User Guide Dell Networking W-Series Instant 6.4.3.1-4.2.0.
Copyright © 2015 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Contents
About this Guide 27
Intended Audience 27
Related Documents 27
Conventions 27
Contacting Dell 28
About Instant 29
Instant Overview 29
Supported AP Platforms 29
Instant UI 31
Instant CLI 32
What is New in this Release 32
Support for New W-IAP Devices 34
No Support for W-IAP92/93 35
Setting up a W-IAP 36
Setting up Instant Network 36
Connecting a W-IAP 36
Assigning an IP address to the W-IAP 36
Assigning a Static IP 37
Connecting to a Provisioning Wi-Fi Network 37
W-
Pre-requisites 43
Configuring Managed Mode Parameters 44
  Example 45
Verifying the Configuration 45
Instant User Interface 47
Login Screen 47
Viewing Connectivity Summary 47
Language 47
Logging into the Instant UI 47
Main Window 48
Banner 48
Search 48
Tabs 48
Networks Tab 49
Access Points Tab 49
Clients Tab 50
Links 50
New Version Available 50
System 51
RF 51
Security 51
Maintenance 52
More 52
VPN 53
IDS 53
Wired 54
Services 55
DHCP Server 56
Support
Usage Trends 61
Mobility Trail 67
Client Match 67
AppRF 68
Spectrum 68
Alerts 69
IDS 73
AirGroup 74
Configuration 74
W-AirWave Setup 75
Pause/Resume 75
Views 75
Initial Configuration Tasks 77
Basic Configuration Tasks 77
Modifying the W-IAP Name 77
  In the Instant UI 78
  In the CLI 78
Updating Location Details of a W-IAP 78
  In the Instant UI 78
  In the CLI 78
Configuring a Preferred Band 78
  In the Instant UI 78
  In the CLI 78
Configuring Virtual Controller IP Address 7
  In the Instant UI 80
  In the CLI 80
Additional Configuration Tasks 81
Configuring Virtual Controller Network Settings 81
  In the Instant UI 81
  In the CLI 82
Configuring Auto Join Mode 82
Enabling or Disabling Auto Join Mode 82
  In the Instant UI 82
  In the CLI 83
Configuring Terminal Access 83
  In the Instant UI 83
  In the CLI 83
Configuring Console Access 83
  In the Instant UI 83
  In the CLI 83
Configuring LED Display 84
  In the Instant UI 84
  In the CLI 84
Configuring Additional WLAN
  In the Instant UI 88
  In the CLI 88
Configuring Zone Settings on a W-IAP 88
  In the Instant UI 88
  In the CLI 89
Specifying a Method for Obtaining IP Address 89
  In the Instant UI 89
  In the CLI 89
Configuring External Antenna 89
EIRP and Antenna Gain 89
Configuring Antenna Gain 90
  In the Instant UI 90
  In the CLI 90
Configuring Radio Profiles for a W-IAP 90
Configuring ARM Assigned Radio Profiles for a W-IAP 91
Configuring Radio Profiles Manually for W-IAP 91
  In the CLI 92
Confi
VLAN Configuration 96
VLAN Pooling 96
Uplink VLAN Monitoring and Detection on Upstream Devices 96
Wireless Network Profiles 97
Configuring Wireless Network Profiles 97
Network Types 97
Configuring WLAN Settings for an SSID Profile 98
  In the Instant UI 98
  In the CLI 101
Configuring VLAN Settings for a WLAN SSID Profile 102
  In the Instant UI 102
  In the CLI 103
Configuring Security Settings for a WLAN SSID Profile 104
Configuring Security Settings for an Employee or Voice Network 104
  In t
BSS Transition Management (802.11v)
Configuring a WLAN SSID for 802.
Types of Captive Portal 127
Walled Garden 128
Configuring a WLAN SSID for Guest Access 128
  In the Instant UI 128
  In the CLI 132
Configuring Wired Profile for Guest Access 133
  In the Instant UI 133
  In the CLI 134
Configuring Internal Captive Portal for Guest Network
  In the Instant UI 135
  In the CLI 137
Configuring External Captive Portal for a Guest Network 138
External Captive Portal Profiles 138
Creating a Captive Portal Profile 138
  In the Instant UI 138
  In the CLI 139
Config
  Example 146
Configuring Captive Portal Roles for an SSID 147
  In the Instant UI 147
  In the CLI 149
Configuring Walled Garden Access 150
  In the Instant UI 150
  In the CLI 150
Disabling Captive Portal Authentication 150
Authentication and User Management 152
Managing W-IAP Users 152
Configuring W-IAP Users 153
  In the Instant UI 153
  In the CLI 154
Configuring Authentication Parameters for Management Users 154
  In the Instant UI 154
  In the CLI 155
Adding Guest Users through the Guest Ma
Configuring an External Server for Authentication 164
  In the Instant UI 164
  In the CLI 168
Enabling RADIUS Communication over TLS 169
Configuring RadSec Protocol 169
  In the UI 169
  In the CLI 170
Associate the Server Profile with a Network Profile 170
  In the CLI 170
Configuring Dynamic RADIUS Proxy Parameters 171
Enabling Dynamic RADIUS Proxy 171
  In the Instant UI 171
  In the CLI 171
Configuring Dynamic RADIUS Proxy Parameters 171
  In the Instant UI 171
  In the CLI 172
Associate
  In the Instant UI 178
  In the CLI 178
Configuring MAC Authentication for Wired Profiles 179
  In the Instant UI 179
  In the CLI 179
Configuring MAC Authentication with 802.1X Authentication 179
Configuring MAC and 802.1X Authentication for a Wireless Network Profile 180
  In the Instant UI 180
  In the CLI 180
Configuring MAC and 802.
Roles and Policies 189
Firewall Policies 189
Access Control List Rules 189
Configuring ACL Rules for Network Services 189
  In the Instant UI 190
  In the CLI 191
  Example 191
Configuring Network Address Translation Rules 192
Configuring a Source NAT Access Rule 192
  In the Instant UI 192
  In the CLI 193
Configuring Source-Based Routing 193
Configuring a Destination NAT Access Rule 193
  In the Instant UI 193
  In the CLI 194
Configuring ALG Protocols 194
  In the Instant UI 194
  In the
  In the CLI 201
Enabling Content Filtering for a Wired Profile 201
  In the Instant UI 201
  In the CLI 201
Configuring Enterprise Domains 201
  In the Instant UI 201
  In the CLI 201
Configuring URL Filtering Policies 202
  In the Instant UI 202
  In the CLI 202
  Example 203
Creating Custom Error Page for Web Access Blocked by AppRF Policies 203
Creating a List of Error Page URLs 203
  In the Instant UI 203
  In the CLI 203
Configuring ACL Rules to Redirect Users to a Specific URL 203
  In the UI
  In the Instant UI 207
  In the CLI 208
  Example 208
Understanding VLAN Assignment 208
Vendor Specific Attributes 209
VLAN Assignment Based on Derivation Rules 210
User Role 211
VLANs Created for an SSID 211
Configuring VLAN Derivation Rules 211
  In the Instant UI 211
  In the CLI 212
  Example 212
Using Advanced Expressions in Role and VLAN Derivation Rules
Configuring a User Role for VLAN Derivation 213
Creating a User VLAN Role 214
  In the Instant UI 214
  In the CLI 214
Assigning Use
VPN Configuration 225
Understanding VPN Features 225
Supported VPN Protocols 226
Configuring a Tunnel from a W-IAP to Dell Networking W-Series Mobility Controller 226
Configuring an IPSec Tunnel 227
  In the Instant UI 227
  In the CLI 228
  Example 228
Configuring an L2-GRE Tunnel 228
Configuring Manual GRE Parameters 228
  In the Instant UI 229
  In the CLI 229
Configuring Dell GRE Parameters 230
  In the Instant UI 230
  In the CLI 231
Configuring an L2TPv3 Tunnel 231
  In the Instant UI 232
Configuring W-IAP and Controller for IAP-VPN Operations 242
Configuring a W-IAP network for IAP-VPN operations 242
Defining the VPN host settings 243
Configuring Routing Profiles 243
Configuring DHCP Profiles 243
Configuring an SSID or Wired Port 244
Enabling Dynamic RADIUS Proxy 244
Configuring Enterprise Domains 244
Configuring a Controller for IAP-VPN Operations
OSPF Configuration 245
VPN Configuration 246
Whitelist Database Configuration 246
VPN Local Pool Configuration 247
Role
  In the CLI 254
Access Point Control 254
  In the Instant UI 254
  In the CLI 256
Verifying ARM Configuration 256
Configuring Radio Settings 257
  In the Instant UI 257
  In the CLI 258
Deep Packet Inspection and Application Visibility 260
Deep Packet Inspection 260
Enabling Application Visibility 260
  In the Instant UI 260
  In the CLI 260
Application Visibility 261
Application Category Charts 261
Application Charts 262
Web Categories Charts 264
Web Reputation Charts 265
Configuring ACL R
QoS for Microsoft Office Lync 274
Microsoft Office Lync 275
Services 276
AirGroup Configuration 276
Multicast DNS and Bonjour® Services 277
DLNA UPnP Support 278
AirGroup Features 279
AirGroup Services 280
AirGroup Components 281
CPPM and ClearPass Guest Features 281
Configuring AirGroup and AirGroup Services on a W-IAP
  In the Instant UI 282
  In the CLI 283
Configuring AirGroup and CPPM interface in Instant 284
Creating a RADIUS Server 284
Assign a Server to AirGroup 284
Configu
  In the CLI 289
Integrating a W-IAP with an XML API interface 289
Integration with Instant 290
Configuring a W-IAP for XML API integration 290
  In the Instant UI 290
  In the CLI 290
CALEA Integration and Lawful Intercept Compliance 290
CALEA Server Integration 291
Traffic Flow from IAP to CALEA Server 291
Traffic Flow from IAP to CALEA Server through VPN 291
Client Traffic Replication 292
Configuring a W-IAP for CALEA Integration 292
Creating a CALEA Profile 292
  In the Instant UI 293
  In
Configuring W-AirWave Information 299
  In the Instant UI 299
  In the CLI 299
Configuring for W-AirWave Discovery through DHCP 299
Enabling DNS-based Discovery of the Provisioning AMP server 300
Standard DHCP option 60 and 43 on Windows Server 2008 300
Alternate Method for Defining Vendor-Specific DHCP Options 304
Uplink Configuration 306
Uplink Interfaces 306
Ethernet Uplink 306
Configuring PPPoE Uplink Profile 307
  In the Instant UI 307
  In the CLI 308
Cellular Uplink 308
Configurin
Intrusion Detection 318
Detecting and Classifying Rogue APs 318
OS Fingerprinting 318
Configuring Wireless Intrusion Protection and Detection Levels 319
Containment Methods 323
Configuring IDS Using CLI 324
Mesh W-IAP Configuration 326
Mesh Network Overview 326
Mesh W-IAPs 326
Mesh Portals 326
Mesh Points 327
Setting up Instant Mesh Network 327
Configuring Wired Bridging on Ethernet 0 for Mesh Point 327
  In the Instant UI 328
  In the CLI 328
Mobility and Client Management 329
Layer
Converting a W-IAP to a Spectrum Monitor 338
  In the Instant UI 338
  In the CLI 339
W-IAP Maintenance 340
Upgrading a W-IAP 340
Upgrading a W-IAP and Image Server 340
Image Management Using W-AirWave 340
Image Management Using Cloud Server 340
Configuring HTTP Proxy on a W-IAP 340
  In the Instant UI 340
  In the CLI 341
Upgrading a W-IAP Using Automatic Image Check 341
Upgrading to a New Version Manually 342
Upgrading an Image Using CLI 342
Backing up and Restoring W-IAP Configuration
  In the Instant UI 354
  In the CLI 354
Configuring a Syslog Server 355
  In the Instant UI 355
  In the CLI 356
Configuring TFTP Dump Server 356
  In the Instant UI 356
  In the CLI 357
Running Debug Commands from the UI 357
Hotspot Profiles 361
Understanding Hotspot Profiles 361
Generic Advertisement Service (GAS) 361
Access Network Query Protocol (ANQP) 362
Hotspot 2.
ClearPass Guest Setup 376
Testing 379
Troubleshooting 379
IAP-VPN Deployment Scenarios 380
Scenario 1—IPSec: Single Datacenter Deployment with No Redundancy 381
  Topology 381
  AP Configuration 381
  AP Connected Switch Configuration 383
  Datacenter Configuration 384
Scenario 2—IPSec: Single Datacenter with Multiple Controllers for Redundancy 385
  Topology 385
  AP Configuration 386
  AP Connected Switch Configuration 388
  Datacenter Configuration 388
Scenario 3—IPSec: Multiple Datacenter De
Chapter 1
About this Guide
This User Guide describes the features supported by Dell Networking W-Series Instant Access Point (W-IAP) and provides detailed instructions for setting up and configuring the Instant network.
Intended Audience
This guide is intended for administrators who configure and use W-IAPs.
Style Type | Description
Italicized text within angle brackets | In the command examples, italicized text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example: # send In this example, you would type "send" at the system prompt exactly as shown, followed by the text of the message you wish to send. Do not type the angle brackets.
[Optional] | Command examples enclosed in brackets are optional. Do not type the brackets.
Chapter 2
About Instant
This chapter provides the following information:
- Instant Overview
- What is New in this Release
Instant Overview
Instant virtualizes Dell Networking W-Series Mobility Controller capabilities on 802.11 access points (APs), creating a feature-rich enterprise-grade wireless LAN (WLAN) that combines affordability and configuration simplicity. Instant is a simple, easy to deploy turn-key WLAN solution consisting of one or more APs.
Each W-IAP model has a minimum required version as shown in Table 3.
W-IAP Platform | Minimum Instant Version
W-IAP108/109 | 6.2.0.0-3.2.0.0 or later
W-IAP3WN/3WNP | 6.1.3.1-3.0.0.0 or later
W-IAP104 | 6.1.3.1-3.0.0.0 or later
W-IAP175AC/175P | 6.1.3.1-3.0.0.0 or later
W-IAP134/135 | 6.1.2.3-2.0.0.0 or later
W-IAP105 | 5.0.3.0-1.0.0.0 or later
W-IAP92/93 | 5.0.3.0-1.0.0.0 to 6.4.2.0-4.1.1.0
W-IAP Model (Reg Domain) | W-IAP###-US (US only) | W-IAP###-JP (Japan only) | W-IAP### (Worldwide except US and Japan) | W-IAP###-RW (Worldwide except US)
W-IAP274/275 | Yes | No | Yes | No
W-IAP224/225 | Yes | No | Yes | No
W-IAP114/115 | Yes | No | Yes | No
W-IAP103 | Yes | No | Yes | No
W-IAP175P/175AC | Yes | Yes | No | Yes
W-IAP134/135 | Yes | Yes | No | Yes
W-IAP108/109 | Yes | Yes | No | Yes
W-IAP155/155P | Yes | Yes | No | Yes
W-IAP3WN/3WNP | Yes | Yes | No | Yes
W-IAP104/105 | Yes | Yes | No | Yes
For information on regulatory do
Instant CLI
The Instant Command Line Interface (CLI) is a text-based interface accessible through a Secure Shell (SSH) session. SSH access requires that you configure an IP address and a default gateway on the W-IAP and connect the W-IAP to your network. This is typically performed when the Instant network on a W-IAP is set up.
What is New in this Release
The following features were introduced in Instant 6.4.3.1-4.2.0.0:
Table 5: New Features
Feature | Description
Mesh Configuration support on 802.
Captive portal support for web servers with HTTP proxy configured | W-IAPs now support the configuration of ports that match your browser configuration. If your browser has a proxy configuration, you can configure a captive portal proxy server or a global proxy server in the guest SSIDs for captive portal clients.
Configurable ESSID in WLAN profile | W-IAPs now support the configuration of the ESSID profile names along with the Name (SSID) field in the WLAN wizard.
configuration file.
Configuring Multiple Exclusion Ranges of IP Subnets | W-IAPs now allow you to configure multiple exclusion ranges of IP subnets in a local, l2 DHCP profile. Based on the size of the subnet and the configured exclusion range, the IP addresses before and after the defined range are excluded.
Table 6: New Hardware Platforms
AP Platform | Description
W-IAP205H | The W-IAP205H is a high-performance, dual-radio wireless and wired access point for small business, hospitality, and branch deployments. This device combines high-performance wireless mobility with Gigabit wired local access to deliver secure network access to dormitories, hotel rooms, classrooms, medical clinics, and multi-tenant environments.
Chapter 3
Setting up a W-IAP
This chapter describes the following procedures:
- Setting up Instant Network on page 36
- Logging in to the Instant UI on page 38
- Accessing the Instant CLI on page 40
Setting up Instant Network
Before installing a W-IAP:
- Ensure that you have an Ethernet cable of the required length to connect a W-IAP to the home router.
- Ensure that you have one of the following power sources:
  - IEEE 802.3af/at-compliant Power over Ethernet (PoE) source.
Assigning a Static IP
To assign a static IP to a W-IAP:
1. Connect a terminal, PC, or workstation running a terminal emulation program to the Console port on the W-IAP.
2. Power on the W-IAP. An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed.
3. Press Enter before the timer expires. The W-IAP goes into the apboot mode.
4. In the apboot mode, use the following commands to assign a static IP to the W-IAP.
Disabling the Provisioning Wi-Fi Network
The provisioning network is enabled by default. Instant provides the option to disable the provisioning network through the console port. Use this option only when you do not want the default SSID instant to be broadcast in your network.
To disable the provisioning network:
1. Connect a terminal or PC/workstation running a terminal emulation program to the Console port on the W-IAP.
2.
When you use a provisioning Wi-Fi network to connect to the Internet, all browser requests are directed to the Instant UI. For example, if you enter example.com in the address field, you are directed to the Instant UI. You can change the default login credentials after the first login.
Regulatory Domains
The IEEE 802.11b/g/n Wi-Fi networks operate in the 2.4 GHz spectrum and IEEE 802.11a/n operates in the 5.0 GHz spectrum. The spectrum is divided into channels. The 2.
Accessing the Instant CLI
Instant supports the use of the Command Line Interface (CLI) for scripting purposes. When you make configuration changes on a master W-IAP in the CLI, all associated W-IAPs in the cluster inherit these changes and subsequently update their configurations. By default, you can access the CLI from the serial port or from an SSH session. You must explicitly enable Telnet access on the W-IAP to access the CLI through a Telnet session.
To revert to the earlier configuration, use the following command in the privileged mode.
Table 8: Sequence-Sensitive Commands
Sequence-Sensitive Command | Corresponding no command
auth-server | no auth-server
Dell Networking W-Series Instant 6.4.3.1-4.2.0.
Chapter 4
Automatic Retrieval of Configuration
This section provides the following information:
- Managed Mode Operations
- Pre-requisites
- Configuring Managed Mode Parameters
- Verifying the Configuration
Managed Mode Operations
W-IAPs support managed mode operations to retrieve the configuration file from a server through the File Transfer Protocol (FTP) or FTP over Secure Sockets Layer (FTPS), and automatically update the W-IAP configuration.
Configuring Managed Mode Parameters
To enable the automatic configuration, perform the steps described in the following table:
Table 9: Managed Mode Commands
Steps | Command
1. Start a CLI session to configure the managed-mode profile for automatic configuration. | (Instant AP)(config)# managed-mode-profile
2. Enable automatic configuration, or specify the user credentials. |
6. Configure the day and time at which the W-IAPs can poll the configuration files from the server. | (Instant AP)(managed-mode-profile)# sync-time <day> <hour> <min> <window>
Based on the expected frequency of configuration changes and maintenance window, you can set the configuration synchronization timeline.
- <day> — Indicates the day; for example, to configure Sunday as the day, specify 01.
If the configuration settings retrieved in the configuration file are incomplete, W-IAPs reboot with the earlier configuration.
Chapter 5
Instant User Interface
This chapter describes the following Instant UI elements:
- Login Screen
- Main Window
Login Screen
The Instant login page allows you to:
- View Instant Network Connectivity summary
- View the Instant UI in a specific language
- Log in to the Instant UI
Viewing Connectivity Summary
The login page also displays the connectivity status to the Instant network.
Main Window
On logging into Instant, the Instant UI Main Window is displayed. The following figure shows the Instant main window:
Figure 4 Instant Main Window
The main window consists of the following elements:
- Banner
- Search
- Tabs
- Links
- Views
Banner
The banner is a horizontal rectangle that appears at the top left corner of the Instant main window. It displays the company name, logo, and Virtual Controller's name.
Networks Tab
This tab displays a list of Wi-Fi networks that are configured in the Instant network. The network names are displayed as links. The expanded view displays the following information about each WLAN SSID:
- Name—Name of the network.
- Clients—Number of clients that are connected to the network.
- Type—Network type, such as Employee, Guest, or Voice.
- Band—Band in which the network is broadcast: 2.4 GHz band, 5 GHz band, or both.
Clients Tab
This tab displays a list of clients that are connected to the Instant network. The client names are displayed as links. The expanded view displays the following information about each client:
- Name—User name of the client or guest user, if available.
- IP Address—IP address of the client.
- MAC Address—MAC address of the client.
- OS—Operating system that runs on the client.
- ESSID—The ESSID to which the client is connected.
- Access Point—Access point to which the client is connected.
System
This link displays the System window. The System window consists of the following tabs. Use the Show/Hide Advanced option at the bottom of the System window to view or hide the advanced options.
- General— Allows you to configure, view, or edit the Name, IP address, NTP Server, and other W-IAP settings for the Virtual Controller.
- Roles— Use this tab to view the roles defined for all the Networks. The Access Rules part allows you to configure permissions for each role. For more information, see Configuring User Roles on page 204 and Configuring ACL Rules for Network Services on page 189.
- Blacklisting— Use this tab to blacklist clients. For more information, see Blacklisting Clients on page 183.
- VPN
- IDS
- Wired
- Services
- DHCP Server
- Support
VPN
The VPN window allows you to define communication settings with a remote Controller. See VPN Configuration on page 225 for more information. The following figure shows an example of the IPSec configuration options available in the VPN window:
Figure 5 VPN window for IPSec Configuration
IDS
The IDS window allows you to configure wireless intrusion detection and protection levels.
Figure 6 IDS Window: Intrusion Detection
Figure 7 IDS Window: Intrusion Protection
For more information on wireless intrusion detection and protection, see Detecting and Classifying Rogue APs on page 318.
Wired
The Wired window allows you to configure a wired network profile. See Wired Profiles on page 119 for more information. The following figure shows the Wired window:
Figure 8 Wired Window
Services
The Services window allows you to configure services such as AirGroup, RTLS, and OpenDNS. The Services window consists of the following tabs:
- AirGroup—Allows you to configure the AirGroup and AirGroup services. For more information, see AirGroup Configuration on page 276.
- RTLS—Allows you to integrate the W-AirWave Management platform or a third-party Real Time Location Server, such as the Aeroscout Real Time Location Server, with Instant.
The following figure shows the default view of the Services window:
Figure 9 Services Window: Default View
DHCP Server
The DHCP Servers window allows you to configure various DHCP modes. The following figure shows the contents of the DHCP Servers window:
Figure 10 DHCP Servers Window
For more information, see DHCP Configuration on page 215.
Support
The Support window consists of the following fields:
- Command— Allows you to select a support command for execution.
- Auto Run— Allows you to configure a schedule for automatic execution of a support command for a specific W-IAP or all W-IAPs.
- Filter—Allows you to filter the contents of a command output.
- Clear—Clears the command output displayed after a command is executed.
- Save— Allows you to save the support command logs as an HTML or text file.
For more information on support commands, see Running Debug Commands from the UI on page 357.
Table 10: Contents of the Info Section in the Instant Main Window
Name | Description
Info section in Virtual Controller view | The Info section in the Virtual Controller view displays the following information:
- Name— Displays the Virtual Controller name.
- Country Code— Displays the Country in which the Virtual Controller is operating.
- Virtual Controller IP address— Displays the IP address of the Virtual Controller.
Info section in Network view |
- Mode—Displays the mode in which the AP is configured to operate.
- Spectrum—Displays the status of the spectrum monitor.
- Clients—Number of clients associated with the W-IAP.
- Type—Displays the model number of the W-IAP.
- Zone—Displays AP zone details.
- CPU Utilization—Displays the CPU utilization in percentage.
- Memory Free—Displays the memory availability of the W-IAP in MB.
Info section in Client view |
Table 11: RF Dashboard Icons
Icon | Name | Description
1 | Signal Icon | Displays the signal strength of the client. Depending on the signal strength of the client, the color of the lines on the Signal bar changes from Green > Orange > Red.
- Green— Signal strength is more than 20 decibels.
- Orange— Signal strength is between 15-20 decibels.
- Red— Signal strength is less than 15 decibels.
To view the signal graph for a client, click on the signal icon next to the client in the Signal column.
RF Trends
The RF Trends section displays the following graphs for the selected AP and the client. To view the details on the graphs, click the graphs and hover the mouse on a data point:
Figure 12 RF Trends for Access Point
Figure 13 RF Trends for Clients
Usage Trends
The Usage Trends section displays the following graphs:
- Clients—In the default view, the Clients graph displays the number of clients that were associated with the Virtual Controller in the last 15 minutes.
Figure 14 Usage Trends Graphs in the Default View
The following table describes the graphs displayed in the Network view:
Table 12: Network View—Graphs and Monitoring Procedures
Graph Name | Description | Monitoring Procedure
Clients | The Clients graph shows the number of clients associated with the network for the last 15 minutes. To see an enlarged view, click the graph. | To check the number of clients associated with the network for the last 15 minutes,
The following table describes the graphs displayed in the Access Point view:
Table 13: Access Point View—Usage Trends and Monitoring Procedures
Graph Name | Description | Monitoring Procedure
Neighboring APs | The Neighboring APs graph shows the number of APs heard by the selected W-IAP:
- Valid APs: An AP that is part of the enterprise providing WLAN service.
| To check the neighboring APs detected by the W-IAP for the last 15 minutes,
2. On the Access Points tab, click the W-IAP for which you want to monitor the client association. The W-IAP view is displayed.
3. Study the Memory free graph in the Overview pane. For example, the graph shows that the free memory of the W-IAP is 64 MB at 12:13 hours.
Clients | The Clients graph shows the number of clients associated with the selected W-IAP for the last 15 minutes.
The following table describes the RF trends graphs available in the client view:
Table 14: Client View—RF Trends Graphs and Monitoring Procedures
Graph Name | Description | Monitoring Procedure
Signal | The Signal graph shows the signal strength of the client for the last 15 minutes. It is measured in decibels. To see an enlarged view, click the graph. | To monitor the signal strength of the selected client for the last 15 minutes,
To see the exact speed at a particular time, move the cursor over the graph line.
Throughput | The Throughput Graph shows the throughput of the selected client for the last 15 minutes.
- Outgoing traffic—Throughput for outgoing traffic is displayed in green. Outgoing traffic is shown above the median line.
- Incoming traffic—Throughput for incoming traffic is displayed in blue.
The following figure shows the client distribution details for an AP radio. Figure 15 Client Distribution on AP Radio On clicking a client in the Clients tab and the Client Match link, a graph is drawn with real-time data points for an AP radio map. When you hover the mouse on the graph, details such as RSSI, channel utilization details, and client count on each channel are displayed.
seen on all channels in the selected band, and hybrid W-IAPs display data from the one channel they are monitoring. For more information on spectrum monitoring, see Spectrum Monitor on page 332.
Alerts
Alerts are generated when a user encounters problems while accessing or connecting to a network. The alerts that are generated can be categorized as follows:
- 802.11 related association and authentication failure alerts
- 802.
Table 15: Types of Alerts
Type of Alert | Description | Information Displayed
Client Alerts | The Client alerts occur when clients are connected to the Instant network. | A client alert displays the following fields:
- Timestamp— Displays the time at which the client alert was recorded.
Active Faults | The Active Faults occur in the event of a system fault. |
Fault History | The Fault History alerts occur in the event of a system fault. |
Figure 19 Fault History
Figure 20 Active Faults
The following table displays a list of alerts that are generated in the W-IAP network:
Table 16: Alerts list
Code | Description | Details | Corrective Actions
100101 | Internal error | The AP has encountered an internal error for this client. | Contact the Dell customer support team.
100102 | Unknown SSID in association request | The AP cannot allow this client to associate because the association request received contains an unknown SSID. |
100104 | Unsupported 802.11 rate | The AP cannot allow this client to associate because it does not support the 802.11 rate requested by this client. | Check the configuration on the W-IAP to see if the desired rate can be supported; if not, consider replacing the W-IAP with another model that can support the rate.
100410 | Integrity check failure in encrypted message | The AP cannot receive data from this client because the integrity check of the received message (MIC) has failed. Recommend checking the encryption setting on the client and on the AP. | Check the encryption setting on the client and on the W-IAP.
100511 | DHCP request timed out | This client did not receive a response to its DHCP request in time. |
  - Last seen— Displays the time when the foreign client was last detected in the network.
  - Where— Provides information about the W-IAP that detected the foreign client. Click the pushpin icon to view the information.
The following figure shows an example for the intrusion detection log.
Figure 21 Intrusion Detection
For more information on the intrusion detection feature, see Intrusion Detection on page 318.
AirGroup
This AirGroup link provides an overall view of your AirGroup configuration.
Figure 23 Configuration Link
W-AirWave Setup
W-AirWave is a solution for managing rapidly changing wireless networks. When enabled, W-AirWave allows you to manage the Instant network. For more information on W-AirWave, see Managing a W-IAP from W-AirWave on page 296. The W-AirWave status is displayed at the bottom of the Instant main window. If the W-AirWave status is Not Set Up, click the Set Up Now link to configure W-AirWave. The System > Admin window is displayed.
- Client view— The Client view provides information that is necessary to monitor a selected client. In the Client view, all the clients in the Instant network are listed in the Clients tab. Click the IP address of the client that you want to monitor. The Client view for that client is displayed.
For more information on the graphs and the views, see Monitoring on page 57.
Chapter 6 Initial Configuration Tasks This chapter describes the general configuration tasks to perform when a W-IAP is set up.
In the Instant UI 1. Navigate to System>General. 2. Specify the name of the W-IAP in the Name text box. 3. Click OK. In the CLI To change the name: (Instant AP)# name Updating Location Details of a W-IAP You can update the physical location details of a W-IAP by using the Instant UI or CLI. The system location details are used for retrieving information through the SNMP sysLocation MIB object. In the Instant UI To update location details: 1. Navigate to System>General. 2.
You can configure the Virtual Controller name and IP address using the Instant UI or CLI. In the Instant UI 1. Navigate to System>General. 2. Enter the IP address in Virtual Controller IP. 3. Click OK. In the CLI To configure the Virtual Controller name and IP address:
(Instant AP)(config)# virtual-controller-ip
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring a Timezone You can configure the time zone in which the W-IAP must operate by using the Instant UI or the CLI.
By default, the W-IAP tries to connect to pool.ntp.org to synchronize time. A different NTP server can be configured from the UI, or it can be provisioned through DHCP option 42. The order of precedence is: a configured NTP server is used if one is set and takes precedence over the DHCP option 42 value; the NTP server provisioned through DHCP option 42 is used if no server is configured; the default server pool.ntp.org is used if no NTP server is either configured or provisioned through DHCP option 42.
- Configuring Auto Join Mode on page 82
- Configuring Terminal Access on page 83
- Configuring Console Access on page 83
- Configuring LED Display on page 84
- Configuring Additional WLAN SSIDs on page 84
- Preventing Inter-user Bridging on page 85
- Preventing Local Routing between Clients on page 86
- Enabling Dynamic CPU Management on page 86
The following figure shows the additional configuration options available under the System>General tab: Configuring Virtual Controller Network Sett
2. To customize the virtual controller network settings, select Custom from the Virtual Controller network settings drop-down list. The fields for configuring virtual controller netmask, gateway, VLAN, and DNS IP are displayed. 3. Enter subnet mask details in Virtual Controller Netmask. 4. Enter a gateway address in Virtual Controller Gateway. 5. To configure a DNS IP address, enter the DNS IP address in Virtual Controller DNS.
1. Navigate to System>General>Show advanced options. 2. Select Disabled or Enabled from the Auto join mode drop-down list to deny or allow APs to join the network. 3. Click OK.
(Instant AP)(config)# console
(Instant AP)(console)# enable
(Instant AP)(console)# end
(Instant AP)# commit apply
To disable console access:
(Instant AP)(config)# console
(Instant AP)(console)# disable
(Instant AP)(console)# end
(Instant AP)# commit apply
To view the console settings:
(Instant AP)# show console-settings
Configuring LED Display The LED display is always in the Enabled mode during a W-IAP reboot. You can enable or disable the LED display for a W-IAP using the Instant UI or CLI.
Enabling the Extended SSID Extended SSID is enabled by default in the factory default settings of APs. This disables mesh in the factory default settings. You can configure additional SSIDs by using the Instant UI or CLI. In the Instant UI 1. Navigate to System>General>Show advanced options link. 2. On the General tab, select Enabled from the Extended SSID drop-down list. 3. Click OK. 4. Reboot the W-IAP to apply the changes.
Preventing Local Routing between Clients If you have security and traffic management policies defined in upstream devices, you can disable routing traffic between two clients connected to the same W-IAP on different VLANs. When local routing is disabled, the clients can connect to the Internet but cannot communicate with each other, and the routing traffic between the clients is sent to the upstream device to make the forwarding decision. You can disable local routing through the Instant UI or CLI.
In the CLI
(Instant AP)(config)# dynamic-cpu-mgmt {auto|enable|disable}
Chapter 7 Customizing W-IAP Settings This chapter describes the procedures for configuring settings that are specific to a W-IAP in the cluster.
2. Click the edit link. The edit window for modifying W-IAP details is displayed. 3. Specify the AP zone in Zone. 4. Click OK. In the CLI To configure the zone: (Instant AP)# zone Specifying a Method for Obtaining IP Address You can either specify a static IP address or allow the W-IAP to obtain an IP address from the DHCP server. By default, the W-IAPs obtain an IP address from the DHCP server. You can specify a static IP address for the W-IAP by using the Instant UI or CLI. In the Instant UI 1.
Table 17: Formula Variable Definitions
Formula Element: EIRP — Description: Limit specific for each country of deployment
Formula Element: Tx RF Power — Description: RF power measured at the RF connector of the unit
Formula Element: GA — Description: Antenna gain
Formula Element: FL — Description: Feeder loss
Example For example, the maximum gain that can be configured on a W-IAP134 with AP-ANT-1F dual-band and omnidirectional antenna is as follows:
Table 18: Maximum Antenna Gains
Frequency Band: 2.4-2.5 GHz — Gain (dBi): 2.0 dBi
Frequency Band: 4.9–5.875 GHz — Gain (dBi): 5.
Configuring ARM Assigned Radio Profiles for a W-IAP To enable ARM assigned radio profiles: 1. On the Access Points tab, click the W-IAP to modify. The edit link is displayed. 2. Click the edit link. The edit window for modifying W-IAP details is displayed. 3. Click the Radio tab. The Radio tab details are displayed. 4. Select the Access mode. 5. Select the Adaptive radio management assigned option under the bands that are applicable to the W-IAP configuration. 6. Click OK.
4. Click OK. In the CLI To configure a radio profile: (Instant AP)# wifi0-mode {||} (Instant AP)# wifi1-mode {||} If the access mode is configured, you can configure the channel and transmission power by running the following commands: (Instant AP)# a-channel (Instant AP)# g-channel Configuring Uplink VLAN for a W-IAP Instant supports a management VLAN for the uplink traffic on a W-IAP.
In the Instant UI To change the USB port status: 1. From the Access Points tab, click the W-IAP to modify. The edit link is displayed. 2. Click the edit link. The edit window for modifying W-IAP details is displayed. 3. Click the Uplink tab. 4. Set the port status by selecting any of the following options:
- Disabled—To disable the port status.
- Enabled—To re-enable the port status.
5. Click OK. 6. Reboot the W-IAP.
- When a W-IAP without a 3G/4G card is already elected as the Virtual Controller and is up for more than 5 minutes, the Virtual Controller will not be replaced until it goes down. W-IAP135 is preferred over W-IAP105 when a Virtual Controller is elected.
Preference to a W-IAP with Non-Default IP The Master Election Protocol prefers a W-IAP with a non-default IP when electing a Virtual Controller for the Instant network during initial startup.
In the CLI To provision a W-IAP as a master W-IAP:
(Instant AP)# iap-master
To verify if the W-IAP is provisioned as master IAP:
(Instant AP)# show ap-env
Antenna Type:Internal
Iap_master:1
Adding a W-IAP to the Network To add a W-IAP to the Instant network, assign an IP address. For more information, see Assigning an IP address to the W-IAP on page 36.
Chapter 8 VLAN Configuration VLAN configuration is required for networks with more devices and broadcast traffic on a WLAN SSID or wired profile. Based on the network type and its requirements, you can configure the VLANs for a WLAN SSID or wired port profile. For more information on VLAN configuration for a WLAN SSID and wired port profile, see Configuring VLAN Settings for a WLAN SSID Profile on page 102 and Configuring VLAN for a Wired Profile on page 120.
Chapter 9 Wireless Network Profiles This chapter provides the following information:
- Configuring Wireless Network Profiles on page 97
- Configuring Fast Roaming for Wireless Clients on page 113
- Editing Status of a WLAN SSID Profile on page 117
- Editing a WLAN SSID Profile on page 117
- Deleting a WLAN SSID Profile on page 118
Configuring Wireless Network Profiles During start up, a wireless client searches for radio signals or beacon frames that originate from the nearest W-IAP.
Configuring WLAN Settings for an SSID Profile You can configure WLAN settings using the Instant UI or CLI. In the Instant UI To configure WLAN settings: 1. In the Networks tab of the Instant main window, click the New link. The New WLAN window is displayed. The following figure shows the contents of the WLAN Settings tab: Figure 27 WLAN Settings Tab 2. Enter a name that uniquely identifies a wireless network in the Name (SSID) text box.
Table 20: WLAN Configuration Parameters
Parameter: Broadcast filtering — Description: Select any of the following values:
- All—When set to All, the W-IAP drops all broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols.
The following constraints apply to the zone configuration:
- A W-IAP can belong to only one zone and only one zone can be configured on an SSID.
- If an SSID belongs to a zone, all W-IAPs in this zone can broadcast this SSID. If no W-IAP belongs to the zone configured on the SSID, the SSID is not broadcast.
Parameter: Bandwidth Limits
Parameter: Wi-Fi Multimedia (WMM) traffic management
Parameter: Inactivity timeout — Description: Specify an interval for session timeout in seconds, minutes or hours. If a client session is inactive for the specified duration, the session expires and the users are required to log in again. You can specify a value within the range of 60-86400 seconds or up to 24 hours for a client session. The default value is 1000 seconds.
(Instant AP)(SSID Profile )# wmm-video-share
(Instant AP)(SSID Profile )# wmm-voice-dscp
(Instant AP)(SSID Profile )# wmm-voice-share <
(Instant AP)# commit apply
3. Based on the type client IP assignment mode selected, you can configure the VLAN assignment for clients as described in the following table: Table 21: IP and VLAN Assignment for WLAN SSID Clients Client IP Assignment Client VLAN Assignment Virtual Controller assigned If Virtual Controller assigned is selected for client IP assignment, the Virtual Controller creates a private subnet and VLAN on the W-IAP for the wireless clients.
(Instant AP)(SSID Profile )# enforce-dhcp
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To create a new VLAN assignment rule:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# set-vlan {{contains|ends-with|equals|matches-regular-expression|not-equals|starts-with} |value-of}
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
Configuring Security Settings for a WLAN SSID Profile This section describes the pro
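The set-vlan rule above selects a client VLAN by comparing an attribute returned by the authentication server against an operand with one of the listed operators, or by taking the attribute's own value (value-of). The following Python evaluator is an added example written for this guide, not Instant's own code: it implements those operators over a constructed attribute dictionary. The attribute names, the rule list, the VLAN numbers and the first-match ordering are assumptions of the example, not product behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# VLAN id range used for sanity checks (the guide gives 1-4093 for native VLAN)
VLAN_MIN, VLAN_MAX = 1, 4093


@dataclass(frozen=True)
class VlanRule:
    attribute: str               # server-returned attribute, e.g. "Filter-Id"
    operator: str                # one of OPERATORS, or "value-of"
    operand: str = ""            # comparison value (ignored for value-of)
    vlan: Optional[int] = None   # VLAN assigned on match (ignored for value-of)


# The comparison operators listed in the set-vlan command on this page.
OPERATORS = {
    "contains": lambda v, o: o in v,
    "ends-with": lambda v, o: v.endswith(o),
    "equals": lambda v, o: v == o,
    "matches-regular-expression": lambda v, o: re.search(o, v) is not None,
    "not-equals": lambda v, o: v != o,
    "starts-with": lambda v, o: v.startswith(o),
}


def derive_vlan(attrs: Dict[str, str], rules: List[VlanRule], default_vlan: int) -> int:
    """Return the VLAN for a client from its server-returned attributes.

    Rules are evaluated in order and the first match wins (an assumption of
    this example); clients matching no rule get default_vlan.
    """
    for rule in rules:
        raw = attrs.get(rule.attribute)
        if raw is None:
            continue  # attribute not returned: this rule cannot match
        value = str(raw)
        if rule.operator == "value-of":
            # value-of: the attribute content itself is the VLAN id
            try:
                vid = int(value)
            except ValueError:
                continue
            if VLAN_MIN <= vid <= VLAN_MAX:
                return vid
            continue  # out-of-range value is ignored rather than assigned
        match = OPERATORS.get(rule.operator)
        if match is None:
            raise ValueError(f"unknown set-vlan operator {rule.operator!r}")
        if match(value, rule.operand):
            if rule.vlan is None:
                raise ValueError("a comparison rule needs a vlan to assign")
            return rule.vlan
    return default_vlan


# Constructed sample rule set (attribute names are illustrative only).
SAMPLE_RULES = [
    VlanRule("Aruba-User-Role", "equals", "contractor", 300),
    VlanRule("Filter-Id", "starts-with", "eng-", 200),
    VlanRule("Filter-Id", "matches-regular-expression", r"^vlan-?\d+$", 250),
    VlanRule("Tunnel-Private-Group-Id", "value-of"),
]

if __name__ == "__main__":
    for attrs in ({"Filter-Id": "eng-lab"},
                  {"Aruba-User-Role": "contractor", "Filter-Id": "eng-lab"},
                  {"Tunnel-Private-Group-Id": "42"},
                  {}):
        print(attrs, "->", derive_vlan(attrs, SAMPLE_RULES, default_vlan=100))
```

Because the first matching rule wins, rule order is part of the security policy: a broad starts-with rule placed before a role-based rule silently overrides it, so order rules from most specific to least specific and keep value-of rules last.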
Figure 29 Security Tab: Enterprise
Figure 30 Security Tab: Personal
Figure 31 Security Tab: Open
2. Based on the security level specified, specify the following parameters:
Table 22: Configuration Parameters for WLAN Security Settings in an Employee or Voice Network
Parameter: Key Management — Description: For the Enterprise security level, select any of the following options from the Key management drop-down list:
- WPA-2 Enterprise
- WPA Enterprise
- Both (WPA-2 & WPA)
- Dynamic WEP with 802.1X—If you do not want to use a session key from the RADIUS server to derive pairwise unicast keys, set Session Key for LEAP to Enabled.
reduce the number of exchange packets between the W-IAP and the authentication server. NOTE: Instant supports the configuration of primary and backup authentication servers in an EAP termination enabled SSID. NOTE: If you are using LDAP for authentication, ensure that AP termination is configured to support EAP.
Parameter: Blacklisting — Description: To enable blacklisting of the clients with a specific number of authentication failures, select Enabled from the Blacklisting drop-down list and specify a value for Max authentication failures. The users who fail to authenticate the number of times specified in the Max authentication failures field are dynamically blacklisted.
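To make the Blacklisting and Max authentication failures behaviour concrete from the defender's side, here is an added Python example (written for this guide, not Instant's implementation) that replays constructed authentication log lines, counts failures per client MAC, and blacklists a client once it reaches the configured maximum. The log format, the blacklist duration and the expiry handling are assumptions of the example; the product's own timers are not described on this page.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log format (assumed, not the W-IAP's real log syntax).
LOG_RE = re.compile(r"auth (?P<result>success|failure) mac=(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")


class AuthBlacklist:
    """Dynamic blacklist keyed on client MAC, driven by authentication failures."""

    def __init__(self, max_failures: int, blacklist_time: float = 3600.0):
        if max_failures < 1:
            raise ValueError("max_failures must be at least 1")
        self.max_failures = max_failures
        self.blacklist_time = blacklist_time          # seconds (assumed duration)
        self.failures: Dict[str, int] = defaultdict(int)
        self.blacklisted: Dict[str, float] = {}      # mac -> expiry timestamp

    def is_blacklisted(self, mac: str, now: float) -> bool:
        """Check membership, lazily expiring entries whose time has elapsed."""
        expiry = self.blacklisted.get(mac)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklisted[mac]
            self.failures.pop(mac, None)  # expiry also resets the counter
            return False
        return True

    def record(self, line: str, now: float) -> str:
        """Process one log line and return what happened to the client."""
        m = LOG_RE.search(line)
        if m is None:
            return "ignored"
        mac = m["mac"].lower()
        if self.is_blacklisted(mac, now):
            return "blocked"                      # attempt while blacklisted
        if m["result"] == "success":
            self.failures.pop(mac, None)          # success clears the counter
            return "ok"
        self.failures[mac] += 1
        if self.failures[mac] >= self.max_failures:
            self.blacklisted[mac] = now + self.blacklist_time
            return "blacklisted"
        return "failure"


# Constructed sample input: one client failing repeatedly, one succeeding.
SAMPLE_LOG = [
    "auth failure mac=aa:bb:cc:dd:ee:01",
    "auth failure mac=aa:bb:cc:dd:ee:01",
    "auth failure mac=aa:bb:cc:dd:ee:01",
    "auth failure mac=aa:bb:cc:dd:ee:01",
    "auth success mac=aa:bb:cc:dd:ee:02",
]


def replay(lines: List[str], max_failures: int = 3, start: float = 1_000_000.0) -> List[str]:
    """Feed lines one second apart and return the per-line outcomes."""
    bl = AuthBlacklist(max_failures)
    return [bl.record(line, start + i) for i, line in enumerate(lines)]


if __name__ == "__main__":
    for line, outcome in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"{outcome:12s} {line}")
```

Note that a blacklist keyed on MAC address is only as strong as the MAC itself, so treat it as a rate limiter that protects the authentication server, not as an identity control; the failure counter reset on success and on expiry keeps a legitimate user from being locked out indefinitely by a transient misconfiguration.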
Parameter: Uppercase support — Description: Set to Enabled to allow the W-IAP to use uppercase letters in the MAC address string for MAC authentication. NOTE: This option is available only if MAC authentication is enabled. — Security Level Type: Enterprise, Personal, and Open security levels.
Parameter: Upload Certificate — Description: Click Upload Certificate and browse to upload a certificate file for the internal server.
(Instant AP)(SSID Profile )# mac-authentication
(Instant AP)(SSID Profile )# l2-auth-failthrough
(Instant AP)(SSID Profile )# auth-survivability
(Instant AP)(SSID Profile )# radius-accounting
(Instant AP)(SSID Profile )# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile )# radius-interim-accounting-interval
(Instant AP)(SSID Profile )# radius-reauth-interval
(Instant AP)(SSID Profile )# max-authenticati
Profile on page 98, Configuring VLAN Settings for a WLAN SSID Profile on page 102, and Configuring Security Settings for a WLAN SSID Profile on page 104. You can configure up to 128 access rules for an employee, voice, or guest network using the Instant UI or CLI. In the Instant UI To configure access rules for an employee or voice network: 1. In the Access Rules tab, set the slider to any of the following types of access control:
- Unrestricted— Select this option to set unrestricted access to the network.
To configure machine and user authentication roles:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# set-role-machine-auth
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To configure unrestricted access:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# set-role-unrestricted
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
Example The following example configures access rules fo
In the Instant UI 1. Navigate to the WLAN wizard (click Network>New or Network> Select the WLAN SSID>edit). 2. Click the Security tab. 3. Slide to Enterprise security level. On selecting a security level, the authentication options applicable to Enterprise network are displayed. 4. Select the WPA-2 Enterprise or Both (WPA-2 & WPA) option from the Key management drop-down list. When any of these encryption types is selected, Opportunistic Key Caching (OKC) is enabled by default. 5.
Fast BSS Transition is operational only if the wireless client supports the 802.11r standard. If the client does not support the 802.11r standard, it falls back to the normal WPA2 authentication method. Configuring a W-IAP for 802.11r support You can configure 802.11r support for a WLAN SSID by using the Instant UI or CLI. In the Instant UI 1. Navigate to the WLAN wizard (click Network>New or Network> Select the WLAN SSID>edit). 2. Click the Security tab. 3. Under Fast Roaming, select the 802.11r checkbox. 4.
Beacon Report Requests and Probe Responses The beacon request frame is sent by an AP to request a client to report the list of beacons heard by the client on all channels.
- The beacon request is sent using the radio measurement request action frame.
- It is sent only to those clients that have the capability to generate beacon reports. The clients indicate their capabilities through the RRM enabled capabilities IE sent in the association request frames.
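The capability check described above can be seen in a small parser. The following Python is an added example (not code from this guide or from Instant) that walks the tagged-parameter section of an association request, extracts the RM Enabled Capabilities element (element ID 70, five octets of capability bits as defined by IEEE 802.11k), and reports whether the client can generate beacon reports. The frame bytes are constructed sample data; the bit positions used (bit 4 passive, bit 5 active, bit 6 table beacon measurement) are the standard's, and the element blob is assumed to already have the fixed association-request fields stripped.

```python
from typing import Dict

RM_ENABLED_CAPABILITIES = 70   # element ID of the RM Enabled Capabilities IE
SSID_ELEMENT = 0
SUPPORTED_RATES = 1

# Bit positions in octet 0 of the RM Enabled Capabilities element (802.11k).
BEACON_PASSIVE = 0x10
BEACON_ACTIVE = 0x20
BEACON_TABLE = 0x40


def parse_ies(tagged: bytes) -> Dict[int, bytes]:
    """Split an information-element blob into {element_id: body}.

    Each element is (id, length, body). A length that runs past the end of
    the buffer is rejected rather than silently truncated, so a malformed
    frame cannot be misread as carrying capabilities it does not declare.
    """
    ies: Dict[int, bytes] = {}
    i = 0
    while i < len(tagged):
        if i + 2 > len(tagged):
            raise ValueError("truncated element header")
        eid, length = tagged[i], tagged[i + 1]
        body = tagged[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError(f"element {eid} claims {length} bytes, only {len(body)} present")
        ies.setdefault(eid, body)   # first occurrence wins
        i += 2 + length
    return ies


def beacon_report_capabilities(tagged: bytes) -> Dict[str, bool]:
    """Decode the beacon-measurement bits a client advertises, if any."""
    caps = {"rrm": False, "beacon_passive": False, "beacon_active": False, "beacon_table": False}
    body = parse_ies(tagged).get(RM_ENABLED_CAPABILITIES)
    if body is None or len(body) < 5:
        return caps                 # no (or malformed) RRM element: treat as legacy client
    octet0 = body[0]
    caps["rrm"] = True
    caps["beacon_passive"] = bool(octet0 & BEACON_PASSIVE)
    caps["beacon_active"] = bool(octet0 & BEACON_ACTIVE)
    caps["beacon_table"] = bool(octet0 & BEACON_TABLE)
    return caps


def can_generate_beacon_report(tagged: bytes) -> bool:
    """True only if the client declared at least one beacon measurement mode."""
    c = beacon_report_capabilities(tagged)
    return c["beacon_passive"] or c["beacon_active"] or c["beacon_table"]


# Constructed samples: SSID "corp", two supported rates, and for the first
# client an RM Enabled Capabilities element with passive+active beacon bits.
RRM_CLIENT = (bytes([SSID_ELEMENT, 4]) + b"corp"
              + bytes([SUPPORTED_RATES, 2, 0x82, 0x84])
              + bytes([RM_ENABLED_CAPABILITIES, 5, BEACON_PASSIVE | BEACON_ACTIVE, 0, 0, 0, 0]))
LEGACY_CLIENT = bytes([SSID_ELEMENT, 4]) + b"corp" + bytes([SUPPORTED_RATES, 2, 0x82, 0x84])

if __name__ == "__main__":
    for name, blob in (("rrm client", RRM_CLIENT), ("legacy client", LEGACY_CLIENT)):
        print(name, beacon_report_capabilities(blob), "send beacon request:", can_generate_beacon_report(blob))
```

The parser deliberately fails closed: a client whose element is missing, short, or whose declared length overruns the buffer is treated as unable to report, which matches the behaviour the guide describes of sending requests only to capable clients.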
In the Instant UI 1. Navigate to the WLAN wizard (click Network>New or Network> Select the WLAN SSID>edit). 2. Click the Security tab. 3. Under Fast Roaming, select the 802.11v checkbox. 4. Click Next and then click Finish. In the CLI To enable 802.
4. Click Finish to save the changes. Deleting a WLAN SSID Profile To delete a WLAN SSID profile: 1. In the Networks tab, click the network that you want to delete. An x link is displayed against the network to be deleted. 2. Click x. A delete confirmation window is displayed. 3. Click Delete Now.
Chapter 10 Wired Profiles This chapter describes the following procedures:
- Configuring a Wired Profile on page 119
- Assigning a Profile to Ethernet Ports on page 124
- Editing a Wired Profile on page 124
- Deleting a Wired Profile on page 124
- Link Aggregation Control Protocol on page 125
- Understanding Hierarchical Deployment on page 126
Configuring a Wired Profile The Ethernet ports allow third-party devices such as VoIP phones or printers (which support only wired connections) to connec
information on assigning a wired network profile to a port, see Assigning a Profile to Ethernet Ports on page 124. c. Spanning Tree—Select the Spanning Tree checkbox to enable Spanning Tree Protocol (STP) on the wired profile. STP ensures that there are no loops in any bridged Ethernet network and operates on all downlink ports, regardless of forwarding mode. STP will not operate on the uplink port and is supported only on W-IAPs with three or more ports.
- Specify the Allowed VLAN as a comma-separated list of VLAN IDs or ranges (for example, 1,2,5 or 1-4), or all. The Allowed VLAN refers to the VLANs carried by the port in Access mode.
- If the Client IP Assignment is set to Network Assigned, specify a value for Native VLAN. A VLAN that does not have a VLAN ID tag in the frames is referred to as the Native VLAN. You can specify a value within the range of 1-4093.
d.
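The Allowed VLAN syntax just described (a comma-separated list of IDs or ranges, or all) and the 1-4093 limit on the Native VLAN are easy to get wrong when a profile is generated by a script rather than typed into the UI. The following Python is an added example written for this guide, not the product's own validator: it parses an Allowed VLAN string into a set of VLAN IDs and checks a native VLAN against the range. Treating all as the full 1-4093 range, and requiring the native VLAN to appear in the allowed set, are assumptions of the example.

```python
from typing import Set

# Range given in the guide for the Native VLAN; reused here for every VLAN id.
VLAN_MIN, VLAN_MAX = 1, 4093


def _vlan_id(text: str) -> int:
    """Parse one VLAN id and enforce the 1-4093 range."""
    try:
        vid = int(text.strip(), 10)
    except ValueError:
        raise ValueError(f"not a VLAN id: {text!r}") from None
    if not VLAN_MIN <= vid <= VLAN_MAX:
        raise ValueError(f"VLAN id {vid} outside {VLAN_MIN}-{VLAN_MAX}")
    return vid


def parse_allowed_vlans(spec: str) -> Set[int]:
    """'1,2,5', '1-4', '3,10-12' or 'all' -> set of VLAN ids.

    'all' expands to every id in range (an assumption of this example).
    Malformed elements, reversed ranges and out-of-range ids raise ValueError
    instead of being silently dropped, so a typo cannot widen or narrow the
    set of VLANs a port carries without anyone noticing.
    """
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(VLAN_MIN, VLAN_MAX + 1))
    if not spec:
        raise ValueError("empty Allowed VLAN specification")
    result: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty element in Allowed VLAN list")
        if "-" in part:
            lo_text, hi_text = part.split("-", 1)
            lo, hi = _vlan_id(lo_text), _vlan_id(hi_text)
            if lo > hi:
                raise ValueError(f"reversed range {part!r}")
            result.update(range(lo, hi + 1))
        else:
            result.add(_vlan_id(part))
    return result


def is_valid_native_vlan(native: int) -> bool:
    """Native VLAN must lie in 1-4093 as the guide states."""
    return VLAN_MIN <= native <= VLAN_MAX


def native_vlan_allowed(native: int, allowed_spec: str) -> bool:
    """True if the native VLAN is valid and carried by the port (assumed rule)."""
    return is_valid_native_vlan(native) and native in parse_allowed_vlans(allowed_spec)


if __name__ == "__main__":
    for spec in ("1,2,5", "1-4", "3, 10-12", "all"):
        ids = parse_allowed_vlans(spec)
        print(f"{spec!r:12} -> {len(ids)} VLAN(s)", sorted(ids) if len(ids) < 20 else "")
    print("native 10 with '3,10-12':", native_vlan_allowed(10, "3,10-12"))
```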
- New—On selecting this option, an external RADIUS server must be configured to authenticate the users. For information on configuring an external server, see Configuring an External Server for Authentication on page 164 and Authentication and User Management on page 152.
- Internal server— If an internal server is selected, add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users.
a. Select any of the following types of access control:
- Role-based— Allows the users to obtain access based on the roles assigned to them.
- Unrestricted— Allows the users to obtain unrestricted access on the port.
- Network-based— Allows the users to be authenticated based on access rules specified for a network.
b.
(Instant AP)(wired ap profile )# set-role-machine-auth
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
To configure unrestricted access:
(Instant AP)(config)# wired-port-profile
(Instant AP)(wired ap profile )# set-role-unrestricted
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
Assigning a Profile to Ethernet Ports You can assign profiles to Ethernet ports using the Instant UI or CLI.
1. Click the Wired link under More at the top right corner of the Instant main window. The Wired window is displayed. 2. In the Wired window, select the wired profile to delete. 3. Click Delete. The wired profile is deleted. Link Aggregation Control Protocol The W-IAP220 Series and W-IAP270 Series support the IEEE 802.11ac standard for high-performance WLAN. To support maximum traffic, port aggregation is required as it increases throughput and enhances reliability.
Understanding Hierarchical Deployment A W-IAP130 Series or W-IAP3WN (with more than one wired port) can be connected to the downlink wired port of another W-IAP (ethX). A W-IAP with a single Ethernet port (like W-IAP90 or W-IAP100 series devices) can be provisioned to use Ethernet bridging, so that Ethernet 0 port is converted to a downlink wired port. You can also form a W-IAP network by connecting the downlink port of an AP to other APs.
Chapter 11 Captive Portal for Guest Access This chapter provides the following information:
- Understanding Captive Portal on page 127
- Configuring a WLAN SSID for Guest Access on page 128
- Configuring Wired Profile for Guest Access on page 133
- Configuring Internal Captive Portal for Guest Network on page 135
- Configuring External Captive Portal for a Guest Network on page 138
- Configuring Facebook Login on page 143
- Configuring External Captive Portal Authentication Using ClearPass Gu
- External captive portal— For external captive portal authentication, an external portal on the cloud or on a server outside the enterprise network is used.
Walled Garden The administrators can also control the resources that the guest users can access and the amount of bandwidth or air time they can use at any given time. When an external captive portal is used, the administrators can configure a walled garden, which determines access to the URLs requested by the guest users.
Table 23: WLAN SSID Configuration Parameters for Guest Network
Parameter: Broadcast/Multicast — Description: Select any of the following values under Broadcast filtering:
- All—When set to All, the W-IAP drops all broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols.
Parameter: Zone — Description: Specify the zone for the SSID. When the zone is defined in the SSID profile and the same zone is defined on a W-IAP, the SSID is created on that W-IAP. For more information on configuring zone details on a W-IAP, see Configuring Zone Settings on a W-IAP on page 88. The following constraints apply to the zone configuration:
- A W-IAP can belong to only one zone and only one zone can be configured on an SSID.
Parameter: Bandwidth Limits
Parameter: Wi-Fi Multimedia (WMM) traffic management
Parameter: Content filtering — Description: Set to Enabled to route all DNS requests for the non-corporate domains to OpenDNS on this network.
Parameter: Band — Description: Select a value to specify the band at which the network transmits radio signals. You can set the band to 2.4 GHz, 5 GHz, or All. The All option is selected by default.
Parameter: Inactivity timeout — Description: Specify a timeout interval. If a client session is inactive for the specified duration, the session expires and the users are required to log in again.
Table 24: IP and VLAN Assignment for WLAN SSID Clients Client IP Assignment Client VLAN Assignment Virtual Controller assigned If the Virtual Controller assigned is selected for client IP assignment, the Virtual Controller creates a private subnet and VLAN on the W-IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source.
downlink ports, regardless of forwarding mode. STP will not operate on the uplink port and is supported only on W-IAPs with three or more ports. By default, Spanning Tree is disabled on wired profiles. 4. Click Next. The VLAN tab details are displayed. 5. Enter the following information. a. Mode—You can specify any of the following modes:
- Access—Select this mode to allow the port to carry a single VLAN specified as the native VLAN.
Configuring Internal Captive Portal for Guest Network For internal captive portal authentication, an internal server is used for hosting the captive portal service. You can configure internal captive portal authentication when adding or editing a guest network created for wireless or wired profile through the Instant UI or CLI. In the Instant UI 1. Navigate to the WLAN wizard or Wired window.
- Select New for configuring a new external RADIUS or LDAP server for authentication.
Parameter: Load balancing — Description: Select Enabled to enable load balancing if two authentication servers are used.
Parameter: Reauth interval — Description: Select a value to allow the APs to periodically reauthenticate all associated and authenticated clients.
Parameter: Blacklisting — Description: If you are configuring a wireless network profile, select Enabled to enable blacklisting of the clients with a specific number of authentication failures.
Parameter: Disable if uplink type is — Description: To exclude an uplink, select an uplink type.
Parameter: Encryption — Description: Select Enabled to configure encryption parameters. Select an encryption and configure a passphrase. (Applicable for WLAN SSIDs only.)
Parameter: Splash Page Design — Description: Under Splash Page Visuals, use the editor to specify text and colors for the initial page that will be displayed to the users when they connect to the network.
(Instant AP)(wired ap profile )# mac-authentication
(Instant AP)(wired ap profile )# auth-server
(Instant AP)(wired ap profile )# radius-reauth-interval
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
To customize the internal captive portal splash page:
(Instant AP)(config)# wlan captive-portal
(Instant AP)(Captive Portal)# authenticated
(Instant AP)(Captive Portal)# back
Table 26: Captive Portal Profile Configuration Parameters
Parameter: Name — Description: Enter a name for the profile.
Parameter: Type — Description: Select any one of the following types of authentication:
- Radius Authentication - Select this option to enable user authentication against a RADIUS server.
- Authentication Text - Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.
(Instant AP)(External Captive Portal)# port
(Instant AP)(External Captive Portal)# url
(Instant AP)(External Captive Portal)# https
(Instant AP)(External Captive Portal)# redirect-url
(Instant AP)(External Captive Portal)# server-fail-through
(Instant AP)(External Captive Portal)# no auto-whitelist-disable
(Instant AP)(External Captive Portal)# server-offload
(Instant AP)(External Captive Portal)# prevent-frame-overlay
(Instant AP)(External Captive Portal)# e
(Instant AP)# commit apply
Table 27: External Captive Portal Configuration Parameters
Parameter: Uppercase support — Description: Set to Enabled to allow the W-IAP to use uppercase letters in the MAC address string for MAC authentication. NOTE: This option is available only if MAC authentication is enabled.
Parameter: Authentication server — Description: To configure an authentication server, select any of the following options:
- If the server is already configured, select the server from the list.
- To create a new external RADIUS server, select New.
(Instant AP)(SSID Profile )# mac-authentication
(Instant AP)(SSID Profile )# max-authentication-failures
(Instant AP)(SSID Profile )# auth-server
(Instant AP)(SSID Profile )# radius-accounting
(Instant AP)(SSID Profile )# radius-interim-accounting-interval
(Instant AP)(SSID Profile )# radius-accounting-mode {user-association|user-authentication}
(Instant AP)(SSID Profile )# wpa-passphrase
(Instant AP)(SSI
Creating a Web Login page in ClearPass Guest The ClearPass Guest Visitor Management Appliance provides a simple and personalized user interface through which operational staff can quickly and securely manage visitor network access. With ClearPass Guest, the users can have a controlled access to a dedicated visitor management user database. Through a customizable web portal, the administrators can easily create an account, reset a password or set an expiry time for visitors.
- Accessing the Portal Page
Setting up a Facebook Page To enable integration with the W-IAP, ensure that you have a Facebook page created as a local business with a valid location. For information on:
- Creating a Facebook page, see the online help available at https://www.facebook.com/help
- Setting up and using Facebook Wi-Fi service, see https://www.facebook.
3. Select the Facebook page. 4. Under Bypass Mode, select any of the following options:
- Skip Check-in link—When selected, the users are not presented with your business Facebook page, but are allowed to access the Internet by clicking the Skip Check-in link.
- Require Wi-Fi code—When selected, the users are assigned a Wi-Fi code to gain access to the Facebook page.
5. Customize the session length and terms of service if required. 6. Click Save Settings.
authentication for an SSID with the 802.1X authentication method. For more information, see Configuring Captive Portal Roles for an SSID on page 147.
- Create a role assignment rule. For more information, see Configuring Derivation Rules on page 206. Instant supports role derivation based on the DHCP option for captive portal authentication.
(Instant AP)(Access Rule "WirelessRule")# rule any any match webcategory training-and-tools permit
(Instant AP)(Access Rule "WirelessRule")# rule any any match webreputation well-known-sites permit
(Instant AP)(Access Rule "WirelessRule")# rule any any match webreputation safe-sites permit
(Instant AP)(Access Rule "WirelessRule")# rule any any match webreputation benign-sites permit
(Instant AP)(Access Rule "WirelessRule")# rule any any match webreputation suspicious-si
Figure 33 Captive Portal Rule for Internal Acknowledged Splash Page
Figure 34 Captive Portal Rule for External Captive Portal profile
Table 29: Captive Portal Rule Configuration Parameters
Field: Rule type — Description: Select Captive Portal from the drop-down list.
Field: Splash Page Type — Description: Select any of the following attributes:
- Select Internal to configure a rule for internal captive portal authentication.
- Select External to configure a rule for external captive portal authentication.
Field: Internal
- Specify the URL to which you want to redirect the guest users.
- To upload a custom logo, click Upload your own custom logo Image, browse the image file, and click upload image.
- To preview the captive portal page, click Preview.
Field: External — Description: If External is selected, perform the following steps:
- Select a profile from the Captive portal profile drop-down list.
Configuring Walled Garden Access On the Internet, a walled garden typically controls access to web content and services. The Walled garden access is required when an external captive portal is used. For example, a hotel environment where the unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all its contents. The users who do not sign up for the Internet service can view the allowed websites (typically hotel property websites).
You can also customize splash page design on the Security tab of New WLAN (WLAN wizard) and New Wired Network (wired profile window) when configuring a new profile. 2. Navigate to the Security tab. 3. Select None from the Splash page type drop-down list. Although the splash page is disabled, you can enable MAC authentication, configure authentication servers, set accounting parameters, blacklist clients based on MAC authentication failures, and configure encryption keys for authorized access. 4.
Chapter 12 Authentication and User Management This chapter provides the following information:
- Managing W-IAP Users on page 152
- Supported Authentication Methods on page 156
- Supported Authentication Servers on page 159
- Understanding Encryption Types on page 173
- Configuring Authentication Survivability on page 174
- Configuring Authentication Servers on page 159
- Configuring 802.
Configuring W-IAP Users The Instant user database consists of a list of guest and employee users. Adding a user involves specifying login credentials for that user. The login credentials for these users are provided outside the Instant system. A guest user can be a visitor who is temporarily using the enterprise network to access the Internet.
a. Select the user to modify under Users b. Click Edit to modify user settings. c. Click OK. 8. To delete a user: a. In the Users section, select the username to delete b. Click Delete. c. Click OK. 9. To delete all or multiple users at a time: a. Select the user names that you want to delete b. Click Delete All. c. Click OK. Deleting a user only removes the user record from the user database, and will not disconnect the online user associated with the user name.
Type of the User Authentication Options Steps to Follow Local administrator Internal Select Internal if you want to specify a single set of user credentials. If using an internal authentication server: 1. Specify a Username and Password. 2. Retype the password to confirm. Authentication server View Only Guest Registration Only Internal—Select this option to specify a single set of user credentials. Select the RADIUS or TACACS authentication servers.
To configure a user with read-only privilege:
(Instant AP)(config)# mgmt-user [password] read-only
To configure management authentication settings:
(Instant AP)(config)# mgmt-auth-server
(Instant AP)(config)# mgmt-auth-server
(Instant AP)(config)# mgmt-auth-server-load-balancing
(Instant AP)(config)# mgmt-auth-server-local-backup
To enable TACACS accounting:
(Instant AP)(config)# mgmt-accounting command all
Adding Guest Users through the Guest Management Interface To add
802.1X authentication 802.1X is an IEEE standard that provides an authentication framework for WLANs. 802.1X uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1X framework include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS). These protocols allow the network to authenticate the client while also allowing the client to authenticate the network. That mutual authentication holds only if the client (supplicant) is configured to validate the authentication server's certificate; a client that skips that check will complete the exchange with any server that presents a certificate, which is the basis of evil-twin attacks against PEAP and EAP-TTLS.
MAC authentication with Captive Portal authentication You can enforce MAC authentication for captive portal clients. For more information on configuring a W-IAP to use MAC authentication with captive portal authentication, see Configuring MAC Authentication with Captive Portal Authentication on page 181. 802.1X authentication with Captive Portal Role This authentication mechanism allows you to configure different captive portal settings for clients on the same SSID. For example, you can configure an 802.
Authentication Termination on W-IAP W-IAPs support EAP termination for enterprise WLAN SSIDs. EAP termination can reduce the number of packets exchanged between the W-IAP and the authentication servers. Instant allows Extensible Authentication Protocol (EAP) termination for Protected Extensible Authentication Protocol-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2). With termination, the W-IAP itself presents the server certificate and ends the TLS tunnel, so the W-IAP must hold a certificate that clients are configured to trust, and the inner credentials are exposed on the W-IAP rather than only on the RADIUS server.
External RADIUS Server In the external RADIUS server, the IP address of the Virtual Controller is configured as the NAS IP address. Instant RADIUS is implemented on the Virtual Controller, and this eliminates the need to configure multiple NAS clients for every W-IAP on the RADIUS server for client authentication. Instant RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server.
l Add-Port-To-IP-Address l Aruba-AP-Group l Aruba-AP-IP-Address l Aruba-AS-Credential-Hash l Aruba-AS-User-Name l Aruba-Admin-Role l Aruba-AirGroup-Device-Type l Aruba-AirGroup-Shared-Group l Aruba-AirGroup-Shared-Role l Aruba-AirGroup-Shared-User l Aruba-AirGroup-User-Name l Aruba-AirGroup-Version l Aruba-Auth-SurvMethod l Aruba-Auth-Survivability l Aruba-CPPM-Role l Aruba-Device-Type l Aruba-Essid-Name l Aruba-Framed-IPv6-Address l Aruba-Location-Id l Aruba-Mdps-Devi
l CHAP-Challenge l Callback-Id l Callback-Number l Chargeable-User-Identity l Class l Connect-Info l Connect-Rate l Crypt-Password l DB-Entry-State l Digest-Response l Domain-Name l EAP-Message l Error-Cause l Event-Timestamp l Exec-Program l Exec-Program-Wait l Expiration l Fall-Through l Filter-Id l Framed-AppleTalk-Link l Framed-AppleTalk-Network l Framed-AppleTalk-Zone l Framed-Compression l Framed-IP-Address l Framed-IP-Netmask l Framed-IPX-Network l
l Location-Information l Login-IP-Host l Login-IPv6-Host l Login-LAT-Node l Login-LAT-Port l Login-LAT-Service l Login-Service l Login-TCP-Port l Menu l Message-Auth l NAS-IPv6-Address l NAS-Port-Type l Operator-Name l Password l Password-Retry l Port-Limit l Prefix l Prompt l Rad-Authenticator l Rad-Code l Rad-Id l Rad-Length l Reply-Message l Requested-Location-Info l Revoke-Text l Server-Group l Server-Name l Service-Type l Session-Timeout l Simu
l Tunnel-Server-Auth-Id l Tunnel-Server-Endpoint l Tunnel-Type l User-Category l User-Name l User-Vlan l Vendor-Specific l fw_mode l dhcp-option l dot1x-authentication-type l mac-address l mac-address-and-dhcp-options TACACS Servers You can now configure a TACACS+ server as the authentication server to authenticate and authorize all types of management users, and account user sessions.
1. Navigate to Security>Authentication Servers. The Security window is displayed. 2. To create a new server, click New. A window for specifying details for the new server is displayed. 3. Configure parameters based on the type of server. l RADIUS—To configure a RADIUS server, specify the attributes described in the following table: Table 31: RADIUS Server Configuration Parameters Parameter Description Name Enter a name for the server.
Parameter Description NOTE: If you do not enter the IP address, the Virtual Controller IP address is used by default when Dynamic RADIUS Proxy is enabled. NAS Identifier Allows you to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server. Dead Time Specify a dead time for authentication server in minutes.
Parameter Description Filter Specify the filter to apply when searching for a user in the LDAP database. The default filter string is (objectclass=*). Key Attribute Specify the attribute to use as a key when searching the LDAP directory. For Active Directory, the value is sAMAccountName. Timeout Enter a value between 1 and 30 seconds. The default value is 5. Retry count Enter a value between 1 and 5. The default value is 3.
Table 34: CPPM Server Configuration Parameters for AirGroup CoA Parameter Description Name Enter the name of the server. Server address Enter the host name or IP address of the server. Air Group CoA port Enter a port number for sending AirGroup CoA on a different port than on the standard CoA port. The default value is 5999. Shared key Enter a shared key for communicating with the external RADIUS server. Retype key Re-enter the shared key. 4. Click OK.
(Instant AP)(LDAP Server )# timeout
(Instant AP)(LDAP Server )# retry-count
(Instant AP)(LDAP Server )# deadtime
(Instant AP)(LDAP Server )# end
(Instant AP)# commit apply
To configure a TACACS+ server:
(Instant AP)(config)# wlan tac
e. To allow the APs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server, set RFC 3576 to Enabled. Disconnect messages cause a user session to be terminated immediately, whereas the CoA messages modify session authorization attributes such as data filters. f. If RFC 3576 is enabled, specify an AirGroup CoA port if required. g. Enter the NAS IP address. h.
Configuring Dynamic RADIUS Proxy Parameters The RADIUS server can be deployed at different locations and VLANs. In most cases, a centralized RADIUS or local server is used to authenticate users. However, some user networks can use a local RADIUS server for employee authentication and a centralized RADIUS based captive portal server for guest authentication. To ensure that the RADIUS traffic is routed to the required RADIUS server, the dynamic RADIUS proxy feature must be enabled.
2. To create a new server, click New and configure the required RADIUS server parameters as described in Table 31. 3. Ensure that the following dynamic RADIUS proxy parameters are configured: l DRP IP— IP address to be used as source IP for RADIUS packets l DRP Mask—Subnet mask of the DRP IP address. l DRP VLAN—VLAN in which the RADIUS packets are sent. l DRP Gateway—Gateway IP address of the DRP VLAN. 4. Click OK.
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# auth-server
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To associate an authentication server to a wired profile:
(Instant AP)(config)# wired-port-profile
(Instant AP)(wired ap profile )# auth-server
(Instant AP)(wired ap profile )# end
(Instant AP)# commit apply
Understanding Encryption Types Encryption is the process of converting data into a cryptic format or c
l Personal—Personal is also called Pre-Shared Key (PSK). In this type, a single key is shared by every client in the network. Users have to supply this key to join the network. The key remains the same until it is changed by authorized personnel, so anyone who holds it (including a former employee or a lost device) can join, and with WPA2-PSK a holder of the key who captures another client's four-way handshake can derive that client's session keys. You can also configure key change intervals. l Enterprise—Enterprise is more secure than WPA Personal. In this type, every client automatically receives a unique encryption key after securely logging on to the network.
Enabling Authentication Survivability You can enable authentication survivability for a wireless network profile through the UI or CLI. In the Instant UI To configure authentication survivability for a wireless network: 1. On the Network tab, click New to create a new network profile or select an existing profile for which you want to enable authentication survivability and click edit. 2.
Configuring 802.1X Authentication for a Network Profile The Instant network supports both an internal RADIUS server and an external RADIUS server for 802.1X authentication. The steps involved in 802.1X authentication are as follows: 1. The NAS requests authentication credentials from a wireless client. 2. The wireless client sends authentication credentials to the NAS. 3. The NAS sends these credentials to a RADIUS server. 4.
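The following Python program is an added example (not code from this guide or from Instant) showing both halves of the RADIUS traffic this chapter describes: the Access-Request the Virtual Controller sends as the NAS, carrying the VC address in NAS-IP-Address and the Message-Authenticator that RFC 3579 requires when EAP-Message is present, and the RFC 3576/5176 Disconnect-Request a server sends back, which the NAS must discard unless its Request Authenticator verifies under the shared secret. The NAS IP 192.0.2.10, the shared secret, the EAP Identity payload and the session table are constructed assumptions.

```python
"""RADIUS exchanges around an Instant Virtual Controller: an added example,
not the guide's or Instant's code. Assumed (not from the guide): NAS IP
192.0.2.10, shared secret b"testing123", a constructed EAP Identity response,
and an in-memory session table keyed by Acct-Session-Id.
"""
import hashlib
import hmac
import os
import struct

# RADIUS codes (RFC 2865, RFC 5176)
ACCESS_REQUEST = 1
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# Attribute types used here (RFC 2865, RFC 2866, RFC 3579)
USER_NAME = 1
NAS_IP_ADDRESS = 4
ACCT_SESSION_ID = 44
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80


def encode_attrs(attrs):
    """TLV-encode a list of (type, value-bytes) pairs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body):
    """Decode TLVs into (type, value) pairs; reject impossible lengths."""
    out, i = [], 0
    while i < len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        out.append((t, body[i + 2:i + length]))
        i += length
    return out


def build_access_request(ident, secret, username, nas_ip, eap_payload):
    """NAS (the VC) -> RADIUS server. NAS-IP-Address carries the VC IP, which is
    why the server needs only one NAS client entry for the whole cluster. A
    request carrying EAP-Message must include Message-Authenticator (RFC 3579
    s3.2): HMAC-MD5 keyed with the shared secret over the packet with that
    attribute's value zeroed."""
    req_auth = os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (EAP_MESSAGE, eap_payload),
        (MESSAGE_AUTHENTICATOR, bytes(16)),  # placeholder, filled in below
    ])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(pkt, secret):
    """Server side: recompute the HMAC with the attribute zeroed in place.
    A packet without the attribute is rejected outright."""
    i = 20
    for t, v in parse_attrs(pkt[20:]):
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            return hmac.compare_digest(v, hmac.new(secret, zeroed, hashlib.md5).digest())
        i += len(v) + 2
    return False


def build_disconnect_request(ident, secret, attrs):
    """RADIUS server -> NAS (RFC 5176). Unlike Access-Request, the Request
    Authenticator is not random but
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body


def nas_handle_disconnect(pkt, secret, sessions):
    """NAS (VC) side. A request whose authenticator does not verify under the
    shared secret, e.g. a forged disconnect from an arbitrary host, is silently
    discarded (RFC 5176 s2.3). Otherwise the named session is torn down and a
    Disconnect-ACK (or NAK for an unknown session) is returned."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth, body = pkt[4:20], pkt[20:length]
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    if code != DISCONNECT_REQUEST or not hmac.compare_digest(req_auth, expected):
        return None
    attrs = dict(parse_attrs(body))
    session_id = attrs.get(ACCT_SESSION_ID, b"").decode(errors="replace")
    resp_code = DISCONNECT_ACK if sessions.pop(session_id, None) else DISCONNECT_NAK
    hdr = struct.pack("!BBH", resp_code, ident, 20)  # no attributes in the reply
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + attrs + secret)
    return hdr + hashlib.md5(hdr + req_auth + secret).digest()


def server_verify_response(resp, request, secret):
    """Server side: accept the ACK/NAK only if it chains to the request sent."""
    hdr, resp_auth, body = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(hdr + request[4:20] + body + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    secret = b"testing123"
    req = build_access_request(7, secret, "alice", "192.0.2.10", b"\x02\x01\x00\x0a\x01alice")
    print("Access-Request verifies:", verify_message_authenticator(req, secret))
    sessions = {"sess-1": "alice"}
    dreq = build_disconnect_request(3, secret, [(ACCT_SESSION_ID, b"sess-1")])
    resp = nas_handle_disconnect(dreq, secret, sessions)
    print("Disconnect reply code:", resp[0], "sessions left:", sessions)
```

The check a practitioner cares about is the discard path in nas_handle_disconnect: a Disconnect-Request or CoA-Request from any host that does not know the shared secret produces no reply at all, which is why enabling RFC 3576 on the W-IAP is only as safe as the per-server shared secret.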
In the CLI To configure 802.
l Configuring MAC Authentication for Wireless Network Profiles on page 178 l Configuring MAC Authentication for Wired Profiles on page 179 Configuring MAC Authentication for Wireless Network Profiles You can configure MAC authentication for a wireless network profile in the Instant UI or CLI. Because a MAC address is trivially cloned by any client, MAC authentication on its own is a convenience control for headless devices, not a strong identity check; combine it with 802.1X or captive portal authentication where access matters. In the Instant UI To enable MAC Authentication for a wireless network: 1.
(Instant AP)# commit apply Configuring MAC Authentication for Wired Profiles You can configure MAC authentication for a wired profile in the Instant UI or CLI. In the Instant UI To enable MAC authentication for a wired profile: 1. Click the Wired link under More at the top right corner of the main window. The Wired window is displayed. 2. Click New under Wired Networks to create a new network or select an existing profile for which you want to enable MAC authentication and then click Edit. 3.
Configuring MAC and 802.1X Authentication for a Wireless Network Profile You can configure MAC authentication with 802.1X authentication for wireless network profile using the Instant UI or CLI. In the Instant UI To configure both MAC and 802.1X authentication for a wireless network: 1. On the Network tab, click New to create a new network profile or select an existing profile for which you want to enable MAC and 802.1X authentication and click edit. 2.
5. Specify the type of authentication server to use and configure other required parameters. For more information on configuration parameters, see Configuring Security Settings for a Wired Profile on page 121 6. Click Next to define access rules, and then click Finish to apply the changes. In the CLI To enable MAC and 802.
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
To configure MAC authentication with captive portal authentication for a wired profile:
(Instant AP)(config)# wired-port-profile
(Instant AP)(wired ap profile )# type
(Instant AP)(wired ap profile )# mac-authentication
(Instant AP)(wired ap profile )# captive-portal external
(Instant AP)(wired ap profile )# captive-portal { [exclude-uplink ] | [Profile
10. Click OK to apply the changes. The WISPr RADIUS attributes and configuration parameters are specific to the RADIUS server used by your ISP for the WISPr authentication. Contact your ISP to determine these values. You can find a list of ISO and ITU country and area codes at the ISO and ITU websites (iso.org and itu.int). A Boingo smart client uses a NAS identifier in the format _ for location identification.
(Instant AP)# commit apply
To view the blacklisted clients:
(Instant AP)# show blacklist-client
Blacklisted Clients
-------------------
MAC                Reason        Timestamp  Remaining time(sec)  AP name
---                ------        ---------  -------------------  -------
00:1c:b3:09:85:15  user-defined  17:21:29   Permanent            -
Blacklisting Users Dynamically The clients can be blacklisted dynamically when they exceed the authentication failure threshold or when a blacklisting rule is triggered as part of the authentication process.
Blacklist Time :60
Auth Failure Blacklist Time :60
Manually Blacklisted Clients
----------------------------
MAC  Time
---  ----
Dynamically Blacklisted Clients
-------------------------------
MAC  Reason  Timestamp  Remaining time(sec)  AP IP
---  ------  ---------  -------------------  -----
Dyn Blacklist Count :0
Uploading Certificates A certificate is a digital file that certifies the identity of the organization or products of the organization. It is also used to establish your credentials for any web transactions. It contains the organization name, a serial number, expiration date, a copy of the certificate-holder's public key, and the digital signature of the certificate-issuing authority so that a recipient can ensure that the certificate is real.
(Instant AP)# copy tftp {cpserver cert format {p12|pem}| radsec {ca|cert } format pem |system {1xca format {der|pem}| 1xcert format pem}}
To download RadSec certificates:
(Instant AP)# download-cert radsec ftp://192.0.2.7 format pem [psk ]
(Instant AP)# download-cert radsecca ftp://192.0.2.
Figure 39 Server Certificate 4. After you upload the certificate, navigate to Groups, click the Instant Group and then select Basic. The Group name is displayed only if you have entered the Organization name in the Instant UI. For more information, see Configuring Organization String on page 299. Figure 40 Selecting the Group The Virtual Controller Certificate section displays the certificates (CA cert and Server). 5. Click Save to apply the changes only to W-AirWave.
Chapter 13 Roles and Policies This chapter describes the procedures for configuring user roles, role assignment, and firewall policies. l Firewall Policies on page 189 l Content Filtering on page 200 l Configuring User Roles on page 204 l Configuring Derivation Rules on page 206 Firewall Policies Instant firewall provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks.
l Configuring access rules based on application and application categories, see Configuring ACL Rules for Application and Application Categories on page 266. l Configuring access rules based on web categories and web reputation, see Configuring Web Policy Enforcement Service on page 269. In the Instant UI To configure ACL rules for a user role: 1. Navigate to Security > Roles. The Roles tab contents are displayed.
Table 37: Access Rule Configuration Parameters Service Category Description specify the IP address and netmask for the destination network. l except to a network—Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network. l to domain name—Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.
(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 192.0.2.7 255.255.255.0 match udp 21 21 deny
(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 match 6 631 631 permit
(Instant AP)(Access Rule "employee")# rule 192.0.2.8 255.255.255.255 invert 6 21 21 deny
(Instant AP)(Access Rule "employee")# rule 192.0.2.1 255.255.255.
(Instant AP)# commit apply
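As an added example (not code from this guide), the following Python evaluator applies rules written in the one-destination form used above, `rule <dst> <mask> {match|invert} <proto> <sport> <eport> <action>`, to sample packets with first-match semantics, and flags rules that an earlier rule shadows so they can never fire. The implicit deny at the end of a role's list, the protocol names and the packets are assumptions; the two-network form on the first line above is not parsed.

```python
"""First-match evaluation of Instant access rules: an added example, not the
W-IAP's implementation. Assumed (not from the guide): implicit deny after the
last rule, the protocol-name table, and the constructed rules and packets.
"""
import ipaddress

PROTO_NUMBER = {"tcp": 6, "udp": 17, "icmp": 1}


def parse_rule(line):
    """Parse one `rule ...` CLI line into a dict; `any` means unconstrained."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "rule" or tok[3] not in ("match", "invert"):
        raise ValueError(f"unsupported rule: {line!r}")
    dst = None if tok[1] == "any" else ipaddress.IPv4Network((tok[1], tok[2]), strict=False)
    proto = None if tok[4] == "any" else (PROTO_NUMBER.get(tok[4]) or int(tok[4]))
    ports = None if tok[5] == "any" else (int(tok[5]), int(tok[6]))
    return {"dst": dst, "invert": tok[3] == "invert", "proto": proto,
            "ports": ports, "action": tok[7]}


def rule_matches(rule, dst_ip, proto, dport):
    """True if the packet (destination IP, protocol number, destination port)
    falls within the rule. `invert` is the UI's "except to a network"."""
    if rule["dst"] is not None:
        in_net = ipaddress.IPv4Address(dst_ip) in rule["dst"]
        if in_net == rule["invert"]:
            return False
    if rule["proto"] is not None and rule["proto"] != proto:
        return False
    if rule["ports"] is not None:
        lo, hi = rule["ports"]
        if not lo <= dport <= hi:
            return False
    return True


def evaluate(rules, dst_ip, proto, dport):
    """Return (action, rule index) of the first matching rule, or
    ("deny", None) when nothing matches (assumed implicit deny)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, dst_ip, proto, dport):
            return rule["action"], i
    return "deny", None


def _covers(a, b):
    """Conservative test: every packet matching rule b also matches rule a."""
    if a["dst"] is not None:
        if b["dst"] is None or a["invert"] != b["invert"]:
            return False
        # "except A" covers "except B" only when A is inside B; plain
        # networks cover when B is inside A
        wider, narrower = (b["dst"], a["dst"]) if a["invert"] else (a["dst"], b["dst"])
        if not narrower.subnet_of(wider):
            return False
    if a["proto"] is not None and a["proto"] != b["proto"]:
        return False
    if a["ports"] is not None:
        if b["ports"] is None:
            return False
        if not (a["ports"][0] <= b["ports"][0] and b["ports"][1] <= a["ports"][1]):
            return False
    return True


def find_shadowed(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules)) if any(_covers(rules[i], rules[j]) for i in range(j))]


# Constructed rule list in the CLI syntax above; the last rule is shadowed by
# the catch-all permit before it, a common ordering mistake.
EXAMPLE_RULES = [parse_rule(line) for line in (
    "rule 192.0.2.2 255.255.255.0 match 6 631 631 permit",
    "rule 192.0.2.8 255.255.255.255 invert 6 21 21 deny",
    "rule any any match any any any permit",
    "rule 192.0.2.0 255.255.255.0 match tcp 22 22 deny",
)]

if __name__ == "__main__":
    for pkt in (("192.0.2.50", 6, 631), ("192.0.2.9", 6, 21), ("192.0.2.8", 6, 21)):
        print(pkt, "->", evaluate(EXAMPLE_RULES, *pkt))
    print("shadowed rules:", find_shadowed(EXAMPLE_RULES))
```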
In the CLI To configure source NAT access rule:
(Instant AP)(config)# wlan access-rule
(Instant AP)(Access Rule "")# rule src-nat
(Instant AP)(Access Rule "")# end
(Instant AP)# commit apply
Configuring Source-Based Routing To allow different forwarding policies for different SSIDs, you can configure source-based routing.
f. If required, enable other parameters such as Log, Blacklist, Classify media, Disable scanning, DSCP tag, and 802.1p priority. g. Click OK. 5. Click Finish.
To view the ALG configuration:
(Instant AP)# show alg
Current ALG
-----------
ALG     Status
---     ------
sccp    Disabled
sip     Enabled
ua      Enabled
vocera  Enabled
Configuring Firewall Settings for Protection from ARP Attacks You can configure firewall settings to protect the network against attacks using the Instant UI or CLI. In the Instant UI To configure firewall settings: 1. Click the Security link at the top right corner of Instant main window. 2. Click the Firewall Settings tab.
To view the attack statistics:
(Instant AP)# show attack stats
attack counters
--------------------------------------
Counter                         Value
-------                         -----
arp packet counter              0
drop bad arp packet counter     0
dhcp response packet counter    0
fixed bad dhcp packet counter   0
send arp attack alert counter   0
send dhcp attack alert counter  0
arp poison check counter        0
garp send check counter         0
Managing Inbound Traffic Instant now supports an enhanced inbound firewall by allowing the configuration of firewall rules and managemen
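To show what the ARP counters above measure, the following Python check is an added example (not the W-IAP's own code) that classifies constructed ARP packets against IP-to-MAC bindings assumed to have been learned from the AP's DHCP server, incrementing counters named after the ones in the output. The binding table, MAC addresses and packets are constructed.

```python
"""ARP poisoning and bad-ARP checks of the kind the firewall counters report:
an added example, not the W-IAP's implementation. Assumed (not from the
guide): bindings learned from DHCP ACKs, and the constructed packets below.
"""
import struct

ARP_FMT = "!HHBBH6s4s6s4s"          # htype ptype hlen plen op sha spa tha tpa
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes for Ethernet/IPv4
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    return bytes(int(o) for o in text.split("."))


def build_arp(op, sha, spa, tha, tpa):
    """Construct an Ethernet/IPv4 ARP packet (the ARP body only)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))


def new_counters():
    return {"arp packet counter": 0, "drop bad arp packet counter": 0,
            "arp poison check counter": 0, "garp send check counter": 0,
            "send arp attack alert counter": 0}


def inspect_arp(pkt, bindings, counters):
    """Classify one ARP packet against the binding table.
    bindings: {ip_bytes: mac_bytes} learned from DHCP ACKs.
    Returns "ok", "drop" (malformed) or "poison" (sender spoofs a bound IP)."""
    counters["arp packet counter"] += 1
    if len(pkt) < ARP_LEN:
        counters["drop bad arp packet counter"] += 1
        return "drop"
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (ARP_REQUEST, ARP_REPLY):
        counters["drop bad arp packet counter"] += 1
        return "drop"
    if spa == tpa:
        # Gratuitous ARP announces the sender's own address; it is exactly
        # what a poisoner sends, so it gets the same binding check below.
        counters["garp send check counter"] += 1
    counters["arp poison check counter"] += 1
    bound = bindings.get(spa)
    if bound is not None and bound != sha:
        # Sender claims an IP that DHCP handed to a different MAC.
        counters["send arp attack alert counter"] += 1
        return "poison"
    return "ok"


# Constructed bindings: gateway and one client, as DHCP snooping would record.
EXAMPLE_BINDINGS = {ip("192.0.2.1"): mac("00:11:22:33:44:01"),
                    ip("192.0.2.50"): mac("00:1c:b3:09:85:15")}

if __name__ == "__main__":
    counters = new_counters()
    spoof = build_arp(ARP_REPLY, "00:1c:b3:09:85:15", "192.0.2.1", "ff:ff:ff:ff:ff:ff", "192.0.2.1")
    print(inspect_arp(spoof, EXAMPLE_BINDINGS, counters), counters)
```

Unbound sender addresses (an ARP probe from 0.0.0.0, or a statically addressed host the DHCP server never saw) pass the check, which is the usual blind spot of DHCP-derived bindings and the reason the W-IAP's protection is scoped to clients it assigned addresses to.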
Figure 43 Inbound Firewall Rules - New Rule Window 3. Configure the following parameters: Table 38: Inbound Firewall Rule Configuration Parameters Parameter Description Action Select any of following actions: l Select Allow to allow access to users based on the access rule. l Select Deny to deny access to users based on the access rule. l Select Destination-NAT to allow changes to the destination IP address. l Select Source-NAT to allow changes to the source IP address.
Table 38: Inbound Firewall Rule Configuration Parameters Parameter Description server. l to a network—Traffic to the specified network is allowed, denied, or the IP address is translated at the source or destination as defined in the rule. After selecting this option, specify the IP address and netmask for the destination network. l except to a network—Access is allowed or denied to networks other than the specified network.
(Instant AP)(inbound-firewall)# end (Instant AP)# commit apply Configuring Management Subnets You can configure subnets to ensure that the W-IAP management is carried out only from these subnets. When the management subnets are configured, Telnet, SSH, and UI access is restricted to these subnets only. You can configure management subnets by using the Instant UI or CLI. In the Instant UI To configure management subnets: 1. Navigate to Security > Inbound Firewall.
2. Select Enabled from the Restrict Corporate Access drop-down list. 3. Click OK. In the CLI To configure restricted management access:
(Instant AP)(config) # restrict-corp-access
(Instant AP)(config) # end
(Instant AP)# commit apply
Content Filtering The content filtering feature allows you to route DNS requests to the OpenDNS platform and create content filtering policies.
In the CLI To enable content filtering on a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile
(Instant AP)(SSID Profile )# content-filtering
(Instant AP)(SSID Profile )# end
(Instant AP)# commit apply
Enabling Content Filtering for a Wired Profile To enable content filtering for a wired profile, perform the following steps: In the Instant UI 1. Click the Wired link under More at the top right corner of the main window. The Wired window is displayed. 2.
Configuring URL Filtering Policies You can configure URL filtering policies to block certain categories of websites based on your organization specifications by defining ACL rules either through the Instant UI or CLI. In the Instant UI 1. Navigate to Security >Roles. 2. Select any WLAN SSID or wired profile role, and click New in the Access Rules section. The New Rule window appears. 3. Select the rule type as Access Control. 4. To set an access policy based on the web category: a.
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan access-rule URLFilter
(Instant AP) (Access Rule "URLFilter")# rule any any match webcategory gambling deny
(Instant AP) (Access Rule "URLFilter")# rule any any match webcategory training-and-tools permit
(Instant AP) (Access Rule "URLFilter")# rule any any match webreputation trustworthy-sites permit
(Instant AP) (Access Rule "URLFilter")# rule any any match webreputation suspicious-sites deny
(Instant AP) (Access Rule "URLFilter")# en
Configuring User Roles Every client in the Instant network is associated with a user role that determines the network privileges for a client, the frequency of reauthentication, and the applicable bandwidth contracts. Instant allows you to configure up to 32 user roles. If the number of roles exceeds 32, an error message is displayed.
In the Instant UI 1. Click the Security link at the top right corner of the Instant main window. The Security window is displayed. 2. Click the Roles tab. The Roles tab contents are displayed. 3. Create a new role or select an existing role. 4. Under Access Rules, click New. The New Rule window is displayed. 5. Select Bandwidth Contract from the Rule Type drop-down list. 6. Specify the downstream and upstream rates in Kbps. If the assignment is specific for each user, select the Per-user checkbox. 7. Click OK. 8.
In the Instant UI To configure machine authentication with role-based access control: 1. In the Access tab of the WLAN wizard (New WLAN or Edit ) or wired profile configuration window (New Wired Network or Edit Wired Network), under Roles, create Machine auth only and User auth only roles. 2. Configure access rules for these roles by selecting the role, and applying the rule. For more information on configuring access rules, see Configuring ACL Rules for Network Services on page 189. 3.
Roles Based on Client Authentication The user role can be the default user role configured for an authentication method, such as 802.1X authentication. For each authentication method, you can configure a default role for clients who are successfully authenticated using that method. DHCP Option and DHCP Fingerprinting DHCP fingerprinting allows you to identify the operating system of a device by looking at the options in the DHCP frame. Because the client composes those options itself, a fingerprint is a hint about the device type rather than an authenticated identity; use it to place devices in a role or VLAN, not as the sole basis for granting privileged access.
3. Under Role Assignment Rules, click New. The New Role Assignment window allows you to define a match method by which the string in Operand is matched with the attribute value returned by the authentication server. 4. From the Attribute drop-down list, select the attribute that the rule matches against. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options.
l If VLANs are configured for a WLAN SSID or an Ethernet port profile, the VLAN for the client can be derived before the authentication, from the rules configured for these profiles. l If a rule derives a specific VLAN, it is prioritized over the user roles that may have a VLAN configured. l The user VLANs can be derived from the default roles configured for 802.1X authentication or MAC authentication.
Figure 47 Configure VSA on a RADIUS Server VLAN Assignment Based on Derivation Rules When an external RADIUS server is used for authentication, the RADIUS server may return a reply message for authentication. If the RADIUS server supports return attributes, and sets an attribute value to the reply message, the W-IAP can analyze the return message and match attributes with a user pre-defined VLAN derivation rule. If the rule is matched, the VLAN value defined by the rule is assigned to the user.
User Role If neither the VSA nor a VLAN derivation rule matches, the user VLAN can be derived from the user role. VLANs Created for an SSID If neither the VSA nor a VLAN derivation rule matches, and the user role does not contain a VLAN, the user VLAN can be derived from the VLANs configured for the SSID or Ethernet port profile. Configuring VLAN Derivation Rules The VLAN derivation rules allow administrators to assign a VLAN to the W-IAP clients based on the attributes returned by the RADIUS server.
5. Enter the string to match in the String field. 6. Select the appropriate VLAN ID from the VLAN drop-down list. 7. Click OK. 8. Ensure that the required security and access parameters are configured. 9. Click Finish to apply the changes.
Operator Description \b Matches a word boundary, so the expression matches only at the start or end of a word. For example, \bdown matches downlink (down begins a word), and down\b matches linkdown and shutdown (down ends a word). \B Matches a position inside a word, not at a word boundary. For example, \Bvice matches services, devices, serviceID, deviceID, and so on. ^ Matches the start of the string. For example, ^bcd matches bcde or bcdf, but not abcd. [^] Matches any single character that is not listed between the brackets. For example, ^[^u].*link matches downlink but not uplink, because the first character must not be u. Note that a negated class excludes only one character position: [^u]link on its own still matches uplink (through plink), so anchor the expression when you mean the whole value.
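The following Python program is an added example (not code from this guide) that implements the derivation precedence described earlier in this chapter (a VLAN VSA in the RADIUS reply, then the derivation rules, then the user role's VLAN, then the SSID or port VLAN) together with the rule match methods, including the regular-expression operators in the table above; it also treats the dhcp-option attribute as one more string the rules can match, which is how a DHCP fingerprint feeds role and VLAN placement. The operator names, the VSA name Aruba-User-Vlan, the sample reply attributes and the vendor class string are assumptions.

```python
"""VLAN derivation for an authenticated client: an added example, not the
W-IAP's implementation. Assumed (not from the guide): the operator names, the
VSA name "Aruba-User-Vlan", and the constructed attribute values.
"""
import re

# Match methods a rule can use. `value` is the attribute returned by the
# authentication server (or learned locally, such as dhcp-option).
OPERATORS = {
    "equals": lambda value, string: value == string,
    "not-equals": lambda value, string: value != string,
    "starts-with": lambda value, string: value.startswith(string),
    "ends-with": lambda value, string: value.endswith(string),
    "contains": lambda value, string: string in value,
    "matches-regular-expression": lambda value, string: re.search(string, value) is not None,
}


def rule_matches(op, value, string):
    """Apply one match method; an unknown operator is a configuration error."""
    try:
        return OPERATORS[op](value, string)
    except KeyError:
        raise ValueError(f"unknown operator {op!r}") from None


def first_rule_vlan(attrs, rules):
    """Rules are (attribute, operator, string, vlan), evaluated in order;
    the first rule whose attribute is present and matches wins."""
    for attr, op, string, vlan in rules:
        value = attrs.get(attr)
        if value is not None and rule_matches(op, value, string):
            return vlan
    return None


def derive_vlan(attrs, rules, role_vlan=None, ssid_vlan=None):
    """Return (vlan, source) following the documented precedence:
    1. a VLAN VSA in the RADIUS reply,
    2. the first matching VLAN derivation rule,
    3. the VLAN configured on the user role,
    4. the VLAN of the SSID or Ethernet port profile."""
    vsa = attrs.get("Aruba-User-Vlan")
    if vsa is not None:
        return int(vsa), "vsa"
    rule_vlan = first_rule_vlan(attrs, rules)
    if rule_vlan is not None:
        return rule_vlan, "derivation-rule"
    if role_vlan is not None:
        return role_vlan, "user-role"
    return ssid_vlan, "ssid"


# Constructed rule set: corporate users by Filter-Id prefix, guests by a
# word-bounded token in Class, Windows clients by the DHCP vendor class string.
EXAMPLE_RULES = [
    ("Filter-Id", "starts-with", "corp-", 10),
    ("Class", "matches-regular-expression", r"\bguest\b", 20),
    ("dhcp-option", "contains", "MSFT 5.0", 30),
]

if __name__ == "__main__":
    for reply in ({"Aruba-User-Vlan": "5"}, {"Filter-Id": "corp-eng"},
                  {"Class": "role=guest;site=1"}, {"Class": "role=guests"}, {}):
        print(reply, "->", derive_vlan(reply, EXAMPLE_RULES, role_vlan=40, ssid_vlan=1))
```

Rule order matters as much as operator choice: a `contains` rule placed before a more specific `equals` rule captures every value the specific rule was meant for, and a regular expression without `^` or `\b` anchoring matches substrings of values you did not intend.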
Creating a User VLAN Role You can create a user role for VLAN derivation using the Instant UI or CLI. In the Instant UI To configure a user role for VLAN derivation: 1. Click the Security link at the top right corner of the Instant main window. 2. Click the Roles tab. The Roles tab contents are displayed. 3. Under Roles, click New. 4. Enter a name for the new role and click OK. 5. Under Access rules, click New. 6. Select the Rule type as VLAN assignment. 7. Enter the ID of the VLAN in the VLAN ID text box.
Chapter 14 DHCP Configuration This chapter provides the following information: l Configuring DHCP Scopes on page 215 l Configuring the Default DHCP Scope for Client IP Assignment on page 222 Configuring DHCP Scopes The virtual controller supports different modes of DHCP address assignment. With each DHCP address assignment mode, various client traffic forwarding modes are associated. For more information on client traffic forwarding modes for IAP-VPN, see IAP-VPN Forwarding Modes on page 240.
3. Based on type of DHCP scope selected, configure the following parameters: Table 40: Local DHCP Mode Configuration Parameters Name Description Name Enter a name for the DHCP scope. Type Select any of the following options: l Local—On selecting Local, the DHCP server for local branch network is used for keeping the scope of the subnet local to the W-IAP. In the NAT mode, the traffic is forwarded through the IPSec tunnel or the uplink.
(Instant AP)(DHCP Profile )# server-type
(Instant AP)(DHCP Profile )# server-vlan
(Instant AP)(DHCP Profile )# subnet
(Instant AP)(DHCP Profile )# subnet-mask
(Instant AP)(DHCP Profile )# dns-serv
(Instant AP)# commit apply
You can configure distributed DHCP scopes such as Distributed, L2 or Distributed,L3 by using the Instant UI or CLI. In the Instant UI To configure distributed DHCP scopes such as Distributed,L2 or Distributed,L3: 1. Click More > DHCP Server. The DHCP Server window is displayed. 2. To configure a distributed DHCP mode, click New under Distributed DHCP Scopes. The New DHCP Scope window is displayed. The following figure shows the contents of the New DHCP Scope window.
Table 41: Distributed DHCP Mode Configuration Parameters Name Description Default router If Distributed, L2 is selected for type of DHCP scope, specify the IP address of the default router. DNS Server If required, specify the IP address of a DNS server. Domain Name If required, specify the domain name. Lease Time Specify a lease time for the client in minutes within a range of 2–1440 minutes. The default value is 720 minutes. IP Address Range Specify a range of IP addresses to use.
(Instant AP)(DHCP Profile )# client-count
(Instant AP)(DHCP Profile )# dns-server
(Instant AP)(DHCP Profile )# domain-name
(Instant AP)(DHCP Profile )# lease-time
(Instant AP)(DHCP Profile )# ip-range
(Instant AP)(DHCP Profile )# reserve {first|last}
(Instant AP)# commit apply
Table 42: Centralized DHCP Mode Configuration Parameters Name Description Name Enter a name for the DHCP scope. Type Set the type as follows: l Centralized,L2 for the centralized,L2 profile l Centralized,L3 for the centralized,L3 profile VLAN Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile.
The following table describes the behavior of the DHCP Relay Agent and Option 82 in the W-IAP.
You can configure a domain name, DNS server, and DHCP server for client IP assignment using the Instant UI or CLI. In the Instant UI 1. Navigate to More > DHCP Server. The DHCP Server tab contents are displayed. Figure 51 DHCP Servers Window 2. Enter the domain name of the client in the Domain name text box. 3. Enter the IP addresses of the DNS servers separated by a comma (,) in the DNS server(s) text box. 4. Enter the duration of the DHCP lease in the Lease time text box.
DHCP Subnet :192.0.2.0
DHCP Netmask :255.255.255.0
DHCP Lease Time(m) :20
DHCP Domain Name :example.com
DHCP DNS Server :192.0.2.1
Chapter 15 VPN Configuration This chapter describes the following VPN configuration procedures: l Understanding VPN Features on page 225 l Configuring a Tunnel from a W-IAP to Dell Networking W-Series Mobility Controller on page 226 l Configuring Routing Profiles on page 237 Understanding VPN Features As W-IAPs use a Virtual Controller architecture, the W-IAP network does not require a physical controller to provide the configured WLAN services.
Supported VPN Protocols Instant supports the following VPN protocols for remote access: Table 44: VPN Protocols VPN Protocol Description Dell IPsec IPsec is a protocol suite that secures IP communications by authenticating and encrypting each IP packet of a communication session. You can configure an IPsec tunnel to ensure that the data flow between the networks is encrypted. However, you can configure a split-tunnel to encrypt only the corporate traffic.
Configuring an IPSec Tunnel An IPsec tunnel is configured to ensure that the data flow between the networks is encrypted. When configured, the IPSec tunnel to the controller secures corporate data. You can configure an IPSec tunnel from Virtual Controller using the Instant UI or CLI. In the Instant UI To configure a tunnel using the IPSec protocol: 1. Click the More > VPN link at the top right corner of the Instant UI. The Tunneling window is displayed. 2.
6. Click Next to create routing profiles. When the IPsec tunnel configuration is completed, the traffic that the routing profiles direct into the tunnel is encrypted between the W-IAP and the controller; with a split tunnel, traffic that the routing profiles do not match leaves the local uplink unencrypted.
For information on the GRE tunnel configuration on the controller, see the ArubaOS User Guide. In the Instant UI To configure a GRE tunnel in the UI: 1. Click the More > VPN link at the top right corner of the Instant UI. The Tunneling window is displayed. 2. Select Manual GRE from the Protocol drop-down list. 3. Specify the following parameters. A sample configuration is shown in Figure 53. a. Enter an IP address or the FQDN for the main VPN/GRE endpoint. b. Enter a value for the GRE type parameter. c.
(host)(config-tunnel)# tunnel destination
(host)(config-tunnel)# trusted
(host)(config-tunnel)# tunnel vlan
Configuring Dell GRE Parameters The automatic GRE feature uses the IPSec connection between the W-IAP and controller to send the control information for setting up a GRE tunnel.
Figure 54 Dell GRE Configuration 6. Click Next to continue.
l If the primary LNS is down, it fails over to the backup LNS.
l L2TPv3 has one tunnel profile and under this, one primary peer and a backup peer are configured. If the primary tunnel creation fails or if the primary tunnel gets deleted, the backup starts. The following two failover modes are supported: n Preemptive: In this mode, if the primary comes up when the backup is active, the backup tunnel is deleted and the primary tunnel resumes as an active tunnel.
Figure 56 Tunnel Configuration b. Enter the primary server IP address. c. Enter the remote end backup tunnel IP address. This is an optional field and is required only when a backup server is configured. d. Enter the remote end UDP port number. The default value is 1701. e. Enter the interval at which the hello packets are sent through the tunnel. The default value is 60 seconds. f. Select MD5 or SHA as the message digest used for message authentication. g. Enter a shared key for the message digest.
d. Select the cookie length and enter a cookie value corresponding to the length. By default, the cookie length is not set. e. Specify the remote end ID. f. If required, enable default l2 specific sublayer in the L2TP session. g. Click OK. 5. Click Next to continue.
(Instant AP)(L2TPv3 Session Profile "test_session")# cookie len 4 value 12345678
(Instant AP)(L2TPv3 Session Profile "test_session")# l2tpv3 tunnel test_tunnel
(Instant AP)(L2TPv3 Session Profile "test_session")# tunnel-ip 1.1.1.1 mask 255.255.255.
created by admin: YES, tunnel mode: LAC, persist: YES
local host name: Instant-C4:42:98
peer tunnel id: 1842732147, host name: aruba1600pop636635.hsbtst2.
peer profile: NOT SET
session profile: NOT SET
trace flags: PROTOCOL FSM API AVPDATA FUNC XPRT DATA SYSTEM CLI
To view L2TPv3 system statistics:
(Instant AP)# show l2tpv3 system statistics
L2TP counters:
Total messages sent: 99, received: 194, retransmitted: 0
illegal: 0, unsupported: 0, ignored AVPs: 0, vendor AVPs: 0
Setup failures: tunnels: 0, sessions: 0
Resource failures: control frames: 0, peers: 0
tunnels: 0, sessions: 0
Limit exceeded errors: tunnels: 0, sessions: 0
Frame errors: short frames: 0, wr
Figure 58 Tunneling— Routing 3. Update the following parameters: l Destination— Specify the destination network that is reachable through the VPN tunnel. This defines the IP or subnet that must be reached through the IPsec tunnel. Traffic to the IP or subnet defined here is forwarded through the IPsec tunnel. l Netmask— Specify the subnet mask for the destination defined in Destination. l Gateway— Specify the gateway to which traffic must be routed.
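The following Python script is an added example, not code from the Instant guide or the W-IAP software, of the decision a routing profile drives: each Destination/Netmask/Gateway entry is compiled into a prefix, and a packet's destination is matched longest-prefix-first, so only traffic that an entry claims is sent through the IPsec tunnel while everything else stays local (the split-tunnel case described earlier in this chapter). The profile values and addresses are constructed sample data; the validation that rejects a Destination with host bits set under its Netmask is an assumption of this example, not documented W-IAP behaviour.

```python
import ipaddress

# Constructed routing profile using the three fields described above
# (Destination, Netmask, Gateway). Sample values, not from the guide.
ROUTING_PROFILE = [
    {"destination": "10.0.0.0",   "netmask": "255.0.0.0",   "gateway": "192.0.2.1"},
    {"destination": "172.16.0.0", "netmask": "255.240.0.0", "gateway": "192.0.2.1"},
    {"destination": "10.20.0.0",  "netmask": "255.255.0.0", "gateway": "192.0.2.2"},
]


def validate_entry(entry):
    """Return None if the entry is usable, else a string describing the problem.

    A Destination with host bits set under its Netmask (e.g. 10.20.5.0 with
    255.255.0.0) is rejected rather than silently widened, so a typo cannot
    quietly send more traffic through the tunnel than intended (assumed check).
    """
    try:
        ipaddress.IPv4Network(f"{entry['destination']}/{entry['netmask']}", strict=True)
        ipaddress.IPv4Address(entry["gateway"])
    except (ValueError, KeyError) as exc:
        return f"invalid routing entry {entry}: {exc}"
    return None


def build_routes(profile):
    """Compile validated entries into (network, gateway) pairs."""
    routes = []
    for entry in profile:
        problem = validate_entry(entry)
        if problem:
            raise ValueError(problem)
        net = ipaddress.IPv4Network(f"{entry['destination']}/{entry['netmask']}")
        routes.append((net, ipaddress.IPv4Address(entry["gateway"])))
    return routes


def select_gateway(routes, dst):
    """Longest-prefix match of a destination address against the routing profile.

    Returns the gateway as a string, or None when no entry matches (the packet
    is then forwarded locally, which is the split-tunnel behaviour).
    """
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gateway in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return None if best is None else str(best[1])


def forwarding_decision(routes, dst):
    """'tunnel' when the routing profile claims the destination, else 'local'."""
    return "tunnel" if select_gateway(routes, dst) else "local"


if __name__ == "__main__":
    routes = build_routes(ROUTING_PROFILE)
    for dst in ("10.20.5.5", "10.1.1.1", "172.16.4.4", "8.8.8.8"):
        print(dst, forwarding_decision(routes, dst), select_gateway(routes, dst))
```

A default route (Destination 0.0.0.0, Netmask 0.0.0.0) turns the same logic into a full tunnel: every destination matches it with prefix length 0, and more specific entries still win where they apply.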
Chapter 16 IAP-VPN Deployment This section provides the following information: l Understanding IAP-VPN Architecture on page 239 l Configuring W-IAP and Controller for IAP-VPN Operations on page 242 Understanding IAP-VPN Architecture The IAP-VPN architecture includes the following two components: l W-IAPs at branch sites l Controller at the datacenter The master W-IAP at the branch acts as the VPN endpoint and the controller at the datacenter acts as the VPN concentrator.
l Branches—The number of IAP-VPN branches that can be terminated on a given controller platform. l Routes—The number of L3 routes supported on the controller. l L3 mode and NAT mode users—The number of trusted users supported on the controller. There is no scale impact on the controller. They are limited only by the number of clients supported per W-IAP. l L2 mode users—The number of L2 mode users is limited to 128000 for W-7220/W-7240 and 64000 across all platforms.
Distributed L2 Mode In this mode, the W-IAP assigns an IP address from the configured subnet and forwards traffic to both corporate and non-corporate destinations. Clients receive the corporate IP with the Virtual Controller as the DHCP server. The default gateway for the client still resides in the datacenter, and hence this mode is an L2 extension of the corporate VLAN to the remote site. Either the controller or an upstream router can be the gateway for the clients.
DHCP Scope and VPN Forwarding Modes Mapping The following table provides a summary of the DHCP scope and VPN forwarding modes mapping:
Table 46: DHCP Scope and VPN Forwarding Modes Matrix
Mode | Local | Local L2 | Local L3 | Centralized L2 | Centralized L3 | Distributed L2 | Distributed L3
DHCP server | Virtual Controller | Virtual Controller | Virtual Controller | DHCP Server in the Datacenter | DHCP Server in the Datacenter and VC acts as a relay agent | Virtual Controller | Virtual Controller
Default Gateway for cli
5. Enabling Dynamic RADIUS Proxy 6. Configuring Enterprise Domains Defining the VPN host settings The VPN endpoint on which a master W-IAP terminates its VPN tunnel is considered the host. A master AP in a W-IAP network can be configured with a primary and backup host to provide VPN redundancy. You can define VPN host settings through More>VPN>Controller in the UI. You can configure the following VPN profiles for the IAP-VPN operations.
deployment is not on a VLAN or subnet that is in centralized or distributed L2 mode of operation. For information on hierarchical mode of deployment, see Understanding Hierarchical Deployment on page 126. Configuring an SSID or Wired Port For a client to connect to the IAP-VPN network, an SSID or wired port profile on a W-IAP must be configured with appropriate IAP-VPN mode of operation.
l Branch Status Verification This section describes the configuration procedures to perform on the controller for generic use cases. For information on specific deployment scenarios, see IAP-VPN Deployment Scenarios on page 380. ArubaOS 6.3 or later is the recommended version to run on the controllers for the IAP-VPN configuration. The IAP-VPN configuration is not supported on W-600 Series controllers.
0.0.0.15 NSSA 51.41.41.128 9.9.9.9
0.0.0.15 NSSA 53.43.43.32 9.9.9.9
0.0.0.15 NSSA 54.44.44.16 9.9.9.9
N/A AS_EXTERNAL 12.12.2.0 9.9.9.9
N/A AS_EXTERNAL 12.12.12.0 9.9.9.9
N/A AS_EXTERNAL 12.12.12.32 9.9.9.9
N/A AS_EXTERNAL 50.40.40.0 9.9.9.9
N/A AS_EXTERNAL 51.41.41.128 9.9.9.9
N/A AS_EXTERNAL 53.43.43.32 9.9.9.9
N/A AS_EXTERNAL 54.44.44.16 9.9.9.
a. Open the Active Directory and Computers window, add a new user and specify the MAC address (without the colon delimiter) of the W-IAP for the user name and password. b. Right-click the user that you have just created and click Properties. c. On the Dial-in tab, select Allow access in the Remote Access Permission section and click OK. d. Repeat Step a through Step b for all W-IAPs. 2. Define the remote access policy in the Internet Authentication Service: a.
Branch Status Verification To view the details of the branch information connected to the controller, execute the show iap table command. Example This example shows the details of the branches connected to the controller:
(host) #show iap table long
IAP Branch Table
---------------
Name VC MAC Address Status Inner IP Assigned Subnet Assigned Vlan
---- -------------- ------ -------- --------------- -------------
Tokyo-CB:D3:16 6c:f3:7f:cc:42:f8 DOWN 0.0.0.0
Paris-CB:D3:16 6c:f3:7f:cc:3d:04 UP 10.15.207.140 10.
Parameter Description Assigned Vlan Displays the VLAN ID assigned to the branch. Key Displays the key for the branch, which is unique to each branch. Bid(Subnet Name) Displays the Branch ID (BID) of the subnet. l In the example above, the controller displays bid-per-subnet-per-branch, i.e., for the "LA" branch, BID "2" for the ip-range "10.15.205.0-10.15.205.250" with client count per branch "5". If a branch has multiple subnets, it can have multiple BIDs.
Chapter 17 Adaptive Radio Management This chapter provides the following information: l ARM Overview on page 250 l Configuring ARM Features on a W-IAP on page 251 l Configuring Radio Settings on page 257 ARM Overview Adaptive Radio Management (ARM) is a radio frequency management technology that optimizes WLAN performance even in networks with the highest traffic by dynamically and intelligently choosing the best 802.11 channel and transmit power for each W-IAP in its current RF environment.
Configuring ARM Features on a W-IAP This section describes the following procedures for configuring ARM features: l Band Steering on page 251 l Airtime Fairness Mode on page 252 l Client Match on page 252 l Access Point Control on page 254 Band Steering The band steering feature assigns the dual-band capable clients to the 5 GHz band on dual-band W-IAPs.
Airtime Fairness Mode The airtime fairness feature provides equal access to all clients on the wireless medium, regardless of client type, capability, or operating system, thus delivering uniform performance to all clients. This feature prevents the clients from monopolizing resources. You can configure airtime fairness mode parameters through the Instant UI or CLI. In the Instant UI 1.
When the client match feature is enabled on a W-IAP, the W-IAP measures the RF health of its associated clients. In the current release, the client match feature is supported only within a W-IAP cluster.
Table 50: Client Match Configuration Parameters Parameter Description Client match Select Enabled to enable the Client match feature on APs. When enabled, client count will be balanced among all the channels in the same band. For more information, see ARM Overview on page 250. By default, the client match feature is disabled. NOTE: When client match is enabled, ensure that Scanning is enabled. CM calculating interval Specify a value for the calculating interval of Client match.
Table 51: Access Point Control - Configuration Parameters Parameter Description Customize Valid Channels Select this checkbox to customize valid channels for 2.4 GHz and 5 GHz. By default, the AP uses the valid channels defined by the Country Code (regulatory domain). On selecting the Customize Valid Channels checkbox, a list of valid channels for both 2.4 GHz and 5 GHz is displayed. The valid channel customization feature is disabled by default.
3. Click OK.
5.0 GHz Channels
---------------
Channel Status
------- ------
36 enable
40 enable
44 enable
48 enable
52 enable
56 enable
60 enable
64 enable
149 enable
153 enable
157 enable
161 enable
165 enable
36+ enable
44+ enable
52+ disable
60+ disable
149+ enable
157+ enable
36E enable
52E enable
149E enable
Configuring Radio Settings You can configure 2.4 GHz and 5 GHz radio settings for a W-IAP either using the Instant UI or CLI. In the Instant UI To configure radio settings: 1.
Parameter Description Interference immunity level Select to increase the immunity level to improve performance in high-interference environments. The default immunity level is 2. l Level 0— no ANI adaptation. l Level 1— Noise immunity only. This level enables power-based packet detection by controlling the amount of power increase that makes a radio aware that it has received a packet. l Level 2— Noise and spur immunity.
(Instant AP)(RF dot11 g Radio Profile)# min-tx-power
(Instant AP)(RF dot11 g Radio Profile)# end
(Instant AP)# commit apply
To configure 5 GHz radio settings:
(Instant AP)(config)# rf dot11a-radio-profile
(Instant AP)(RF dot11a Radio Profile)# beacon-interval
(Instant AP)(RF dot11a Radio Profile)# legacy-mode
(Instant AP)(RF dot11a Radio Profile)# spectrum-monitor
(Instant AP)(RF dot11a Radio Profile)# spectrum-ban
Chapter 18 Deep Packet Inspection and Application Visibility This chapter provides the following information: l Deep Packet Inspection on page 260 l Enabling Application Visibility on page 260 l Application Visibility on page 261 l Configuring ACL Rules for Application and Application Categories on page 266 l Configuring Web Policy Enforcement Service on page 269 Deep Packet Inspection AppRF is Dell's custom-built Layer 7 firewall capability.
(Instant AP)(config)# dpi (Instant AP)(config)# end (Instant AP)# commit apply Application Visibility The AppRF graphs are based on Deep Packet Inspection (DPI) application and Web Policy Enforcement service, which provides application traffic summary for the client devices associated with a W-IAP. The AppRF link above the activity panel of the dashboard is displayed only if AppRF visibility is enabled in the System window.
Figure 61 Application Categories List - Client View Figure 62 Application Category Chart - AP View Application Charts The application chart displays details on the client traffic towards the applications. On clicking in the rectangle area, you can view the following graphs and toggle between the chart and list views.
Figure 63 Application Chart - Client View Figure 64 Application List - Client View
Figure 65 Application Chart - AP View Web Categories Charts The web categories chart displays details about the client traffic to the web categories. On clicking in the rectangle area, you can view the following graphs and toggle between the chart and list views. Figure 66 Web Categories Chart - Client View Figure 67 Web Categories List - Client View
Figure 68 Web Categories Chart - AP View Web Reputation Charts The web reputation chart displays details about the client traffic to URLs that are assigned a security score. On clicking in the rectangle area, you can view the following graphs and toggle between the chart and list views. Figure 69 Web Reputation Chart - Client View Figure 70 Web Reputation List - Client View
Figure 71 Web Reputation Chart - AP View Configuring ACL Rules for Application and Application Categories This section describes the procedure for configuring access rules based on application and application categories. The Application and Application Category rules utilize the on-board DPI engine. For information on: l Configuring access rules to control access to network services, see Configuring ACL Rules for Network Services on page 189.
Table 53: Access Rule Configuration Parameters Service Category Description Application Select the applications to which you want to allow or deny access.
Table 53: Access Rule Configuration Parameters Service Category Description l Select Destination-NAT to allow changes to destination IP address. l Select Source-NAT to allow changes to the source IP address. The destination-nat and source-nat actions apply only to the network services rules. Destination Select a destination option for the access rules for network services, applications, and application categories.
(Instant AP)(Access Rule )#rule {app {permit|deny} |appcategory }[
n Trustworthy - These are well known sites with strong security practices and may not expose the user to security risks. There is a very low probability that the user will be exposed to malicious links or payloads. n Low risk - These are benign sites and may not expose the user to security risks. There is a low probability that the user will be exposed to malicious links or payloads. n Moderate risk - These are generally benign sites, but may pose a security risk.
(Instant AP) (Access Rule "URLFilter")# end (Instant AP)# commit apply
Chapter 19 Voice and Video This chapter describes the steps required to configure voice and video services on a W-IAP for Voice over IP (VoIP) devices, including Session Initiation Protocol (SIP), Spectralink Voice Priority (SVP), H323, SCCP, Vocera, and Alcatel NOE phones, clients running Microsoft OCS, and Apple devices running the Facetime application.
Configuring WMM for Wireless Clients You can configure WMM for wireless clients by using the UI or CLI. In the Instant UI 1. Navigate to the WLAN wizard (click Network>New or Network> Select the WLAN SSID>edit). 2. Click Show advanced options under WLAN Settings. 3. Specify a percentage value for the following WMM access categories in the corresponding Share field. You can allocate a higher bandwidth for voice and video traffic than other types of traffic based on the network profile.
DSCP Value | WMM Access Category
32 | Video
40 | Video
48 | Voice
56 | Voice
By customizing WMM AC mappings, all packets received are matched against the entries in the mapping table and prioritized accordingly. The mapping table contains information for upstream (client to W-IAP) and downstream (W-IAP to client) traffic. You can configure different WMM to DSCP mapping values for each WMM AC when configuring an SSID profile either in the Instant UI or CLI. In the Instant UI 1.
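An added example, not code from the guide or from the W-IAP, of the matching the paragraph above describes: the DSCP is the upper six bits of the IPv4 TOS byte, so a classifier reads that field (ignoring the two ECN bits) and looks the value up either in the default table shown above or in a customized mapping. The packets are constructed by build_ipv4 for the demonstration; the "Best effort" fallback for unlisted values and the custom entry for DSCP 46 are assumptions of this example, not values from the guide.

```python
import ipaddress
import struct

# Rows of the mapping table shown above (DSCP value -> WMM access category).
DEFAULT_DSCP_TO_AC = {32: "Video", 40: "Video", 48: "Voice", 56: "Voice"}
# Constructed fallback for DSCP values the table does not list (assumption).
FALLBACK_AC = "Best effort"


def ipv4_checksum(header):
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(dscp, ecn=0, src="10.0.0.1", dst="10.0.0.2", proto=17, payload=b""):
    """Construct a minimal, correctly checksummed IPv4 packet carrying the given DSCP."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    tos = (dscp << 2) | ecn
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def dscp_from_ipv4(packet):
    """Extract the 6-bit DSCP from the TOS byte after sanity-checking the header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(packet[:ihl]) != 0:  # a valid header sums to zero
        raise ValueError("header checksum mismatch")
    return packet[1] >> 2  # drop the two ECN bits


def classify(packet, mapping=None):
    """Map a packet to its WMM access category using the default or a custom table."""
    table = DEFAULT_DSCP_TO_AC if mapping is None else mapping
    return table.get(dscp_from_ipv4(packet), FALLBACK_AC)


def classify_or_none(packet, mapping=None):
    """Like classify, but returns None for malformed packets instead of raising."""
    try:
        return classify(packet, mapping)
    except ValueError:
        return None


if __name__ == "__main__":
    custom = {**DEFAULT_DSCP_TO_AC, 46: "Voice"}  # constructed: treat EF (46) as voice
    for dscp in (40, 46, 48):
        pkt = build_ipv4(dscp, ecn=3)
        print(dscp, classify(pkt), classify(pkt, custom))
```

The checksum verification matters for the upstream direction: a classifier that trusts the TOS byte of a damaged header would prioritize garbage, so malformed packets are reported rather than mapped.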
Microsoft Office Lync Microsoft Office Lync uses Session Initiation Protocol (SIP) over TLS to establish, control, and terminate voice and video calls. The following is an example of the QoS configuration for Microsoft Lync.
Chapter 20 Services This chapter provides information on how to configure the following services on a W-IAP: l AirGroup l Real Time Location Server (RTLS) l Analytics and Location Engine (ALE) l OpenDNS l Communications Assistance for Law Enforcement Act (CALEA) l Palo Alto Network Firewall l XML-API Server AirGroup Configuration AirGroup provides a unique enterprise-class capability that leverages zero configuration networking to enable AirGroup services from mobile devices in an efficient manne
The following figure illustrates how AirGroup enables personal sharing of Apple devices: Figure 73 AirGroup Enables Personal Device Sharing AirGroup is not supported on 3G and PPPoE uplinks. Multicast DNS and Bonjour® Services Bonjour is the trade name for the zero configuration implementation introduced by Apple. It is supported by most of the Apple product lines, including the Mac OS X operating system, iPhone, iPod Touch, iPad, Apple TV, and AirPort Express.
Figure 74 Bonjour Services and AirGroup Architecture For a list of supported Bonjour services, see AirGroup Services on page 280. DLNA UPnP Support In addition to the mDNS protocol, W-IAPs now support Universal Plug and Play (UPnP) and DLNA (Digital Living Network Alliance) enabled devices. DLNA is a network standard derived from UPnP, which enables devices to discover the services available in a network. DLNA also provides the ability to share data between the Windows or Android based multimedia devices.
Figure 75 DLNA UPnP Services and AirGroup Architecture For a list of supported DLNA services, see AirGroup Services on page 280. AirGroup Features AirGroup supports the following features: l Sends unicast responses to mDNS or DLNA queries and reduces the traffic footprint. l Ensures cross-VLAN visibility and availability of AirGroup devices and services. l Allows or blocks AirGroup services for all users. l Allows or blocks AirGroup services based on user roles.
Figure 76 AirGroup in a Higher-Education Environment When AirGroup discovers a new device, it interacts with CPPM to obtain the shared attributes such as shared location and role. However, the current versions of W-IAPs do not support the enforcement of shared location policy. AirGroup Services AirGroup supports zero configuration services. The services are pre-configured and are available as part of the factory default configuration.
AirGroup Components AirGroup leverages key elements of the Dell solution portfolio including operating system software for Instant, CPPM, and the VLAN-based or role-based filtering options offered by the AirGroup services. The components that make up the AirGroup solution include the Instant, CPPM, and ClearPass Guest.
l Operator-defined personal AirGroup to specify a list of other users who can share devices with the operator. l Administrator-defined username, user role, and location attributes for shared devices. Configuring AirGroup and AirGroup Services on a W-IAP You can configure AirGroup services using the Instant UI or CLI. In the Instant UI To enable AirGroup and its services: 1. Click the More > Services link at the top right corner of the Instant main window. 2. Click the Air Group tab.
Instant supports the use of up to 6 custom services. 8. Based on the services configured, you can block any user roles from accessing an AirGroup service and restrict the AirGroup servers connected to a specific set of VLANs from being discovered. The user roles and VLANs marked as disallowed are prevented from accessing the corresponding AirGroup service. You can create a list of disallowed user roles and VLANs for all AirGroup services configured on the W-IAP.
To verify the AirGroup configuration status: (Instant AP)# show airgroup status Configuring AirGroup and CPPM interface in Instant Configure the Instant and CPPM interface to allow an AirGroup W-IAP and CPPM to exchange information regarding device sharing and location. The configuration options define the RADIUS server that is used by the AirGroup RADIUS client. The AirGroup configuration with CPPM involves the following steps: 1. Create a RADIUS service 2. Assign a Server to AirGroup 3.
1. Click the More > Services link at the top right corner of the Instant main window. The Services window is displayed. 2. Click the RTLS tab. The following figure shows the contents of the RTLS tab. 3. Under Aruba, select the RTLS check-box to integrate Instant with the W-AirWave Management Platform or Ekahau Real Time Location Server. Figure 78 RTLS Window 4. Specify the IP address and port to which the location reports must be sent. 5. Specify the shared secret key in the Passphrase text box. 6.
Configuring a W-IAP for Analytics and Location Engine Support The Analytics and Location Engine (ALE) is designed to gather client information from the network, process it, and share it through a standard API. The client information gathered by ALE can be used for analyzing a client’s internet behavior for business purposes, such as shopping preferences. ALE includes a location engine that calculates the associated and unassociated device location every 30 seconds by default.
Figure 79 Services Window —ALE Integration 4. Specify the ALE server name or IP address. 5. Specify the reporting interval within the range of 6–60 seconds. The W-IAP sends messages to the ALE server at the specified interval. The default interval is 30 seconds. 6. Click OK.
In the CLI To configure OpenDNS credentials: (Instant AP)(config)# opendns (Instant AP)(config)# end (Instant AP)# commit apply Integrating a W-IAP with Palo Alto Networks Firewall The Palo Alto Networks (PAN) next-generation firewall offers contextual security for all users for safe enabling of applications. A simple firewall that looks no further than IP addresses or TCP port numbers provides only a subset of the enhanced security that enterprises require to secure their networks.
Figure 80 Services Window - Network Integration Tab 3. Select the Enable checkbox to enable the PAN firewall. 4. Specify the user name and password. Ensure that you provide the user credentials of the PAN firewall administrator. 5. Enter the PAN firewall IP address. 6. Enter the port number within the range of 1—65535. The default port is 443. 7. Click OK.
Integration with Instant The XML API interface allows you to send specific XML commands to a W-IAP from an external server. These XML commands can be used to customize W-IAP client entries. You can use the XML API interface to add, delete, authenticate, query, or blacklist a user or a client. The user authentication is supported only for users authenticated by captive portal authentication and not for the dot1x-authentication users.
In the United States, SPs are required to ensure LI compliance based on Communications Assistance for Law Enforcement Act (CALEA) specifications. Instant supports CALEA integration in hierarchical and flat topologies, mesh W-IAP networks, and wired and wireless networks. Enable this feature only if lawful interception is authorized by a law enforcement agency.
Figure 82 IAP to CALEA Server through VPN Ensure that an IPSec tunnel is configured if the client data has to be routed to the ISP or CALEA server through VPN. For more information on configuring IPSec, see Configuring an IPSec Tunnel on page 227. Client Traffic Replication Client traffic is replicated in the following ways: l Through RADIUS VSA— In this method, the client traffic is replicated by using the RADIUS VSA to assign clients to a CALEA related user role.
In the Instant UI To configure a CALEA profile: 1. Click More > Services at the top right corner of the Instant main window. 2. Click CALEA. The CALEA tab details are displayed. 3. Specify the following parameters: l IP address— Specify the IP address of the CALEA server. l Encapsulation type— Specify the encapsulation type. The current release of Instant supports GRE only. l GRE type— Specify the GRE type. l MTU— Specify a size for the maximum transmission unit (MTU) within the range of 68—1500.
5. Click OK. 6. Create a role assignment rule if required. 7. Click Finish.
(Instant AP)(SSID Profile "Calea-Test")# inactivity-timeout 1000
(Instant AP)(SSID Profile "Calea-Test")# broadcast-filter none
(Instant AP)(SSID Profile "Calea-Test")# dmo-channel-utilization-threshold 90
(Instant AP)(SSID Profile "Calea-Test")# local-probe-req-thresh 0
(Instant AP)(SSID Profile "Calea-Test")# max-clients-threshold 64
(Instant AP)(SSID Profile "Calea-Test")# end
(Instant AP)# commit apply
To verify the configuration:
(Instant AP)# show calea config
calea-ip :10.0.0.
Chapter 21 W-IAP Management and Monitoring This chapter provides information on managing and monitoring W-IAPs from the W-AirWave management server. Managing a W-IAP from W-AirWave W-AirWave is a powerful and easy-to-use network operations system that manages Dell wireless, wired, and remote access networks, as well as wired and wireless infrastructures from a wide range of third-party manufacturers.
Read/Write, the Instant UI is in read-only mode. If W-AirWave Management Level is set to Monitor-only+Firmware Upgrades mode, the Instant UI changes to the read-write mode. Template-based Configuration W-AirWave automatically creates a configuration template based on any of the existing W-IAPs, and it applies that template across the network as shown in the following figure. It audits every device on an ongoing basis to ensure that configurations never vary from the enterprise policies.
The WIDS report cites the number of IDS events for devices that have experienced the most instances in the prior 24 hours and provides links to support additional analysis or configuration in response. RF Visualization Support for Instant W-AirWave supports RF visualization for Instant. The VisualRF module provides a real-time picture of the actual radio environment of your wireless network and the ability to plan the wireless coverage of new sites.
Configuring Organization String The Organization string is a set of colon-separated strings created by the W-AirWave administrator to accurately represent the deployment of each W-IAP. This string is defined by the installation personnel on the site.
On the DHCP server, the format for option 60 is “ InstantAP“, and the two formats for option 43 are “,,” and “,” . If you use the ,, format, the PSK-based authentication is used to access the W-AirWave Management Platform server.
3. Select DHCP Standard Options in the Option class drop-down list and then click Add. 4. Enter the following information: n Name— Instant n Data Type— String n Code—60 n Description—Instant AP Figure 86 Instant and DHCP options for W-AirWave: Predefined Options and Values 5. Navigate to Server Manager and select Server Options in the IPv4 window. (This sets the value globally. Use options on a per-scope basis to override the global options.) 6.
Figure 87 Instant and DHCP options for W-AirWave: Server Options 7. Select 060 Dell Instant AP in the Server Options window and enter DellInstantAP in the String Value. Figure 88 Instant and DHCP options for W-AirWave—060 W-IAP in Server Options 8. Select 043 Vendor Specific Info and enter a value for either of the following in the ASCII field:
l airwave-orgn, airwave-ip, airwave-key; for example: Dell,192.0.2.20, 12344567
l airwave-orgn, airwave-domain; for example: Dell, dell.support.
Figure 89 Instant and DHCP options for—043 Vendor Specific Info This creates DHCP options 60 and 43 on a global basis. You can do the same on a per-scope basis. The per-scope option overrides the global option. Figure 90 Instant and DHCP options for W-AirWave: Scope Options
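As an added example, not part of the guide or of W-AirWave, the Python below encodes DHCP option 60 (the DellInstantAP vendor class) and option 43 (the comma-separated orgn/ip/key or orgn/domain string) in RFC 2132 TLV form, parses them back, and interprets them the way the steps above imply a W-IAP would: three fields mean PSK-based authentication to W-AirWave, two fields mean the domain form, and a non-matching option 60 means the option 43 belongs to another service and is not applied. The 192.0.2.20 / 12344567 values are the guide's own example; the airwave.example.com domain and the PXE option bytes used for the negative case are constructed.

```python
import ipaddress

# Option 60 value the guide has you enter in the Server Options window.
VENDOR_CLASS = b"DellInstantAP"
OPT_PAD, OPT_VENDOR_SPECIFIC, OPT_VENDOR_CLASS, OPT_END = 0, 43, 60, 255


def encode_option(code, data):
    """One DHCP option in RFC 2132 TLV form: code, length, payload (1-255 bytes)."""
    if not 0 < len(data) <= 255:
        raise ValueError("option payload must be 1-255 bytes")
    return bytes([code, len(data)]) + data


def build_airwave_options(orgn, airwave_ip=None, airwave_key=None, airwave_domain=None):
    """Build the option 60 + option 43 bytes a DHCP server would hand a W-IAP.

    Three fields (orgn, ip, key) select PSK-based authentication to W-AirWave;
    two fields (orgn, domain) select the domain form described above.
    """
    if airwave_ip is not None and airwave_key is not None:
        ipaddress.IPv4Address(airwave_ip)  # reject a malformed address up front
        vsi = f"{orgn},{airwave_ip},{airwave_key}"
    elif airwave_domain is not None:
        vsi = f"{orgn},{airwave_domain}"
    else:
        raise ValueError("need either ip+key or domain")
    return (encode_option(OPT_VENDOR_CLASS, VENDOR_CLASS)
            + encode_option(OPT_VENDOR_SPECIFIC, vsi.encode("ascii"))
            + bytes([OPT_END]))


def parse_options(blob):
    """Decode a TLV option blob into {code: payload}, stopping at END (255)."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        payload = blob[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated option payload")
        opts[code] = payload
        i += 2 + length
    return opts


def interpret_airwave(opts):
    """How a W-IAP would read the options; None when they belong to another service.

    Checking option 60 first is what keeps an AP from misreading a PXE (or other)
    option 43 as W-AirWave settings on a server that uses those options already.
    """
    if opts.get(OPT_VENDOR_CLASS) != VENDOR_CLASS or OPT_VENDOR_SPECIFIC not in opts:
        return None
    fields = [f.strip() for f in opts[OPT_VENDOR_SPECIFIC].decode("ascii").split(",")]
    if len(fields) == 3:
        orgn, ip, key = fields
        ipaddress.IPv4Address(ip)
        return {"organization": orgn, "airwave_ip": ip, "airwave_key": key, "psk_auth": True}
    if len(fields) == 2:
        return {"organization": fields[0], "airwave_domain": fields[1], "psk_auth": False}
    raise ValueError("option 43 must carry 2 or 3 comma-separated fields")


if __name__ == "__main__":
    blob = build_airwave_options("Dell", airwave_ip="192.0.2.20", airwave_key="12344567")
    print(blob.hex())
    print(interpret_airwave(parse_options(blob)))
```

The same parser applied to a server that already hands out option 60 "PXEClient" with its own option 43 returns None, which is the situation the next section's alternate method is written for.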
Alternate Method for Defining Vendor-Specific DHCP Options This section describes how to add vendor-specific DHCP options for Instant APs in a network that already uses DHCP options 60 and 43 for other services. Some networks use DHCP standard options 60 and 43 to provide the DHCP clients information about certain services such as PXE. In such an environment, the standard DHCP options 60 and 43 cannot be used for W-IAPs.
Figure 92 W-AirWave—New Group Figure 93 W-AirWave —Monitor
Chapter 22 Uplink Configuration This chapter provides the following information: l Uplink Interfaces on page 306 l Ethernet Uplink on page 306 l Cellular Uplink on page 308 l Wi-Fi Uplink on page 312 l Uplink Preferences and Switching on page 313 Uplink Interfaces Instant network supports Ethernet, 3G and 4G USB modems, and the Wi-Fi uplink to provide access to the corporate Instant network.
Figure 95 Uplink Status Ethernet uplink supports the following types of configuration in this Instant release. n PPPoE n DHCP n Static IP You can use PPPoE for your uplink connectivity in both W-IAP and IAP-VPN deployments. PPPoE is supported only in a single AP deployment. Uplink redundancy with the PPPoE link is not supported. When the Ethernet link is up, it is used as a PPPoE or DHCP uplink. After the PPPoE settings are configured, PPPoE has the highest priority for the uplink connections.
4. To set a local interface for the PPPoE uplink connections, select a value from the Local interface dropdown list. The selected DHCP scope will be used as a local interface on the PPPoE interface and the Local, L3 DHCP gateway IP address as its local IP address. When configured, the local interface acts as an unnumbered PPPoE interface and allows the entire Local, L3 DHCP subnet to be allocated to clients.
l Quicksilver (Globetrotter ICON 322) l UM100C (UTstarcom) l Icon 452 l Aircard 250U (Sierra) l USB 598 (Sierra) l U300 (Franklin wireless) l U301 (Franklin wireless) l USB U760 for Virgin (Novatel) l USB U720 (Novatel/Qualcomm) l UM175 (Pantech) l UM150 (Pantech) l UMW190(Pantech) l SXC-1080 (Qualcomm) l Globetrotter ICON 225 l UMG181 l NTT DoCoMo L-05A (LG FOMA L05A) l NTT DoCoMo L-02A l ZTE WCDMA Technologies MSM (MF668?) l Fivespot (ZTE) l c-motech CNU-600 l ZTE
l USB U727 (Novatel) (Verizon) l USB U760 (Novatel) (Sprint) l USB U760 (Novatel) (Verizon) l Novatel MiFi 2200 (Verizon Mifi 2200) l Huawei E272, E170, E220 (ATT) l Huawei E169, E180,E220,E272 (Vodafone/SmarTone (HK)) l Huawei E160 (O2(UK)) l Huawei E160 (SFR (France)) l Huawei E220 (NZ and JP) l Huawei E176G (Telstra (Aus)) l Huawei E1553, E176 (3/HUTCH (Aus)) l Huawei K4505 (Vodafone/SmarTone (HK)) l Huawei K4505 (Vodafone (UK)) l ZTE MF656 (Netcom (norway)) l ZTE MF636 (HK C
l Huawei E1552 (SingTel) l Huawei E1750 (T-Mobile (Germany)) l UGM 1831 (TMobile) l Huawei D33HW (EMOBILE(Japan)) l Huawei GD01 (EMOBILE(Japan)) l Huawei EC150 (Reliance NetConnect+ (India)) l KDDI DATA07(Huawei) (KDDI (Japan)) l Huawei E353 (China Unicom) l Huawei EC167 (China Telecom) l Huawei E367 (Vodafone (UK)) l Huawei E352s-5 (T-Mobile (Germany)) l Huawei D41HW l ZTE AC2726 The following table lists the supported 4G modems.
(Instant AP)(cellular-uplink-profile)# modem-isp
(Instant AP)(cellular-uplink-profile)# usb-auth-type
(Instant AP)(cellular-uplink-profile)# usb-user
(Instant AP)# commit apply
- 2.4 GHz (default)
- 5 GHz

8. Select a passphrase format from the Passphrase format drop-down list. The following options are available:
- 8 - 63 alphanumeric characters
- 64 hexadecimal characters

Ensure that the hexadecimal password string is exactly 64 digits in length.

9. Enter a pre-shared key (PSK) passphrase in the Passphrase text box and click OK.

You can view the Wi-Fi configuration and uplink status in the CLI.
- When no uplink is enforced and preemption is enabled, and the current uplink fails, the W-IAP tries to find an available uplink based on the configured priority. If the current uplink is active, the W-IAP still periodically tries to use a higher-priority uplink and switches to it when it becomes available, even though the current uplink is active.

You can enforce a specific uplink on a W-IAP by using the Instant UI or CLI.

In the Instant UI
To enforce an uplink:
1. Click the System > show advanced settings > Uplink.
In the Instant UI 1. Click the System > show advanced settings > Uplink. The Uplink tab contents are displayed. 2. Under Uplink Management, ensure that the Enforce Uplink is set to none. 3. Select Enabled from the Pre-emption drop-down list. 4. Click OK.
2. Under Uplink Management, configure the following parameters: l VPN failover timeout—To configure uplink switching based on VPN status, specify the duration to wait for an uplink switch. The default duration is set to 180 seconds. l Internet failover—To configure uplink switching based on Internet availability, perform the following steps: a. Select Enabled from the Internet failover drop-down list. b.
VPN failover timeout (secs)  :180
ICMP pkt sent                :0
ICMP pkt lost                :0
Continuous pkt lost          :0
VPN down time                :0

Instant Access Point# show uplink config
Uplink preemption            :enable
Uplink enforce               :none
Ethernet uplink bond0        :DHCP
Internet failover            :disable
Max allowed test packet loss :10
Secs between test packets    :30
VPN failover timeout (secs)  :180
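The preemption, enforce and failover rules in this section, together with the counters shown by `show uplink`, can be read as a small decision procedure. The following Python model is an added example, not Dell or Aruba code. The priority order it uses (Ethernet before cellular before Wi-Fi), the assumption that an enforced uplink is kept even when it is down, and the assumption that Internet failover fires once the run of consecutive lost test packets exceeds the configured maximum are all assumptions of this example, not statements from the guide.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed priority order (not stated on this page): lower number wins.
PRIORITY = {"eth0": 0, "cellular": 1, "wifi": 2}


@dataclass
class Uplink:
    name: str
    up: bool


def choose_uplink(uplinks: List[Uplink], current: Optional[str],
                  enforce: str = "none", preemption: bool = True) -> Optional[str]:
    """Return the uplink the AP should be using after one evaluation pass.

    - enforce != "none": that uplink is used and no automatic switching
      happens (assumption: it is kept even while it is down).
    - otherwise, if the current uplink is down, fall back to the best
      available uplink by priority.
    - with preemption enabled, a higher-priority uplink that is available
      takes over even though the current one is still active.
    """
    if enforce != "none":
        return enforce
    state = {u.name: u.up for u in uplinks}
    available = sorted((n for n, up in state.items() if up), key=PRIORITY.__getitem__)
    best = available[0] if available else None
    if current is None or not state.get(current, False):
        return best          # current uplink failed: take the best available one
    if preemption:
        return best          # may switch away from an active lower-priority link
    return current           # no preemption: stay put while the current link works


class InternetProbe:
    """Mirror of the ICMP counters in 'show uplink' used for Internet failover.

    One test packet is sent every `interval` seconds; failover is declared
    when the run of consecutive lost packets exceeds `max_loss` (assumption
    about how the 'Max allowed test packet loss' value is compared).
    """

    def __init__(self, max_loss: int = 10, interval: int = 30):
        self.max_loss = max_loss
        self.interval = interval
        self.sent = self.lost = self.continuous_lost = 0

    def record(self, reply_received: bool) -> bool:
        """Record one probe result; return True when failover should fire."""
        self.sent += 1
        if reply_received:
            self.continuous_lost = 0     # a single reply resets the run
            return False
        self.lost += 1
        self.continuous_lost += 1
        return self.continuous_lost > self.max_loss

    def seconds_to_failover(self) -> int:
        """Time from the first lost probe to the probe that trips the threshold."""
        return self.max_loss * self.interval


def vpn_failover_due(down_seconds: int, timeout: int = 180) -> bool:
    """VPN-status based switching: true once the tunnel has been down for at
    least the configured VPN failover timeout (default 180 s on the page)."""
    return down_seconds >= timeout


if __name__ == "__main__":
    links = [Uplink("eth0", False), Uplink("cellular", True), Uplink("wifi", True)]
    print(choose_uplink(links, current="wifi"))                # cellular
    links[0].up = True
    print(choose_uplink(links, "cellular", preemption=False))  # cellular
    print(choose_uplink(links, "cellular", preemption=True))   # eth0
```

With the page's defaults (10 allowed losses, 30 s between probes) the model shows that a dead Internet path is only declared after five minutes of continuous loss, which is the figure to weigh against the 180 s VPN failover timeout when choosing between the two triggers.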
Chapter 23 Intrusion Detection The Intrusion Detection System (IDS) is a feature that monitors the network for the presence of unauthorized W-IAPs and clients. It also logs information about the unauthorized W-IAPs and clients, and generates reports based on the logged information. The IDS feature in the Instant network enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations.
- Windows 7
- Windows Vista
- Windows Server
- Windows XP
- Windows ME
- OS-X
- iPhone
- iOS
- Android
- Blackberry
- Linux

Configuring Wireless Intrusion Protection and Detection Levels
WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Instant network, WIP can be configured on the W-IAP.
Figure 97 Wireless Intrusion Detection The following table describes the detection policies enabled in the Infrastructure Detection Custom settings field.
Table 58: Infrastructure Detection Policies (Detection Level / Detection Policy)
- Detect AP Flood Attack
- Detect Client Flood Attack
- Detect Bad WEP
- Detect CTS Rate Anomaly
- Detect RTS Rate Anomaly
- Detect Invalid Address Combination
- Detect Malformed Frame— HT IE
- Detect Malformed Frame— Association Request
- Detect Malformed Frame— Auth
- Detect Overflow IE
- Detect Overflow EAPOL Key
- Detect Beacon Wrong Channel
- Detect devices with invalid MAC OUI

The following table de
- High

Figure 98 Wireless Intrusion Protection

The following table describes the protection policies that are enabled in the Infrastructure Protection Custom settings field.
Table 61: Client Protection Policies
Protection Level | Protection Policy
Off | All protection policies are disabled
Low | Protect Valid Station
High | Protect Windows Bridge

Containment Methods
You can enable wired and wireless containment to prevent unauthorized stations from connecting to your Instant network. Instant supports the following types of containment mechanisms:
- Wired containment— When enabled, W-IAPs generate ARP packets on the wired network to contain wireless attacks.
Figure 99 Containment Methods

Configuring IDS Using CLI
To configure IDS using CLI:
(Instant AP)(config)# ids
(Instant AP)(IDS)# infrastructure-detection-level
(Instant AP)(IDS)# client-detection-level
(Instant AP)(IDS)# infrastructure-protection-level
(Instant AP)(IDS)# client-protection-level
(Instant AP)(IDS)# detect-malformed-htie
(Instant AP)(IDS)# detect-malformed-assoc-req
(Instant AP)(IDS)# detect-malformed-frame-auth
(Instant AP)(IDS)# detect-overflow-ie
(Instant AP)(IDS)# detect-overflow-eapol-key
(Instant AP)(IDS)# detect-beacon-wrong-channel
(Instant AP)(IDS)# detect-invalid-mac-oui
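Three of the infrastructure detection policies in Table 58 (AP flood, beacon on the wrong channel, invalid MAC OUI) can be illustrated on a handful of beacon observations. The following Python detector is an added example, not Dell or Aruba code and not how the W-IAP implements these checks internally; the OUI allowlist, the flood window and threshold, and the sample beacons are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed allowlist of vendor OUIs (first three octets of the MAC address).
# A real deployment would load the full IEEE registry; these three are sample data.
KNOWN_OUIS: Set[str] = {"00:0b:86", "24:de:c6", "d8:c7:c8"}


@dataclass
class Beacon:
    ts: float          # receive time in seconds
    bssid: str         # transmitter address, lower-case colon form
    ds_channel: int    # channel advertised in the DS Parameter Set IE
    rx_channel: int    # channel the monitoring radio actually heard the frame on


def oui(mac: str) -> str:
    return mac.lower()[:8]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address carries no vendor OUI."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def detect_invalid_oui(beacons: List[Beacon], known: Set[str] = KNOWN_OUIS) -> List[str]:
    """Detect devices with invalid MAC OUI: BSSIDs whose OUI is not in the
    allowlist, plus locally administered addresses, which have no OUI at all."""
    return sorted({b.bssid for b in beacons
                   if oui(b.bssid) not in known or is_locally_administered(b.bssid)})


def detect_beacon_wrong_channel(beacons: List[Beacon], tolerance: int = 0) -> List[Tuple[str, int, int]]:
    """Detect Beacon Wrong Channel: the DS Parameter Set claims a channel other
    than the one the frame was received on. `tolerance` lets a caller ignore
    adjacent-channel bleed-over, a common source of false positives on 2.4 GHz."""
    return sorted({(b.bssid, b.ds_channel, b.rx_channel) for b in beacons
                   if abs(b.ds_channel - b.rx_channel) > tolerance})


def detect_ap_flood(beacons: List[Beacon], window: float = 10.0, threshold: int = 8) -> bool:
    """Detect AP Flood Attack: more than `threshold` distinct BSSIDs first seen
    inside any sliding `window`-second interval (both values are assumed)."""
    first_seen = {}
    for b in sorted(beacons, key=lambda b: b.ts):
        first_seen.setdefault(b.bssid, b.ts)
    times = sorted(first_seen.values())
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 > threshold:
            return True
    return False


# Constructed sample of beacon observations.
SAMPLE = [
    Beacon(0.0, "00:0b:86:aa:bb:01", 6, 6),
    Beacon(0.5, "00:0b:86:aa:bb:02", 11, 11),
    Beacon(1.0, "02:11:22:33:44:55", 6, 6),    # locally administered: carries no vendor OUI
    Beacon(1.5, "dc:ad:be:ef:00:01", 1, 6),    # unknown OUI, and claims channel 1 while heard on 6
    Beacon(2.0, "d8:c7:c8:00:00:01", 36, 36),
    Beacon(2.5, "00:0b:86:aa:bb:03", 6, 7),    # adjacent-channel bleed-over, a typical false positive
]

if __name__ == "__main__":
    print(detect_invalid_oui(SAMPLE))
    print(detect_beacon_wrong_channel(SAMPLE), detect_beacon_wrong_channel(SAMPLE, tolerance=1))
    print(detect_ap_flood(SAMPLE))
```

The tolerance parameter is the check a practitioner wants before trusting a wrong-channel alert: a beacon on channel 6 is routinely decoded on channels 5 and 7, so a zero-tolerance rule fires on healthy neighbours.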
Chapter 24 Mesh W-IAP Configuration This chapter provides the following information: l Mesh Network Overview on page 326 l Setting up Instant Mesh Network on page 327 l Configuring Wired Bridging on Ethernet 0 for Mesh Point on page 327 Mesh Network Overview The Dell Instant secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires.
The mesh portal broadcasts a mesh services set identifier (MSSID/ mesh cluster name) to advertise the mesh network service to other mesh points in that Instant network. This is not configurable and is transparent to the user. The mesh points authenticate to the mesh portal and establish a link that is secured using Advanced Encryption Standard (AES) encryption. The mesh portal reboots after 5 minutes when it loses its uplink connectivity to a wired network.
In the Instant UI To configure Ethernet bridging: 1. On the Access Points tab, click the W-IAP to modify. The edit link is displayed. 2. Click the edit link. The edit window for modifying W-IAP details is displayed. 3. Click the Uplink tab. 4. Select Enable from the Eth0 Bridging drop-down list. 5. Click OK. 6. Reboot the W-IAP. In the CLI To configure Ethernet bridging: Instant Access Point# enet0-bridging Make the necessary changes to the wired-profile when eth0 is used as the downlink port.
Chapter 25 Mobility and Client Management This chapter provides the following information: l Layer-3 Mobility Overview on page 329 l Configuring L3-Mobility on page 330 Layer-3 Mobility Overview W-IAPs form a single Instant network when they are in the same Layer-2 (L2) domain. As the number of clients increase, multiple subnets are required to avoid broadcast overhead.
When a client first connects to an Instant network, a message is sent to all configured Virtual Controller IP addresses to see if this is an L3 roamed client. On receiving an acknowledgement from any of the configured Virtual Controller IP addresses, the client is identified as an L3 roamed client. If the AP has no GRE tunnel to this home network, a new tunnel is formed to an AP (home AP) from the client's home network.
Figure 101 L3 Mobility Window

4. Select Enabled from the Home agent load balancing drop-down list. By default, home agent load balancing is disabled.
5. Click New in the Virtual Controller IP Addresses section, add the IP address of a Virtual Controller that is part of the mobility domain, and click OK.
6. Repeat the previous step to add the IP addresses of all Virtual Controllers that form the L3 mobility domain.
7. Click New in the Subnets section and specify the following:
a.
Chapter 26 Spectrum Monitor This chapter provides the following information: l Understanding Spectrum Data on page 332 l Configuring Spectrum Monitors and Hybrid W-IAPs on page 338 Understanding Spectrum Data Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference.
To view the device list, click Spectrum in the dashboard. The following figure shows an example of the device list details. Figure 102 Device List Device Summary and Channel Information shows the details of the information that is displayed: Table 62: Device Summary and Channel Information Column Description Type Device type.
Column Description Duty-cycle Device duty cycle. This value represents the percent of time the device broadcasts a signal. Add-time Time at which the device was first detected. Update-time Time at which the device’s status was updated. Non Wi-Fi Interferers The following table describes each type of non Wi-Fi interferer detected by the spectrum monitor feature.
Non Wi-Fi Interferer Description Frequency Hopper (Xbox) The Microsoft Xbox device uses a frequency hopping protocol in the 2.4 GHz band. These devices are classified as Frequency Hopper (Xbox). Frequency Hopper (Other) When the classifier detects a frequency hopper that does not fall into one of the above categories, it is classified as Frequency Hopper (Other). Some examples include IEEE 802.
Figure 103 Channel Details Channel Details Information shows the information that you can view in the channel details graph. Table 64: Channel Details Information Column Description Channel An 802.11a or 802.11g radio channel. Quality(%) Current relative quality of the channel. Utilization(%) The percentage of the channel being used. Wi-Fi (%) The percentage of the channel currently being used by Wi-Fi devices. Type Device type.
To view this graph, click 2.4 GHz in the Spectrum section of the dashboard. Figure 104 Channel Metrics for the 2.4 GHz Radio Channel To view this graph, click 5 GHz in the Spectrum section of the dashboard. Figure 105 Channel Metrics for the 5 GHz Radio Channel Channel Metrics shows the information displayed in the channel metrics graph. Table 65: Channel Metrics Column Description Channel A 2.4 GHz or 5 GHz radio channel. Quality(%) Current relative quality of selected channels in the 2.
Configuring Spectrum Monitors and Hybrid W-IAPs A W-IAP can be provisioned to function as a spectrum monitor or as a hybrid W-IAP. The radios on groups of APs can be converted to dedicated spectrum monitors or hybrid APs via the AP group’s 802.11a and 802.11g radio profiles. Converting a W-IAP to a Hybrid W-IAP You can convert all W-IAPs in an Instant network into hybrid W-IAPs by selecting the Background spectrum monitoring option in the 802.11a and 802.11g radio profiles of a W-IAP.
1. In the Access Points tab, click the AP that you want to convert to a spectrum monitor. The edit link is displayed.
2. Click the edit link. The Edit Access Point window is displayed.
3. Click the Radio tab.
4. From the Access Mode drop-down list, select Spectrum Monitor.
5. Click OK.
6. Reboot the W-IAP for the changes to take effect.
7. To enable spectrum monitoring for any other band for the 5 GHz radio:
a. Click the RF link at the upper right corner of the Instant UI.
b.
Chapter 27 W-IAP Maintenance This section provides information on the following procedures: l Upgrading a W-IAP on page 340 l Backing up and Restoring W-IAP Configuration Data on page 342 l Converting a W-IAP to a Remote AP and Campus AP on page 344 l Resetting a Remote AP or Campus AP to a W-IAP on page 349 l Rebooting the W-IAP on page 349 Upgrading a W-IAP While upgrading a W-IAP, you can use the image check feature to allow the W-IAP to find new software image versions available on a cloud-ba
Figure 106 Proxy Configuration Window

2. Enter the HTTP proxy server IP address and the port number.
3. If you do not want the HTTP proxy to be applied for a particular host, click New to enter the IP address or domain name of that host under the exceptions list.

In the CLI
(Instant AP)(config)# proxy server 192.0.2.1 8080
(Instant AP)(config)# proxy exception 192.0.2.
If the upgrade fails and an error message is displayed, retry upgrading the W-IAP.

Upgrading to a New Version Manually
If the automatic image check feature is disabled, you can obtain an image file from a local file system or from a TFTP or HTTP URL. To manually check for a new firmware image version and obtain an image file:
1. Navigate to Maintenance>Firmware. The Firmware window is displayed.
2. Under the Manual section, perform the following steps:
- Select the Image file option.
Viewing Current Configuration To view the current configuration on the W-IAP: l In the UI, navigate to Maintenance > Configuration > Current Configuration. l In the CLI, enter the following command at the command prompt: (Instant AP)# show running-config Backing up Configuration Data To back up the W-IAP configuration data: 1. Navigate to the Maintenance > Configuration> page. 2. Click Backup Configuration. 3. Click Continue to confirm the backup. The instant.
Converting a W-IAP to a Remote AP and Campus AP
This section provides the following information:
- Regulatory Domain Restrictions for W-IAP to RAP or CAP Conversion on page 344
- Converting a W-IAP to a Remote AP on page 345
- Converting a W-IAP to a Campus AP on page 347
- Converting a W-IAP to Standalone Mode on page 348
- Converting a W-IAP using CLI on page 349

Regulatory Domain Restrictions for W-IAP to RAP or CAP Conversion
You can provision a W-IAP as a Campus AP or a Remote AP in a con
Table 66: W-IAP to ArubaOS Conversion W-IAPVariant W-IAP103H W-IAP11x W-IAP228 W-IAP11x and WIAP228 W-IAP228 All other W-IAPs W-IAP Regulatory Domain Controller Regulatory Domain ArubaOS version US Unrestricted IL US Y X X RW X Y Y US Y X X RW X Y Y US Y X X RW X Y Y US Y X X RW X X X US Y X X RW X X X US Y X X Unrestricted X Y X IL X X Y JP X Y X 6.4 or later 6.3.1.3 or later 6.3.1.3 or later 6.3.1.0, 6.3.1.1, and 6.3.1.2 6.
- If a W-IAP entry for the AP is present in the firmware image cloud server, the W-IAP obtains W-AirWave server information from the cloud server and downloads configuration from W-AirWave to operate in the W-IAP mode.
- If no response is received from the cloud server or W-AirWave, the W-IAP comes up in Instant mode.
- For more information on the firmware image cloud server, see Upgrading a W-IAP on page 340.
Figure 107 Maintenance—Convert Tab

3. Select Remote APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname (fully qualified domain name) or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. Contact your local network administrator to obtain the IP address. Ensure that the mobility controller IP address is reachable from the W-IAPs.
5. Click Convert Now to complete the conversion.
Figure 108 Converting a W-IAP to Campus AP

3. Select Campus APs managed by a Mobility Controller from the drop-down list.
4. Enter the hostname, Fully Qualified Domain Name (FQDN), or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box. Contact your local administrator to obtain these details.
5. Ensure that the W-IAPs can reach the mobility controller IP address.
6. Click Convert Now to complete the conversion.
3. Select Standalone AP from the drop-down list.
4. Select the Access Point from the drop-down list.
5. Click Convert Now to complete the conversion. The W-IAP now operates in standalone mode.
Figure 110 Rebooting the W-IAP 3. In the W-IAP list, select the W-IAP that you want to reboot and click Reboot selected Access Point. To reboot all the W-IAPs in the network, click Reboot All. 4. The Confirm Reboot for AP message is displayed. Click Reboot Now to proceed. The Reboot in Progress message is displayed indicating that the reboot is in progress. The Reboot Successful message is displayed after the process is complete.
Chapter 28 Monitoring Devices and Logs This chapter provides the following information: l Configuring SNMP on page 351 l Configuring a Syslog Server on page 355 l Configuring TFTP Dump Server on page 356 l Running Debug Commands from the UI on page 357 Configuring SNMP This section provides the following information: l SNMP Parameters for W-IAP on page 351 l Configuring SNMP on page 352 l Configuring SNMP Traps on page 354 SNMP Parameters for W-IAP Instant supports SNMPv1, SNMPv2c, and SNMPv3
Field | Description
Authentication protocol password | If messages sent on behalf of this user can be authenticated, the (private) authentication key is used with the authentication protocol. This is a string password for MD5 or SHA based on the above-mentioned conditions.
Privacy protocol | An indication of whether messages sent on behalf of this user can be protected from disclosure, and if so, the type of privacy protocol which is used. This takes the value DES (CBC-DES Symmetric Encryption). DES is the only privacy protocol offered in this release and its 56-bit key is weak by current standards, so pair it with SHA authentication and limit which hosts can reach the SNMP agent.
3. Click New. 4. Enter the string in the New Community String text box. 5. Click OK. 6. To delete a community string, select the string, and click Delete. Creating community strings for SNMPv3 Using Instant UI To create community strings for SNMPv3: 1. Click System link at the top right corner of the Instant main window. The system window is displayed. 2. Click the Monitoring tab. The SNMP configuration parameters displayed in the Monitoring tab. 3. Click New in the Users for SNMPV3 box.
Engine ID:D8C7C8C44298
Community Strings
-----------------
Name
----
SNMPv3 Users
------------
Name  Authentication Type  Encryption Type
----  -------------------  ---------------
SNMP Trap Hosts
---------------
IP Address  Version  Name  Port  Inform
----------  -------  ----  ----  ------

Configuring SNMP Traps
Instant supports the configuration of external trap receivers. Only the W-IAP acting as the Virtual Controller generates traps.
Configuring a Syslog Server You can specify a syslog server for sending syslog messages to the external servers either by using the Instant UI or CLI. In the Instant UI 1. In the Instant main window, click the System link. The System window is displayed. 2. Click Show advanced options to display the advanced options. 3. Click the Monitoring tab. The Monitoring tab details are displayed. Figure 113 Syslog Server 4.
Table 69: Logging Levels
Logging Level | Description
Emergency | Panic conditions that occur when the system becomes unusable.
Alert | Any condition requiring immediate attention and correction.
Critical | Any critical conditions such as a hard drive error.
Errors | Error conditions.
Warning | Warning messages.
Notice | Significant events of a non-critical and normal nature. The default value for all Syslog facilities.
Informational | Messages of general interest to system users.
3. Click the Monitoring tab. The Monitoring tab details are displayed. 4. Enter the IP address of the TFTP server in the TFTP Dump Server text box. 5. Click OK. In the CLI To configure a TFTP server: (Instant AP)(config)# tftp-dump-server (Instant AP)(config)# end (Instant AP)# commit apply Running Debug Commands from the UI To run the debugging commands from the UI: 1. Navigate to More>Support at the top right corner of the Instant main window. The Support window is displayed. 2.
Each entry in the Support window is run against either an AP or the Virtual Controller (VC). The commands include:
- ARP Table
- Association Table
- Authentication Frames
- Auth-Survivability Cache
- Auth-Survivability Debug Log
- BSSID Table
- Captive Portal Domains
- Captive Portal Auto White List
- Client Match Status
- Client Match History
- Client Match Action
- Client Match Live
- Client Match Triggers
- Client Table
- Client View
- Country Codes
- CPU Details
- CPU
- Log Rapper
- Log Rapper Counter
- Log Rapper Brief
- Log Sapd
- Log Security
- Log System
- Log Tunnel Status
- Management Log
- Upgrade Log
- User-Debug Log
- User Log
- VPN Tunnel Log
- Wireless Management Frames
- Memory Allocation State Dumps
- Memory Utilization
- Mesh Counters
- Mesh Link
- Mesh Neighbors
- Monitor Active Laser Beams
- Monitor AP Table
- Mo
- Spectrum client table
- Spectrum device duty cycle
- Spectrum non-wifi device history
- Spectrum non-wifi device table
- Spectrum non-wifi device log
- Spectrum number of device
- Spectrum interference-power table
- Spectrum status
- 802.
Chapter 29 Hotspot Profiles This chapter describes the following procedures: l Understanding Hotspot Profiles on page 361 l Configuring Hotspot Profiles on page 363 l Sample Configuration on page 374 In the current release, Instant supports the hotspot profile configuration only through the CLI. Understanding Hotspot Profiles Hotspot 2.0 is a Wi-Fi Alliance specification based on the 802.
An AP can include its service provider Organization Identifier (OI) indicating the service provider identity in beacons and probe responses to clients. When a client recognizes a W-IAP's OI, it attempts to associate to that W-IAP using the security credentials corresponding to that service provider. If the client does not recognize the AP’s OI, the client sends a Generic Advertisement Service (GAS) query to the W-IAP to request more information about the network before associating.
NAI Realm List
An NAI Realm profile identifies and describes an NAI realm to which clients can connect. The NAI realm settings on a W-IAP act as an advertisement profile that determines which NAI realm elements are included in a GAS Response frame.

Configuring Hotspot Profiles
To configure a hotspot profile, perform the following steps:
1. Create the required ANQP and H2QP advertisement profiles.
2. Create a hotspot profile.
3.
You can specify any of the following EAP methods for the nai-realm-eap-method command:
- identity: EAP Identity type. The associated numeric value is 1.
- notification: allows the hotspot realm to use EAP Notification messages for authentication. The associated numeric value is 2.
- one-time-password: authentication with a single-use password. The associated numeric value is 5.
- generic-token-card: EAP Generic Token Card (EAP-GTC). The associated numeric value is 6.
Table 70: NAI Realm Profile Configuration Parameters
Authentication ID | Authentication Value
non-eap-inner-auth | The value names the non-EAP inner authentication method (the pairing used in the sample configuration): reserved 0, pap 1, chap 2, mschap 3, mschapv2 4.
eap-inner-auth | Uses an EAP inner authentication type. The associated numeric value is 3.
Table 71: Venue Types
Venue Group (numeric value) | Associated Venue Type (numeric value)
unspecified (0) | none
assembly (1) | unspecified 0, arena 1, stadium 2, passenger-terminal 3, amphitheater 4, amusement-park 5
(continued) | long-term-care 2, alc-drug-rehab 3, group-home 4, prison-or-jail 5
mercantile (6) | unspecified 0, retail-store 1, grocery-market 2
Configuring a Network Authentication Profile You can configure a network authentication profile to define the authentication type used by the hotspot network.
Configuring an IP Address Availability Profile You can configure the available IP address types to send information on IP address availability as an ANQP IE in a GAS query response.
(Instant AP)(operator-class )# enable (Instant AP)(operator-class )# end (Instant AP)# commit apply Configuring a WAN Metrics Profile You can configure a WAN metrics profile to define information about access network characteristics such as link status and metrics.
The hotspot profile configuration parameters are described in the following table: Table 72: Hotspot Configuration Parameters Parameter Description access-network-type Specify any of the following 802.11u network types. l private—This network is accessible for authorized users only. For example, home networks or enterprise networks that require user authentication. The corresponding integer value for this network type is 0.
Table 72: Hotspot Configuration Parameters Parameter Description hessid Specify a Homogenous Extended Service Set Identifier (HESSID) in a hexadecimal format separated by colons. internet Specify this parameter to allow the W-IAP to send an Information Element (IE) indicating that the network allows Internet access. p2p-cross-connect Specify this parameter to advertise support for P2P Cross Connections. p2p-dev-mgmt Specify this parameter to advertise support for P2P device management.
(Instant AP)(config)# hotspot hs-profile
(Instant AP)(Hotspot2.0 )# advertisement-protocol
(Instant AP)(Hotspot2.0 )# advertisement-profile anqp-3gpp
(Instant AP)(Hotspot2.0 )# advertisement-profile anqp-domain-name
(Instant AP)(Hotspot2.0 )# advertisement-profile anqp-ip-addr-avail
(Instant AP)(Hotspot2.
Sample Configuration
Step 1 - Creating ANQP and H2QP Advertisement Profile
(Instant AP)# configure terminal
(Instant AP)(config)# hotspot anqp-nai-realm-profile nr1
(Instant AP)(nai-realm "nr1")# nai-realm-name name1
(Instant AP)(nai-realm "nr1")# nai-realm-encoding utf8
(Instant AP)(nai-realm "nr1")# nai-realm-eap-method eap-sim
(Instant AP)(nai-realm "nr1")# nai-realm-auth-id-1 non-eap-inner-auth
(Instant AP)(nai-realm "nr1")# nai-realm-auth-value-1 mschapv2
(Instant AP)(nai-realm "nr1")# nai-ho
(Instant AP)(Hotspot2.0 "hs1")#
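The NAI realm profile configured in Step 1 of the sample configuration is advertised to clients as an ANQP NAI Realm List element, and the numeric values in Table 70 and the EAP method list are the bytes that go on the air. The following Python encoder and decoder are an added example, not Dell or Aruba code, and not the W-IAP's own implementation; the field layout follows the IEEE 802.11u NAI Realm element. The EAP method number for eap-sim (18) and the other methods not listed on this page come from the IANA EAP registry, and the authentication parameter ID for non-eap-inner-auth (2) comes from the standard; both are additions to what the page states.

```python
import struct
from typing import Dict, List, Tuple

ANQP_INFO_ID_NAI_REALM_LIST = 263   # ANQP Info ID for the NAI Realm List (IEEE 802.11u)

# EAP method numbers (IANA EAP registry). The first four are listed on this page;
# the remaining entries are added here and are not from the guide.
EAP_METHOD = {"identity": 1, "notification": 2, "one-time-password": 5,
              "generic-token-card": 6, "eap-tls": 13, "eap-sim": 18,
              "eap-ttls": 21, "eap-aka": 23, "peap": 25}
# Authentication parameter IDs: eap-inner-auth is 3 (Table 70);
# non-eap-inner-auth is 2 (from the standard, not stated on the page).
AUTH_ID = {"non-eap-inner-auth": 2, "eap-inner-auth": 3}
NON_EAP_INNER = {"reserved": 0, "pap": 1, "chap": 2, "mschap": 3, "mschapv2": 4}


def encode_auth_param(auth_id: int, value: int) -> bytes:
    """Authentication Parameter subfield: ID (1), Length (1), Value (1 octet here)."""
    return bytes([auth_id, 1, value])


def encode_eap_method(method: int, auth_params: List[Tuple[int, int]]) -> bytes:
    """EAP Method subfield: Length (1), EAP Method (1), Auth Param Count (1), params."""
    body = bytes([method, len(auth_params)]) + b"".join(encode_auth_param(i, v) for i, v in auth_params)
    return bytes([len(body)]) + body


def encode_realm(realm: str, utf8: bool, methods: List[bytes]) -> bytes:
    """NAI Realm Data: Length (2, LE), Encoding (1; bit 0 set = UTF-8, clear =
    RFC 4282 formatted), Realm Length (1), Realm, EAP Method Count (1), methods."""
    name = realm.encode("utf-8")
    body = bytes([1 if utf8 else 0, len(name)]) + name + bytes([len(methods)]) + b"".join(methods)
    return struct.pack("<H", len(body)) + body


def encode_nai_realm_list(realms: List[bytes]) -> bytes:
    """ANQP element: Info ID (2, LE), Length (2, LE), Realm Count (1), realm data."""
    payload = bytes([len(realms)]) + b"".join(realms)
    return struct.pack("<HH", ANQP_INFO_ID_NAI_REALM_LIST, len(payload)) + payload


def decode_nai_realm_list(data: bytes) -> List[Dict]:
    """Parse the element back, checking every length field as a client would."""
    info_id, length = struct.unpack_from("<HH", data, 0)
    if info_id != ANQP_INFO_ID_NAI_REALM_LIST or length != len(data) - 4:
        raise ValueError("not a well-formed NAI Realm List element")
    pos = 4
    count = data[pos]; pos += 1
    realms = []
    for _ in range(count):
        (rlen,) = struct.unpack_from("<H", data, pos); pos += 2
        end = pos + rlen
        enc, nlen = data[pos], data[pos + 1]; pos += 2
        name = data[pos:pos + nlen].decode("utf-8"); pos += nlen
        n_methods = data[pos]; pos += 1
        methods = []
        for _ in range(n_methods):
            mlen = data[pos]; pos += 1
            mend = pos + mlen
            method, n_auth = data[pos], data[pos + 1]; pos += 2
            auth = []
            for _ in range(n_auth):
                aid, alen = data[pos], data[pos + 1]
                auth.append((aid, int.from_bytes(data[pos + 2:pos + 2 + alen], "little")))
                pos += 2 + alen
            if pos != mend:
                raise ValueError("EAP method length mismatch")
            methods.append({"method": method, "auth": auth})
        if pos != end:
            raise ValueError("realm length mismatch")
        realms.append({"realm": name, "utf8": bool(enc & 1), "methods": methods})
    return realms


def sample_nr1() -> bytes:
    """The 'nr1' profile from the sample configuration: realm name1, UTF-8
    encoding, EAP-SIM with non-EAP inner authentication MSCHAPv2."""
    method = encode_eap_method(EAP_METHOD["eap-sim"],
                               [(AUTH_ID["non-eap-inner-auth"], NON_EAP_INNER["mschapv2"])])
    return encode_nai_realm_list([encode_realm("name1", True, [method])])


if __name__ == "__main__":
    blob = sample_nr1()
    print(blob.hex())
    print(decode_nai_realm_list(blob))
```

The element for the sample profile is 21 bytes. Note that the page's sample pairs EAP-SIM with a non-EAP inner method; EAP-SIM carries no inner method, so a client that reads the advertisement literally gains nothing from that parameter, whereas a realm advertising EAP-TTLS is where a non-eap-inner-auth value such as mschapv2 is meaningful.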
Chapter 30 ClearPass Guest Setup To configure ClearPass Guest: 1. On ClearPass Guest, navigate to Administration > AirGroup Services. 2. Click Configure AirGroup Services. Figure 114 Configure AirGroup Services 3. Click Add a new controller. 4. Update the fields with the appropriate information. Ensure that the port configured matches the CoA port (RFC 3576) set on the W-IAP configuration. 5. Click Save Configuration.
3. Create an AirGroup Administrator. Figure 116 Create an AirGroup Administrator 4. In this example, the password used is test123. Click Add. 5. Now click Add User, and create an AirGroup Operator. Figure 117 Create an AirGroup Operator 6. Click Add to save the user with an AirGroup Operator role. The AirGroup Administrator and AirGroup Operator IDs will be displayed in the Local Users UI screen.
Figure 118 Local Users UI Screen 7. Navigate to the ClearPass Guest UI and click Logout. The ClearPass Guest Login page is displayed. Use the AirGroup admin credentials to log in. 8. After logging in, click Create Device. Figure 119 Create a Device The following page is displayed. Figure 120 - Register Shared Device For this test, add your AppleTV device name and MAC address but leave all other fields empty.
9. Click Register Shared Device.

Testing
To verify the setup:
1. Disconnect your AppleTV and OSX Mountain Lion/iOS 6 devices if they were previously connected to the wireless network. Remove their entries from the controller's user table using these commands:
- Find the MAC address: show user table
- Delete the address from the table: aaa user delete mac 00:aa:22:bb:33:cc
2. Reconnect both devices.
Chapter 31 IAP-VPN Deployment Scenarios
This section describes the most common IAP-VPN deployment models and provides information to carry out the necessary configuration procedures. The examples in this section refer to more than one DHCP profile and wired port configuration in addition to wireless SSID configuration. All of these are optional. In most networks, a single DHCP profile and a wireless SSID configuration referring to that DHCP profile is sufficient.
Scenario 1—IPSec: Single Datacenter Deployment with No Redundancy
This scenario includes the following configuration elements:
1. Single VPN primary configuration using IPSec
2. Split tunneling of client traffic
3. Split tunneling of DNS traffic from clients
4. Distributed L3 and Centralized L2 mode DHCP
5. RADIUS server within corporate network and authentication survivability for branch survivability
6. Wired and wireless users in L2 and L3 modes respectively
7.
Table 75: W-IAP Configuration for Scenario 1—IPSec: Single Datacenter Deployment with No Redundancy
Configuration Steps | CLI Commands | UI Procedure
1. Configure the primary host for VPN with the Public VRRP IP address of the controller. | (ap)(config)# vpn primary | See Configuring an IPSec Tunnel
2. Configure a routing profile to tunnel all 10.0.0.0/8 subnet traffic to the controller. | (ap)(config)# routing-profile | See Configuring Routing Profiles
3.
Table 75: W-IAP Configuration for Scenario 1—IPSec: Single Datacenter Deployment with No Redundancy Configuration Steps authentication servers and access rules created above and enable authentication survivability.
Datacenter Configuration For information on controller configuration, see Configuring a Controller for IAP-VPN Operations on page 244. Ensure that the upstream router is configured with a static route pointing to the controller for the L3 VLAN.
Scenario 2—IPSec: Single Datacenter with Multiple Controllers for Redundancy
This scenario includes the following configuration elements:
- A VRRP instance between the master/standby-master pair, which is configured as the primary VPN IP address.
- Tunneling of all traffic to the datacenter.
- Exception routes to bypass tunneling of RADIUS and W-AirWave traffic, which are reachable locally in the branch and on the Internet respectively.
- All client DNS queries are tunneled to the controller.
- 10.2.2.0/24 is a branch-owned subnet, which needs to override the global routing profile.
- 199.127.104.32 is used as an example IP address of the W-AirWave server on the Internet.

AP Configuration
The following table provides information on the configuration steps performed through the CLI with example values. For information on the UI procedures, see the topics referenced in the UI Navigation Details column.
Table 76: W-IAP Configuration for Scenario 2—IPSec: Single Datacenter with Multiple Controllers for Redundancy
Configuration Steps | CLI Commands | UI Procedure
NOTE: The IP range configuration on each branch will be the same. Each W-IAP will derive a smaller subnet based on the client count scope using the Branch ID (BID) allocated by the controller.
6. Create authentication servers for user authentication. The example in the next column assumes an 802.1X SSID.
... captive portal example.
NOTE: The SSID type guest is used in this example to enable configuration of the captive portal. However, corporate access through the VPN tunnel is still allowed for this SSID because the VLAN associated with this SSID is a VPN-enabled VLAN (20 in this example).
8. Create access rules for wired and wireless authentication.
Scenario 3—IPSec: Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy
This scenario includes the following configuration elements:
• Multiple controller deployment model with controllers in different datacenters operating as primary/backup VPN with fast-failover and pre-emption enabled.
• Split tunneling of traffic.
• Split tunneling of client DNS traffic.
• Two Distributed L3 mode DHCP servers, one each for employees and contractors, and one Local mode DHCP server.
• 10.40.0.0/16 subnet is reserved for L3 mode, used by the Contractor SSID.
• 172.16.20.0/24 subnet is used for NAT mode, used for the wired network.
• Client count in each branch is 200.
• Contractors are only permitted to reach the 10.16.0.0/16 network.
AP Configuration
This section provides information on configuration steps performed through the CLI or the UI.
Table 77: W-IAP Configuration for Scenario 3—IPSec: Multiple Datacenter Deployment
Configuration Steps | CLI Commands | UI Procedure
1.
(ap)(DHCP profile "l3-dhcp")# client-count 200
Local profile with VLAN 20:
(ap)(config)# ip dhcp local
(ap)(DHCP profile "local")#
(ap)(DHCP profile "local")#
(ap)(DHCP profile "local")#
(ap)(DHCP profile "local")# 255.255.255.0
(ap)(DHCP profile "local")#
(ap)(DHCP profile "local")# 10.1.1.30,10.1.1.50
(ap)(DHCP profile "local")# arubanetworks.
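The guide states that every branch keeps the same Distributed L3 IP range and client count, and that each W-IAP derives its own smaller subnet from the Branch ID (BID) the controller allocates. The following is an added illustration, not code from the guide or from the Instant firmware, of that carving for the 10.40.0.0/16 contractor pool with 200 clients per branch; the block-sizing rule (next power of two at or above client count plus network and broadcast addresses) is an assumption, and the real allocator may round differently.

```python
import ipaddress

# Added example: carve a Distributed L3 DHCP pool into per-branch subnets
# by Branch ID (BID). Illustrative only; the sizing rule below is an
# assumption about how client-count maps to a prefix length.


def branch_block_size(client_count):
    """Smallest power of two that fits client_count hosts plus the
    network and broadcast addresses (assumed rounding rule)."""
    size = 1
    while size < client_count + 2:
        size *= 2
    return size


def branch_subnet(pool_cidr, client_count, bid):
    """Subnet that the branch with Branch ID `bid` derives from the pool.
    Raises ValueError when the BID falls outside the pool, which is the
    condition a defender should alert on (a branch with no valid range)."""
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    size = branch_block_size(client_count)
    prefix = 32 - (size.bit_length() - 1)        # size == 2**(32-prefix)
    start = int(pool.network_address) + bid * size
    subnet = ipaddress.ip_network((start, prefix), strict=True)
    if not subnet.subnet_of(pool):
        raise ValueError(f"BID {bid} exceeds the pool {pool}")
    return subnet


def max_branches(pool_cidr, client_count):
    """How many branches the pool can serve at this client count."""
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    return pool.num_addresses // branch_block_size(client_count)


def overlaps(subnet, other_cidrs):
    """CIDRs from other_cidrs (e.g. the branch's NAT pool or other
    branches) that collide with the derived subnet; empty means clean."""
    return [c for c in other_cidrs
            if subnet.overlaps(ipaddress.ip_network(c, strict=True))]


if __name__ == "__main__":
    # Scenario 3 values from the guide: 10.40.0.0/16 pool, 200 clients/branch.
    for bid in (0, 1, 255):
        s = branch_subnet("10.40.0.0/16", 200, bid)
        print(bid, s, overlaps(s, ["172.16.20.0/24"]))
    print("branches supported:", max_branches("10.40.0.0/16", 200))
```

Because the controller hands out the BID, two branches configured with different pools or client counts can derive ranges that collide; running this audit over every branch's values with its BID is a quick way to catch that before it shows up as routing trouble.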
Configure a wireless SSID to operate in L3 mode for employees and associate the distributed L3 mode VLAN 30 with the WLAN SSID profile.
(ap)(Access Rule "wireless-ssid-contractor")# rule 10.16.0.0 255.255.0.0 match any any any permit
(ap)(Access Rule "wireless-ssid-contractor")# rule any any match any any any src-nat
NOTE: Ensure that you execute the commit apply command in the Instant CLI before saving the configuration and propagating changes across the W-IAP cluster.
Scenario 4—GRE: Single Datacenter Deployment with No Redundancy
This scenario includes the following configuration elements:
• Single VPN primary configuration using GRE
  ◦ Aruba GRE, which does not require any configuration on the Dell Networking W-Series Mobility Controller that acts as the GRE endpoint.
  ◦ Manual GRE, which requires GRE tunnels to be explicitly configured on the GRE endpoint, which can be a Dell Networking W-Series Mobility Controller or any device that supports GRE termination.
AP Configuration
This section provides information on configuration steps performed through the CLI or the UI.
Table 78: W-IAP Configuration for Scenario—GRE: Single Datacenter Deployment with No Redundancy
Configuration Steps | CLI Commands | UI Procedure
1. Configure Aruba GRE or manual GRE.
   Aruba GRE configuration
   UI: See Enabling Automatic Configuration of GRE Tunnel
   • Aruba GRE uses an IPSec tunnel to facilitate controller configuration and requires VPN to be configured.
5. Create authentication servers for user authentication. The example in the next column assumes an 802.1X SSID.
   (ap)(config)# wlan auth-server server1
   (ap)(Auth Server "server1")# ip 10.2.2.
Services
For WLAN SSID employee roles:
(ap)(config)# wlan access-rule wireless-ssid
(ap)(Access Rule "wireless-ssid")# rule any any match any any any permit
NOTE: Ensure that you execute the commit apply command in the Instant CLI before saving the configuration and propagating changes across the W-IAP cluster.
Terminology
Acronyms and Abbreviations
The following table lists the abbreviations used in this document.
Table 79: List of abbreviations
Abbreviation | Expansion
NS | Name Server
NTP | Network Time Protocol
PEAP | Protected Extensible Authentication Protocol
PEM | Privacy Enhanced Mail
PoE | Power over Ethernet
RADIUS | Remote Authentication Dial In User Service
VC | Virtual Controller
VSA | Vendor-Specific Attributes
WLAN | Wireless Local Area Network
Glossary
The following table lists the terms and their definitions used in this document.
Table 80: List of Terms
Term | Definition
802.
802.11g | Offers transmission over relatively short distances at up to 54 Mbps, compared with the 11 Mbps theoretical maximum of 802.11b. 802.11g operates in the 2.4 GHz band and employs orthogonal frequency division multiplexing (OFDM), the modulation scheme used in 802.11a, to obtain higher data speed. Computers or terminals set up for 802.11g can fall back to speeds of 11 Mbps, so that 802.11b and 802.11g devices can be compatible within a single network.
802.
DNS Server | A Domain Name System (DNS) server functions as a phonebook for the Internet and Internet users. It converts human-readable computer hostnames into IP addresses and vice versa. A DNS server stores several records for a domain name, such as an address (A) record, name server (NS) records, and mail exchanger (MX) records.
... The choice of endspan or midspan depends on the capabilities of the switch to which the W-IAP is connected. Typically, if a switch is already in place and does not support PoE, midspan power injectors are used.
PPPoE | Point-to-Point Protocol over Ethernet (PPPoE) is a method of connecting to the Internet, typically used with DSL services, where the client connects to the DSL modem.
WEP | Wired Equivalent Privacy (WEP) is a security protocol specified in 802.11b, designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN.