User Guide Dell Networking W-Series ArubaOS 6.5.
Copyright Information
© Copyright 2016 Hewlett Packard Enterprise Development LP. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
Open Source Code
This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses.
Contents
Contents 3
Revision History 19
About this Guide 21
What's New In ArubaOS 6.5.
Replacing a Controller on a Multi-Controller Network 68 Configuring Control Plane Security after Upgrading 72 Troubleshooting Control Plane Security 73 Software Licenses Getting Started with ArubaOS Licenses 75 License Types and Usage 75 Licensing Best Practices and Limitations 78 Centralized Licensing Overview 79 Configuring Centralized Licensing 85 Installing a License 86 Deleting a License 88 Monitoring and Managing Centralized Licenses 88 Network Configuration Parameters 92 Campu
Filtering an IPv6 Extension Header (EH) 134 Configuring a Captive Portal over IPv6 135 Working with IPv6 Router Advertisements (RAs) 135 RADIUS Over IPv6 138 TACACS Over IPv6 140 DHCPv6 Server 140 Understanding ArubaOS Supported Network Configuration for IPv6 Clients 143 Understanding ArubaOS Authentication and Firewall Features that Support IPv6 144 Managing IPv6 User Addresses 149 Understanding IPv6 Exceptions and Best Practices 150 Link Aggregation Control Protocol 152 Understanding
Managing the Internal Database 189 Configuring Server Groups 192 Assigning Server Groups 198 Configuring Authentication Timers 202 Authentication Server Load Balancing 203 MAC-based Authentication 204 Configuring MAC-Based Authentication 204 Configuring Clients 205 Branch Controller Config for Controllers 207 Branch Deployment Features 208 Scalable Site-to-Site VPN Tunnels 209 Layer-3 Redundancy for Branch Controller Masters 209 WAN Failure (Authentication) Survivability
Sample Configurations 267 Performing Advanced Configuration Options for 802.1X 283 Application Single Sign-On Using L2 Authentication 284 Device Name as User Name for Non-802.1X Authentication 286 Stateful and WISPr Authentication 287 Working With Stateful Authentication 287 Working With WISPr Authentication 288 Understanding Stateful Authentication Best Practices 288 Configuring Stateful 802.
Creating and Installing an Internal Captive Portal 326 Creating Walled Garden Access 335 Enabling Captive Portal Enhancements 336 Netdestination for AAAA Records 341 Virtual Private Networks 342 Planning a VPN Configuration 342 Working with VPN Authentication Profiles 346 Configuring a Basic VPN for L2TP/IPsec 348 Configuring a VPN for L2TP/IPsec with IKEv2 353 Configuring a VPN for Smart Card Clients 357 Configuring a VPN for Clients with User Passwords 358 Configuring Remote Access V
Virtual AP Profiles 409 Changing a Virtual AP Forwarding Mode 417 Radio Resource Management (802.11k) 418 BSS Transition Management (802.11v) 426 Fast BSS Transition ( 802.
Working with Intrusion Detection 480 Configuring Intrusion Protection 492 Configuring the WLAN Management System 496 Understanding Client Blacklisting 500 Working with WIP Advanced Features 503 Configuring TotalWatch 503 Administering TotalWatch 505 Tarpit Shielding Overview 506 Configuring Tarpit Shielding 507 Access Points 508 Important Points to Remember 508 Basic Functions and Features 510 AP Settings Triggering a Radio Restart 511 Naming and Grouping APs 513 Un
Recording Consolidated AP-Provisioned Information 575 Service Tag 577 Secure Enterprise Mesh 578 Mesh Overview Information 578 Mesh Configuration Procedures 578 Understanding Mesh Access Points 578 Understanding Mesh Links 580 Understanding Mesh Profiles 582 Understanding Remote Mesh Portals (RMPs) 586 Understanding the AP Boot Sequence 587 Mesh Deployment Solutions 588 Mesh Deployment Planning 590 Configuring Mesh Cluster Profiles 592 Creating and Editing Mesh Radio Profiles 597
Configuring VRRP Redundancy 626 RSTP 634 Understanding RSTP Migration and Interoperability 634 Working with Rapid Convergence 634 Configuring RSTP 635 Troubleshooting RSTP 637 PVST+ 639 Understanding PVST+ Interoperability and Best Practices 639 Enabling PVST+ in the CLI 639 Enabling PVST+ in the WebUI 640 Link Layer Discovery Protocol 641 Important Points to Remember 641 LLDP Overview 641 Configuring LLDP 642 Monitoring LLDP Configuration 643 IP Mobility 647 Understanding De
