol drop-down list, then the packets are sent and received without encryption.
   a. GRE type — Enter the value for GRE type parameter.
   b. Per-AP tunnel — Select Enabled or Disabled from the Per-AP tunnel drop-down list.
Figure 206 - Tunneling— Routing

Use the Routing Table to specify policy based on routing into the VPN tunnel. Each routing table entry has a destination, network mask, and default gateway.
1. Click New and update the following parameters.
   - Destination— Specify the destination network to be routed into the VPN tunnel.
   - Netmask— Specify the network mask of the network to be routed into the VPN tunnel.
   - Gateway— Specify the gateway to which traffic should be routed.
Centralized L2— In this mode, the VC does not assign an IP address to the client, but the DHCP traffic is directly forwarded to the controller over the IPSec tunnel and obtains an IP address from either the controller or a DHCP server behind the controller serving the VLAN of the client. However, W-Instant AP does forward client traffic in the same way as the Distributed L2 mode.

L3 Routing Mode— In this mode, W-Instant supports L3 routing mode of connection to corporate.
   - Lease time— An optional field which defines the lease time for client.
Figure 208 - NAT DHCP Configuration
2. Click OK to apply these changes.

Distributed L2 DHCP Configuration

In Distributed L2 mode, the Virtual Controller acts as the DHCP Server but the default gateway is in the data center. Traffic is bridged into VPN tunnel.
1.
   - Domain name— An optional field which defines the domain name.
   - Lease time— An optional field which defines the lease time for client.
2. Click OK to apply these changes.
Figure 209 - Distributed L2 DHCP Configuration

Distributed L3 DHCP Configuration

In Distributed L3 mode, the Virtual Controller acts as both DHCP Server and default gateway. Traffic is routed into the VPN tunnel.
1.
Figure 210 - Distributed L3 DHCP Configuration

Centralized L2 DHCP Configuration

In Centralized L2 mode, both the DHCP server and default gateway are in the data center, on the other side of the VPN tunnel.
1. Click New in the DHCP Server window and select Centralized, L2 to configure the following parameters for the Distributed L3 mode DHCP pool:
   - Name — Name of the subnet (must be unique).
   - Type— Indicates the type of DHCP server.
Table 46 - DHCP Relay and Option 82

DHCP Relay    Option 82    Behavior
Enabled       Enabled      DHCP packet relayed with the ALU-specific Option 82 string
Enabled       Disabled     DHCP packet relayed without the ALU-specific Option 82 string
Disabled      Enabled      DHCP packet not relayed, but broadcasted with the ALU-specific Option 82 string
Disabled      Disabled     DHCP packet not relayed, but broadcasted without the ALU-specific Option 82 string

2. Click OK to apply these changes.
Chapter 29 User Database

In Dell W-Instant, the user database consists of a list of guest and employee users. Addition of a user involves specifying a username and password for the user. The login credentials for these users are provided outside the Dell W-Instant system.

A guest user can be a visitor who is temporarily using the enterprise network to access the Internet. However, you may not want to share the internal network and the intranet with them.
4. Select appropriate network type from the Type drop-down list.
5. Click Add and click OK. The users are listed in the Users list.

Editing User Settings

To edit user settings:
1. At the top right corner of the Instant UI, click the Users link. The Users window appears.
2. In the Users section, select the username for which you want to edit the settings and click Edit. The user's details appear on the right side.
3. Edit as required and click OK.

