User Guide Dell Networking W-Series Instant Access Point 6.2.1.0-3.
Copyright © 2013 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Chapter 1 About this Guide

This User Guide describes the features supported by Dell W-Instant and provides detailed instructions for setting up and configuring an Instant network.

Intended Audience

This guide is intended for customers who configure and use Dell W-Instant.

Related Documents

In addition to this document, the Dell W-Instant product documentation includes the following:
- Dell Networking W-Series Instant 6.2.1.0-3.4 Quick Start Guide
- Dell Networking W-Series Instant 6.2.1.0-3.
Indicates a risk of damage to your hardware or loss of data.
Indicates a risk of personal injury or death.

Contacting Support

Website Support
Main Website | dell.com
Support Website | dell.com/support
Documentation Website | dell.com/support/manuals
Chapter 2 About Dell W-Instant

This chapter provides the following information:
- Dell W-Instant Overview
- What is New in Dell W-Instant 6.2.1.0-3.4

Dell W-Instant Overview

Dell W-Instant virtualizes Mobility Controller capabilities on 802.11 access points (APs), creating a feature-rich enterprise-grade wireless LAN (WLAN) that combines affordability and configuration simplicity. Dell W-Instant is a simple, easy to deploy turn-key WLAN solution consisting of one or more APs.
For information on the complete list of the countries supported by the W-IAP-ROW type, see Regulatory Domain on page 299.

Dell W-Instant UI

The Dell W-Instant User Interface (UI) provides a standard web-based interface that allows you to configure and monitor a Wi-Fi network. Dell W-Instant UI is accessible through a standard web browser from a remote management console or workstation and can be launched using the following browsers:
- Internet Explorer 8 or later
- Safari 6.
Table 2: New Features in 6.2.1.0-3.4

Feature | Description
Updates to the PPPoE interface configuration | This feature allows you to configure a Local,L3 DHCP profile as the local interface for PPPoE configuration.
Dynamic CPU Management | This feature enables the management of resources across different functions performed by a W-IAP.
Configuring an IPSec VPN Tunnel | This feature allows the clients to reconnect to the VPN during a failover.
Chapter 3 Initial Configuration

This chapter describes the following procedures:
- Setting up Instant Network on page 29
- Logging in to the Dell W-Instant UI on page 31
- Accessing the Instant CLI on page 32

Setting up Instant Network

Before installing a W-IAP:
- Ensure that you have an Ethernet cable of the required length to connect a W-IAP to the home router.
- Ensure that you have one of the following power sources:
  - IEEE 802.3af/at-compliant Power over Ethernet (PoE) source.
1. Connect a terminal, PC, or workstation running a terminal emulation program to the Console port on the W-IAP.
2. Power on the W-IAP. An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed.
3. Press Enter before the timer expires. The W-IAP goes into the apboot mode.
4. In the apboot mode, use the following commands to assign a static IP to the W-IAP.

Hit to stop autoboot: 0
apboot>
apboot> setenv ipaddr 192.0.2.
To disable the provisioning network:
1. Connect a terminal or PC/workstation running a terminal emulation program to the Console port on the W-IAP.
2. Configure the terminal or terminal emulation program to use the following communication settings:

Table 3: Terminal Communication Settings

Baud Rate | Data Bits | Parity | Stop Bits | Flow Control
9600 | 8 | None | 1 | None

3. Power on the W-IAP. An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed.
4.
The Country Code window is displayed for the W-IAP-ROW (Rest of World) variants when you log in to the Dell W-Instant UI for the first time. You can specify a country code by selecting an appropriate option from the Please Specify the Country Code drop-down list.

Figure 2 Specifying a Country Code

For the complete list of the country codes supported by the W-IAP-ROW variant type, see Regulatory Domain on page 299.
Although automatic completion is supported for some commands such as configure terminal, the complete exit and end commands must be entered at the command prompt.

Applying Configuration Changes

Each command processed by the Virtual Controller is applied on all the slaves in a cluster. The changes configured in a CLI session are saved in the CLI context. The CLI does not support configuration data exceeding the 4K buffer size in a CLI session.
Table 4: Sequence-Sensitive Commands Sequence-Sensitive Command Corresponding no command rule {permit |deny | src-nat | dst-nat { | }}[
Chapter 4 Dell W-Series Instant User Interface

This chapter describes the following Dell W-Instant UI elements:
- Login Screen
- Main Window

Login Screen

The Dell W-Instant Login page allows you to:
- Log in to the Dell W-Instant UI
- View Dell W-Instant Network Connectivity summary
- View the Dell W-Instant UI in a specific language

Logging into the Dell W-Instant UI

To log in to the Dell W-Instant UI, enter the following credentials:
- Username — admin
- Password — admin

The Dell W-Instant UI
Main Window

On logging into Instant, the Instant UI Main Window is displayed. The following figure shows the Dell W-Instant main window:

Figure 3 Dell W-Instant Main Window

The main window consists of the following elements:
- Banner
- Search
- Tabs
- Links
- Views

Banner

The banner is a horizontal rectangle that appears at the top left corner of the Dell W-Instant main window. It displays the company name, logo, and Virtual Controller's name.
The expanded view displays the following information about each Wi-Fi network:
- Name (SSID) — Name of the network.
- Clients — Number of clients that are connected to the network.
- Type — Type of network, such as Employee, Guest, or Voice.
- Band — Band in which the network is broadcast: 2.4 GHz band, 5 GHz band, or both.
- Authentication Method — Authentication method required to connect to the network.
- Key Management — Authentication key type.
- OS — Operating system that runs on the client.
- Network — The network to which the client is connected.
- Access Point — W-IAP to which the client is connected.
- Channel — The client operating channel.
- Type — Type of the Wi-Fi client: A, G, AN, or GN.
- Role — Role assigned to the client.
- Signal — Current signal strength of the client, as detected by the AP.
- Speed (mbps) — Current speed at which data is transmitted.
  - For information about NTP Server configuration, see Configuring an NTP Server on page 71.
  - For information about Auto join mode, Terminal Access, LED display, TFTP Dump Server, and Deny inter user bridging, see W-IAP Management on page 277.
- Admin — Allows you to configure administrator credentials for access to the Virtual Controller Management User Interface. You can also configure W-AirWave in this tab.
RF

The RF link displays a window for configuring Adaptive Radio Management (ARM) and Radio features.
- ARM — Allows you to view or configure channel and power settings for all the W-IAPs in the network. For information about ARM configuration, see ARM Overview on page 189.
- Radio — Allows you to view or configure radio settings for the 2.4 GHz and the 5 GHz radio profiles. For information about Radio, see Configuring Radio Settings for a W-IAP on page 195.
Figure 6 Security Window - Default View

Maintenance

The Maintenance link displays a window that allows you to maintain the Wi-Fi network. The Maintenance window consists of the following tabs:
- About — Displays the name of the product, build time, W-IAP model name, the Dell W-Instant version, Website address of Dell, and Copyright information.
- Configuration — Displays the following details:
  - Current Configuration — Displays the current configuration details.
Figure 7 Maintenance Window - Default View

Help

The Help link allows you to view a short description or definition of selected terms and fields in the UI windows or dialogs. To activate the context-sensitive help:
1. Click the Help link at the top right corner of the Instant main window.
2. Click any text or term displayed in green italics to view its description or definition.
3. To disable the help mode, click Done.
Figure 8 VPN - Default View

IDS

The IDS window allows you to configure wireless intrusion detection and protection levels. The following figures show the IDS window:

Figure 9 IDS Window: Intrusion Detection
Figure 10 IDS Window: Intrusion Protection

For more information on wireless intrusion detection and protection, see Detecting and Classifying Rogue APs on page 199.

Wired

The Wired window allows you to configure a wired network profile. See Wired Profiles on page 107 for more information. The following figure shows the Wired window:

Figure 11 Wired Window

Services

The Services window allows you to configure services such as AirGroup, RTLS, and OpenDNS.
- AirGroup — Allows you to configure the AirGroup and AirGroup services. For more information, see AirGroup Configuration on page 245.
- RTLS — Allows you to integrate W-AirWave Management platform or third-party Real Time Location Server such as Aeroscout Real Time Location Server with Dell W-Instant. For more information, see Real Time Location Server Configuration on page 253.
- OpenDNS — Allows you to configure support for OpenDNS business solutions, which require an OpenDNS (www.opendns.
Figure 13 DHCP Servers Window

For more information, see DHCP Configuration on page 207.

Support

The Support window consists of the following fields:
- Command — Allows you to select a support command for execution.
- Target — Displays a list of W-IAPs in the network.
- Run — Allows you to execute the selected command for a specific W-IAP or all W-IAPs and view logs.
- Auto Run — Allows you to configure a schedule for automatic execution of a support command for a specific W-IAP or all W-IAPs.
Figure 14 Support Window

Logout

The Logout link allows you to log out of the Dell W-Instant UI.

Monitoring

The Monitoring link displays the Monitoring pane for the Instant network. Use the down arrow on the right side of these links to compress or expand the monitoring pane.
Table 5: Contents of the Info Section in the Instant Main Window

Name | Description
Info section in Client view
- Master — Displays the IP address of the Access Point acting as Virtual Controller.
- OpenDNS Status — Displays the OpenDNS status. If the OpenDNS status indicates as Not Connected, ensure that the network connection is up and appropriate credentials are configured for OpenDNS.
- Uplink type — Displays the type of uplink configured on the W-IAP: for example, Ethernet or 3G.
The W-IAP names appear as links. When a W-IAP is clicked, the W-IAP configuration information is displayed in the Info section and the RF Dashboard section is displayed at the bottom left corner of the Instant main window.
RF Trends

The RF Trends section displays the following graphs for the selected client:

Figure 16 Signal Graph
Figure 17 Frames Graph
Figure 18 Speed Graph
Figure 19 Throughput Graph

Usage Trends

The Usage Trends section displays the following graphs:
- Clients — In the default view, the Clients graph displays the number of clients that were associated with the Virtual Controller in the last 15 minutes. In Network or Instant Access Points view, this graph displays the number of clients that were associated with the selected network or W-IAP in the last 15 minutes.
Table 7: Network View — Graphs and Monitoring Procedures Graph Name Description l Throughput Monitoring Procedure number of clients associated with the Virtual Controller for the last 15 minutes. To see the exact number of clients in the Dell W-Instant network at a particular time, hover the cursor over the graph line. which you want to check the client association. The Network view appears. 3. Study the Clients graph in the Usage Trends pane.
Table 8: Access Point View — Usage Trends and Monitoring Procedures Graph Name Description Monitoring Procedure IAP view appears. 3. Study the CPU Utilization graph in the Overview pane. For example, the graph shows that the CPU utilization of the W-IAP is 30% at 12:09 hours. Neighboring Clients The Neighboring Clients graph shows the number of clients not connected to the selected AP, but heard by it.
Table 8: Access Point View — Usage Trends and Monitoring Procedures Graph Name Description Monitoring Procedure To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the incoming and outgoing traffic throughput of the W-IAP for the last 15 minutes. To see the exact throughput of the selected W-IAP at a particular time, hover the cursor over the graph line.
Table 9: Client View — RF Trends Graphs and Monitoring Procedures Graph Name Throughput Description Monitoring Procedure To see an enlarged view, click the graph. The enlarged view shows Last, Minimum, Maximum, and Average statistics of the client for the last 15 minutes. To see the exact speed at a particular time, move the cursor over the graph line. view appears. This is the default view. 2. In the Clients tab, click the IP address of the client for which you want to monitor the speed.
each channel seen by the spectrum monitor radio, including the maximum AP power, interference and the Signal-to-Noise and Interference Ratio (SNIR). Spectrum monitors display spectrum analysis data seen on all channels in the selected band, and hybrid W-IAPs display data from the one channel they are monitoring. For more information on spectrum monitoring, see Spectrum Monitor on page 181.

Alerts

Alerts are generated when a user encounters problems while accessing or connecting to a network.
Table 10: Types of Alerts

Type of Alert: Fault History
Description: The Fault History alerts occur in the event of a system fault.
Information Displayed: The Fault History displays the following information:
- Time — Displays the system time when an event occurs.
- Number — Indicates the sequence number.
- Cleared by — Displays the module which cleared this fault.
- Description — Displays the event details.
Table 11: Alerts list

Type Code | Description | Details | Corrective Actions
100101 | Internal error | The W-IAP has encountered an internal error for this client. | Contact the Dell customer support team.
100102 | Unknown SSID in association request | The W-IAP cannot allow this client to associate, because the association request received contains an unknown SSID. | Identify the client and check its Wi-Fi driver and manager software.
Table 11: Alerts list

Type Code | Description | Details | Corrective Actions
100309 | RADIUS server authentication failure | The W-IAP cannot authenticate this client using 802.1X, because the RADIUS server rejected the authentication credentials (password and so on) provided by the client. | Ascertain the correct authentication credentials and log in again.
Figure 25 Intrusion Detection

For more information on the intrusion detection feature, see Intrusion Detection on page 199.

Configuration

The Configuration link provides an overall view of your Virtual Controller configuration. The following figure shows the Virtual Controller configuration details displayed on clicking the Configuration link.

Figure 26 Configuration Link

AirGroup

This AirGroup link provides an overall view of your AirGroup configuration. Click each field to view or edit the settings.
Figure 27 AirGroup Link

W-AirWave Setup

Dell Networking W-AirWave is a solution for managing rapidly changing wireless networks. When enabled, W-AirWave allows you to manage the Instant network. For more information on W-AirWave, see W-Airwave Integration and Management on page 235. The W-AirWave status is displayed at the bottom of the Instant main window. If the W-AirWave status is Not Set Up, click the Set Up Now link to configure W-AirWave. The System window appears with the Admin tab selected.
Chapter 5 Basic Configuration Procedures

This chapter describes the following basic W-IAP deployment methods and configuration tasks:
- Updating IP Address of a W-IAP on page 63
- Modifying the W-IAP Name on page 64
- Updating Location Details of a W-IAP on page 64
- Configuring External Antenna on page 65
- Upgrading a W-IAP on page 66
- Adding a W-IAP to the Network on page 68
- Removing a W-IAP from the Network on page 69
- Enabling Terminal Access on page 68
- Enabling Auto Join Mode o
3. Select either the Get IP address from DHCP server or Specify statically option. If you have selected the Specify statically option, perform the following steps:
   a. Enter the new IP address for the W-IAP in the IP address text box.
   b. Enter the subnet mask of the network in the Netmask text box.
   c. Enter the IP address of the default gateway in the Default gateway text box.
   d. Enter the IP address of the DNS server in the DNS server text box.
   e. Enter the domain name in the Domain name text box.
4.
Configuring External Antenna

If your W-IAP has external antenna connectors, you need to configure the transmit power of the system. The configuration must ensure that the system's Equivalent Isotropically Radiated Power (EIRP) is in compliance with the limit specified by the regulatory authority of the country in which the W-IAP is deployed. You can also measure or calculate additional attenuation between the device and antenna before configuring the antenna gain.
2. In the Edit Access Point window, select External Antenna to configure the antenna gain value. This option is available only for access points that support external antennas, for example, W-IAP134 or W-IAP92.
3. Enter the antenna gain values in dBm for the 2.4 GHz and 5 GHz bands.
4. Click OK.
1. Go to Maintenance > Automatic > Check for New Version. After the image check is completed, one of the following messages appears:
   - No new version available — If there is no new version available.
   - Image server timed out — Connection or session between the image server and the W-IAP is timed out.
   - Image server failure — If the image server does not respond.
   - A new image version found — If a new image version is found.
2.
Image Upgrade Progress
----------------------
Mac                IP Address   AP Class  Status    Image Info  Error Detail
---                ----------   --------  ------    ----------  ------------
d8:c7:c8:c4:42:98  10.17.101.1  Orion     image-ok  image file  none
Auto reboot        :enable
Use external URL   :disable

Enabling Terminal Access

You can enable terminal access to a W-IAP by using the Dell W-Instant UI or CLI.

In the Dell W-Instant UI

1. In the Instant main window, click the System link. The System window appears.
2.
1. In the Access Points tab, click the New link. The New Access Point window is displayed.
2. In the New Access Point window, enter the MAC address for the new W-IAP.
3. Click OK.

Removing a W-IAP from the Network

You can remove a W-IAP from the network only if the Auto Join Mode feature is disabled. To remove a W-IAP from the network:
1. In the Access Points tab, click the W-IAP to delete. An x appears against the W-IAP.
2. Click x to confirm the deletion.
5. Select the Adaptive radio management assigned option under the bands that are applicable to the W-IAP configuration.
6. Click OK.

Configuring Radio Profiles Manually for a W-IAP

To manually configure radio settings:
1. In the Access Points tab, click the AP for which you want to enable ARM. The edit link appears.
2. Click the edit link. The Edit Access Point window appears.
3. Click the Radio tab.
4. Ensure that an appropriate mode is selected.
1. In the Instant main window, click the System link. The System window appears.
2. In the General tab of the System window, click Show advanced options to display the advanced options.
   - From the Deny inter user bridging drop-down menu, select Enabled to prevent traffic between two clients connected to the same W-IAP.
   - From the Deny local routing drop-down menu, select Enabled to prevent local routing traffic between two clients connected to the same W-IAP.
The Network Time Protocol (NTP) helps obtain the precise time from a server and regulate the local time in each network element. If an NTP server is not configured in the Instant network, a W-IAP reboot may lead to variation in time data. The NTP server is set to pool.ntp.org by default. You can configure an NTP server by using the Dell W-Instant UI or the CLI.

In the Dell W-Instant UI

To configure an NTP server:
1. Click the System link at the top right corner of the Dell W-Instant UI.
Chapter 6 Virtual Controller Configuration

This chapter provides the following information:
- Virtual Controller Overview
- Virtual Controller IP Address Configuration

Virtual Controller Overview

Dell W-Instant does not require an external Mobility Controller to regulate and manage the Wi-Fi network. Instead, one W-IAP in every network assumes the role of Virtual Controller.
W-IAP becomes a Virtual Controller, it sends three Address Resolution Protocol (ARP) messages with the static IP address and its MAC address to update the network ARP cache.

Configuring IP Address for Virtual Controller

You can configure the Virtual Controller name and IP address using the Dell W-Instant UI or CLI.

In the Dell W-Instant UI

1. Click the System link at the top right corner of the Instant main window. The System window appears.
2. Click the Show advanced options link.
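
A monitoring-side check for the ARP announcement described earlier in this section, added here as an example and not taken from the Dell W-Instant documentation: it parses captured ARP frames and reports which MAC address claims the Virtual Controller IP, flagging a claim from outside the cluster. The Virtual Controller address 192.0.2.10, the MAC addresses, the helper names and the frames are constructed sample values.

```python
import struct
from typing import Iterable, List, NamedTuple, Optional, Tuple

ETH_P_ARP = 0x0806


class ArpPacket(NamedTuple):
    eth_src: str      # source MAC in the Ethernet header
    op: int           # 1 = request, 2 = reply
    sender_mac: str   # sender hardware address inside the ARP body
    sender_ip: str
    target_ip: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes) -> Optional[ArpPacket]:
    """Parse an untagged Ethernet II frame; None unless it carries IPv4 ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(_mac(frame[6:12]), op, _mac(frame[22:28]),
                     _ip(frame[28:32]), _ip(frame[38:42]))


def audit_vc_announcements(frames: Iterable[bytes], vc_ip: str,
                           cluster_macs: Iterable[str]) -> List[Tuple[str, str]]:
    """Report who announces vc_ip (announcement: sender IP == target IP)."""
    allowed = {m.lower() for m in cluster_macs}
    owner: Optional[str] = None
    findings: List[Tuple[str, str]] = []
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is None or pkt.sender_ip != vc_ip or pkt.target_ip != vc_ip:
            continue
        if pkt.sender_mac not in allowed:
            # A device that is not a known W-IAP claims the VC address.
            findings.append(("unknown-mac", pkt.sender_mac))
        elif pkt.eth_src != pkt.sender_mac:
            # ARP body names a cluster MAC but the frame came from another one.
            findings.append(("src-mismatch", pkt.sender_mac))
        elif pkt.sender_mac != owner:
            # Repeats from the current owner (the three messages) add nothing.
            findings.append(("owner" if owner is None else "failover",
                             pkt.sender_mac))
            owner = pkt.sender_mac
    return findings


def build_garp(mac: str, ip: str, eth_src: Optional[str] = None) -> bytes:
    """Build a broadcast ARP announcement frame (used only for the sample data)."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(octet) for octet in ip.split("."))
    src = bytes.fromhex((eth_src or mac).replace(":", ""))
    eth = b"\xff" * 6 + src + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + spa + b"\x00" * 6 + spa
    return eth + arp


# Constructed sample values (assumptions, not from the guide).
VC_IP = "192.0.2.10"
AP1, AP2, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"


def sample_frames() -> List[bytes]:
    frames = [build_garp(AP1, VC_IP)] * 3                   # AP1 becomes VC
    frames.append(build_garp(AP1, "192.0.2.20"))            # other IP: ignored
    frames.append(b"\x00" * 60)                             # not ARP: ignored
    frames += [build_garp(AP2, VC_IP)] * 3                  # AP2 takes over
    frames.append(build_garp(OTHER, VC_IP))                 # MAC outside cluster
    frames.append(build_garp(AP2, VC_IP, eth_src=OTHER))    # header/body differ
    return frames


if __name__ == "__main__":
    for verdict, mac in audit_vc_announcements(sample_frames(), VC_IP, [AP1, AP2]):
        print(f"{verdict:13s} {mac}")
```

In practice the frames would come from a capture on the management VLAN and the allowed list from the cluster's known W-IAP MAC addresses.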
Chapter 7 Mesh W-IAP Configuration

This chapter provides the following information:
- Mesh Network Overview on page 75
- Setting up Instant Mesh Network on page 76

Mesh Network Overview

The Dell W-Instant secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires. As traffic traverses across mesh W-IAPs, the mesh network automatically reconfigures around broken or blocked paths.
The mesh portal reboots after 5 minutes when it loses its uplink connectivity to a wired network.

Mesh Points

The mesh point establishes an all-wireless path to the mesh portal. The mesh point provides traditional WLAN services such as client connectivity, intrusion detection system (IDS) capabilities, user role association, and Quality of Service (QoS) for LAN-to-mesh communication to clients and performs mesh backhaul/network connectivity. Mesh point also supports LAN bridging.
Chapter 8 Wireless Network Profiles

This chapter provides the following information:
- Understanding Wireless Network Profiles on page 77
- Configuring WLAN Settings for an SSID Profile on page 78
- Configuring VLAN Settings for a WLAN SSID Profile on page 81
- Configuring Security Settings for a WLAN SSID Profile on page 82
- Configuring Access Rules for a WLAN SSID Profile on page 90
- Editing Status of a WLAN SSID Profile on page 91
- Configuring Additional WLAN SSIDs on page 91
- Editing
Configuring WLAN Settings for an SSID Profile
You can configure WLAN settings using Dell W-Instant UI or CLI.
In the Dell W-Instant UI
To configure WLAN settings:
1. In the Networks tab of the Instant main window, click the New link. The New WLAN window appears. The following figure shows the contents of WLAN Settings tab:
Figure 29 WLAN Settings Tab
2. Enter a name that uniquely identifies a wireless network in the Name (SSID) text box.
3.
• Specify the DTIM interval. The DTIM interval indicates the delivery traffic indication message (DTIM) period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the W-IAP should deliver the buffered broadcast and multicast frames to associated clients in the powersave mode. The default value is 1, which means the client checks for buffered data on the W-IAP at every beacon. You can also configure a higher DTIM value for power saving.
• Voice WMM share — Allocates bandwidth for voice traffic generated from the incoming and outgoing voice communication. In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for Best effort WMM share and Voice WMM share to allocate a higher bandwidth to clients transmitting best effort and voice traffic.
e.
(Instant Access Point)(SSID Profile)# max-clients-threshold
(Instant Access Point)(SSID Profile)# end
(Instant Access Point)# commit apply
Configuring VLAN Settings for a WLAN SSID Profile
VLAN configuration is required for networks with more devices and broadcast traffic on a WLAN. Based on the network type and its requirements, you can configure the VLAN settings.
VLAN Pooling
In a single W-IAP cluster, a large number of clients can be assigned to the same VLAN.
2. Select any of the following options for Client IP assignment:
• Virtual Controller assigned — On selecting this option, the client obtains the IP address from the Virtual Controller. The Virtual Controller creates a private subnet and VLAN on the W-IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network.
• Configuring Security Settings for Guest Network
If you are creating a new SSID profile, configure the WLAN and VLAN settings before defining security settings. For more information, see Configuring WLAN Settings for an SSID Profile on page 78 and Configuring VLAN Settings for a WLAN SSID Profile on page 81.
Configuring Security Settings for an Employee or Voice Network
You can configure security settings for an employee or voice network by using the Dell W-Instant UI or CLI.
• Dynamic WEP with 802.1X
2. If you do not want to use a session key from the RADIUS Server to derive pairwise unicast keys, set Session Key for LEAP to Enabled. This is required for old printers that use dynamic WEP through Lightweight Extensible Authentication Protocol (LEAP) authentication. The Session Key for LEAP feature is Disabled by default.
3. To terminate the EAP portion of 802.1X authentication on the W-IAP instead of the RADIUS server, set Termination to Enabled.
• Perform MAC authentication before 802.1X — Select this check box to use 802.1X authentication only when the MAC authentication is successful.
• MAC authentication fail-thru — On selecting this check box, the 802.1X authentication is attempted when the MAC authentication fails.
10. Click Upload Certificate and browse to upload a certificate file for the internal server. For more information on certificates, see Uploading Certificates on page 151.
11. Click Next to configure access rules.
3. To configure MAC authentication, set MAC authentication to Enabled. When it is Enabled, configure at least one RADIUS server as the authentication server.
4. Configure an authentication server by using the Authentication server 1 drop-down list:
• Select an authentication server from the list if external servers are already configured.
Figure 33 Security Tab: Open
To configure settings for the open security level:
1. To enable MAC authentication, select Enabled from the MAC authentication drop-down list. When it is Enabled, configure at least one RADIUS server as the authentication server.
a. Select the required type of authentication server from the Authentication server 1 drop-down list.
• New — If you select this option, an external RADIUS server has to be configured to authenticate the users.
(Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access association} (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access Point)(SSID Point)(SSID Point)(SSID Point)(SSID Point)(SSID Point)(SSID Point)(SSID Point)(SSID Point)(SSID Point)(SSID Point)(SSID Profile)# Profile)# Profile)# Profile)# Profile
1. Select any of the following options for the Splash Page Type drop-down:
• Internal - Authenticated
• Internal - Acknowledged
• External-RADIUS
• External - Authentication Text
• None
The guest users are required to accept the terms and conditions and enter a username and password on the captive portal page. If you are configuring a splash page, ensure that the users who are required to use the captive portal authentication are added to the user database.
(Instant Access Point)# commit apply
Configuring Access Rules for a WLAN SSID Profile
If you are creating a new SSID profile, complete the WLAN Settings and configure VLAN and security parameters, before defining access rules. For more information, see Configuring WLAN Settings for an SSID Profile on page 78, Configuring VLAN Settings for a WLAN SSID Profile on page 81, and Configuring Security Settings for a WLAN SSID Profile on page 82.
To configure a pre-authentication role:
(Instant Access Point)(config)# wlan ssid-profile
(Instant Access Point)(SSID Profile)# set-role-pre-auth
(Instant Access Point)(SSID Profile)# end
(Instant Access Point)# commit apply
To configure machine and user authentication roles
(Instant Access Point)(config)# wlan ssid-profile
(Instant Access Point)(SSID Profile)# set-role-machine-auth
The number of SSIDs that become active on each W-IAP depends on the W-IAP platform.
Enabling the Extended SSID
Enabling the Extended SSID option disables mesh. You can configure additional SSIDs by using the Dell W-Instant UI or CLI.
In the Dell W-Instant UI
1. Click the System link at top right corner of the Instant main window.
2. Click the Show advanced options link.
3. In the General tab, select Enabled from the Extended SSID drop-down list.
4. Click OK.
5.
Chapter 9 Uplink Configuration
This chapter provides the following information:
• Uplink Interfaces
• Ethernet Uplink
• 3G/4G Uplink
• Wi-Fi Uplink
• Uplink Preferences and Switching
Uplink Interfaces
Dell W-Instant network supports Ethernet, 3G and 4G USB modems, and the Wi-Fi uplink to provide access to the corporate Instant network.
Ethernet Uplink
The Ethernet 0 port on a W-IAP is enabled as an uplink port by default. You can view the type of uplink and the status of the uplink in the Dell W-Instant UI in the Info tab.
Figure 35 Uplink Status
Ethernet uplink supports the following types of configuration in this Instant release.
• PPPoE
• DHCP
• Static IP
You can use PPPoE for your uplink connectivity in both W-IAP and IAP-VPN deployments. PPPoE is supported only in a single AP deployment. Uplink redundancy with the PPPoE link is not supported. When the Ethernet link is up, it is used as a PPPoE or DHCP uplink. After the PPPoE settings are configured, PPPoE has the highest priority for the uplink connections.
(Instant Access Point)(pppoe-uplink-profile)# pppoe-unnumbered-local-l3-dhcp-profile
(Instant Access Point)(pppoe-uplink-profile)# end
(Instant Access Point)# commit apply
To view the PPPoE configuration:
(Instant Access Point)# show pppoe config
PPPoE Configuration
------------------
Type                     Value
----                     -----
User                     testUser
Password                 3c28ec1b82d3eef0e65371da2f39c4d49803e5b2bc88be0c
Service name             internet03
CHAP secret              8e87644deda9364100719e017f88ebce
Unnumbered dhcp profile  dhcpProfile1
To view the PP
Table 15: List of Supported 3G Modems
Modem Type | Supported 3G Modems
Auto-detect + ISP/country
Table 15: List of Supported 3G Modems Modem Type Supported 3G Modems l l l l l l l l l l l l l l No auto-detect l l Huawei E1731 (Airtel-3G (India)) Huawei E3765 (Vodafone (Aus)) Huawei E3765 (T-Mobile (Germany) Huawei E1552 (SingTel) Huawei E1750 (T-Mobile (Germany)) UGM 1831 (TMobile) Huawei D33HW (EMOBILE(Japan)) Huawei GD01 (EMOBILE(Japan)) Huawei EC150 (Reliance NetConnect+ (India)) KDDI DATA07(Huawei) (KDDI (Japan)) Huawei E353 (China Unicom) Huawei EC167 (China Telecom) Huawei E367 (Vodafone (UK)
• For 4G — Enter the type of 4G modem in the 4G USB type text box.
c. Enter the device ID of modem in the USB dev text box.
d. Enter the TTY port of the modem in the USB tty text box.
e. Enter the parameter to initialize the modem in the USB init text box.
f. Enter the parameter to dial the cell tower in the USB dial text box.
g. Enter the username used to dial the ISP in the USB user text box.
h. Enter the password used to dial the ISP in the USB password text box.
i.
(Instant Access Point)(cellular-uplink-profile)# usb-init
(Instant Access Point)(cellular-uplink-profile)# usb-dial
(Instant Access Point)(cellular-uplink-profile)# end
(Instant Access Point)# commit apply
To view the cellular configuration:
(Instant Access Point)# show cellular config
USB Plugged in: Vendor_ID=0 Product_ID=0
cellular configure
-----------------
Type         Value
----         -----
4g-usb-type  pantech-lte
usb-type
usb-dev      test
usb-tty
usb-init
usb-user
usb-passwd
• If the Wi-Fi uplink is used on the 5 GHz band, mesh is disabled. The two links are mutually exclusive.
• For W-IAPs to connect to an ArubaOS based WLAN using Wi-Fi uplink, the mobility controller must run ArubaOS 6.2.1.0 or later.
To provision a W-IAP with the Wi-Fi Uplink, complete the following steps:
1. If you are configuring a Wi-Fi uplink after restoring factory settings on a W-IAP, connect the W-IAP to an Ethernet cable to allow the W-IAP to get the IP address. Otherwise, go to step 2.
2.
• Enforcing Uplinks
• Setting an Uplink Priority
• Enabling Uplink Preemption
• Switching Uplinks Based on VPN and Internet Availability
• Viewing Uplink Status and Configuration
Enforcing Uplinks
The following configuration conditions apply to the uplink enforcement:
• When an uplink is enforced, the W-IAP uses the specified uplink regardless of uplink preemption configuration and the current uplink status.
(Instant Access Point)(uplink)# uplink-priority {cellular | ethernet | [port ]|wifi }
(Instant Access Point)(uplink)# end
(Instant Access Point)# commit apply
For example, to set a priority for Ethernet uplink:
(Instant Access Point)(uplink)# uplink-priority ethernet port 0 1
(Instant Access Point)(uplink)# end
(Instant Access Point)# commit apply
Enabling Uplink Preemption
The following configuration conditions apply to uplink preemption:
• Pre
when the VPN connection is not available for 3 minutes, the uplink switches to another available connection (if a low priority uplink is detected and the uplink preference is set to none).
Switching Uplinks Based on Internet Availability
You can configure Dell W-Instant to switch uplinks based on Internet availability. When the uplink switchover based on Internet availability is enabled, the W-IAP continuously sends ICMP packets to some well-known Internet servers.
-------- -------- -----
eth0      UP    0  Yes
Wifi-sta  LOAD  6  No
3G/4G     INIT  7  No
Internet failover :disable
Max allowed test packet loss:10
Secs between test packets :30
VPN failover timeout (secs) :180
ICMP pkt sent :0
ICMP pkt lost :0
Continuous pkt lost :0
VPN down time :0
Instant Access Point# show uplink config
Uplink preemption :enable
Uplink enforce :none
Ethernet uplink bond0 :DHCP
Internet failover :disable
Max allowed test packet loss:10
Secs between test packets :30
VPN failover timeout (secs) :180
Chapter 10 Wired Profiles
This chapter describes the following procedures:
• Configuring a Wired Profile
• Assigning a Profile to Ethernet Ports
• Understanding Hierarchical Deployment
• Configuring Wired Bridging on Ethernet 0
• Editing a Wired Profile
• Deleting a Wired Profile
Configuring a Wired Profile
To configure a wired profile using Dell W-Instant UI, complete the following procedures:
1.
c. Speed/Duplex — Ensure that appropriate values are selected for Speed/Duplex. Contact your network administrator if you need to assign speed and duplex parameters.
d. POE — Set POE to Enabled to enable Power over Ethernet. The E2 port on W-IAP3WNP supports Power Sourcing Equipment (PSE) to supply power to any compliant 802.3af powered (class 0-4) device. W-IAP155P supports PSE for 802.3af powered device (class 0-4) on one port (E1 or E2), or 802.3at powered DC IN (Power Socket) on two ports (E1 and E2).
e.
all client traffic that goes through this interface. The Virtual Controller can also assign a guest VLAN to a wired client.
• Network Assigned: Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.
c. If the Trunk mode is selected:
• Specify the Allowed VLAN: enter a list of comma-separated digits or ranges (for example, 1,2,5 or 1-4), or all.
1. Configure the following parameters in the Security tab.
• MAC authentication — To enable MAC authentication, select Enabled. The MAC authentication is disabled by default.
• 802.1X authentication — To enable 802.1X authentication, select Enabled.
• MAC authentication fail-thru — To enable authentication fail-thru, select Enabled. When this feature is enabled, 802.1X authentication is attempted when MAC authentication fails.
2. Configure the authentication parameters based on the Splash Page Type selected. For more information, see Configuring Captive Portal Authentication on page 137. 3. Click Next to configure access rules.
If Enforce Machine Authentication is enabled, both the device and the user must be authenticated for the role assignment rule to apply. 2. Click Finish.
• One downlink port configured on a private VLAN without authentication for connecting to slave APs. Ensure that the downlink port configured in a private VLAN is not used for any wired client connection. Other downlink ports can be used for connecting to the wired clients.
The following figure illustrates a hierarchical deployment scenario:
Figure 37 Hierarchical Deployment
Configuring Wired Bridging on Ethernet 0
Instant supports wired bridging on the Ethernet 0 port of a W-IAP.
Assigning a Profile to Ethernet Ports
You can assign profiles to Ethernet ports using Dell W-Instant UI or CLI.
In the Dell W-Instant UI
To assign profiles to Ethernet ports:
1. Click the Wired link under More at the top right corner of the Dell W-Instant main window. The Wired window is displayed.
2. To assign an Ethernet downlink profile to Ethernet 0 port:
a. Ensure that the wired bridging on the port is enabled. For more information, see Configuring Wired Bridging on Ethernet 0 on page 113.
b.
Chapter 11 Authentication
This chapter provides the following information:
• Understanding Authentication Methods
• Supported Authentication Servers
• Understanding Encryption Types
• Understanding Authentication Survivability
• Configuring Authentication Servers
• Configuring Authentication Parameters for Virtual Controller Management Interface
• Configuring Users
• Configuring 802.
authentication is attempted. If 802.1X authentication is successful, the client is assigned an 802.1X authentication role. If 802.1X authentication fails, the client is assigned a deny-all role or mac-auth-only role.
• MAC authentication only role - Allows you to create a mac-auth-only role to allow role-based access rules when MAC authentication is enabled for 802.1X authentication. The mac-auth-only role is assigned to a client when the MAC authentication is successful and 802.1X authentication fails.
Supported Authentication Servers Based on the security requirements, you can configure internal or external RADIUS servers.
• EAP-PEAP (MSCHAPv2) — EAP-PEAP is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with the server. The PEAP authentication creates an encrypted SSL / TLS tunnel between the client and the authentication server. Exchange of information is encrypted and stored in the tunnel ensuring the user credentials are kept secure.
• Acct-Output-Packets
• Acct-Session-Id
• Acct-Session-Time
• Acct-Status-Type
• Acct-Terminate-Cause
• Acct-Tunnel-Packets-Lost
• Add-Port-To-IP-Address
• Aruba-AP-Group
• Aruba-AP-Name
• Aruba-AS-Credential-Hash
• Aruba-AS-User-Name
• Aruba-Admin-Role
• Aruba-AirGroup-Device-Type
• Aruba-AirGroup-Shared-Role
• Aruba-AirGroup-Shared-User
• Aruba-AirGroup-User-Name
• Aruba-Auth-Survivability
• Aruba-CPPM-Role
• Aruba-Device-Type
• Aruba-Essid-Name
• Aruba-Framed-IPv6
• Connect-Info
• Connect-Rate
• Crypt-Password
• DB-Entry-State
• Digest-Response
• Domain-Name
• EAP-Message
• Error-Cause
• Event-Timestamp
• Exec-Program
• Exec-Program-Wait
• Expiration
• Fall-Through
• Filter-Id
• Framed-AppleTalk-Link
• Framed-AppleTalk-Network
• Framed-AppleTalk-Zone
• Framed-Compression
• Framed-IP-Address
• Framed-IP-Netmask
• Framed-IPX-Network
• Framed-IPv6-Pool
• Framed-IPv6-Prefix
• Framed-IPv6-Route
• Framed-Interface-Id
• Fra
• Message-Auth
• NAS-IPv6-Address
• NAS-Port-Type
• Password
• Password-Retry
• Port-Limit
• Prefix
• Prompt
• Rad-Authenticator
• Rad-Code
• Rad-Id
• Rad-Length
• Reply-Message
• Revoke-Text
• Server-Group
• Server-Name
• Service-Type
• Session-Timeout
• Simultaneous-Use
• State
• Strip-User-Name
• Suffix
• Termination-Action
• Termination-Menu
• Tunnel-Assignment-Id
• Tunnel-Client-Auth-Id
• Tunnel-Client-Endpoint
• Tunnel-Connection-Id
• Tunnel-Med
Instant supports the following types of encryption:
• WEP — Wired Equivalent Privacy (WEP) is an authentication method where all users share the same key. WEP is not as secure as other encryption types such as TKIP.
• TKIP — Temporal Key Integrity Protocol (TKIP) uses the same encryption algorithm as WEP. However, TKIP is more secure and has an additional message integrity check (MIC).
Network Type | Authentication | Encryption
Guest Network | Captive Portal | None
Voice Network or Handheld devices | 802.1X or PSK as supported by the device | AES if possible, TKIP or WEP if necessary (combine with security settings assigned for a user role).
Understanding Authentication Survivability
The authentication survivability feature supports authorization survivability against remote link failure for Mobility Controllers when working with Dell Networking W-ClearPass Policy Manager (CPPM).
Figure 39 802.1X Authentication using cached credentials
The following figure illustrates a scenario where the CPPM link is available again. The W-IAP sends the RADIUSRequest message to the CPPM server directly for client authentication.
Figure 40 802.1X Authentication when CPPM is reachable again
You can enable authentication survivability for a wireless network profile when configuring enterprise security parameters. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 82.
Figure 41 New Authentication Server Window
3. Configure any of the following types of server:
• RADIUS Server — To configure a RADIUS server, specify the attributes described in the following table:
Table 19: RADIUS Server Configuration Parameters
Parameter | Description
Name | Enter the name of the new external RADIUS server.
IP address | Enter the IP address of the external RADIUS server.
Auth port | Enter the authorization port number of the external RADIUS server. The default port number is 1812.
Parameter | Description
RFC 3576 | Select Enabled to allow the APs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server. Disconnect messages cause a user session to be terminated immediately, whereas the CoA messages modify session authorization attributes such as data filters.
NAS IP address | Enter the Virtual Controller IP address. The NAS IP address is the Virtual Controller IP address that is sent in data packets.
Table 21: CPPM Server Configuration Parameters for AirGroupCoA
Parameter | Description
Name | Enter the name of the server.
IP address | Enter the IP address of the server.
Air Group CoA port | Enter a port number for sending AirGroup CoA on a different port than on the standard CoA port. The default value is 5999.
Shared key | Enter a shared key for communicating with the external RADIUS server.
Retype key | Re-enter the shared key.
4. Click OK.
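The RFC 3576 and Shared key parameters above work together: a Disconnect or CoA request is trusted only because its authenticator field is an MD5 digest keyed with the shared key. The following Python sketch is an added example, not Dell or Aruba code, showing the checks a receiver applies before acting on such a request. The function names, the sample key and the strict requirement for an Event-Timestamp attribute are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 3576: a NAS accepts only the two request types.
REQUEST_CODES = {40: "Disconnect-Request", 43: "CoA-Request"}
# Standard RADIUS attribute numbers used in this example.
ATTR_NAMES = {1: "User-Name", 11: "Filter-Id", 31: "Calling-Station-Id",
              44: "Acct-Session-Id", 55: "Event-Timestamp"}
REPLAY_WINDOW = 300  # seconds; the default window the RFC recommends


def request_authenticator(code, ident, attrs, secret):
    """MD5 over Code, Identifier, Length, 16 zero octets, attributes, shared key."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def encode_attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_request(code, ident, attrs, secret):
    """Build a signed request as a RADIUS server would (used for the samples)."""
    auth = request_authenticator(code, ident, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("attribute length out of bounds")
        out.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def validate_request(packet, secret, now):
    """Return a dict for an authentic, fresh request; raise ValueError otherwise."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in REQUEST_CODES:
        raise ValueError("not a Disconnect-Request or CoA-Request")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs_raw = packet[20:length]  # octets past Length are padding and ignored
    expected = request_authenticator(code, ident, attrs_raw, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch (wrong shared key or tampering)")
    attrs = {}
    for attr_type, value in parse_attributes(attrs_raw):
        attrs[ATTR_NAMES.get(attr_type, str(attr_type))] = value
    # Policy assumed by this example: no timestamp means replay cannot be ruled out.
    stamp = attrs.get("Event-Timestamp")
    if stamp is None or len(stamp) != 4:
        raise ValueError("missing Event-Timestamp, cannot rule out replay")
    if abs(now - struct.unpack("!I", stamp)[0]) > REPLAY_WINDOW:
        raise ValueError("stale Event-Timestamp (possible replay)")
    effect = "terminate session" if code == 40 else "change authorization"
    return {"type": REQUEST_CODES[code], "id": ident, "effect": effect, "attrs": attrs}


# Constructed sample data (not taken from a real deployment).
SECRET = b"constructed-shared-key"
NOW = 1_700_000_000
SAMPLE_ATTRS = (encode_attr(1, b"guest01")
                + encode_attr(31, b"00-11-22-33-44-55")
                + encode_attr(55, struct.pack("!I", NOW - 5)))
SAMPLE_DISCONNECT = build_request(40, 7, SAMPLE_ATTRS, SECRET)

if __name__ == "__main__":
    print(validate_request(SAMPLE_DISCONNECT, SECRET, NOW))
```

Because the digest covers every attribute, a request altered in transit or signed with a different key is rejected before any attribute is interpreted.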
(Instant Access Point)(Auth Server )# ip
(Instant Access Point)(Auth Server )# key
(Instant Access Point)(Auth Server )# cppm-rfc3576-port
(Instant Access Point)(Auth Server )# cppm-rfc3576-only
(Instant Access Point)(Auth Server )# end
(Instant Access Point)# commit apply
Enabling RADIUS Server Support
You can enable RADIUS Server Support using Dell W-Instant UI or CLI.
Figure 42 Admin Tab: Management Authentication Parameters
3. Under Local, select any of the following options from the Authentication drop-down list:
• Internal — Select this option to specify a single set of user credentials. Enter the Username and Password for accessing the Virtual Controller Management User Interface.
• RADIUS Server — Specify one or two RADIUS servers to authenticate clients. If two servers are configured, users can use them in primary or backup mode or load balancing mode.
Configuring Users
The Dell W-Instant user database consists of a list of guest and employee users. Addition of a user involves specifying login credentials for a user. The login credentials for these users are provided outside the Dell W-Instant system. A guest user can be a visitor who is temporarily using the enterprise network to access the Internet.
7. To edit user settings:
a. Select the user to modify under Users.
b. Click Edit to modify user settings.
c. Click OK.
8. To delete a user:
a. In the Users section, select the username to delete.
b. Click Delete.
c. Click OK.
9. To delete all or multiple users at a time:
a. Select the usernames that you want to delete.
b. Click Delete All.
c. Click OK.
Deleting a user only removes the user record from the user database, and will not disconnect the online user associated with the username.
In the Dell W-Instant UI
To enable 802.1X authentication for a wireless network:
1. In the Network tab, click New to create a new network profile or select an existing profile for which you want to enable 802.1X authentication and click edit.
2. In the Edit or New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
3. In the Security tab, specify the following parameters for the Enterprise security level:
a.
2. Click New under Wired Networks to create a new network or select an existing profile for which you want to enable 802.1X authentication and then click Edit.
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4. In the Security tab, select Enabled from the 802.1X authentication drop-down list.
5. Specify the type of authentication server to use and configure other required parameters.
(Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant Access Access Access Access Access Access Access Access Access Point)(SSID Profile )# Point)(SSID Profile )# Point)(SSID Profile )# Point)(SSID Profile )# Point)(SSID Profile )# Point)(SSID Profile )# Point)(SSID Profile )# Point)(SSID Profile )# Point)# commit apply type { | | } mac-authentication external-server auth-server auth-server <
1. In the Network tab, click New to create a new network profile or select an existing profile for which you want to enable MAC and 802.1X authentication and click edit.
2. In the Edit or New WLAN window, ensure that all required WLAN and VLAN attributes are defined, and then click Next.
3. In the Security tab, ensure that the required parameters for MAC authentication and 802.1X authentication are configured.
4. Select the Perform MAC authentication before 802.1X check box to use 802.
(Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant Access Access Access Access Access Access Access Access Point)(wired ap profile Point)(wired ap profile Point)(wired ap profile Point)(wired ap profile Point)(wired ap profile Point)(wired ap profile Point)(wired ap profile Point)# commit apply )# )# )# )# )# )# )# mac-authentication dot1x l2-auth-failthrough auth-server server-l
• Internal - Acknowledged
b. Select Enabled from the WISPr drop-down list to enable the WISPr authentication for Internal Authenticated splash page. For more information on WISPr authentication, see Configuring WISPr Authentication on page 148.
c. Select Enabled from the MAC authentication drop-down list to enable the MAC authentication. For information on MAC authentication, see Configuring MAC Authentication for a Network Profile on page 134.
d.
In the Instant UI
To configure internal captive portal authentication for a wired profile:
1. Click the Wired link under More at the top right corner of the Dell W-Instant main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network or select an existing profile for which you want to enable 802.1X authentication and then click Edit.
3.
The customized splash page design applies to all SSID splash pages. You can customize a splash page for internal captive portal using Dell W-Instant UI or CLI.
In the Dell W-Instant UI
1. Select an existing wireless or wired profile. Depending on the network profile selected, the Edit or Edit Wired Network window is displayed. You can also customize splash page design in the Security tab of New WLAN and New Wired Network windows when configuring a new profile.
2.
Configuring External Captive Portal Authentication for a Network Profile
You can configure external captive portal authentication for a network profile when adding or editing a guest network using Dell W-Instant UI or CLI.
In the Dell W-Instant UI
1. Select an existing wireless or wired profile. Depending on the network profile selected, the Edit or Edit Wired Network window is displayed.
Table 22: External Captive Portal Configuration Parameters
Parameter | Description
Disable if uplink type is | Select the type of the uplink to exclude.
External Splash Page | Specify the following parameters:
• IP or hostname — Enter the IP address or the hostname of the external splash page server.
• URL — Enter the URL for the external splash page server.
(Instant Access Point)(External Captive Portal)# server-fail-through
(Instant Access Point)(External Captive Portal)# end
(Instant Access Point)# commit apply
To enable automatic whitelisting of URLs:
(Instant Access Point)(config)# wlan external-captive-portal
(Instant Access Point)(External Captive Portal)# no auto-whitelist-disable
(Instant Access Point)(External Captive Portal)# end
(Instant Access Point)# commit apply
Disabling Captive Portal Authentication
To disable captive portal authentication,
b. Enter /page_name.php in the URL field. This URL must correspond to the Page Name configured in the ClearPass Guest RADIUS Web Login page. For example, if the Page Name is Dell, the URL should be /Dell.php in the Instant UI.
c. Enter the Port number (generally should be 80). The ClearPass Guest server uses this port for HTTP services.
d. To create an external RADIUS server, select New from the Authentication server 1 drop-down list.
Figure 44 Captive Portal Rule for Internal Acknowledged Splash Page
Figure 45 Captive Portal Rule for External Authentication Text Splash Page
Table 23: New Access Rule Configuration Parameters
Field | Description
Rule type | Select Captive Portal from the drop-down list.
Splash Page Type | Select any of the following attributes:
• Select Internal to configure a rule for internal captive portal authentication.
• Select External to configure a rule for external captive portal authentication.
Field Description l l l l l asks for user credentials or email, depending on the splash page type configured To change the color of the splash page, click the Splash page rectangle and select the required color from the Background Color palette. To change the welcome text, click the first square box in the splash page, type the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
• If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and MAC authentication is enabled, a server configuration page is displayed.
• If the captive portal splash page type is none, MAC authentication is disabled.
• MAC authentication only role — You can use the WLAN wizard to configure the mac-auth-only role in the role-based access rule configuration section when MAC authentication is enabled with captive portal authentication.
Configuring Walled Garden Access
On the Internet, a walled garden typically controls access to web content and services. The Walled garden access is required when an external captive portal is used. For example, a hotel environment where the unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all its contents. The users who do not sign up for the Internet service can view the “allowed” Websites (typically hotel property Websites).
These smart clients enable client authentication and roaming between hotspots by embedding iPass Generic Interface Specification (GIS) redirect, authentication, and logoff messages within HTML messages that are sent to the W-IAP. WISPr authentication is supported only for the Internal - Authenticated and External - RADIUS Server captive portal authentication.
(Instant Access Point)# commit apply
Blacklisting Clients
The client blacklisting denies connection to the blacklisted clients. When a client is blacklisted, it is not allowed to associate with a W-IAP in the network. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force client disconnection.
(Instant Access Point)# show blacklist-client config
Blacklist Time :60
Auth Failure Blacklist Time :60
Manually Blacklisted Clients
----------------------------
MAC  Time
---  ----
Dynamically Blacklisted Clients
-------------------------------
MAC  Reason  Timestamp  Remaining time(sec)  AP IP
---  ------  ---------  ------------------  -----
Dyn Blacklist Count :0
Blacklisting Clients Manually
Manual blacklisting adds the MAC address of a client to the blacklist. These clients are added into a permanent blacklist.
• CA certificate: PEM or DER format
This section describes the following procedures:
• Loading Certificates using Dell W-Instant UI
• Loading Certificates using W-AirWave
Loading Certificates using Dell W-Instant UI
To load a certificate in the Dell W-Instant UI:
1. Click the Maintenance link at the top right corner of the Instant main window.
2. Click the Certificates tab. The Certificates tab contents are displayed.
Loading Certificates using W-AirWave You can manage certificates using the W-AirWave. The AMP directly provisions the certificates and performs basic certificate verification (such as certificate type, format, version, serial number and so on), before accepting the certificate and uploading to a W-IAP network. The AMP packages the text of the certificate into an HTTPS message and sends it to the Virtual Controller.
Figure 50 Selecting the Group
The Virtual Controller Certificate section displays the certificates (CA cert and Server).
5. Click Save to apply the changes only to W-AirWave. Click Save and Apply to apply the changes to the W-IAP.
6. To clear the certificate options, click Revert.
Chapter 12 Roles and Policies This chapter describes the procedures for configuring user roles, role assignment, and firewall policies.
Service    Description
custom     Available options are TCP, UDP, and Other. If you select the TCP or UDP options, enter appropriate port numbers. If you select the Other option, enter the appropriate ID.
adp        Application Distribution Protocol
bootp      Bootstrap Protocol
dhcp       Dynamic Host Configuration Protocol
dns        Domain Name Server
esp        Encapsulating Security Payload
ftp        File Transfer Protocol
gre        Generic Routing Encapsulation
h323-tcp   H.323-Transmission Control Protocol
h323-udp   H.
Service    Description
pptp       Point-to-Point Tunneling Protocol
rtsp       Real Time Streaming Protocol
sccp       Skinny Call Control Protocol
sip        Session Initiation Protocol
sip-tcp    Session Initiation Protocol-Transmission Control Protocol
sip-udp    Session Initiation Protocol-User Datagram Protocol
smb-tcp    Server Message Block-Transmission Control Protocol
smb-udp    Server Message Block-User Datagram Protocol
smtp       Simple mail transfer protocol
snmp       Simple network management protocol
snmp-trap  Simple ne
QoS for Microsoft Office OCS and Apple Facetime
Voice and video devices use a signaling protocol to establish, control, and terminate voice and video calls. These control or signaling sessions are usually permitted using pre-defined ACLs. If the control signaling packets are encrypted, the W-IAP cannot determine which dynamic ports are used for voice or video traffic.
Table 27: Access Rule Configuration Parameters
Field      Description
Rule type  Select a rule type, for example Access control, from the drop-down list.
Action     Select any of the following attributes:
           - Select Allow to allow access to users based on the access rule.
           - Select Deny to deny access to users based on the access rule.
           - Select Destination-NAT to allow changes to the destination IP address.
           - Select Source-NAT to allow changes to the source IP address.
You can also configure source based routing to allow client traffic on one SSID to reach the Internet through the corporate network, while the other SSID can be used as an alternate uplink.
Enabling Source NAT
To enable source NAT:
1. Select an existing wireless or wired profile. Depending on the network profile selected, the Edit or Edit Wired Network window is displayed.
a. Select Allow from the Action drop-down list.
b. Select pop3 from the Service drop-down list.
c. Select to a particular server from the Destination drop-down list and enter the appropriate IP address in the IP text box.
d. Click OK.
4. Click Finish.
Allow TCP Service to a Particular Network
To allow TCP service to a particular server:
1. Select an existing wireless or wired profile. Depending on the network profile selected, the Edit or Edit Wired Network window is displayed.
1. Select an existing wireless or wired profile. Depending on the network profile selected, the Edit or Edit Wired Network window is displayed. You can also configure access rules in the Access tab of the New WLAN and New Wired Network windows when configuring a new profile.
2. In the Access tab, slide to Network-based using the scroll bar to specify access rules for the network.
3. Click New to add a new rule. The New Rule window is displayed.
a. Select Deny from the Action drop-down list.
4. Click OK.
When the protocols for ALG are Disabled, the changes do not take effect until the existing user sessions expire. Reboot the W-IAP and the client, or wait a few minutes for the changes to take effect.
3. To configure protection against security attacks, select the following check boxes:
- Select Drop bad ARP to enable the W-IAP to drop the fake ARP packets.
- Select Fix malformed DHCP to enable the W-IAP to fix the malformed DHCP packets.
- Select ARP poison check to enable the W-IAP to trigger an alert notifying the user about the ARP poisoning that may have been caused by the rogue APs.
4. Click OK.
arp packet counter               0
drop bad arp packet counter      0
dhcp response packet counter     0
fixed bad dhcp packet counter    0
send arp attack alert counter    0
send dhcp attack alert counter   0
arp poison check counter         0
garp send check counter          0
Using Advanced Expressions in Role and VLAN Derivation Rules
For complex policies of role and VLAN derivation using device DHCP fingerprints, you can use a regular expression to match against the combined string of the MAC address and the DHCP options.
Operator  Description
|         Matches the character patterns on either side of the vertical bar. You can use this expression to construct a series of options.
\<        Matches the beginning of the word. For example, \
\>        Matches the end of the word. For example, \>list matches blacklist, whitelist, and so on.
{n}       Where n is an integer. Matches the declared element exactly n times. For example, {2}link matches uplink, but not downlink.
In the CLI
To configure user roles and access rules:
(Instant Access Point)(config)# wlan access-rule
(Instant Access Point)(Access Rule )# rule {permit |deny | src-nat | dst-nat { | }} []
Configuring Machine and User Authentication Roles
You can assign different rights to clients based on whether their hardware device supports machine authentication.
l Understanding Role Assignment Rules on page 168 l Extended Voice and Video Functionality on page 157 l Creating a Role Derivation Rule on page 168 Understanding Role Assignment Rules MAC-Address Attribute The first three octets in a MAC address are known as Organizationally Unique Identifier (OUI), and are purchased from the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority.
You can create role assignment rules by using the Dell W-Instant UI or CLI.
In the Dell W-Instant UI
1. In the WLAN (Network>New>New WLAN or Network>edit>Edit ) window or Wired Network configuration (Wired>New>New Wired Network or Wired>Edit>Edit Wired Network) window, click the Access tab.
2. Under Role Assignment Rules, click New.
Configuring VLAN Assignment Rules This section describes the following procedures: l Understanding VLAN Assignment on page 170 l Configuring VLAN Derivation Rules on page 172 l Configuring a User Role for VLAN Derivation on page 173 Understanding VLAN Assignment You can assign VLANs to a client based on the following configuration conditions: l The default VLAN configured for the WLAN can be assigned to a client.
Figure 52 Configure VSA on a RADIUS Server VLAN Derivation Rule When an external RADIUS server is used for authentication, the RADIUS server may return a reply message for authentication. If the RADIUS server supports return attributes, and sets an attribute value to the reply message, the W-IAP can analyze the return message and match attributes with a user pre-defined VLAN derivation rule. If the rule is matched, the VLAN value defined by the rule is assigned to the user.
User Role
If the VSA and VLAN derivation rules do not match, the user VLAN can be derived by a user role.
VLANs Created for an SSID
If the VSA and VLAN derivation rules do not match, and the User Role does not contain a VLAN, the user VLAN can be derived by VLANs configured for an SSID or Ethernet port profile.
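The fallback order described above (VSA, then VLAN derivation rule, then user role, then the VLAN configured for the SSID) can be modelled to predict and audit which source decides a client's VLAN. This is an added example, not code from the guide or the product; the first-match rule order, the handling of missing attributes, and the sample attribute names and values are assumptions.

```python
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence, Tuple

# String operators that appear in the guide's rule syntax.
OPERATORS = {
    "equals": lambda value, operand: value == operand,
    "not-equals": lambda value, operand: value != operand,
    "starts-with": lambda value, operand: value.startswith(operand),
    "ends-with": lambda value, operand: value.endswith(operand),
    "contains": lambda value, operand: operand in value,
}


@dataclass(frozen=True)
class DerivationRule:
    attribute: str  # RADIUS reply attribute the rule inspects
    operator: str   # one of OPERATORS
    operand: str    # string to compare the attribute value against
    vlan: int       # VLAN assigned when the rule matches

    def __post_init__(self):
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator: {self.operator}")
        if not 1 <= self.vlan <= 4094:
            raise ValueError(f"VLAN ID out of range: {self.vlan}")


def first_matching_rule(rules: Sequence[DerivationRule],
                        reply_attrs: Mapping[str, str]) -> Optional[DerivationRule]:
    """Return the first rule that matches the RADIUS reply, or None."""
    for rule in rules:  # assumption: rules are evaluated in configured order
        value = reply_attrs.get(rule.attribute)
        # Assumption: a rule never matches an attribute the server did not
        # return, so "not-equals" cannot fire on a missing attribute.
        if value is not None and OPERATORS[rule.operator](value, rule.operand):
            return rule
    return None


def resolve_vlan(reply_attrs: Mapping[str, str],
                 vsa_vlan: Optional[int],
                 rules: Sequence[DerivationRule],
                 role_vlan: Optional[int],
                 ssid_vlan: int) -> Tuple[int, str]:
    """Return (vlan, source) using VSA > derivation rule > user role > SSID."""
    if vsa_vlan is not None:
        return vsa_vlan, "vsa"
    rule = first_matching_rule(rules, reply_attrs)
    if rule is not None:
        return rule.vlan, "derivation-rule"
    if role_vlan is not None:
        return role_vlan, "user-role"
    return ssid_vlan, "ssid"


if __name__ == "__main__":
    # Constructed sample rules and RADIUS replies, for illustration only.
    sample_rules = [
        DerivationRule("Filter-Id", "starts-with", "guest", 30),
        DerivationRule("Class", "contains", "eng", 40),
    ]
    samples = [
        ({"Filter-Id": "guest-lobby"}, 200),   # VSA present: VSA wins
        ({"Filter-Id": "guest-lobby"}, None),  # first rule matches
        ({"Class": "dept-eng"}, None),         # second rule matches
        ({"Filter-Id": "staff"}, None),        # no rule matches: role VLAN
    ]
    for attrs, vsa in samples:
        print(attrs, vsa, resolve_vlan(attrs, vsa, sample_rules, 20, 10))
```

Recording the source next to the VLAN shows during a review when a value returned by the RADIUS server, rather than the local role or SSID configuration, decided the segment a client landed in.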
- matches-regular-expression — The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute drop-down. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for the WLAN clients.
5. Enter the string to match in the String field.
6. Select the appropriate VLAN ID from the VLAN drop-down list.
7. Click OK.
8.
Figure 55 Configuring User Role for VLAN Derivation
8. Click OK.
In the CLI
To create a VLAN role:
(Instant Access Point)(config)# wlan access-rule
(Instant Access Point)(Access Rule )# vlan 200
(Instant Access Point)(Access Rule )# end
(Instant Access Point)# commit apply
Assigning User VLAN Roles to a Network Profile
You can configure user VLAN roles for a network profile using Dell W-Instant UI or CLI.
In the Dell W-Instant UI
To assign a user VLAN role:
1.
Figure 56 User VLAN Role Assignment
4. Click OK.
In the CLI
To assign VLAN role to a WLAN profile:
(Instant Access Point)(config)# wlan ssid-profile
(Instant Access Point)(SSID Profile )# set-role {{equals | not-equals | starts-with | ends-with |contains }|value-of}
(Instant Access Point)(SSID Profile )# end
(Instant Access Point)# commit apply
Chapter 13 Mobility and Client Management
This chapter provides the following information:
- Layer-3 Mobility Overview
- Configuring L3-Mobility
Layer-3 Mobility Overview
W-IAPs form a single Instant network when they are in the same Layer-2 (L2) domain. As the number of clients increases, multiple subnets are required to avoid broadcast overhead.
Each foreign AP has only one home AP per Instant network to avoid duplication of broadcast traffic. Separate GRE tunnels are created for each foreign AP / home AP pair. If a peer AP is a foreign AP for one client and a home AP for another, two separate GRE tunnels are used to handle L3 roaming traffic between these APs. If client subnet discovery fails on association due to some reason, the foreign AP identifies its subnet when it sends out the first L3 packet.
Figure 58 L3 Mobility Window 1. Select Enabled from the Home agent load balancing drop-down list. By default, home agent load balancing is disabled. 2. Click New in the Virtual Controller IP Addresses section, add the IP address of a Virtual Controller that is part of the mobility domain, and click OK. 3. Repeat Step 2 to add the IP addresses of all Virtual Controllers that form the L3 mobility domain. 4. Click New in the Subnets section and specify the following: a.
Chapter 14 Spectrum Monitor This chapter provides the following information: l Understanding Spectrum Data on page 181 l Configuring Spectrum Monitors and Hybrid W-IAP to Hybrid W-IAPs on page 186 Understanding Spectrum Data Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference.
Device Summary and Channel Information shows the details of the information that is displayed: Table 29: Device Summary and Channel Information Column Description Type Device type.
Non Wi-Fi Interferer Description Fixed Frequency (Cordless Phones) Some cordless phones use a fixed frequency to transmit data (much like the fixed frequency video devices). These devices are classified as Fixed Frequency (Cordless Phones). Fixed Frequency (Video) Video transmitters that continuously transmit video on a single frequency are classified as Fixed Frequency (Video). These devices typically have close to a 100% duty cycle.
Ratio (SNIR). SNIR is the ratio of signal strength to the combined levels of interference and noise on that channel. Spectrum monitors display spectrum data seen on all channels in the selected band, and hybrid APs display data from the one channel they are monitoring. Figure 60 Channel Details Channel Details Information shows the information that you can view in the channel details graph. Table 31: Channel Details Information Column Description Channel An 802.11a or 802.11g radio channel.
spectrum monitors can display data for all channels in their selected band, hybrid APs display data for their one monitored channel only. To view this graph, click 2.4 GHz in the Spectrum section of the dashboard. Figure 61 Channel Metrics for the 2.4 GHz Radio Channel To view this graph, click 5 GHz in the Spectrum section of the dashboard. Figure 62 Channel Metrics for the 5 GHz Radio Channel Channel Metrics shows the information displayed in the channel metrics graph.
Configuring Spectrum Monitors and Hybrid W-IAP to Hybrid W-IAPs
A W-IAP can be provisioned to function as a spectrum monitor or as a hybrid W-IAP. The radios on groups of APs can be converted to dedicated spectrum monitors or hybrid APs via the AP group’s 802.11a and 802.11g radio profiles.
Converting a W-IAP to Hybrid W-IAP
You can convert all W-IAPs in an Instant network into hybrid W-IAPs by selecting the Background spectrum monitoring option in the Dell W-Instant network’s 802.11a and 802.
3. Click the Radio tab.
4. From the Access Mode drop-down list, select Spectrum Monitor.
5. Click OK.
6. Reboot the W-IAP for the changes to take effect.
7. To enable spectrum monitoring for any other band for the 5 GHz radio:
a. Click the RF link at the upper right corner of the Dell W-Instant UI.
b. Click Show advanced options to view the Radio tab.
c.
Chapter 15 Adaptive Radio Management This chapter provides the following information: l ARM Overview on page 189 l Configuring ARM Features on a W-IAP on page 191 l Configuring Radio Settings for a W-IAP on page 195 ARM Overview Adaptive Radio Management (ARM) is a radio frequency management technology that optimizes WLAN performance even in the networks with highest traffic by dynamically and intelligently choosing the best 802.
With this feature, the client load for an AP is determined based on the value specified for the SLB threshold. When the client load on an AP reaches or exceeds the SLB threshold in comparison to its neighbors, or if a neighboring AP on another channel does not have any clients, load balancing is enabled on that AP, to allow clients to connect to an available or less loaded channel.
ARM Metrics
ARM computes coverage and interference metrics for each valid channel and chooses the best performing channel and transmit power settings for each W-IAP RF environment. Each W-IAP gathers other metrics on its ARM-assigned channel to provide a snapshot of the current RF health state.
Configuring ARM Features on a W-IAP
You can configure ARM features such as band steering, spectrum load balancing, and airtime fairness mode either using Dell W-Instant UI or CLI.
Table 33: Band Steering Mode - Configuration Parameters Parameter Description Prefer 5 GHz Select this option to use band steering in 5 GHz mode. On selecting this, the W-IAP steers the client to 5 GHz band (if the client is 5 GHz capable), but allows the client connection on the 2.4 GHz band if the client persistently attempts for 2.4 GHz association. Force 5 GHz Select this option to enforce 5 GHz band steering mode on the W-IAPs.
6. For Access Point Control, specify the following parameters:
Table 36: Access Point Control - Configuration Parameters
Parameter                 Description
Customize Valid Channels  Select this check box to customize valid channels for 2.4 GHz and 5 GHz. By default, the AP uses valid channels as defined by the Country Code (regulatory domain). On selecting the Customize Valid Channels check box, a list of valid channels for both 2.4 GHz and 5 GHz is displayed.
(Instant Access Point)(ARM)# spectrum-load-balancing calc-interval
(Instant Access Point)(ARM)# spectrum-load-balancing nb-matching
(Instant Access Point)(ARM)# spectrum-load-balancing calc-threshold
(Instant Access Point)(ARM)# end
(Instant Access Point)# commit apply
To view ARM configuration:
(Instant Access Point)# show arm config
Minimum Transmit Power
Maximum Transmit Power
Band Steering Mode
Client Aware Scanning
Wide Channel Bands
Air Time Fairness Mode
Spectrum
165   enable
36+   enable
44+   enable
52+   disable
60+   disable
149+  enable
157+  enable
Configuring Radio Settings for a W-IAP
You can configure 2.4 GHz and 5 GHz radio settings for a W-IAP either using Dell W-Instant UI or CLI.
In the Dell W-Instant UI
To configure radio settings:
1. Click the RF link at the top right corner of the Instant main window.
2. Click Show advanced options. The advanced options are displayed.
3. Click the Radio tab.
4. Under the channel 2.4.
Parameter Description Channel switch announcement count Specify the count to indicate the number of channel switching announcements that must be sent before switching to a new channel. This allows associated clients to recover gracefully from a channel change.
Channel Switch Announcement Count:2
MAX Distance:600
Channel Reuse Type:disable
Channel Reuse Threshold:0
Background Spectrum Monitor:disable
Standalone Spectrum Band:5ghz-upper
Chapter 16 Intrusion Detection
The Intrusion Detection System (IDS) is a feature that monitors the network for the presence of unauthorized W-IAPs and clients. It also logs information about the unauthorized W-IAPs and clients, and generates reports based on the logged information. The IDS feature in the Dell W-Instant network enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations.
- Windows Server
- Windows XP
- Windows ME
- OS-X
- iPhone
- iOS
- Android
- Blackberry
- Linux
Configuring Wireless Intrusion Protection and Detection Levels
WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Dell network, the WIP can be configured on the W-IAP.
Figure 65 Wireless Intrusion Detection
The following table describes the detection policies enabled in the Infrastructure Detection Custom settings field.
Table 38: Infrastructure Detection Policies
Detection Level  Detection Policy
Off              Rogue Classification
Low
Medium
High
Table 38: Infrastructure Detection Policies
Detection Level  Detection Policy
- Detect Malformed Frame— HT IE
- Detect Malformed Frame— Association Request
- Detect Malformed Frame— Auth
- Detect Overflow IE
- Detect Overflow EAPOL Key
- Detect Beacon Wrong Channel
- Detect devices with invalid MAC OUI
The following table describes the detection policies enabled in the Client Detection Custom settings field.
Figure 66 Wireless Intrusion Protection The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings field.
Containment Methods
You can enable wired and wireless containments to prevent unauthorized stations from connecting to your Dell W-Instant network. Dell W-Instant supports the following types of containment mechanisms:
- Wired containment— When enabled, Dell W-Instant Access Points generate ARP packets on the wired network to contain wireless attacks.
Chapter 17 DHCP Configuration This chapter provides the following information: l Understanding DHCP Assignment Modes on page 207 l Configuring DHCP Scopes on page 208 l Configuring DHCP Server for Client IP Assignment on page 214 Understanding DHCP Assignment Modes The Virtual Controller supports different modes of DHCP address assignment. With each DHCP address assignment mode, various client traffic forwarding modes are associated.
Configuring DHCP Scopes You can configure Distributed,L2, Distributed,L3, Local or NAT DHCP, Local,L3, and Centralized L2 DHCP scopes using the Dell W-Instant UI or CLI. This section describes the following procedures: l Configuring Distributed DHCP Scopes on page 208 l Configuring Local, Local,L3, and Centralized,L2 DHCP Scopes on page 211 Configuring Distributed DHCP Scopes Instant allows you to configure the DHCP address assignment for the branches connected to the corporate network through VPN.
Figure 69 New DHCP Scope: Distributed DHCP Mode 3. Based on type of distributed DHCP scope, configure the following parameters: Table 42: Distributed DHCP Mode: Configuration Parameters Name Description Name Enter a name for the DHCP scope. Type Select any of the following options: Distributed, L2— On selecting Distributed, L2, the Virtual Controller acts as the DHCP Server but the default gateway is in the data center. Traffic is bridged into VPN tunnel.
Table 42: Distributed DHCP Mode: Configuration Parameters Name Description l performed to ensure that the specified ranges of IP address are in the same subnet as the default router and subnet mask. The configured IP range is divided into blocks based on the configured client count. For Distributed,L3 mode, you can configure any discontiguous IP ranges. The configured IP range is divided into multiple IP subnets that are sufficient to accommodate the configured client count.
(Instant Access Point)(DHCP Profile)# reserve {first | last}
(Instant Access Point)(DHCP Profile)# option
(Instant Access Point)(DHCP Profile)# end
(Instant Access Point)# commit apply
Example
(Instant Access Point)(config)# ip dhcp prof-dhcp
(Instant Access Point) (DHCP Profile "prof-dhcp")# server-type DistibutedL2
(Instant Access Point) (DHCP Profile "prof-dhcp")# server-vlan 5
(Instant Access Point) (DHCP Profile "prof-dhcp")# subnet-m
Table 43: DHCP Mode: Configuration Parameters
Name  Description
keeping the scope of the subnet local to the W-IAP. In the NAT mode, the traffic is forwarded through the IPSec tunnel or the uplink.
- Local, L3—On selecting Local, L3, the Virtual Controller acts as a DHCP server and gateway. In this mode, the W-IAP routes the packets sent by clients and also adds a route on the controller, after the VPN tunnel is set up during the registration of the subnet.
Table 44: DHCP Relay and Option 82
DHCP Relay  Option 82  Behavior
Enabled     Enabled    DHCP packet relayed with the ALU-specific Option 82 string
Enabled     Disabled   DHCP packet relayed without the ALU-specific Option 82 string
Disabled    Enabled    DHCP packet not relayed, but broadcast with the ALU-specific Option 82 string
Disabled    Disabled   DHCP packet not relayed, but broadcast without the ALU-specific Option 82 string
In the CLI
To configure Local DHCP scope:
(Instant Access Point)(DHCP Profile "prof-dhcp")# option 176 "MCIPADD=10.72.80.34,MCPORT=1719, TFTPSRVR=10.80.0.5,L2Q=1,L2QVLAN=2,L2QAUD=5,L2QSIG=3"
(Instant Access Point)(DHCP Profile "prof-dhcp")# end
(Instant Access Point)# commit apply
Configuring DHCP Server for Client IP Assignment
The DHCP server is a built-in server, used for networks in which clients are assigned IP address by the Virtual Controller.
DHCP Netmask :255.255.255.0
DHCP Lease Time(m) :20
DHCP Domain Name :example.com
DHCP DNS Server :192.0.2.1
Chapter 18 VPN Configuration
This chapter describes the following VPN configuration procedures:
- Understanding VPN Features
- Configuring a Tunnel from Virtual Controller to Dell Networking W-Series Mobility Controller
- Configuring Routing Profiles
Understanding VPN Features
The Virtual Private Networks (VPN) feature enables the W-IAP, acting as the Virtual Controller, to create a VPN tunnel to a Dell Networking W-Series Mobility Controller in your corporate offic
Figure 71 IPSec Configuration 2. Select IPSec from the Protocol drop-down list. The packets are sent and received with encryption. 3. Enter the IP address or fully qualified domain name for the main VPN/IPSec endpoint in the Primary host field. 4. Enter the IP address or fully qualified domain name for the backup VPN/IPSec endpoint in the Backup host field. This entry is optional. 5.
(Instant Access Point)(config)# vpn reconnect-time-on-failover
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
Example
(Instant Access Point)(config)# vpn primary 192.0.2.18
(Instant Access Point)(config)# vpn backup 192.0.2.
distl2 Distributed,L2 2 10.15.205.0 255.255.255.0 0.0.0.0 10.15.205.254 5 10.13.6.110,10.1.1.50 arubanetworks.com 86400 OFF 0.0.0.0 None
dist-l3 Distributed,L3 3 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 5 10.13.6.110,10.1.1.50 arubanetworks.com 85800 OFF 0.0.0.0 None
local Local 200 172.16.200.1 255.255.255.0 0.0.0.0 0.0.0.0 0 10.13.6.110,10.1.1.50 arubanetworks.
ipsec backup tunnel peer address :10.0.0.63
ipsec backup tunnel peer tunnel ip :0.0.0.0
ipsec backup tunnel ap tunnel ip :0.0.0.0
ipsec backup tunnel current sm status :Retrying
ipsec backup tunnel tunnel status :Down
ipsec backup tunnel tunnel retry times :5
ipsec backup tunnel tunnel uptime :0
Configuring a GRE Tunnel
You can configure a GRE tunnel from Virtual Controller using Dell W-Instant UI or CLI.
In the Dell W-Instant UI
1.
To view VPN configuration details:
Instant Access Point# show vpn config
Configuring an L2TPv3 Tunnel
The Layer 2 Tunneling Protocol version 3 (L2TPv3) feature allows the IAP to act as an L2TP Access Concentrator (LAC) and tunnel all wireless clients' L2 traffic from the AP to the L2TP Network Server (LNS). In a centralized L2 model, the VLANs on the corporate side are extended to remote branch sites. Wireless clients associated to the IAP get the IP address from the DHCP server running on the LNS.
a. Enter the tunnel name to be used for tunnel creation.
Figure 74 Tunnel Configuration
b. Enter the primary server IP address.
c. Enter the remote end backup tunnel IP address. This is an optional field and required only when backup server is configured.
d. Enter the remote end UDP port number. The default value is 1701.
e. Enter the interval at which the hello packets are sent through the tunnel. The default value is 60 seconds.
f. Select the message digest as MD5 or SHA used for message authentication.
d. Select the cookie length and enter a cookie value corresponding to the length. By default, the cookie length is not set. e. Click OK. 5. Click Next to continue.
(Instant Access Point) (config) # l2tpv3 session test_session
(Instant Access Point) (L2TPv3 Session Profile "test_session")# cookie len 4 value 12345678
(Instant Access Point) (L2TPv3 Session Profile "test_session")# l2tpv3 tunnel test_tunnel
(Instant Access Point) (L2TPv3 Session Profile "test_session")# tunnel-ip 1.1.1.1 mask 255.255.255.
Tunnel 858508253, from 10.13.11.29 to 10.13.11.157:state: ESTABLISHED created at: Jul 2 04:58:25 2013 administrative name: 'test_tunnel' (primary) created by admin: YES, tunnel mode: LAC, persist: YES local host name: Instant-C4:42:98 peer tunnel id: 1842732147, host name: aruba1600pop636635.hsbtst2.
do pmtu discovery: OFF, mtu: 1460 framing capability: SYNC ASYNC bearer capability: DIGITAL ANALOG use tiebreaker: OFF peer profile: NOT SET session profile: NOT SET trace flags: PROTOCOL FSM API AVPDATA FUNC XPRT DATA SYSTEM CLI To view L2TPv3 system statistics: (Instant Access Point)# show l2tpv3 system statistics L2TP counters:Total messages sent: 99, received: 194, retransmitted: 0 illegal: 0, unsupported: 0, ignored AVPs: 0, vendor AVPs: 0 Setup failures: tunnels: 0, sessions: 0 Resource failures: con
Figure 76 Tunneling— Routing 3. Update the following parameters: l Destination— Specify the destination network that is reachable through the VPN tunnel. l Netmask— Specify the subnet mask of network that is reachable through the VPN tunnel. l Gateway— Specify the gateway to which traffic must be routed. This IP address must be the controller IP address on which the VPN connection is terminated. 4. Click OK. 5. Click Finish.
Chapter 19 IAP-VPN Configuration
Dell Networking W-Series controllers provide an ability to terminate the IPSec and GRE VPN tunnels from the W-IAP and provide corporate connectivity to the branch network. This section describes the following topics:
- Overview
- VPN Configuration
- Viewing Branch Status
Overview
This section provides a brief summary of the features supported by the controllers to allow VPN termination from a W-IAP.
IAP-VPN Scalability Limits ArubaOS provides enhancements to the scalability limits for the IAP-VPN branches terminating on the controller.
(host) # show ip ospf rapng-vpn aggregated-routes
(host) #show ip ospf rapng-vpn aggregate-routes 100.100.2.0 255.255.255.0
Contributing routes of RAPNG VPN aggregate route
------------------------------------------------
Prefix        Mask             Next-Hop  Cost
------        ----             --------  ----
100.100.2.64  255.255.255.224  5.5.0.10  10
To view all the redistributed routes:
(host) #show ip ospf database
OSPF Database Table
-------------------
Area ID   LSA Type  Link ID
-------   --------  -------
0.0.0.15  ROUTER    9.9.9.9
0.0.0.
Whitelist Database Configuration The whitelist database is a list of the MAC addresses of the W-IAPs that are allowed to establish VPN connections with the Mobility Controller. This list can be either stored in the Mobility Controller or on an external server.
VPN Profile Configuration
The VPN profile configuration defines the server used to authenticate the W-IAP (internal or an external server) and the role assigned to the IAP after successful authentication.
(host) (config) #aaa authentication vpn default-iap
(host) (VPN Authentication Profile "default-iap") #server-group default
(host) (VPN Authentication Profile "default-iap") #default-role iaprole
For information about the VPN profile configuration on the W-IAP, see VPN Configuration on page 217.
Parameter         Description
Assigned Subnet   Displays the subnet mask assigned to the branch.
Assigned Vlan     Displays the VLAN ID assigned to the branch.
Key               Displays the key for the branch, which is unique to each branch.
Bid(Subnet Name)  Displays the Branch ID (BID) of the subnet.
- In the example above, the controller displays bid-per-subnet-per-branch (that is, for the "LA" branch, BID "2" for the ip-range "10.15.205.0-10.15.205.250" with client count per branch "5").
Chapter 20 W-Airwave Integration and Management This chapter provides the following information: l W-AirWave Features on page 235 l Configuring W-AirWave on page 237 W-AirWave Features W-AirWave is a powerful tool and easy-to-use network operations system that manages Dell wireless, wired, and remote access networks, as well as wired and wireless infrastructures from a wide range of third-party manufacturers.
Figure 77 Template-based Configuration Trending Reports W-AirWave saves up to 14 months of actionable information, including network performance data and user roaming patterns, so you can analyze how network usage and performance trends have changed over time. It also provides detailed capacity reports with which you can plan the capacity and appropriate strategies for your organization. Intrusion Detection System W-AirWave provides advanced, rules-based rogue classification.
Figure 78 Adding a W-IAP in VisualRF Configuring W-AirWave Before configuring the W-AirWave, ensure that you have the following information: l IP address of the W-AirWave server. l Shared key for service authorization, assigned by the W-AirWave administrator.
Configuring W-AirWave Information You can configure W-AirWave information using Dell W-Instant UI or CLI. In the Dell W-Instant UI 1. Click the W-AirWave Set Up Now link in the bottom-middle region of the Dell W-Instant UI window. The System window is displayed with the W-AirWave parameters in the Admin tab. Figure 79 Configuring W-AirWave 2. Enter the name of your organization in the Organization name text box.
Configuring for W-AirWave Discovery through DHCP
W-AirWave can be discovered through a DHCP server. You can configure this only if W-AirWave was not configured earlier or if you have deleted the previous configuration. On the DHCP server, the format for option 60 is " InstantAP", and the format for option 43 is "ams-ip,ams-key".
Figure 81 Dell W-Instant and DHCP options for W-AirWave: Predefined Options and Values
5. Navigate to Server Manager and select Server Options in the IPv4 window. (This sets the value globally. Use options on a per-scope basis to override the global options.)
6. Right-click Server Options and select the configuration options.
Figure 82 Dell W-Instant and DHCP options for W-AirWave: Server Options
7. Select 060 Dell Instant AP in the Server Options window and enter DellInstantAP in the String Value.
Figure 83 Dell W-Instant and DHCP options for W-AirWave: 060 W-IAP in Server Options
8. Select 043 Vendor Specific Info and enter a value for airwave-orgn, airwave-ip, airwave-key in the ASCII field (for example: tme-instant-store1,, Dell123).
Figure 84 Dell W-Instant and DHCP options for W-AirWave: 043 Vendor Specific Info
This creates DHCP options 60 and 43 on a global basis. You can do the same on a per-scope basis. The per-scope option overrides the global option.
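The following Python check is an added example, not part of the guide or of Dell or Aruba software: it encodes options 60 and 43 in the standard DHCP code/length/data layout and verifies that the values match the formats described above before they are deployed. The function names are hypothetical, and the organization example-org, address 192.0.2.10 and key ExampleKey1 are constructed sample values.

```python
import ipaddress

VENDOR_CLASS = "DellInstantAP"  # option 60 string value from step 7 of the guide


def encode_option(code, value):
    """Encode one DHCP option as code, length, data (RFC 2132 layout)."""
    data = value.encode("ascii")
    if len(data) > 255:
        raise ValueError("option data longer than 255 bytes")
    return bytes([code, len(data)]) + data


def decode_options(blob):
    """Walk a DHCP options field and return {code: data bytes}."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option %d is truncated" % code)
        options[code] = data
        i += 2 + length
    return options


def parse_option43(text):
    """Split option 43 text into org (None in the two-field form), ip and key."""
    fields = [f.strip() for f in text.split(",")]
    if len(fields) == 2:         # "ams-ip,ams-key"
        return {"org": None, "ip": fields[0], "key": fields[1]}
    if len(fields) == 3:         # "airwave-orgn, airwave-ip, airwave-key"
        return {"org": fields[0], "ip": fields[1], "key": fields[2]}
    raise ValueError("expected 2 or 3 comma-separated fields, got %d" % len(fields))


def check_offer(blob):
    """Return a list of problems found in options 60 and 43 (empty list = OK)."""
    try:
        options = decode_options(blob)
    except ValueError as exc:
        return ["malformed options field: %s" % exc]

    problems = []
    vendor = options.get(60)
    if vendor is None:
        problems.append("option 60 missing")
    elif vendor.decode("ascii", "replace") != VENDOR_CLASS:
        problems.append("option 60 is not %r" % VENDOR_CLASS)

    raw43 = options.get(43)
    if raw43 is None:
        problems.append("option 43 missing")
        return problems
    try:
        fields = parse_option43(raw43.decode("ascii"))
    except ValueError as exc:    # also covers non-ASCII data
        problems.append("option 43 unparsable: %s" % exc)
        return problems

    if fields["org"] == "":
        problems.append("option 43 organization is empty")
    try:
        ipaddress.ip_address(fields["ip"])
    except ValueError:
        problems.append("option 43 server address %r is not an IP address" % fields["ip"])
    if not fields["key"]:
        problems.append("option 43 shared key is empty")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    sample = (encode_option(60, VENDOR_CLASS)
              + encode_option(43, "example-org,192.0.2.10,ExampleKey1")
              + b"\xff")
    print(check_offer(sample) or "options 60 and 43 look consistent")
```

DHCP replies are neither encrypted nor authenticated, so the shared key placed in option 43 is readable by any host on the segment; scope the option to the AP VLAN and treat the key as a provisioning secret.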
the DHCP clients information about certain services such as PXE. In such an environment, the standard DHCP options 60 and 43 cannot be used for Dell APs. This method describes how to set up a DHCP server to send option 43 with W-AirWave information to the Dell W-Instant W-IAP. This section assumes that option 43 is sent per scope, because option 60 is being shared by other devices as well.
Figure 87 W-AirWave: New Group
Figure 88 W-AirWave: Monitor
Chapter 21
AirGroup Configuration
This chapter provides the following information:
- AirGroup Overview
- AirGroup with Instant
- Configuring AirGroup for Dell W-Instant
- Configuring AirGroup and CPPM interface in Dell W-Instant

AirGroup Overview
AirGroup is a unique enterprise-class capability that leverages zero configuration networking to enable Bonjour® services such as Apple® AirPrint and AirPlay from mobile devices in an efficient manner.
Figure 89 - AirGroup Architecture
AirGroup is not supported on a 3G uplink.

AirGroup with Instant
AirGroup capabilities are available as a feature in Dell WLANs where Wi-Fi data is distributed among Dell W-Instant APs. When a Dell WLAN is powered by Dell W-Instant and CPPM, AirGroup begins to function. An AirGroup device can be registered by an administrator or a guest user.
1.
Figure 90 AirGroup Enables Personal Device Sharing

AirGroup Solution
In large universities and enterprise networks, it is common for Bonjour-capable devices to connect to the network across VLANs. As a result, user devices such as an iPad on a specific VLAN cannot discover an Apple TV that resides on another VLAN. Because the addresses used by the protocol are link-scope multicast addresses, each query or advertisement can be forwarded only on its respective VLAN, not across different VLANs.
Table 47: AirGroup Filtering Options
Features | Dell W-Instant Deployment Models
Device owner based policy enforcement | No | Yes
Location based policy enforcement | No | Yes
Shared user list based policy enforcement | No | Yes
Shared role list based policy enforcement | No | Yes

AirGroup also enables context awareness for services across the network:
- AirGroup is aware of personal devices. For example, an Apple TV in a dorm room can be associated with the student who owns it.
- Allow or block mDNS services based on user roles.
- Allow or block mDNS services based on VLANs.
- Match users’ devices, such as iPads, to their closest Bonjour devices, such as printers. This requires CPPM support.

CPPM and ClearPass Guest Features
CPPM and ClearPass Guest support the following features:
- Registration portal for WLAN users to register their personal devices such as Apple TVs and printers.
Figure 92 AirGroup Configuration
3. Select the Enable Air Group check box. The AirGroup configuration parameters are displayed.
4. Select Enable Guest Bonjour multicast to allow the users to use Bonjour services enabled in a guest VLAN. When this check box is enabled, the Bonjour devices are visible only in the guest VLAN and AirGroup will not discover or enforce policies in the guest VLAN.
5. Select the Enable Air Group across mobility domains check box to enable inter-cluster mobility.
(Instant Access Point)(airgroup)# cppm enforce-registration
(Instant Access Point)(airgroup)# cppm-server
(Instant Access Point)(airgroup)# cppm-server-dead-time
(Instant Access Point)(airgroup)# cppm-query-interval
(Instant Access Point)(airgroup)# disallow-vlan
(Instant Access Point)(airgroup)# enable-guest-multicast
(Instant Access Point)(airgroup)# multi-swarm
(Instant Access Point)(airgroup)# end
(Instant Access Point)# commit apply

To configure AirGroup Serv
The AirGroup configuration with CPPM involves the following steps:
1. Create a RADIUS service
2. Assign a Server to AirGroup
3. Configure CPPM to Enforce Registration

Creating a RADIUS Server
You can configure an external RADIUS server in the Security window. For more information on configuring the CPPM server, see Configuring an External Server for Authentication on page 125. You can also create a RADIUS server in the Air Group window.
Chapter 22
Real Time Location Server Configuration
This chapter describes the procedure for configuring Real Time Location Server (RTLS).

Configuring RTLS
Dell W-Instant supports the real-time tracking of devices when integrated with the W-AirWave Management Platform or a third-party Real Time Location Server such as the Aeroscout Real Time Location Server. With the help of the RTLS, the devices can be monitored in real time or through history. You can configure RTLS using the Dell W-Instant UI or CLI.
3. Select the Include unassociated stations check box to send reports on the stations that are not associated to any W-IAP to the Aeroscout RTLS server. 4. Click OK.
Chapter 23
Hotspot Profiles
This chapter describes the following procedures:
- Understanding Hotspot Profiles
- Configuring Hotspot Profiles
- Sample Configuration

In the current release, Instant supports the hotspot profile configuration only through the CLI.

Understanding Hotspot Profiles
Hotspot 2.0 is a Wi-Fi Alliance specification based on the 802.
Access Network Query Protocol (ANQP)
ANQP is a query and response protocol that provides a range of information, such as IP address type and availability, roaming partners accessible through a hotspot, and the Extensible Authentication Protocol (EAP) method supported for authentication. The ANQP Information Elements (IEs) provide additional data that can be sent from a W-IAP to the client to identify the W-IAP's network and service provider.
3. Associate the required ANQP and H2QP advertisement profiles created in step 1 to the hotspot profile created in step 2.
4. Create an SSID Profile with enterprise security and WPA2 encryption settings and associate the SSID with the hotspot profile created in step 2.

Creating Advertisement Profiles for Hotspot Configuration
A hotspot profile contains one or several advertisement profiles.
- peap: To use protected Extensible Authentication Protocol. The associated numeric value is 25.
- crypto-card: To use crypto card authentication. The associated numeric value is 28.
- peapmschapv2: To use PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPV2). The associated numeric value is 29.
- eap-aka: To use EAP for UMTS Authentication and Key Agreement. The associated numeric value is 50.
(Instant Access Point)(venue-name )# venue-name
(Instant Access Point)(venue-name )# venue-group
(Instant Access Point)(venue-name )# venue-type
(Instant Access Point)(venue-name )# venue-lang-code
(Instant Access Point)(venue-name )# enable
(Instant Access Point)(venue-name )# end
(Instant Access Point)# commit apply

You can specify any of the following venue groups and the corresponding venue types:
Table 50: Venue Types
Venue G
Venue Group | Associated Venue Type Value

mercantile (The associated numeric value is 6.)
- unspecified: The associated numeric value is 0.
- retail-store: The associated numeric value is 1.
- grocery-market: The associated numeric value is 2.
- auto-service-station: The associated numeric value is 3.
- shopping-mall: The associated numeric value is 4.
- gas-station: The associated numeric value is 5.

residential (The associated numeric value is 7.)
- unspecified: The associated numeric value is 0.
Configuring a Roaming Consortium Profile
You can configure a roaming consortium profile to send the roaming consortium information as an ANQP IE in a GAS query response.
Configuring an Operator-friendly Profile
You can configure the operator-friendly name profile to identify the operator.
- Downlink speed: Indicates the WAN downlink speed in Kbps.
- Uplink load: Indicates the percentage of the WAN uplink currently utilized. The default value of 0 indicates that the downlink speed is unknown or unspecified.
- Uplink speed: Indicates the WAN uplink speed in Kbps.
- Load duration: Indicates the duration in seconds during which the downlink utilization is measured.
- Symmetric links: Indicates if the uplink and downlink have the same speed.
Table 51: Hotspot Configuration Parameters
Parameter | Description
- emergency-services: This network is limited to accessing emergency services only. The corresponding integer value for this network type is 5.
- test: This network is used for test purposes only. The corresponding integer value for this network type is 14.
- wildcard: This network indicates a wildcard network. The corresponding integer value for this network type is 15.
Table 51: Hotspot Configuration Parameters
Parameter | Description
- outdoor
- residential
- storage
- utility-and-misc
- vehicular
By default, the business venue group is used.
venue-type | Specify a venue type to be advertised in the ANQP IEs from W-IAPs associated with this hotspot profile. For more information about the supported venue types for each venue group, see Table 50.
(Instant Access Point)(SSID Profile)# set-vlan {equals|not-equals| startswith| ends-with| contains} | value-of}
(Instant Access Point)(SSID Profile)# opmode {wpa2-aes|wpa-tkip,wpa2-aes}
(Instant Access Point)(SSID Profile)# blacklist
(Instant Access Point)(SSID Profile)# mac-authentication
(Instant Access Point)(SSID Profile)# l2-auth-failthrough
(Instant Access Point)(SSID Profile)# termination
(Instant Access Point)(SSID Profile)# ex
(Instant Access Point)(domain-name "dn1")# exit
(Instant Access Point)(config)# hotspot h2qp-oper-name-profile on1
(Instant Access Point)(operator-friendly-name"on1")# op-lang-code eng
(Instant Access Point)(operator-friendly-name"on1")# op-fr-name OperatorFriendlyName
(Instant Access Point)(operator-friendly-name"on1")# exit

Step 2: Creating a hotspot profile
(Instant Access Point)(SSID Profile)# set-role-by-ssid
(Instant Access Point)(SSID Profile )# hotspot-profile hs1
(Instant Access Point)(SSID Profile)# end
(Instant Access Point)# commit apply
Chapter 24
Lawful Intercept and CALEA Integration
This chapter provides the following information:
- CALEA Integration and Lawful Intercept Compliance
- Configuring W-IAPs for CALEA Integration

CALEA Integration and Lawful Intercept Compliance
Lawful Intercept (LI) allows Law Enforcement Agencies (LEA) to perform authorized electronic surveillance. Depending on the country of operation, the service providers (SPs) are required to support LI in their respective networks.
Figure 94 IAP to CALEA Server

Traffic Flow from IAP to CALEA Server through VPN
You can also deploy the CALEA server with the Controller and configure an additional IPSec tunnel for corporate access. When the CALEA server is configured with the Controller, the client traffic is replicated by the slave IAP, and client data is encapsulated by GRE on the slave and routed to the master IAP. The master IAP sends the IPsec client traffic to the Controller.
Figure 95 IAP to CALEA Server through VPN
Ensure that an IPSec tunnel is configured if the client data has to be routed to the ISP or CALEA server through VPN. For more information on configuring IPSec, see Configuring an IPSec VPN Tunnel on page 217.

Client Traffic Replication
Client traffic is replicated in the following ways:
- Through RADIUS VSA: In this method, the client traffic is replicated by using RADIUS VSA to assign clients to a CALEA related user role.
In the Dell W-Instant UI
To configure a CALEA profile:
1. Click More>Services at the top right corner of the Instant main window.
2. Click CALEA. The CALEA tab details are displayed.
3. Specify the following parameters:
- IP address: Specify the IP address of the CALEA server.
- Encapsulation type: Specify the encapsulation type. The current release of Dell W-Instant supports GRE only.
- is supported.
- GRE type: Specify the GRE type.
4. Select CALEA. 5. Click OK. 6. Create a role assignment rule if required. 7. Click Finish.
(Instant Access Point)(SSID Profile"Calea-Test")# rf-band
(Instant Access Point)(SSID Profile"Calea-Test")#
(Instant Access Point)(SSID Profile"Calea-Test")#
(Instant Access Point)(SSID Profile"Calea-Test")#
(Instant Access Point)(SSID Profile"Calea-Test")#
(Instant Access Point)(SSID Profile"Calea-Test")#
(Instant Access Point)(SSID Profile"Calea-Test")#
(Instant Access Point)(SSID Profile"Calea-Test")#
(Instant Access Point)(SSID Profile"Calea-Test")#
(Instant Access Point)(SSID Profile"Calea-Test")#
Chapter 25
Dynamic CPU Management
This chapter provides the following information:
- Dynamic CPU Management
- Configuring for Dynamic CPU Management

Dynamic CPU Management
W-IAPs perform various functions such as wireless client connectivity and traffic flows, wired client connectivity and traffic flows, wireless security, network management, and location tracking. As with any network element, a W-IAP can be subject to heavy loads.
Chapter 26
W-IAP Management
This section provides information on the following procedures:
- Configuring LED Display
- Backing up and Restoring W-IAP Configuration Data
- Converting a W-IAP to a Remote AP and Campus AP
- Resetting a Remote AP or Campus AP to a W-IAP
- Rebooting the W-IAP

Configuring LED Display
The LED display is always in the Enabled mode during a W-IAP reboot.
2. Click Backup Configuration.
3. Click Continue to confirm the backup. The instant.cfg containing the W-IAP configuration data is saved in your local file system.
4. To view the configuration that is backed up by the W-IAP, enter the following command at the command prompt:
(Instant Access Point)# show backup-config

Restoring Configuration
To restore configuration:
1. Navigate to the Maintenance > Configuration page.
2. Click Restore Configuration.
The following table describes the supported W-IAP platforms and minimal ArubaOS version required for the Campus AP or Remote AP conversion.

Table 53: W-IAP Platforms and Minimal ArubaOS Versions for W-IAP to Remote AP Conversion
W-IAP Platform | ArubaOS Version | Dell W-Instant Version
W-IAP92 | 6.1.4 or later | 1.0 or later
W-IAP93 | 6.1.4 or later | 1.0 or later
W-IAP104 | 6.1.4 or later | 3.0 or later
W-IAP105 | 6.1.4 or later | 1.0 or later
W-IAP134 | 6.1.4 or later | 2.0 or later
W-IAP135 | 6.1.4 or later | 2.
Figure 96 - Maintenance: Convert Tab
Figure 97 - Convert options
3. Select Remote APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname (fully qualified domain name) or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. Contact your local network administrator to obtain the IP address. Ensure that the mobility controller IP Address is reachable by the W-IAPs.
5. Click Convert Now to complete the conversion.
Converting a W-IAP to Campus AP
To convert a W-IAP to Campus AP, do the following:
1. Click the Maintenance link in the Instant main window.
2. Click the Convert tab. The Convert tab is displayed.
Figure 98 - Converting a W-IAP to Campus AP
3. Select Campus APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname, Fully Qualified Domain Name (FQDN), or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box.
3. Select Standalone AP from the drop-down list.
4. Select the Access Point from the drop-down list.
5. Click Convert Now to complete the conversion. The W-IAP now operates in the standalone mode.

Converting a W-IAP using CLI
To convert a W-IAP:
(Instant Access Point)# convert-aos-ap

Resetting a Remote AP or Campus AP to a W-IAP
The reset button located on the rear of a W-IAP can be used to reset the W-IAP to factory default settings.
Figure 100 - Rebooting the W-IAP
3. In the W-IAP list, select the W-IAP that you want to reboot and click Reboot selected Access Point. To reboot all the W-IAPs in the network, click Reboot All.
4. The Confirm Reboot for W-IAP is displayed. Click Reboot Now to proceed. The Reboot in Progress message appears indicating that the reboot is in progress. The Reboot Successful message is displayed after the process is complete.
Chapter 27
Content Filtering
This chapter provides the following information:
- Content Filtering
- Enabling Content Filtering
- Configuring Enterprise Domains
- Configuring OpenDNS Credentials

Content Filtering
The Content Filtering feature allows you to create Internet access policies that allow or deny user access to Websites based on Website categories and security ratings.
(Instant Access Point)(SSID Profile )# end
(Instant Access Point)# commit apply

Enabling Content Filtering for a Wired Profile
To enable content filtering for a wired profile, perform the following steps:

In the Dell W-Instant UI
1. Click the Wired link under More at the top right corner of the Dell W-Instant main window. The Wired window appears.
2. In the Wired window, select the wired profile to modify.
3. Click Edit. The Edit Wired Network window is displayed.
4.
In the Dell W-Instant UI
To configure OpenDNS credentials:
1. Click More> Services>OpenDNS. The OpenDNS tab contents are displayed.
2. Enter the Username and Password to enable access to OpenDNS.
3. Click OK to apply the changes.

In the CLI
To configure OpenDNS credentials:
(Instant Access Point)(config)# opendns
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
Chapter 28
Monitoring Devices and Logs
This chapter provides the following information:
- Configuring SNMP
- Configuring a Syslog Server
- Configuring TFTP Dump Server
- Running Debug Commands from the Dell W-Instant UI

Configuring SNMP
This section provides the following information:
- SNMP Parameters for W-IAP
- Configuring SNMP
- Configuring SNMP Traps

SNMP Parameters for W-IAP
Dell W-Instant supports SNMPv
Configuring SNMP
This section describes the procedure for configuring SNMPv1, SNMPv2, and SNMPv3 community strings using the Dell W-Instant UI or CLI.

Creating community strings for SNMPv1 and SNMPv2 Using Dell W-Instant UI
To create community strings for SNMPv1 and SNMPv2:
1. Click the System link at the top right corner of the Instant main window. The System window is displayed.
2. Click the Monitoring tab. The following figure shows the SNMP configuration parameters displayed in the Monitoring tab.
Figure 102 SNMPv3 User
4. Enter the name of the user in the Name text box.
5. Select the type of authentication protocol from the Auth protocol drop-down list.
6. Enter the authentication password in the Password text box and retype the password in the Retype text box.
7. Select the type of privacy protocol from the Privacy protocol drop-down list.
8. Enter the privacy protocol password in the Password text box and retype the password in the Retype text box.
9. Click OK.
10.
Configuring SNMP Traps
Dell W-Instant supports the configuration of external trap receivers. Only the W-IAP acting as the Virtual Controller generates traps. The OID of the traps is 1.3.6.1.4.1.14823.2.3.3.1.200.2.X. You can configure SNMP traps using the Dell W-Instant UI or CLI.

In the Dell W-Instant UI
To configure an SNMP trap receiver:
1. Navigate to System>Show advanced options> Monitoring. The Monitoring window is displayed.
1. Under SNMP Traps, enter a name in the SNMP Engine ID text box.
(Instant Access Point)# commit apply

Configuring a Syslog Server
You can specify a syslog server to which syslog messages are sent by using either the Dell W-Instant UI or CLI.

In the Dell W-Instant UI
1. In the Instant main window, click the System link. The System window appears.
2. Click Show advanced options to display the advanced options.
3. Click the Monitoring tab. The Monitoring tab details are displayed.
Figure 103 Syslog Server
4.
The following table describes the logging levels in order of severity, from the most to the least severe.

Table 55: Logging Levels
Logging Level | Description
Emergency | Panic conditions that occur when the system becomes unusable.
Alert | Any condition requiring immediate attention and correction.
Critical | Any critical conditions such as a hard drive error.
Errors | Error conditions.
Warning | Warning messages.
Notice | Significant events of a non-critical and normal nature.
4. Click Run.

Support Commands
You can view the following information for each access point in the Dell W-Instant network using the support window:
- AP 3G/4G Status: Displays the cellular status of the W-IAP.
- AP 802.1X Statistics: Displays the 802.1X statistics of the W-IAP.
- AP Access Rule Table: Displays the list of ACL rules configured on the W-IAP.
- AP Active: Displays the list of active APs in Instant network.
- AP Datapath Bridge Table: Displays bridge table entry statistics including MAC address, VLAN, assigned VLAN, Destination and flag information for the W-IAP.
- AP Datapath DMO Session: Displays details of a DMO session.
- AP Datapath Multicast Table: Displays multicast table statistics for the W-IAP.
- AP Datapath Nat Pool: Displays NAT pool details configured in the datapath.
- AP Datapath Route Table: Displays route table statistics for the W-IAP.
- AP Log VPN Tunnel Log: Displays VPN tunnel status for the W-IAP.
- AP Log Wireless: Displays wireless logs of the W-IAP.
- AP Management Frames: Displays the traced 802.11 management frames for the W-IAP.
- AP Memory Allocation State Dumps: Displays the memory allocation details for the W-IAP.
- AP Memory Utilization: Displays memory utilization of the W-IAP.
- AP Mesh Counters: Displays the mesh counters of the W-IAP.
- AP Mesh Link: Displays the mesh link of the W-IAP.
- AP Wired Port Settings: Displays wired port configuration details for the W-IAP.
- AP Wired User Table: Displays the list of clients associated with the wired network profile configured on the W-IAP.
- VC 802.1x Certificate: Displays the CA certificate and server certificate for the Virtual Controller.
- VC About: Displays information such as AP type, build time of image, and image version for the Virtual Controller.
Chapter 29
Regulatory Domain
IEEE 802.11b/g/n Wi-Fi networks operate in the 2.4 GHz spectrum and IEEE 802.11a/n networks operate in the 5.0 GHz spectrum. These spectrums are divided into channels. The 2.4 GHz spectrum is divided into 14 overlapping, staggered 20 MHz wireless carrier channels. These channels are spaced 5 MHz apart. The 5 GHz spectrum is divided into more channels. The channels that can be used in a particular country differ based on the regulations of that country.
Code | Country Name
BO | Bolivia
BR | Brazil
CA | Canada
CH | Switzerland
CL | Chile
CN | China
CO | Colombia
CR | Costa Rica
CS | Serbia and Montenegro
CY | Cyprus
CZ | Czech Republic
DE | Germany
DK | Denmark
DO | Dominican Republic
DZ | Algeria
EC | Ecuador
EE | Estonia
EG | Egypt
ES | Spain
FI | Finland
FR | France
GB | United Kingdom
GR | Greece
GT | Guatemala
HK | Hong Kong
HN | Honduras
ID | Indonesia
IE | Ireland
IN | India
IS | Iceland
IT | Italy
JM | Jamaica
JO | Jordan
JP3 | Japan
KE | Kenya
KR | Republic of Korea (South Korea)
KW | Kuwait
LB | Lebanon
LI | Liechtenstein
LK | Sri Lanka
LT | Lithuania
LU | Luxembourg
MA | Morocco
MU | Mauritius
MX | Mexico
NL | Netherlands
NO | Norway
NZ | New Zealand
OM | Oman
PA | Panama
PE | Peru
PH | Philippines
PK | Islamic Republic of Pakistan
PL | Poland
PR | Puerto Rico
PT | Portugal
QA | Qatar
RO | Romania
RU | Russia
SA | Saudi Arabia
SG | Singapore
SI | Slovenia
SK | Slovak Republic
SV | El Salvador
TH | Thailand
TN | Tunisia
TR | Turkey
TT | Trinidad and Tobago
TW | Taiwan
UA | Ukraine
US | United States
UY | Uruguay
VE | Venezuela
VN | Vietnam
ZA | South Africa
ClearPass Policy Manager Guest Setup
To configure Dell Networking W-ClearPass Guest:
1. On Dell Networking W-ClearPass Guest, navigate to Administration > AirGroup Services.
2. Click Configure AirGroup Services.
Figure 105 Configure AirGroup Services
3. Click Add a new controller.
Figure 106 Add a New Controller for AirGroup Services
4. Update the fields with the appropriate information. Ensure that the port configured matches the CoA port (RFC 3576) set on the W-IAP configuration.
Figure 107 Configure AirGroup Services Controller Settings
5. Click Save Configuration.

In order to demonstrate AirGroup, either an AirGroup Administrator or an AirGroup Operator account must be created.
1. Navigate to the Dell Networking W-ClearPass Policy Manager UI, and navigate to Configuration > Identity > Local Users.
Figure 108 Configuration > Identity > Local Users Selection
2. Click Add User.
3. Create an AirGroup Administrator.
Figure 109 Create an AirGroup Administrator
4. In this example, the password used is test123. Click Add.
5. Now click Add User, and create an AirGroup Operator.
Figure 110 Create an AirGroup Operator
6. Click Add to save the user with an AirGroup Operator role. The AirGroup Administrator and AirGroup Operator IDs will be displayed in the Local Users UI screen.
Figure 111 Local Users UI Screen
7. Navigate to the Dell Networking W-ClearPass Guest UI and click Logout. The ClearPass Guest Login page appears. Use the AirGroup admin credentials to log in.
8. After logging in, click Create Device.
Figure 112 Create a Device
The following page is displayed.
Figure 113 - Register Shared Device
For this test, add your AppleTV device name and MAC address but leave all other fields empty.
9. Click Register Shared Device.

Testing
To verify the setup:
1. Disconnect your AppleTV and OSX Mountain Lion/iOS 6 devices if they were previously connected to the wireless network. Remove their entries from the controller’s user table using these commands:
   - Find the MAC address: show user table
   - Delete the address from the table: aaa user delete mac 00:aa:22:bb:33:cc
2. Reconnect both devices.
Terminology

Acronyms and Abbreviations
The following table lists the abbreviations used in this user guide.
Table 58: List of abbreviations
Abbreviation | Expansion
PEAP | Protected Extensible Authentication Protocol
PEM | Privacy Enhanced Mail
PoE | Power over Ethernet
RADIUS | Remote Authentication Dial In User Service
VC | Virtual Controller
VSA | Vendor-Specific Attributes
WLAN | Wireless Local Area Network
Glossary
The following table lists the terms and their definitions used in this guide.

Table 59: List of Terms
Term | Definition
802.11 | An evolving family of specifications for wireless LANs developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing.
802.11a | Provides specifications for wireless systems. Networks using 802.
band | A specified range of frequencies of electromagnetic radiation.
Daylight Saving Time | Daylight saving time (DST), also known as summer time, is the practice of advancing clocks, so that evenings have more daylight and mornings have less. Typically clocks are adjusted forward one hour near the start of spring and are adjusted backward in autumn.
DHCP | The Dynamic Host Configuration Protocol (DHCP) is an auto-configuration protocol used on IP networks.
- Midspan: A device can sit between the switch and APs.
The choice of endspan or midspan depends on the capabilities of the switch to which the W-IAP is connected. Typically if a switch is in place and does not support PoE, midspan power injectors are used.
PPPoE | Point-to-Point Protocol over Ethernet (PPPoE) is a method of connecting to the Internet typically used with DSL services where the client connects to the DSL modem.
wireless service provider | A company that offers transmission services to users of wireless devices through radio frequency (RF) signals rather than through end-to-end wire communication.
wireless local area network (WLAN) | A local area network (LAN) that the users access through a wireless connection. 802.11 standards specify WLAN technologies. WLANs are frequently some portion of a wired LAN.