Palo Alto Networks Firewall Integration 672 Limitation 672 Preconfiguration on the PAN Firewall 672 Configuring PAN Firewall Integration 674 Remote Access Points 678 About Remote Access Points 678 Configuring the Secure Remote Access Point Service 680 Deploying a Branch/Home Office Solution 686 Enabling Remote AP Advanced Configuration Options 692 Understanding Split Tunneling 708 Understanding Bridge 714 Provisioning Wi-Fi Multimedia 718 Reserving Uplink Bandwidth 718 Provisioning
Viewing Spectrum Analysis Data 779 Recording Spectrum Analysis Data 780 Troubleshooting Spectrum Analysis 783 Dashboard Monitoring 785 WAN 785 Performance 786 Usage 787 Potential Issues 788 Traffic Analysis 788 AirGroup 810 Security 811 UCC 811 Controller 813 WLANs 815 Access Points 816 Clients 816 Firewall 817 Management Access 824 Configuring Certificate Authentication for WebUI Access 824 Secure Shell (SSH) 825 WebUI Session Timer 826 Enabling RADIUS
Configuring SNMP 851 Enabling Capacity Alerts 853 Configuring Logging 854 Enabling Guest Provisioning 857 Managing Files on the Controller 873 Setting the System Clock 876 ClearPass Profiling with IF-MAP 878 Whitelist Synchronization 879 Downloadable Regulatory Table 880 802.11u Hotspots 883 Hotspot 2.0 Pre-Deployment Information 883 Hotspot Profile Configuration Tasks 883 Hotspot 2.0 Overview 883 Configuring Hotspot 2.
Configuring Local Controllers 914 Uplink Monitoring and Management 916 Voice and Video Voice and Video License Requirements 918 Configuring Voice and Video 918 Working with QoS for Voice and Video 927 Unified Communication and Collaboration 936 Understanding Extended Voice and Video Features 956 Advanced Voice Troubleshooting 982 AirGroup 989 Zero Configuration Networking 989 AirGroup Solution 989 AirGroup Deployment Models 993 Features Supported in AirGroup 994 ClearPass Policy Ma
Viewing Branch Status 1038 External Services Interface 1040 Sample ESI Topology 1040 Understanding the ESI Syslog Parser 1042 Configuring ESI 1045 Sample Route-Mode ESI Topology 1052 Sample NAT-mode ESI Topology 1056 Understanding Basic Regular Expression (BRE) Syntax 1061 External User Management 1064 Overview 1064 How the ArubaOS XML API Works 1064 Creating an XML Request 1064 XML Response 1067 Using the XML API Server 1071 Sample Scripts 1076 Behavior and Defaults 1082 Und
Acronyms and Terms 1113 Acronyms 1113 Terms 1120
Revision History
The following table provides the revision history of this document.
Table 1: Revision History
Revision: Change Description
Revision 02: Updated the following:
- Branch Deployment Features on page 208.
- Note in Web Content on page 796.
- Controller License Capacity on page 77.
Revision 01: Initial release.
About this Guide
This User Guide describes the features supported in Dell Networking W-Series ArubaOS 6.5.x and provides instructions and examples to configure Dell controllers and access points (APs). This guide is intended for system administrators responsible for configuring and maintaining wireless networks and assumes administrator knowledge in Layer 2 and Layer 3 networking technologies. This chapter covers the following topics:
- What's New In ArubaOS 6.5.
Table 2: New Features in ArubaOS 6.5.0.0
Feature: Description
Support for multi-version licensing, which allows centralized licensing clients to run a different version of ArubaOS than the primary and backup licensing servers. If a license is introduced in a newer version of ArubaOS, the primary and backup licensing servers set can still distribute licenses to licensing clients running an older version of ArubaOS, even if the licensing client does not recognize the newer license type.
Enabling PortFast: A new parameter is introduced to enable PortFast/PortFast on Trunk to reduce the time taken for wired clients connected to an AP to detect the link before they send data traffic.
HP Platform interoperability: HP TPM based switches can now inter-operate with the Dell controllers and create the IKE / IPSec tunnels.
Static IP Management Enhancement: Starting from ArubaOS 6.5.0.0, the ZTP feature is enhanced to support 16 VLANs (Static IP Management) per managed node as against just four in the earlier versions of ArubaOS.
Support for VIA-Published Subnets: This new feature allows controllers to accept the subnets published by VIA clients. This feature is disabled by default.
Wi-Fi Calling: ArubaOS 6.5.0.0 supports Wi-Fi Calling in the controller.
Table 3: New Hardware Platforms in ArubaOS 6.5.0.0
Check with your local Dell sales representative on new controllers and access points availability in your country.
