Dell Networking W-Series Instant User Guide 6.4.2.0-4.1.
Copyright © 2014 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Chapter 1
About this Guide

This User Guide describes the features supported by Dell Networking W-Series Instant Access Point (W-IAP) and provides detailed instructions for setting up and configuring the Instant network.

Intended Audience

This guide is intended for administrators who configure and use W-IAPs.
Style Type Description In the command examples, italicized text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example: # send In this example, you would type “send” at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets. [Optional] Command examples enclosed in brackets are optional. Do not type the brackets.
Chapter 2
About Instant

This chapter provides the following information:
- Instant Overview
- What is New in Instant 6.4.2.0-4.1.1

Instant Overview

Instant virtualizes Dell Networking W-Series Mobility Controller capabilities on 802.11 access points (APs), creating a feature-rich enterprise-grade wireless LAN (WLAN) that combines affordability and configuration simplicity. Instant is a simple, easy to deploy turn-key WLAN solution consisting of one or more APs.
The following table provides the variants supported for each IAP model:

Table 3: Supported W-IAP Variants

W-IAP Model (Reg Domain) | W-IAP###US (US only) | W-IAP###-JP (Japan only) | W-IAP###-RW (Worldwide except US) | W-IAP### (Worldwide except US and Japan)
W-IAP103 | Yes | No | Yes | No
W-IAP104/105 | Yes | Yes | No | Yes
W-IAP114/115 | Yes | No | Yes | No
W-IAP134/135 | Yes | Yes | No | Yes
W-IAP175P/175AC | Yes | Yes | No | Yes
W-IAP3WN/3WNP | Yes | Yes | No | Yes
W-IAP108/109 | Yes | Yes | No | Yes
W-IAP155/155P | Yes | Yes
If the Instant UI is launched through an unsupported browser, a warning message is displayed along with a list of recommended browsers. However, users are still allowed to log in using the Continue login link on the Login page. To view the Instant UI, ensure that JavaScript is enabled in the web browser. The Instant UI logs out automatically if the window is inactive for 15 minutes.
Chapter 3
Setting up a W-IAP

This chapter describes the following procedures:
- Setting up Instant Network on page 31
- Logging in to the Instant UI on page 33
- Accessing the Instant CLI on page 38

Setting up Instant Network

Before installing a W-IAP:
- Ensure that you have an Ethernet cable of the required length to connect a W-IAP to the home router.
- Ensure that you have one of the following power sources:
  - IEEE 802.3af/at-compliant Power over Ethernet (PoE) source.
Assigning a Static IP

To assign a static IP to a W-IAP:
1. Connect a terminal, PC, or workstation running a terminal emulation program to the Console port on the W-IAP.
2. Power on the W-IAP. An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed.
3. Press Enter before the timer expires. The W-IAP goes into the apboot mode.
4. In the apboot mode, use the following commands to assign a static IP to the W-IAP.
Disabling the Provisioning Wi-Fi Network

The provisioning network is enabled by default. Instant provides the option to disable the provisioning network through the console port. Use this option only when you do not want the default SSID instant to be broadcast in your network.

To disable the provisioning network:
1. Connect a terminal or PC/workstation running a terminal emulation program to the Console port on the W-IAP.
2.
When you use a provisioning Wi-Fi network to connect to the Internet, all browser requests are directed to the Instant UI. For example, if you enter example.com in the address field, you are directed to the Instant UI. You can change the default login credentials after the first login.

Regulatory Domains

The IEEE 802.11/b/g/n Wi-Fi networks operate in the 2.4 GHz spectrum and IEEE 802.11a/n operates in the 5.0 GHz spectrum. The spectrum is divided into channels. The 2.
Code | Country Name
CN | China
CO | Colombia
CR | Costa Rica
CS | Serbia and Montenegro
CY | Cyprus
CZ | Czech Republic
DE | Germany
DK | Denmark
DO | Dominican Republic
DZ | Algeria
EC | Ecuador
EE | Estonia
EG | Egypt
ES | Spain
FI | Finland
FR | France
GB | United Kingdom
GR | Greece
GT | Guatemala
HK | Hong Kong
HN | Honduras
ID | Indonesia
IE | Ireland
IN | India
IS | Iceland
IT | Italy
Code | Country Name
JM | Jamaica
JO | Jordan
JP | Japan
KE | Kenya
KR | Republic of Korea (South Korea)
KW | Kuwait
LB | Lebanon
LI | Liechtenstein
LK | Sri Lanka
LT | Lithuania
LU | Luxembourg
MA | Morocco
MU | Mauritius
MX | Mexico
NL | Netherlands
NO | Norway
NZ | New Zealand
OM | Oman
PA | Panama
PE | Peru
PH | Philippines
PK | Islamic Republic of Pakistan
PL | Poland
PR | Puerto Rico
Code | Country Name
PT | Portugal
QA | Qatar
RO | Romania
RU | Russia
SA | Saudi Arabia
SG | Singapore
SI | Slovenia
SK | Slovak Republic
SV | El Salvador
TH | Thailand
TN | Tunisia
TR | Turkey
TT | Trinidad and Tobago
TW | Taiwan
UA | Ukraine
US | United States
UY | Uruguay
VE | Venezuela
VN | Vietnam
ZA | South Africa

Specifying Country Code

This procedure is applicable to the W-IAP-RW (Rest of World) variants only. Skip this step if you are installing W-IAP in the United States and Japan.
Figure 2 Specifying a Country Code

For the complete list of the country codes supported by the W-IAP-RW variant type, see Country Code on page 34.

Accessing the Instant CLI

Instant supports the use of Command Line Interface (CLI) for scripting purposes. When you make configuration changes on a master W-IAP in the CLI, all associated W-IAPs in the cluster inherit these changes and subsequently update their configurations. By default, you can access the CLI from the serial port or from an SSH session.
Applying Configuration Changes

Each command processed by the Virtual Controller is applied on all the slaves in a cluster. The changes configured in a CLI session are saved in the CLI context. The CLI does not support the configuration data exceeding the 4K buffer size in a CLI session. Therefore, it is recommended that you configure fewer changes at a time and apply the changes at regular intervals.
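The following planner is an added example, not part of the Dell guide: it splits a scripted change set into CLI sessions that each stay under the 4K buffer and end with commit apply, without separating a command from its indented sub-commands. It assumes the buffer is counted as command text plus one newline per line, and the wlan ssid-profile change set is constructed sample input.

```python
"""Plan Instant CLI sessions so each one stays under the 4K session buffer."""

CLI_BUFFER_LIMIT = 4096                 # the guide states a 4K per-session limit
PROLOGUE = ["configure terminal"]       # enter configuration mode
EPILOGUE = ["end", "commit apply"]      # leave config mode and apply to the cluster


def command_bytes(lines):
    # Assumption: every command costs its UTF-8 length plus one newline.
    return sum(len(line.encode("utf-8")) + 1 for line in lines)


def group_blocks(config_text):
    """Keep a top-level command together with the indented lines below it."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip():
            continue                            # ignore blank lines
        if raw[0].isspace() and blocks:
            blocks[-1].append(raw.rstrip())     # sub-command of the last block
        else:
            blocks.append([raw.strip()])        # new top-level command
    return blocks


def plan_batches(config_text, limit=CLI_BUFFER_LIMIT):
    """Return a list of sessions; each is a list of lines to send in order."""
    # Conservative: the wrapper commands are counted against the buffer too.
    budget = limit - command_bytes(PROLOGUE) - command_bytes(EPILOGUE)
    batches, current, used = [], [], 0
    for block in group_blocks(config_text):
        need = command_bytes(block)
        if need > budget:
            # A single profile that cannot fit must be reduced by hand.
            raise ValueError(
                f"block '{block[0]}' needs {need} bytes; cannot fit in one session"
            )
        if current and used + need > budget:
            batches.append(PROLOGUE + current + EPILOGUE)
            current, used = [], 0
        current.extend(block)
        used += need
    if current:
        batches.append(PROLOGUE + current + EPILOGUE)
    return batches


def sample_change_set(profiles=120):
    """Constructed input, sized only to exceed one 4K session."""
    lines = []
    for i in range(profiles):
        lines += [
            f"wlan ssid-profile guest-{i}",
            f" essid guest-{i}",
            f" vlan {100 + i}",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    for n, batch in enumerate(plan_batches(sample_change_set()), 1):
        print(f"session {n}: {len(batch)} lines, {command_bytes(batch)} bytes")
```

Blocks are kept in their original order, but the sequence-sensitive commands the guide lists still need a manual review before a change set is split.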
Table 8: Sequence-Sensitive Commands Sequence-Sensitive Command Corresponding no command rule {permit |deny | src-nat | dst-nat { | }}[
Chapter 4
Instant User Interface

This chapter describes the following Instant UI elements:
- Login Screen
- Main Window

Login Screen

The Instant login page allows you to:
- Log in to the Instant UI.
- View Instant Network Connectivity summary.
- View the Instant UI in a specific language.

Logging into the Instant UI

To log in to the Instant UI, enter the following credentials:
- Username—admin
- Password—admin

The Instant UI main window is displayed.
Language

The Language drop-down lists the languages and allows users to select their preferred language before logging in to the Instant UI. A default language is selected based on the language preferences in the client desktop operating system or browser. If Instant cannot detect the language, then English is used as the default language. You can also select the required language option from the Languages drop-down located at the bottom left corner of the Instant main window.
  - Access Points Tab—Provides information about the W-IAPs configured in the Instant network.
  - Clients Tab—Provides information about the clients in the Instant network.

Each tab appears in a compressed view by default. The number of networks, W-IAPs, or clients in the network precedes the tab names. The individual tabs can be expanded or collapsed by clicking on the tabs. The list items in each tab can be sorted by clicking the triangle icon next to the heading labels.
- Noise (dBm)—Noise floor of the channel.

An edit link is displayed on clicking the W-IAP name. For details about editing W-IAP settings, see Customizing W-IAP Settings on page 83.

Clients Tab

This tab displays a list of clients that are connected to the Instant network. The client names are displayed as links. The expanded view displays the following information about each client:
- Name—User name of the client or guest users if available.
- IP Address—IP address of the client.
New Version Available

This link is displayed in the top right corner of the Instant main window only if a new image version is available on the image server and W-AirWave is not configured. For more information about the New version available link and its functions, see Upgrading a W-IAP on page 329.

System

This link displays the System window. The System window consists of the following tabs:

Use the Show/Hide Advanced option at the bottom of the System window to view or hide the advanced options.
Figure 5 System Window

RF

The RF link displays a window for configuring Adaptive Radio Management (ARM) and Radio features.
- ARM—Allows you to view or configure channel and power settings for all the W-IAPs in the network. For information about ARM configuration, see ARM Overview on page 239.
- Radio—Allows you to view or configure radio settings for 2.4 GHz and the 5 GHz radio profiles. For information about Radio, see Configuring Radio Settings for a W-IAP on page 246.
Figure 6 RF Window

Security

The Security link displays a window with the following tabs:
- Authentication Servers—Use this tab to configure an external RADIUS server for a wireless network. For more information, see Configuring an External Server for Authentication on page 160.
- Users for Internal Server—Use this tab to populate the system’s internal authentication server with users.
Figure 7 Security Window - Default View

Maintenance

The Maintenance link displays a window that allows you to maintain the Wi-Fi network. The Maintenance window consists of the following tabs:
- About—Displays the name of the product, build time, W-IAP model name, the Instant version, website address of Dell, and Copyright information.
- Configuration—Displays the following details:
  - Current Configuration—Displays the current configuration details.
Figure 8 Maintenance Window - Default View

More

The More link allows you to select the following options:
- VPN
- IDS
- Wired
- Services
- DHCP Server
- Support

VPN

The VPN window allows you to define communication settings with a remote Controller. See VPN Configuration on page 216 for more information. The following figure shows an example of the IPSec configuration options available in the VPN window:
Figure 9 VPN window for IPSec Configuration

IDS

The IDS window allows you to configure wireless intrusion detection and protection levels. The following figures show the IDS window:

Figure 10 IDS Window: Intrusion Detection
Figure 11 IDS Window: Intrusion Protection

For more information on wireless intrusion detection and protection, see Detecting and Classifying Rogue APs on page 307.

Wired

The Wired window allows you to configure a wired network profile. See Wired Profiles on page 113 for more information. The following figure shows the Wired window:

Figure 12 Wired Window

Services

The Services window allows you to configure services such as AirGroup, RTLS, and OpenDNS.
- RTLS—Allows you to integrate W-AirWave Management platform or third-party Real Time Location Server such as Aeroscout Real Time Location Server with Instant. For more information, see Configuring a W-IAP for RTLS Support on page 272. The RTLS tab also allows you to integrate W-IAP with the Analytics and Location Engine (ALE). For more information about configuring a W-IAP for ALE integration, see Configuring a W-IAP for Analytics and Location Engine Support on page 274.
Figure 14 DHCP Servers Window

For more information, see DHCP Configuration on page 206.

Support

The Support window consists of the following fields:
- Command—Allows you to select a support command for execution.
- Target—Displays a list of W-IAPs in the network.
- Run—Allows you to execute the selected command for a specific W-IAP or all W-IAPs and view logs.
- Auto Run—Allows you to configure a schedule for automatic execution of a support command for a specific W-IAP or all W-IAPs.
Figure 15 Support Window

Help

The Help link allows you to view a short description or definition of selected terms and fields in the UI windows or dialogs.

To activate the context-sensitive help:
1. Click the Help link at the top right corner of Instant main window.
2. Click any text or term displayed in green italics to view its description or definition.
3. To disable the help mode, click Done.

Logout

The Logout link allows you to log out of the Instant UI.
Table 9: Contents of the Info Section in the Instant Main Window

Name: Info section in Virtual Controller view
Description: The Info section in the Virtual Controller view displays the following information:
- Name—Displays the Virtual Controller name.
- Country Code—Displays the Country in which the Virtual Controller is operating.
- Virtual Controller IP address—Displays the IP address of the Virtual Controller.

Name: Info section in Network view
Table 9: Contents of the Info Section in the Instant Main Window

for rogue APs in the background.
- In Monitor mode, the W-IAP acts as a dedicated monitor, scanning all channels for rogue APs and clients.
- Spectrum—Displays the status of the spectrum monitor.
- Clients—Number of clients associated with the W-IAP.
- Type—Displays the model number of the W-IAP.
- Zone—Displays AP zone details.

Name: Info section in Client view
The following table describes the icons available on the RF Dashboard pane:

Table 10: RF Dashboard Icons

Icon: 1
Name: Signal Icon
Description: Displays the signal strength of the client. Depending on the signal strength of the client, the color of the lines on the Signal bar changes from Green > Orange > Red.
- Green—Signal strength is more than 20 decibels.
- Orange—Signal strength is between 15-20 decibels.
- Red—Signal strength is less than 15 decibels.
Table 10: RF Dashboard Icons

Icon: 4
Name: Noise icon
Description: Displays the noise floor details for the W-IAPs. Noise is measured in decibels/meter. Depending on the noise floor, the color of the lines on the Noise icon changes from Green > Orange > Red.
- Green—Noise floor is more than 87 dBm.
- Orange—Noise floor is between 80 dBm-87 dBm.
- Red—Noise floor is less than 80 dBm.

To view the noise floor graph of a W-IAP, click the noise icon next to the W-IAP in the Noise column.
- Clients—In the default view, the Clients graph displays the number of clients that were associated with the Virtual Controller in the last 15 minutes. In Network or Access Points view, this graph displays the number of clients that were associated with the selected network or W-IAP in the last 15 minutes.
- Throughput—In the default view, the Throughput graph displays the incoming and outgoing throughput traffic for the Virtual Controller in the last 15 minutes.
Table 11: Network View—Graphs and Monitoring Procedures

Graph Name: Clients
Description: The Clients graph shows the number of clients associated with the network for the last 15 minutes. To see an enlarged view, click the graph.
Monitoring Procedure: To check the number of clients associated with the network for the last 15 minutes,
Table 12: Access Point View—Usage Trends and Monitoring Procedures

Graph Name: Neighboring APs
Description: The Neighboring APs graph shows the number of APs heard by the selected W-IAP:
- Valid APs: An AP that is part of the enterprise providing WLAN service.
- Interfering APs: An AP that is seen in the RF environment but is not connected to the network.
Monitoring Procedure: To check the neighboring APs detected by the W-IAP for the last 15 minutes,
Table 12: Access Point View—Usage Trends and Monitoring Procedures

2. On the Access Points tab, click the W-IAP for which you want to monitor the client association. The W-IAP view is displayed.
3. Study the Memory free graph in the Overview pane. For example, the graph shows that the free memory of the W-IAP is 64 MB at 12:13 hours.

Graph Name: Clients
Description: The Clients graph shows the number of clients associated with the selected W-IAP for the last 15 minutes.
Table 13: Client View—RF Trends Graphs and Monitoring Procedures

Graph Name: Signal
Description: The Signal graph shows the signal strength of the client for the last 15 minutes. It is measured in decibels. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average signal statistics of the client for the last 15 minutes.
Monitoring Procedure: To monitor the signal strength of the selected client for the last 15 minutes,
Table 13: Client View—RF Trends Graphs and Monitoring Procedures

Graph Name: Throughput
Description: The Throughput Graph shows the throughput of the selected client for the last 15 minutes.
- Outgoing traffic—Throughput for outgoing traffic is displayed in green. Outgoing traffic is shown above the median line.
- Incoming traffic—Throughput for incoming traffic is displayed in blue.
Monitoring Procedure: To monitor the errors for the client for the last 15 minutes,
Figure 20 Client Distribution on AP Radio

On clicking a client in the Clients tab and the Client Match link, a graph is drawn with real-time data points for an AP radio map. When you hover the mouse on the graph, details such as RSSI, channel utilization details, and client count on each channel are displayed.
For more information on spectrum monitoring, see Spectrum Monitor on page 321.

Alerts

Alerts are generated when a user encounters problems while accessing or connecting to a network. The alerts that are generated can be categorized as follows:
- 802.11 related association and authentication failure alerts
- 802.1X related mode and key mismatch, server, and client time-out failure alerts
- IP address related failures - Static IP address or DHCP related alerts.
Table 14: Types of Alerts

Type of Alert: Client Alerts
Description: The Client alerts occur when clients are connected to the Instant network.
Information Displayed: A client alert displays the following fields:
- Timestamp—Displays the time at which the client alert was recorded.

Type of Alert: Active Faults
Description: The Active Faults occur in the event of a system fault.

Type of Alert: Fault History
Description: The Fault History alerts occur in the event of a system fault.
Figure 24 Fault History

Figure 25 Active Faults

The following table displays a list of alerts that are generated in the W-IAP network:

Table 15: Alerts list

Type Code: 100101
Description: Internal error
Details: The W-IAP has encountered an internal error for this client.
Corrective Actions: Contact the Dell customer support team.

Type Code: 100102
Description: Unknown SSID in association request
Details: The W-IAP cannot allow this client to associate, because the association request received contains an unknown SSID.
Table 15: Alerts list

Type Code: 100104
Description: Unsupported 802.11 rate
Details: The W-IAP cannot allow this client to associate because it does not support the 802.11 rate requested by this client.
Corrective Actions: Check the configuration on the W-IAP to see if the desired rate can be supported; if not, consider replacing the W-IAP with another model that can support the rate.
Table 15: Alerts list

Type Code: 100309
Description: RADIUS server authentication failure
Details: The W-IAP cannot authenticate this client using 802.1X, because the RADIUS server rejected the authentication credentials (password and so on) provided by the client.
Corrective Actions: Ascertain the correct authentication credentials and log in again.
Figure 26 Intrusion Detection

For more information on the intrusion detection feature, see Intrusion Detection on page 307.

AirGroup

This AirGroup link provides an overall view of your AirGroup configuration. Click each field to view or edit the settings.
- MAC—Displays the MAC address of the AirGroup servers.
- IP—Displays the IP address of the AirGroup servers.
- Host Name—Displays the machine name or hostname of the AirGroup servers.
W-AirWave Setup

W-AirWave is a solution for managing rapidly changing wireless networks. When enabled, W-AirWave allows you to manage the Instant network. For more information on W-AirWave, see Managing a W-IAP from W-AirWave on page 284. The W-AirWave status is displayed at the bottom of the Instant main window. If the W-AirWave status is Not Set Up, click the Set Up Now link to configure W-AirWave. The System>Admin window is displayed.
Chapter 5
Initial Configuration Tasks

This chapter describes the general configuration tasks to perform when a W-IAP is set up.
In the Instant UI

1. Navigate to System>General.
2. Specify the name of W-IAP in the Name text box.
3. Click OK.

In the CLI

To change the name:

    (Instant AP)# name

Updating Location Details of a W-IAP

You can update the physical location details of a W-IAP by using the Instant UI or CLI. The system location details are used for retrieving information through the SNMP sysLocation MIB object.

In the Instant UI

To update location details:
1. Navigate to System>General.
2.
You can configure the Virtual Controller name and IP address using the Instant UI or CLI.
In the Instant UI
1. Navigate to System>General.
2. Enter the IP address in Virtual Controller IP.
3. Click OK.
In the CLI
To configure the Virtual Controller Name and IP address:
(Instant AP)(config)# virtual-controller-ip
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring a Timezone
You can configure the time zone in which the W-IAP must operate by using the Instant UI or the CLI.
By default, the W-IAP tries to connect to pool.ntp.org to synchronize time. A different NTP server can be configured from the UI, or provisioned through DHCP option 42. If an NTP server is configured, it takes precedence over the value provisioned through DHCP option 42. The NTP server provisioned through DHCP option 42 is used if no server is configured. The default server pool.ntp.org is used if no NTP server is configured or provisioned through DHCP option 42.
• Configuring Auto Join Mode on page 78
• Configuring Terminal Access on page 79
• Configuring Console Access on page 79
• Configuring LED Display on page 79
• Configuring Additional WLAN SSIDs on page 80
• Preventing Inter-user Bridging on page 81
• Preventing Local Routing between Clients on page 81
• Enabling Dynamic CPU Management on page 82
The following figure shows the additional configuration options available under the System>General tab:
Configuring Virtual Controller VLAN
The IP
4. Enter the Virtual Controller VLAN in Virtual Controller VLAN. Ensure that the Virtual Controller VLAN is not the same as the native VLAN of the W-IAP.
5. Click OK.
In the CLI
To configure the Virtual Controller VLAN:
(Instant AP)(config)# virtual-controller-vlan
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring Auto Join Mode
The auto join mode feature allows W-IAPs to automatically discover the Virtual Controller and join the network.
Configuring Terminal Access
When terminal access is enabled, you can access the Instant CLI through an SSH or Telnet server. Terminal access is enabled by default. You can enable or disable terminal access to a W-IAP by using the Instant UI or CLI.
In the Instant UI
1. Navigate to System>General>Show advanced options.
2. Select Disabled or Enabled from the Terminal access drop-down list.
3. To enable Telnet server based access, select Enabled from the Telnet server drop-down list.
4. Click OK.
You can enable or disable LED Display for a W-IAP using the Instant UI or CLI.
In the Instant UI
To enable or disable LED display for all W-IAPs in a cluster, perform the following steps:
1. Navigate to System > General > Show advanced options.
2. From the LED Display drop-down list, select Enabled to enable LED display or Disabled to turn off the LED display.
3. Click OK.
(Instant AP)(config)# extended-ssid
(Instant AP)(config)# end
(Instant AP)# commit apply
Preventing Inter-user Bridging
If you have security and traffic management policies defined in upstream devices, you can disable bridging traffic between two clients connected to the same AP on the same VLAN.
To deny local routing for the WLAN SSID clients:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# deny-local-routing
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
Enabling Dynamic CPU Management
W-IAPs perform various functions such as wireless client connectivity and traffic flows, wired client connectivity and traffic flows, wireless security, network management, and location tracking.
Chapter 6 Customizing W-IAP Settings
This chapter describes the procedures for configuring settings that are specific to a W-IAP in the cluster.
2. Click the edit link. The edit window for modifying W-IAP details is displayed.
3. Specify the AP zone in Zone.
4. Click OK.
In the CLI
To configure the AP zone:
(Instant AP)# zone
Specifying a Method for Obtaining IP Address
You can either specify a static IP address or allow the W-IAP to obtain an IP address from the DHCP server. By default, the W-IAPs obtain an IP address from the DHCP server. You can specify a static IP address for the W-IAP by using the Instant UI or CLI.
In the Instant UI
1.
(Instant AP)# ip-address
Configuring External Antenna
If your W-IAP has external antenna connectors, you need to configure the transmit power of the system. The configuration must ensure that the system's Equivalent Isotropically Radiated Power (EIRP) is in compliance with the limit specified by the regulatory authority of the country in which the W-IAP is deployed.
2. In the Edit Access Point window, select External Antenna to configure the antenna gain value. This option is available only for access points that support external antennas, for example, W-IAP134.
3. Enter the antenna gain values in dBm for the 2.4 GHz and 5 GHz bands.
4. Click OK.
Table 18: W-IAP Radio Modes
Mode: Access
Description: In Access mode, the AP serves clients, while also monitoring for rogue APs in the background.
If the Access mode is selected, perform the following actions:
1. Select Administrator assigned in 2.4 GHz and 5 GHz band sections.
2. Select the appropriate channel number from the Channel drop-down list for both 2.4 GHz and 5 GHz band sections.
3. Enter the appropriate transmit power value in the Transmit power text box in 2.4 GHz and 5 GHz band sections.
1. On the Access Points tab, click the W-IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying W-IAP details is displayed.
3. Click the Uplink tab.
4. Specify the VLAN in the Uplink Management VLAN field.
5. Click OK.
6. Reboot the W-IAP.
Preference to a W-IAP with Non-Default IP
The Master Election Protocol prefers a W-IAP with a non-default IP when electing a Virtual Controller for the Instant network during initial startup. If there is more than one W-IAP with a non-default IP in the network, all W-IAPs with the default IP automatically reboot and the DHCP process is used to assign new IP addresses.
Iap_master:1
Adding a W-IAP to the Network
To add a W-IAP to the Instant network, assign an IP address. For more information, see Assigning an IP address to the W-IAP on page 31. After a W-IAP is connected to the network, if the Auto Join Mode feature is enabled, the W-IAP inherits the configuration from the Virtual Controller and is listed in the Access Points tab. If the Auto Join Mode is disabled, perform the following steps to add a W-IAP to the network:
1. On the Access Points tab, click the New link.
Chapter 7 VLAN Configuration
VLAN configuration is required for networks with more devices and broadcast traffic on a WLAN SSID or wired profile. Based on the network type and its requirements, you can configure the VLANs for a WLAN SSID or wired port profile. For more information on VLAN configuration for a WLAN SSID and wired port profile, see Configuring VLAN Settings for a WLAN SSID Profile on page 96 and Configuring VLAN for a Wired Profile on page 115.
Chapter 8 Wireless Network Profiles
This chapter provides the following information:
• Configuring Wireless Network Profiles on page 92
• Configuring Fast Roaming for Wireless Clients on page 107
• Editing Status of a WLAN SSID Profile on page 111
• Editing a WLAN SSID Profile on page 111
• Deleting a WLAN SSID Profile on page 112
Configuring Wireless Network Profiles
During start up, a wireless client searches for radio signals or beacon frames that originate from the nearest W-IAP.
In the Instant UI
To configure WLAN settings:
1. In the Networks tab of the Instant main window, click the New link. The New WLAN window is displayed. The following figure shows the contents of the WLAN Settings tab:
Figure 33 WLAN Settings Tab
2. Enter a name that uniquely identifies a wireless network in the Name (SSID) text box. The SSID Name may contain any special character except for ' and ".
3.
Table 19: WLAN Configuration Parameters
Parameter: Broadcast filtering
Description: Select any of the following values:
• All—When set to All, the W-IAP drops all broadcast and multicast frames except DHCP and ARP, igmp-group queries, and IPv6 neighbor discovery protocols.
Parameter: DTIM interval
Table 19: WLAN Configuration Parameters
The following constraints apply to the zone configuration:
• A W-IAP can belong to only one zone and only one zone can be configured on an SSID.
• If an SSID belongs to a zone, all W-IAPs in this zone can broadcast this SSID. If no W-IAP belongs to the zone configured on the SSID, the SSID is not broadcast.
Parameter: Bandwidth Limits
Parameter: Wi-Fi Multimedia (WMM) traffic management
Table 19: WLAN Configuration Parameters
without Uplink
Parameter: Max clients threshold
Description: Specify the maximum number of clients that can be configured for each BSSID on a WLAN. You can specify a value within the range of 0 to 255. The default value is 64.
Parameter: Local probe request threshold
Description: Specify a threshold value to limit the number of incoming probe requests.
You can configure VLAN settings for an SSID profile using the Instant UI or CLI.
In the Instant UI
To configure VLAN settings for an SSID:
1. In the VLAN tab of the New WLAN window, perform the following steps. The following figure displays the contents of the VLAN tab.
Figure 34 VLAN Tab
2. Select any of the following options for Client IP assignment:
• Virtual Controller assigned—On selecting this option, the client obtains the IP address from the Virtual Controller.
Table 20: IP and VLAN Assignment for WLAN SSID Clients
Client IP Assignment: Virtual Controller assigned
Client VLAN Assignment: If the Virtual Controller assigned is selected for client IP assignment, the Virtual Controller creates a private subnet and VLAN on the W-IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source.
To create a new VLAN assignment rule:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# set-vlan {{contains|ends-with|equals|matches-regular-expression|not-equals|starts-with} |value-of}
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
Configuring Security Settings for a WLAN SSID Profile
The following procedures are described in this section:
• Configuring Security Settings for an Employee or Voice Network on page 99
For informa
Figure 36 Security Tab: Personal
Figure 37 Security Tab: Open
2. Based on the security level specified, specify the following parameters:
Table 21: Configuration Parameters for WLAN Security Settings in an Employee or Voice Network
Columns: Parameter, Description, Security Level Type
Parameter: Key Management
Description: For Enterprise security level, select any of the following options from the Key management drop-down list:
• WPA-2 Enterprise
• Both (WPA-2 & WPA)
• WPA Enterprise
• Dynamic WEP with 802.1X—If you do not want to use a session key from the RADIUS Server to derive pairwise unicast keys, set Session Key for LEAP to Enabled.
Table 21: Configuration Parameters for WLAN Security Settings in an Employee or Voice Network
NOTE: Instant supports the configuration of primary and backup authentication servers in an EAP termination enabled SSID.
NOTE: If you are using LDAP for authentication, ensure that AP termination is configured to support EAP.
Table 21: Configuration Parameters for WLAN Security Settings in an Employee or Voice Network
To use a separate accounting server and an authentication server, choose Use separate servers. The accounting server is distinguished from the authentication server specified for the SSID profile. To disable the accounting function, choose Disabled.
Parameter: Authentication survivability
Description: To enable authentication survivability, set Authentication survivability to Enabled.
Table 21: Configuration Parameters for WLAN Security Settings in an Employee or Voice Network
Parameter: Uppercase support
Description: Set to Enabled to allow the W-IAP to use uppercase letters in MAC address string for MAC authentication. NOTE: This option is available only if MAC authentication is enabled.
Security Level Type: Enterprise, Personal, and Open security levels.
Parameter: Upload Certificate
Description: Click Upload Certificate and browse to upload a certificate file for the internal server.
(Instant AP)(SSID Profile )# external-server
(Instant AP)(SSID Profile )# server-load-balancing
(Instant AP)(SSID Profile )# blacklist
(Instant AP)(SSID Profile )# mac-authentication
(Instant AP)(SSID Profile )# l2-auth-failthrough
(Instant AP)(SSID Profile )# auth-survivability
(Instant AP)(SSID Profile )# radius-accounting
(Instant AP)(SSID Profile )# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile )# radius-inte
If you are creating a new SSID profile, complete the WLAN Settings and configure VLAN and security parameters before defining access rules. For more information, see Configuring WLAN Settings for an SSID Profile on page 92, Configuring VLAN Settings for a WLAN SSID Profile on page 96, and Configuring Security Settings for a WLAN SSID Profile on page 99. You can configure up to 128 access rules for an employee, voice, or guest network using the Instant UI or CLI.
(Instant AP)(SSID Profile )# set-role-pre-auth
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To configure machine and user authentication roles:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# set-role-machine-auth
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To configure unrestricted access:
(Instant AP)(config)# wlan
Configuring a W-IAP for OKC Roaming
You can enable OKC roaming for a WLAN SSID by using the Instant UI or CLI.
In the Instant UI
1. Navigate to the WLAN wizard (click Network>New or Network> Select the WLAN SSID>edit).
2. Click the Security tab.
3. Slide to Enterprise security level. On selecting a security level, the authentication options applicable to Enterprise network are displayed.
4. Select the WPA-2 Enterprise or Both (WPA-2 & WPA) option from the Key management drop-down list.
As part of the 802.11r implementation, Instant supports the Fast BSS Transition protocol. The Fast BSS Transition mechanism reduces client roaming delay when a client transitions from one BSS to another within the same cluster. This minimizes the time required to resume data connectivity when a BSS transition happens. Fast BSS Transition is operational only if the wireless client supports the 802.11r standard. If the client does not support 802.
• Extended Capabilities IE - The extended capabilities IE carries information about the capabilities of an IEEE 802.11 station.
Beacon Report Requests and Probe Responses
The beacon request frame is sent by an AP to request a client to report the list of beacons heard by the client on all channels.
• The beacon request is sent using the radio measurement request action frame.
• It is sent only to those clients that have the capability to generate beacon reports.
Configuring a WLAN SSID for 802.11v Support
You can enable 802.11v support on a WLAN SSID by using the Instant UI or CLI.
In the Instant UI
1. Navigate to the WLAN wizard (click Network>New or Network> Select the WLAN SSID>edit).
2. Click the Security tab.
3. Under Fast Roaming, select the 802.11v checkbox.
4. Click Next and then click Finish.
In the CLI
To enable 802.
2. Click the edit link. The Edit network window is displayed.
3. Modify the settings as required. Click Next to move to the next tab.
4. Click Finish to save the changes.
Deleting a WLAN SSID Profile
To delete a WLAN SSID profile:
1. In the Networks tab, click the network that you want to delete. An x link is displayed against the network to be deleted.
2. Click x. A delete confirmation window is displayed.
3. Click Delete Now.
Chapter 9 Wired Profiles
This chapter describes the following procedures:
• Configuring a Wired Profile on page 113
• Assigning a Profile to Ethernet Ports on page 118
• Editing a Wired Profile on page 119
• Deleting a Wired Profile on page 119
• Link Aggregation Control Protocol on page 119
• Understanding Hierarchical Deployment on page 120
Configuring a Wired Profile
The Ethernet ports allow third-party devices such as VoIP phones or printers (which support only wired connections) to connect
Figure 38 New Wired Network Window: Wired Settings Window
3. Click the Wired Settings tab and enter the following information:
a. Name—Specify a name for the profile.
b. Primary Usage—Select Employee or Guest.
c. Speed/Duplex—Ensure that appropriate values are selected for Speed/Duplex. Contact your network administrator if you need to assign speed and duplex parameters.
d. POE—Set POE to Enabled to enable Power over Ethernet.
(Instant AP)(wired ap profile )# poe
(Instant AP)(wired ap profile )# uplink-enable
(Instant AP)(wired ap profile )# content-filtering
(Instant AP)(wired ap profile )# spanning-tree
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
Configuring VLAN for a Wired Profile
If you are creating a new wired profile, complete the Wired Settings procedure before configuring VLAN. For more information, see Configuring Wired Settings on page 113.
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
To configure a new VLAN assignment rule:
(Instant AP)(config)# wired-port-profile
(Instant AP)(wired ap profile )# set-vlan {equals| not-equals| starts-with| ends-with| contains| matches-regular-expression} | value-of}
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
Configuring Security Settings for a Wired Profile
If you are creating a new wired profile, complete the Wir
(Instant AP)# commit apply
Configuring Access Rules for a Wired Profile
The Ethernet ports allow third-party devices such as VoIP phones or printers (that support only wired connections) to connect to the wireless network. You can also configure an Access Control List (ACL) for additional security on the Ethernet downlink. If you are creating a new wired profile, complete the Wired Settings and configure VLAN and security parameters before defining access rules.
In the CLI
To configure access rules for a wired profile:
(Instant AP)(config)# wired-port-profile
(Instant AP)(wired ap profile )# access-rule-name
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
To configure role assignment rules:
(Instant AP)(config)# wired-port-profile
(Instant AP)(wired ap profile )# set-role {{equals| not-equal| starts-with| ends-with| contains| matches-regular-expression} | value-of}
(Instant AP)(wire
(Instant AP)(config)# enet4-port-profile
(Instant AP)(config)# end
(Instant AP)# commit apply
Editing a Wired Profile
To edit a wired profile:
1. Click the Wired link under More at the top right corner of the Instant main window. The Wired window is displayed.
2. In the Wired window, select the wired profile to modify.
3. Click Edit. The Edit Wired Network window is displayed.
4. Modify the required settings.
5. Click Finish to save the modifications.
----------- --------- --------- --------- ----------- ----------
Up          slow      2         17        1           70:81:05:11:3e:80

Slave Interface Status
----------------------
Slave I/f Name  Permanent MAC Addr  Link Status  Member of LAG  Link Fail Count
--------------  ------------------  -----------  -------------  ---------------
eth0            6c:f3:7f:c6:76:6e   Up           Yes            0
eth1            6c:f3:7f:c6:76:6f   Up           Yes            0

Traffic Sent on Enet Ports
--------------------------
Radio Num  Enet 0 Tx Count  Enet 1 Tx Count
---------  ---------------  ---------------
0          0                0
1          0                0
non-wifi   2
Figure 39 Hierarchical Deployment
Chapter 10 Captive Portal for Guest Access
This chapter provides the following information:
• Understanding Captive Portal on page 122
• Configuring a WLAN SSID for Guest Access on page 123
• Configuring Wired Profile for Guest Access on page 128
• Configuring Internal Captive Portal for Guest Network on page 130
• Configuring External Captive Portal for a Guest Network on page 132
• Configuring External Captive Portal Authentication Using ClearPass Guest on page 136
• Configuring Guest Logon
• External captive portal—For external captive portal authentication, an external portal on the cloud or on a server outside the enterprise network is used.
Walled Garden
The administrators can also control the resources that the guest users can access and the amount of bandwidth or air time they can use at any given time. When an external captive portal is used, the administrators can configure a walled garden, which determines access to the URLs requested by the guest users.
Table 22: WLAN SSID Configuration Parameters for Guest Network
Parameter: Broadcast/Multicast
Description: Select any of the following values under Broadcast filtering:
• All—When set to All, the W-IAP drops all broadcast and multicast frames except DHCP and ARP.
• ARP—When set to ARP, the W-IAP converts ARP requests to unicast and sends frames directly to the associated client.
• Disabled—When set to Disabled, all broadcast and multicast traffic is forwarded.
The following constraints apply to the zone configuration:
• A W-IAP can belong to only one zone and only one zone can be configured on an SSID.
• If an SSID belongs to a zone, all W-IAPs in this zone can broadcast this SSID. If no W-IAP belongs to the zone configured on the SSID, the SSID is not broadcast.
• If an SSID does not belong to any zone, all W-IAPs can broadcast this SSID.
Parameter: Bandwidth Limits
Parameter: Wi-Fi Multimedia (WMM) traffic management
Parameter: Disable SSID
Description: Select the checkbox to disable the SSID. On selecting this checkbox, the SSID is disabled, but not removed from the network. By default, all SSIDs are enabled.
Parameter: Can be used without Uplink
Description: Select the checkbox if you do not want the SSID users to use uplink.
Parameter: Max clients threshold
Description: Specify the maximum number of clients that can be configured for each BSSID on a WLAN in the text box. You can specify a value within the range of 0 to 255. The default value is 64.
Table 23: IP and VLAN Assignment for WLAN SSID Clients
Client IP Assignment: Virtual Controller assigned
Client VLAN Assignment: If the Virtual Controller assigned is selected for client IP assignment, the Virtual Controller creates a private subnet and VLAN on the W-IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source.
downlink ports, regardless of forwarding mode. STP will not operate on the uplink port and is supported only on W-IAPs with three or more ports. By default, Spanning Tree is disabled on wired profiles.
4. Click Next. The VLAN tab details are displayed.
5. Enter the following information.
a. Mode—You can specify any of the following modes:
• Access—Select this mode to allow the port to carry a single VLAN specified as the native VLAN.
Configuring Internal Captive Portal for Guest Network
In the Internal Captive Portal type, an internal server is used for hosting the captive portal service. You can configure internal captive portal authentication when adding or editing a guest network created for a wireless or wired profile through the Instant UI or CLI.
In the Instant UI
1. Navigate to the WLAN wizard or Wired window.
Parameter: Accounting mode
Description: Select an accounting mode from Accounting mode for posting accounting information at the specified accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client is disconnected.
(Instant AP)(SSID Profile )# radius-reauth-interval
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To configure internal captive portal for a wired profile:
(Instant AP) (config)# wired-port-profile
(Instant AP) (wired ap profile )# type
(Instant AP) (wired ap profile )# captive-portal {| } exclude-uplink {3G|4G|Wifi|Ethernet}
(Instant AP) (wired ap profile )# mac-authentication
(Instant AP) (w
In the Instant UI
1. Click Security>External Captive Portal.
2. Click New. The New pop-up window is displayed.
3. Specify values for the following parameters:
Table 25: Captive Portal Profile Configuration Parameters
Parameter: Name
Description: Enter a name for the profile.
Parameter: Type
Description: Select any one of the following types of authentication:
• Radius Authentication - Select this option to enable user authentication against a RADIUS server.
(Instant AP)(External Captive Portal)# url
(Instant AP)(External Captive Portal)# https
(Instant AP)(External Captive Portal)# redirect-url
(Instant AP)(External Captive Portal)# server-fail-through
(Instant AP)(External Captive Portal)# no auto-whitelist-disable
(Instant AP)(External Captive Portal)# end
(Instant AP)# commit apply
Configuring an SSID or Wired Profile to Use External Captive Portal Authentication
You can configure external captive portal authentication for a network profile
Table 26: External Captive Portal Configuration Parameters
Parameter: Accounting mode
Description: Select an accounting mode from Accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network.
(Instant AP)# commit apply
Configuring External Captive Portal Authentication Using ClearPass Guest
You can configure Instant to point to ClearPass Guest as an external Captive Portal server. With this configuration, the user authentication is performed by matching a string in the server response and RADIUS server (either ClearPass Guest or a different RADIUS server).
• A guest role – This role is assigned after user authentication.
• A captive-portal role - This role can be assigned to any network such as employee, voice, or guest. When the user is assigned this role, a splash page is displayed after opening a browser and the users may need to authenticate.
You can configure up to 128 access rules for guest user roles through the Instant UI or CLI.
In the Instant UI
To configure roles and access rules for the guest network:
1.
To configure a pre-authentication role:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile # set-role-pre-auth
(Instant AP)(SSID Profile # end
(Instant AP)# commit apply
To configure machine and user authentication roles:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile # set-role-machine-auth
(Instant AP)(SSID Profile # end
(Instant AP)# commit apply
To c
To enforce the Captive Portal role, use the Instant UI or CLI.
In the Instant UI
To create a captive portal role:
1. Select an SSID profile from the Networks tab. The Edit window is displayed.
2. On the Access tab, slide to Role-based access control by using the scroll bar.
3. Select a role or create a new one if required.
4. Click New to add a new rule. The New Rule window is displayed.
5. In the New Rule window, specify the following parameters.
Field Description
initial page that would be displayed to users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type configured
External
• To change the color of the splash page, click the Splash page rectangle and select the required color from the Background Color palette.
• To change the welcome text, click the first square box in the splash page, type the required text in the Welcome text box, and then click OK.
8. Click Finish. The client can connect to this SSID after authenticating with username and password. After a successful user login, the captive portal role is assigned to the client.
In the CLI
To create a Walled Garden access:
(Instant AP)(config)# wlan walled-garden
(Instant AP)(Walled Garden)# white-list
(Instant AP)(Walled Garden)# black-list
(Instant AP)(Walled Garden)# end
(Instant AP)# commit apply
Disabling Captive Portal Authentication
To disable captive portal authentication, perform the following steps:
1. Select a wireless or wired profile. Depending on the network profile selected, the Edit or Edit Wired Network window is displayed.
Chapter 11 Authentication and User Management
This chapter provides the following information:
• Managing W-IAP Users on page 143
• Understanding Authentication Methods on page 150
• Supported Authentication Servers on page 152
• Understanding Encryption Types on page 157
• Support for Authentication Survivability on page 158
• Configuring Authentication Servers on page 160
• Configuring 802.
Configuring Authentication Parameters for Management Users
Instant now allows you to configure a TACACS+ Server as the authentication server to support authentication and accounting privileges for management users. A TACACS+ server allows a remote access server to communicate with an authentication server to determine if the user has access to the network. In Instant, the users can create several TACACS+ server profiles, out of which one or two of the servers can be specified to authenticate management users.
Table 29: TACACS+ Server Configuration Parameters
Parameter: IP address
Description: Enter the IP address of the TACACS+ server.
Parameter: Auth Port
Description: Enter the TCP IP port used by the server. The default port number is 49.
Parameter: Shared Key
Description: Enter the secret key of your choice to authenticate communication between the TACACS+ client and server.
Parameter: Retype Key
Description: Re-enter the secret key you have specified as the Shared Key.
Parameter: Timeout
Description: Enter a number between 1 and 30 seconds to indicate the timeout period for TACACS+ requests.
Figure 43 Admin Tab: Management Authentication Parameters
3. Under Local, select any of the following options from the Authentication drop-down list:
• Internal—Select this option to specify a single set of user credentials. Enter the Username and Password for accessing the Virtual Controller Management User Interface.
• Authentication Server—Specify one or two authentication servers to authenticate clients.
(Instant AP)(config)# mgmt-auth-server-load-balancing
(Instant AP)(config)# mgmt-auth-server-local-backup
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure management authentication settings:
(Instant AP)(config)# mgmt-auth-server
(Instant AP)(config)# mgmt-auth-server
(Instant AP)(config)# mgmt-auth-server-load-balancing
(Instant AP)(config)# mgmt-auth-server-local-backup
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring Guest Management Interface Admi
1. Click the Security link at the top right corner of the Instant main window.
2. Click Users for Internal Server. The following figure shows the contents of the Users for Internal Server tab.
Figure 44 Adding a User
3. Enter the username in the Username text box.
4. Enter the password in the Password text box and reconfirm.
5. Select a type of network from the Type drop-down list.
6. Click Add and click OK. The users are listed in the Users list.
7. To edit user settings:
a.
(Instant AP)(config)# user radius
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure a guest user:
(Instant AP)(config)# user portal
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring the Read-Only Administrator Credentials
You can assign the read-only privilege to an admin user by using the Instant UI or CLI.
In the Instant UI
1. Click the System link at the top right corner of the Instant main window. The System window is displayed.
5. Click OK.
Understanding Authentication Methods
Authentication is the process of identifying a user through a valid username and password or based on their MAC address. The following authentication methods are supported in Instant:
- 802.1X authentication
- MAC authentication
- MAC authentication with 802.1X authentication
- Captive Portal Authentication
- MAC authentication with Captive Portal authentication
- 802.1X authentication with Captive Portal Role
- WISPr authentication
802.
client when the MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication is successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients.
- L2 authentication fall-through - Allows you to enable the l2-authentication-fallthrough mode. When this option is enabled, the 802.1X authentication is allowed even if the MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed.
Supported EAP Authentication Frameworks
The following EAP authentication frameworks are supported in the Instant network:
- EAP-TLS—The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server. EAP-TLS requires both server and certification authority (CA) certificates installed on the W-IAP.
In the 6.4.0.2-4.1 release, you can configure a TACACS+ server for authenticating management users. For more information on management users and TACACS+ server based authentication, see Configuring Authentication Parameters for Management Users.
Internal RADIUS Server
Each W-IAP has an instance of free RADIUS server operating locally. When you enable the internal RADIUS server option for the network, the client on the W-IAP sends a RADIUS packet to the local IP address.
- Acct-Multi-Session-Id
- Acct-Output-Gigawords
- Acct-Output-Octets
- Acct-Output-Packets
- Acct-Session-Id
- Acct-Session-Time
- Acct-Status-Type
- Acct-Terminate-Cause
- Acct-Tunnel-Packets-Lost
- Add-Port-To-IP-Address
- Aruba-AP-Group
- Aruba-AP-IP-Address
- Aruba-AS-Credential-Hash
- Aruba-AS-User-Name
- Aruba-Admin-Role
- Aruba-AirGroup-Device-Type
- Aruba-AirGroup-Shared-Group
- Aruba-AirGroup-Shared-Role
- Aruba-AirGroup-Shared-User
- Aruba-AirGroup-User-Name
- Aruba-Template-User
- Aruba-User-Group
- Aruba-User-Role
- Aruba-User-Vlan
- Aruba-WorkSpace-App-Name
- Authentication-Sub-Type
- Authentication-Type
- CHAP-Challenge
- Callback-Id
- Callback-Number
- Chargeable-User-Identity
- Class
- Connect-Info
- Connect-Rate
- Crypt-Password
- DB-Entry-State
- Digest-Response
- Domain-Name
- EAP-Message
- Error-Cause
- Event-Timestamp
- Exec-Program
- Exec-Program-Wait
- Expiration
- Fall-Through
- Filter-Id
- Fram
- Group
- Group-Name
- Hint
- Huntgroup-Name
- Idle-Timeout
- Location-Capable
- Location-Data
- Location-Information
- Login-IP-Host
- Login-IPv6-Host
- Login-LAT-Node
- Login-LAT-Port
- Login-LAT-Service
- Login-Service
- Login-TCP-Port
- Menu
- Message-Auth
- NAS-IPv6-Address
- NAS-Port-Type
- Operator-Name
- Password
- Password-Retry
- Port-Limit
- Prefix
- Prompt
- Rad-Authenticator
- Rad-Code
- Rad-Id
- Rad-Length
- Reply-Message
- Requested
- Tunnel-Assignment-Id
- Tunnel-Client-Auth-Id
- Tunnel-Client-Endpoint
- Tunnel-Connection-Id
- Tunnel-Medium-Type
- Tunnel-Preference
- Tunnel-Private-Group-Id
- Tunnel-Server-Auth-Id
- Tunnel-Server-Endpoint
- Tunnel-Type
- User-Category
- User-Name
- User-Vlan
- Vendor-Specific
Dynamic Load Balancing between Two Authentication Servers
You can configure two authentication servers to serve as a primary and backup RADIUS server and enable load balancing between these servers.
WPA and WPA2 WPA is created based on a draft of 802.11i, which allowed users to create more secure WLANs. WPA2 encompasses the full implementation of the 802.11i standard. WPA2 is a superset that encompasses the full WPA feature set. The following table summarizes the differences between the two certifications: Table 30: WPA and WPA2 Features Certification Authentication WPA l PSK l IEEE 802.1X with Extensible Authentication Protocol (EAP) l PSK l IEEE 802.
The authentication survivability feature supports a survivable authentication framework against remote link failure when working with external authentication servers. When enabled, this feature allows the W-IAPs to authenticate the previously connected clients against the cached credentials if the connection to the authentication server is temporarily lost.
- For EAP-PEAP authentication, ensure that the CPPM 6.0.2 or later version is used for authentication. For EAP-TLS authentication, any external or third-party server can be used.
- For EAP-TLS authentication, ensure that the server and CA certificates from the authentication servers are uploaded on W-IAP. For more information, see Uploading Certificates on page 177.
Figure 46 New Authentication Server Window
3. Configure any of the following types of server:
- RADIUS Server—To configure a RADIUS server, specify the attributes described in the following table:
Table 32: RADIUS Server Configuration Parameters
Parameter | Description
Name | Enter the name of the new external RADIUS server.
IP address | Enter the IP address of the external RADIUS server.
Auth port | Enter the authorization port number of the external RADIUS server. The default port number is 1812.
Parameter | Description
Timeout | Specify a timeout value in seconds. The value determines the timeout for one RADIUS request. The W-IAP retries sending the request several times (as configured in the Retry count) before the user gets disconnected. For example, if the Timeout is 5 seconds and the Retry count is 3, the user is disconnected after 20 seconds. The default value is 5 seconds.
Retry count | Specify a number between 1 and 5.
Table 33: LDAP Server Configuration Parameters
Parameter | Description
Name | Enter the name of the LDAP server.
IP address | Enter the IP address of the LDAP server.
Auth port | Enter the authorization port number of the LDAP server. The default port number is 389.
Parameter | Description
Shared key | Enter a shared key for communicating with the external RADIUS server.
Retype key | Re-enter the shared key.
4. Click OK.
The CPPM server acts as a RADIUS server and asynchronously provides the AirGroup parameters for the client device including shared user, role, and location. To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.
(Instant AP)(Auth Server )# cppm-rfc3576-only
(Instant AP)(Auth Server )# end
(Instant AP)# commit apply
Configuring Dynamic RADIUS Proxy Parameters
The RADIUS server can be deployed at different locations and VLANs. In most cases, a centralized RADIUS or local server is used to authenticate users. However, some user networks can use a local RADIUS server for employee authentication and a centralized RADIUS based captive portal server for guest authentication.
2. To create a new server, click New and configure the required RADIUS server parameters as described in Table 32.
3. Ensure that the following dynamic RADIUS proxy parameters are configured:
- DRP IP—IP address to be used as source IP for RADIUS packets.
- DRP Mask—Subnet mask of the DRP IP address.
- DRP VLAN—VLAN in which the RADIUS packets are sent.
- DRP Gateway—Gateway IP address of the DRP VLAN.
4. Click OK.
(Instant AP)(SSID Profile )# auth-server
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To associate an authentication server to a wired profile:
(Instant AP)(config)# wired-port-profile
(Instant AP)(wired ap profile )# auth-server
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
Configuring 802.1X Authentication for a Network Profile
The Instant network supports internal RADIUS server and external RADIUS server for 802.
authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server. 6. Specify the type of authentication server to use and configure other required parameters. You can also configure two different authentication servers to function as primary and backup servers when termination is enabled. For more information on RADIUS authentication configuration parameters, see Configuring an External Server for Authentication on page 160. 7.
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
Configuring MAC Authentication for a Network Profile
MAC authentication can be used alone or it can be combined with other forms of authentication such as WEP authentication. However, it is recommended that you do not use the MAC-based authentication.
(Instant AP)(SSID Profile )# auth-server
(Instant AP)(SSID Profile )# auth-server
(Instant AP)(SSID Profile )# server-load-balancing
(Instant AP)(SSID Profile )# radius-reauth-interval
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To add users for MAC authentication based on internal authentication server:
(Instant AP)(config)# user [] [portal| radius]
(Instant AP)(config)# end
(Instant AP)# commit ap
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring MAC Authentication with 802.1X Authentication
This section describes the following procedures:
- Configuring MAC and 802.1X Authentication for a Wireless Network Profile on page 171
- Configuring MAC and 802.1X Authentication for Wired Profiles on page 171
Configuring MAC and 802.1X Authentication for a Wireless Network Profile
You can configure MAC authentication with 802.
2. Click New under Wired Networks to create a new network or select an existing profile for which you want to enable MAC authentication and then click Edit.
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4. On the Security tab, enable the following options:
- Select Enabled from the MAC authentication drop-down list.
- Select Enabled from the 802.1X authentication drop-down list.
2. On the Access tab, specify the following parameters for a network with Role-Based rules: a. Select the Enforce Machine Authentication checkbox when MAC authentication is enabled for Captive Portal. If the MAC authentication fails, the Captive Portal authentication role is assigned to the client. b. For wireless network profile, select Enforce MAC Auth Only Role checkbox when MAC authentication is enabled for Captive Portal.
Figure 47 Configuring WISPr Authentication 4. Enter the ISO Country Code for the WISPr Location ID in the ISO Country Code text box. 5. Enter the E.164 Area Code for the WISPr Location ID in the E.164 Area Code text box. 6. Enter the operator name of the Hotspot in the Operator Name text box. 7. Enter the E.164 Country Code for the WISPr Location ID in the E.164 Country Code text box. 8. Enter the SSID/Zone section for the WISPr Location ID in the SSID/Zone text box. 9.
Adding a Client to the Blacklist You can add a client to the blacklist manually using the Instant UI or CLI. In the Instant UI 1. Click the Security link from the top right corner of the Instant main window. 2. Click the Blacklisting tab. 3. Under the Manual Blacklisting, click New. 4. Enter the MAC address of the client to be blacklisted in the MAC address to add text box. 5. Click OK. The Blacklisted Since tab displays the time at which the current blacklisting has started for the client. 6.
5. For PEF rule blacklisted time, enter the duration in seconds after which the clients can be blacklisted due to an ACL rule trigger. You can configure a maximum number of authentication failures by the clients, after which a client must be blacklisted.
Uploading Certificates
A certificate is a digital file that certifies the identity of the organization or products of the organization. It is also used to establish your credentials for any web transactions. It contains the organization name, a serial number, expiration date, a copy of the certificate-holder's public key, and the digital signature of the certificate-issuing authority so that a recipient can ensure that the certificate is real.
7. If you have selected Auth Server or Captive portal server type, enter a passphrase in Passphrase and reconfirm. If the certificate does not include a passphrase, no passphrase is required.
8. Click Browse and select the appropriate certificate file, and click Upload Certificate. The Certificate Successfully Installed message is displayed.
The W-IAP database can have only one authentication server and one captive portal server certificate at any point in time.
Figure 50 Server Certificate
4. After you upload the certificate, navigate to Groups, click the Instant Group and then select Basic. The Group name is displayed only if you have entered the Organization name in the Instant UI. For more information, see Configuring Organization String on page 287.
Figure 51 Selecting the Group
The Virtual Controller Certificate section displays the certificates (CA cert and Server).
5. Click Save to apply the changes only to W-AirWave.
Chapter 12 Roles and Policies
This chapter describes the procedures for configuring user roles, role assignment, and firewall policies.
- Firewall Policies on page 180
- Content Filtering on page 192
- Configuring User Roles on page 195
- Configuring Derivation Rules on page 197
Firewall Policies
Instant firewall provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks.
- Configuring Inbound Firewall Rules on page 188
- Configuring Access Rules for Application and Application Categories on page 255
- Configuring Web Policy Enforcement on page 258
Configuring Access Rules for Network Services
This section describes the procedure for configuring ACLs to control access to network services. For information on:
- Configuring access rules based on application and application categories, see Configuring Access Rules for Application and Application Categories on page 255.
Table 35: Access Rule Configuration Parameters
Service Category | Description
Network | Select a service from the list of available services. You can allow or deny access to any or all of the following services based on your requirement:
- any—Access is allowed or denied to all services.
- custom—Available options are TCP, UDP, and Other. If you select the TCP or UDP options, enter appropriate port numbers. If you select the Other option, enter the appropriate ID.
Table 35: Access Rule Configuration Parameters
Service Category | Description
- Video: Priority 5 (Critical)
- Voice: Priority 6 (Internetwork Control)
Disable scanning | Select the Disable scanning checkbox to disable ARM scanning when this rule is triggered. The Disable scanning selection applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings for a W-IAP on page 246.
Configuring a Source NAT Access Rule The source NAT action in access rules allows the user to override the routing profile entries. For example, when a routing profile is configured to use 0.0.0.0/0, the client traffic in L3 mode access on an SSID destined to the corporate network is sent to the tunnel. When an access rule is configured with Source NAT action, the users can specify the service, protocol, or destination to which the source NAT is applied.
1. Ensure that an L3 subnet with the netmask, gateway, VLAN, and IP address is configured. For more information on configuring L3 subnet, see Configuring L3-Mobility on page 319. 2. Ensure that the source IP address is associated with the IP address configured for the L3 subnet. 3. Create an access rule for the SSID profile with Source NAT action as described in Configuring Source-Based Routing on page 184. The source NAT pool is configured and source based routing entry is created.
In the Instant UI To enable or disable ALG protocols: 1. Click the Security link at the top right corner of Instant main window. 2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed. The following figure shows the contents of the Firewall Settings tab: Figure 52 Firewall Settings—ALG Protocols 3. Select Enabled from the corresponding drop-down lists to enable SIP, VOCERA, Alcatel NOE, and Cisco skinny protocols. 4. Click OK.
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed.
3. To configure protection against security attacks, select the following checkboxes:
- Select Drop bad ARP to enable the W-IAP to drop the fake ARP packets.
- Select Fix malformed DHCP to enable the W-IAP to fix the malformed DHCP packets.
- Select ARP poison check to enable the W-IAP to trigger an alert notifying the user about the ARP poisoning that may have been caused by the rogue APs.
Managing Inbound Traffic Instant now supports an enhanced inbound firewall by allowing the configuration of firewall rules and management subnets, and restricting corporate access through an uplink switch.
Table 36: Inbound Firewall Rule Configuration Parameters
Parameter | Description
Action | Select any of the following actions:
- Select Allow to allow access to users based on the access rule.
- Select Deny to deny access to users based on the access rule.
- Select Destination-NAT to allow changes to the destination IP address.
- Select Source-NAT to allow changes to the source IP address.
The destination-nat and source-nat actions apply only to the network services rules.
Table 36: Inbound Firewall Rule Configuration Parameters
Parameter | Description
Log | Select this checkbox if you want a log entry to be created when this rule is triggered. Instant supports firewall based logging function. Firewall logs on the W-IAPs are generated as security logs.
Blacklist | Select the Blacklist checkbox to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window.
Figure 55 Firewall Settings—Management Subnets
2. To add a new management subnet:
- Enter the subnet address in Subnet.
- Enter the subnet mask in Mask.
- Click Add.
3. To add multiple subnets, repeat step 2.
4. Click OK.
Content Filtering
The content filtering feature allows you to route DNS requests to the OpenDNS platform and create content filtering policies. With content filtering, you can:
- Allow all DNS requests to the non-corporate domains on a wireless or wired network to be sent to the OpenDNS server. When the OpenDNS credentials are configured, the W-IAP uses these credentials to access OpenDNS to provide enterprise-level content filtering.
In the Instant UI 1. Click the Wired link under More at the top right corner of the main window. The Wired window is displayed. 2. In the Wired window, select the wired profile to modify. 3. Click Edit. The Edit Wired Network window is displayed. 4. In the Wired Settings tab, select Enabled from the Content Filtering drop-down list and click Next to continue.
4. To set an access policy based on the web category: a. Under Services, select Web category and expand the Web categories drop-down. Figure 56 b. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option. c. From the Action drop-down, select Allow or Deny as required. d. Click OK. 5. To filter access based on the security ratings of the website: a. Select Web reputation under Services. b.
Configuring User Roles
Every client in the Instant network is associated with a user role that determines the network privileges for a client, the frequency of reauthentication, and the applicable bandwidth contracts. Instant allows you to configure up to 32 user roles. If the number of roles exceeds 32, an error message is displayed.
In the Instant UI 1. Click the Security at the top right corner of Instant main window. The Security window is displayed. 2. Click the Roles tab. The Roles tab contents are displayed. 3. Create a new role or select an existing role. 4. Under Access Rules, click New. The New Rule window is displayed. 5. Select Bandwidth Contract from the Rule Type drop-down list. 6. Specify the downstream and upstream rates in Kbps. If the assignment is specific for each user, select the Peruser checkbox. 7. Click OK. 8.
In the Instant UI To configure machine authentication with role-based access control: 1. In the Access tab of the WLAN wizard (New WLAN or Edit ) or wired profile configuration window (New Wired Network or Edit Wired Network), under Roles, create Machine auth only and User auth only roles. 2. Configure access rules for these roles by selecting the role, and applying the rule. For more information on configuring access rules, see Configuring Access Rules for Network Services on page 181. 3.
W-IAPs use the OUI part of a MAC address to identify the device manufacturer and can be configured to assign a desired role for users who have completed 802.1X authentication and MAC authentication. The user role can be derived from the user attributes after a client associates with an AP. You can configure rules that assign a user role to clients that match MAC address based criteria. For example, you can assign a voice role to any client with a MAC address starting with a0:a1:a2.
- To configure access rules for a wired profile, go to More > Wired. In the Wired window, click New under Wired Networks to create a new network or click Edit to select an existing profile.
2. Click the Access tab.
3. Under Role Assignment Rules, click New. The New Role Assignment window allows you to define a match method by which the string in Operand is matched with the attribute value returned by the authentication server.
4.
Understanding VLAN Assignment
You can assign VLANs to a client based on the following configuration conditions:
- The default VLAN configured for the WLAN can be assigned to a client.
- If VLANs are configured for a WLAN SSID or an Ethernet port profile, the VLAN for the client can be derived before the authentication, from the rules configured for these profiles.
- If a rule derives a specific VLAN, it is prioritized over the user roles that may have a VLAN configured.
Figure 58 Configure VSA on a RADIUS Server VLAN Assignment Based on Derivation Rules When an external RADIUS server is used for authentication, the RADIUS server may return a reply message for authentication. If the RADIUS server supports return attributes, and sets an attribute value to the reply message, the W-IAP can analyze the return message and match attributes with a user pre-defined VLAN derivation rule. If the rule is matched, the VLAN value defined by the rule is assigned to the user.
User Role
If the VSA and VLAN derivation rules are not matching, then the user VLAN can be derived by a user role.
VLANs Created for an SSID
If the VSA and VLAN derivation rules are not matching, and the User Role does not contain a VLAN, the user VLAN can be derived by VLANs configured for an SSID or Ethernet port profile.
Configuring VLAN Derivation Rules
The users are assigned to a VLAN based on the attributes returned by the RADIUS server after the users authenticate.
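The precedence described above (VSA, then VLAN derivation rule, then user role, then the VLAN of the SSID or Ethernet port profile) can be modelled as follows. This is an added example, not code from the guide or from the W-IAP firmware; the operator names other than matches-regular-expression, the first-match rule order, and the skipping of an out-of-range VSA value are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Attribute names taken from the guide's RADIUS attribute list and rule description.
VSA_VLAN = "Aruba-User-Vlan"
REGEX_ONLY_ATTR = "mac-address-and-dhcp-options"


@dataclass
class VlanRule:
    attribute: str   # attribute returned by the authentication server
    operator: str    # match method (names other than the regex one are assumed)
    operand: str     # string the attribute value is matched against
    vlan: int        # VLAN ID assigned when the rule matches


def _valid_vlan(value) -> Optional[int]:
    """Return value as a VLAN ID in 1..4094, or None when it is not one."""
    try:
        vlan = int(value)
    except (TypeError, ValueError):
        return None
    return vlan if 1 <= vlan <= 4094 else None


def rule_matches(rule: VlanRule, attrs: Dict[str, str]) -> bool:
    """Evaluate one derivation rule against the returned attributes."""
    # The guide allows the regex operator only with mac-address-and-dhcp-options.
    if rule.operator == "matches-regular-expression" and rule.attribute != REGEX_ONLY_ATTR:
        raise ValueError("matches-regular-expression requires " + REGEX_ONLY_ATTR)
    value = attrs.get(rule.attribute)
    if value is None:
        return False
    if rule.operator == "equals":
        return value == rule.operand
    if rule.operator == "contains":
        return rule.operand in value
    if rule.operator == "starts-with":
        return value.startswith(rule.operand)
    if rule.operator == "matches-regular-expression":
        return re.search(rule.operand, value) is not None
    raise ValueError("unknown operator: " + rule.operator)


def resolve_vlan(attrs: Dict[str, str], rules: List[VlanRule],
                 role_vlan: Optional[int], profile_vlan: int) -> Tuple[int, str]:
    """Return (vlan, source) so an audit can see which mechanism decided the VLAN."""
    # 1. A VSA returned by the RADIUS server wins. An unusable value is skipped
    #    here (assumption of this sketch, not documented device behaviour).
    vsa = _valid_vlan(attrs.get(VSA_VLAN))
    if vsa is not None:
        return vsa, "vsa"
    # 2. VLAN derivation rules, first match wins (assumed evaluation order).
    for rule in rules:
        if rule_matches(rule, attrs):
            return rule.vlan, "derivation-rule"
    # 3. VLAN carried by the user role, if the role defines one.
    role = _valid_vlan(role_vlan)
    if role is not None:
        return role, "user-role"
    # 4. VLAN configured for the SSID or Ethernet port profile.
    return profile_vlan, "profile"


if __name__ == "__main__":
    # Constructed sample rules and RADIUS reply attributes.
    sample_rules = [
        VlanRule("Filter-Id", "equals", "staff", 20),
        VlanRule(REGEX_ONLY_ATTR, "matches-regular-expression", "^a0:a1:a2", 50),
    ]
    print(resolve_vlan({"Aruba-User-Vlan": "30", "Filter-Id": "staff"}, sample_rules, 40, 10))
    print(resolve_vlan({"Filter-Id": "guest"}, sample_rules, None, 10))
```

Recording the source alongside the VLAN makes it easy to spot clients that landed in a VLAN through a MAC-derived rule rather than through an attribute set by the authentication server.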
- matches-regular-expression—The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute drop-down list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for the WLAN clients.
5. Enter the string to match in the String field.
6. Select the appropriate VLAN ID from the VLAN drop-down list.
7. Click OK.
8.
Operator | Description
. | Matches any character. For example, l..k matches lack, lark, link, lock, look, Lync and so on.
\ | Matches the character that follows the backslash. For example, \192.\.0\.. matches IP address ranges that start with 192.0, such as 192.0.1.1. The expression looks only for the single characters that match.
[] | Matches any one character listed between the brackets. For example, [bc]lock matches block and clock.
\b | Matches the words that begin and end with the given expression.
Configuring a User Role for VLAN Derivation
This section describes the following procedures:
- Creating a User VLAN Role on page 205
- Assigning User VLAN Roles to a Network Profile on page 205
Creating a User VLAN Role
You can create a user role for VLAN derivation using the Instant UI or CLI.
In the Instant UI
To configure a user role for VLAN derivation:
1. Click the Security link at the top right corner of the Instant main window.
2. Click the Roles tab. The Roles tab contents are displayed.
3.
Chapter 13 DHCP Configuration
This chapter provides the following information:
- Configuring DHCP Scopes on page 206
- Configuring the Default DHCP Scope for Client IP Assignment on page 214
Configuring DHCP Scopes
The virtual controller supports different modes of DHCP address assignment. With each DHCP address assignment mode, various client traffic forwarding modes are associated. For more information on client traffic forwarding modes for IAP-VPN, see IAP-VPN Forwarding Modes on page 230.
Figure 61 New DHCP Scope: Distributed DHCP Mode
3. Based on the type of distributed DHCP scope, configure the following parameters:
Table 38: Distributed DHCP Mode Configuration Parameters
Name | Description
Name | Enter a name for the DHCP scope.
Type | Select any of the following options:
- Distributed, L2—On selecting Distributed, L2, the Virtual Controller acts as the DHCP Server but the default gateway is in the data center. Traffic is bridged into VPN tunnel.
Table 38: Distributed DHCP Mode Configuration Parameters
Name | Description
Lease Time | Specify a lease time for the client in minutes.
IP Address Range | Specify a range of IP addresses to use. To add another range, click the + icon. You can specify up to four different ranges of IP addresses.
- For Distributed, L2 mode, ensure that all IP ranges are in the same subnet as the default router.
(Instant AP)# commit apply
To configure Distributed,L3 DHCP scope:
(Instant AP)(config)# ip dhcp
(Instant AP)(DHCP Profile )# ip dhcp server-type
(Instant AP)(DHCP Profile )# server-vlan
(Instant AP)(DHCP Profile )# client-count
(Instant AP)(DHCP Profile )# dns-server
(Instant AP)(DHCP Profile )# domain-name
(Instant AP)(
Table 39: Centralized DHCP Mode Configuration Parameters
Name | Description
Name | Enter a name for the DHCP scope.
Type | Set the type as follows:
- Centralized,L2 for the centralized,L2 profile
- Centralized,L3 for the centralized,L3 profile
VLAN | Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile.
The following table describes the behavior of the DHCP Relay Agent and Option 82 in the W-IAP.
When using a local DHCP scope in a W-IAP cluster, ensure that the VLANs configured for this DHCP scope are allowed in the uplink switch. In a single W-IAP network, when using a client DHCP scope for wired clients, ensure that the client VLAN is not added in the allowed VLAN list for the port to which the W-IAP E0 port is connected.
In the Instant UI
To configure a Local or Local, L3 DHCP scope:
1. Click More > DHCP Server. The DHCP Server window is displayed.
2.
Table 41: Local DHCP Mode Configuration Parameters
Name | Description
Domain Name | If required, specify the domain name for the Local, Local, L2, and Local, L3 scopes.
Lease Time | Specify a lease time for the client in minutes.
Option | Specify the type and a value for the DHCP option. You can configure the organization-specific DHCP options supported by the DHCP server. For example, 176, 242, and 161. To add multiple DHCP options, click the + icon.
4. Click OK.
Configuring the Default DHCP Scope for Client IP Assignment
The DHCP server is a built-in server, used for networks in which clients are assigned IP addresses by the Virtual Controller. You can customize the DHCP pool subnet and address range to provide simultaneous access to a larger number of clients. The largest address pool supported is 2048. The default size of the IP address pool is 512.
8. Click OK to apply the changes.
In the CLI
To configure a DHCP pool:
(Instant AP)(config)# ip dhcp pool
(Instant AP)(DHCP)# domain-name
(Instant AP)(DHCP)# dns-server
(Instant AP)(DHCP)# lease-time
(Instant AP)(DHCP)# subnet
(Instant AP)(DHCP)# subnet-mask
To view the DHCP database:
(Instant AP)# show ip dhcp database
DHCP Subnet :192.0.2.0
DHCP Netmask :255.255.255.0
DHCP Lease Time(m) :20
DHCP Domain Name :example.
Chapter 14 VPN Configuration
This chapter describes the following VPN configuration procedures:
- Understanding VPN Features on page 216
- Configuring a Tunnel from a W-IAP to Dell Networking W-Series Mobility Controller on page 216
- Configuring Routing Profiles on page 227
Understanding VPN Features
As W-IAPs use a Virtual Controller architecture, the W-IAP network does not require a physical controller to provide the configured WLAN services.
2. Select Aruba IPSec from the Protocol drop-down list. 3. Enter the IP address or fully qualified domain name (FQDN) for the primary VPN/IPSec endpoint in the Primary host field. 4. Enter the IP address or FQDN for the backup VPN/IPSec endpoint in the Backup host field. This entry is optional. When you specify the primary and backup host details, the other fields are displayed. 5. Specify the following parameters. A sample configuration is shown in Figure 63. a.
(Instant AP)(config)# vpn monitor-pkt-lost-cnt
(Instant AP)(config)# vpn reconnect-user-on-failover
(Instant AP)(config)# vpn reconnect-time-on-failover
(Instant AP)(config)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# vpn primary 192.0.2.18
(Instant AP)(config)# vpn backup 192.0.2.
(Instant AP)(config)# vpn
(Instant AP)(config)# vpn
5. Specify the following parameters. A sample configuration is shown in Figure 64. a. To allow the VPN tunnel to switch back to the primary host when it becomes available again, select Enabled from the Preemption drop-down list. This step is optional. b. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold time. The default value for Hold time is 600 seconds. c.
In the CLI
To enable automatic configuration of the GRE tunnel:
(Instant AP)(config)# vpn gre-outside
(Instant AP)(config)# vpn primary
(Instant AP)(config)# vpn backup <>
(Instant AP)(config)# vpn fast-failover
(Instant AP)(config)# vpn hold-time
(Instant AP)(config)# vpn preemption
(Instant AP)(config)# vpn monitor-pkt-send-freq
(Instant AP)(config)# vpn monitor-pkt-lost-cnt
(Instant AP)(config)# vpn reconnect-use
Figure 65 Manual GRE Configuration 4. Click Next to continue. When the GRE tunnel configuration is completed on both the W-IAP and Controller, the packets sent from and received by a W-IAP are encapsulated, but not encrypted.
- Preemptive: In this mode, if the primary comes up when the backup is active, the backup tunnel is deleted and the primary tunnel resumes as an active tunnel. If you configure the tunnel to be preemptive, and when the primary tunnel goes down, it starts the persistence timer which tries to bring up the primary tunnel.
- Non-Preemptive: In this mode, when the backup tunnel is established after the primary tunnel goes down, it does not make the primary tunnel active again.
Figure 67 Tunnel Configuration b. Enter the primary server IP address. c. Enter the remote end backup tunnel IP address. This is an optional field and is required only when backup server is configured. d. Enter the remote end UDP port number. The default value is 1701. e. Enter the interval at which the hello packets are sent through the tunnel. The default value is 60 seconds. f. Select the message digest as MD5 or SHA used for message authentication. g. Enter a shared key for the message digest.
d. Select the cookie length and enter a cookie value corresponding to the length. By default, the cookie length is not set. e. Specify the remote end ID. f. If required, enable the default L2-specific sublayer in the L2TP session. g. Click OK. 5. Click Next to continue.
(Instant (Instant (Instant 5 (Instant (Instant AP)(L2TPv3 Session Profile "test_session")# cookie len 4 value 12345678 AP)(L2TPv3 Session Profile "test_session")# l2tpv3 tunnel test_tunnel AP)(L2TPv3 Session Profile "test_session")# tunnel-ip 1.1.1.1 mask 255.255.255.
created by admin: YES, tunnel mode: LAC, persist: YES local host name: Instant-C4:42:98 peer tunnel id: 1842732147, host name: aruba1600pop636635.hsbtst2.
peer profile: NOT SET session profile: NOT SET
trace flags: PROTOCOL FSM API AVPDATA FUNC XPRT DATA SYSTEM CLI
To view L2TPv3 system statistics:
(Instant AP)# show l2tpv3 system statistics
L2TP counters:
Total messages sent: 99, received: 194, retransmitted: 0
illegal: 0, unsupported: 0, ignored AVPs: 0, vendor AVPs: 0
Setup failures: tunnels: 0, sessions: 0
Resource failures: control frames: 0, peers: 0
tunnels: 0, sessions: 0
Limit exceeded errors: tunnels: 0, sessions: 0
Frame errors: short frames: 0, wr
Figure 69 Tunneling - Routing
3. Update the following parameters:
- Destination: Specify the destination network that is reachable through the VPN tunnel. This defines the IP address or subnet that must be reached through the IPsec tunnel. Traffic to the IP address or subnet defined here is forwarded through the IPsec tunnel.
- Netmask: Specify the subnet mask for the destination defined in Destination.
- Gateway: Specify the gateway to which traffic must be routed.
Chapter 15 IAP-VPN Deployment
This section provides the following information:
- Understanding IAP-VPN Architecture
- Configuring W-IAP and Controller for IAP-VPN Operations
Understanding IAP-VPN Architecture
The IAP-VPN architecture includes the following two components:
- W-IAPs at branch sites
- Controller at the datacenter
The master W-IAP at the branch acts as the VPN endpoint and the controller at the datacenter acts as the VPN concentrator.
- Branches: The number of IAP-VPN branches that can be terminated on a given controller platform.
- Routes: The number of L3 routes supported on the controller.
- L3 mode and NAT mode users: The number of trusted users supported on the controller. There is no scale impact on the controller. They are limited only by the number of clients supported per W-IAP.
- L2 mode users: The number of L2 mode users is limited to 128000 for W-7220/W-7240 and 64000 across all platforms.
clients. Client traffic destined to datacenter resources is forwarded by the Master AP (through the IPSec tunnel) to the client's default gateway in the datacenter. Centralized L2 Mode The centralized L2 mode extends the corporate VLAN or broadcast domain to remote branches. The DHCP server and the gateway for the clients reside in the datacenter. Either the controller or an upstream router can be the gateway for the clients.
6. Configuring Enterprise Domains Defining the VPN host settings The VPN endpoint on which a master W-IAP terminates its VPN tunnel is considered as the host. A master AP in a W-IAP network can be configured with a primary and backup host to provide VPN redundancy. You can define VPN host settings through More>VPN>Controller in the UI. You can configure the following VPN profiles for the IAP-VPN operations.
Configuring an SSID or Wired Port For a client to connect to the IAP-VPN network, an SSID or wired port profile on a W-IAP must be configured with appropriate IAP-VPN mode of operation. The VLAN configuration in an SSID or wired port profile determines whether an SSID or wired port is configured for the IAP-VPN operations. To configure an SSID or wired port for a specific IAP-VPN mode, the VLAN ID defined in the SSID or wired port profile must match the VLAN ID defined in the DHCP profile configuration.
information on specific deployment scenarios, see IAP-VPN Deployment Scenarios on page 370. ArubaOS 6.3 or later is the recommended version to run on the controllers for the IAP-VPN configuration. The IAP-VPN configuration is not supported on W-600 Series controllers. OSPF Configuration Open Shortest Path First (OSPF) is a dynamic Interior Gateway routing Protocol (IGP) based on IETF RFC 2328. The premise of OSPF is that the shortest or fastest routing path is used.
0.0.0.15  NSSA         54.44.44.16    9.9.9.9
N/A       AS_EXTERNAL  12.12.2.0      9.9.9.9
N/A       AS_EXTERNAL  12.12.12.0     9.9.9.9
N/A       AS_EXTERNAL  12.12.12.32    9.9.9.9
N/A       AS_EXTERNAL  50.40.40.0     9.9.9.9
N/A       AS_EXTERNAL  51.41.41.128   9.9.9.9
N/A       AS_EXTERNAL  53.43.43.32    9.9.9.9
N/A       AS_EXTERNAL  54.44.44.16    9.9.9.
b. Right-click the user that you have just created and click Properties. c. On the Dial-in tab, select Allow access in the Remote Access Permission section and click OK. d. Repeat Step a through Step b for all W-IAPs. 2. Define the remote access policy in the Internet Authentication Service: a. In the Internet Authentication Service window, select Remote Access Policies. b. Launch the wizard to configure a new remote access policy. c.
Branch Status Verification
To view the details of the branch information connected to the controller, execute the show iap table command.
Example
This example shows the details of the branches connected to the controller:
(host) #show iap table long
IAP Branch Table
----------------
Name            VC MAC Address     Status  Inner IP       Assigned Subnet  Assigned Vlan
----            --------------     ------  --------       ---------------  -------------
Tokyo-CB:D3:16  6c:f3:7f:cc:42:f8  DOWN    0.0.0.0
Paris-CB:D3:16  6c:f3:7f:cc:3d:04  UP      10.15.207.140  10.
Parameter          Description
Assigned Vlan      Displays the VLAN ID assigned to the branch.
Key                Displays the key for the branch, which is unique to each branch.
Bid(Subnet Name)   Displays the Branch ID (BID) of the subnet.
                   - In the example above, the controller displays bid-per-subnet-per-branch (that is, for the "LA" branch, BID "2" for the ip-range "10.15.205.0-10.15.205.250" with client count per branch "5"). If a branch has multiple subnets, it can have multiple BIDs.
Chapter 16 Adaptive Radio Management
This chapter provides the following information:
- ARM Overview
- Configuring ARM Features on a W-IAP
- Configuring Radio Settings for a W-IAP
ARM Overview
Adaptive Radio Management (ARM) is a radio frequency management technology that optimizes WLAN performance even in the networks with highest traffic by dynamically and intelligently choosing the best 802.
Configuring ARM Features on a W-IAP
This section describes the following procedures for configuring ARM features:
- Band Steering
- Airtime Fairness Mode
- Client Match
- Access Point Control
Band Steering
The band steering feature assigns the dual-band capable clients to the 5 GHz band on dual-band W-IAPs.
Airtime Fairness Mode The airtime fairness feature provides equal access to all clients on the wireless medium, regardless of client type, capability, or operating system, thus delivering uniform performance to all clients. This feature prevents the clients from monopolizing resources. You can configure airtime fairness mode parameters through the Instant UI or CLI. In the Instant UI 1.
When the client match feature is enabled on a W-IAP, the W-IAP measures the RF health of its associated clients. In the current release, the client match feature is supported only within a W-IAP cluster.
Table 46: Client Match Configuration Parameters Parameter Description Client match Select Enabled to enable the Client match feature on APs. When enabled, client count will be balanced among all the channels in the same band. For more information, see ARM Overview on page 239. By default, the client match feature is disabled. NOTE: When client match is enabled, ensure that Scanning is enabled. CM calculating interval Specify a value for the calculating interval of Client match.
Table 47: Access Point Control - Configuration Parameters
Parameter Description
Customize Valid Channels: Select this checkbox to customize valid channels for 2.4 GHz and 5 GHz. By default, the AP uses valid channels as defined by the Country Code (regulatory domain). On selecting the Customize Valid Channels checkbox, a list of valid channels for both 2.4 GHz and 5 GHz is displayed. The valid channel customization feature is disabled by default.
3. Click OK.
5.0 GHz Channels
----------------
Channel  Status
-------  ------
36       enable
40       enable
44       enable
48       enable
52       enable
56       enable
60       enable
64       enable
149      enable
153      enable
157      enable
161      enable
165      enable
36+      enable
44+      enable
52+      disable
60+      disable
149+     enable
157+     enable
36E      enable
52E      enable
149E     enable
Configuring Radio Settings for a W-IAP
You can configure 2.4 GHz and 5 GHz radio settings for a W-IAP either using the Instant UI or CLI.
In the Instant UI
To configure radio settings:
1.
Parameter Description
Interference immunity level: Select to increase the immunity level to improve performance in high-interference environments. The default immunity level is 2.
- Level 0: No ANI adaptation.
- Level 1: Noise immunity only. This level enables power-based packet detection by controlling the amount of power increase that makes a radio aware that it has received a packet.
- Level 2: Noise and spur immunity.
(Instant AP)(RF dot11a Radio Profile)# legacy-mode
(Instant AP)(RF dot11a Radio Profile)# spectrum-monitor
(Instant AP)(RF dot11a Radio Profile)# spectrum-band
(Instant AP)(RF dot11a Radio Profile)# dot11h
(Instant AP)(RF dot11a Radio Profile)# interference-immunity
(Instant AP)(RF dot11a Radio Profile)# max-distance
(Instant AP)(RF dot11a Radio Profile)# csa-count
(Instant AP)(RF dot11g Radio Profile)# end
(Instant AP)# commit apply
To view the radio configuration:
(Instan
Chapter 17 Deep Packet Inspection and Application Visibility
This chapter provides the following information:
- Deep Packet Inspection
- Enabling Application Visibility
- Application Visibility
- Configuring Access Rules for Application and Application Categories
- Configuring Web Policy Enforcement
Deep Packet Inspection
AppRF is Dell's custom built Layer 7 firewall capability.
Application Visibility The AppRF graphs are based on Deep Packet Inspection (DPI) application and Web Policy Enforcement service, which provides application traffic summary for the client devices associated with a W-IAP. The AppRF link above the activity panel of the dashboard is displayed only if AppRF visibility is enabled in the System window.
Figure 72 Application Categories List - Client View Figure 73 Application Category Chart - AP View Application Charts The application chart displays details on the client traffic towards the applications. On clicking in the rectangle area, you can view the following graphs and toggle between the chart and list views.
Figure 74 Application Chart - Client View Figure 75 Application List - Client View
Figure 76 Application Chart - AP View Web Categories Charts The web categories chart displays details about the client traffic to the web categories. On clicking in the rectangle area, you can view the following graphs and toggle between the chart and list views. Figure 77 Web Categories Chart - Client View Figure 78 Web Categories List - Client View
Figure 79 Web Categories Chart - AP View Web Reputation Charts The web reputation chart displays details about the client traffic to the URLs that are assigned a security score. On clicking in the rectangle area, you can view the following graphs and toggle between the chart and list views. Figure 80 Web Reputation Chart - Client View Figure 81 Web Reputation List - Client View
Figure 82 Web Reputation Chart - AP View
Configuring Access Rules for Application and Application Categories
This section describes the procedure for configuring access rules based on application and application categories. The application and application category rules use the on-board DPI engine. For information on:
- Configuring access rules to control access to network services, see Configuring Access Rules for Network Services on page 181.
Table 49: Access Rule Configuration Parameters Service Category Description Application Select the applications to which you want to allow or deny access.
- Select Destination-NAT to allow changes to destination IP address.
- Select Source-NAT to allow changes to the source IP address.
The destination-nat and source-nat actions apply only to the network services rules.
Destination: Select a destination option for the access rules for network services, applications, and application categories.
(Instant AP)(Access Rule )#rule {app {permit|deny} |appcategory }[
- Trustworthy - These are well known sites with strong security practices and may not expose the user to security risks. There is a very low probability that the user will be exposed to malicious links or payloads.
- Low risk - These are benign sites and may not expose the user to security risks. There is a low probability that the user will be exposed to malicious links or payloads.
- Moderate risk - These are generally benign sites, but may pose a security risk.
Chapter 18 Voice and Video
This chapter explains the steps required to configure voice and video services on a W-IAP for Voice over IP (VoIP) devices, including Session Initiation Protocol (SIP), Spectralink Voice Priority (SVP), H323, SCCP, Vocera, and Alcatel NOE phones, clients running Microsoft OCS, and Apple devices running the Facetime application.
Configuring WMM for Wireless Clients You can configure WMM for wireless clients by using the UI or CLI. In the Instant UI 1. Navigate to the WLAN wizard (click Network>New or Network> Select the WLAN SSID>edit). 2. Click Show advanced options under WLAN Settings. 3. Specify a percentage value for the following WMM access categories in the corresponding Share field. You can allocate a higher bandwidth for voice and video traffic than other types of traffic based on the network profile.
DSCP Value   WMM Access Category
32           Video
40           Video
48           Voice
56           Voice
By customizing WMM AC mappings, all packets received are matched against the entries in the mapping table and prioritized accordingly. The mapping table contains information for upstream (client to W-IAP) and downstream (W-IAP to client) traffic. You can configure different WMM to DSCP mapping values for each WMM AC when configuring an SSID profile either in the Instant UI or CLI.
In the Instant UI
1.
Microsoft Office Lync Microsoft Office Lync uses Session Initiation Protocol (SIP) over TLS to establish, control, and terminate voice and video calls. The following is an example of the QoS configuration for Microsoft Lync.
Chapter 19 Services
This chapter provides information on how to configure the following services on a W-IAP:
- AirGroup
- Real Time Location Server (RTLS)
- Analytics and Location Engine (ALE)
- OpenDNS
- Communications Assistance for Law Enforcement Act (CALEA)
- Palo Alto Network Firewall
- XML-API Server
AirGroup Configuration
AirGroup provides a unique enterprise-class capability that leverages zero configuration networking to enable AirGroup services from mobile devices in an efficient manne
Figure 84 AirGroup Enables Personal Device Sharing
AirGroup is not supported on 3G and PPPoE uplinks.
Multicast DNS and Bonjour® Services
Bonjour is the trade name for the zero configuration implementation introduced by Apple. It is supported by most of the Apple product lines, including the Mac OS X operating system, iPhone, iPod Touch, iPad, Apple TV, and AirPort Express. Apple AirPlay and AirPrint services are based on the Bonjour protocol and are essential services in campus Wi-Fi networks.
Figure 85 Bonjour Services and AirGroup Architecture For a list of supported Bonjour services, see AirGroup Services on page 268. DLNA UPnP Support In addition to the mDNS protocol, W-IAPs now support Universal Plug and Play (UPnP) and DLNA (Digital Living Network Alliance) enabled devices. DLNA is a network standard derived from UPnP, which enables devices to discover the services available in a network. DLNA also provides the ability to share data between the Windows or Android based multimedia devices.
Figure 86 DLNA UPnP Services and AirGroup Architecture
For a list of supported DLNA services, see AirGroup Services on page 268.
AirGroup Features
AirGroup supports the following features:
- Sends unicast responses to mDNS or DLNA queries and reduces the traffic footprint.
- Ensures cross-VLAN visibility and availability of AirGroup devices and services.
- Allows or blocks AirGroup services for all users.
- Allows or blocks AirGroup services based on user roles.
Figure 87 AirGroup in a Higher-Education Environment When AirGroup discovers a new device, it interacts with CPPM to obtain the shared attributes such as shared location and role. However, the current versions of W-IAPs do not support the enforcement of shared location policy. AirGroup Services AirGroup supports zero configuration services. The services are pre-configured and are available as part of the factory default configuration.
AirGroup Components AirGroup leverages key elements of the Dell solution portfolio including operating system software for Instant, CPPM, and the VLAN-based or role-based filtering options offered by the AirGroup services. The components that make up the AirGroup solution include the Instant, CPPM, and ClearPass Guest.
- Registration portal for WLAN administrators to register shared devices.
- Operator-defined personal AirGroup to specify a list of other users who can share devices with the operator.
- Administrator defined username, user role, and location attributes for shared devices.
Configuring AirGroup and AirGroup Services on a W-IAP
You can configure AirGroup services, using the Instant UI or CLI.
In the Instant UI
To enable AirGroup and its services:
1.
services are selected. Instant supports the use of up to 6 custom services. 8. Based on the services configured, you can block any user roles from accessing an AirGroup service and restrict the AirGroup servers connected to a specific set of VLANs from being discovered. The user roles and VLANs marked as disallowed are prevented from accessing the corresponding AirGroup service. You can create a list of disallowed user roles and VLANs for all AirGroup services configured on the W-IAP.
(Instant AP)# commit apply To verify the AirGroup configuration status: (Instant AP)# show airgroup status Configuring AirGroup and CPPM interface in Instant Configure the Instant and CPPM interface to allow an AirGroup W-IAP and CPPM to exchange information regarding device sharing, and location. The configuration options define the RADIUS server that is used by the AirGroup RADIUS client. The AirGroup configuration with CPPM involves the following steps: 1. Create a RADIUS service 2.
In the Instant UI To configure Aruba RTLS: 1. Click the More > Services link at the top right corner of the Instant main window. The Services window is displayed. 2. Click the RTLS tab. The following figure shows the contents of the RTLS tab. 3. Under Aruba, select the RTLS check-box to integrate Instant with the W-AirWave Management Platform or Ekahau Real Time Location Server. Figure 89 RTLS Window 4. Specify the IP address and port to which the location reports must be sent. 5.
Configuring a W-IAP for Analytics and Location Engine Support The Analytics and Location Engine (ALE) is designed to gather client information from the network, process it and share it through a standard API. The client information gathered by ALE can be used for analyzing a client’s internet behavior for business such as shopping preferences. ALE includes a location engine that calculates the associated and unassociated device location every 30 seconds by default.
Figure 90 Services Window —ALE Integration 4. Specify the ALE server name or IP address. 5. Specify the reporting interval within the range of 6–60 seconds. The W-IAP sends messages to the ALE server at the specified interval. The default interval is 30 seconds. 6. Click OK.
In the CLI
To configure OpenDNS credentials:
(Instant AP)(config)# opendns
(Instant AP)(config)# end
(Instant AP)# commit apply
Integrating a W-IAP with Palo Alto Networks Firewall
Palo Alto Networks (PAN) next-generation firewall offers contextual security for all users for safe enabling of applications. A simple firewall beyond basic IP address or TCP port numbers only provides a subset of the enhanced security required for enterprises to secure their networks.
Figure 91 Services Window - Network Integration Tab 3. Select the Enable checkbox to enable PAN firewall. 4. Specify the user name and password. Ensure that you provide user credentials of the PAN firewall administrator. 5. Enter the PAN firewall IP address. 6. Enter the port number within the range of 1—65535. The default port is 443. 7. Click OK.
Integration with Instant The XML API interface allows users to send specific XML commands to a W-IAP from an external server. These XML commands can be used to customize W-IAP client entries. You can use the XML API interface to add, delete, authenticate, query, or blacklist a user or a client. The user authentication is supported only for users authenticated by Captive Portal authentication and not for the dot1x-authentication users.
CALEA Integration and Lawful Intercept Compliance Lawful Intercept (LI) allows the Law Enforcement Agencies (LEA) to perform an authorized electronic surveillance. Depending on the country of operation, the service providers (SPs) are required to support LI in their respective networks. In the United States, SPs are required to ensure LI compliance based on Communications Assistance for Law Enforcement Act (CALEA) specifications.
Traffic Flow from IAP to CALEA Server through VPN You can also deploy the CALEA server with the controller and configure an additional IPSec tunnel for corporate access. When CALEA server is configured with the controller, the client traffic is replicated by the slave W-IAP and client data is encapsulated by GRE on slave, and routed to the master W-IAP. The master IAP sends the IPsec client traffic to the controller.
2. If a replication role must be assigned through the RADIUS VSA, create an access rule and assign the access rule to a WLAN SSID or wired profile. 3. Verify the configuration. Creating a CALEA Profile You can create a CALEA profile by using the Instant UI or CLI. In the Instant UI To configure a CALEA profile: 1. Click More > Services at the top right corner of the Instant main window. 2. Click CALEA. The CALEA tab details are displayed. 3.
1. To add the CALEA access rule to an existing profile, select an existing wireless (Networks tab > edit) or wired (More > Wired > Edit) profile. To add the access rule to a new profile, click New under Network tab and create a WLAN profile, or click More>Wired>New and create a wired port profile. 2. On the Access tab, select the role for which you want to create the access rule. 3. Under Access Rules, click New. The New Rule window is displayed. 4. Select CALEA. 5. Click OK. 6.
(Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID AP)(SSID Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")# Profile"Calea-Test")
Chapter 20 W-IAP Management and Monitoring This chapter provides information on W-IAP management and monitoring from: l W-AirWave management server Managing a W-IAP from W-AirWave W-AirWave is a powerful tool and easy-to-use network operations system that manages Dell wireless, wired, and remote access networks, as well as wired and wireless infrastructures from a wide range of third-party manufacturers.
only+Firmware Upgrades as management modes. When the Management level is set to Manage Read/Write, the Instant UI is in read-only mode. If W-AirWave Management Level is set to Monitor-only+Firmware Upgrades mode, the Instant UI changes to the read-write mode.
Template-based Configuration
W-AirWave automatically creates a configuration template based on any of the existing W-IAPs, and it applies that template across the network as shown in the following figure.
Wireless Intrusion Detection System (WIDS) Event Reporting to W-AirWave W-AirWave supports Wireless Intrusion Detection System (WIDS) Event Reporting, which is provided by Instant. This includes WIDS classification integration with the RAPIDS (Rogue Access Point Detection Software) module. RAPIDS is a powerful and easy-to-use tool for automatic detection of unauthorized wireless devices. It supports multiple methods of rogue detection and uses authorized wireless APs to report other devices within range.
The following is an example for configuring the port number of the W-AirWave management server:
24:de:c6:cf:63:60# conf t
24:de:c6:cf:63:60 (config) # ams-ip 10.65.182.15:65535
24:de:c6:cf:63:60 (config) # end
24:de:c6:cf:63:60# commit apply
Configuring Organization String
The Organization string is a set of colon-separated strings created by the W-AirWave administrator to accurately represent the deployment of each W-IAP. This string is defined by the installation personnel on the site.
Figure 97 Configuring W-AirWave 2. Enter the name of your organization in the Organization name text box. The name defined for organization is displayed under the Groups tab in the W-AirWave user interface. 3. Enter the IP address or domain name of the W-AirWave server in the AirWave server text box. 4. Enter the IP address or domain name of a backup W-AirWave server in the AirWave backup server text box. The backup server provides connectivity when the primary server is down.
If you use the , format, the W-IAP resolves the domain name into two IP addresses, as W-AirWave Primary and W-AirWave Backup, and then starts certificate-based authentication with the W-AirWave Management Platform server instead of the PSK login. For option 43, when you choose to enter the domain name, the IP address and key are not available.
Figure 99 Instant and DHCP options for W-AirWave: Predefined Options and Values 5. Navigate to Server Manager and select Server Options in the IPv4 window. (This sets the value globally. Use options on a per-scope basis to override the global options.) 6. Right-click Server Options and select the configuration options.
Figure 100 Instant and DHCP options for W-AirWave: Server Options
7. Select 060 Dell Instant AP in the Server Options window and enter DellInstantAP in the String Value.
Figure 101 Instant and DHCP options for W-AirWave: 060 W-IAP in Server Options
8. Select 043 Vendor Specific Info and enter a value for either of the following in the ASCII field:
- airwave-orgn, airwave-ip, airwave-key; for example: Dell,192.0.2.20, 12344567
- airwave-orgn, airwave-domain; for example: Dell, dell.support.
Figure 102 Instant and DHCP options for 043 Vendor Specific Info
This creates a DHCP option 60 and 43 on a global basis. You can do the same on a per-scope basis. The per-scope option overrides the global option.
Figure 103 Instant and DHCP options for W-AirWave: Scope Options
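The option 60 and 43 values described above can be checked before they are deployed. The following is an added example, not code from the guide or from Dell: it parses both documented option 43 forms, applies the per-scope-overrides-global rule, and reports which W-AirWave login method the W-IAP will use. The function names, the sample values, and the key-strength threshold are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Option 60 string that the guide tells you to enter in the DHCP server.
VENDOR_CLASS = "DellInstantAP"
# Minimum shared-key length used by this audit (assumed policy of this
# example, not a value from the guide).
MIN_KEY_LEN = 16


@dataclass
class AirWaveOption43:
    organization: List[str]      # colon-separated organization string, split
    server: str                  # W-AirWave IP address or domain name
    auth: str                    # "psk" (orgn,ip,key) or "certificate" (orgn,domain)
    key: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_option43(value: str) -> AirWaveOption43:
    """Parse the ASCII value of option 43 in either documented form."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError("expected 'orgn,ip,key' or 'orgn,domain'")
    org = parts[0].split(":")
    if len(parts) == 3:
        _, server, key = parts
        if not _is_ip(server):
            raise ValueError("three-field form needs an IP address")
        result = AirWaveOption43(org, server, "psk", key)
        # DHCP is unauthenticated and unencrypted, so the key is visible
        # to hosts on the segment that observe or request such a lease.
        result.findings.append("shared key is delivered in cleartext DHCP")
        if len(key) < MIN_KEY_LEN or key.isdigit():
            result.findings.append("shared key is short or digits-only")
        return result
    _, server = parts
    if _is_ip(server):
        raise ValueError("two-field form needs a domain name, not an IP address")
    # Domain form: the guide states the W-IAP uses certificate-based
    # authentication instead of the PSK login, so no key is distributed.
    return AirWaveOption43(org, server, "certificate")


def effective_option43(global_opts: dict, scope_opts: dict) -> Optional[AirWaveOption43]:
    """Merge server-wide and per-scope options (scope wins), then parse 43.

    Returns None when the merged options do not carry the Instant vendor
    class in option 60, for example a scope that serves PXE clients.
    """
    merged = {**global_opts, **scope_opts}
    if merged.get(60) != VENDOR_CLASS or 43 not in merged:
        return None
    return parse_option43(merged[43])


# Constructed sample values: the global entry uses the guide's example,
# the scope entry uses a placeholder domain.
SAMPLE_GLOBAL = {60: "DellInstantAP", 43: "Dell,192.0.2.20, 12344567"}
SAMPLE_SCOPE = {43: "Dell:US:Branch7, airwave.example.com"}

if __name__ == "__main__":
    for label, scope in (("global only", {}), ("with scope override", SAMPLE_SCOPE)):
        opt = effective_option43(SAMPLE_GLOBAL, scope)
        print(label, "->", opt.auth, opt.server, opt.findings)
```

With the guide's example value the audit reports the PSK login and both findings; the scope override switches the same branch to the domain form and the findings list is empty.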
Alternate Method for Defining Vendor-Specific DHCP Options This section describes how to add vendor-specific DHCP options for Instant APs in a network that already uses DHCP options 60 and 43 for other services. Some networks use DHCP standard options 60 and 43 to provide the DHCP clients information about certain services such as PXE. In such an environment, the standard DHCP options 60 and 43 cannot be used for W-IAPs.
Figure 105 W-AirWave—New Group Figure 106 W-AirWave —Monitor
Chapter 21 Uplink Configuration
This chapter provides the following information:
- Uplink Interfaces
- Ethernet Uplink
- Cellular Uplink
- Wi-Fi Uplink
- Uplink Preferences and Switching
Uplink Interfaces
Instant network supports Ethernet, 3G and 4G USB modems, and the Wi-Fi uplink to provide access to the corporate Instant network.
Figure 108 Uplink Status
Ethernet uplink supports the following types of configuration in this Instant release.
- PPPoE
- DHCP
- Static IP
You can use PPPoE for your uplink connectivity in both W-IAP and IAP-VPN deployments. PPPoE is supported only in a single AP deployment. Uplink redundancy with the PPPoE link is not supported. When the Ethernet link is up, it is used as a PPPoE or DHCP uplink. After the PPPoE settings are configured, PPPoE has the highest priority for the uplink connections.
4. To set a local interface for the PPPoE uplink connections, select a value from the Local interface drop-down list. The selected DHCP scope will be used as a local interface on the PPPoE interface and the Local, L3 DHCP gateway IP address as its local IP address. When configured, the local interface acts as an unnumbered PPPoE interface and allows the entire Local, L3 DHCP subnet to be allocated to clients.
- Aircard 250U (Sierra)
- USB 598 (Sierra)
- U300 (Franklin wireless)
- U301 (Franklin wireless)
- USB U760 for Virgin (Novatel)
- USB U720 (Novatel/Qualcomm)
- UM175 (Pantech)
- UM150 (Pantech)
- UMW190(Pantech)
- SXC-1080 (Qualcomm)
- Globetrotter ICON 225
- UMG181
- NTT DoCoMo L-05A (LG FOMA L05A)
- NTT DoCoMo L-02A
- ZTE WCDMA Technologies MSM (MF668?)
- Fivespot (ZTE)
- c-motech CNU-600
- ZTE AC2736
- SEC-8089 (EpiValley)
- Nokia CS-10
- NTT DoCoMo L-08C (LG)
- Novatel MiFi 2200 (Verizon Mifi 2200)
- Huawei E272, E170, E220 (ATT)
- Huawei E169, E180,E220,E272 (Vodafone/SmarTone (HK))
- Huawei E160 (O2(UK))
- Huawei E160 (SFR (France))
- Huawei E220 (NZ and JP)
- Huawei E176G (Telstra (Aus))
- Huawei E1553, E176 (3/HUTCH (Aus))
- Huawei K4505 (Vodafone/SmarTone (HK))
- Huawei K4505 (Vodafone (UK))
- ZTE MF656 (Netcom (norway))
- ZTE MF636 (HK CSL/1010)
- ZTE MF633/MF636 (Telstra (Aus))
- ZTE MF637 (Orange in Israel)
- Huawei E180, E16
- Huawei D33HW (EMOBILE(Japan))
- Huawei GD01 (EMOBILE(Japan))
- Huawei EC150 (Reliance NetConnect+ (India))
- KDDI DATA07(Huawei) (KDDI (Japan))
- Huawei E353 (China Unicom)
- Huawei EC167 (China Telecom)
- Huawei E367 (Vodafone (UK))
- Huawei E352s-5 (T-Mobile (Germany))
- Huawei D41HW
- ZTE AC2726
The following table lists the supported 4G modems.
(Instant AP)(cellular-uplink-profile)# usb-dev
(Instant AP)(cellular-uplink-profile)# usb-tty
(Instant AP)(cellular-uplink-profile)# usb-init
(Instant AP)(cellular-uplink-profile)# usb-dial
(Instant AP)(cellular-uplink-profile)# usb-modeswitch
(Instant AP)(cellular-uplink-profile)# end
(Instant AP)# commit apply
To switch a modem from the storage mode to modem mode:
(Instant AP)(config)# cellular-uplink-profile
(Instant AP)(ce
Ensure that the hexadecimal password string is exactly 64 digits in length. 9. Enter a pre-shared key (PSK) passphrase in the Passphrase text box and click OK. You can view the Wi-Fi configuration and uplink status in the CLI.
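The 64-digit requirement in the Wi-Fi uplink steps above follows from the WPA/WPA2-Personal key size: 64 hexadecimal digits are 256 bits, the length of the pre-shared key that IEEE 802.11i derives from a passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations). The following is an added example, not code from the guide; the function names and the sample passphrase and SSID are assumptions of this example.

```python
import hashlib
import string


def _printable_ascii(text: str) -> bool:
    # WPA passphrases are limited to printable ASCII (codes 32 to 126).
    return all(32 <= ord(ch) <= 126 for ch in text)


def wpa_psk_hex(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit PSK as 64 hex digits from a passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63 or not _printable_ascii(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)
    return psk.hex()


def classify_wifi_key(value: str) -> str:
    """Return 'hex-psk' or 'passphrase'; reject anything else.

    A 64-character value is only valid as hexadecimal. Shorter values must
    be a passphrase of 8 to 63 printable ASCII characters.
    """
    if len(value) == 64:
        if all(ch in string.hexdigits for ch in value):
            return "hex-psk"
        raise ValueError("a 64-character key must contain only hexadecimal digits")
    if 8 <= len(value) <= 63 and _printable_ascii(value):
        return "passphrase"
    raise ValueError("key must be 64 hex digits or an 8 to 63 character passphrase")


if __name__ == "__main__":
    # Constructed sample values.
    derived = wpa_psk_hex("constructed passphrase", "Constructed-Uplink")
    print(len(derived), classify_wifi_key(derived))
```

Because the SSID is the salt, the same passphrase yields a different 64-digit string on every SSID, so a hex key copied from one uplink network is not valid for another.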
2. Under Uplink Management, select the type of uplink from the Enforce Uplink drop-down list. If Ethernet uplink is selected, the Port field is displayed. 3. Specify the Ethernet interface port number. 4. Click OK. The selected uplink is enforced on the W-IAP.
In the CLI
To enable uplink preemption:
(Instant AP)(config)# uplink
(Instant AP)(uplink)# preemption
(Instant AP)(uplink)# end
(Instant AP)# commit apply
Switching Uplinks Based on VPN and Internet Availability
The default priority for uplink switchover is Ethernet and then 3G/4G. The W-IAP can switch to the lower priority uplink if the current uplink is down.
a. Select Enabled from the Internet failover drop-down list.
b. Specify the required values for the following fields:
• Max allowed test packet loss: The maximum number of ICMP test packets that are allowed to be lost to determine if the W-IAP must switch to a different uplink connection. You can specify a value within the range of 1 to 1000.
• Secs between test packets: The frequency at which ICMP test packets are sent. You can specify a value within the range of 1 to 3600 seconds.
Uplink preemption              :enable
Uplink enforce                 :none
Ethernet uplink bond0          :DHCP
Internet failover              :disable
Max allowed test packet loss   :10
Secs between test packets      :30
VPN failover timeout (secs)    :180
Chapter 22 Intrusion Detection The Intrusion Detection System (IDS) is a feature that monitors the network for the presence of unauthorized W-IAPs and clients. It also logs information about the unauthorized W-IAPs and clients, and generates reports based on the logged information. The IDS feature in the Instant network enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations.
l Windows 7 l Windows Vista l Windows Server l Windows XP l Windows ME l OS-X l iPhone l iOS l Android l Blackberry l Linux Configuring Wireless Intrusion Protection and Detection Levels WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Instant network, the WIP can be configured on the W-IAP.
Figure 110 Wireless Intrusion Detection The following table describes the detection policies enabled in the Infrastructure Detection Custom settings field.
Table 54: Infrastructure Detection Policies Detection Level Detection Policy l Detect AP Flood Attack l Detect Client Flood Attack l Detect Bad WEP l Detect CTS Rate Anomaly l Detect RTS Rate Anomaly l Detect Invalid Address Combination l Detect Malformed Frame— HT IE l Detect Malformed Frame— Association Request l Detect Malformed Frame— Auth l Detect Overflow IE l Detect Overflow EAPOL Key l Detect Beacon Wrong Channel l Detect devices with invalid MAC OUI The following table de
l High Figure 111 Wireless Intrusion Protection The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings field.
Table 57: Client Protection Policies
Protection Level    Protection Policy
Off                 All protection policies are disabled
Low                 Protect Valid Station
High                Protect Windows Bridge
Containment Methods
You can enable wired and wireless containments to prevent unauthorized stations from connecting to your Instant network. Instant supports the following types of containment mechanisms:
• Wired containment: When enabled, W-IAPs generate ARP packets on the wired network to contain wireless attacks.
Figure 112 Containment Methods
Configuring IDS Using CLI
To configure IDS using CLI:
(Instant AP)(config)# ids
(Instant AP)(IDS)# infrastructure-detection-level
(Instant AP)(IDS)# client-detection-level
(Instant AP)(IDS)# infrastructure-protection-level
(Instant AP)(IDS)# client-protection-level
(Instant AP)(I
(Instant AP)(IDS)# detect-malformed-htie
(Instant AP)(IDS)# detect-malformed-assoc-req
(Instant AP)(IDS)# detect-malformed-frame-auth
(Instant AP)(IDS)# detect-overflow-ie
(Instant AP)(IDS)# detect-overflow-eapol-key
(Instant AP)(IDS)# detect-beacon-wrong-channel
(Instant AP)(IDS)# detect-invalid-mac-oui
(Instant AP)(IDS
Chapter 23 Mesh W-IAP Configuration This chapter provides the following information: l Mesh Network Overview on page 315 l Setting up Instant Mesh Network on page 316 l Configuring Wired Bridging on Ethernet 0 for Mesh Point on page 316 Mesh Network Overview The Dell Instant secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires.
The mesh portal broadcasts a mesh services set identifier (MSSID/ mesh cluster name) to advertise the mesh network service to other mesh points in that Instant network. This is not configurable and is transparent to the user. The mesh points authenticate to the mesh portal and establish a link that is secured using Advanced Encryption Standard (AES) encryption. The mesh portal reboots after 5 minutes when it loses its uplink connectivity to a wired network.
In the Instant UI
To configure Ethernet bridging:
1. On the Access Points tab, click the W-IAP to modify. The edit link is displayed.
2. Click the edit link. The edit window for modifying W-IAP details is displayed.
3. Click the Uplink tab.
4. Select Enable from the Eth0 Bridging drop-down list.
5. Click OK.
6. Reboot the W-IAP.
In the CLI
To configure Ethernet bridging:
Instant Access Point# enet0-bridging
Make the necessary changes to the wired-profile when eth0 is used as the downlink port.
Chapter 24 Mobility and Client Management This chapter provides the following information: l Layer-3 Mobility Overview on page 318 l Configuring L3-Mobility on page 319 Layer-3 Mobility Overview W-IAPs form a single Instant network when they are in the same Layer-2 (L2) domain. As the number of clients increase, multiple subnets are required to avoid broadcast overhead.
When a client first connects to an Instant network, a message is sent to all configured Virtual Controller IP addresses to see if this is an L3 roamed client. On receiving an acknowledgement from any of the configured Virtual Controller IP addresses, the client is identified as an L3 roamed client. If the AP has no GRE tunnel to this home network, a new tunnel is formed to an AP (home AP) from the client's home network.
Figure 114 L3 Mobility Window 4. Select Enabled from the Home agent load balancing drop-down list. By default, home agent load balancing is disabled. 5. Click New in the Virtual Controller IP Addresses section, add the IP address of a Virtual Controller that is part of the mobility domain, and click OK. 6. Repeat Step 2 to add the IP addresses of all Virtual Controllers that form the L3 mobility domain. 7. Click New in the Subnets section and specify the following: a.
Chapter 25 Spectrum Monitor This chapter provides the following information: l Understanding Spectrum Data on page 321 l Configuring Spectrum Monitors and Hybrid W-IAPs on page 326 Understanding Spectrum Data Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference.
Figure 115 Device List Device Summary and Channel Information shows the details of the information that is displayed: Table 58: Device Summary and Channel Information Column Description Type Device type.
Non Wi-Fi Interferers The following table describes each type of non Wi-Fi interferer detected by the spectrum monitor feature. Table 59: Non Wi-Fi Interferer Types Non Wi-Fi Interferer Description Bluetooth Any device that uses the Bluetooth protocol to communicate in the 2.4 GHz band is classified as a Bluetooth device. Bluetooth uses a frequency hopping protocol.
Non Wi-Fi Interferer Description Microwave Common residential microwave ovens with a single magnetron are classified as a Microwave. These types of microwave ovens may be used in cafeterias, break rooms, dormitories and similar environments. Some industrial, healthcare or manufacturing environments may also have other equipment that behave like a microwave and may also be classified as a Microwave device.
Column Description Channel An 802.11a or 802.11g radio channel. Quality(%) Current relative quality of the channel. Utilization(%) The percentage of the channel being used. Wi-Fi (%) The percentage of the channel currently being used by Wi-Fi devices. Type Device type. Total nonwifi (%) The percentage of the channel currently being used by non Wi-Fi devices. Known APs Number of valid APs identified on the radio channel.
Figure 118 Channel Metrics for the 5 GHz Radio Channel Channel Metrics shows the information displayed in the channel metrics graph. Table 61: Channel Metrics Column Description Channel A 2.4 GHz or 5 GHz radio channel. Quality(%) Current relative quality of selected channels in the 2.4 GHz or 5 GHz radio bands, as determined by the percentage of packet retries, the current noise floor, and the duty cycle for non Wi-Fi devices on that channel.
In the hybrid mode, spectrum monitoring is performed only on the home channel. In other words, if the AP channel width is 80 MHz, spectrum monitoring is performed for 80 MHz. If the channel width is 40 MHz, spectrum monitoring is performed for the 40 MHz channel. In a dedicated air monitor mode, APs perform spectrum monitoring on all channels. You can convert W-IAPs in an Instant network to hybrid mode using the Instant UI or CLI.
In the Instant UI
To convert a W-IAP to a hybrid W-IAP:
1.
d. Click OK.
In the CLI
To convert a W-IAP to a spectrum monitor:
(Instant AP)# wifi0-mode {||}
(Instant AP)# wifi1-mode {||}
To enable spectrum monitoring for any other band for the 5 GHz radio:
(Instant AP)(config)# rf dot11a-radio-profile
Instant Access Point (RF dot11a Radio Profile)# spectrum-band
To view the radio configuration:
Instant Access Point# show radio config
2.4 GHz:
Legacy Mode:disable
Beacon Interval:100
802.
Chapter 26 W-IAP Maintenance This section provides information on the following procedures: l Upgrading a W-IAP on page 329 l Backing up and Restoring W-IAP Configuration Data on page 331 l Converting a W-IAP to a Remote AP and Campus AP on page 333 l Resetting a Remote AP or Campus AP to a W-IAP on page 338 l Rebooting the W-IAP on page 338 Upgrading a W-IAP While upgrading a W-IAP, you can use the image check feature to allow the W-IAP to find new software image versions available on a cloud-ba
Figure 119 Proxy Configuration Window
2. Enter the HTTP proxy server's IP address and the port number.
3. If you do not want the HTTP proxy to be applied for a particular host, click New to enter that IP address or domain name of that host under exceptions list.
In the CLI
(Instant AP)(config)# proxy server 192.0.2.1 8080
(Instant AP)(config)# proxy exception 192.0.2.
If the upgrade fails and an error message is displayed, retry upgrading the W-IAP.
Upgrading to a New Version Manually
If the automatic image check feature is disabled, you can obtain an image file from a local file system or from a TFTP or HTTP URL. To manually check for a new firmware image version and obtain an image file:
1. Navigate to Maintenance > Firmware. The Firmware window is displayed.
2. Under Manual section, perform the following steps:
• Select the Image file option.
Viewing Current Configuration
To view the current configuration on the W-IAP:
• In the UI, navigate to Maintenance > Configuration > Current Configuration.
• In the CLI, enter the following command at the command prompt:
(Instant AP)# show running-config
Backing up Configuration Data
To back up the W-IAP configuration data:
1. Navigate to the Maintenance > Configuration page.
2. Click Backup Configuration.
3. Click Continue to confirm the backup. The instant.
Converting a W-IAP to a Remote AP and Campus AP This section provides the following information: l Regulatory Domain Restrictions for W-IAP to RAP or CAP Conversion on page 333 l Converting a W-IAP to a Remote AP on page 334 l Converting a W-IAP to a Campus AP on page 336 l Converting a W-IAP to Standalone Mode on page 337 l Converting a W-IAP using CLI on page 338 Regulatory Domain Restrictions for W-IAP to RAP or CAP Conversion You can provision a W-IAP as a Campus AP or a Remote AP in a control
Table 62: W-IAP to ArubaOS AP Conversion ArubaOS Version on Controller 6.3.1.3 IAP-22x IAP-27x W-IAP11x IAP-20x IAP-21x W-IAP103 US RW US RW US RW US US RW US RW US Unrestricted JP IL US Y X — — Y X — — — — — Y X X X Unrestricted X Y — — X Y — — — — — X Y Y X Controller All Other W-IAPs Regulatory Domain RW — (for JP only) 6.
l If the W-IAP does not get W-AirWave information through DHCP provisioning, it tries provisioning through a firmware image server in the cloud by sending a serial number MAC address. If an entry for the W-IAP is present in the firmware image cloud server and is provisioned as a W-IAP > Remote AP, the firmware image cloud server responds with mobility controller IP address, AP group, and AP type.
1. Click the Maintenance link in the Instant main window. 2. Click the Convert tab. The Convert tab contents are displayed. Figure 120 Maintenance—Convert Tab 3. Select Remote APs managed by a Mobility Controller from the drop-down list. 4. Enter the hostname (fully qualified domain name) or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. Contact your local network administrator to obtain the IP address.
Figure 121 Converting a W-IAP to Campus AP 3. Select Campus APs managed by a Mobility Controller from the drop-down list. 4. Enter the hostname, Fully Qualified Domain Name (FQDN), or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. Contact your local administrator to obtain these details. 5. Ensure that the W-IAPs access the mobility controller IP Address. 6. Click Convert Now to complete the conversion.
Converting a W-IAP using CLI
To convert a W-IAP:
(Instant AP)# convert-aos-ap
Resetting a Remote AP or Campus AP to a W-IAP
The reset button located on the rear of a W-IAP can be used to reset the W-IAP to factory default settings. To reset a W-IAP, perform the following steps:
1. Power off the W-IAP.
2. Press and hold the reset button using a small and narrow object such as a paperclip.
3. Power on the W-IAP without releasing the reset button.
3. In the W-IAP list, select the W-IAP that you want to reboot and click Reboot selected Access Point. To reboot all the W-IAPs in the network, click Reboot All. 4. The Confirm Reboot for AP message is displayed. Click Reboot Now to proceed. The Reboot in Progress message is displayed indicating that the reboot is in progress. The Reboot Successful message is displayed after the process is complete.
Chapter 27 Monitoring Devices and Logs This chapter provides the following information: l Configuring SNMP on page 340 l Configuring a Syslog Server on page 344 l Configuring TFTP Dump Server on page 345 l Running Debug Commands from the UI on page 346 Configuring SNMP This section provides the following information: l SNMP Parameters for W-IAP on page 340 l Configuring SNMP on page 341 l Configuring SNMP Traps on page 343 SNMP Parameters for W-IAP Instant supports SNMPv1, SNMPv2c, and SNMPv3
Field Description Authentication protocol password If messages sent on behalf of this user can be authenticated, the (private) authentication key is used with the authentication protocol. This is a string password for MD5 or SHA based on the above-mentioned conditions. Privacy protocol An indication of whether messages sent on behalf of this user can be protected from disclosure, and if so, the type of privacy protocol which is used. This takes the value DES (CBC-DES Symmetric Encryption).
3. Click New.
4. Enter the string in the New Community String text box.
5. Click OK.
6. To delete a community string, select the string, and click Delete.
Creating community strings for SNMPv3 Using Instant UI
To create community strings for SNMPv3:
1. Click the System link at the top right corner of the Instant main window. The system window is displayed.
2. Click the Monitoring tab. The SNMP configuration parameters are displayed in the Monitoring tab.
3. Click New in the Users for SNMPv3 box.
Engine ID:D8C7C8C44298
Community Strings
-----------------
Name
----
SNMPv3 Users
------------
Name  Authentication Type  Encryption Type
----  -------------------  ---------------
SNMP Trap Hosts
---------------
IP Address  Version  Name  Port  Inform
----------  -------  ----  ----  ------
Configuring SNMP Traps
Instant supports the configuration of external trap receivers. Only the W-IAP acting as the Virtual Controller generates traps.
Configuring a Syslog Server You can specify a syslog server for sending syslog messages to the external servers either by using the Instant UI or CLI. In the Instant UI 1. In the Instant main window, click the System link. The System window is displayed. 2. Click Show advanced options to display the advanced options. 3. Click the Monitoring tab. The Monitoring tab details are displayed. Figure 126 Syslog Server 4.
Table 65: Logging Levels
Logging Level    Description
Emergency        Panic conditions that occur when the system becomes unusable.
Alert            Any condition requiring immediate attention and correction.
Critical         Any critical conditions such as a hard drive error.
Errors           Error conditions.
Warning          Warning messages.
Notice           Significant events of a non-critical and normal nature. The default value for all Syslog facilities.
Informational    Messages of general interest to system users.
3. Click the Monitoring tab. The Monitoring tab details are displayed.
4. Enter the IP address of the TFTP server in the TFTP Dump Server text box.
5. Click OK.
In the CLI
To configure a TFTP server:
(Instant AP)(config)# tftp-dump-server
(Instant AP)(config)# end
(Instant AP)# commit apply
Running Debug Commands from the UI
To run the debugging commands from the UI:
1. Navigate to More > Support at the top right corner of the Instant main window. The Support window is displayed.
2.
• AP ARM Neighbors: Displays the ARM neighbors of the W-IAP.
• AP ARM RF Summary: Displays the status and statistics for all channels monitored by the W-IAP.
• AP ARM Scan Times: Displays channel scanning information for the W-IAP.
• AP ARP Table: Displays the ARP table of the W-IAP.
• AP Association Table: Displays information about the W-IAP association.
• AP Auth-Survivability cache: Displays the list of 802.1X cached user's information.
• AP Datapath VLAN Table: Displays the VLAN table information such as VLAN memberships inside the datapath including L2 tunnels for the W-IAP.
• AP Daylight Saving Time: Displays the Daylight Saving Time configured on the W-IAP.
• AP Derivation Rules: Displays the role and VLAN derivation rules configured on a W-IAP.
• AP DPI Debug statistics: Displays DPI statistics that can be used for debugging DPI issues.
• AP Driver Configuration: Displays driver configuration details of the W-IAP.
• AP Mesh Counters: Displays the mesh counters of the W-IAP.
• AP Mesh Link: Displays the mesh link of the W-IAP.
• AP Mesh Neighbors: Displays the mesh link neighbors of the W-IAP.
• AP Monitor Active Laser Beams: Displays the active laser beam sources for the W-IAP.
• AP Monitor AP Table: Displays the list of APs monitored by the W-IAP.
• AP Monitor ARP Cache: Displays ARP cache details for the W-IAP.
• AP Monitor Client Table: Displays the list of clients monitored by the W-IAP.
• VC About: Displays information such as AP type, build time of image, and image version for the Virtual Controller.
• VC Active Configuration: Displays the active configuration of Virtual Controller.
• VC Airgroup Service: Displays the Bonjour services supported by the Virtual Controller.
• VC Airgroup Status: Displays the status of the AirGroup and CPPM server details configured on the Virtual Controller.
• VC Allowed AP Table: Displays the list of allowed APs.
Chapter 28 Hotspot Profiles This chapter describes the following procedures: l Understanding Hotspot Profiles on page 351 l Configuring Hotspot Profiles on page 353 l Sample Configuration on page 364 In the current release, Instant supports the hotspot profile configuration only through the CLI. Understanding Hotspot Profiles Hotspot 2.0 is a Wi-Fi Alliance specification based on the 802.
An AP can include its service provider Organization Identifier (OI) indicating the service provider identity in beacons and probe responses to clients. When a client recognizes a W-IAP's OI, it attempts to associate to that W-IAP using the security credentials corresponding to that service provider. If the client does not recognize the AP’s OI, the client sends a Generic Advertisement Service (GAS) query to the W-IAP to request more information about the network before associating.
NAI Realm List
An NAI Realm profile identifies and describes a NAI realm to which the clients can connect. The NAI realm settings on a W-IAP act as an advertisement profile to determine the NAI realm elements that must be included as part of a GAS Response frame.
Configuring Hotspot Profiles
To configure a hotspot profile, perform the following steps:
1. Create the required ANQP and H2QP advertisement profiles.
2. Create a hotspot profile.
3.
You can specify any of the following EAP methods for the nai-realm-eap-method command: l identity— To use EAP Identity type. The associated numeric value is 1. l notification—To allow the hotspot realm to use EAP Notification messages for authentication. The associated numeric value is 2. l one-time-password—To use Authentication with a single-use password. The associated numeric value is 5. l generic-token-card—To use EAP Generic Token Card (EAP-GTC). The associated numeric value is 6.
Table 66: NAI Realm Profile Configuration Parameters
Authentication ID: eap-inner-auth
• Uses EAP inner authentication type.
• The associated numeric value is 3.
Authentication Value: The following authentication values apply:
• reserved: The associated numeric value is 0.
• pap: The associated numeric value is 1.
• chap: The associated numeric value is 2.
• mschap: The associated numeric value is 3.
• mschapv2: The associated numeric value is 4.
Table 67: Venue Types
Venue Group: unspecified. The associated numeric value is 0.
Venue Group: assembly. The associated numeric value is 1.
Associated Venue Type Value:
• unspecified: The associated numeric value is 0.
• arena: The associated numeric value is 1.
• stadium: The associated numeric value is 2.
• passenger-terminal: The associated numeric value is 3.
• amphitheater: The associated numeric value is 4.
• amusement-park: The associated numeric value is 5.
Venue Group    Associated Venue Type Value
• long-term-care: The associated numeric value is 2.
• alc-drug-rehab: The associated numeric value is 3.
• group-home: The associated numeric value is 4.
• prison-or-jail: The associated numeric value is 5.
Venue Group: mercantile. The associated numeric value is 6.
Associated Venue Type Value:
• unspecified: The associated numeric value is 0.
• retail-store: The associated numeric value is 1.
• grocery-market: The associated numeric value is 2.
Configuring a Network Authentication Profile You can configure a network authentication profile to define the authentication type used by the hotspot network.
Configuring an IP Address Availability Profile You can configure the available IP address types to send information on IP address availability as an ANQP IE in a GAS query response.
(Instant AP)(operator-class )# enable
(Instant AP)(operator-class )# end
(Instant AP)# commit apply
Configuring a WAN Metrics Profile
You can configure a WAN metrics profile to define information about access network characteristics such as link status and metrics.
The hotspot profile configuration parameters are described in the following table: Table 68: Hotspot Configuration Parameters Parameter Description access-network-type Specify any of the following 802.11u network types. l private—This network is accessible for authorized users only. For example, home networks or enterprise networks that require user authentication. The corresponding integer value for this network type is 0.
Table 68: Hotspot Configuration Parameters Parameter Description hessid Specify a Homogenous Extended Service Set Identifier (HESSID) in a hexadecimal format separated by colons. internet Specify this parameter to allow the W-IAP to send an Information Element (IE) indicating that the network allows Internet access. p2p-cross-connect Specify this parameter to advertise support for P2P Cross Connections. p2p-dev-mgmt Specify this parameter to advertise support for P2P device management.
(Instant AP)(config)# hotspot hs-profile
(Instant AP)(Hotspot2.0 )# advertisement-protocol
(Instant AP)(Hotspot2.0 )# advertisement-profile anqp-3gpp
(Instant AP)(Hotspot2.0 )# advertisement-profile anqp-domain-name
(Instant AP)(Hotspot2.0 )# advertisement-profile anqp-ip-addr-avail
(Instant AP)(Hotspot2.
Sample Configuration
Step 1 - Creating ANQP and H2QP Advertisement Profile
(Instant AP)# configure terminal
(Instant AP)(config)# hotspot anqp-nai-realm-profile nr1
(Instant AP)(nai-realm "nr1")# nai-realm-name name1
(Instant AP)(nai-realm "nr1")# nai-realm-encoding utf8
(Instant AP)(nai-realm "nr1")# nai-realm-eap-method eap-sim
(Instant AP)(nai-realm "nr1")# nai-realm-auth-id-1 non-eap-inner-auth
(Instant AP)(nai-realm "nr1")# nai-realm-auth-value-1 mschapv2
(Instant AP)(nai-realm "nr1")# nai-ho
(Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant (Instant AP)(Hotspot2.0 "hs1")# AP)(Hotspot2.0 "hs1")# AP)(Hotspot2.0 "hs1")# AP)(Hotspot2.0 "hs1")# AP)(Hotspot2.0 "hs1")# AP)(Hotspot2.0 "hs1")# AP)(Hotspot2.0 "hs1")# AP)(Hotspot2.0 "hs1")# AP)(Hotspot2.
Chapter 29 ClearPass Guest Setup To configure ClearPass Guest: 1. On ClearPass Guest, navigate to Administration > AirGroup Services. 2. Click Configure AirGroup Services. Figure 127 Configure AirGroup Services 3. Click Add a new controller. 4. Update the fields with the appropriate information. Ensure that the port configured matches the CoA port (RFC 3576) set on the W-IAP configuration. 5. Click Save Configuration.
3. Create an AirGroup Administrator. Figure 129 Create an AirGroup Administrator 4. In this example, the password used is test123. Click Add. 5. Now click Add User, and create an AirGroup Operator. Figure 130 Create an AirGroup Operator 6. Click Add to save the user with an AirGroup Operator role. The AirGroup Administrator and AirGroup Operator IDs will be displayed in the Local Users UI screen.
Figure 131 Local Users UI Screen 7. Navigate to the ClearPass Guest UI and click Logout. The ClearPass Guest Login page is displayed. Use the AirGroup admin credentials to log in. 8. After logging in, click Create Device. Figure 132 Create a Device The following page is displayed. Figure 133 - Register Shared Device For this test, add your AppleTV device name and MAC address but leave all other fields empty.
9. Click Register Shared Device.
Testing
To verify the setup:
1. Disconnect your AppleTV and OSX Mountain Lion/iOS 6 devices if they were previously connected to the wireless network. Remove their entries from the controller’s user table using these commands:
• Find the MAC address: show user table
• Delete the address from the table: aaa user delete mac 00:aa:22:bb:33:cc
2. Reconnect both devices.
Chapter 30 IAP-VPN Deployment Scenarios This section describes the most common IAP-VPN deployments models and provides information to carry out the necessary configuration procedures. The examples in this section refer to more than one DHCP profile and wired port configuration in addition to wireless SSID configuration. All these are optional. In most networks, a single DHCP profile and wireless SSID configuration referring a DHCP profile is sufficient.
Scenario 1—IPSec: Single Datacenter Deployment with No Redundancy This scenario includes the following configuration elements: 1. Single VPN primary configuration using IPSec 2. Split tunneling of client traffic 3. Split tunneling of DNS traffic from clients 4. Distributed L3 and Centralized L2 mode DHCP 5. RADIUS server within corporate network and authentication survivability for branch survivability 6. Wired and wireless users in L2 and L3 modes respectively 7.
Table 71: W-IAP Configuration for Scenario 1—IPSec: Single Datacenter Deployment with No Redundancy Configuration Steps CLI Commands UI Procedure 1. Configure the primary host for VPN with the Public VRRP IP address of the controller. (ap)(config)# vpn primary See Configuring an IPSec Tunnel 2. Configure a routing profile to tunnel all 10.0.0.0/8 subnet traffic to controller. (ap)(config)# routing-profile See Configuring Routing Profiles 3.
Table 71: W-IAP Configuration for Scenario 1—IPSec: Single Datacenter Deployment with No Redundancy Configuration Steps authentication servers and access rules created above and enable authentication survivability.
Datacenter Configuration For information on controller configuration, see Configuring a Controller for IAP-VPN Operations on page 233. Ensure that the upstream router is configured with a static route pointing to the controller for the L3 VLAN.
Scenario 2—IPSec: Single Datacenter with Multiple Controllers for Redundancy This scenario includes the following configuration elements: l A VRRP instance between the master/standby-master pair, which is configured as the primary VPN IP address. l Tunneling of all traffic to datacenter. l Exception route to bypass tunneling of RADIUS and W-AirWave traffic, which are locally reachable in the branch and the Internet respectively. l All client DNS queries are tunneled to the controller.
• 10.2.2.0/24 is a branch-owned subnet, which needs to override the global routing profile.
• 199.127.104.32 is used as an example IP address of the W-AirWave server in the Internet.
AP Configuration
The following table provides information on the configuration steps performed through the CLI with example values. For information on the UI procedures, see the topics referenced in the UI Navigation Details column.
Table 72: W-IAP Configuration for Scenario 2—IPSec: Single Datacenter with Multiple controllers for Redundancy Configuration Steps CLI Commands UI Procedure NOTE: The IP range configuration on each branch will be the same. Each W-IAP will derive a smaller subnet based on the client count scope using the Branch ID (BID) allocated by controller. 6. Create authentication servers for user authentication. The example in the next column assumes 802.1X SSID.
Table 72: W-IAP Configuration for Scenario 2—IPSec: Single Datacenter with Multiple controllers for Redundancy Configuration Steps CLI Commands UI Procedure captive portal example. NOTE: The SSID type guest is used in this example to enable configuration of captive portal. However, corporate access through VPN tunnel is still allowed for this SSID because the VLAN associated to this SSID is a VPN enabled VLAN (20 in this example). 8. Create access rule for wired and wireless authentication.
Scenario 3—IPSec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy This scenario includes the following configuration elements: l Multiple controller deployment model with controllers in different datacenters operating as primary/backup VPN with fast-failover and pre-emption enabled. l Split tunneling of traffic. l Split tunneling of client DNS traffic. l Two Distributed L3 mode DHCPs, one each for employee and contractors and one Local mode DHCP server.
- 10.40.0.0/16 subnet is reserved for L3 mode – used by Contractor SSID.
- 172.16.20.0/24 subnet is used for NAT mode – used for wired network.
- Client count in each branch is 200.
- Contractors are only permitted to reach 10.16.0.0/16 network.

AP Configuration

This section provides information on configuration steps performed through the CLI or the UI.

Table 73: W-IAP Configuration for Scenario 3—IPSec: Multiple Datacenter Deployment

Configuration Steps | CLI Commands | UI Procedure

1.
(ap)(DHCP profile "l3-dhcp")# domain-name corpdomain.com
(ap)(DHCP profile "l3-dhcp")# client-count 200

Local profile with VLAN 20

(ap)(config)# ip dhcp local
(ap)(DHCP profile "local")#
(ap)(DHCP profile "local")#
(ap)(DHCP profile "local")#
(ap)(DHCP profile "local")# 255.255.255.0
(ap)(DHCP profile "local")#
(ap)(DHCP profile "local")# 10.1.1.30,10.1.1.
Configure a wireless SSID to operate in L3 mode for employee and associate distributed L3 mode VLAN 30 to the WLAN SSID profile.
(ap)(Access Rule "wireless-ssid-contractor")# rule 10.16.0.0 255.255.0.0 match any any any permit
(ap)(Access Rule "wireless-ssid-contractor")# rule any any match any any any src-nat

NOTE: Ensure that you execute the commit apply command in the Instant CLI before saving the configuration and propagating changes across the W-IAP cluster.
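To check what the two wireless-ssid-contractor rule lines above do to a given destination, the following added example (not part of the guide and not Dell or Aruba code) parses them and reports the action that applies. It assumes rules are evaluated top-down with the first match winning and that unmatched traffic is denied; the function names and sample destinations are constructed for illustration.

```python
import ipaddress

# Rule lines copied from the "wireless-ssid-contractor" access rule on this page.
CONTRACTOR_RULES = """\
rule 10.16.0.0 255.255.0.0 match any any any permit
rule any any match any any any src-nat
"""

def parse_rules(text):
    """Parse 'rule <dest> <mask> match <proto> <port> <port> <action>' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if len(tok) != 8 or tok[0] != "rule" or tok[3] != "match":
            raise ValueError(f"unsupported rule line: {line!r}")
        if tok[4:7] != ["any", "any", "any"]:
            # Every rule on this page matches any protocol and port, so this
            # sketch evaluates the destination only and refuses anything else.
            raise ValueError(f"protocol/port matching not modelled: {line!r}")
        dest, mask, action = tok[1], tok[2], tok[7]
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "any" else f"{dest}/{mask}")
        rules.append((net, action))
    return rules

def action_for(rules, dst_ip):
    """Action of the first rule covering dst_ip.
    Assumptions: top-down first-match order, and "deny" when nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    for net, action in rules:
        if addr in net:
            return action
    return "deny"

def catch_all_actions(rules):
    """Actions of rules whose destination is 'any' (they decide all other traffic)."""
    return [action for net, action in rules if net.prefixlen == 0]

if __name__ == "__main__":
    rules = parse_rules(CONTRACTOR_RULES)
    # Constructed sample destinations: one inside 10.16.0.0/16, two outside it.
    for dst in ("10.16.5.10", "10.20.1.1", "198.51.100.7"):
        print(f"{dst:>14} -> {action_for(rules, dst)}")
    print("catch-all actions:", catch_all_actions(rules))
```

With the page's two rules, only destinations inside 10.16.0.0/16 reach the permit rule; every other destination is decided by the src-nat catch-all, so that last line is the one to review when checking what the contractor role can reach beyond the permitted subnet.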
Scenario 4—GRE: Single Datacenter Deployment with No Redundancy

This scenario includes the following configuration elements:
- Single VPN primary configuration using GRE
  - Aruba GRE, which does not require any configuration on the Dell Networking W-Series Mobility Controller that acts as a GRE endpoint.
  - Manual GRE, which requires GRE tunnels to be explicitly configured on the GRE endpoint, which can be a Dell Networking W-Series Mobility Controller or any device that supports GRE termination.
AP Configuration

This section provides information on configuration steps performed through the CLI or the UI.

Table 74: W-IAP Configuration for Scenario—GRE: Single Datacenter Deployment with No Redundancy

Configuration Steps | CLI Commands | UI Procedure

1. Configure Aruba GRE or manual GRE
Aruba GRE configuration
See Enabling Automatic Configuration of GRE Tunnel
- Aruba GRE uses an IPSec tunnel to facilitate controller configuration and requires VPN to be configured.
5. Create authentication servers for user authentication. The example in the next column assumes 802.1X SSID.

(ap)(config)# wlan auth-server server1
(ap)(Auth Server "server1")# ip 10.2.2.
Services

For WLAN SSID employee roles:

(ap)(config)# wlan access-rule wireless-ssid
(ap)(Access Rule "wireless-ssid")# rule any any match any any any permit

NOTE: Ensure that you execute the commit apply command in the Instant CLI before saving the configuration and propagating changes across the W-IAP cluster.
Terminology

Acronyms and Abbreviations

The following table lists the abbreviations used in this document.
Table 75: List of abbreviations

Abbreviation | Expansion
NS | Name Server
NTP | Network Time Protocol
PEAP | Protected Extensible Authentication Protocol
PEM | Privacy Enhanced Mail
PoE | Power over Ethernet
RADIUS | Remote Authentication Dial In User Service
VC | Virtual Controller
VSA | Vendor-Specific Attributes
WLAN | Wireless Local Area Network

Glossary

The following table lists the terms and their definitions used in this document.

Table 76: List of Terms

Term | Definition
802.
802.11g | Offers transmission over relatively short distances at up to 54 Mbps, compared with the 11 Mbps theoretical maximum of 802.11b. 802.11g operates in the 2.4 GHz band and employs orthogonal frequency division multiplexing (OFDM), the modulation scheme used in 802.11a, to obtain higher data speed. Computers or terminals set up for 802.11g can fall back to speeds of 11 Mbps, so that 802.11b and 802.11g devices can be compatible within a single network.
802.
DNS Server | A Domain Name System (DNS) server functions as a phonebook for the Internet and Internet users. It converts human readable computer hostnames into IP addresses and vice-versa. A DNS server stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records.
The choice of endspan or midspan depends on the capabilities of the switch to which the W-IAP is connected. Typically if a switch is in place and does not support PoE, midspan power injectors are used.
PPPoE | Point-to-Point Protocol over Ethernet (PPPoE) is a method of connecting to the Internet typically used with DSL services where the client connects to the DSL modem.
WEP | Wired equivalent privacy (WEP) is a security protocol specified in 802.11b, designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN.