Concept Guide
225 | VPN Configuration Dell Networking W-Series Instant 6.5.1.0-4.3.1.0 | User Guide
Supported VPN Protocols
Instant supports the following VPN protocols for remote access:
VPN Protocol: Dell IPsec
Description: IPsec is a protocol suite that secures IP communications by authenticating and encrypting each IP packet of a communication session.
You can configure an IPsec tunnel to ensure that the data flow between the networks is encrypted. Alternatively, you can configure a split tunnel to encrypt only the corporate traffic.
When IPsec is configured, ensure that you add the W-IAP MAC addresses to the whitelist database stored on the controller or an external server. IPsec supports Local, L2, and L3 modes of IAP-VPN operations.
NOTE: The W-IAPs support IPsec only with Dell controllers.

VPN Protocol: Layer-2 (L2) GRE
Description: Generic Routing Encapsulation (GRE) is a tunnel protocol for encapsulating multicast, broadcast, and L2 packets between a GRE-capable device and an endpoint. W-IAPs support the configuration of an L2 GRE (Ethernet over GRE) tunnel with a Dell controller to encapsulate the packets sent and received by the W-IAP.
You can use the GRE configuration for L2 deployments when there is no encryption requirement between the W-IAP and controller for client traffic.
W-IAPs support two types of GRE configuration:
- Manual GRE: The manual GRE configuration sends unencrypted client traffic with an additional GRE header and does not support failover. When manual GRE is configured on the W-IAP, ensure that the GRE tunnel settings are enabled on the controller.
- Aruba GRE: With Aruba GRE, no configuration on the controller is required except for adding the W-IAP MAC addresses to the whitelist database stored on the controller or an external server. Aruba GRE reduces manual configuration when Per-AP tunnel configuration is required and supports failover between two GRE endpoints.
NOTE: W-IAPs support manual and Aruba GRE configuration only for L2 mode of operations. Aruba GRE configuration is supported only on Dell controllers.

VPN Protocol: L2TPv3
Description: The Layer 2 Tunneling Protocol version 3 (L2TPv3) feature allows the W-IAP to act as an L2TP Access Concentrator (LAC) and tunnel all wireless clients' L2 traffic from the W-IAP to the L2TP Network Server (LNS). In a Centralized, L2 model, the VLAN on the corporate side is extended to remote branch sites. Wireless clients associated with a W-IAP get the IP address from the DHCP server running on the LNS. For this, the W-IAP has to transparently allow DHCP transactions through the L2TPv3 tunnel.

Table 49: VPN Protocols
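As an added illustration of the GRE and IPsec rows above (not part of the Dell guide), the following Python example parses an outer IPv4 packet and shows that a client frame carried in Ethernet over GRE is readable on the path, while an ESP payload exposes nothing comparable. The packets, addresses, MAC values and GRE key are constructed samples, the function names are hypothetical, and only the IP-encapsulated form of L2TPv3 is recognized.

```python
import struct
# IANA IP protocol numbers for the tunnel types in Table 49 (L2TPv3: IP mode only).
TUNNELS = {47: "GRE", 50: "IPsec ESP", 115: "L2TPv3 over IP"}
GRE_TEB = 0x6558  # GRE protocol type "Transparent Ethernet Bridging" = Ethernet over GRE

def parse_gre(gre: bytes):
    """Decode a GRE header (RFC 2784/2890); return (protocol_type, key, payload)."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    off, key = 4, None
    if flags & 0x8000:  # C bit: checksum + reserved word
        off += 4
    if flags & 0x2000:  # K bit: 32-bit key
        key = int.from_bytes(gre[off:off + 4], "big")
        off += 4
    if flags & 0x1000:  # S bit: sequence number
        off += 4
    if len(gre) < off:
        raise ValueError("truncated GRE options")
    return proto, key, gre[off:]

def inspect_tunnel(packet: bytes) -> dict:
    """Classify an outer IPv4 packet and report what an on-path observer can read."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    out = {"tunnel": TUNNELS.get(proto, "other"), "cleartext": None}
    if proto == 47:
        gre_proto, out["gre_key"], inner = parse_gre(packet[ihl:])
        if gre_proto == GRE_TEB and len(inner) >= 14:  # inner Ethernet header present
            out["cleartext"] = {"client_mac": inner[6:12].hex(":"), "payload": inner[14:],
                                "ethertype": hex(int.from_bytes(inner[12:14], "big"))}
    return out

def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed 20-byte outer header (documentation addresses, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])) + payload

# Constructed samples: one client frame bridged over keyed GRE, one ESP packet.
FRAME = bytes.fromhex("020000000002" "020000000001" "0800") + b"constructed client data"
GRE_SAMPLE = ipv4(47, struct.pack("!HHI", 0x2000, GRE_TEB, 100) + FRAME)
ESP_SAMPLE = ipv4(50, struct.pack("!II", 0x1001, 1) + bytes(range(32)))

if __name__ == "__main__":
    print(inspect_tunnel(GRE_SAMPLE), inspect_tunnel(ESP_SAMPLE), sep="\n")
```

Run against frames exported from a capture on the uplink, a non-empty `cleartext` result marks tunnels where client traffic depends on some other layer for confidentiality.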
Configuring a Tunnel from a W-IAP to a Mobility Controller
W-IAP supports the configuration of tunneling protocols such as Generic Routing Encapsulation (GRE), IPsec,
and L2TPv3. This section describes the procedure for configuring VPN host settings on a W-IAP to enable
communication with a controller in a remote location:
- Configuring an IPsec Tunnel on page 226
- Configuring an L2-GRE Tunnel on page 227
- Configuring an L2TPv3 Tunnel on page 230