Hardware: W-7008
Description: The W-7008 controller is a wireless LAN controller that connects, controls, and intelligently integrates wireless APs and Air Monitors into a wired LAN system. The W-7008 controller includes the following specifications:
- 8 Ethernet ports
- 1 console port
- 1 USB 2.0 port
- 1 USB 3.
Description:
- IEEE 802.11a/b/g/n/ac spectrum monitor
- Compatible with IEEE 802.3at power sources
- Centralized management, configuration, and upgrades
- Integrated Bluetooth Low Energy (BLE) radio
For more information, see the 330 Series Wireless Access Point Installation Guide.
In addition to the wizards, the WebUI includes a dashboard that provides enhanced visibility into your wireless network’s performance and usage. This allows you to easily locate and diagnose WLAN issues. For details on the WebUI Dashboard, see Dashboard Monitoring. CLI The CLI is a text-based interface accessible from a local console connected to the serial port on the controller or through a Telnet or Secure Shell (SSH) session.
- There is an inactivity timeout for the CLI sessions. When an administrator initiates a remote session (inner) from the controller’s SSH session (outer), and the remote session lasts longer than the inactivity timeout, the outer session times out although the inner session is still active. The administrator has to log back in to the outer session once logged off from the inner session.
- Designated telnet client control keys do not work for remote telnet sessions.
The following informational icons are used throughout this guide:
- Indicates helpful suggestions, pertinent information, and important things to remember.
- Indicates a risk of damage to your hardware or loss of data.
- Indicates a risk of personal injury or death.
Contacting Dell
Table 6: Contact Information
Main Website: dell.com
Contact Information: dell.com/contactdell
Support Website: dell.com/support
Documentation Website: dell.com/support/manuals
Chapter 1 The Basic User-Centric Networks This chapter describes how to connect a Dell controller and Dell AP to your wired network. After completing the tasks described in this chapter, see Access Points on page 508 for information on configuring APs.
2. Connect the uplink port on the controller to the switch or router interface. By default, all ports on the controller are access ports and will carry traffic for a single VLAN. 3. Deploy APs. The APs will use the Aruba Discovery Protocol (ADP) to locate the controller. 4. Configure the SSID(s) with VLAN 1 as the assigned VLAN for all users.
- Set the default gateway to the IP address of the interface of the upstream router to which you will connect the controller.
2. Connect the uplink port on the controller to the switch or router interface.
3. Deploy APs. The APs will use DNS or DHCP to locate the controller.
4. Configure VLANs for the wireless subnetworks on the controller.
5. Configure SSIDs with the VLANs assigned for each wireless subnetwork. Each wireless client VLAN must be configured on the controller with an IP address.
layer-2 switch or router through a trunk port that carries traffic for all wireless client VLANs. An upstream router functions as the default gateway for the wireless users. This deployment scenario does not use VLAN 1 to connect to the layer-2 switch or router through the trunk port. The initial setup prompts you for the IP address and default gateway for VLAN 1; use the default values. In later steps, you configure the appropriate VLAN to connect to the switch or router as well as the default gateway.
Subnets from Controllers on page 32. For more information, see Configuring a VLAN to Connect to the Network on page 40.
Optionally, configure the primary and secondary uplinks. This step applies only if you have the redundant cellular link.
8. Configure ports for the controller. For more information, see Configuring Ports on page 105.
Connect the Controller to the Network
To connect the controller to the wired network, run the initial setup to configure administrative information for the controller.
- Enter the VLAN 1 IP address in a browser window to start the WebUI.
- WebUI Wizards. This chapter and the user guide in general focus on CLI and standard WebUI configuration examples. However, basic controller configuration and WLAN/LAN creation can be completed using the alternative wizards from within the WebUI. If you wish to use a configuration wizard, navigate to Configuration > Wizards, click on the desired wizard, and follow the embedded help instructions within the wizard.
if the number of MAC addresses exceeds the maximum limit set for the port, the new MAC entries are dropped. The switchport port-security command is enhanced to include parameters for setting the levels of security and the autorecovery interval time. You can set appropriate values for the level parameter to log the warning message "Max bridge entries limit hit on the port #" in syslog and/or to shut down the port. For level, the default value is logging.
(Output of the port status command; the table layout did not survive extraction. The visible rows are ports 0/0/1 through 0/0/5, each with PortMode Access, and the columns include Speed, Duplex and SecurityError, which reads No for every row shown.)
The SecurityError column in the output displays the error corresponding to the port.