Deleting a User

To delete a user:
1.
Chapter 30 Regulatory Domain

The IEEE 802.11b/g/n Wi-Fi networks operate in the 2.4 GHz spectrum and IEEE 802.11a/n operate in the 5.0 GHz spectrum. These spectrums are divided into channels. The 2.4 GHz spectrum is divided into 14 overlapping, staggered 20 MHz wireless carrier channels. These channels are spaced 5 MHz apart. The 5 GHz spectrum is divided into more channels. The channels that can be used in a particular country differ based on the regulations of that country.
Code    Country Name
JP3     Japan
DE      Germany
NL      Netherlands
IT      Italy
PT      Portugal
LU      Luxembourg
NO      Norway
FI      Finland
DK      Denmark
CH      Switzerland
CZ      Czech Republic
ES      Spain
GB      United Kingdom
KR      Republic of Korea (South Korea)
CN      China
FR      France
HK      Hong Kong
SG      Singapore
TW      Taiwan
BR      Brazil
SA      Saudi Arabia
LB      Lebanon
AE      United Arab Emirates
ZA      South Africa
AR      Argentina
AU      Australia
AT      Austria
Code    Country Name
BO      Bolivia
CL      Chile
GR      Greece
IS      Iceland
IN      India
IE      Ireland
KW      Kuwait
LI      Liechtenstein
LT      Lithuania
MX      Mexico
MA      Morocco
NZ      New Zealand
PL      Poland
PR      Puerto Rico
SK      Slovak Republic
SI      Slovenia
TH      Thailand
UY      Uruguay
PA      Panama
RU      Russia
Code    Country Name
EG      Egypt
TT      Trinidad and Tobago
TR      Turkey
CR      Costa Rica
EC      Ecuador
HN      Honduras
KE      Kenya
UA      Ukraine
VN      Vietnam
BG      Bulgaria
CY      Cyprus
EE      Estonia
MU      Mauritius
RO      Romania
CS      Serbia and Montenegro
ID      Indonesia
PE      Peru
VE      Venezuela
JM      Jamaica
BH      Bahrain
Code    Country Name
OM      Oman
JO      Jordan
BM      Bermuda
CO      Colombia
DO      Dominican Republic
GT      Guatemala
PH      Philippines
LK      Sri Lanka
SV      El Salvador
TN      Tunisia
PK      Islamic Republic of Pakistan
QA      Qatar
DZ      Algeria
Appendix A Controller Configuration for VPN

On the controller, the following configuration is needed to set up a W-IAP.

Whitelist DB Configuration

If you decide to use the Controller as the whitelist entry to configure the whitelist database, use the following CLI command:

(Dell3400) #local-userdb-ap add mac-address 00:11:22:33:44:55 ap-group test
(Dell3400) #

The ap-group parameter is not used for any configuration, but needs to be configured. The parameter can be any valid string.
W-IAP VPN Profile Configuration

This defines the server used to authenticate the W-IAP (internal or an external server) and the role for W-IAP user. This role is used to define the src-nat rule to RADIUS server to allow Dynamic RADIUS proxy.
Appendix B Dell PowerConnect W-ClearPass Configuration for AirGroup

The purpose of this chapter is to help you configure AirGroup with Dell PowerConnect W-ClearPass 6.0.1.

Dell PowerConnect W-ClearPass Setup

1. On Dell PowerConnect W-ClearPass Guest, navigate to Administration > AirGroup Services.
2. Click Configure AirGroup Services.
Figure 214 - Configure AirGroup Services
3. Click Add a new controller.
Figure 215 - Add a New Controller for AirGroup Services
4.
NOTE: Ensure that the port configured matches the CoA port (RFC 3576) set on the W-IAP configuration.
Figure 216 - Configure AirGroup Services Controller Settings
5. Click Save Configuration.

In order to demonstrate AirGroup, either an AirGroup Administrator or an AirGroup Operator account must be created.
1. Navigate to the Dell PowerConnect W-ClearPass Policy Manager UI, and navigate to Configuration > Identity > Local Users.
Figure 217 - Configuration > Identity > Local Users Selection
2.
Figure 218 - Adding a New Local User in CPPM
3. Create an AirGroup Administrator.
Figure 219 - Create an AirGroup Administrator
4. In this example, the password used is test123. Click Add.
5. Now click Add User, and create an AirGroup Operator.
Figure 220 - Create an AirGroup Operator
6. Click Add to save the user with an AirGroup Operator role.
7. The AirGroup Administrator and AirGroup Operator IDs will be displayed in the Local Users UI screen.
Figure 221 - Local Users UI Screen
8. Navigate to the Dell PowerConnect W-ClearPass Guest UI and click Logout. The ClearPass Guest Login page appears. Use the AirGroup admin credentials to log in.
9. After logging in, click Create Device.
Figure 222 - Create a Device
The following page is displayed.
Testing

1. Disconnect your AppleTV and OSX Mountain Lion/iOS 6 devices if they were previously connected to the wireless network. Remove their entries from the controller’s user table using these commands:
   - Find the MAC address— show user table
   - Delete the address from the table— aaa user delete mac 00:aa:22:bb:33:cc
2. Reconnect both devices. To limit access to the AppleTV, access the Dell PowerConnect W-ClearPass Guest UI using either the AirGroup admin or the AirGroup operator credentials.
Appendix C IAP-VPN

