Dell PowerConnect W-Series Instant Access Point 6.1.3.4-3.1.0.
Copyright © 2012 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Contents

About this Guide
Dell PowerConnect W-Instant Access Point Overview
Supported Devices
Objective

Views
Chapter 3 Wireless Network
Network Types
Employee Network

Manual
Automatic
Chapter 6 Layer-3 Mobility
Overview

Connect
Creating a Web Login page in the Dell PowerConnect W-ClearPass GuestConnect
Configuring the RADIUS Server in Instant
MAC Authentication
Configuring MAC Authentication

Chapter 17 Adaptive Radio Management
ARM Features
Channel or Power Assignment
Voice Aware Scanning

Intrusion Detection System
Wireless Intrusion Detection System (WIDS) Event Reporting to Dell PowerConnect W-AirWave
RF Visualization Support for Dell Instant

VPN Configuration
Routing Profile Configuration
DHCP Server Configuration
NAT DHCP Configuration
About this Guide

Dell PowerConnect W-Instant Access Point Overview

Dell PowerConnect W-Instant virtualizes Dell Mobility Controller capabilities on 802.11n access points (APs), creating a feature-rich enterprise-grade wireless LAN (WLAN) that combines affordability and configuration simplicity. Dell Instant is a simple, easy to deploy turn-key WLAN solution consisting of one or more access points.
Conventions

The following conventions are used throughout this manual to emphasize important concepts:

Table 1 Conventions
Type Style | Description
Italics | This style is used to emphasize important terms and provide cross-references to other books.
Screen input and output | This style is used to illustrate: screen output; on-screen system prompt; filenames, software devices, and specific commands.
Bold | This style is used to emphasize Instant UI elements.
Chapter 1 Initial Configuration

This chapter provides information that is required to set up the Dell PowerConnect W-Series Instant Access Point and access the Instant User Interface.

Initial Setup

This section provides a pre-installation checklist and describes the initial procedures required to set up Dell Instant.

Pre-Installation Checklist

Before installing the Instant Access Point (IAP), make sure that you have the following:
Ethernet cable of required length to connect the IAP to the home router.
4. “Login into Instant User Interface” on page 16
5. “Specifying the Country Code” on page 16. Skip this step if you are installing the IAP in the United States, Japan or Israel.

Connecting the IAP to a Power Source

Based on the type of power source that is used, perform one of the following steps to connect the IAP to the power source:
PoE switch: Connect the ENET port of the IAP to the appropriate port on the PoE switch.
Figure 1 Connecting to a provisioning Wi-Fi Network - Microsoft Windows
Figure 2 Connecting to a provisioning Wi-Fi Network - Mac OS

Disabling the Provisioning Wi-Fi Network

The provisioning network is enabled by default. Instant provides the option to disable the provisioning network in apboot. Use this option when you do not want the default SSID instant to appear in your network. To disable the provisioning network:
1.
Login into Instant User Interface

Launch a web browser and navigate to instant.dell-pcw.com (or any URL or web address). In the login screen, enter the following credentials:
Username: admin
Password: admin

Figure 3 Instant User Interface Login Screen

When you use a provisioning Wi-Fi network to connect to the internet, all browser requests are directed to the Instant user interface. For example, if you enter www.example.com in the address field, you will be directed to the Instant user interface.
IAP Cluster

IAPs in the same VLAN automatically find each other and form a single functioning network managed by a Virtual Controller.

NOTE: Moving an IAP from one cluster to another requires a factory reset of the IAP that is being moved. See Chapter 5, “Managing IAPs” on page 71 for more information.
Chapter 2 Instant User Interface

The Instant User Interface (UI) provides a standard web-based interface that allows you to configure and monitor a Wi-Fi network. It is accessible through a standard web browser from a remote management console or workstation. JavaScript must be enabled on the web browser to view the Instant UI.
Banner

The banner is a horizontal grey rectangle that appears at the top left corner of the Instant UI. It displays the company name, logo, and Virtual Controller's name.

Search

Administrators can search for an IAP, client, or network using a simple Search window in the Instant UI. As you type a word, the Search option displays suggested matches in a dynamic list. The list becomes more relevant and detailed as more keywords are typed in.
Access Points Tab

If the Auto Join Mode feature is enabled, a list of enabled and active IAPs in the Dell Instant network is displayed in the Access Points tab. The IAP names are displayed as links. If the Auto Join Mode feature is disabled, a New link appears. Click this link to add a new IAP to the network. If an IAP is configured and not active, its MAC address is displayed in red. The expanded view displays the following information about each IAP:
Name: Name of the access point.
Speed (mbps): Data transfer speed.

Figure 8 Client Tab - Compressed View and Expanded View

Links

The following links allow you to configure the features and settings for the Instant network. Each of these links is explained in the subsequent sections.
Settings

This link displays the Settings window. The Settings window consists of the following tabs:

Figure 9 Settings Link

NOTE: Use the Show/Hide Advanced option on the bottom-left of the Settings window to view or hide the advanced options.

General: View or edit the Name, IP address, NTP Server, and DHCP server settings of the Virtual Controller. For information about Virtual Controller settings and NTP Server, see Chapter 9, “Virtual Controller” and Chapter 8, “NTP Server”.
Figure 10 RTLS

SNMP: View or specify SNMP agent settings. See Chapter 19, “SNMP” for more information.
OpenDNS: Instant supports OpenDNS business solutions, which require an OpenDNS (opendns.com) account comprising a username and a password. Instant uses these credentials to access OpenDNS and provide enterprise-level content filtering.
Figure 11 OpenDNS

NOTE: For OpenDNS to work, enable the Content Filtering feature while creating a new network. Click New in the Networks tab and then select Enabled from the Content filtering drop-down list.

Uplink: View or configure uplink settings. See Chapter 22, “Uplink Configuration” for more information.
Enterprise Domains: This tab lists all the DNS domain names valid on the enterprise network. The list is used to determine how client DNS requests should be routed.
Figure 12 RF

ARM: View or assign channel and power settings for all the IAPs in the network. For information about ARM (Adaptive Radio Management), see “ARM Features” on page 159.
Radio: View or configure radio settings for the 2.4 GHz and 5 GHz radio profiles. For information about Radio, see “Configuring Radio Profiles in Instant” on page 163.

PEF

This link displays the following features.
Users for Internal Server: Use this window to populate the system’s internal authentication server with users. This list will be used by networks for which per-user authorization is specified using the Virtual Controller’s internal authentication server. For more information about users, see Chapter 28, “User Database”.
Roles: This window displays all the roles defined for all the Networks, and the Access Rules list the permissions for each role. For more information, see “User Roles” on page 137.
Figure 15 VPN

Wired

Specify the desired profile for each port of the IAP. See Chapter 21, “Ethernet Downlink” for more information.

Figure 16 Wired

Maintenance

This link displays the Maintenance window. The Maintenance window allows you to maintain the Wi-Fi network. It consists of the following tabs:
About: Displays the Build Time, IAP model name, Dell Instant OS version, Web address of Dell and Copyright information.
Configuration: Displays the current configuration of the network.
Restore Configuration: Click Restore Configuration to browse and locate the backup file to restore. Reboot the IAP for the changes to take effect.
Certificates: Displays information about the current certificate installed in the network. Provides an interface to upload new certificates and to set a passphrase for the certificates. For more information, see “Certificates” on page 129.
Firmware: Displays the current firmware version and provides options to upgrade to a new firmware version.
Support

This link displays the Support window. It consists of the following fields:
Command: Provides various options for which you can generate support logs.
Target: Provides a list of IAPs in the network.
Run: Click this to generate the support log for the selected option and IAP.
Auto Run: The selected commands run on the selected APs according to the specified time schedule.
Filter: Enter a string and click to display the filtered content of any command.
AP CPU Utilization: Displays utilization of CPU for the selected IAP.
AP Current Time: Displays current time of the selected IAP.
AP Current Timezone: Displays current time zone of the selected IAP.
AP Log All: Displays all logs of the selected IAP.
AP Log Debug: Displays logs about the selected IAP.
AP Log Network: Displays network logs of the selected IAP.
AP Log Security: Displays security logs of the selected IAP.
AP Log System: Displays system logs of the selected IAP.
VC Application Services: Displays the details of application services of the selected IAP, which includes protocol number, port number.
VC Global Alerts: Displays all the alerts about client of the selected IAP.
VC Global Statistics: Displays the flow information and signal strength of the selected IAP.
VC Local User Database: Displays the user configuration of the selected IAP.
VC Radius Attributes: Displays the RADIUS attributes of the selected IAP.
ARM History: Displays the channel history and power changes due to Adaptive Radio Management (ARM) for the selected IAP.
ARM Neighbors: Displays the ARM settings for the selected IAP's neighbors.
ARM RF Summary: Displays the state and statistics for all channels being monitored by the selected IAP.
ARM Scan Times: Displays AM channel scan times for the selected IAP.
OpenDNS Configuration and Status: Displays the configuration and status of the OpenDNS server.
Figure 21 Monitoring on Instant UI

Info

Displays the configuration information of the Virtual Controller by default. In a Network View, this section displays configuration information of the selected network. Similarly, in an Instant Access Point View or Client View, this section displays the configuration information of the selected IAP or the client.

Figure 22 Info Section in the Monitoring Pane

RF Dashboard

Allows you to view trouble spots in the network.
Orange: Signal strength is between 15-20 decibels.
Red: Signal strength is less than 15 decibels.
To view the signal graph for a client, click on the signal bar against the client in the Signal column.

Speed: Displays the data transfer speed of the client. Depending on the data transfer speed of the client, the color of the Signal bar changes from Green > Orange > Red.
Green: Data transfer speed is more than 50 percent of the maximum speed supported by the client.
Figure 24 Usage Trends Section in the Monitoring Pane

For more information about the graphs and monitoring procedures, see Chapter 24, “Monitoring”.

Spectrum

The spectrum link displays the spectrum data that is collected by a hybrid AP or by an IAP that has spectrum monitor enabled. The spectrum data is not reported to the VC.
Figure 26 Channel Metrics for the 2.4 GHz Radio Channel

5 GHz

This graph shows channel utilization information such as channel quality, availability and utilization metrics as seen by a spectrum monitor for the 5 GHz radio band. The data displayed includes percentage of Quality, Availability, Wi-Fi utilization, and Interference utilization.

Figure 27 Channel Metrics for the 5 GHz Radio Channel

Channel Details

When you hover your mouse over a channel, the channel details or the summary of the 802.
Alerts

Alerts are generated when a user faces problems while accessing or connecting to the Wi-Fi network. The Alerts link appears in red if there are any Client Alerts or Active Faults.

NOTE: New alerts will be generated for an incomplete DHCP transaction of a client.

Figure 29 Alerts Link

Client Alerts

These alerts occur when clients are connected to the Instant network. A client alert consists of the following fields:
Timestamp: Displays the time at which the client alert was recorded.
Figure 30 Client Alerts

Fault History

These alerts occur in the event of a system fault. A Fault History consists of the following fields:
Time: Displays the system time when an event occurs.
Number: Indicates the sequence number.
Cleared by: Displays the module which cleared this fault.
Description: Displays the event details.

Figure 31 Fault History

Active Faults

These alerts occur in the event of a system fault.
Figure 32 Active Faults

For more information about alerts, see Chapter 25, “Alert Types and Management”.

IDS

This link displays a list of foreign APs and foreign clients that are detected in the network. It consists of the following sections:
Foreign Access Points Detected: Lists the APs that are not controlled by the Virtual Controller. The following information is displayed for each foreign AP:
MAC address: Displays the MAC address of the foreign AP.
Figure 33 Intrusion Detection on Instant UI

Configuration

This link provides an overall view of your Virtual Controller configuration. Click on each of the features to view or edit the settings.

Figure 34 Configuration

Language

The language links are provided in the login screen to allow users to select the preferred language before logging in to the Instant UI. In addition, this link is also located at the bottom left corner of the Instant UI.
Figure 35 Dell PowerConnect W-AirWave Setup Link - Dell PowerConnect W-AirWave Configuration

Pause/Resume

The Pause/Resume link is located at the bottom right corner of the Instant UI. By default, the Instant UI is automatically refreshed every 15 seconds. Click the Pause link to pause the automatic refreshing of the Instant UI. When the automatic Instant UI refreshing is paused, the Pause link changes to Resume. Click the Resume link to resume automatic refreshing.
Chapter 3 Wireless Network

In a Wireless LAN (WLAN), laptops, desktops, PDAs, and other computer peripherals are connected to each other without any network cables. These network elements or clients use radio signals to communicate with each other. Wireless networks are set up based on the IEEE 802.11 standards. IEEE 802.11 is a set of standards that are categorized based on the radio wave frequency and the data transfer rate. For more information about the IEEE 802.11 standards, see Table 4.
Adding an Employee Network

This section provides the procedure to add an employee network.
1. In the Networks tab, click the New link. The New WLAN window appears.

Figure 36 Adding an Employee Network - WLAN Settings Tab

2. In the WLAN Settings tab, perform the following steps:
a. Name (SSID): Enter a name that uniquely identifies a wireless network.
b. Primary usage: Select Employee (this is selected by default) from the Primary usage options.
Dynamic multicast optimization: When Enabled, the IAP converts multicast streams into unicast streams over the wireless link. DMO enhances the quality and reliability of streaming video, while preserving the bandwidth available to non-video clients.
DMO channel utilization threshold: When dynamic multicast optimization is enabled, the IAP converts multicast streams into multicast unicast streams as long as the channel utilization does not exceed this threshold.
5. Select the required Client IP assignment option: Virtual Controller assigned and Network assigned.

Table 5 Conditions for Client IP and VLAN assignment
If | then
You select Virtual Controller assigned | The client gets the IP address from the Virtual Controller. The Virtual Controller creates a private subnet and VLAN on the IAP for the wireless clients. The Virtual Controller NATs all traffic that passes out of this interface.
Table 6 Conditions for Adding an Employee Network - Security Tab

If you select the Enterprise security level, then perform the following steps:
1. Select the required key options from the Key management drop-down list. Available options are:
WPA-2 Enterprise
WPA Enterprise
Both (WPA-2 & WPA)
Dynamic WEP with 802.1x
Use Session Key for LEAP: Use the Session Key for LEAP instead of using the Session Key from the RADIUS Server to derive pairwise unicast keys.
Table 6 Conditions for Adding an Employee Network - Security Tab (Continued)

If you want to use the default security level, Personal, then perform the following steps:
1. Select the required key options from the Key management drop-down list. Available options are:
WPA-2 Personal
WPA Personal
Both (WPA-2 & WPA)
Static WEP
If you have selected Static WEP, do the following:
Select the appropriate WEP key size from the WEP key size drop-down list. Available options are 64-bit and 128-bit.
Figure 39 Employee Security Tab - Personal

Table 7 Conditions for Adding an Employee Network - Security Tab

If you select the Open security level, then:
1. Select the required MAC authentication from the MAC authentication drop-down list. Available options are Enabled and Disabled. When Enabled, the user must configure at least one RADIUS server as the authentication server. See “MAC Authentication” on page 127 for further details.
2.
Figure 40 Employee Security Tab - Open

8. Click Next to continue.
9. Use the Access Rules page to specify optional access rules for this network.
1. Network-based: Set the slider to Network-based if you want the same rules to apply to all users. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. Instant Firewall treats packets based on the first rule matched. For more information, see Chapter 14, “Instant Firewall”.
10. Click Finish. The network is added and listed in the Networks tab.

Figure 41 Adding an Employee Network - Access Rules Tab

11. Click Finish. The network is added and listed in the Networks tab.

Voice Network

Use the Voice network type when devices that provide only voice services, such as handsets, or applications that require voice-like prioritization need connectivity.
Adding a Voice Network

This section provides the procedure to add a voice network.
1. In the Networks tab, click the New link. The New WLAN Settings window appears.

Figure 42 Adding a Voice Network - WLAN Settings Tab

2. In the WLAN Settings tab, perform the following steps:
a. Name (SSID): Enter a name that uniquely identifies a wireless network.
b. Primary usage: Select Voice from the Primary usage options.
DMO channel utilization threshold: When dynamic multicast optimization is enabled, the IAP converts multicast streams into multicast unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90 and the maximum threshold value is 100%. If the threshold value exceeds the maximum value, then the IAP sends multicast traffic over the wireless link.
b. Bandwidth Limits: You can specify three types of bandwidth limits.
Figure 43 Voice Security Tab - Enterprise
Table 9 Conditions for Adding a Voice Network - Security Tab

If you select the Enterprise security level, then perform the following steps:
1. Select the required key options from the Key management drop-down list. Available options are:
WPA-2 Enterprise
WPA Enterprise
Both (WPA-2 & WPA)
Dynamic WEP with 802.1x
Use Session Key for LEAP: Use the Session Key for LEAP instead of using the Session Key from the RADIUS Server to derive pairwise unicast keys.
Table 9 Conditions for Adding a Voice Network - Security Tab (Continued)

If you want to use the default security level, Personal, then perform the following steps:
1. Select the required key options from the Key management drop-down list. Available options are:
WPA-2 Personal
WPA Personal
Both (WPA-2 & WPA)
1. Static WEP: If you have selected Static WEP, then do the following:
Select the appropriate WEP key size from the WEP key size drop-down list. Available options are 64-bit and 128-bit.
Table 9 Conditions for Adding a Voice Network - Security Tab (Continued)

If you select the Open security level, then:
1. Select the required MAC authentication from the MAC authentication drop-down list. Available options are Enabled and Disabled. When Enabled, the user must configure at least one RADIUS server as the authentication server. See “MAC Authentication” on page 127 for further details.
2. Authentication server 1: Select the required Authentication server option from the drop-down list.
Figure 44 Adding a Voice Network - Access Rules Tab

9. Click Finish. The network is added and listed in the Networks tab.

Guest Network

The Guest wireless network is created for guests, visitors, contractors, and any non-employee users who will use the enterprise Wi-Fi network. The Virtual Controller assigns the IP address for the guest clients. Captive portal or passphrase-based authentication methods can be set for this wireless network. Typically, a guest network is an unencrypted network.
Adding a Guest Network

This section provides the procedure to add a guest network.

Figure 45 Adding a Guest Network - WLAN Settings Tab

1. In the Networks tab, click the New link. The WLAN Settings window appears.
2. In the WLAN Settings tab, perform the following steps:
a. Name (SSID): Enter a name that uniquely identifies a wireless network.
b. Primary usage: Select Guest from the Primary usage options.
DMO channel utilization threshold: When dynamic multicast optimization is enabled, the IAP converts multicast streams into multicast unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90 and the maximum threshold value is 100%. If the threshold value exceeds the maximum value, then the IAP sends multicast traffic over the wireless link.
b. Bandwidth Limits: You can specify three types of bandwidth limits.
7. This tab allows you to configure the captive portal page and encryption for the Guest network. Select one of the following splash page types:

Table 11 Conditions for Adding a Guest Network - Security Tab
Splash Page Type | Description and steps to set up
Internal - Authenticated | The user has to accept the terms and conditions and enter a username and password on the captive portal page.
Table 11 Conditions for Adding a Guest Network - Security Tab (Continued)
Splash Page Type | Description and steps to set up
External - RADIUS Server | An external server will be used to display the splash page to the user. If this option is selected, then do the following:
External splash page IP or hostname: Enter the IP or hostname of the external server in the IP or hostname text box.
URL: Enter the URL of the captive portal page in the URL text box.
Figure 46 Adding a Guest Network - Splash Page Settings

5. Select Enabled from the Encryption drop-down list and perform the following steps (these steps are optional):
a. Select the required key management option from the Key management drop-down list. Available options are:
WPA-2 Personal
WPA Personal
Both (WPA-2 & WPA)
b. Passphrase format: Specify either an alphanumeric or a hexadecimal string. Ensure that the hexadecimal string is exactly 64 digits in length.
c.
Figure 47 Configuring a Splash Page - Encryption Settings

NOTE: You can customize the captive portal page using double-byte characters. Traditional Chinese, Simplified Chinese, and Korean are a few languages that use double-byte characters. Click on the banner, term, or policy in the Splash Page Visuals to modify the text in the red box. These fields accept double-byte characters or a combination of English and double-byte characters.

6.
Figure 48 Adding a Guest Network - Access Rules Tab

7. Click Finish. The network is added and listed in the Networks tab.

Editing a Network

To edit a network:
1. In the Networks tab, select the network that you want to edit. The edit link appears.
2. Click the edit link. The Edit network window appears.
3. Make the required changes in any of the tabs. Click Next or the tab name to move to the next tab.
4. Click Finish.

Deleting a Network

To delete a network:
1.
IAP92, W-IAP93, W-IAP134, and W-IAP135 devices support up to 16 SSIDs. After you enable this option, the number of SSIDs that become active on each IAP depends on the IAP platform.

NOTE: Enabling the Extended SSID option disables mesh.

Enabling the Extended SSID option

To enable the extended SSID option:
1. Click the Settings link at the upper right corner of the Instant WebUI.
2. Click the Show advanced options link.
3. In the General tab, select Enabled from the Extended SSID drop-down list.
4. Click OK.
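The Access Rules step in the network procedures above states that Instant Firewall acts on the first rule matched and that the Allow any to all destinations rule is enabled by default. The following added example (not Instant's rule syntax or code, and not from the guide) models first-match evaluation to show that a rule placed after an allow-any rule never takes effect; the Rule fields and the sample rules are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Hypothetical access rule: action plus destination, protocol and port."""
    action: str                   # "allow" or "deny"
    dest: str = "0.0.0.0/0"       # destination network; default is any
    proto: str = "any"            # "tcp", "udp" or "any"
    port: Optional[int] = None    # None means any port

    def matches(self, dst_ip: str, proto: str, port: int) -> bool:
        return (ip_address(dst_ip) in ip_network(self.dest)
                and self.proto in ("any", proto)
                and self.port in (None, port))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (ip_network(other.dest).subnet_of(ip_network(self.dest))
                and self.proto in ("any", other.proto)
                and self.port in (None, other.port))


def first_match(rules: List[Rule], dst_ip: str, proto: str,
                port: int) -> Optional[Tuple[int, Rule]]:
    """Return (index, rule) of the first rule matching the packet, or None."""
    for index, rule in enumerate(rules):
        if rule.matches(dst_ip, proto, port):
            return index, rule
    return None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed_index, shadowing_index) pairs.

    A rule is shadowed when an earlier rule covers it completely, so under
    first-match evaluation it can never be reached.
    """
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].covers(later):
                findings.append((j, i))
                break
    return findings


# Constructed sample rule lists (hypothetical, for illustration only).
# The default allow-any rule is first; a deny for Telnet was appended after it.
DEFAULT_FIRST = [
    Rule("allow"),                                   # Allow any to all destinations
    Rule("deny", "10.0.0.0/8", "tcp", 23),           # never reached
]
# The same rules with the specific deny moved above the allow-any rule.
DENY_FIRST = [
    Rule("deny", "10.0.0.0/8", "tcp", 23),
    Rule("allow"),
]

if __name__ == "__main__":
    for name, rules in (("default first", DEFAULT_FIRST), ("deny first", DENY_FIRST)):
        index, rule = first_match(rules, "10.1.2.3", "tcp", 23)
        print(f"{name}: telnet to 10.1.2.3 -> rule {index} ({rule.action}); "
              f"shadowed: {shadowed_rules(rules)}")
```

Running a shadowing check of this kind against an exported rule list is a quick way to confirm that every deny rule added to a network or role can actually be reached.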
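The Passphrase format option in the Security tab steps above accepts either an alphanumeric string or a hexadecimal string of exactly 64 digits. The following added example (not part of the guide or of the Instant software) shows how the two forms relate under the standard WPA/WPA2-Personal key derivation: a 64-digit hexadecimal value is the 256-bit pre-shared key itself, while a passphrase is stretched with PBKDF2 using the SSID as salt. The function names, the 8-63 printable-ASCII rule (from IEEE 802.11, not from the guide) and the sample values are assumptions.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)


def classify_passphrase(value: str) -> str:
    """Classify a WPA/WPA2-Personal key entry as 'hex' or 'passphrase'.

    The 64-hex-digit rule is stated in the guide. The 8-63 printable-ASCII
    rule for passphrases comes from IEEE 802.11 and is an assumption here.
    """
    if len(value) == 64 and all(c in HEX_DIGITS for c in value):
        return "hex"
    if 8 <= len(value) <= 63 and all(32 <= ord(c) <= 126 for c in value):
        return "passphrase"
    raise ValueError(
        "expected exactly 64 hexadecimal digits or 8-63 printable ASCII characters"
    )


def derive_psk(value: str, ssid: str) -> bytes:
    """Return the 32-byte pre-shared key for a key entry and SSID.

    hex        -> the entry already is the key; the SSID plays no part.
    passphrase -> PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    """
    if classify_passphrase(value) == "hex":
        return bytes.fromhex(value)
    return hashlib.pbkdf2_hmac(
        "sha1", value.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def check_entries(entries, ssid):
    """Validate constructed sample entries; return {entry: hex key or error text}."""
    results = {}
    for entry in entries:
        try:
            results[entry] = derive_psk(entry, ssid).hex()
        except ValueError as exc:
            results[entry] = f"rejected: {exc}"
    return results


# Constructed sample inputs (not taken from the guide).
SAMPLE_SSID = "IEEE"
SAMPLE_ENTRIES = [
    "password",      # valid passphrase form (8 characters), weak in practice
    "ab" * 32,       # valid 64-digit hexadecimal form
    "short",         # rejected: fewer than 8 characters
    "ab" * 31 + "zz" # rejected: 64 characters but not all hexadecimal
]

if __name__ == "__main__":
    for entry, outcome in check_entries(SAMPLE_ENTRIES, SAMPLE_SSID).items():
        print(f"{entry[:16]!r:20} -> {outcome}")
```

Because the SSID is the salt, the same passphrase yields a different key on each network name, and the strength of the key still depends on the length and unpredictability of the passphrase.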
Chapter 4 Mesh Network

The Dell PowerConnect W-Instant secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires. As traffic traverses across mesh IAPs, the mesh network automatically reconfigures around broken or blocked paths. This self-healing feature provides increased reliability and redundancy: the network continues to operate if an IAP stops functioning or a connection fails.
the user. The mesh points will authenticate to the mesh portal and establish a link that is secured using Advanced Encryption Standard (AES) encryption.

NOTE: The mesh portal will reboot after 5 minutes when it loses Ethernet connectivity to a wired network.

Mesh Points

The mesh point (MP) is an IAP that establishes an all-wireless path to the mesh portal.
4. Type instant.dell-pcw.com in the browser.
5. Click I understand the risks and Add exception to ignore the certificate warnings that the client does not recognize the certificate authority.

Figure 51 Untrusted Connection Window

6. In the login screen as shown in Figure 52, enter the following credentials:
Username: admin
Password: admin

Figure 52 Login Window

7. Create a new SSID and WPA-2 Personal keys with unrestricted or network-based access rules. Select any permit for basic connectivity.
Figure 53 Mesh Portal

NOTE: IAPs in the US or JP regulatory domain that are in factory default state scan for several minutes after booting. An IAP mesh point in factory default state automatically joins the portal if only a single Instant mesh network is found. In addition, the auto-join feature must be enabled in the existing network.

NOTE: The IAP mesh point will get an IP address from the same DHCP pool as the portal, and this DHCP request goes through the portal.
Chapter 5 Managing IAPs

This chapter describes the Preferred band, Auto join mode, Terminal Access, LED display, and Syslog server features in Dell Instant. In addition, the chapter provides procedures for adding and removing IAPs, editing the IAP settings, and upgrading the firmware on the IAP using the Instant UI.

Preferred Band

At the top right corner of Instant UI, click the Settings link. The Settings window appears.
1. In the Settings window, click the General tab.
2. Select the Preferred band (2.
Figure 54 Disabling Auto Join Mode

3. Click OK.

Terminal Access

To enable or disable the telnet access to the IAP's CLI, navigate to Settings > Advanced > Terminal access.
Figure 55 Terminal Access

NOTE: Instant does not support configuration using CLI.

LED Display

Administrators have the ability to turn off the LEDs for all IAPs in an Instant network. Go to Settings > Advanced > LED Display to enable or disable the LEDs. When Disabled, all the LEDs are turned off. Use this option in environments where LEDs can be a distraction.
Figure 56 LED Display

NOTE: The LED display is always in Enabled mode while rebooting the IAP.

TFTP Dump Server

Enter the IP address of a TFTP server to store core dump files.
Figure 57 TFTP Dump Server Extended SSID You can increase the number of SSIDs or networks that can be created by enabling the extended SSID option. To enable this feature, navigate to Settings > General and click Show advanced options in the Instant UI.
Figure 58 Extended SSID Deny Inter User Bridging and Deny Local Routing To enable or disable these features, navigate to Settings > General in the Instant UI. Deny inter user bridging — This feature allows you to deny traffic between two clients which are directly connected to the same IAP or are on the same Instant network. Deny local routing— This feature allows you to deny local routing traffic between clients which are connected to the same IAP or are on the same Instant network.
Figure 59 Deny Inter User Bridging and Deny Inter User Routing Terminal Access To enable or disable the telnet access to the IAP's CLI, go to Settings > Advanced > Terminal access. Figure 60 Terminal Access NOTE: Instant does not support configuration using CLI.
Syslog Server To specify a Syslog Server for sending syslog messages to the external servers, navigate to Settings > click Show advanced options > Syslog Server in the UI and update the following fields. Syslog server— Enter the IP address of the server to send system logs to. Syslog level— For a global level configuration, select one of the logging levels from the standard list of syslog levels. The default value is Notice.
Table 12 Logging Levels
Logging Level | Description
Warning | Warning messages.
Notice | Significant events of a non-critical and normal nature.
Informational | Messages of general interest to system users.
Debug | Messages containing information useful for debugging.

Adding an IAP to the Network
To add an IAP to the Dell Instant network, assign an IP address. For more information, see “Assigning an IP Address to the IAP” on page 14.
Editing IAP Settings This section explains the following IAP settings: Name IP Address Adaptive Radio Management (ARM) Configuration Wired Bridging on Ethernet 0 Port Uplink Management VLAN Migrating from a Virtual Controller Managed Network to Mobility Controller Managed Network Changing IAP Name To change the IAP name: 1. In the Access Points tab, click on the IAP that you want to rename. Figure 64 Editing IAP Settings 2. Click the edit link. Figure 65 Changing IAP Name 3.
Figure 66 Configuring IAP Settings — Connectivity Tab 3. Select either the Get IP address from DHCP server or Specify statically option. If you have selected the Specify statically option, then perform the following steps: 1. Enter the new IP address for the IAP in the IP address text box. 2. Enter the netmask of the network in the Netmask text box. 3. Enter the IP address of the default gateway in the Default gateway text box. 4. Enter the IP address of the DNS server in the DNS server text box. 5.
2. Click the edit link. An Edit AP window appears. 3. In the Edit AP window, select the Radio tab. 4. Select Adaptive radio management assigned. Figure 68 Configuring IAP Radio Settings Mode — Access 5. Click OK. For more information about ARM, see “Adaptive Radio Management” on page 159. Configuring Uplink Management VLAN Instant supports a management VLAN for the uplink traffic on an IAP.
Figure 69 Configuring Wired Bridging on Ethernet 0 of an IAP Enabling wired bridging on this port of the IAP makes the port available as a downlink wired bridge and allows client access via the port. You can also use the port to connect a wired device when a 3G uplink is used. NOTE: Reboot the IAP after the bridging is set for the configuration to take effect. Migrating to a Mobility Controller Managed Network An IAP can be provisioned as a Campus AP (CAP) or Remote AP (RAP) in a controller-based network.
If there is no response from the cloud server or Dell PowerConnect W-AirWave, the IAP comes up in Dell Instant mode. NOTE: A description of the firmware image cloud server can be found in the section named Firmware Image Server in Cloud Network, within this chapter. NOTE: A mesh point cannot be converted to RAP because mesh does not support VPN connection. An IAP can be converted to an ArubaOS Campus AP and ArubaOS Remote AP only if the controller is running ArubaOS 6.1.4 or later.
To convert an IAP to RAP, follow the instructions below: 1. Navigate to the Maintenance tab in the top right corner of the Instant UI. 2. Click the Convert tab. Figure 70 Maintenance — Convert Tab Figure 71 Convert options 3. Select Remote APs managed by a Mobility Controller from the drop-down list. 4. Enter the hostname (fully qualified domain name) or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box.
7. After conversion, the IAP will be managed by the Mobility Controller which has been specified in the Instant UI. NOTE: In order for the RAP conversion to work, ensure that you configure the Instant AP in the controller white-list and enable the FTP service on the controller. NOTE: If the VPN setup fails and an error message pops up, please click OK, copy the error logs and share them with your Dell support engineer. Converting an IAP to CAP To convert an IAP to Campus AP, do the following: 1.
Figure 74 Standalone AP Conversion 3. Select Standalone AP from the drop-down list. 4. Select the Access Point from the drop-down list. 5. Click Convert Now to complete the conversion. 6. After the conversion the Access Point specified in the Instant UI will operate in standalone mode. Converting back to an IAP The reset button located on the rear of an IAP can be used to reset the IAP to factory default settings.
Figure 75 Rebooting the IAP 3. In the IAP list, select the IAP that you want to reboot and click Reboot selected Access Point. To reboot all the IAPs in the network, click Reboot All. 4. The Confirm Reboot for IAP window appears. Click Reboot Now to proceed. Figure 76 Confirm Reboot message 5. The Reboot in Progress message appears indicating that the reboot is in progress. Figure 77 Reboot In Progress 6. The Reboot Successful message appears once the process is complete.
Firmware Image Server in Cloud Network The image check feature allows the IAP to discover new software image versions on a cloud-based image server hosted by Dell. The location of the image server is fixed and cannot be changed by the user. Dell takes care of managing the image server, and ensures that the image server is loaded with latest versions of ArubaOS software for its products.
Figure 80 New Version Available After you confirm, the AP downloads the new software image from the server, saves it to flash, and reboots. Depending on the progress and success of the upgrade, one of the following messages will be displayed: Upgrading — While image upgrading is in progress. Upgrade successful —When the upgrading is successful. Upgrade fail —When the upgrading fails. Upgrading to New Version To manually check for a new firmware image version: Manual 1.
Figure 81 Single class or Multi-class IAP Networks Firmware Upgrade Figure 82 Mixed IAP Network Firmware Upgrade Image file— Select to directly upload an image file. This method is only available for single-class IAPs. Example: DellInstant_Orion_6.1.3.4-3.1.0.0_33353 Example: DellInstant_Cassiopeia_6.1.3.4-3.1.0.
ftp://10.64.147.8/DellInstant_Orion_6.1.3.4-3.1.0.0_xxxx
HTTP:
http://10.64.160.42/DellInstant_Cassiopeia_6.1.3.4-3.1.0.0_xxxx
http://10.64.160.42/DellInstant_Orion_6.1.3.4-3.1.0.0_xxxx
2. Click Upgrade Now to upgrade the IAP to the newer version.
Automatic
1. Click Check for New Version to automatically check for images on the Dell image server in the cloud. The field is replaced with the Image Check in Progress message.
Chapter 6 Layer-3 Mobility IAPs form a single Instant network when they are in the same L2 domain. As the number of clients increases, multiple subnets are required to avoid broadcast overhead. In such a scenario, a client should be allowed to roam away from the Instant network to which it first connected (home network) to another Instant network supporting the same WLAN access parameters (foreign network) and continue its existing sessions.
If client subnet discovery fails on association due to some reason, the foreign AP identifies its subnet when it sends out the first L3 packet. If the subnet is not a local subnet and belongs to another Instant network, the client is treated as an L3 roamed client and all its traffic is forwarded to the home network via a GRE tunnel. Configuring a mobility domain To configure a mobility domain, you have to specify the list of all Instant networks that form the mobility domain.
d. Enter the home VC IP address for this subnet in the Virtual Controller IP text box. Figure 85 Add Subnets Information 6. Click OK. Figure 86 Example Layer-3 Configuration
Home Agent Load Balancing Home Agent Load Balancing is required in large networks where multiple tunnels might terminate on a single border or lobby AP and overload it. When load balancing is enabled, the VC assigns the home AP for roamed clients by using a round robin policy. With this policy, the load for the APs acting as Home Agents for roamed clients is uniformly distributed across the Instant cluster. By default, home agent load balancing is disabled.
Chapter 7 Spectrum Monitor Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference.
Figure 88 Configuring a Hybrid IAP 3. To enable a spectrum monitor on the 802.11g radio band, in the 2.4 GHz radio profile, select Enabled from the Background Spectrum Monitoring drop-down list. 4. To enable a spectrum monitor on the 802.11a radio band, in the 5 GHz radio profile, select Enabled from the Background Spectrum Monitoring drop-down list. 5. Click OK. Converting an IAP to a Spectrum Monitor You can configure an IAP to function as a standalone spectrum monitor.
Figure 89 Configuring a Spectrum Monitor By default, spectrum monitoring is performed on the 5 GHz - higher band. 7. To enable spectrum monitoring for any other band for the 5 GHz radio: a. Click the RF link at the upper right corner of the Instant WebUI. b. Click Show advanced options to view the Radio tab. c. For the 5 GHz radio, specify the spectrum band you want that radio to monitor by selecting Lower, Middle, or Higher from the Standalone spectrum band drop-down list. d. Click OK.
Spectrum Data The spectrum data is collected by each IAP spectrum monitor and hybrid AP. The spectrum data is not reported to the VC. The Spectrum link is visible in the Instant WebUI only if you have enabled the spectrum monitoring feature.
Table 15 Device Summary and Channel Information (Continued)
Column | Description
Channels-affected | Radio channels affected by the wireless device.
Signal-strength | Strength of the signal sent from the device, in dBm.
Duty-cycle | Device duty cycle. This value represents the percent of time the device broadcasts a signal.
Add-time | Time at which the device was first detected.
Update-time | Time at which the device’s status was updated.
Table 16 Non-Wi-Fi Interferer Types Non-Wi-Fi Interferer Description Microwave (Inverter) Some newer-model microwave ovens have the inverter technology to control the power output and these microwave ovens may have a duty cycle close to 100%. These microwave ovens are classified as Microwave (Inverter). Dual-magnetron industrial microwave ovens with higher duty cycle may also be classified as Microwave (Inverter).
Channel Details When you hover your mouse over a channel, the channel details or the summary of the 802.11a or 802.11g channels seen by a spectrum monitor is displayed. You can view the aggregate data for each channel seen by the spectrum monitor radio, including the maximum AP power, interference, and the signal-to-noise-and-interference ratio (SNIR). SNIR is the ratio of signal strength to the combined levels of interference and noise on that channel.
Chapter 8 NTP Server
For successful and proper communication between various elements in a network, time synchronization between the elements and across the network is critical. Time synchronization is used to:
Trace and track security gaps, network usage, and troubleshoot network issues.
Map an event on one network element to a corresponding event on another.
Maintain accurate time for billing services and similar.
Chapter 9 Virtual Controller Dell Instant does not require an external controller to regulate and manage the Wi-Fi network. Any IAP in the Dell Instant network dynamically takes up the role of a Virtual Controller (VC) without impacting the network. It coordinates, stores, and distributes all the settings required to provide a centralized functionality to regulate and manage the Wi-Fi network. The Virtual Controller also functions like any other AP with full RF scalability.
3. Enter the appropriate IP address in the Virtual Controller IP text box. Configuring the DHCP Server The DHCP Server is the built-in server, used for networks which have Client IP Assignment set to Virtual Controller Assigned. The default size of the IP address pool has been increased to 512. You can customize the DHCP pool's subnet and address range if you need to provide simultaneous access to a larger number of clients. The largest address pool supported is 2048.
Chapter 10 Authentication Authentication Methods in Dell Instant Authentication is a process of identifying a user by having them provide a valid username and password. Clients can also be authenticated based on their MAC addresses. The following authentication methods are supported in Dell Instant: 802.1X Authentication Captive Portal MAC Authentication 802.1X Authentication 802.1X is a method for authenticating the identity of a user before providing network access to the user.
Controller (the client certificate must be signed by a known CA) before the user name is checked on the authentication server. EAP-TTLS (MSCHAPv2)— The Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords. EAP-PEAP (MSCHAPv2)— Protected Extensible Authentication Protocol (PEAP) is an 802.
3. Use the VLAN tab, to specify how the clients on this network will get their IP address and VLAN. 4. Click Next to continue. 5. In the Security tab, slide the bar to Enterprise and update the following fields: a. Key Management— Select the type of key for encryption and authentication. b. Termination— Select Enabled to terminate the EAP portion of 802.1x authentication on the access point instead of RADIUS server. c.
Retry count— Enter a value between 1 and 5. The default value is 3. Figure 97 Configuring an External RADIUS Server 6. Click OK after updating the fields. 7. Reauth interval — When set to a value greater than zero, the Access Points will periodically reauthenticate all associated and authenticated clients. 8. Blacklisting— Select Enabled if you want clients to be blacklisted after a certain number of authentication failures.
Figure 98 Enabling Instant RADIUS 3. Click OK. RADIUS Server Authentication with VSA An external RADIUS server authenticates network users and returns to the IAP the vendor-specific attribute (VSA) that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA.
Add-Port-To-IP-Address Aruba-AP-Group Aruba-Admin-Role Aruba-Essid-Name Aruba-Location-Id Aruba-Named-User-Vlan Aruba-Port-Id Aruba-Priv-Admin-User Aruba-Template-User Aruba-User-Role Aruba-User-Vlan CHAP-Challenge Callback-Id Callback-Number Class Connect-Info Connect-Rate Crypt-Password DB-Entry-State Digest-Response Domain-Name EAP-Message Error-Cause Event-Timestamp Exec-Program Exec-Program-Wait E
Group Group-Name Hint Huntgroup-Name Idle-Timeout Login-IP-Host Login-LAT-Node Login-LAT-Port Login-LAT-Service Login-Service Login-TCP-Port Menu Message-Auth NAS-Port-Type Password Password-Retry Port-Limit Prefix Prompt Rad-Authenticator Rad-Code Rad-Id Rad-Length Reply-Message Revoke-Text Server-Group Server-Name Service-Type Session-Timeout Simultaneous-Use State Strip-User-Name
Tunnel-Private-Group-Id Tunnel-Server-Auth-Id Tunnel-Server-Endpoint Tunnel-Type User-Category User-Name User-Vlan Vendor-Specific Management Authentication Settings Use this page to specify authentication for access to the Virtual Controller Management user interface. 1. Navigate to the Settings link in the Instant UI. 2. Select the Admins tab. 3.
company's network usage policy in the web page. Two types of captive portal authentication are supported on Dell Instant: Internal Captive Portal External Captive Portal Internal Captive Portal In the Internal Captive Portal type, an internal server is used to host the captive portal service. Internal captive portal authentication is classified as follows: Internal Authenticated— To gain access to the wireless network, a user must authenticate in the captive portal page.
Figure 100 Configuring Captive Portal when Adding A Guest Network The appearance of a splash page can be customized as required. For information on customizing a splash page, see “Customizing a Splash Page” on page 120. 6. Select InternalServer from the Auth server 1 drop-down list to authenticate user credentials at run time. 7. Reauth interval — When set to a value greater than zero, the Access Points will periodically reauthenticate all associated and authenticated clients. 8.
1. In the Network tab, click the network for which you want to configure internal captive portal authentication. The edit link for the network appears. 2. Click the edit link. The Edit window for the network appears. 3. Navigate to the Security tab and select one of the following options for the splash page type: a. Internal — Authenticated b. Internal — Acknowledged c. External — RADIUS Server d. External — Authentication Text e. None See “Guest Network” on page 58 for more information.
RADIUS server. For information on configuring external RADIUS server, see “External RADIUS Server” on page 110. 7. Click Next and then click Finish. Figure 102 Configuring Internal Captive Portal with External Radius Server Authentication Customizing a Splash Page A splash page is a web page that is displayed to a guest user when they are trying to access the internet. The appearance of a splash page can be customized as required.
Figure 103 Customizing a Splash Page 4. Click Next and then click Finish. NOTE: You can customize the captive portal page using double-byte characters. Traditional Chinese, Simplified Chinese, and Korean are a few languages that use double-byte characters. Click on the banner, term, or policy in the Splash Page Visuals to modify the text in the red box. These fields accept double-byte characters or a combination of English and double-byte characters.
Figure 104 Disabling Captive Portal Authentication 4. Click Next and then click Finish. External Captive Portal Dell Instant supports external captive portal authentication. The external portal can be on the cloud or on a server outside the enterprise network. Configuring External Captive Portal Authentication when Adding a Guest Network To configure external captive portal authentication when adding a guest network, perform the following steps: 1. In the Network tab, click the New link.
Figure 105 Configuring External Captive Portal when Adding a Guest Network Figure 106 External Captive Portal when Adding a Guest Network - External Authentication text 6. Authentication server 1: Select New and update the fields for the external RADIUS server to authenticate user credentials at runtime. Refer to “Configuring an External RADIUS Server” on page 110 for more details on server settings. 7.
Navigate to PEF > Blacklisting in the WebUI to specify the duration of the blacklisting on the Blacklisting tab of the PEF window. 10. Walled garden — Click on the link to open the Walled Garden window. The walled garden directs the user’s navigation within particular areas to allow access to a selection of websites or prevent access to other websites. For more information, see “Walled Garden Access” on page 128. 11. Click Next to continue and then click Finish.
Figure 107 Configuring External Captive Portal Authentication when Editing a Guest Network 6. Redirect URL— Specify a redirect URL if you want to override the user's original request and redirect them to another URL. Splash page type — External- RADIUS Server a. Authentication server 1: Click Edit to modify the external RADIUS servers settings. Refer to “Configuring an External RADIUS Server” on page 110 for more details on server settings. b.
d. Redirect URL— Specify a redirect URL if you want to override the user's original request and redirect them to another URL. 7. Click Next and click Finish. External Captive Portal Authentication using Dell PowerConnect W-ClearPass GuestConnect You can now configure Instant to point to Dell PowerConnect W-ClearPass GuestConnect (formerly known as Amigopod) as an external Captive Portal server.
9. Log in to the network with the username and password specified while configuring the RADIUS server in step d. MAC Authentication Media Access Control (MAC) authentication is used to authenticate devices based on their physical MAC addresses. It is an early form of filtering. MAC authentication requires that the MAC address of a machine must match a manually defined list of addresses.
Walled Garden Access On the Internet, a walled garden typically controls a user’s access to web content and services. The walled garden directs the user’s navigation within particular areas to allow access to a selection of websites or prevent access to other websites. Creating a Walled Garden Access Walled garden access is needed when an external captive portal is used.
blacklist is accessed by an unauthenticated user, Instant AP will send an HTTP 403 response to the client with a simple error message. If the requested URL appears on neither the blacklist nor the whitelist, the request is redirected to the external captive portal. 4. Select the domain name/URL and click Edit to modify or Delete to remove the entry from the list. 5. Click OK to apply the changes.
Loading Certificates using Instant WebUI To load a certificate in the Instant UI, perform the following steps: 1. Navigate to the Maintenance > Certificates page. Figure 110 Loading Certificates 2. Click Upload New Certificate and the New Certificate window appears. Figure 111 New Certificate 3. Select the Certificate type— CA certificate and Server certificate from the drop-down list.
Loading Certificates using Dell PowerConnect W-AirWave You can now manage Instant AP certificates using the Dell PowerConnect W-AirWave Management server (AMP). The AMP directly provisions the certificates, performing basic certificate verification (that is, certificate type, format, version, serial number, and so on) before accepting the certificate and uploading it to an IAP network. The AMP packages the text of the certificate into an HTTPS message and sends it to the Virtual Controller of the IAP network.
Figure 113 CA Certificate Figure 114 Server Certificate 4. After you upload the certificate, go to Groups, click on the Instant Group and then select Basic. The Group name will appear only if you have entered the Organization name in the Instant Web UI. Refer to Entering the Organization String and AMP Information into the IAP for further information. Figure 115 Selecting the Group
5. The Virtual Controller Certificate section will display the certificates (CA cert and Server) as highlighted in the figure below. Figure 116 Virtual Controller Certificate 6. Click Save to apply the changes only to Dell PowerConnect W-AirWave. Click Save and Apply to apply the changes to the Instant AP. NOTE: To unselect the certificate options, click Revert.
Chapter 11 Encryption Encryption Types Supported in Dell Instant Encryption is the process of converting data into an undecipherable format or code when it is transmitted on a network. Encryption prevents unauthorized use of the data. The following encryption types are supported in Dell Instant: WEP Though WEP is an authentication method, it is also an encryption algorithm where all users typically share the same key.
Understanding WPA and WPA2 The Wi-Fi Alliance created the Wi-Fi Protected Access (WPA) and WPA2 certifications to describe the 802.11i standard. The standard was written to replace WEP, which was found to have numerous security flaws. It was taking longer than expected to complete the standard, so WPA was created based on a draft of 802.11i, which allowed people to move forward quickly to create more secure WLANs. WPA2 encompasses the full implementation of the 802.11i standard.
Chapter 12 Role Derivation Every client in a Dell Instant network is associated with a user role, which determines the client’s network privileges, how often it must re-authenticate, and which bandwidth contracts are applicable. This chapter describes creating and assigning roles using the Instant UI. User Roles This section describes how to create a new user role. Figure 117 Access Tab - Instant User Role Settings Creating a New User Role To create a new user role: 1.
Figure 118 Creating a New User Role 8. Click OK. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. To create new access rules, see “Examples for Access Rules” on page 150. 9. Assign pre-authentication role— Use this option if you want to allow some access to users even before they are authenticated. 10.
2. Select the attribute from the Attribute drop-down list that the rule will match against. The list of supported attributes includes RADIUS attributes (see “List of supported VSA” on page 113), DHCPOption, and 802.1X-Authentication-Type. 3. Select the operator from the Operator drop-down list. The following types of operators are supported: contains—To check if the attribute contains the operand value. Is the role— To check if the role is same as the operand value.
Table 21 Validated DHCP Fingerprint
Device | DHCP Option | DHCP Fingerprint
Windows 7/Vista Desktop | Option 55 | 37010f03062c2e2f1f2179f92b
Windows XP(SP3, Home, Professional) | Option 55 | 37010f03062c2e2f1f21f92b
Windows Mobile | Option 60 | 3c4d6963726f736f66742057696e646f777320434500
Windows 7 Phone | Option 55 | 370103060f2c2e2f
Apple Mac OSX | Option 55 | 370103060f775ffc2c2e2f

802.1X-Authentication-Type
IAP allows you to use client 802.
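Each fingerprint in Table 21 is the DHCP option code as one hex byte (0x37 = 55, 0x3c = 60) followed by the option payload. The following added example (not part of the Dell manual; the function names are illustrative) decodes the table's values and shows that matching depends on the order of the requested options, not just on which options are present.

```python
"""Decode DHCP fingerprints in the Table 21 format (added example)."""

# Table 21 rows as given in the manual. The Windows Mobile value is joined
# across the line break that splits it in the table.
TABLE_21 = {
    "Windows 7/Vista Desktop": "37010f03062c2e2f1f2179f92b",
    "Windows XP(SP3, Home, Professional)": "37010f03062c2e2f1f21f92b",
    "Windows Mobile": "3c4d6963726f736f66742057696e646f777320434500",
    "Windows 7 Phone": "370103060f2c2e2f",
    "Apple Mac OSX": "370103060f775ffc2c2e2f",
}

PARAMETER_REQUEST_LIST = 55  # DHCP option 55: options the client asks for
VENDOR_CLASS_ID = 60         # DHCP option 60: vendor class identifier


def decode_fingerprint(hex_fp):
    """Return (option_code, decoded_payload) for one fingerprint string.

    Option 55 payloads decode to the ordered list of requested option
    numbers; option 60 payloads decode to the vendor class string; any
    other option is returned as hex.
    """
    raw = bytes.fromhex(hex_fp)  # raises ValueError on malformed hex
    if len(raw) < 2:
        raise ValueError("fingerprint needs an option code and a payload")
    code, payload = raw[0], raw[1:]
    if code == PARAMETER_REQUEST_LIST:
        return code, list(payload)
    if code == VENDOR_CLASS_ID:
        text = payload.rstrip(b"\x00").decode("ascii", errors="replace")
        return code, text
    return code, payload.hex()


def build_fingerprint(option_code, payload):
    """Build the hex fingerprint for an option taken from a DHCP packet."""
    return bytes([option_code]).hex() + bytes(payload).hex()


def identify(option_code, payload, table=TABLE_21):
    """Return the Table 21 device whose fingerprint matches exactly, or None."""
    fingerprint = build_fingerprint(option_code, payload)
    for device, known in table.items():
        if known == fingerprint:
            return device
    return None


if __name__ == "__main__":
    for device, fp in TABLE_21.items():
        print(device, decode_fingerprint(fp))
    # Constructed sample: the Windows 7 Phone option set in a different
    # order does not match any row.
    print(identify(55, [1, 15, 3, 6, 44, 46, 47]))
```

The option bytes are supplied by the client, so a match reports what the client announced in its DHCP request.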
Chapter 13 User VLAN Derivation User VLAN Derivation Instant allows you to assign user VLAN through user attributes. When external RADIUS authentication server is used for authentication, the user VLAN can be derived from Vendor Specific Attributes (VSA). The user VLAN can be derived in 802.
Figure 121 Configure VSA on a Radius Server VLAN Derivation Rule When an external RADIUS server is used for authentication, the RADIUS server may return a reply message for authentication. If the RADIUS server supports return attributes and sets an attribute value in the reply message, the IAP can analyze the returned message and match its attributes against the user's predefined VLAN derivation rules. If a rule matches, the VLAN value defined in that rule is assigned to the user.
Enter the following information:
Attribute— Select the attribute returned by the RADIUS server during authentication.
Operator— Select an operator for matching the string.
String— Enter the string to match.
VLAN— Enter the VLAN to be assigned.
4. Click OK.
Figure 123 Configuring VLAN Derivation Rules on an IAP
User Role
If the VSA and VLAN derivation rules are not matched, the user VLAN can be derived from a user role.
Configuring a User Role
1.
Figure 124 Configuring VLAN Derivation using the User Role
To use a defined user VLAN role, perform the following steps:
1. Select a network on the Instant UI and click on the edit link.
2. Select the Access tab.
3. Under role-based, select the defined role.
4. Select the access rule for the defined role from the list of Access rules.
5. Click the New button under the New Role Assignment window.
6. Select the attribute from the Attribute drop-down list.
7.
SSID Profile If the VSA, VLAN derivation, and the User Role rules are not matched the user VLAN can be derived by the SSID profile. Configuring VLAN Derivation Rules Using SSID Profile To configure VLAN derivation rules on an IAP, perform the following steps: 1. Select a network on the Instant UI and click on the edit link. 2. Select the VLAN tab and check the static radio button under the client VLAN assignment. 3. Enter the ID of the VLAN in the VLAN ID textbox. 4. Click OK.
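The chapter describes a fallback chain for the user VLAN: VSA first, then VLAN derivation rules, then the user role, then the SSID profile. The following added example (not Dell or Aruba code) models that order. It assumes that Aruba-User-Vlan from the supported VSA list carries the VLAN ID, that rules are tried in listed order, that an unusable VSA value falls through to the rules, and that an "equals" operator exists alongside the manual's "contains".

```python
"""User VLAN derivation order from Chapter 13 (added example)."""
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence, Tuple

# Assumption: this VSA, taken from the manual's supported-VSA list, carries
# the VLAN ID returned by the external RADIUS server.
VSA_USER_VLAN = "Aruba-User-Vlan"

# "contains" is listed in the manual; "equals" is assumed for illustration.
OPERATORS = {
    "contains": lambda value, operand: operand in value,
    "equals": lambda value, operand: value == operand,
}


@dataclass(frozen=True)
class VlanRule:
    """One VLAN derivation rule: Attribute, Operator, String, VLAN."""
    attribute: str
    operator: str
    string: str
    vlan: int


def valid_vlan(value) -> Optional[int]:
    """Return value as a VLAN ID in 1..4094, or None if it is not one."""
    try:
        vid = int(value)
    except (TypeError, ValueError):
        return None
    return vid if 1 <= vid <= 4094 else None


def derive_vlan(reply: Mapping[str, str], rules: Sequence[VlanRule],
                role_vlan: Optional[int], ssid_vlan: int) -> Tuple[int, str]:
    """Return (vlan, source) using the fallback order the chapter describes."""
    # 1. VSA returned by the RADIUS server.
    vid = valid_vlan(reply.get(VSA_USER_VLAN))
    if vid is not None:
        return vid, "vsa"
    # 2. VLAN derivation rules matched against the returned attributes
    #    (first match wins; rule ordering is an assumption of this example).
    for rule in rules:
        if rule.operator not in OPERATORS:
            raise ValueError(f"unsupported operator: {rule.operator!r}")
        value = reply.get(rule.attribute)
        if value is not None and OPERATORS[rule.operator](str(value), rule.string):
            return rule.vlan, "vlan-derivation-rule"
    # 3. VLAN configured on the user role, if the role defines one.
    if role_vlan is not None:
        return role_vlan, "user-role"
    # 4. Static VLAN ID from the SSID profile.
    return ssid_vlan, "ssid-profile"


# Constructed sample rules and RADIUS replies, not taken from the manual.
SAMPLE_RULES = [
    VlanRule("Class", "contains", "staff", 30),
    VlanRule("Reply-Message", "equals", "contractor", 50),
]

if __name__ == "__main__":
    for reply in ({"Aruba-User-Vlan": "120", "Class": "eng-staff"},
                  {"Class": "eng-staff"},
                  {"Class": "guest"}):
        print(reply, "->", derive_vlan(reply, SAMPLE_RULES, 40, 10))
```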
Chapter 14 Instant Firewall A firewall is a system designed to prevent unauthorized internet users from accessing a private network connected to the internet. It defines access rules and monitors all data entering or leaving the network and blocks data that does not satisfy the specified security policies. Dell Instant implements an Instant Firewall feature that uses a simplified firewall policy language.
Figure 127 Access Tab - Instant Firewall Settings Service Options Table 22 lists the set of service options available in the Instant UI. You can allow or deny access to any or all of these services depending on your requirements. Table 22 Network Service Options Service Description any Access is allowed or denied to all services. custom Available options are TCP, UDP, and Other. If you select the TCP or UDP options, enter appropriate port numbers.
Table 22 Network Service Options (Continued) Service Description ike Internet Key Exchange kerberos Computer network authentication protocol l2tp Layer 2 Tunneling Protocol lpd-tcp Line Printer Daemon protocol-Transmission Control Protocol lpd-udp Line Printer Daemon protocol-User Datagram Protocol msrpc-tcp Microsoft Remote Procedure Call-Transmission Control Protocol msrpc-udp Microsoft Remote Procedure Call-User Datagram Protocol netbios-dgm Network Basic Input/Output System-Datagram Ser
Table 23 Destination Options (Continued) Destination Description To a particular server Access is allowed or denied to a particular server. You have to specify the IP address of the server. Except to a particular server Access is allowed or denied to servers other than the specified server. You have to specify the IP address of the server. To a network Access is allowed or denied to a network. You have to specify the IP address and netmask for the network.
Figure 128 Defining Rule — Allow TCP Service to a Particular Network e. Click OK. 6. Click Finish. Allow POP3 Service to a Particular Server 1. Click the New link in the Networks tab. To define the access rule to an existing network, click the network. The edit link appears. Click the edit link and navigate to the Access tab. 2. In the WLAN Settings tab, enter the appropriate information and click Next to continue. 3.
Figure 129 Defining Rule — Allow POP3 Service to a Particular Server Deny FTP Service except to a Particular Server 1. Click the New link in the Networks tab. To define the access rule to an existing network, click the network. The edit link appears. Click the edit link and navigate to the Access tab. 2. In the WLAN Settings tab, enter the appropriate information and click Next to continue. 3. Use the VLAN tab, to specify how the clients on this network will get their IP address and VLAN.
Figure 130 Defining Rule — Deny FTP Service Except to a Particular Server

Deny bootp Service except to a Particular Network
1. Click the New link in the Networks tab. To define the access rule to an existing network, click the network. The edit link appears. Click the edit link and navigate to the Access tab.
2. In the WLAN Settings tab, enter the appropriate information and click Next to continue.
3. Use the VLAN tab to specify how the clients on this network will get their IP address and VLAN.
Figure 131 Defining Rule — Deny bootp Service Except to a Network
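The destination options in Table 23 and the rule procedures above, modeled as an added example (this is not code from the Instant firmware or from Dell or Aruba). The names Rule, RULES and evaluate, the sample addresses, the standard port numbers and the first-match rule ordering are assumptions made for the illustration; the guide does not state how unmatched traffic is handled, so the model reports it as "no-match".

```python
import ipaddress
from dataclasses import dataclass

# Standard IANA ports for the services named in the procedures above.
# Assumption: these are not values read from the Instant UI.
SERVICES = {
    "pop3": ("tcp", {110}),
    "ftp": ("tcp", {21}),
    "bootp": ("udp", {67, 68}),
}


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    service: str    # key in SERVICES, or "any"
    dest_kind: str  # "server", "except-server", "network", "except-network"
    dest: str       # server IP, or "network/netmask"

    def service_matches(self, proto, port):
        if self.service == "any":
            return True
        want_proto, ports = SERVICES[self.service]
        return proto == want_proto and port in ports

    def dest_matches(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        if self.dest_kind in ("server", "except-server"):
            inside = ip == ipaddress.ip_address(self.dest)
        else:
            inside = ip in ipaddress.ip_network(self.dest)
        # The "except" variants apply to every destination other than the
        # one specified, so they invert the membership test.
        return inside != self.dest_kind.startswith("except")


# Constructed sample rule set mirroring three of the procedures above.
RULES = [
    Rule("allow", "pop3", "server", "10.1.1.10"),
    Rule("deny", "ftp", "except-server", "10.1.1.20"),
    Rule("deny", "bootp", "except-network", "10.1.2.0/255.255.255.0"),
]


def evaluate(rules, proto, port, dst_ip):
    """Return the action of the first matching rule (assumed ordering)."""
    for rule in rules:
        if rule.service_matches(proto, port) and rule.dest_matches(dst_ip):
            return rule.action
    return "no-match"


if __name__ == "__main__":
    flows = [
        ("tcp", 110, "10.1.1.10"),  # POP3 to the permitted server
        ("tcp", 21, "10.1.1.20"),   # FTP to the excepted server
        ("tcp", 21, "192.0.2.5"),   # FTP anywhere else
        ("udp", 67, "10.1.2.7"),    # bootp inside the excepted network
        ("udp", 67, "10.1.3.7"),    # bootp outside it
    ]
    for proto, port, dst in flows:
        print(proto, port, dst, "->", evaluate(RULES, proto, port, dst))
```

In this model a "deny ... except to" rule never matches traffic to the excepted server or network, so whether that traffic is actually permitted depends on the other rules configured for the network.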
Chapter 15 Content Filtering The Content Filtering feature allows you to create internet access policies that allow or deny user access to websites based on website categories and security ratings. This feature is useful to: Prevent known malware hosts from accessing your wireless network. Improve employee productivity by limiting access to certain websites. Reduce bandwidth consumption significantly.
The content filtering configuration applies to all the IAPs in the Dell Instant network and the service is enabled or disabled globally across all the wireless networks that are configured in the Dell Instant. Enterprise Domains The Enterprise Domain Names displays all the DNS domain names that are valid on the enterprise network. This list is used to determine how client DNS requests should be routed.
Chapter 16 OS Fingerprinting The OS Fingerprinting feature gathers information about the client that is connected to the Dell Instant network to find the operating system that the client is running on. The following is a list of advantages of this feature: Identifying rogue clients— Helps to identify clients that are running on forbidden operating systems. Identifying outdated operating systems— Helps to locate outdated and unexpected OS in the company network.
Chapter 17 Adaptive Radio Management Adaptive Radio Management (ARM) is a radio frequency management technology that optimizes WLAN performance even in the networks with highest traffic by dynamically and intelligently choosing the best 802.11 channel and transmitting power for each IAP in its current RF environment. ARM works with all standard clients, across all operating systems, while remaining in compliance with the IEEE 802.11 standards.
Disabled— Disabled means that the client selects which band to use. Airtime Fairness Mode This feature provides equal access to all clients on the wireless medium, regardless of client type, capability, or operating system, thus delivering uniform performance to all clients. This feature prevents some clients from monopolizing resources at the expense of other clients. NOTE: Reboot the IAP after configuring the radio profile settings in order for the changes to take effect.
Min Transmit Power This indicates the minimum effective isotropic radiated power (EIRP) from 3 to 33 dBm in 3 dBm increments. You may also specify a special value of 127 dBm for regulatory maximum to disable power adjustments for environments such as outdoor mesh links. Higher power level settings may be constrained by local regulatory requirements and AP capabilities.
Configuring Administrator Assigned Radio Settings for IAP Adaptive Radio Management (ARM) is enabled on Dell Instant by default. It automatically assigns appropriate channel and power settings for the IAPs. To manually configure radio settings: 1. In the Access Points tab, click the AP for which you want to enable ARM. The edit link appears. 2. Click the edit link. The Edit AP window appears. 3. Click the Radio tab. Figure 136 Configuring Administrator Assigned Radio Settings for IAP 4.
Table 24 Mode, Spectrum and AP Operation (Continued) Mode Spectrum AP Operation Monitor Enabled AP does not provide access service to clients. 5. Select Administrator assigned in 2.4 GHz and 5 GHz band sections. 6. Select appropriate channel number from the Channel drop-down list for both 2.4 GHz and 5 GHz band sections. 7. Enter appropriate transmit power value in the Transmit power text box in 2.4 GHz and 5 GHz band sections. 8. Click OK.
Table 25 Radio Profile Configuration Parameters (Continued) Parameter Description Beacon interval Enter the Beacon period (60ms to 500ms) for the IAP in msec. This indicates how often the 802.11 beacon management frames are transmitted by the access point. The default value is 100 msec. Interference immunity level Select to increase the immunity level to improve performance in high-interference environments. The default immunity level is 2.
Chapter 18 Intrusion Detection System Intrusion Detection System (IDS) is a feature that monitors the network for the presence of unauthorized IAPs and clients. It also logs information about the unauthorized IAPs and clients, and generates reports based on the logged information.
Four levels of detection can be configured in the WIP Detection page— Off, Low, Medium, and High (as shown in Figure 139). Figure 139 Wireless Intrusion Protection— Detection The following table describes the detection policies that are enabled in Infrastructure Detection Custom settings box.
Table 26 Infrastructure Detection Policies (Continued)
Detection Level: High
Detection Policy:
Detect AP Impersonation
Detect Adhoc Networks
Detect Valid SSID Misuse
Detect Wireless Bridge
Detect 802.11 40MHz intolerance settings
Detect Active 802.
Three levels of detection can be configured in the WIP Protection page— Off, Low, and High (as shown in Figure 140). Figure 140 Wireless Intrusion Protection— Protection The following table describes the detection policies that are enabled in Infrastructure Protection Custom settings field.
Containment Methods You can enable wired and wireless containments to prevent unauthorized stations from connecting to your Instant network. Instant supports the following types of containment mechanisms: Wired containment— When enabled, Dell PowerConnect W-Series Instant Access Points will generate ARP packets on the wired network to contain wireless attacks.
Chapter 19 SNMP Dell Instant supports versions 1, 2c, and 3 of Simple Network Management Protocol (SNMP) for reporting purposes only. In other words, SNMP cannot be used for setting values in a Dell system in the current IAP. SNMP Parameters for IAP You can configure the following parameters for IAP.
Figure 142 Creating Community Strings for SNMPV1 and SNMPV2

Follow the procedure below to create, edit, and delete users for SNMPV3.
1. In the Settings tab, click the SNMP tab.
2. Click New in the Users for SNMPV3 box.
3. Enter the name of the user in the Name text box.
4. Select the type of authentication protocol from the Auth protocol drop-down list.
5. Enter the authentication password in the Password text box and retype the password in the Retype text box.
6.
Figure 143 Creating Users for SNMPV3

SNMP Traps
Dell Instant supports the configuration of external trap receivers in the Instant UI. Only the IAP acting as the Virtual Controller will generate traps. The OID of the traps is 1.3.6.1.4.1.14823.2.3.3.1.200.2.X.
Figure 144 SNMP Traps
To configure an SNMP trap receiver:
1. Enter a name in the SNMP Engine ID text box. It indicates the name of the SNMP agent on the access point. The SNMPV3 agent has an engine ID that uniquely identifies the agent in the device and is unique to that internal network.
2. Click New and update the following fields:
a. IP Address— Enter the IP Address of the new SNMP Trap receiver.
b. Version— Select the SNMP version— v1, v2c, v3 from the drop-down list.
Chapter 20 Hierarchical Deployment In earlier releases of Dell Instant, an IAP could be connected to another IAP via the uplink port through a wired switch. If there is no wired infrastructure (Ethernet connection with a L3 NAT router), then multiple IAPs could not be deployed. A W-IAP130 series or RAP-3WN AP (with more than one wired port) can now be connected to the downlink wired port of another IAP (ethX).
Chapter 21 Ethernet Downlink Ethernet Downlink Overview The ethernet downlink ports allow third party devices such as VOIP phones or printers (which support only wired connection) to connect to the wireless network. Additionally, an Access Control List (ACL) can be configured for added security on the ethernet downlink. NOTE: This release of Instant supports only the OpenAuth mechanism. Ethernet Downlink Profile Parameters To create a new ethernet downlink profile: 1.
3. Click the VLAN tab or click Next and enter the following information: Table 32 Ethernet Downlink Profile Parameters— VLAN Tab Field Description Mode In Access mode the port carries a single VLAN, specified as the Native VLAN. In Trunk mode the port carries packets for multiple VLANs, specified as the Allowed VLANs. Native VLAN Specifies the VLAN carried by the port in Access mode. Allowed VLANs Specifies the VLAN carried by the port in Trunk mode.
Figure 148 Ethernet Profile Configuration - Security Tab 5. Click the Access tab and configure the access rule for the profile. Table 34 Ethernet Downlink Profile Parameters— Access Tab Field Description Access Rules Unrestricted— User gets unrestricted access on the port. Network-based— User is authenticated using the access rules defined here. The following figure displays the access parameters of the Ethernet profile configuration: Figure 149 Ethernet Profile Configuration - Access Tab 6.
The following figure displays the parameters of the access rule configuration: Figure 150 Access Rule Parameters 7. Click Finish to configure the new network profile. 8. To edit an Ethernet downlink profile, select the configured Ethernet downlink profile and click the Edit button below the Wired Networks window. 9. To delete an Ethernet downlink profile, select the configured Ethernet downlink profile and click the Delete button below the Wired Networks window.
Chapter 22 Uplink Configuration Uplink Configuration Overview The Dell PowerConnect W-Instant supports 3G USB modems for the corporate Instant network. The 3G USB modems can be used to extend the connectivity to places where Ethernet uplink cannot be configured. By using this, the client traffic can reach the internet and the corporate network. It also provides a reliable backup link for the Ethernet based Instant network.
Figure 153 Uplink Status The user can view the type of uplink and the status of the uplink in the Instant UI under Info tab. Figure 154 Uplink Status 3G/4G Uplink Instant now supports the use of 3G/4G USB modems to provide internet backhaul to an Instant network. The 3G/ 4G USB modems extend client connectivity to places where an Ethernet uplink is not feasible. This enables the RAP-3 to choose the available network in an area automatically.
Table 36 List of Supported 3G Modems Modem Type Supported 3G Modems True Auto Detect True Auto Detect (continued) USBConnect 881 (Sierra 881U) Quicksilver (Globetrotter ICON 322) UM100C (UTstarcom) Icon 452 Aircard 250U (Sierra) USB 598 (Sierra) U300 (Franklin wireless) U301 (Franklin wireless) USB U760 for Virgin (Novatel) USB U720 (Novatel/Qualcomm) UM175 (Pantech) UM150 (Pantech) UMW190(Pantech) SXC-1080 (Qualcomm) Globetrotter ICO
Table 36 List of Supported 3G Modems (Continued) Modem Type Supported 3G Modems Auto-detect + ISP/country No auto-detect Sierra USB-306 (HK CLS/1010 (HK)) Sierra 306/308 (Telstra (Aus)) Sierra 503 PCIe (Telstra (Aus)) Sierra 312 (Telstra (Aus)) Aircard USB 308 (AT&T's Shockwave) Compass 597(Sierra) (Sprint) U597 (Sierra) (Verizon) Tstick C597(Sierra) (Telecom(NZ)) Ovation U727 (Novatel) (Sprint) USB U727 (Novatel) (V
2. Select the Uplink tab. Under 3G/4G tab, enter the parameters:
a. Enter the 3G/4G modem driver type: To provision a 3G modem, enter the type of 3G modem in the USB type text box. To provision a 4G modem, enter the type of 4G modem in the 4G USB type text box. NOTE: This release of Instant supports only the Pantech UML 290 4G card, which is a True Auto Detect modem.
b. Enter the identifier of the modem device in the USB dev text box.
c. Enter the TTY port of the modem in the USB tty text box.
Provisioning a 3G/4G Switch Network To provision a 3G/4G switch network, provide the driver type for the 3G modem in the USB type text box and the driver type for 4G modem in the 4G USB type text box and click OK. Figure 157 3G/4G Switch Network Uplink Switchover The default priority for uplink switchover is Ethernet and then 3G/4G. The IAP has the ability to switch to the lower priority uplink if the current uplink is down. NOTE: IAP reboot is not required for uplink switchover process.
Figure 158 Uplink Preference NOTE: Uplink preferences can be set manually. This forces the IAP to use that uplink. Switchover and preemption do not work in this configuration. PPPoE Point-to-Point Protocol over Ethernet (PPPoE) is a method of connecting to the internet typically used with DSL services where the client connects to the DSL modem. You can use PPPoE for your uplink connectivity in both normal IAP and VPN IAP deployments. PPPoE is supported only in a single AP deployment.
Figure 159 PPPoE Settings
Chapter 23 Dell PowerConnect W-AirWave Integration and Management Dell PowerConnect W-AirWave is a powerful and easy-to-use network operations system that manages Dell wireless, wired, and remote access networks, as well as wired and wireless infrastructures from a wide range of third-party manufacturers. With its easy-to-use interface, Dell PowerConnect W-AirWave provides real-time monitoring, proactive alerts, historical reporting, and fast, efficient troubleshooting.
Template-based Configuration Dell PowerConnect W-AirWave automatically creates a configuration template based on any of the existing IAPs, and it applies that template across the network as shown in Figure 160. It audits every device on an ongoing basis to ensure that configurations never vary from the enterprise policies. It alerts you whenever a violation is detected and automatically repairs the misconfigured device.
RF Visualization Support for Dell Instant Dell PowerConnect W-AirWave supports RF visualization for Dell Instant. The VisualRF module is an add-on to the AirWave Wireless Management Suite that provides a real-time picture of the actual radio environment of your wireless network and the ability to plan the wireless coverage of new sites. VisualRF uses sophisticated RF fingerprinting to accurately display coverage patterns and calculate the location of every Instant device in range.
About Shared Key The Shared Secret key is used by the administrator to manually authorize the first Virtual Controller for an organization. Any string is acceptable. Entering the Organization String and AMP Information into the IAP 1. Click the Dell PowerConnect W-AirWave Set Up Now link in the bottom-middle region of the Instant UI. The Settings box with the Dell PowerConnect W-AirWave tab selected appears. Figure 162 Configuring Dell PowerConnect W-AirWave 2.
Figure 163 Instant and DHCP options for Dell PowerConnect W-AirWave— Set Predefined Options
3. Select DHCP Standard Options in the Option class drop-down list and then click Add. Enter the following information:
Name— Dell Instant
Data Type— String
Code— 60
Description— Dell Instant AP
Figure 164 Instant and DHCP options for Dell PowerConnect W-AirWave— Predefined Options and Values
4. Go to Server Manager and select Server Options in the IPv4 window. (This sets the value globally.
Figure 165 Instant and DHCP options for Dell PowerConnect W-AirWave— Server Options
6. Select 060 Dell Instant AP in the Server Options window and enter Dell InstantAP in the String Value.
Figure 166 Instant and DHCP options for Dell PowerConnect W-AirWave—060 Dell Instant AP in Server Options
7. Select 043 Vendor Specific Info and enter a value for airwave-orgn, airwave-ip, airwave-key in the ASCII field (for example: tme-instant-store1, 10.169.240.8, Dell123).
Figure 167 Instant and DHCP options for Dell PowerConnect W-AirWave— 043 Vendor Specific Info This creates a DHCP option 60 and 43 on a global basis. You can do the same on a per scope basis. The per scope option will override the global option.
This method describes how to set up a DHCP server to send option 43 with Dell PowerConnect W-AirWave information to Dell Instant IAP. This section assumes that option 43 will be sent per scope since option 60 is being shared by other devices as well. NOTE: This scope should be specific to instant and the PXE devices that use options 60 and 43 should not connect to the subnet defined by this scope.
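The option 60 and option 43 values configured above, encoded and parsed as they would appear in a DHCP options field. This is an added example, not code from Dell Instant or AirWave. The function names are hypothetical, and the example assumes that option 43 carries the raw ASCII string rather than encapsulated sub-options, that the AP requires the option 60 string to match, and that the three fields are split on the first two commas.

```python
import ipaddress

OPT_PAD, OPT_END = 0, 255
OPT_VENDOR_SPECIFIC = 43   # organization, AirWave IP, shared key
OPT_VENDOR_CLASS = 60      # vendor class identifier
VENDOR_CLASS = "Dell InstantAP"  # String Value the guide enters for 060


def encode_option(code, text):
    """Encode one DHCP option as code, length, ASCII value."""
    data = text.encode("ascii")
    if not 0 < len(data) <= 255:
        raise ValueError("option value must be 1 to 255 bytes")
    return bytes([code, len(data)]) + data


def parse_options(blob):
    """Walk a DHCP options field and return {code: value_bytes}."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        options[code] = value
        i += 2 + length
    return options


def parse_airwave_settings(options):
    """Validate options 60 and 43 and return the three AirWave fields."""
    vendor = options.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    if vendor != VENDOR_CLASS:
        raise ValueError("option 60 is not the Instant vendor class")
    raw = options.get(OPT_VENDOR_SPECIFIC)
    if raw is None:
        raise ValueError("option 43 is missing")
    # Split on the first two commas only: the guide says any string is
    # acceptable as the shared key, so the key itself may contain commas.
    fields = [f.strip() for f in raw.decode("ascii").split(",", 2)]
    if len(fields) != 3 or not all(fields):
        raise ValueError("expected organization, IP address and key")
    org, ip, key = fields
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    # DHCP replies are unauthenticated and unencrypted, so this key is
    # readable by any host that receives replies from the scope.
    return {"organization": org, "airwave_ip": ip, "shared_key": key}


def build_sample_reply_options():
    """Constructed options field using the example values from the guide."""
    return (encode_option(OPT_VENDOR_CLASS, VENDOR_CLASS)
            + encode_option(OPT_VENDOR_SPECIFIC,
                            "tme-instant-store1, 10.169.240.8, Dell123")
            + bytes([OPT_END]))


if __name__ == "__main__":
    print(parse_airwave_settings(parse_options(build_sample_reply_options())))
```

Because the key is delivered in the DHCP reply itself, restricting the scope to the Instant subnet, as the note above requires, also limits which hosts can read it.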
Figure 170 Dell PowerConnect W-AirWave — New Group Figure 171 Dell PowerConnect W-AirWave —Monitor
Chapter 24 Monitoring Monitor the Dell Instant network, IAPs, Wi-Fi networks, and clients in the network for various parameters using one or all of the following views: Virtual Controller View Network View Instant Access Point View Client View This chapter provides information about the parameters that can be monitored using these views. It also provides procedures to monitor these parameters. Virtual Controller View The Virtual Controller view is the default view.
Monitoring Link This link is selected by default and the following sections are displayed. These sections provide information about the Virtual Controller and allow you to monitor the network. Info RF Dashboard Usage Trends Info The Info section displays the following information about the Virtual Controller: Name— Displays the Virtual Controller name. Country Code— Displays the Country in which the Virtual Controller is operating.
Figure 173 Clients Graph Throughput Graph Figure 174 Throughput Graph For more information about the graphs in the Virtual Controller view and for monitoring procedures, see Table 37. Table 37 Virtual Controller View — Graphs and Monitoring Procedures Graph Name Description Monitoring Procedure Clients The Clients graph shows the number of clients associated with the Virtual Controller for the last 15 minutes. To see an enlarged view, click the graph.
Table 37 Virtual Controller View — Graphs and Monitoring Procedures (Continued) Graph Name Description Monitoring Procedure Throughput The Throughput graph shows the throughput of all networks and IAPs associated with the Virtual Controller for the last 15 minutes. Outgoing traffic — Throughput for outgoing traffic is displayed in green. Outgoing traffic is shown above the median line. Incoming traffic — Throughput for incoming traffic is displayed in blue.
Figure 175 Network View Info The Info section displays the following information about the selected network: Name— Name of the network. Band— Band in which the network is broadcast: 2.4 GHz band, 5.4 GHz band, or both. Type— Network type: Employee, Guest, or Voice. IP Assignment— Source of IP address for the client. Access— The level of access control for this network. Security level— The type of user authentication and data encryption for this network.
Figure 177 Throughput Graph For more information about the graphs in the network view and for monitoring procedures, see Table 38. Table 38 Network View — Graphs and Monitoring Procedures Graph Name Description Monitoring Procedure Clients The Clients graph shows the number of clients associated with the network for the last 15 minutes. To see an enlarged view, click the graph.
RF Trends Figure 178 Instant Access Point View Info The Info section provides the following information about the selected IAP: Name— Displays the name of the selected IAP. IP Address— Displays the IP address of the IAP. Mode— Displays the mode type. In Access mode the IAP serves clients, while also monitoring for rogue APs in the background. In Monitor mode, the IAP acts as a dedicated monitor, scanning all channels for rogue APs and clients.
Figure 179 Neighboring APs Graph
CPU Utilization
Figure 180 CPU Utilization Graph
Neighboring Clients
Figure 181 Neighboring Clients Graph
Memory Free (MB)
Figure 182 Memory free Graph
Clients
Figure 183 Clients Graph Throughput (bps) Figure 184 Throughput Graph For more information about the graphs in the instant access point view and for monitoring procedures, see Table 39. Table 39 Instant Access Point View — Usage Trends and Monitoring Procedures Graph Name Description Monitoring Procedure Neighboring APs The Neighboring APs graph shows the number of APs heard by the selected IAP: Valid APs: An AP that is part of the enterprise providing WLAN service.
Table 39 Instant Access Point View — Usage Trends and Monitoring Procedures (Continued) Graph Name Description Monitoring Procedure Neighboring Clients The Neighboring Clients graph shows the number of clients not connected to the selected AP, but heard by it: Valid: Any client that successfully authenticates with a valid AP and passes encrypted traffic is classified as a valid client. Interfering: A client associated to any AP and is not valid.
Figure 185 Utilization Graph 2.4 GHz Frames (fps) Figure 186 2.4 GHz Frames (fps) Graph Drops (fps) Figure 187 Drops (fps) Graph Noise Floor (dBm) Figure 188 Noise Floor (dBm) Graph 2.4 GHz Mgmt Frames
Figure 189 2.4 GHz Mgmt Frames (fps) Graph Errors (fps) Graph Figure 190 Errors (fps) Graph To see the graphs for the 5 GHz band, click the 5 GHz link. For more information about the graphs in the instant access point view and for monitoring procedures, see Table 40.
Table 40 Instant Access Point View — RF Trends Graphs and Monitoring Procedures (Continued) Graph Name Description Monitoring Procedure 2.4 GHz Frames The 2.4 GHz Frames graph shows the In and Out frame rate per second for the radio in 2.4 GHz band for the last 15 minutes. Outgoing frames — Outgoing frame traffic is displayed in green. It is shown above the median line. Incoming frames — Incoming frame traffic is displayed in blue. It is shown below the median line.
Table 40 Instant Access Point View — RF Trends Graphs and Monitoring Procedures (Continued) Graph Name Description Monitoring Procedure Errors The Errors graph shows the errors that occurred while receiving the frames for the last 15 minutes. The errors are measured in frames per second. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the In and Out frames.
Info The Info section provides the following information about the selected IAP: Name— Name of the selected client. IP Address— IP address of the client. MAC Address— MAC Address of the client. OS— Operating System that is running on the client. Network— Network to which the client is connected. Access Point— IAP to which the client is connected. Channel— Channel that the client is using. Type— Channel type that the client is broadcasting on.
Figure 194 Speed Graph Throughput Figure 195 Throughput Graph For more information about RF trends graphs in the client view and for monitoring procedures, see Table 41. Table 41 Client View — RF Trends Graphs and Monitoring Procedures Graph Name Description Monitoring Procedure Signal The Signal graph shows the signal strength of the client for the last 15 minutes. It is measured in decibels. To see an enlarged view, click the graph.
Table 41 Client View — RF Trends Graphs and Monitoring Procedures (Continued) Graph Name Description Monitoring Procedure Frames The Frames Graph shows the In and Out frame rate per second for the client for the last 15 minutes. It also shows data for the Retry In and Retry Out frames. Outgoing frames — Outgoing frame traffic is displayed in green. It is shown above the median line. Incoming frames — Incoming frame traffic is displayed in blue. It is shown below the median line.
Mobility Trail The Mobility Trail section displays the following mobility trail information for the selected client: Association Time— The time at which the selected client was associated with a particular IAP. It shows the client-IAP association for the last 15 minutes. Access Point— IAP name with which the client was associated. NOTE: Mobility information about the client is reset each time it roams from one IAP to another.
Chapter 25 Alert Types and Management Alert Types Alerts are generated when a user encounters problems while accessing or connecting to the Wi-Fi network. These alerts enable you to troubleshoot the problems. The alerts that are generated on Dell Instant can be categorized as follows: 802.11 related association and authentication failure alerts. 802.1X related mode and key mismatch, server, and client time-out failure alerts. IP address related failure - Static IP address or DHCP related alerts.
Table 42 Alerts List (Continued)
Type Code: 100308
Description: RADIUS server connection failure
Details: The IAP cannot authenticate this client using 802.1X because the RADIUS server did not respond to the authentication request.
Corrective Actions: If the IAP is using the internal RADIUS server, recommend checking the related configuration as well as the installed certificate and passphrase.
Chapter 26 Policy Enforcement Firewall Dell’s Policy Enforcement Firewall (PEF) module for Dell Instant provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. The PEF window displays the external/internal authentication servers, the currently defined roles for all the networks, and the blacklisted clients, and lets you enable or disable the protocols for ALG.
Users for Internal Server This section displays the currently defined users for the internal authentication server. Figure 197 Users for Internal Server To add a user: 1. Enter the username in the Username text box. 2. Enter the password in the Password text box and reconfirm. 3. Select appropriate network type from the Type drop-down list. 4. Click Add and click OK. The users are listed in the Users list. See “User Database” on page 235 for more information.
Access Rules— This table lists the permissions for each Role. See Chapter 12, “Role Derivation” for more information. Figure 198 Roles Extended Voice and Video Functionalities Instant has the added ability to identify and prioritize voice and video traffic from applications like Microsoft Office Communications Server (OCS) and Apple Facetime.
cases, the IAP has to use an ACL with the classify-media option enabled to identify the voice or video flow based on a deep packet inspection and analysis of the actual traffic. Microsoft OCS Microsoft Office Communications Server (OCS) uses Session Initiation Protocol (SIP) over TLS to establish, control, and terminate voice and video calls.
Figure 200 Classify Media —Microsoft OCS Figure 201 Classify Media —Apple Facetime Client Blacklisting The client blacklisting denies connectivity to the blacklisted clients. When a client is blacklisted in a Dell IAP, the client is not allowed to associate with the IAP in the network. If a client is connected to the network when it is blacklisted, a deauthentication message will be sent to force the client to disconnect.
Figure 202 Client Blacklisting Types of Client Blacklisting The following types of client blacklisting can be generated in an Instant: Manual Blacklisting Dynamic Blacklisting Authentication Failure Blacklisting Session Firewall Based Blacklisting Manual Blacklisting Manual blacklisting is the simplest way to add a client to the blacklist. In manual blacklisting, the MAC address of the client has to be known to the user. These clients would be added into a permanent blacklist.
4. Click Ok. The Blacklisted Since tab displays the time at which the current blacklisting started for the client. 5. To delete a client from the manual blacklist, select the MAC Address of the client under the Manual Blacklisting window and then click Delete. Dynamic Blacklisting The clients can be blacklisted dynamically when they exceed the authentication failure threshold or when a blacklisting rule is triggered as part of the authentication process.
Figure 205 Enabling ALG Protocols 4. Click OK. NOTE: When the protocols for ALG are Disabled the changes do not take effect until the existing user sessions expire. Reboot the IAP and the client, or wait for a few minutes to ensure the changes take effect. Firewall-based Logging Instant firewall now supports a firewall-based logging function. The firewall logs on the Instant APs are generated as syslog messages.
Chapter 27 VPN Configuration The IAP supports termination of a VPN tunnel on the Dell PowerConnect W controller. VPN features are ideal for: enterprises with many branches that do not have a dedicated VPN connection to the corporate office. branch offices that require multiple APs. individuals working from home, connecting to the VPN.
Controller. The traffic going to the corporate is sent via L2 GRE tunnel from the AP itself and does not have to be forwarded through the Virtual Controller. NOTE: By default, the Per-AP tunnel option is disabled. 4. Enter the IP address or fully qualified domain name for the main VPN/GRE endpoint in the Primary host field. 5. Enter the IP address or fully qualified domain name for the backup VPN endpoint in the Backup host field. This entry is optional. 6.
DHCP Server Configuration The Virtual Controller (VC) on an Instant AP enables different DHCP pools (various deployment models) in addition to allocating IP subnets to each branch. The following modes of DHCP server are supported: Local Subnet— In this mode, the VC assigns an IP address from a configured subnet and forwards traffic to both corporate and non-corporate destinations.
VLAN— VLAN ID of the subnet. This needs to be referenced in the SSID configuration to make use of this subnet. Network— Network to be used for this subnet. Netmask— Net mask of the subnet. This along with Network determines the size of the subnet. DNS server— An optional field which defines the DNS server. Domain name— An optional field which defines the domain name. Lease time— An optional field which defines the lease time for client. Figure 209 NAT DHCP Configuration 2.
Domain name— An optional field which defines the domain name. Lease time— An optional field which defines the lease time for client. 2. Click OK to apply these changes. Figure 210 Distributed L2 DHCP Configuration Distributed L3 DHCP Configuration In Distributed L3 mode, the Virtual Controller acts as both DHCP Server and default gateway. Traffic is routed into the VPN tunnel. 1.
Figure 211 Distributed L3 DHCP Configuration Centralized L2 DHCP Configuration In Centralized L2 mode, both the DHCP server and default gateway are in the data center, on the other side of the VPN tunnel. 1. Click New in the DHCP Server window and select Centralized, L2 to configure the following parameters for Distributed L3 mode DHCP pool: Name — Name of the subnet (must be unique). Type— Indicates the type of DHCP server.
Table 44 Ports used by the Apple Facetime Application
DHCP Relay  Option82  Behavior
Enabled     Disabled  DHCP packet relayed without the ALU-specific Option 82 string
Disabled    Enabled   DHCP packet not relayed, but broadcasted with the ALU-specific Option 82 string
Disabled    Disabled  DHCP packet not relayed, but broadcasted without the ALU-specific Option 82 string
2. Click OK to apply these changes.
Figure 212 Centralized L2 DHCP Configuration
Chapter 28 User Database

In Dell Instant, the user database consists of a list of guest and employee users. Addition of a user involves specifying a username and password for the user. The login credentials for these users are provided outside the Dell Instant system. A guest user can be a visitor who will be temporarily using the enterprise network to access the internet. However, you would not want to share the internal network and the intranet with them.
Editing User Settings

To edit user settings:
1. At the top right corner of the Instant UI, click the Users link. The Users window appears.
2. In the Users section, select the username for which you want to edit the settings and click Edit. The user's details appear on the right side.
3. Edit as required and click OK.

Deleting a User

To delete a user:
1. At the top right corner of the Instant UI, click the Users link. The Users window appears.
2.
Chapter 29 Regulatory Domain

IEEE 802.11b/g/n Wi-Fi networks operate in the 2.4 GHz spectrum and IEEE 802.11a/n networks operate in the 5.0 GHz spectrum. These spectrums are divided into channels. The 2.4 GHz spectrum is divided into 14 overlapping, staggered 20 MHz wireless carrier channels. These channels are spaced 5 MHz apart. The 5 GHz spectrum is divided into more channels. The channels that can be used in a particular country differ based on the regulations of that country.
Country Codes List

Table 45 Country Codes List

Code | Country Name
US | United States
CA | Canada
JP3 | Japan
DE | Germany
NL | Netherlands
IT | Italy
PT | Portugal
LU | Luxembourg
NO | Norway
FI | Finland
DK | Denmark
CH | Switzerland
CZ | Czech Republic
ES | Spain
GB | United Kingdom
KR | Republic of Korea (South Korea)
CN | China
FR | France
HK | Hong Kong
SG | Singapore
TW | Taiwan
BR | Brazil
IL | Israel
SA | Saudi Arabia
LB | Lebanon
AE | United Arab Emirates
ZA | South Africa
AR | Argentina
AU | Austr
Table 45 Country Codes List (Continued)

Code | Country Name
IS | Iceland
IN | India
IE | Ireland
KW | Kuwait
LI | Liechtenstein
LT | Lithuania
MX | Mexico
MA | Morocco
NZ | New Zealand
PL | Poland
PR | Puerto Rico
SK | Slovak Republic
SI | Slovenia
TH | Thailand
UY | Uruguay
PA | Panama
RU | Russia
EG | Egypt
Table 45 Country Codes List (Continued)

Code | Country Name
EC | Ecuador
HN | Honduras
KE | Kenya
UA | Ukraine
VN | Vietnam
BG | Bulgaria
CY | Cyprus
EE | Estonia
MU | Mauritius
RO | Romania
CS | Serbia and Montenegro
ID | Indonesia
PE | Peru
VE | Venezuela
JM | Jamaica
BH | Bahrain
OM | Oman
JO | Jordan
BM | Bermuda
CO | Colombia
DO | Dominican Republic
GT | Guatemala
PH | Philippines
LK | Sri Lanka
SV | El Salvador
TN | Tunisia
PK | Islamic Republic of Pakistan
QA | Qatar
DZ | Algeria
Appendix A Controller Configuration for VPN

On the controller, the following configuration is needed to set up an IAP.

Whitelist DB Configuration if the Controller is acting as the Whitelist Entry

If you decide to use the Controller as the whitelist entry to configure the whitelist database, use the following CLI command:

(ArubaW-3400) #local-userdb-ap add mac-address 00:11:22:33:44:55 ap-group test
(ArubaW-3400) #

The ap-group parameter is not used for any configuration, but needs to be configured.
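Whitelisting many IAPs with the command above is easier to get right when the MAC list is validated first. The following Python code is an added example, not part of the manual or of Aruba/Dell software: it normalizes MAC addresses to the colon form shown above, rejects malformed, group (multicast/broadcast) and duplicate entries, and emits one local-userdb-ap line per accepted address. The function names, the sample inventory and the restriction of ap-group to a single plain token are assumptions of this example.

```python
import re

# Constructed sample inventory (not from the manual): MACs in mixed notations.
SAMPLE_INVENTORY = [
    "00:11:22:33:44:55",
    "00-11-22-33-44-66",
    "0011.2233.4477",
    "00:11:22:33:44:55",   # duplicate of the first entry
    "01:00:5e:00:00:01",   # group (multicast) address, cannot be an AP's own MAC
    "00:11:22:33:44",      # too short
]


def normalize_mac(raw):
    """Return the MAC as aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address")
    if int(digits[:2], 16) & 0x01:  # I/G bit set: not a unicast station address
        raise ValueError("group (multicast/broadcast) address")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_whitelist_commands(macs, ap_group="test"):
    """Return (commands, rejected) for a list of raw MAC strings."""
    # Assumption of this example: ap-group is one plain token, so inventory
    # data can never smuggle extra CLI text into the generated line.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", ap_group):
        raise ValueError("ap-group must be a single plain token")
    commands, rejected, seen = [], [], set()
    for raw in macs:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if mac in seen:
            rejected.append((raw, "duplicate"))
            continue
        seen.add(mac)
        commands.append(f"local-userdb-ap add mac-address {mac} ap-group {ap_group}")
    return commands, rejected


if __name__ == "__main__":
    for line in build_whitelist_commands(SAMPLE_INVENTORY)[0]:
        print(line)
```

Review the rejected list before pasting the generated commands into the controller; an entry that fails validation usually points to a transcription error in the inventory.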
VPN Local Pool Configuration

This pool is used to assign an IP Address to the IAP after successful VPN authentication.

(ArubaW-3400) # ip local pool "rapngpool"
(ArubaW-3400) #

IAP VPN Profile Configuration

This defines the server used to authenticate the IAP (internal or an external server) and the role for IAP user. This role is used to define src-nat rule to RADIUS server to allow Dynamic Radius proxy.
(ArubaW-3400) (config) #user-role iaprole
(ArubaW-3400) (config-role) #session-acl iaprole
(ArubaW-3400) (config-role) #
(ArubaW-3400) (config) #aaa authentication vpn default-iap
(ArubaW-3400) (VPN Authentication Profile "default-iap") #server-group default
(ArubaW-3400) (VPN Authentication Profile "default-iap") #default-role iaprole
(ArubaW-3400) (VPN Authentication Profile "default-iap") #!
(ArubaW-3400) (config) #
Appendix B Abbreviations

Abbreviations

The following table lists the abbreviations used in this user guide.
Table 46 List of abbreviations (Continued)

Abbreviation | Expansion
VC | Virtual Controller
VSA | Vendor-Specific Attributes
WLAN | Wireless Local Area Network