Table 9: LCD Panel Mode: LED Mode
Function/Menu Options: Displays
Administrative: LED MODE: ADM - displays whether the port is administratively enabled or disabled.
Duplex: LED MODE: DPX - displays the duplex mode of the port.
Speed: LED MODE: SPD - displays the speed of the port.
Exit Idle Mode: EXIT IDLE MENU
Table 10: LCD Panel Mode: Status
Function/Menu Options: Display Output
ArubaOS Version: ArubaOS X.X.X.X
PSU Status: Displays status of the power supply unit.
Function/Menu Options: Display Output
System Reboot: Allows you to reboot the controller. Reboot [no | yes]
System Halt: Allows you to halt the controller. Halt [no | yes]
Exit Maintenance Menu: EXIT MAINTENANCE
Using the LCD and USB Drive
You can upgrade your image or upload a saved configuration by using your USB drive and your LCD commands. For more information on copying and transferring ArubaOS image and configuration files, see Managing Files on the Controller on page 873.
Upgrading an Image
1.
media-eject Disable media eject menu on LCD
system-halt Disable system halt menu on LCD
system-reboot Disable system reboot menu on LCD
upgrade-image Disable image upgrade menu on LCD
upload-config Disable config upload menu on LCD
To display the current LCD functionality from the command line, use the following command:
(host) (config) #show lcd-menu
Configuring a VLAN to Connect to the Network
You must follow the instructions in this section only if you need to configure a trunk port between the control
You can create, update, and delete a VLAN pool using the WebUI or the CLI. See Creating a Named VLAN on page 102. Use the CLI to add existing VLAN IDs to a pool.
(host) (config) #vlan-name
(host) (config) #vlan mygroup
To confirm the VLAN pool status and mapping assignments, use the show vlan mapping command:
(host) #show vlan mapping
Assigning and Configuring the Trunk Port
The following procedure configures a Gigabit Ethernet port as a trunk port.
In the CLI
To configure the default gateway:
ip default-gateway |{import cell|dhcp|pppoe}|{ipsec }
Configuring the Loopback IP Address for the Controller
You must configure a loopback address if you are not using a VLAN ID address to connect the controller to the network (see Deployment Scenario #3: APs on Multiple Different Subnets from Controllers on page 32). After you configure or modify a loopback address, you must reboot the controller.
Enter y to reboot the controller or n to cancel. System will now restart! ... Restarting system. To verify that the controller is accessible on the network, ping the loopback address from a workstation on the network. Configuring the System Clock You can manually set the clock on the controller, or configure the controller to use a Network Time Protocol (NTP) server to synchronize its system clock with a central time source.
Configuring Your User-Centric Network
Configuring your controller and AP is done through either the Web User Interface (WebUI) or the command line interface (CLI).
- WebUI is accessible through a standard Web browser from a remote management console or workstation. The WebUI includes configuration wizards that step you through easy-to-follow configuration tasks. Each wizard has embedded online help.
Procedure Overview
The procedure to replace a backup or active master controller is comprised of the following tasks:
1. Change the VRRP Priorities for a Redundant Master Pair on page 45
2. Back Up the Flash File System on page 45
3. Stage the New Controller on page 46
4. Add Licenses to the New Controller on page 46
5. Backup Newly Installed Licenses on page 47
6. Import and Restore Flash Backup on page 47
7. Restore Licenses on page 48
8. Reboot the Controller on page 48
9.
(host) #backup flash
Please wait while we tar relevant files from flash...
Please wait while we compress the tar file...
File flashbackup.tar.gz created successfully on flash.
Please copy it out of the switch and delete it when done.
(active_host) #dir
-rw-r--r--  1 root root 17338 Dec 6 08:34 default.cfg
drwxr-xr-x  4 root root  1024 Dec 6 08:34 fieldCerts
-rw-r--r--  1 root root 21760 Dec 6 09:29 flashbackup.tar.gz
drwx------  2 root root  1024 Dec 5 08:20 tpm
(host) #copy flash: flashbackup.tar.
(host) #license add Backup Newly Installed Licenses Use the license export command in the command-line interface or click Export Database in the Configuration > Network > Controller > License Management page of the WebUI to back up the newly installed licenses to the backup license database. Do not reboot the controller at the end of this step. Do not save the configuration or write it to memory. Reboot only after the flash memory and the licenses have been restored.
Restore Licenses Issue the license import command in the command-line interface or click Import Database in the Configuration > Network > Controller > License Management page of the WebUI to import licenses from the license database to the new controller. (host) #license import Do not save the configuration or write to memory at the end of this step.
Because the physical ports don't match, the port trust is removed by default, and needs to be re-enabled. In the example below, the Trusted column shows that the port trust is disabled for all ports.
