User Guide Dell Networking W-Series Instant Access Point 6.3.1.1-4.
Copyright © 2013 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Chapter 1
About this Guide

This User Guide describes the features supported by Dell Networking W-Series Instant Access Point (W-IAP) and provides detailed instructions for setting up and configuring the Dell W-Instant network.

Intended Audience
This guide is intended for customers who configure and use Dell W-Instant.
The following informational icons are used throughout this guide:
• Indicates helpful suggestions, pertinent information, and important things to remember.
• Indicates a risk of damage to your hardware or loss of data.
• Indicates a risk of personal injury or death.

Contacting Dell
Table 2: Support Information
Main Website: dell.com
Contact Information: dell.com/contactdell
Support Website: dell.com/support
Documentation Website: dell.
Chapter 2
About Dell W-Instant

This chapter provides the following information:
• Dell W-Instant Overview
• What is New in Dell W-Instant 6.3.1.1-4.0

Dell W-Instant Overview
Dell W-Instant virtualizes Dell Networking W-Series Mobility Controller capabilities on 802.11 access points (APs), creating a feature-rich enterprise-grade wireless LAN (WLAN) that combines affordability and configuration simplicity. Dell W-Instant is a simple, easy to deploy turn-key WLAN solution consisting of one or more APs.
All W-IAPs except W-IAP224, W-IAP225, W-IAP114, and W-IAP115 are available as the following variants:
• W-IAP-US (United States)
• W-IAP-JP (Japan)
• W-IAP-RW (Rest of World)

The W-IAP224, W-IAP225, W-IAP114, and W-IAP115 are available as the following variants:
• W-IAP-US (United States)
• W-IAP-RW. The RW variant also includes JP variants.
Table 3: New Features in 6.3.1.1-4.0

The administrators can also set per user bandwidth to provide a specific bandwidth for each user connecting to the SSID or wired profile.

Feature: Support for 802.11r Roaming and Fast BSS Transition
Description: Dell W-Instant supports 802.11r roaming standard. As part of the 802.11r implementation, Dell W-Instant supports the Fast BSS Transition protocol.
Feature: Provisioning a W-IAP as a master W-IAP
Description: Dell W-Instant now allows you to manually provision a W-IAP as a master W-IAP, based on network-specific parameters such as the physical location of the Virtual Controller.

Feature: Support for Automatic Configuration of the GRE Tunnel
Description: Dell W-Instant now allows the automatic configuration of GRE tunnel from a W-IAP to Dell Mobility Controller.
Check with your local Dell sales representative on device availability for your region.
Chapter 3
Setting up a W-IAP

This chapter describes the following procedures:
• Setting up Dell W-Instant Network
• Logging in to the Dell W-Instant UI
• Accessing the Dell W-Instant CLI

Setting up Dell W-Instant Network
Before installing a W-IAP:
• Ensure that you have an Ethernet cable of the required length to connect a W-IAP to the home router.
• Ensure that you have one of the following power sources:
  ▪ IEEE 802.
1. Connect a terminal, PC, or workstation running a terminal emulation program to the Console port on the W-IAP.
2. Power on the W-IAP. An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed.
3. Press Enter before the timer expires. The W-IAP goes into the apboot mode.
4. In the apboot mode, use the following commands to assign a static IP to the W-IAP.

Hit <Enter> to stop autoboot: 0
apboot>
apboot> setenv ipaddr 192.0.2.
To disable the provisioning network:
1. Connect a terminal or PC/workstation running a terminal emulation program to the Console port on the W-IAP.
2. Configure the terminal or terminal emulation program to use the following communication settings:

Table 5: Terminal Communication Settings
Baud Rate    Data Bits    Parity    Stop Bits    Flow Control
9600         8            None      1            None

3. Power on the W-IAP. An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed.
4.
The Country Code window is displayed for the W-IAP-ROW (Rest of World) variants when you log in to the Dell W-Instant UI for the first time. You can specify a country code by selecting an appropriate option from the Please Specify the Country Code drop-down list.

Figure 2 Specifying a Country Code

For the complete list of the country codes supported by the W-IAP-ROW variant type, see Regulatory Domain on page 320.
Applying Configuration Changes
Each command processed by the Virtual Controller is applied on all the slaves in a cluster. The changes configured in a CLI session are saved in the CLI context. The CLI does not support the configuration data exceeding the 4K buffer size in a CLI session. Therefore, it is recommended that you configure fewer changes at a time and apply the changes at regular intervals.
Table 6: Sequence-Sensitive Commands Sequence-Sensitive Command Corresponding no command rule {permit |deny | src-nat | dst-nat { | }}[
Chapter 4
Dell W-Instant User Interface

This chapter describes the following Dell W-Instant UI elements:
• Login Screen
• Main Window

Login Screen
The Dell W-Instant login page allows you to:
• Log in to the Dell W-Instant UI.
You can also select the required language option from the Languages drop-down located at the bottom left corner of the Dell W-Instant main window.

Main Window
On logging into Instant, the Instant UI Main Window is displayed.
Networks Tab
This tab displays a list of Wi-Fi networks that are configured in the Instant network. The network names are displayed as links. The expanded view displays the following information about each Wi-Fi network:
• Name (SSID) — Name of the network.
• Clients — Number of clients that are connected to the network.
• Type — Type of network, such as Employee, Guest, or Voice.
• Band — Band in which the network is broadcast: 2.4 GHz band, 5 GHz band, or both.
• Name — User name of the client or guest users if available.
• IP Address — IP address of the client.
• MAC Address — MAC address of the client.
• OS — Operating system that runs on the client.
• Network — The network to which the client is connected.
• Access Point — W-IAP to which the client is connected.
• Channel — The client operating channel.
• Type — Type of the Wi-Fi client: A, G, AN, or GN.
• Role — Role assigned to the client.
• General — Allows you to configure, view or edit the Name, IP address, NTP Server, and other W-IAP settings for the Virtual Controller.
  ▪ For information about Virtual Controller configuration, see Virtual Controller Configuration on page 81.
  ▪ For information about NTP Server configuration, see Configuring an NTP Server on page 76.
  ▪ For information about Auto join mode, Terminal Access, LED display, TFTP Dump Server, and Deny inter user bridging, see W-IAP Management on page 303.
Figure 5 System Window

RF
The RF link displays a window for configuring Adaptive Radio Management (ARM) and Radio features.
• ARM — Allows you to view or configure channel and power settings for all the W-IAPs in the network. For information about ARM configuration, see ARM Overview on page 210.
• Radio — Allows you to view or configure radio settings for 2.4 GHz and the 5 GHz radio profiles. For information about Radio, see Configuring Radio Settings for a W-IAP on page 217.
Figure 6 RF Window

Security
The Security link displays a window with the following tabs:
• Authentication Servers — Use this window to configure an external RADIUS server for a wireless network. See Configuring an External Server for Authentication on page 143 for more information.
• Users for Internal Server — Use this window to populate the system’s internal authentication server with users.
Figure 7 Security Window - Default View

Maintenance
The Maintenance link displays a window that allows you to maintain the Wi-Fi network. The Maintenance window consists of the following tabs:
• About — Displays the name of the product, build time, W-IAP model name, the Dell W-Instant version, Website address of Dell, and Copyright information.
• Configuration — Displays the following details:
  ▪ Current Configuration — Displays the current configuration details.
Figure 8 Maintenance Window - Default View

Help
The Help link allows you to view a short description or definition of selected terms and fields in the UI windows or dialogs. To activate the context-sensitive help:
1. Click the Help link at the top right corner of Dell W-Instant main window.
2. Click any text or term displayed in green italics to view its description or definition.
3. To disable the help mode, click Done.
Figure 9 VPN window for IPSec Configuration

IDS
The IDS window allows you to configure wireless intrusion detection and protection levels. The following figures show the IDS window:

Figure 10 IDS Window: Intrusion Detection
Figure 11 IDS Window: Intrusion Protection

For more information on wireless intrusion detection and protection, see Detecting and Classifying Rogue APs on page 220.

Wired
The Wired window allows you to configure a wired network profile. See Wired Profiles on page 101 for more information. The following figure shows the Wired window:

Figure 12 Wired Window

Services
The Services window allows you to configure services such as AirGroup, RTLS, and OpenDNS.
• RTLS — Allows you to integrate W-AirWave Management platform or third-party Real Time Location Server such as Aeroscout Real Time Location Server with Dell W-Instant. For more information, see Integration with Security and Location Services Applications on page 275. The RTLS tab also allows you to integrate W-IAP with the Analytics and Location Engine (ALE). For more information about configuring a W-IAP for ALE integration, see Configuring a W-IAP for Analytics and Location Engine Support on page 275.
Figure 14 DHCP Servers Window

For more information, see DHCP Configuration on page 230.

Support
The Support window consists of the following fields:
• Command — Allows you to select a support command for execution.
• Target — Displays a list of W-IAPs in the network.
• Run — Allows you to execute the selected command for a specific W-IAP or all W-IAPs and view logs.
• Auto Run — Allows you to configure a schedule for automatic execution of a support command for a specific W-IAP or all W-IAPs.
Figure 15 Support Window

Logout
The Logout link allows you to log out of the Dell W-Instant UI.

Monitoring
The Monitoring link displays the Monitoring pane for the Dell W-Instant network. Use the down arrow to the right side of these links to compress or expand the monitoring pane.
Table 7: Contents of the Info Section in the Dell W-Instant Main Window
Name    Description
Info section in Client view
• Master — Displays the IP address of the Access Point acting as Virtual Controller.
• OpenDNS Status — Displays the OpenDNS status. If the OpenDNS status indicates as Not Connected, ensure that the network connection is up and appropriate credentials are configured for OpenDNS.
• Uplink type — Displays the type of uplink configured on the W-IAP: for example, Ethernet or 3G.
RF Dashboard
The RF Dashboard section lists the W-IAPs that exceed the utilization, noise, or error threshold. It also shows the clients with low speed or signal strength in the network and the RF information for the W-IAP to which the client is connected. The W-IAP names are displayed as links. When a W-IAP is clicked, the W-IAP configuration information is displayed in the Info section and the RF Dashboard section is displayed at the bottom left corner of the Dell W-Instant main window.
Icon    Name    Description
To view the noise floor graph of a W-IAP, click the noise icon next to the W-IAP in the Noise column.

5    Errors icon    Displays the errors for the W-IAPs. Depending on the errors, color of the lines on the Errors icon changes from Green > Yellow > Red.
• Green — Errors are less than 5000 frames per second.
• Orange — Errors are between 5000-10000 frames per second.
• Red — Errors are more than 10000 frames per second.
Figure 19 Speed Graph
Figure 20 Throughput Graph

Usage Trends
The Usage Trends displays the following graphs:
• Clients — In the default view, the Clients graph displays the number of clients that were associated with the Virtual Controller in the last 15 minutes. In Network or Instant Access Points view, this graph displays the number of clients that were associated with the selected network or W-IAP in the last 15 minutes.
Figure 21 Usage Trends Section in the Monitoring Pane

The following table describes the graphs displayed in the Network view:

Table 9: Network View — Graphs and Monitoring Procedures
Graph Name    Description    Monitoring Procedure
Clients: The Clients graph shows the number of clients associated with the network for the last 15 minutes. To see an enlarged view, click the graph.
Table 10: Access Point View — Usage Trends and Monitoring Procedures
Graph Name    Description    Monitoring Procedure
Neighboring APs: The Neighboring APs graph shows the number of APs heard by the selected W-IAP:
• Valid APs: An AP that is part of the enterprise providing WLAN service.
• Interfering APs: An AP that is seen in the RF environment but is not connected to the network.
• Rogue APs: An unauthorized AP that is plugged into the wired side of the network.
Clients: The Clients graph shows the number of clients associated with the selected W-IAP for the last 15 minutes. To see an enlarged view, click the graph. The enlarged view provides Last, Minimum, Maximum, and Average statistics for the number of clients associated with the W-IAP for the last 15 minutes.
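The three Neighboring APs categories defined in Table 10 (valid, interfering, rogue), written out as a classification check. This is an added example, not code from this guide or from W-IAP firmware; the managed-BSSID inventory, the list of MAC addresses learned on the wired side, the MAC-adjacency heuristic, and every sample address are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Locally administered bit of the first octet. Virtual BSSIDs are often the
# radio's base MAC with this bit set, so it is cleared before comparing.
UL_BIT = 0x02 << 40


def mac_to_int(mac: str) -> int:
    """Parse a MAC written with ':', '-', '.' or no separators."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def classify_ap(bssid, managed_bssids, wired_macs, adjacency=1):
    """Return 'valid', 'rogue' or 'interfering' for one BSSID heard over the air.

    valid       - the BSSID is in the inventory of managed APs
    rogue       - not in the inventory, but its MAC sits within `adjacency`
                  of an unknown MAC learned on the wired side (assumed
                  heuristic: an AP's BSSID is usually derived from its
                  Ethernet MAC)
    interfering - heard in the RF environment, no wired-side match
    """
    heard = mac_to_int(bssid)
    managed = {mac_to_int(m) for m in managed_bssids}
    if heard in managed:
        return "valid"

    # Wired MACs that belong to managed APs are expected and must not
    # cause a neighbour with a nearby address to be flagged.
    managed_bases = {m & ~UL_BIT for m in managed}
    unknown_wired = {mac_to_int(w) & ~UL_BIT for w in wired_macs} - managed_bases

    base = heard & ~UL_BIT
    if any(abs(base - w) <= adjacency for w in unknown_wired):
        return "rogue"
    return "interfering"


def summarize(scan, managed_bssids, wired_macs):
    """Per-category counts, the figure the Neighboring APs graph plots."""
    return Counter(classify_ap(b, managed_bssids, wired_macs) for b in scan)


# Constructed sample data (IANA documentation MAC range 00:00:5e:00:53:xx).
MANAGED = ["00:00:5e:00:53:10", "00:00:5e:00:53:20"]
WIRED = ["00:00:5e:00:53:10", "00-00-5E-00-53-A0"]  # e.g. from switch MAC tables
SCAN = [
    "00:00:5e:00:53:10",  # managed AP
    "00:00:5e:00:53:20",  # managed AP
    "00:00:5e:00:53:a1",  # one above an unknown wired MAC
    "02:00:5e:00:53:a0",  # unknown wired MAC with the local bit set
    "00:00:5e:00:53:f0",  # neighbour's AP, never seen on the wire
]

if __name__ == "__main__":
    for bssid in SCAN:
        print(bssid, classify_ap(bssid, MANAGED, WIRED))
    print(dict(summarize(SCAN, MANAGED, WIRED)))
```

The result is only as good as the two input lists: a managed BSSID missing from the inventory is reported as interfering or rogue, and a rogue AP whose radio MAC is unrelated to its Ethernet MAC is reported as interfering.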
Table 11: Client View — RF Trends Graphs and Monitoring Procedures
Graph Name    Description    Monitoring Procedure
Frames: The Frames Graph shows the In and Out frame rate per second of the client for the last 15 minutes. It also shows data for the Retry In and Retry Out frames.
• Outgoing frames — Outgoing frame traffic is displayed in green. It is shown above the median line.
• Incoming frames — Incoming frame traffic is displayed in blue. It is shown below the median line.
• Association Time — The time at which the selected client was associated with a particular W-IAP. The Dell W-Instant UI shows the client and W-IAP association over the last 15 minutes.
• Access Point — The W-IAP name with which the client was associated.

Mobility information about the client is reset each time it roams from one W-IAP to another.
The Alerts link displays the following types of alerts:
• Client Alerts
• Active Faults
• Fault History

Table 12: Types of Alerts
Type of Alert: Client Alerts
Description: The Client alerts occur when clients are connected to the Dell W-Instant network.
Information Displayed: A client alert displays the following fields:
• Timestamp — Displays the time at which the client alert was recorded.
• MAC address — Displays the MAC address of the client which caused the alert.
Figure 24 Fault History
Figure 25 Active Faults

The following table displays a list of alerts that are generated on the Dell W-Instant network:

Table 13: Alerts list

Type Code: 100101
Description: Internal error
Details: The W-IAP has encountered an internal error for this client.
Corrective Actions: Contact the Dell customer support team.

Type Code: 100102
Description: Unknown SSID in association request
Details: The W-IAP cannot allow this client to associate, because the association request received contains an unknown SSID.
Type Code: 100105
Description: Maximum capacity reached on W-IAP
Details: The W-IAP has reached maximum capacity and cannot accommodate any more clients.
Corrective Actions: Consider expanding capacity by installing additional W-IAPs or balance load by relocating W-IAPs.

Type Code: 100206
Description: Invalid MAC Address
Details: The W-IAP cannot authenticate this client because the client's MAC address is not valid.
Corrective Actions: This condition may be indicative of a misbehaving client.
  ▪ Channel — Displays the channel in which the foreign AP is operating.
  ▪ Type — Displays the Wi-Fi type of the foreign AP.
  ▪ Last seen — Displays the time when the foreign AP was last detected in the network.
  ▪ Where — Provides information about the W-IAP that detected the foreign AP. Click the pushpin icon to view the information.
• Foreign Clients Detected — Lists the clients that are not controlled by the Virtual Controller.
• IP — Displays the IP address of the AirGroup servers.
• Host Name — Displays the machine name or hostname of the AirGroup servers.
• Service — Displays the type of the services such as AirPlay or AirPrint.
• VLAN — Displays VLAN details of the AirGroup servers.
• Wired/Wireless — Displays if the AirGroup server is connected via wired or wireless interface.
• Role — Displays the user role if the server is connected through 802.1X authentication.
  ▪ Links — Monitoring, Client Alerts, and IDS. The Spectrum link is visible if you have configured the W-IAP as a spectrum monitor. These links allow you to monitor the Dell W-Instant network. For more information about these links, see Monitoring on page 51, IDS on page 63, Alerts on page 60, and Spectrum Monitor on page 202.
• Network view — The Network view provides information that is necessary to monitor a selected wireless network.
Chapter 5
Initial Configuration Tasks

This chapter describes the following basic W-IAP deployment methods and configuration tasks:
• Updating IP Address of a W-IAP
• Modifying the W-IAP Name
• Updating Location Details of a W-IAP
• Configuring External Antenna
• Upgrading a W-IAP
• Adding a W-IAP to the Network
• Removing a W-IAP from the Network
• Enabling Terminal Access
• Enabling Auto Join Mode
3. Select either the Get IP address from DHCP server or Specify statically option. If you have selected the Specify statically option, perform the following steps:
   a. Enter the new IP address for the W-IAP in the IP address text box.
   b. Enter the subnet mask of the network in the Netmask text box.
   c. Enter the IP address of the default gateway in the Default gateway text box.
   d. Enter the IP address of the DNS server in the DNS server text box.
   e. Enter the domain name in the Domain name text box.
4.
Configuring External Antenna
If your W-IAP has external antenna connectors, you need to configure the transmit power of the system. The configuration must ensure that the system’s Equivalent Isotropically Radiated Power (EIRP) is in compliance with the limit specified by the regulatory authority of the country in which the W-IAP is deployed. You can also measure or calculate additional attenuation between the device and antenna before configuring the antenna gain.
2. In the Edit Access Point window, select External Antenna to configure the antenna gain value. This option is available only for access points that support external antennas, for example, W-IAP134 or W-IAP92.
3. Enter the antenna gain values in dBm for the 2.4GHz and 5GHz bands.
4. Click OK.
2. Enter the HTTP proxy server's IP address and the port number.
3. If you do not want the HTTP proxy to be applied for a particular host, click New to enter that IP address or domain name of that host under exceptions list.

In the CLI
(Instant Access Point)(config)# proxy server 192.0.2.1 8080
(Instant Access Point)(config)# proxy exception 192.0.2.
  ▪ Image server timed out — Connection or session between the image server and the W-IAP is timed out.
  ▪ Image server failure — If the image server does not respond.
  ▪ A new image version found — If a new image version is found.
2. If a new version is found, the Upgrade Now button becomes available and the version number is displayed.
3. Click Upgrade Now. The W-IAP downloads the image from the server, saves it to flash and reboots.
Image Upgrade Progress
----------------------
Mac                IP Address   AP Class  Status    Image Info  Error Detail
---                ----------   --------  ------    ----------  ------------
d8:c7:c8:c4:42:98  10.17.101.1  Orion     image-ok  image file  none
Auto reboot       :enable
Use external URL  :disable

Enabling Terminal Access
When terminal access is enabled, you can access the Dell W-Instant CLI through SSH or Telnet server. You can enable terminal access to a W-IAP by using the Dell W-Instant UI or CLI.

In the Dell W-Instant UI
1.
After a W-IAP is connected to the network, if the Auto Join Mode feature is enabled, the W-IAP inherits the configuration from the Virtual Controller and is listed in the Access Points tab. If the Auto Join Mode is disabled, perform the following steps to add a W-IAP to the network:
1. In the Access Points tab, click the New link. The New Access Point window is displayed.
2. In the New Access Point window, enter the MAC address for the new W-IAP.
3. Click OK.
2. Click the edit link. The edit window for modifying W-IAP details is displayed.
3. Click the Radio tab. The Radio tab details are displayed.
4. Ensure that an appropriate mode is selected.
5. Select the Adaptive radio management assigned option under the bands that are applicable to the W-IAP configuration.
6. Click OK.

Configuring Radio Profiles Manually for W-IAP
To manually configure radio settings:
1. In the Access Points tab, click the AP for which you want to enable ARM. The edit link is displayed.
Configuring Inter-user Bridging and Local Routing
You can configure inter-user bridging and local routing by using the Dell W-Instant UI or CLI.

In the Dell W-Instant UI
To prevent inter-user bridging and local routing:
1. In the Dell W-Instant main window, click the System link. The System window is displayed.
2. In the General tab of System window, click Show advanced options to display the advanced options.
• Trace and track security gaps, network usage, and troubleshoot network issues.
• Map event on one network element to a corresponding event on another.
• Maintain accurate time for billing services and similar.

The Network Time Protocol (NTP) helps obtain the precise time from a server and regulate the local time in each network element. If NTP server is not configured in the Dell W-Instant network, a W-IAP reboot may lead to variation in time data. The NTP server is set to pool.ntp.org by default.
Chapter 6 Mesh W-IAP Configuration
This chapter provides the following information:
• Mesh Network Overview
• Setting up Dell W-Instant Mesh Network
Mesh Network Overview
The Dell Networking W-Series Instant Access Point secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires. As traffic traverses across mesh W-IAPs, the mesh network automatically reconfigures around broken or blocked paths.
The mesh portal reboots after 5 minutes when it loses its uplink connectivity to a wired network. Mesh Points The mesh point establishes an all-wireless path to the mesh portal. The mesh point provides traditional WLAN services such as client connectivity, intrusion detection system (IDS) capabilities, user role association, and Quality of Service (QoS) for LAN-to-mesh communication to clients and performs mesh backhaul/network connectivity. Mesh point also supports LAN bridging.
Chapter 7 VLAN Configuration VLAN configuration is required for networks with more devices and broadcast traffic on a WLAN SSID or wired profile. Based on the network type and its requirements, you can configure the VLANs for a WLAN SSID or wired port profile. For more information on VLAN configuration for a WLAN SSID and wired port profile, see Configuring VLAN Settings for a WLAN SSID Profile on page 88 and Configuring VLAN for a Wired Profile on page 102.
Chapter 8 Virtual Controller Configuration
This chapter provides the following information:
• Virtual Controller Overview
• Virtual Controller IP Address Configuration
Virtual Controller Overview
Dell W-Instant does not require an external Mobility Controller to regulate and manage the Wi-Fi network. Instead, one W-IAP in every network assumes the role of Virtual Controller.
Provisioning a W-IAP as a Master W-IAP You can provision a W-IAP as a master W-IAP by using the Dell W-Instant UI or CLI. In the Dell W-Instant UI 1. In the Access Points tab, click the W-IAP to modify. The edit link is displayed. 2. Click the edit link. The edit window for modifying W-IAP details is displayed. 3. Select Enabled from Preferred master drop-down. This option is disabled by default. Figure 31 W-IAP Settings—Provisioning Master W-IAP 4. Click OK.
3. In the General tab, enter the appropriate IP address in the Virtual Controller IP text box. The IP configured for the Virtual Controller can be in the same subnet as W-IAP or can be in a different subnet. If the Virtual Controller IP is in a different subnet, configure the Virtual Controller mask, gateway, and VLAN as described in the following steps: a. Enter subnet mask details in the Virtual Controller Netmask text box. b. Enter a gateway address in the Virtual Controller Gateway text box. c.
Chapter 9 Wireless Network Profiles
This chapter provides the following information:
• Understanding Wireless Network Profiles
• Configuring WLAN Settings for an SSID Profile
• Configuring VLAN Settings for a WLAN SSID Profile
• Configuring Security Settings for a WLAN SSID Profile
• Configuring Access Rules for a WLAN SSID Profile
• Configuring Support for Fast Roaming of Clients
• Editing Status of a WLAN SSID Profile
Configuring WLAN Settings for an SSID Profile You can configure WLAN settings using Dell W-Instant UI or CLI. In the Dell W-Instant UI To configure WLAN settings: 1. In the Networks tab of the Dell W-Instant main window, click the New link. The New WLAN window is displayed. The following figure shows the contents of WLAN Settings tab: Figure 32 WLAN Settings Tab 2. Enter a name that uniquely identifies a wireless network in the Name (SSID) text box. 3.
Table 17: WLAN Configuration Parameters Parameter Description l directly to the associated client. Disabled— When set to Disabled, all broadcast and multicast traffic is forwarded. DTIM interval The DTIM interval indicates the delivery traffic indication message (DTIM) period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the W-IAP should deliver the buffered broadcast and multicast frames to associated clients in the powersave mode.
Table 17: WLAN Configuration Parameters Parameter Description In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for Best effort WMM share and Voice WMM share to allocate a higher bandwidth to clients transmitting best effort and voice traffic. Content filtering Select Enabled to route all DNS requests for the non-corporate domains to OpenDNS on this network. Band Select a value to specify the band at which the network transmits radio signals.
(Instant Access Point)(SSID Profile )# content-filtering
(Instant Access Point)(SSID Profile )# hide-ssid
(Instant Access Point)(SSID Profile )# inactivity-timeout
(Instant Access Point)(SSID Profile )# work-without-uplink
(Instant Access Point)(SSID Profile )# local-probe-req-thresh
(Instant Access Point)(SSID Profile )# max-clients-threshold
(Instant Access Point)(SSID Profile )# end
(Instant Access Point)# commit apply
• Default— On selecting this option, the client obtains the IP address in the same subnet as the W-IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
• Static— On selecting this option, you need to specify a single VLAN, a comma-separated list of VLANs, or a range of VLANs for all clients on this network. Select this option for configuring VLAN pooling.
In the Dell W-Instant UI
To configure security settings for an employee or voice network:
1. In the Security tab, specify any of the following types of security levels by moving the slider to a desired level:
• Enterprise—On selecting enterprise security level, the authentication options applicable to the enterprise network are displayed.
• Personal — On selecting personal security level, the authentication options applicable to the personalized network are displayed.
Figure 36 Security Tab: Open 2. Based on the security level specified, specify the following parameters: Table 18: Configuration Parameters for WLAN Security Settings Security Level Type Parameter Description Key Management For Enterprise security level, select any of the following options from the Key management drop-down list: l WPA-2 Enterprise l Both (WPA-2 & WPA) l WPA Enterprise l Dynamic WEP with 802.
Table 18: Configuration Parameters for WLAN Security Settings
Parameter Security Level Type Description
1. Select an appropriate value for WEP key size from the WEP key size drop-down list. You can specify 64-bit or 128-bit.
2. Select an appropriate value for Tx key from the Tx Key drop-down list. You can specify 1, 2, 3, or 4.
3. Enter an appropriate WEP key and reconfirm.
802.11r roaming To enable 802.11r roaming, select Enabled from the 802.11r roaming drop-down list.
Table 18: Configuration Parameters for WLAN Security Settings Parameter Description Security Level Type Accounting To enable accounting, select Enabled from the Accounting drop-down list. On setting this option to Enabled, APs post accounting information to the RADIUS server at the specified Accounting interval. Enterprise, Personal, and Open security levels. Authentication survivability To enable authentication survivability, set Authentication survivability to Enabled.
(Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access association} (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access Point)(SSID Point)(SSID Point)(SSID Point)(SSID Point)(SSID Point)(SSID Point)(SSID Point)(SSID Profile Profile Profile Profile Profile Profile Profile Profile )# )# )# )# )# )# )# )# external-server server-
You can configure up to 64 access rules for an employee, voice, or guest network using the Dell W-Instant UI or CLI.
In the Dell W-Instant UI
To configure access rules for an employee or voice network:
1. In the Access Rules tab, set the slider to any of the following types of access control:
• Unrestricted— Select this to set unrestricted access to the network.
• Network-based— Set the slider to Network-based to set common rules for all users in a network.
(Instant Access Point)(SSID Profile )# set-role-machine-auth
(Instant Access Point)(SSID Profile )# end
(Instant Access Point)# commit apply
To configure unrestricted access:
(Instant Access Point)(config)# wlan ssid-profile
(Instant Access Point)(SSID Profile )# set-role-unrestricted
(Instant Access Point)(SSID Profile )# end
(Instant Access Point)# commit apply
Configuring Support for Fast Roaming of Clients
Dell
Figure 37 WLAN Security Settings—Enterprise Tab 4. Set 802.11r roaming to Enabled. 802.11r roaming can also be enabled for Personal and Open security levels. 5. Click Next and then click Finish. In the CLI To enable 802.
Configuring a W-IAP for OKC Roaming You can enable OKC roaming for WLAN SSID by using Dell W-Instant UI or CLI. In the Dell W-Instant UI 1. Navigate to the WLAN wizard (click Network>New or Network> Select the WLAN SSID>edit). 2. Click the Security tab. 3. Slide to Enterprise security level. On selecting a security level, the authentication options applicable to Enterprise network are displayed. 4. Select the WPA-2 Enterprise or Both (WPA-2 & WPA) option from the Key management drop-down list.
In the Dell W-Instant UI To modify the status of a WLAN SSID profile: 1. In the Networks tab, select the network that you want to edit. The edit link is displayed. 2. Click the edit link. The Edit network window is displayed. 3. Select or clear the Disable SSID check box to disable or enable the SSID. The SSID is enabled by default. 4. Click Next or the tab name to move to the next tab. 5. Click Finish to save the modifications.
In the CLI
To enable the extended SSIDs:
(Instant Access Point)(config)# extended-ssid
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
Editing a WLAN SSID Profile
To edit a WLAN SSID profile:
1. In the Networks tab, select the network that you want to edit. The edit link is displayed.
2. Click the edit link. The Edit network window is displayed.
3. Modify the required settings. Click Next to move to the next tab.
4. Click Finish to save the modifications.
Chapter 10 Wired Profiles
This chapter describes the following procedures:
• Configuring a Wired Profile
• Assigning a Profile to Ethernet Ports
• Understanding Hierarchical Deployment
• Configuring Wired Bridging on Ethernet 0
• Editing a Wired Profile
• Deleting a Wired Profile
Configuring a Wired Profile
The wired profile configuration for employee network involves the following procedures:
1.
a. Name— Specify a name for the profile. b. Primary Usage — Select Employee or Guest. c. Speed/Duplex — Ensure that appropriate values are selected for Speed/Duplex. Contact your network administrator if you need to assign speed and duplex parameters. d. POE — Set POE to Enabled to enable Power over Ethernet. The E2 port on W-IAP3WNP supports Power Sourcing Equipment (PSE) to supply power to any compliant 802.3af powered (class 0-4) device. W-IAP155P supports PSE for 802.
• Access — Select this mode to allow the port to carry a single VLAN specified as the native VLAN.
• Trunk — Select this mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs.
b. Specify any of the following values for Client IP Assignment:
• Virtual Controller Assigned: Select this option to allow the Virtual Controller to assign IP addresses to the wired clients.
In the Dell W-Instant UI
To configure security parameters for an employee network:
1. Configure the following parameters in the Security tab.
• MAC authentication — To enable MAC authentication, select Enabled. The MAC authentication is disabled by default.
• 802.1X authentication — To enable 802.1X authentication, select Enabled.
• MAC authentication fail-thru — To enable authentication fail-thru, select Enabled. When this feature is enabled, 802.
• Role-based— Allows the users to obtain access based on the roles assigned to them.
• Unrestricted— Allows the users to obtain unrestricted access on the port.
• Network-based— Allows the users to be authenticated based on access rules specified for a network.
b. If the Role-based access control is selected, perform the following steps: Under Roles, select an existing role for which you want to apply the access rules, or click New and add the required role.
To configure unrestricted access:
(Instant Access Point)(config)# wired-port-profile
(Instant Access Point)(wired ap profile )# set-role-unrestricted
(Instant Access Point)(wired ap profile )# end
(Instant Access Point)# commit apply
Understanding Hierarchical Deployment
A W-IAP130 Series or W-IAP3WN (with more than one wired port) can be connected to the downlink wired port of another W-IAP (ethX).
Enabling wired bridging on this port of a W-IAP makes the port available as a downlink wired bridge and allows client access through the port. You can also use the port to connect a wired device when a 3G uplink is used. You can configure support for wired bridging on the Ethernet 0 port of a W-IAP using Dell W-Instant UI or CLI. In the Dell W-Instant UI To configure Ethernet bridging: 1. In the Access Points tab, click the W-IAP to modify. The edit link is displayed. 2. Click the edit link.
1. Click the Wired link under More at the top right corner of the Dell W-Instant main window. The Wired window is displayed. 2. In the Wired window, select the wired profile to modify. 3. Click Edit. The Edit Wired Network window is displayed. 4. Modify the required settings. 5. Click Finish to save the modifications. Deleting a Wired Profile To delete a wired profile: 1. Click the Wired link under More at the top right corner of the Dell W-Instant main window. The Wired window is displayed. 2.
Chapter 11 Captive Portal for Guest Access
This chapter provides the following information:
• Understanding Captive Portal
• Configuring a WLAN SSID for Guest Access
• Configuring Wired Profile for Guest Access
• Configuring Internal Captive Portal for Guest Network
• Configuring External Captive Portal for a Guest Network
• Configuring External Captive Portal Authentication Using ClearPass Guest
• Configuring Guest Logon
Walled Garden The administrators can also control the resources that the guest users can access and the amount of bandwidth or air time they can use at any given time. When an external Captive portal is used, the administrators can configure a walled garden, which determines access to the URLs requested by the guest users. For example, a hotel environment where the unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all its contents.
Parameters Description
DMO channel utilization threshold Specify a value to set a threshold for DMO channel utilization. With DMO, the W-IAP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90% and the maximum threshold value is 100%. When the threshold is reached or exceeds the maximum value, the W-IAP sends multicast traffic over the wireless link.
Parameters Description
Disable SSID Select the checkbox to disable the SSID. On selecting this check box, the SSID is disabled, but not removed from the network. By default, all SSIDs are enabled.
Can be used without Uplink Select the checkbox if you do not want the SSID users to use uplink.
Max clients threshold Specify the maximum number of clients that can be configured for each BSSID on a WLAN in the text box. You can specify a value within the range of 0 to 255. The default value is 64.
f. Content Filtering— To ensure that all DNS requests to non-corporate domains on this wired network are sent to OpenDNS, select Enabled for Content Filtering. g. Uplink — Select Enabled to configure uplink on this wired profile. If Uplink is set to Enabled and this network profile is assigned to a specific port, the port will be enabled as Uplink port. For more information on assigning a wired network profile to a port, see Assigning a Profile to Ethernet Ports on page 107. 4. Click Next.
(Instant Access Point)(config)# wired-port-profile
(Instant Access Point)(wired ap profile )# set-vlan {equals| not-equals| starts-with| ends-with| contains| matches-regular-expression} | value-of}
Configuring Internal Captive Portal for Guest Network
In the Internal Captive Portal type, an internal server is used for hosting the Captive portal service.
Parameter Description Accounting mode (Applicable for WLAN SSIDs only.) Select an accounting mode from Accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network.
(Instant Access Point) (wired ap profile "")# auth-server
(Instant Access Point) (wired ap profile "")# radius-reauth-interval
(Instant Access Point) (wired ap profile "")# end
(Instant Access Point)# commit apply
To customize internal captive portal splash page:
(Instant Access Point)(config)# wlan captive-
Table 21: Captive Portal Profile Configuration Parameters
Parameter | Description
Name | Enter a name for the profile.
Type | Select any one of the following types of authentication:
• Radius Authentication - Select this option to enable user authentication against a RADIUS server.
• Authentication Text - Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.
Configuring an SSID or Wired Profile to Use External Captive Portal Authentication You can configure external captive portal authentication for a network profile when adding or editing a guest network using Dell W-Instant UI or CLI. In the Dell W-Instant UI 1. Navigate to the WLAN wizard or Wired window. l To configure external Captive portal authentication for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
Table 22: External Captive Portal Configuration Parameters Parameter Description is Encryption Select Enabled to configure encryption settings and specify the encryption parameters. 5. Click Next to continue and then click Finish to apply the changes.
a. Enter the IP address of the ClearPass Guest server in the IP or hostname field. Obtain the ClearPass Guest IP address from your system administrator. b. Enter /page_name.php in the URL field. This URL must correspond to the Page Name configured in the ClearPass Guest RADIUS Web Login page. For example, if the Page Name is Dell, the URL should be /Dell.php in the Dell W-Instant UI. c. Enter the Port number (generally should be 80). The ClearPass Guest server uses this port for HTTP services. d. Click OK.
(Instant Access Point)(Access Rule )# rule {permit |deny | src-nat | dst-nat { | }}[]
(Instant Access Point)(Access Rule )# end
(Instant Access Point)# commit apply
To configure access control based on the SSID:
(Instant Access Point)(config)# wlan ssid-profile
(Instant Access Point)(SSID Profile # set-role-by-ssid
(Instant Access Point)(SSID Profile # end
(Instant Access Poi
In the Dell W-Instant UI To create a Captive portal role: 1. Select an SSID profile from the Networks tab. The Edit window is displayed. 2. In the Access tab, slide to Role-based access control by using the scroll bar. 3. Select a role or create a new if required. 4. Click New to add a new rule. The New Rule window is displayed. 5. In the New Rule window, specify the following parameters.
Field Description
External page that would be displayed to users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type configured.
• To change the color of the splash page, click the Splash page rectangle and select the required color from the Background Color palette.
• To change the welcome text, click the first square box in the splash page, type the required text in the Welcome text box, and click OK.
(Instant Access Point)(Access Rule )# end
(Instant Access Point)# commit apply
Configuring Walled Garden Access
On the Internet, a walled garden typically controls access to web content and services. The Walled garden access is required when an external Captive portal is used. For example, a hotel environment where the unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all its contents.
You can also customize splash page design in the Security tab of New WLAN and New Wired Network windows when configuring a new profile. 2. Navigate to the Security tab. 3. Select None from the Splash page type drop-down list. 4. Click Next and then click Finish to apply the changes.
Chapter 12 User Management
This chapter provides the following information:
• W-IAP Users
• Configuring Administrator Credentials for the Virtual Controller Interface
• Configuring Guest Management Interface Administrator Credentials
• Configuring Users for Internal Database of a W-IAP
• Configuring the Read-Only Administrator Credentials
• Adding Guest Users through the Guest Management Interface
W-IAP Users
The W-IAP user
2. Click the Admin tab. The Admin tab details are displayed. The following figure shows the contents of the Admin tab: Figure 42 Admin Tab: Management Authentication Parameters 3. Under Local, select any of the following options from the Authentication drop-down list: l Internal— Select this option to specify a single set of user credentials. Enter the Username and Password for accessing the Virtual Controller Management User Interface. a. Specify a Username and Password. b.
(Instant Access Point)# commit apply
Configuring Guest Management Interface Administrator Credentials
You can configure guest administrator credentials in the Dell W-Instant UI or CLI.
In the Dell W-Instant UI
1. Click the System link at top right corner of the Dell W-Instant main window. The System window is displayed.
2. Click the Admin tab. The Admin tab details are displayed.
3. Under Guest Registration Only:
a. Specify a Username and Password.
b. Retype the password to confirm.
4. Click OK.
Figure 43 Adding a User
3. Enter the username in the Username text box.
4. Enter the password in the Password text box and reconfirm.
5. Select a type of network from the Type drop-down list.
6. Click Add and click OK. The users are listed in the Users list.
7. To edit user settings:
a. Select the user to modify under Users.
b. Click Edit to modify user settings.
c. Click OK.
8. To delete a user:
a. In the Users section, select the username to delete.
b. Click Delete.
c. Click OK.
9.
To configure a guest user:
(Instant Access Point)(config)# user portal
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
Configuring the Read-Only Administrator Credentials
You can assign the read-only privilege to an admin user by using the Dell W-Instant UI or CLI.
In the Dell W-Instant UI
1. Click the System link at top right corner of the Dell W-Instant main window. The System window is displayed.
2. Click the Admin tab.
5. Click OK.
Chapter 13 Authentication
This chapter provides the following information:
• Understanding Authentication Methods
• Supported Authentication Servers
• Understanding Encryption Types
• Understanding Authentication Survivability
• Configuring Authentication Servers
• Configuring Authentication Parameters for Virtual Controller Management Interface
• Configuring 802.
successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients.
▪ L2 authentication fall-through - Allows you to enable the l2-authentication-fallthrough mode. When this option is enabled, the 802.1X authentication is allowed even if the MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed. The l2-authentication-fallthrough mode is disabled by default.
External RADIUS Server
In the external RADIUS server, the IP address of the Virtual Controller is configured as the NAS IP address. Dell W-Instant RADIUS is implemented on the Virtual Controller, and this eliminates the need to configure multiple NAS clients for every W-IAP on the RADIUS server for client authentication. Dell W-Instant RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server.
Dell does not recommend the use of the LEAP authentication method, because it does not provide any resistance to network attacks.
Authentication Termination on W-IAP
Dell W-Instant allows Extensible Authentication Protocol (EAP) termination for Protected Extensible Authentication Protocol (PEAP)-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Authentication Protocol version 2 (PEAP-MSCHAPv2).
l Aruba-AP-Name l Aruba-AS-Credential-Hash l Aruba-AS-User-Name l Aruba-Admin-Role l Aruba-AirGroup-Device-Type l Aruba-AirGroup-Shared-Role l Aruba-AirGroup-Shared-User l Aruba-AirGroup-User-Name l Aruba-Auth-Survivability l Aruba-CPPM-Role l Aruba-Device-Type l Aruba-Essid-Name l Aruba-Framed-IPv6-Address l Aruba-Location-Id l Aruba-Mdps-Device-Iccid l Aruba-Mdps-Device-Imei l Aruba-Mdps-Device-Name l Aruba-Mdps-Device-Product l Aruba-Mdps-Device-Serial l Aruba-Mdps-
l Digest-Response l Domain-Name l EAP-Message l Error-Cause l Event-Timestamp l Exec-Program l Exec-Program-Wait l Expiration l Fall-Through l Filter-Id l Framed-AppleTalk-Link l Framed-AppleTalk-Network l Framed-AppleTalk-Zone l Framed-Compression l Framed-IP-Address l Framed-IP-Netmask l Framed-IPX-Network l Framed-IPv6-Pool l Framed-IPv6-Prefix l Framed-IPv6-Route l Framed-Interface-Id l Framed-MTU l Framed-Protocol l Framed-Route l Framed-Routing l Full
l Message-Auth l NAS-IPv6-Address l NAS-Port-Type l Operator-Name l Password l Password-Retry l Port-Limit l Prefix l Prompt l Rad-Authenticator l Rad-Code l Rad-Id l Rad-Length l Reply-Message l Requested-Location-Info l Revoke-Text l Server-Group l Server-Name l Service-Type l Session-Timeout l Simultaneous-Use l State l Strip-User-Name l Suffix l Termination-Action l Termination-Menu l Tunnel-Assignment-Id l Tunnel-Client-Auth-Id l Tunnel-Client-En
Understanding Encryption Types
Encryption is the process of converting data into a cryptic format or code when it is transmitted on a network. Encryption prevents unauthorized use of the data. Dell W-Instant supports the following types of encryption:
• WEP —Wired Equivalent Privacy (WEP) is an authentication method where all users share the same key. WEP is not as secure as other encryption types such as TKIP.
• TKIP —Temporal Key Integrity Protocol (TKIP) uses the same encryption algorithm as WEP.
Table 26: Recommended Authentication and Encryption Combinations
Network Type | Authentication | Encryption
Employee | 802.1X | AES
Guest Network | Captive Portal | None
Voice Network or Handheld devices | 802.1X or PSK as supported by the device | AES if possible, TKIP or WEP if necessary (combine with security settings assigned for a user role).
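The following added example (not part of the original guide and not Dell or Aruba code) checks the `opmode` of each WLAN SSID profile in a saved configuration against the recommendations in Table 26 and the guide's note on LEAP. The `opmode` values are those listed in this guide's CLI syntax; the indented block layout, the `type` keyword, and the profile names in the sample are assumptions.

```python
import re

# Mode names that make up the guide's CLI syntax:
#   opmode {wpa2-aes|wpa-tkip|wpa-tkip,wpa2-aes|dynamic-wep}
KNOWN_MODES = {"wpa2-aes", "wpa-tkip", "dynamic-wep"}
LEGACY_MODES = {"wpa-tkip", "dynamic-wep"}  # TKIP and WEP based modes

# Constructed sample. The indented-block layout, the `type` keyword and all
# profile names are assumptions made for this example.
SAMPLE_CONFIG = """\
wlan ssid-profile corp-employee
 type employee
 opmode wpa2-aes
wlan ssid-profile corp-legacy
 type employee
 opmode wpa-tkip,wpa2-aes
 leap-use-session-key
wlan ssid-profile handhelds
 type voice
 opmode dynamic-wep
wlan ssid-profile lobby
 type guest
wired-port-profile uplink
 type employee
"""

PROFILE_RE = re.compile(r'^wlan ssid-profile\s+"?([^"]+?)"?\s*$')


def parse_ssid_profiles(text):
    """Return {profile name: {keyword: argument}} for every wlan ssid-profile block."""
    profiles, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # A non-indented line opens a new top-level block; only
            # wlan ssid-profile blocks are collected, others are skipped.
            match = PROFILE_RE.match(raw)
            current = profiles.setdefault(match.group(1), {}) if match else None
            continue
        if current is not None:
            keyword, _, argument = raw.strip().partition(" ")
            current[keyword] = argument.strip()
    return profiles


def audit_profile(settings):
    """Return a list of (severity, message) findings for one SSID profile."""
    findings = []
    net_type = settings.get("type", "unknown").lower()
    opmode = settings.get("opmode")
    if opmode is None:
        # Table 26 pairs guest networks with captive portal and no encryption,
        # so a missing opmode is only questioned on other network types.
        if net_type != "guest":
            findings.append(("review", "no opmode configured"))
    else:
        modes = {m.strip() for m in opmode.lower().split(",") if m.strip()}
        unknown = sorted(modes - KNOWN_MODES)
        legacy = sorted(modes & LEGACY_MODES)
        if unknown:
            findings.append(("review", "unrecognised opmode: " + ",".join(unknown)))
        if legacy:
            # Table 26 tolerates TKIP or WEP on voice/handheld networks only
            # "if necessary"; everywhere else AES is the recommendation.
            severity = "warn" if net_type == "voice" else "fail"
            findings.append((severity, "legacy encryption enabled: " + ",".join(legacy)))
    if "leap-use-session-key" in settings:
        findings.append(("review", "LEAP setting present; the guide does not recommend LEAP"))
    return findings


def audit_config(text):
    """Audit every SSID profile found in a configuration dump."""
    return {name: audit_profile(s) for name, s in parse_ssid_profiles(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        if not findings:
            print(f"{name}: ok")
        for severity, message in findings:
            print(f"{name}: [{severity}] {message}")
```

Mixed mode (`wpa-tkip,wpa2-aes`) is reported as legacy because the profile still accepts TKIP clients.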
If both the W-IAP to which the client was associated and the CPPM are not available, the client will not be able to reauthenticate until the CPPM server is available again.
Figure 46 802.1X Authentication using cached credentials
The following figure illustrates a scenario where the CPPM link is available again. The W-IAP sends the RADIUSRequest message to the CPPM server directly for client authentication.
Figure 47 802.1X Authentication when CPPM is reachable again You can enable authentication survivability for a wireless network profile when configuring enterprise security parameters. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 89.
Figure 48 New Authentication Server Window 3. Configure any of the following types of server: l RADIUS Server — To configure a RADIUS server, specify the attributes described in the following table: Table 27: RADIUS Server Configuration Parameters Parameter Description Name Enter the name of the new external RADIUS server. IP address Enter the IP address of the external RADIUS server. Auth port Enter the authorization port number of the external RADIUS server. The default port number is 1812.
Parameter Description RFC 3576 Select Enabled to allow the APs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server. Disconnect messages cause a user session to be terminated immediately, whereas the CoA messages modify session authorization attributes such as data filters. NAS IP address Enter the Virtual Controller IP address. The NAS IP address is the Virtual Controller IP address that is sent in data packets.
Parameter | Description
Timeout | Enter a value between 1 and 30 seconds. The default value is 5.
Retry count | Enter a value between 1 and 5. The default value is 3.
• CPPM Server for AirGroup CoA — To configure a CPPM server used for AirGroup CoA (Change of Authorization), select the CoA only check box. The RADIUS server is automatically selected.
Table 29: CPPM Server Configuration Parameters for AirGroup CoA
Parameter | Description
Name | Enter the name of the server.
In the CLI
To enable the dynamic RADIUS proxy feature:
(Instant Access Point)(config)# dynamic-radius-proxy
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
Configuring Dynamic RADIUS Proxy Parameters for Authentication Servers
You can configure DRP parameters for the authentication server by using the Dell W-Instant UI or CLI.
In the Dell W-Instant UI
1. Click the Security>Authentication Servers.
2.
7. To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile. You can also add an external RADIUS server by selecting New for Authentication Server when configuring a WLAN or wired profile. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 89 and Configuring Security Settings for a Wired Profile on page 103.
Figure 49 Admin Tab: Management Authentication Parameters
3. Under Local, select any of the following options from the Authentication drop-down list:
• Internal— Select this option to specify a single set of user credentials. Enter the Username and Password for accessing the Virtual Controller Management User Interface.
• RADIUS Server— Specify one or two RADIUS servers to authenticate clients. If two servers are configured, users can use them in primary or backup mode or load balancing mode.
The steps involved in 802.1X authentication are as follows:
1. The NAS requests authentication credentials from a wireless client.
2. The wireless client sends authentication credentials to the NAS.
3. The NAS sends these credentials to a RADIUS server.
4. The RADIUS server checks the user identity and authenticates the client if the user details are available in its database. The RADIUS server sends an Access-Accept message to the NAS.
(Instant Access Point)(SSID Profile )# opmode {wpa2-aes|wpa-tkip|wpa-tkip,wpa2-aes|dynamic-wep}
(Instant Access Point)(SSID Profile )# leap-use-session-key
(Instant Access Point)(SSID Profile )# termination
(Instant Access Point)(SSID Profile )# external-server
(Instant Access Point)(SSID Profile )# auth-server
(Instant Access Point)(SSID Profile )# radius-reauth-interval
Configuring MAC Authentication for Wireless Network Profiles
You can configure MAC authentication for a wired profile in the Dell W-Instant UI or CLI.

In the Dell W-Instant UI
To enable MAC Authentication for a wireless network:
1. In the Network tab, click New to create a new network profile or select an existing profile for which you want to enable MAC authentication and click edit.
2.
(Instant Access Point)(wired ap profile )# auth-server
(Instant Access Point)(wired ap profile )# auth-server
(Instant Access Point)(wired ap profile )# server-load-balancing
(Instant Access Point)(wired ap profile )# radius-reauth-interval
(Instant Access Point)(wired ap profile )# end
(Instant Access Point)# commit apply

Configuring MAC Authentication with 802.
1. Click the Wired link under More at the top right corner of the Dell W-Instant main window. The Wired window is displayed.
2. Click New under Wired Networks to create a new network or select an existing profile for which you want to enable MAC authentication and then click Edit.
3. In the New Wired Network or the Edit Wired Network window, ensure that all the required Wired and VLAN attributes are defined, and then click Next.
4.
2. In the Access tab, specify the following parameters for a network with Role-Based rules:
   a. Select the Enforce Machine Authentication check box when MAC authentication is enabled for Captive Portal. If the MAC authentication fails, the Captive Portal authentication role is assigned to the client.
   b. For wireless network profile, select Enforce MAC Auth Only Role check box when MAC authentication is enabled for Captive Portal.
3. Click the WISPr tab. The WISPr tab contents are displayed. The following figure shows the WISPr tab contents:
Figure 50 Configuring WISPr Authentication
4. Enter the ISO Country Code for the WISPr Location ID in the ISO Country Code text box.
5. Enter the E.164 Area Code for the WISPr Location ID in the E.164 Area Code text box.
6. Enter the operator name of the Hotspot in the Operator Name text box.
7. Enter the E.164 Country Code for the WISPr Location ID in the E.164 Country Code text box.
8.
Blacklisting Clients Manually
Manual blacklisting adds the MAC address of a client to the blacklist. These clients are added into a permanent blacklist. These clients are not allowed to connect to the network unless they are removed from the blacklist.

Adding a Client to the Blacklist
You can add a client to the blacklist manually using Dell W-Instant UI or CLI.

In the Dell W-Instant UI
1. Click the Security link from the top right corner of the Dell W-Instant main window.
2. Click the Blacklisting tab.
3. Under Dynamic Blacklisting:
4. For Auth failure blacklist time, enter the duration in seconds after which the clients that exceed the authentication failure threshold must be blacklisted.
5. For PEF rule blacklisted time, enter the duration in seconds after which the clients can be blacklisted due to an ACL rule trigger.

You can configure a maximum number of authentication failures by the clients, after which a client must be blacklisted.
Loading Certificates using Dell W-Instant UI
To load a certificate in the Dell W-Instant UI:
1. Click the Maintenance link at the top right corner of the Dell W-Instant main window.
2. Click the Certificates tab. The Certificates tab contents are displayed. The following figure shows the Certificates window:
Figure 51 Maintenance Window: Certificates Tab
3. To upload a certificate, click Upload New Certificate. The New Certificate window is displayed.
4. Browse and select the file to upload.
5.
1. Navigate to Device Setup > Certificate and then click Add to add a new certificate. The Certificate window is displayed.
2. Enter the certificate Name, and click Choose File to browse and upload the certificate.
Figure 52 Loading Certificate via W-AirWave
3. Select the appropriate Format that matches the certificate file name. Select Server Cert for certificate Type, and provide the passphrase if you want to upload a Server certificate.
Figure 54 Selecting the Group
The Virtual Controller Certificate section displays the certificates (CA cert and Server).
5. Click Save to apply the changes only to W-AirWave. Click Save and Apply to apply the changes to the W-IAP.
6. To clear the certificate options, click Revert.

162 | Authentication Dell Networking W-Series Instant 6.3.1.1-4.
Chapter 14 Roles and Policies
This chapter describes the procedures for configuring user roles, role assignment, and firewall policies.
Figure 55 Firewall Settings—ALG Protocols
3. Select Enabled from the corresponding drop-down lists to enable SIP, VOCERA, Alcatel NOE, and Cisco skinny protocols.
4. Click OK.

When the protocols for ALG are Disabled, the changes do not take effect until the existing user sessions are expired. Reboot the W-IAP and the client, or wait a few minutes for the changes to take effect.
Configuring Firewall Settings for Protection from ARP Attacks
You can configure firewall settings to protect the network against attacks using the Dell W-Instant UI or CLI.

In the Dell W-Instant UI
To configure firewall settings:
1. Click the Security link at the top right corner of Dell W-Instant main window.
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed.
3.
fix-dhcp       Enabled
poison-check   Enabled

To view the attack statistics:
(Instant Access Point)# show attack stats

attack counters
-------------------------------------
Counter                           Value
-------                           -------
arp packet counter                0
drop bad arp packet counter       0
dhcp response packet counter      0
fixed bad dhcp packet counter     0
send arp attack alert counter     0
send dhcp attack alert counter    0
arp poison check counter          0
garp send check counter           0

Managing Inbound Traffic
Instant now supports enhanced inbound firewall by allowing the
Figure 57 Firewall Settings—Management Subnets
2. To add a new management subnet:
   - Enter the subnet address in Subnet.
   - Enter the subnet mask in Mask.
   - Click Add.
3. To add multiple subnets, repeat step 2.
4. Click OK.
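The `show attack stats` listing shown earlier for ARP attack protection is a cumulative counter table, so what matters operationally is the change between two polls. The following added example (not part of the guide) parses that output and reports which counters grew; the column layout of the sample output and the choice of counters to alert on are assumptions, and the sample values are constructed.

```python
import re

# Counter names exactly as they appear in the page's `show attack stats` listing.
# Assumption: judging by their names, these four are the ones worth alerting on.
ALERT_COUNTERS = (
    "drop bad arp packet counter",
    "fixed bad dhcp packet counter",
    "send arp attack alert counter",
    "send dhcp attack alert counter",
)

# A data row is a lower-case counter name followed by an integer value.
# The "Counter  Value" header and the dashed rules do not match this pattern.
ROW = re.compile(r"^([a-z][a-z ]*?)\s+(\d+)$")


def parse_attack_stats(text):
    """Return {counter name: value} parsed from `show attack stats` output."""
    counters = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            counters[match.group(1)] = int(match.group(2))
    return counters


def new_attack_events(before, after):
    """Return {counter: increase} for alert counters that grew between polls."""
    events = {}
    for name in ALERT_COUNTERS:
        if name not in after:
            continue
        old, new = before.get(name, 0), after[name]
        # A smaller value means the counters were reset (for example by a
        # reboot), so everything counted since the reset is treated as new.
        increase = new - old if new >= old else new
        if increase > 0:
            events[name] = increase
    return events


# Constructed sample output from two polls of the same W-IAP.
POLL_1 = """\
attack counters
--------------------------------------
Counter                              Value
-------                              -------
arp packet counter                   1520
drop bad arp packet counter          0
dhcp response packet counter         48
fixed bad dhcp packet counter        0
send arp attack alert counter        0
send dhcp attack alert counter       0
arp poison check counter             1520
garp send check counter              12
"""

POLL_2 = """\
attack counters
--------------------------------------
Counter                              Value
-------                              -------
arp packet counter                   1893
drop bad arp packet counter          37
dhcp response packet counter         51
fixed bad dhcp packet counter        0
send arp attack alert counter        2
send dhcp attack alert counter       0
arp poison check counter             1893
garp send check counter              12
"""

if __name__ == "__main__":
    events = new_attack_events(parse_attack_stats(POLL_1), parse_attack_stats(POLL_2))
    for counter, increase in events.items():
        print(f"ALERT: {counter} increased by {increase}")
```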
Access Control List Rules
You can use Access Control List (ACL) rules to either permit or deny data packets passing through the W-IAP. You can also limit packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses. You can create access rules to allow or block data packets that match the criteria defined in an access rule.
Table 30: Access Rule Configuration Parameters
Field | Description
- bootp— Bootstrap Protocol
- cfgm-tcp—
- cups—Common UNIX Printing System
- dhcp—Dynamic Host Configuration Protocol
- dns—Domain Name Server
- esp—Encapsulating Security Payload
- ftp—File Transfer Protocol
- gre—Generic Routing Encapsulation
- h323-tcp—H.323-Transmission Control Protocol
- h323-udp— H.
Destination
Table 30: Access Rule Configuration Parameters
Field | Description
- To a network—Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
- Except to a network—Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
- To domain name—Access is allowed or denied to the specified domains.
Configuring a Source NAT Access Rule
The source NAT action in access rules allows the user to override the routing profile entries. For example, when a routing profile is configured to use 0.0.0.0/0, the client traffic on an SSID in L3 mode access to the corporate network is sent to the tunnel. When an access rule is configured with Source NAT action, the users can specify the service, protocol, or destination to which the source NAT is applied.
3. Create an access rule for the SSID profile with Source NAT action as described in Configuring Source-Based Routing on page 171. The source NAT pool is configured and source based routing entry is created.

Configuring a Destination NAT Access Rule
Instant supports configuration of the destination NAT rule, which can be used to redirect traffic to the specified IP address and destination port. Destination-NAT configuration is supported only in the bridge mode without VPN.
Allow POP3 Service to a Particular Server
To configure POP3 service to a particular server:
1. Select an existing wireless or wired profile. Depending on the network profile selected, the Edit or Edit Wired Network window is displayed. You can also configure access rules in the Access tab of the New WLAN and New Wired Network windows when configuring a new profile.
2. In the Access tab, slide to Network-based using the scroll bar to specify access rules for the network.
3.
3. Click New to add a new rule. The New Rule window is displayed.
   a. Select Deny from the Action drop-down list.
   b. Select ftp from the Service drop-down list.
   c. Select except to a particular server from the Destination drop-down list and enter appropriate IP address in the IP text box.
   d. Click OK.
4. Click Finish.

Deny bootp Service except to a Particular Network
To define deny bootp service access rule except to a network:
1. Select an existing wireless or wired profile.
You can also create a user role when configuring wireless or wired network profiles.
(Instant Access Point)(config)# wlan access-rule
(Instant Access Point) (Access Rule )# bandwidth-limit {downstream | upstream | peruser { downstream | upstream }}
(Instant Access Point) (Access Rule )# end
(Instant Access Point) # commit apply

To associate the access rule to a wired profile:
(Instant Access Point)(config)# wired-port-profile
(Instant Access Point)(wired ap profile )#
(Instant Access Point)(wired ap
(Instant Access Point) # commit
Configuring Derivation Rules
Dell W-Instant allows you to configure role and VLAN derivation-rules. You can configure these rules to assign a user role or VLAN to the clients connecting to an SSID or a wired profile.

Understanding Role Assignment Rule
When an SSID or wired profile is created, a default role for the clients connecting to this SSID or wired profile is assigned. You can assign a user role to the clients connecting to an SSID by any of the following methods.
Device | DHCP Option | DHCP Fingerprint
Windows XP(SP3, Home, Professional) | Option 55 | 37010f03062c2e2f1f21f92b
Windows Mobile | Option 60 | 3c4d6963726f736f66742057696e646f777320434500
Windows 7 Phone | Option 55 | 370103060f2c2e2f
Apple Mac OSX | Option 55 | 370103060f775ffc2c2e2f

Creating a Role Derivation Rule
You can configure rules for determining the role that is assigned for each authenticated client.
When Enforce Machine Authentication is enabled, both the device and the user must be authenticated for the role assignment rule to apply.
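In the DHCP fingerprint table above, the first byte of each hex string is the DHCP option number (0x37 = 55, 0x3c = 60) and the remaining bytes are that option's payload. The following added example (not part of the guide; the function names are illustrative and the regular-expression syntax is Python's, not the W-IAP's) decodes those fingerprints and shows that a loose pattern in a derivation rule can match more than one device type.

```python
import re

# Fingerprints copied from the page's Device / DHCP Option / DHCP Fingerprint table.
PAGE_FINGERPRINTS = {
    "Windows XP(SP3, Home, Professional)": "37010f03062c2e2f1f21f92b",
    "Windows Mobile": "3c4d6963726f736f66742057696e646f777320434500",
    "Windows 7 Phone": "370103060f2c2e2f",
    "Apple Mac OSX": "370103060f775ffc2c2e2f",
}


def decode_fingerprint(hex_string):
    """Split a fingerprint into its option number and decoded payload."""
    raw = bytes.fromhex(hex_string)  # raises ValueError on malformed hex
    if len(raw) < 2:
        raise ValueError("fingerprint needs an option byte and a payload")
    option, payload = raw[0], raw[1:]
    if option == 55:
        # Option 55 (parameter request list): one requested option code per
        # byte, in the order the client asked for them.
        return {"option": 55, "requested_options": list(payload)}
    if option == 60:
        # Option 60 (vendor class identifier): text, NUL-terminated in the
        # page's Windows Mobile entry.
        text = payload.rstrip(b"\x00").decode("ascii", errors="replace")
        return {"option": 60, "vendor_class": text}
    return {"option": option, "payload_hex": payload.hex()}


def classify(hex_string, table=PAGE_FINGERPRINTS):
    """Exact-match lookup: return the device name or None."""
    wanted = hex_string.strip().lower()
    for device, fingerprint in table.items():
        if fingerprint == wanted:
            return device
    return None


def devices_matching(pattern, table=PAGE_FINGERPRINTS):
    """Return every device whose fingerprint matches a regular expression."""
    regex = re.compile(pattern, re.IGNORECASE)
    return [device for device, fp in table.items() if regex.search(fp)]


if __name__ == "__main__":
    for device, fingerprint in PAGE_FINGERPRINTS.items():
        print(device, decode_fingerprint(fingerprint))

    # Windows 7 Phone and Apple Mac OSX request the same first four options,
    # so a prefix-only pattern cannot tell them apart.
    print(devices_matching(r"^370103060f"))

    # Anchoring both ends restricts the match to one table entry.
    print(devices_matching(r"^370103060f2c2e2f$"))

    # The fingerprint is order-sensitive: the same options in a different
    # order are a different string and match nothing in the table.
    print(classify("3701030f062c2e2f"))
```

The fingerprint is built from values the client itself sends in its DHCP request, so a role or VLAN derived from it reflects what the client claims to be.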
Figure 58 RADIUS Access-Accept packets with VSA
Figure 59 Configure VSA on a RADIUS Server

VLAN Assignment Based on Derivation Rules
When an external RADIUS server is used for authentication, the RADIUS server may return a reply message for authentication. If the RADIUS server supports return attributes, and sets an attribute value to the reply message, the W-IAP can analyze the return message and match attributes with a user pre-defined VLAN derivation rule.
Figure 60 Configuring RADIUS Attributes on the RADIUS Server

User Role
If the VSA and VLAN derivation rules are not matching, then the user VLAN can be derived by a user role.

VLANs Created for an SSID
If the VSA and VLAN derivation rules are not matching, and the User Role does not contain a VLAN, the user VLAN can be derived by VLANs configured for an SSID or Ethernet port profile.
Figure 61 VLAN Assignment Rule Window
3. Select the attribute from the Attribute drop-down list. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For information on a list of RADIUS attributes, see RADIUS Server Authentication with VSA on page 135.
4. Select the operator from the Operator drop-down list.
(Instant Access Point)(SSID Profile "Profile1")# set-vlan mac-address-and-dhcp-options matches-regular-expression ..link 100
(Instant Access Point)(SSID Profile "Profile1")# end
(Instant Access Point)# commit apply

Using Advanced Expressions in Role and VLAN Derivation Rules
For complex policies of role and VLAN derivation using device DHCP fingerprints, you can use a regular expression to match against the combined string of the MAC address and the DHCP options.
Operator | Description
\> | Matches the end of the word. For example, \>list matches blacklist, whitelist, and so on.
{n} | Where n is an integer. Matches the declared element exactly n times. For example, {2}link matches uplink, but not downlink.
{n,} | Where n is an integer. Matches the declared element at least n times. For example, {2,}ink matches downlink, but not uplink.
3. Click New under the New Role Assignment and configure the following parameters:
   a. Select the attribute from the Attribute drop-down list.
   b. Select the operator to match from the Operator drop-down list.
   c. Enter the string to match in the String text box.
   d. Select the role to be assigned from the Role text box.
   The following figure shows an example for the VLAN role assignment:
   Figure 62 User VLAN Role Assignment
4. Click OK.
Chapter 15 Uplink Configuration
This chapter provides the following information:
- Uplink Interfaces
- Ethernet Uplink
- 3G/4G Uplink
- Wi-Fi Uplink
- Uplink Preferences and Switching

Uplink Interfaces
Dell W-Instant network supports Ethernet, 3G and 4G USB modems, and the Wi-Fi uplink to provide access to the corporate Instant network.
Ethernet Uplink
The Ethernet 0 port on a W-IAP is enabled as an uplink port by default. You can view the type of uplink and the status of the uplink in the Dell W-Instant UI, in the Info tab.
Figure 64 Uplink Status
Ethernet uplink supports the following types of configuration in this Instant release.
- PPPoE
- DHCP
- Static IP
You can use PPPoE for your uplink connectivity in both W-IAP and IAP-VPN deployments. PPPoE is supported only in a single AP deployment. Uplink redundancy with the PPPoE link is not supported. When the Ethernet link is up, it is used as a PPPoE or DHCP uplink. After the PPPoE settings are configured, PPPoE has the highest priority for the uplink connections.
(Instant Access Point)(pppoe-uplink-profile)# pppoe-unnumbered-local-l3-dhcp-profile
(Instant Access Point)(pppoe-uplink-profile)# end
(Instant Access Point)# commit apply

To view the PPPoE configuration:
(Instant Access Point)# show pppoe config

PPPoE Configuration
-------------------
Type                      Value
----                      -----
User                      testUser
Password                  3c28ec1b82d3eef0e65371da2f39c4d49803e5b2bc88be0c
Service name              internet03
CHAP secret               8e87644deda9364100719e017f88ebce
Unnumbered dhcp profile   dhcpProfile1

To view the
Table 32: List of Supported 3G Modems
Modem Type | Supported 3G Modems
Auto-detect + ISP/country |
Table 32: List of Supported 3G Modems
Modem Type | Supported 3G Modems
- Huawei E1731 (Airtel-3G (India))
- Huawei E3765 (Vodafone (Aus))
- Huawei E3765 (T-Mobile (Germany))
- Huawei E1552 (SingTel)
- Huawei E1750 (T-Mobile (Germany))
- UGM 1831 (TMobile)
- Huawei D33HW (EMOBILE(Japan))
- Huawei GD01 (EMOBILE(Japan))
- Huawei EC150 (Reliance NetConnect+ (India))
- KDDI DATA07(Huawei) (KDDI (Japan))
- Huawei E353 (China Unicom)
- Huawei EC167 (China Telecom)
- Huawei E367 (Vodafone (UK)
No auto-detect
   - For 4G — Enter the type of 4G modem in the 4G USB type text box.
   c. Enter the device ID of modem in the USB dev text box.
   d. Enter the TTY port of the modem in the USB tty text box.
   e. Enter the parameter to initialize the modem in the USB init text box.
   f. Enter the parameter to dial the cell tower in the USB dial text box.
   g. Enter the username used to dial the ISP in the USB user text box.
   h. Enter the password used to dial the ISP in the USB password text box.
   i.
(Instant Access Point)(cellular-uplink-profile)# usb-init
(Instant Access Point)(cellular-uplink-profile)# usb-dial
(Instant Access Point)(cellular-uplink-profile)# end
(Instant Access Point)# commit apply

To view the cellular configuration:
(Instant Access Point)# show cellular config
USB Plugged in: Vendor_ID=0 Product_ID=0

cellular configure
------------------
Type          Value
----          -----
4g-usb-type   pantech-lte
usb-type
usb-dev       test
usb-tty
usb-init
usb-user
usb-passwd
- If the Wi-Fi uplink is used on the 5 GHz band, mesh is disabled. The two links are mutually exclusive.
- For W-IAPs to connect to a Dell W-Instant based WLAN using Wi-Fi uplink, the mobility controller must run Dell W-Instant 6.2.1.0 or later.

To provision a W-IAP with the Wi-Fi Uplink, complete the following steps:
1. If you are configuring a Wi-Fi uplink after restoring factory settings on a W-IAP, connect the W-IAP to an Ethernet cable to allow the W-IAP to get the IP address. Otherwise, go to step 2.
2.
Uplink Preferences and Switching
This topic describes the following procedures:
- Enforcing Uplinks
- Setting an Uplink Priority
- Enabling Uplink Preemption
- Switching Uplinks Based on VPN and Internet Availability
- Viewing Uplink Status and Configuration

Enforcing Uplinks
The following configuration conditions apply to the uplink enforcement:
- When an uplink is enforced, the W-IAP uses the specified uplink regardless of uplink preem
In the CLI
To set an uplink priority:
(Instant Access Point)(config)# uplink
(Instant Access Point)(uplink)# uplink-priority {cellular | ethernet |[port ]|wifi }
(Instant Access Point)(uplink)# end
(Instant Access Point)# commit apply

For example, to set a priority for Ethernet uplink:
(Instant Access Point)(uplink)# uplink-priority ethernet port 0 1
(Instant Access Point)(uplink)# end
(Instant Access Point)# commit apply

Enabling Uplink Preempt
- If the current uplink is 3G or Wi-Fi, and Ethernet has a physical link, the W-IAP periodically suspends user traffic to try and connect to the VPN on the Ethernet. If the W-IAP succeeds, the W-IAP switches to Ethernet. If the W-IAP does not succeed, it restores the VPN connection to the current uplink.

Uplink switching based on VPN status is automatically enabled if VPN is configured on the W-IAP. However, you can specify the duration in VPN failover timeout field to wait for an uplink switch.
Viewing Uplink Status and Configuration
To view the uplink status and configuration in the CLI:
Instant Access Point# show uplink status
Uplink preemption :enable
Uplink enforce :none
Ethernet uplink bond0 :DHCP

Uplink Table
------------
Type       State   Priority   In Use
----       -----   --------   ------
eth0       UP      0          Yes
Wifi-sta   LOAD    6          No
3G/4G      INIT    7          No

Internet failover :disable
Max allowed test packet loss:10
Secs between test packets :30
VPN failover timeout (secs) :180
ICMP pkt sent :0
ICMP pkt lost :0
Continuous pkt lost :
Chapter 16 Mobility and Client Management
This chapter provides the following information:
- Layer-3 Mobility Overview
- Configuring L3-Mobility

Layer-3 Mobility Overview
W-IAPs form a single Dell W-Instant network when they are in the same Layer-2 (L2) domain. As the number of clients increases, multiple subnets are required to avoid broadcast overhead.
Each foreign AP has only one home AP per Dell W-Instant network to avoid duplication of broadcast traffic. Separate GRE tunnels are created for each foreign AP / home AP pair. If a peer AP is a foreign AP for one client and a home AP for another, two separate GRE tunnels are used to handle L3 roaming traffic between these APs. If client subnet discovery fails on association due to some reason, the foreign AP identifies its subnet when it sends out the first L3 packet.
Figure 66 L3 Mobility Window
1. Select Enabled from the Home agent load balancing drop-down list. By default, home agent load balancing is disabled.
2. Click New in the Virtual Controller IP Addresses section, add the IP address of a Virtual Controller that is part of the mobility domain, and click OK.
3. Repeat Step 2 to add the IP addresses of all Virtual Controllers that form the L3 mobility domain.
4. Click New in the Subnets section and specify the following:
   a.
Chapter 17 Spectrum Monitor
This chapter provides the following information:
- Understanding Spectrum Data
- Configuring Spectrum Monitors and Hybrid W-IAPs

Understanding Spectrum Data
Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference.
Figure 67 Device List
Device Summary and Channel Information shows the details of the information that is displayed:

Table 34: Device Summary and Channel Information
Column | Description
Type | Device type.
Table 35: Non Wi-Fi Interferer Types
Non Wi-Fi Interferer | Description
Bluetooth | Any device that uses the Bluetooth protocol to communicate in the 2.4 GHz band is classified as a Bluetooth device. Bluetooth uses a frequency hopping protocol.
Fixed Frequency (Audio) | Some audio devices such as wireless speakers and microphones also use fixed frequency to continuously transmit audio. These devices are classified as Fixed Frequency (Audio).
Non Wi-Fi Interferer | Description
Generic Interferer | Any non-frequency hopping device that does not fall into one of the other categories described in this table is classified as a Generic Interferer. For example, a Microwave-like device that does not operate in the known operating frequencies used by the Microwave ovens may be classified as a Generic Interferer. Similarly, wide-band interfering devices may be classified as Generic Interferers.
Column | Description
Max Interference (dBm) | Signal strength of the non Wi-Fi device that has the highest signal strength.
SNIR (db) | The ratio of signal strength to the combined levels of interference and noise on that channel. This value is calculated by determining the maximum noise-floor and interference-signal levels, and then calculating how strong the desired signal is above this maximum.
Column | Description
Quality(%) | Current relative quality of selected channels in the 2.4 GHz or 5 GHz radio bands, as determined by the percentage of packet retries, the current noise floor, and the duty cycle for non Wi-Fi devices on that channel.
Availability(%) | The percentage of the channel currently available for use.
Utilization(%) | The percentage of the channel being used.
WiFi Util(%) | The percentage of the channel currently being used by Wi-Fi devices.
To configure 5 GHz radio settings:
(Instant Access Point)(config)# rf dot11a-radio-profile
(Instant Access Point)(RF dot11a Radio Profile)# spectrum-monitor

Converting a W-IAP to a Spectrum Monitor
In spectrum mode, spectrum monitoring is performed on entire bands. However, for the 5 GHz radio, spectrum monitoring is performed on only one of the three bands:
- 5 GHz - lower
- 5 GHz - middle
- 5 GHz - higher
By default, spectrum monitoring is performed on a higher band of the 5 GHz radio.
5.0 GHz:
Legacy Mode:disable
Beacon Interval:100
802.11d/802.11h:disable
Interference Immunity Level:2
Channel Switch Announcement Count:0
Channel Reuse Type:disable
Channel Reuse Threshold:0
Background Spectrum Monitor:disable
Standalone Spectrum Band:5ghz-upper
Chapter 18 Adaptive Radio Management
This chapter provides the following information:
- ARM Overview
- Configuring ARM Features on a W-IAP
- Configuring Radio Settings for a W-IAP

ARM Overview
Adaptive Radio Management (ARM) is a radio frequency management technology that optimizes WLAN performance even in the networks with highest traffic by dynamically and intelligently choosing the best 802.
Legacy 802.11a/b/g access points do not support the client match feature. When client match is enabled on 802.11n capable access points, the client match feature overrides any settings configured for the legacy bandsteering, station handoff assist or load balancing features. 802.11ac-capable access points do not support the legacy bandsteering, station hand off or load balancing settings, so these access points must be managed using client match.
configured on an AP is not supported by the AP model, this value is reduced to the highest supported power setting. The default value for minimum transmit power is 18 dBm.
- Maximum Transmit Power — This indicates the maximum Effective Isotropic Radiated Power (EIRP) from 3 to 33 dBm in 3 dBm increments. Higher power level settings may be constrained by local regulatory requirements and AP capabilities.
Figure 71 RF Window - ARM Tab
3. Configure the following parameters for Band steering mode:

Table 38: Band Steering Mode - Configuration Parameters
Parameter | Description
Prefer 5 GHz | Select this option to use band steering in 5 GHz mode. On selecting this, the W-IAP steers the client to 5 GHz band (if the client is 5 GHz capable), but allows the client connection on the 2.4 GHz band if the client persistently attempts for 2.4 GHz association.
4. For Airtime fairness mode, specify any of the following values:

Table 39: Airtime Fairness Mode - Configuration Parameters
Parameter | Description
Default Access | Select this option to provide access based on client requests. When Air Time Fairness is set to default access, per user and per SSID bandwidth limits are not enforced.
Fair Access | Select this option to allocate Airtime evenly across all the clients.
Table 41: Access Point Control - Configuration Parameters
Parameter | Description
Customize Valid Channels | Select this check box to customize valid channels for 2.4 GHz and 5 GHz. By default, the AP uses valid channels as defined by the Country Code (regulatory domain). On selecting the Customize Valid Channels check box, a list of valid channels for both 2.4 GHz and 5 GHz are displayed. The valid channel customization feature is disabled by default.
(Instant Access red Access>} (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access (Instant Access Point)(ARM)# air-time-fairness-mode {| | |<2GHz>||} Point)(ARM)# scanning Point)(ARM)# client-match calc-interval Point)(ARM)# client-match calc-threshold Point)(ARM)# client-match nb-matching <
40     enable
44     enable
48     enable
52     enable
56     enable
60     enable
64     enable
149    enable
153    enable
157    enable
161    enable
165    enable
36+    enable
44+    enable
52+    disable
60+    disable
149+   enable
157+   enable
36E    enable
52E    enable
149E   enable

Configuring Radio Settings for a W-IAP
You can configure 2.4 GHz and 5 GHz radio settings for a W-IAP either using Dell W-Instant UI or CLI.

In the Dell W-Instant UI
To configure radio settings:
1. Click the RF link at the top right corner of the Dell W-Instant main window.
2.
Parameter | Description
OFDM packets, and is the default setting for the Noise Immunity feature.
- Level 3— Level 2 settings and weak OFDM immunity. This level minimizes false detects on the radio due to interference, but may also reduce radio sensitivity. This level is recommended for environments with a high-level of interference related to 2.4 GHz appliances such as cordless phones.
- Level 4— Level 3 settings, and FIR immunity.
Channel Switch Announcement Count:0
MAX Distance:600
Channel Reuse Type:disable
Channel Reuse Threshold:0
Background Spectrum Monitor:disable

5.0 GHz:
Legacy Mode:enable
Beacon Interval:100
802.11d/802.11h:enable
Interference Immunity Level:2
Channel Switch Announcement Count:2
MAX Distance:600
Channel Reuse Type:disable
Channel Reuse Threshold:0
Background Spectrum Monitor:disable
Standalone Spectrum Band:5ghz-upper
Chapter 19 Intrusion Detection
The Intrusion Detection System (IDS) is a feature that monitors the network for the presence of unauthorized W-IAPs and clients. It also logs information about the unauthorized W-IAPs and clients, and generates reports based on the logged information. The IDS feature in the Dell W-Instant network enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations.
- Windows Server
- Windows XP
- Windows ME
- OS-X
- iPhone
- iOS
- Android
- Blackberry
- Linux

Configuring Wireless Intrusion Protection and Detection Levels
WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Dell network, the WIP can be configured on the W-IAP.
Figure 73 Wireless Intrusion Detection
The following table describes the detection policies enabled in the Infrastructure Detection Custom settings field.

Table 43: Infrastructure Detection Policies
Detection Level | Detection Policy
Off | Rogue Classification
Low |
Medium |
High |
Table 43: Infrastructure Detection Policies
Detection Level | Detection Policy
- Detect Malformed Frame— HT IE
- Detect Malformed Frame— Association Request
- Detect Malformed Frame— Auth
- Detect Overflow IE
- Detect Overflow EAPOL Key
- Detect Beacon Wrong Channel
- Detect devices with invalid MAC OUI

The following table describes the detection policies enabled in the Client Detection Custom settings field.
Figure 74 Wireless Intrusion Protection
The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings field.
Containment Methods
You can enable wired and wireless containments to prevent unauthorized stations from connecting to your Dell W-Instant network. Dell W-Instant supports the following types of containment mechanisms:
- Wired containment— When enabled, Dell W-Instant Access Points generate ARP packets on the wired network to contain wireless attacks.
Chapter 20 Content Filtering
This chapter provides the following information:
- Content Filtering
- Enabling Content Filtering
- Configuring Enterprise Domains
- Configuring OpenDNS Credentials

Content Filtering
The Content Filtering feature allows you to create Internet access policies that allow or deny user access to Websites based on Website categories and security ratings.
(Instant Access Point)(SSID Profile )# end
(Instant Access Point)# commit apply
Enabling Content Filtering for a Wired Profile
To enable content filtering for a wired profile, perform the following steps:
In the Dell W-Instant UI
1. Click the Wired link under More at the top right corner of the Dell W-Instant main window. The Wired window is displayed.
2. In the Wired window, select the wired profile to modify.
3. Click Edit. The Edit Wired Network window is displayed.
4.
In the Dell W-Instant UI
To configure OpenDNS credentials:
1. Click More > Services > OpenDNS. The OpenDNS tab contents are displayed.
2. Enter the Username and Password to enable access to OpenDNS.
3. Click OK to apply the changes.
In the CLI
To configure OpenDNS credentials:
(Instant Access Point)(config)# opendns
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
Chapter 21 DHCP Configuration
This chapter provides the following information:
- Configuring DHCP Scopes
- Configuring DHCP Server for Client IP Assignment
Configuring DHCP Scopes
The Virtual Controller supports different modes of DHCP address assignment. With each DHCP address assignment mode, various client traffic forwarding modes are associated. For more information on client traffic forwarding modes for IAP-VPN, see L2/L3 Forwarding Modes on page 251.
Figure 76 New DHCP Scope: Distributed DHCP Mode
3. Based on the type of distributed DHCP scope, configure the following parameters:
Table 47: Distributed DHCP Mode: Configuration Parameters
Name / Description
Name: Enter a name for the DHCP scope.
Type: Select any of the following options:
- Distributed, L2— On selecting Distributed, L2, the Virtual Controller acts as the DHCP Server but the default gateway is in the data center. Traffic is bridged into the VPN tunnel.
Table 47: Distributed DHCP Mode: Configuration Parameters
Name / Description
performed to ensure that the specified ranges of IP address are in the same subnet as the default router and subnet mask. The configured IP range is divided into blocks based on the configured client count. For Distributed,L3 mode, you can configure any discontiguous IP ranges. The configured IP range is divided into multiple IP subnets that are sufficient to accommodate the configured client count.
(Instant Access Point)(DHCP Profile )# ip-range
(Instant Access Point)(DHCP Profile )# reserve {first | last}
(Instant Access Point)(DHCP Profile )# option
(Instant Access Point)(DHCP Profile )# end
(Instant Access Point)# commit apply
Configuring Centralized DHCP Scope
The Centralized DHCP scope supports L2 and L3 clients.
Table 48: DHCP Mode: Configuration Parameters
Name / Description
requests.
Helper address: Enter the IP address of the DHCP server.
VLAN IP: Specify the VLAN IP address of the DHCP relay server.
VLAN Mask: Specify the VLAN subnet mask of the DHCP relay server.
Option82: This option is available only if Centralized is selected. Select Alcatel to enable DHCP Option 82 to allow clients to send DHCP packets with the Option 82 string. The Option 82 string is available only in the Alcatel (ALU) format.
(Instant Access Point)# commit apply
Configuring Local and Local,L3 DHCP Scopes
You can configure Local and Local,L3 DHCP scopes by using the Dell W-Instant UI or CLI.
- Local — In this mode, the Virtual Controller acts as both the DHCP Server and the default gateway. The configured subnet and the corresponding DHCP scope are independent of subnets configured in other W-IAP clusters.
Table 50: DHCP Mode: Configuration Parameters
Name / Description
VLAN: Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile. For more information on SSID profile configuration, see Configuring VLAN Settings for a WLAN SSID Profile on page 88 and Configuring VLAN for a Wired Profile on page 102.
Network: Specify the network to use.
Net Mask: If Local or Local,L3 is selected, specify the subnet mask.
Configuring DHCP Server for Client IP Assignment
The DHCP server is a built-in server, used for networks in which clients are assigned an IP address by the Virtual Controller. You can customize the DHCP pool subnet and address range to provide simultaneous access to more clients. The largest address pool supported is 2048. The default size of the IP address pool is 512.
Chapter 22 VPN Configuration
This chapter describes the following VPN configuration procedures:
- Understanding VPN Features
- Configuring a Tunnel from a W-IAP to Dell Networking W-Series Mobility Controller
- Configuring Routing Profiles
Understanding VPN Features
As W-IAPs use a Virtual Controller architecture, the W-IAP network does not require a physical controller to provide the configured WLAN services.
3. Enter the IP address or fully qualified domain name (FQDN) for the main VPN/IPSec endpoint in the Primary host field.
4. Enter the IP address or FQDN for the backup VPN/IPSec endpoint in the Backup host field. This entry is optional. When you specify the primary and backup host details, the other fields are displayed.
5. Specify the following parameters. A sample configuration is shown in Figure 79.
a.
(Instant Access Point)(config)# vpn reconnect-user-on-failover
(Instant Access Point)(config)# vpn reconnect-time-on-failover
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
a. To allow the VPN tunnel to switch back to the primary host when it becomes available again, select Enabled from the Preemption drop-down list. This step is optional. b. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold time. The default value for Hold time is 600 seconds. c.
In the CLI
To enable automatic configuration of the GRE tunnel:
(Instant Access Point)(config)# vpn gre-outside
(Instant Access Point)(config)# vpn primary
(Instant Access Point)(config)# vpn backup <>
(Instant Access Point)(config)# vpn fast-failover
(Instant Access Point)(config)# vpn hold-time
(Instant Access Point)(config)# vpn preemption
(Instant Access Point)(config)# vpn moni
Figure 81 Manual GRE Configuration 4. Click Next to continue. When the GRE tunnel configuration is completed on both the W-IAP and Controller, the packets sent from and received by a W-IAP are encapsulated, but not encrypted.
- W-IAP109
- W-IAP135
You can configure an L2TPv3 tunnel from the Virtual Controller using the Dell W-Instant UI or CLI.
In the Dell W-Instant UI
1. Click the More > VPN link at the top right corner of the Dell W-Instant UI. The Tunneling window is displayed.
Figure 82 L2TPv3 Tunneling
2. Select L2TPv3 from the Protocol drop-down list.
3. Configure the tunnel profile:
a. Enter the tunnel name to be used for tunnel creation.
Figure 83 Tunnel Configuration
b. Enter the primary server IP address.
c.
f. Select the message digest as MD5 or SHA used for message authentication.
g. Enter a shared key for the message digest. This key should match the shared key of the tunnel end point.
h. If required, select the failover mode as Primary or Backup (when backup server is available).
i. Specify a value for the tunnel MTU if required. The default value is 1460.
j. Click OK.
4. Configure the session profile:
a. Enter the session name to be used for session creation.
Figure 84 Session Configuration
b.
(Instant Access Point) (L2TPv3 Tunnel Profile )# secret-key
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
To configure an L2TPv3 session:
(Instant Access Point)(config)# l2tpv3 session
(Instant Access Point) (L2TPv3 Tunnel Profile <2tpv3_session_profile>)# cookie len value
(Instant Access Point) (L2TPv3 Tunnel Profile <2tpv3_session_profile>)# l2tpv3 tunnel
To view L2TPv3 global configuration:
(Instant Access Point)# show l2tpv3 global parameter
L2TPV3 Global configuration
--------------------------
Host Name
---------
Instant-C4:42:98
To view L2TPV3 session status:
(Instant Access Point)# show l2tpv3 session status
Session 1821009927 on tunnel 858508253:
type: LAC Incoming Call, state: ESTABLISHED
created at: Jul 2 04:58:45 2013
administrative name: 'test_session' (primary)
created by admin: YES, peer session id: 12382
session profile name: test_session_primary
data rx packets: 0, rx bytes: 0, rx errors: 0
data tx packets: 6, tx bytes: 588, tx errors: 0
establish retries: 0
To view L2TPv3 tunnel config:
(Instant Access Point)# show l2tpv3 tunnel config
Tunnel profile test_tunnel_primary
l2tp host name: Instant-C4:42:98
local UDP port: 1701
peer IP address: 10.0.0.
SCCRP      1   0   0
SCCCN      0   0   1
STOPCCN    0   0   0
RESERVED1  0   0   0
HELLO      95  0   95
OCRQ       0   0   0
OCRP       0   0   0
OCCN       0   0   0
ICRQ       0   0   1
ICRP       1   0   0
ICCN       0   0   1
RESERVED2  0   0   0
CDN        0   0   0
WEN        0   0   0
SLI        0   0   0
Configuring Routing Profiles
Dell W-Instant can terminate a single VPN connection on a Dell Networking W-Series Mobility Controller. The Routing profile defines the corporate subnets which need to be tunneled through IPSec.
4. Click OK.
5. Click Finish.
In the CLI
(Instant Access Point)(config)# routing-profile
(Instant Access Point)(Routing-profile)# route
(Instant Access Point)(Routing-profile)# end
(Instant Access Point)# commit apply
Chapter 23 IAP-VPN Configuration
Dell Networking W-Series controllers provide an ability to terminate the IPSec and GRE VPN tunnels from the W-IAP and provide corporate connectivity to the branch network. This section describes the following topics:
- Overview
- VPN Configuration
- Viewing Branch Status
Overview
This section provides a brief summary of the features supported by the controllers to allow VPN termination from a W-IAP.
IAP-VPN Scalability Limits Dell W-Instant provides enhancements to the scalability limits for the IAP-VPN branches terminating on the controller.
To verify the details of configured aggregated route, use the following command:
(host) # show ip ospf rapng-vpn aggregated-routes
(host) #show ip ospf rapng-vpn aggregate-routes 100.100.2.0 255.255.255.0
Contributing routes of RAPNG VPN aggregate route
-----------------------------------------------
Prefix Mask Next-Hop Cost
------ ---- -------- ---
100.100.2.64 255.255.255.224 5.5.0.
VPN Configuration
The following VPN configuration steps on the controller enable W-IAPs to terminate their VPN connection on the controller:
Whitelist Database Configuration
The whitelist database is a list of the MAC addresses of the W-IAPs that are allowed to establish VPN connections with the Mobility Controller. This list can be stored either in the Mobility Controller or on an external server.
(host) (config-sess-iaprole)#any host any src-nat
(host) (config-sess-iaprole)#any any any permit
(host) (config-sess-iaprole)#!
(host) (config) #user-role iaprole
(host) (config-role) #session-acl iaprole
VPN Profile Configuration
The VPN profile configuration defines the server used to authenticate the W-IAP (internal or an external server) and the role assigned to the IAP after successful authentication.
Parameter / Description
VC MAC Address: Displays the MAC address of the Virtual Controller of the branch.
Status: Displays the current status of the branch (UP/DOWN).
Inner IP: Displays the internal VPN IP of the branch.
Assigned Subnet: Displays the subnet mask assigned to the branch.
Assigned Vlan: Displays the VLAN ID assigned to the branch.
Key: Displays the key for the branch, which is unique to each branch.
Bid(Subnet Name): Displays the Branch ID (BID) of the subnet.
Chapter 24 W-Airwave Integration and Management
This chapter provides the following information:
- W-AirWave Features
- Configuring W-AirWave
W-AirWave Features
W-AirWave is a powerful and easy-to-use network operations system that manages Dell wireless, wired, and remote access networks, as well as wired and wireless infrastructures from a wide range of third-party manufacturers.
Figure 86 Template-based Configuration
Trending Reports
W-AirWave saves up to 14 months of actionable information, including network performance data and user roaming patterns, so you can analyze how network usage and performance trends have changed over time. It also provides detailed capacity reports with which you can plan the capacity and appropriate strategies for your organization.
Intrusion Detection System
W-AirWave provides advanced, rules-based rogue classification.
Figure 87 Adding a W-IAP in VisualRF
PSK-based and Certificate-based Authentication
On the DHCP server, two formats for option 43 are supported:
- ,,— If you choose this format, the W-IAP authenticates the W-AirWave Management Platform server using the Pre-Shared Key (PSK) login process.
- Folder— "Org" (under the Top folder in AMP)
- Configuration Group— "Org"
You can also assign additional strings to create a hierarchy of sub folders under the folder named "Org". For example:
  - subfolder1 for a folder under the "Org" folder
  - subfolder2 for a folder under subfolder1
Shared Key
The Shared Secret key is an optional field used by the administrator to manually authorize the first Virtual Controller for an organization. Any string is acceptable.
In the CLI
To configure W-AirWave information in Dell W-Instant:
(Instant Access Point)(config)# organization
(Instant Access Point)(config)# ams-ip
(Instant Access Point)(config)# ams-backup-ip
(Instant Access Point)(config)# ams-key
(Instant Access Point)(config)# end
(Instant Access Point)# commit apply
Configuring for W-AirWave Discovery through DHCP
The W-AirWave can be discovered through a DHCP server.
3. Select DHCP Standard Options in the Option class drop-down list and then click Add.
4. Enter the following information:
  - Name— Dell W-Instant
  - Data Type— String
  - Code—60
  - Description—Dell W-Instant AP
Figure 90 Dell W-Instant and DHCP options for W-AirWave: Predefined Options and Values
5. Navigate to Server Manager and select Server Options in the IPv4 window. (This sets the value globally. Use options on a per-scope basis to override the global options.)
6.
Figure 91 Dell W-Instant and DHCP options for W-AirWave: Server Options
7. Select 060 Dell Instant AP in the Server Options window and enter DellInstantAP in the String Value.
Figure 92 Dell W-Instant and DHCP options for W-AirWave—060 W-IAP in Server Options
8. Select 043 Vendor Specific Info and enter a value for either of the following in the ASCII field:
- airwave-orgn, airwave-ip, airwave-key; for example: Dell,192.0.2.20, 12344567
- airwave-orgn, airwave-domain; for example: Dell, dell.support.
Figure 93 Dell W-Instant and DHCP options for W-AirWave— 043 Vendor Specific Info This creates a DHCP option 60 and 43 on a global basis. You can do the same on a per-scope basis. The per-scope option overrides the global option.
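A pre-deployment check for the option 60 and option 43 values described above, as an added example that is not part of the original guide: it parses the two option 43 formats and reports malformed or risky values before they are pushed to a DHCP scope. The function names, the simplified FQDN pattern, the 12-character minimum key length and the sample domain airwave.example.com are assumptions; treating the two-field format as certificate-based follows the section heading "PSK-based and Certificate-based Authentication".

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Option 60 string value the guide enters for Dell W-Instant APs.
EXPECTED_OPTION_60 = "DellInstantAP"

# Local policy chosen for this example (assumption): the guide itself
# accepts any string as the shared key.
MIN_KEY_LENGTH = 12

# Simplified FQDN pattern chosen for this example (assumption).
_FQDN = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z]{2,63}$"
)


@dataclass
class Option43:
    organization: str
    auth_mode: str                    # "psk" or "certificate"
    server: str                       # airwave-ip or airwave-domain
    shared_key: Optional[str] = None  # only present in the PSK format


def parse_option43(value: str) -> Option43:
    """Parse the ASCII option 43 value into one of the two documented formats."""
    fields = [f.strip() for f in value.split(",")]
    if any(f == "" for f in fields):
        raise ValueError("empty field in option 43 value")
    if len(fields) == 3:
        # airwave-orgn, airwave-ip, airwave-key
        org, server, key = fields
        try:
            ipaddress.ip_address(server)
        except ValueError:
            raise ValueError(f"airwave-ip is not a valid IP address: {server!r}") from None
        return Option43(org, "psk", server, key)
    if len(fields) == 2:
        # airwave-orgn, airwave-domain
        org, server = fields
        if not _FQDN.match(server):
            raise ValueError(f"airwave-domain is not a valid domain name: {server!r}")
        return Option43(org, "certificate", server)
    raise ValueError(f"expected 2 or 3 comma-separated fields, got {len(fields)}")


def audit_scope(option60: str, option43: str) -> List[str]:
    """Return findings for one DHCP scope; an empty list means nothing to fix."""
    findings = []
    if option60 != EXPECTED_OPTION_60:
        findings.append(
            f"ERROR: option 60 is {option60!r}, expected {EXPECTED_OPTION_60!r}"
        )
    try:
        parsed = parse_option43(option43)
    except ValueError as exc:
        findings.append(f"ERROR: option 43: {exc}")
        return findings
    if parsed.auth_mode == "psk":
        # DHCP replies are not encrypted, so the key is readable on the wire.
        findings.append(
            "WARN: PSK format carries the shared key in cleartext DHCP replies; "
            "limit the option to the AP scope"
        )
        if len(parsed.shared_key) < MIN_KEY_LENGTH:
            findings.append(
                f"WARN: shared key is shorter than {MIN_KEY_LENGTH} characters"
            )
    return findings


if __name__ == "__main__":
    # First value is the guide's own example; the others are constructed.
    samples = [
        ("DellInstantAP", "Dell,192.0.2.20, 12344567"),
        ("DellInstantAP", "Dell, airwave.example.com"),
        ("DellInstantAP", "Dell,999.0.2.20,12344567"),
    ]
    for opt60, opt43 in samples:
        print(opt43, "->", audit_scope(opt60, opt43) or "OK")
```
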
the DHCP clients information about certain services such as PXE. In such an environment, the standard DHCP options 60 and 43 cannot be used for Dell APs. This method describes how to set up a DHCP server to send option 43 with W-AirWave information to Dell W-Instant W-IAP. This section assumes that option 43 is sent per scope, because option 60 is being shared by other devices as well.
Figure 96 W-AirWave — New Group
Figure 97 W-AirWave —Monitor
Chapter 25 AirGroup Configuration
This chapter provides the following information:
- AirGroup Overview
- AirGroup with Dell W-Instant
- Configuring AirGroup and AirGroup Services on a W-IAP
- Configuring AirGroup and CPPM interface in Dell W-Instant
AirGroup Overview
AirGroup is a unique enterprise-class capability that leverages zero configuration networking to enable Bonjour® services such as Apple® AirPrint and AirPlay from mobile devices in an eff
Figure 98 - AirGroup Architecture
AirGroup is not supported on a 3G uplink.
AirGroup with Dell W-Instant
AirGroup capabilities are available as a feature in Dell WLANs where Wi-Fi data is distributed among Dell W-Instant APs. When a Dell WLAN is powered by Dell W-Instant and CPPM, AirGroup begins to function. An AirGroup device can be registered by an administrator or a guest user.
1.
Figure 99 AirGroup Enables Personal Device Sharing
AirGroup Solution
In large universities and enterprise networks, it is common for Bonjour-capable devices to connect to the network across VLANs. As a result, user devices such as an iPad on a specific VLAN cannot discover an Apple TV that resides on another VLAN. As the addresses used by the protocol are link-scope multicast addresses, each query or advertisement can only be forwarded on its respective VLAN, but not across different VLANs.
Table 53: AirGroup Filtering Options
Features / Dell W-Instant Deployment Models
Device owner based policy enforcement: No, Yes
Location based policy enforcement: No, Yes
Shared user list based policy enforcement: No, Yes
Shared role list based policy enforcement: No, Yes
AirGroup also enables context awareness for services across the network:
- AirGroup is aware of personal devices. For example, an Apple TV in a dorm room can be associated with the student who owns it.
- Allow or block mDNS services based on user roles.
- Allow or block mDNS services based on VLANs.
- Match users’ devices, such as iPads, to their closest Bonjour devices, such as printers. This requires CPPM support.
CPPM and ClearPass Guest Features
CPPM and ClearPass Guest support the following features:
- Registration portal for WLAN users to register their personal devices such as Apple TVs and printers.
Configuring AirGroup and AirGroup Services on a W-IAP
You can configure AirGroup services using the Dell W-Instant UI or CLI.
In the Dell W-Instant UI
To enable AirGroup and its services:
1. Click the More > Services link at the top right corner of the Dell W-Instant main window.
2. Click the Air Group tab. The Air Group tab details are displayed.
3. Select the Enable Air Group check box. The AirGroup configuration parameters are displayed.
Figure 101 AirGroup Configuration
4.
- To block user roles from accessing an AirGroup service, click the corresponding edit link and select the user roles for which you want to restrict access. By default, an AirGroup service is accessible by all user roles configured in your W-IAP cluster.
- To exclude VLANs from accessing an AirGroup service, click the corresponding edit link and select the VLANs to exclude. By default, the AirGroup services are accessible by users or devices in all VLANs configured in your W-IAP cluster.
CPPM Server dead time 100 Seconds
AirGroup Service Information
---------------------------
Service Status
-----------
airplay Enabled
airprint Disabled
itunes Disabled
remotemgmt Enabled
sharing Disabled
chat Enabled
allowall Disabled
Configuring AirGroup and CPPM interface in Dell W-Instant
Configure the Dell W-Instant and CPPM interface to allow an AirGroup W-IAP and CPPM to exchange information regarding device sharing and location.
Chapter 26 Integration with Security and Location Services Applications
This chapter describes the following procedures:
- Configuring a W-IAP for Analytics and Location Engine Support
- Integrating a W-IAP with Palo Alto Networks Firewall
- Configuring a W-IAP for RTLS Support
Configuring a W-IAP for Analytics and Location Engine Support
The Analytics and Location Engine (ALE) is designed to gather client information from the network, process it and share it throu
Figure 102 Services Window —ALE Integration
4. Specify the ALE server name or IP address.
5. Specify the reporting interval within the range of 6–60 seconds. The W-IAP sends messages to the ALE server at the specified interval. The default interval is 30 seconds.
6. Click OK.
2. Click the RTLS tab. The following figure shows the contents of the RTLS tab.
3. Under Aruba, select the RTLS check box to integrate Dell W-Instant with W-AirWave Management platform or Ekahau Real Time Location Server.
Figure 103 RTLS Window
4. Specify the IP address and port to which the location reports must be sent.
5. Specify the shared secret key in the Passphrase text box.
6. Specify the frequency at which the Virtual Controller can send updates to the server.
security required for enterprises to secure their networks. In the context of businesses using social networking sites, legacy firewalls are not able to differentiate valid authorized users from casual social networking users. The Palo Alto next-generation firewall is based on user ID, which provides many methods for connecting to sources of identity information and associating them with firewall policy rules.
Figure 104 Services Window - Network Integration Tab
3. Select the Enable checkbox to enable PAN firewall.
4. Specify the user name and password. Ensure that you provide user credentials of the PAN firewall administrator.
5. Enter the PAN firewall IP address.
6. Enter the port number within the range of 1—65535. The default port is 443.
7. Click OK.
Chapter 27 Lawful Intercept and CALEA Integration
This chapter provides the following information:
- CALEA Integration and Lawful Intercept Compliance
- Configuring W-IAPs for CALEA Integration
CALEA Integration and Lawful Intercept Compliance
Lawful Intercept (LI) allows the Law Enforcement Agencies (LEA) to perform an authorized electronic surveillance. Depending on the country of operation, the service providers (SPs) are required to support LI in their respective networks.
Figure 105 IAP to CALEA Server
Traffic Flow from IAP to CALEA Server through VPN
You can also deploy CALEA server with Controller and configure an additional IPSec tunnel for corporate access. When CALEA server is configured with Controller, the client traffic is replicated by the slave W-IAP and client data is encapsulated by GRE on slave, and routed to the master IAP. The master IAP sends the IPsec client traffic to Controller.
Figure 106 IAP to CALEA Server through VPN
Ensure that IPSec tunnel is configured if the client data has to be routed to the ISP or CALEA server through VPN. For more information on configuring IPSec, see Configuring IPSec Tunnel on page 238.
Client Traffic Replication
Client traffic is replicated in the following ways:
- Through RADIUS VSA— In this method, the client traffic is replicated by using RADIUS VSA to assign clients to a CALEA related user role.
In the Dell W-Instant UI
To configure a CALEA profile:
1. Click More > Services at the top right corner of the Dell W-Instant main window.
2. Click CALEA. The CALEA tab details are displayed.
3. Specify the following parameters:
- IP address— Specify the IP address of the CALEA server.
- Encapsulation type— Specify the encapsulation type. The current release of Dell W-Instant supports GRE only.
- GRE type— Specify the GRE type.
5. Click OK. 6. Create a role assignment rule if required. 7. Click Finish.
(Instant Access Point)(SSID Profile"Calea-Test")# captive-portal disable
(Instant Access Point)(SSID Profile"Calea-Test")# dtim-period 1
(Instant Access Point)(SSID Profile"Calea-Test")# inactivity-timeout 10
Chapter 28 Hotspot Profiles
This chapter describes the following procedures:
- Understanding Hotspot Profiles
- Configuring Hotspot Profiles
- Sample Configuration
In the current release, Dell W-Instant supports the hotspot profile configuration only through the CLI.
Understanding Hotspot Profiles
Hotspot 2.0 is a Wi-Fi Alliance specification based on the 802.
Access Network Query Protocol (ANQP)
ANQP provides a range of information, such as IP address type and availability, roaming partners accessible through a hotspot, and the Extensible Authentication Protocol (EAP) method supported for authentication, for a query and response protocol. The ANQP Information Elements (IEs) provide additional data that can be sent from a W-IAP to the client to identify the W-IAP's network and service provider.
3. Associate the required ANQP and H2QP advertisement profiles created in step 1 to the hotspot profile created in step 2.
4. Create an SSID Profile with enterprise security and WPA2 encryption settings and associate the SSID with the hotspot profile created in step 2.
Creating Advertisement Profiles for Hotspot Configuration
A hotspot profile contains one or several advertisement profiles.
- eap-ttls—To use EAP-Tunneled Transport Layer Security. The associated numeric value is 21.
- peap—To use protected Extensible Authentication Protocol. The associated numeric value is 25.
- crypto-card— To use crypto card authentication. The associated numeric value is 28.
- peapmschapv2— To use PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPV2). The associated numeric value is 29.
- eap-aka—To use EAP for UMTS Authentication and Key Agreement.
Configuring a Venue Name Profile
You can configure a venue name profile to send venue information as an ANQP IE in a GAS query response.
Venue Group / Associated Venue Type Value
The associated numeric value is 5.
- long-term-care—The associated numeric value is 2.
- alc-drug-rehab—The associated numeric value is 3.
- group-home—The associated numeric value is 4.
- prison-or-jail—The associated numeric value is 5.
mercantile: The associated numeric value is 6.
- unspecified—The associated numeric value is 0.
- retail-store—The associated numeric value is 1.
residential: The associated numeric value is 7.
- http-redirect—When configured, additional information on the network is provided through HTTP/HTTPS redirection.
- dns-redirect—When configured, additional information on the network is provided through DNS redirection. This option requires you to specify a redirection URL string as an IP address, FQDN, or URL.
Configuring a Roaming Consortium Profile
You can configure a roaming consortium profile to send the roaming consortium information as an ANQP IE in a GAS query response.
(Instant Access Point)(domain-name )# end
(Instant Access Point)# commit apply
Configuring an Operator-friendly Profile
You can configure the operator-friendly name profile to identify the operator.
- Downlink load— Indicates the percentage of the WAN downlink currently utilized. The default value of 0 indicates that the downlink speed is unknown or unspecified.
- Downlink speed —Indicates the WAN downlink speed in Kbps.
- Uplink load—Indicates the percentage of the WAN uplink currently utilized. The default value of 0 indicates that the downlink speed is unknown or unspecified.
- Uplink speed—Indicates the WAN uplink speed in Kbps.
Table 57: Hotspot Configuration Parameters
Parameter / Description
- personal-device — This network is accessible for personal devices. For example, a laptop or camera configured with a printer for the purpose of printing. The corresponding integer value for this network type is 4.
- emergency-services —This network is limited to accessing emergency services only. The corresponding integer value for this network type is 5.
- test — This network is used for test purposes only.
Table 57: Hotspot Configuration Parameters
Parameter / Description
- factory-and-industrial
- institutional
- mercantile
- outdoor
- residential
- storage
- utility-and-misc
- vehicular
By default, the business venue group is used.
venue-type: Specify a venue type to be advertised in the ANQP IEs from W-IAPs associated with this hotspot profile. For more information about the supported venue types for each venue group, see Table 56.
(Instant Access Point)(SSID Profile # vlan
(Instant Access Point)(SSID Profile # set-vlan {equals|not-equals| starts-with| ends-with| contains} | value-of}
(Instant Access Point)(SSID Profile # opmode {wpa2-aes|wpa-tkip,wpa2-aes}
(Instant Access Point)(SSID Profile # blacklist
(Instant Access Point)(SSID Profile # mac-authentication
(Instant Access Point)(SSID Profile # l2-auth-failthrough
(Instant Access Point)(SSID Profile
(Instant Access Point)(config)# hotspot anqp-domain-name-profile dn1
(Instant Access Point)(domain-name "dn1")# domain-name DomainName
(Instant Access Point)(domain-name "dn1")# exit
(Instant Access Point)(config)# hotspot h2qp-oper-name-profile on1
(Instant Access Point)(operator-friendly-name"on1")# op-lang-code eng
(Instant Access Point)(operator-friendly-name"on1")# op-fr-name OperatorFriendlyName
(Instant Access Point)(operator-friendly-name"on1")# exit
Step 2: Creating a hotspot profile
(Instant Access Point)(SSID Profile "ssidProfile1")# radius-reauth-interval 20
(Instant Access Point)(SSID Profile "ssidProfile1")# max-authentication-failures 2
(Instant Access Point)(SSID Profile "ssidProfile1")# set-role-by-ssid
(Instant Access Point)(SSID Profile "ssidProfile1")# hotspot-profile hs1
(Instant Access Point)(SSID Profile "ssidProfile1")# end
(Instant Access Point)# commit apply
Chapter 29 Extended Voice and Video
Dell W-Instant has the added ability to identify and prioritize voice and video traffic from applications such as Microsoft Office Communications Server (OCS) and Apple Facetime.
QoS for Microsoft Office OCS and Apple Facetime
Voice and video devices use a signaling protocol to establish, control, and terminate voice and video calls. These control or signaling sessions are usually permitted using pre-defined ACLs.
Chapter 30 Dynamic CPU Management
This chapter provides the following information:
- Dynamic CPU Management
- Configuring for Dynamic CPU Management
Dynamic CPU Management
W-IAPs perform various functions such as wireless client connectivity and traffic flows, wired client connectivity and traffic flows, wireless security, network management, and location tracking. Like with any network element, a W-IAP can be subject to heavy loads.
Chapter 31 Link Aggregation Control Protocol for W-IAP220 Series
W-IAP220 Series supports the IEEE 802.11ac standard for high-performance WLAN. To support maximum traffic, port aggregation is required as it increases throughput and enhances reliability. To support port aggregation, Dell W-Instant supports Link Aggregation Control Protocol (LACP) based on the IEEE 802.3ad standard. 802.
Chapter 32 W-IAP Management
This section provides information on the following procedures:
- Configuring LED Display
- Backing up and Restoring W-IAP Configuration Data
- Converting a W-IAP to a Remote AP and Campus AP
- Resetting a Remote AP or Campus AP to a W-IAP
- Rebooting the W-IAP
Configuring LED Display
The LED display is always in the Enabled mode during a W-IAP reboot.
1. Navigate to the Maintenance > Configuration page.
2. Click Backup Configuration.
3. Click Continue to confirm the backup. The instant.cfg containing the W-IAP configuration data is saved in your local file system.
4. To view the configuration that is backed up by the W-IAP, enter the following command at the command prompt:
(Instant Access Point)# show backup-config
Restoring Configuration
To restore configuration:
1. Navigate to the Maintenance > Configuration page.
2. Click Restore Configuration.
A mesh point cannot be converted to Remote AP, because mesh access points do not support VPN connection. A W-IAP can be converted to a Campus AP and Remote AP only if the controller is running Dell W-Instant 6.1.4 or later. The following table describes the supported W-IAP platforms and minimal Dell W-Instant version required for the Campus AP or Remote AP conversion.
Figure 108 - Convert options

3. Select Remote APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname (fully qualified domain name) or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. Contact your local network administrator to obtain the IP address. Ensure that the mobility controller IP address is reachable by the W-IAPs.
5. Click Convert Now to complete the conversion.
3. Select Campus APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname, Fully Qualified Domain Name (FQDN), or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. Contact your local administrator to obtain these details.
5. Ensure that the W-IAPs can access the mobility controller IP address.
6. Click Convert Now to complete the conversion.
3. Power on the W-IAP without releasing the reset button. The power LED flashes within 5 seconds, indicating that the reset is completed.
4. Release the reset button. The W-IAP reboots with the factory default settings.

All APs have a reset button, except W-IAP175P/175AC. Contact Dell support for resetting these W-IAPs.

Rebooting the W-IAP

If you encounter any problem with the W-IAPs, you can reboot all W-IAPs or selected W-IAPs in a network using the Dell W-Instant UI.

To reboot a W-IAP: 1.
Chapter 33 Monitoring Devices and Logs

This chapter provides the following information:
- Configuring SNMP
- Configuring a Syslog Server
- Configuring TFTP Dump Server
- Running Debug Commands from the Dell W-Instant UI

Configuring SNMP

This section provides the following information:
- SNMP Parameters for W-IAP
- Configuring SNMP
- Configuring SNMP Traps

SNMP Parameters for W-IAP

Dell W-Instant supports SNMPv
Configuring SNMP

This section describes the procedure for configuring SNMPv1, SNMPv2, and SNMPv3 community strings using the Dell W-Instant UI or CLI.

Creating community strings for SNMPv1 and SNMPv2 Using Dell W-Instant UI

To create community strings for SNMPv1 and SNMPv2:
1. Click the System link at the top right corner of the Dell W-Instant main window. The System window is displayed.
2. Click the Monitoring tab. The following figure shows the SNMP configuration parameters displayed in the Monitoring tab.
Figure 113 SNMPv3 User

4. Enter the name of the user in the Name text box.
5. Select the type of authentication protocol from the Auth protocol drop-down list.
6. Enter the authentication password in the Password text box and retype the password in the Retype text box.
7. Select the type of privacy protocol from the Privacy protocol drop-down list.
8. Enter the privacy protocol password in the Password text box and retype the password in the Retype text box.
9. Click OK.
10.
Configuring SNMP Traps

Dell W-Instant supports the configuration of external trap receivers. Only the W-IAP acting as the Virtual Controller generates traps. The OID of the traps is 1.3.6.1.4.1.14823.2.3.3.1.200.2.X.

You can configure SNMP traps using the Dell W-Instant UI or CLI.

In the Dell W-Instant UI

To configure an SNMP trap receiver:
1. Navigate to System > Show advanced options > Monitoring. The Monitoring window is displayed.
2. Under SNMP Traps, enter a name in the SNMP Engine ID text box.
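A receiver-side check for the trap behaviour described above, as an added example that is not part of the guide or of Dell/Aruba code: it matches incoming trap OIDs against the 1.3.6.1.4.1.14823.2.3.3.1.200.2.X subtree and flags any that do not come from the Virtual Controller address. The log-line format, the sample addresses and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Trap subtree quoted in the guide: 1.3.6.1.4.1.14823.2.3.3.1.200.2.X
TRAP_PREFIX = (1, 3, 6, 1, 4, 1, 14823, 2, 3, 3, 1, 200, 2)

# Constructed receiver log lines, "<source-ip> <trap-oid>" (format is an assumption).
SAMPLE_LINES = [
    "192.0.2.10 1.3.6.1.4.1.14823.2.3.3.1.200.2.5",    # VC, inside the subtree
    "192.0.2.10 .1.3.6.1.4.1.14823.2.3.3.1.200.2.12",  # leading-dot notation
    "192.0.2.77 1.3.6.1.4.1.14823.2.3.3.1.200.2.5",    # subtree, but not the VC
    "192.0.2.10 1.3.6.1.4.1.14823.2.3.3.1.200.20.1",   # string-prefix lookalike
    "192.0.2.10 1.3.6.1.6.3.1.1.5.3",                  # generic linkDown trap
    "garbage line",
]

def parse_oid(text):
    """Return the OID as a tuple of ints, or None if it is malformed."""
    parts = text.strip().lstrip(".").split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def instant_trap_id(oid):
    """Return X for an OID under TRAP_PREFIX, else None."""
    n = len(TRAP_PREFIX)
    # Integer components are compared, so ...200.20 does not match ...200.2.
    if len(oid) <= n or oid[:n] != TRAP_PREFIX:
        return None
    return oid[n]

def triage(lines, vc_ip):
    """Return (verdict, source, X) per line for the expected VC address."""
    vc = ipaddress.ip_address(vc_ip)
    results = []
    for line in lines:
        fields = line.split()
        try:
            src = ipaddress.ip_address(fields[0])
            oid = parse_oid(fields[1])
        except (ValueError, IndexError):
            oid = None
        if oid is None:
            results.append(("malformed", None, None))
            continue
        trap_id = instant_trap_id(oid)
        # Only the Virtual Controller should emit traps in this subtree.
        verdict = "other" if trap_id is None else (
            "vc" if src == vc else "unexpected-source")
        results.append((verdict, str(src), trap_id))
    return results
```

A naive string `startswith` test on the OID would accept the `...200.20.1` line; the component-wise comparison rejects it.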
Figure 114 Syslog Server

4. In the Syslog server text box, enter the IP address of the server to which you want to send system logs.
5. Select the required values to configure syslog facility levels. Syslog Facility is an information field associated with a syslog message. It is an application or operating system component that generates a log message. The following seven facilities are supported by Syslog:
   - AP-Debug — Detailed log about the AP device.
Logging Level    Description
Warning          Warning messages.
Notice           Significant events of a non-critical and normal nature. The default value for all Syslog facilities.
Informational    Messages of general interest to system users.
Debug            Messages containing information useful for debugging.

6. Click OK.
Running Debug Commands from the Dell W-Instant UI

To run the debugging commands from the Dell W-Instant UI:
1. Navigate to More > Support at the top right corner of the Dell W-Instant main window. The Support window is displayed.
2. Select the required option from the Command drop-down list.
3. Select All Access Points or Instant Access Point (VC) from the Target drop-down list.
4. Click Run.
- AP Crash Info — Displays crash log information (if it exists) for the W-IAP. The stored information is cleared from the flash after the AP reboots.
- AP Current Time — Displays the current time configured on the W-IAP.
- AP Current Timezone — Displays the current time zone configured on the W-IAP.
- AP Datapath ACL Table Allocation — Displays ACL table allocation details for the W-IAP.
- AP Datapath ACL Tables — Displays the list of ACL rules configured for the SSID and Ethernet port profiles.
- AP Log Sapd — Displays SAPd logs.
- AP Log Security — Displays security logs of the W-IAP.
- AP Log System — Displays system logs of the W-IAP.
- AP Log Tunnel Status Management — Displays tunnel status.
- AP Log Upgrade — Displays image download and upgrade details for the W-IAP.
- AP Log User-Debug — Displays user-debug logs of the W-IAP.
- AP Log User — Displays user logs of the W-IAP.
- AP Log VPN Tunnel Log — Displays VPN tunnel status for the W-IAP.
- AP Shaping Table — Displays shaping information for clients associated with the W-IAP.
- AP Sockets — Displays socket information for the W-IAP.
- AP STM Configuration — Displays STM configuration details for each SSID profile configured on the W-IAP.
- AP System Status — Displays detailed system status information for the W-IAP.
- AP System Summary — Displays the W-IAP configuration.
- AP Swarm State — Displays details of the W-IAP cluster to which the AP is connected.
- VC L2TPv3 config — Displays the L2TPv3 configuration status.
- VC L2TPv3 tunnel status — Displays the L2TPv3 tunnel status.
- VC L2TPv3 tunnel configuration — Displays the L2TPv3 tunnel configuration status.
- VC L2TPv3 session status — Displays the L2TPv3 session configuration status.
- VC L2TPv3 system wide global statistics — Displays the L2TPv3 system statistics.
- VC OpenDNS Configuration and Status — Displays configuration details and status of the OpenDNS server.
Chapter 34 Regulatory Domain

IEEE 802.11b/g/n Wi-Fi networks operate in the 2.4 GHz spectrum and IEEE 802.11a/n networks operate in the 5.0 GHz spectrum. The spectrum is divided into channels. The 2.4 GHz spectrum is divided into 14 overlapping, staggered 20 MHz wireless carrier channels. These channels are spaced 5 MHz apart. The 5 GHz spectrum is divided into more channels. The channels that can be used in a particular country differ based on the regulations of that country.
Code    Country Name
CA      Canada
CH      Switzerland
CL      Chile
CN      China
CO      Colombia
CR      Costa Rica
CS      Serbia and Montenegro
CY      Cyprus
CZ      Czech Republic
DE      Germany
DK      Denmark
DO      Dominican Republic
DZ      Algeria
EC      Ecuador
EE      Estonia
EG      Egypt
ES      Spain
FI      Finland
FR      France
GB      United Kingdom
GR      Greece
GT      Guatemala
HK      Hong Kong
HN      Honduras
ID      Indonesia
IE      Ireland
IN      India
IS      Iceland
IT      Italy
JM      Jamaica
JO      Jordan
JP      Japan
KE      Kenya
KR      Republic of Korea (South Korea)
KW      Kuwait
LB      Lebanon
LI      Liechtenstein
LK      Sri Lanka
LT      Lithuania
LU      Luxembourg
MA      Morocco
MU      Mauritius
MX      Mexico
NL      Netherlands
NO      Norway
NZ      New Zealand
OM      Oman
PA      Panama
PE      Peru
PH      Philippines
PK      Islamic Republic of Pakistan
PL      Poland
PR      Puerto Rico
PT      Portugal
QA      Qatar
RO      Romania
RU      Russia
SA      Saudi Arabia
SG      Singapore
SI      Slovenia
SK      Slovak Republic
SV      El Salvador
TH      Thailand
TN      Tunisia
TR      Turkey
TT      Trinidad and Tobago
TW      Taiwan
UA      Ukraine
US      United States
UY      Uruguay
VE      Venezuela
VN      Vietnam
ZA      South Africa
ClearPass Guest Setup

To configure ClearPass Guest:
1. On ClearPass Guest, navigate to Administration > AirGroup Services.
2. Click Configure AirGroup Services.

Figure 116 Configure AirGroup Services

3. Click Add a new controller.
4. Update the fields with the appropriate information. Ensure that the port configured matches the CoA port (RFC 3576) set on the W-IAP configuration.
5. Click Save Configuration.
Figure 118 Create an AirGroup Administrator

4. In this example, the password used is test123. Click Add.
5. Now click Add User, and create an AirGroup Operator.

Figure 119 Create an AirGroup Operator

6. Click Add to save the user with an AirGroup Operator role. The AirGroup Administrator and AirGroup Operator IDs will be displayed in the Local Users UI screen.
Figure 120 Local Users UI Screen

7. Navigate to the ClearPass Guest UI and click Logout. The ClearPass Guest Login page is displayed. Use the AirGroup admin credentials to log in.
8. After logging in, click Create Device.

Figure 121 Create a Device

The following page is displayed.

Figure 122 - Register Shared Device

For this test, add your AppleTV device name and MAC address but leave all other fields empty.
9. Click Register Shared Device.

Testing

To verify the setup:
1. Disconnect your AppleTV and OS X Mountain Lion/iOS 6 devices if they were previously connected to the wireless network. Remove their entries from the controller’s user table using these commands:
   - Find the MAC address — show user table
   - Delete the address from the table — aaa user delete mac 00:aa:22:bb:33:cc
2. Reconnect both devices.
Terminology

Acronyms and Abbreviations

The following table lists the abbreviations used in this user guide.
Table 65: List of abbreviations

Abbreviation    Expansion
PEAP            Protected Extensible Authentication Protocol
PEM             Privacy Enhanced Mail
PoE             Power over Ethernet
RADIUS          Remote Authentication Dial In User Service
VC              Virtual Controller
VSA             Vendor-Specific Attributes
WLAN            Wireless Local Area Network

Glossary

The following table lists the terms and their definitions used in this guide.

Table 66: List of Terms

Term    Definition
802.
AP    An access point (AP) connects users to other users within the network and also can serve as the point of interconnection between the WLAN and a fixed wire network. The number of access points a WLAN needs is determined by the number of users and the size of the network.
access point mapping    The act of locating and possibly exploiting connections to WLANs while driving around a city or elsewhere.
fixed wireless    Wireless devices or systems in fixed locations such as homes and offices. Fixed wireless devices usually derive their electrical power from the utility mains, unlike mobile wireless or portable wireless which tend to be battery-powered. Although mobile and portable systems can be used in fixed locations, efficiency and bandwidth are compromised compared with fixed systems.
Wi-Fi    A term for certain types of WLANs. Wi-Fi can apply to products that use any 802.11 standard. Wi-Fi has gained acceptance in many businesses, agencies, schools, and homes as an alternative to a wired LAN. Many airports, hotels, and fast-food facilities offer public access to Wi-Fi networks.
WEP    Wired equivalent privacy (WEP) is a security protocol specified in 802.