The IAP-VPN functionality on the controller release provides the ability to terminate VPN and GRE tunnels from the W-Instant AP and provides corporate connectivity to the branch W-Instant AP network. VPN features are ideal for:
- enterprises with many branches that do not have a dedicated VPN connection to the HQ.
- branch offices that require multiple APs.
- individuals working from home, connecting to the VPN.
VPN Configuration

The following VPN configuration steps on the controller enable W-IAPs to terminate their VPN connection on the controller:

Creating a W-IAP Whitelist

Controller Whitelist DB

The W-IAP whitelist is the list of approved APs that can be provisioned on your controller. To create a W-IAP whitelist:
1. Navigate to Configuration > AP Installation (under Wireless) and then click the RAP Whitelist tab on the right side.
2. Click the New button and provide the following details:
   a.
   g. Add new vendor specific attributes and click OK.
   h. In the IP tab, provide the IP for the RAP and click OK.

VPN Local Pool Configuration

To configure the VPN Local Pool:
1. Navigate to the Configuration > Advanced Services > VPN Services > IPSec page.
2. Select (check) Enable L2TP.
3. Make sure that only PAP (Password Authentication Protocol) is selected for Authentication Protocols.
4. To configure the L2TP IP pool, click Add in the Address Pools section.
Viewing Branch Status

To view the details of the branch information connected to the controller, issue the show iap table command.

Example

This example shows the details of the branches connected to the controller.
Appendix D Troubleshooting

The Support module in Dell W-Instant provides CLI commands to view logs for APs.

Viewing Logs

To view the log information for APs:
1. At the top right corner of Dell W-Series Instant UI, click Support. The Support window appears.
2. Select the required option from the Command drop-down list. For example, AP ARM Configuration.
3. Select All Access Points or a specific W-IAP from the Target drop-down list for which you want to view the AP ARM Configuration.
4. Click Run.
- AP ARM History— Displays the channel history and power changes due to Adaptive Radio Management (ARM) for the selected W-IAP.
- AP ARM Neighbors— Displays the ARM settings for the selected W-IAP's neighbors.
- AP ARM RF Summary— Displays the state and statistics for all channels being monitored by the selected W-IAP.
- AP ARM Scan Times— Displays AM channel scan times for the selected W-IAP.
- AP IP Route Table— Displays the route table of the selected W-IAP.
- AP L3 Mobility Datapath
- AP L3 Mobility Events Log
- AP L3 Mobility Status
- AP Log All— Displays all logs of the selected W-IAP.
- AP Log AP-Debug— Displays logs about the selected W-IAP.
- AP Log Conversion
- AP Log Driver
- AP Log Network— Displays network logs of the selected W-IAP.
- AP Processes— Displays the processes of the selected W-IAP.
- AP Radio 0 Stats— Displays aggregate debug statistics of the selected W-IAP Radio 0.
- AP Radio 1 Stats— Displays aggregate debug statistics of the selected W-IAP Radio 1.
- AP RADIUS Statistics— Displays the RADIUS statistics of the selected W-IAP.
- AP Shaping Table— Displays the VAP statistics of the selected W-IAP.
- VC IDS AP List— Displays the list of W-IAPs monitored by the selected W-IAP.
- VC IDS Client List— Displays the IDS detected client list of the selected W-IAP.
- VC Internal DHCP Server Configuration— Displays the configuration of internal DHCP server of the selected W-IAP.
- VC Local User Database— Displays the user configuration of the selected W-IAP.
- VC OpenDNS Configuration and Status— Displays configuration and status about OpenDNS server.
Appendix E Abbreviations

The following table lists the abbreviations used in this user guide.
Abbreviation    Expansion
NAT             Network Address Translation
NS              Name Server
NTP             Network Time Protocol
PEAP            Protected Extensible Authentication Protocol
PEM             Privacy Enhanced Mail
PoE             Power over Ethernet
RADIUS          Remote Authentication Dial In User Service
VC              Virtual Controller
VSA             Vendor-Specific Attributes
WLAN            Wireless Local Area Network