Chapter 2 Control Plane Security
ArubaOS supports secure IPsec communications between a controller and campus or remote APs using public-key self-signed certificates created by each master controller. The controller certifies its APs by issuing them certificates. If the master controller has any associated local controllers, the master controller sends a certificate to each local controller, which in turn sends certificates to their own associated APs.
- 2615
- 2915
- 8200
These HP platforms are running version k.16.02.
In the WebUI
1. Navigate to Configuration > Network > Controller.
2. Select the Control Plane Security tab.
3. Configure the following control plane security parameters:
Table 12: Control Plane Security Parameters
Control Plane Security: Select enable or disable to turn the control plane security feature on or off. This feature is enabled by default.
Figure 4 Control Plane Security Settings In the CLI Use the commands below to configure control plane security via the command line interface on a standalone or master controller. Descriptions of the individual parameters are listed in Table 12, above.
Figure 5 Control Plane Security Settings
4. Click Entries in the upper right corner of the whitelist status window.
5. Click New.
6. Define the following parameters for each AP you want to add to the AP whitelist.
Table 13: AP Whitelist Parameters
Campus AP whitelist configuration parameters
AP MAC Address: MAC address of campus AP that supports secure communications to and from its controller.
AP Group: Name of the AP group to which the campus AP is assigned.
In the CLI
To add an AP to the campus AP whitelist:
(host) #whitelist-db cpsec add mac-address ap-group ap-name description
To add an AP to the remote AP whitelist:
(host) #whitelist-db rap add mac-address ap-group ap-name description full-name remote-ip
Viewing AP Whitelist Status
The WebUI displays either a status of the selected AP whitelist or a table of entries in the selected AP whitelist
Table 14: Whitelist Status Information
restored.
Revoked entries: Number of entries in the campus AP whitelist that have been manually revoked.
Marked for deletion entries: Number of entries in the campus AP whitelist that have been marked for deletion, but not removed from the Remote AP whitelist.
Remote AP whitelist configuration parameters
Total entries: Number of entries in the Remote AP whitelist.
Table 15: Additional Campus AP Status Information
Cert Type: The type of certificate used by the campus AP.
- switch-cert: The campus AP is using a certificate signed by the controller.
- factory-cert: The campus AP is using a factory-installed certificate.
State: The state of a campus AP.
- unapproved-no-cert: The campus AP has no certificate and is not approved.
- unapproved-factory-cert: The campus AP has a pre-installed certificate which is not approved.
certified-factory-cert|unapproved-factory-cert|unapproved-no-cert}
(host) #show whitelist-db cpsec-status
(host) #show whitelist-db rap apgroup apname fullname long mac-address page start
(host) #show whitelist-db rap-status
Modifying an AP in the Campus AP Whitelist
Use the following procedures to modify the AP group, AP name, certificate type, state, description, and revoked status of an AP in the campus AP whitelist.
(host) #whitelist-db cpsec modify mac-address ap-group ap-name cert-type {switch-cert|factory-cert} description mode {disable|enable} revoke-text state {approved-ready-for-cert|certified-factory-cert}
Revoking an AP from the Campus AP Whitelist
You can revoke an invalid or rogue AP either by modifying its revoke status (as described in Modifying an AP in the Campus AP Whitelist) or by directly revoking it from the campus AP whitelist without modifying
want to locate in these fields, then click Search. The campus AP whitelist displays a list of APs that match your search criteria. Select the checkbox of the AP that you want to delete, then click Delete.
In the CLI
To delete an AP from the campus AP whitelist:
(host) #whitelist-db cpsec del mac-address
Purging a Campus AP Whitelist
Before adding a new local controller to a network using control plane security, purge the campus AP whitelist on the new controller.
a. Navigate to Configuration > Security > Authentication > Servers. b. Select Radius Server to display the CPPM Server List. c. To configure a CPPM server, enter the name for the server and click Add. d. Select the name to configure server parameters. Select the Mode check box to activate the authentication server. e. Click Apply. 2. Create a server group that contains the CPPM server. 3. Navigate to Configuration > All Profile Management > Wireless LAN > VPN Authentication > default-rap > Server Group. 4.
Table 16: Control Plane Security Whitelists
Controller Role: On a (standalone) master controller with no local controllers
Campus AP Whitelist: The campus AP whitelist contains entries for the secure campus APs associated with that controller.
Master Controller Whitelist: The master controller whitelist is empty, and does not appear in the WebUI.
Local Controller Whitelist: The local controller whitelist is empty, and does not appear in the WebUI.
changes to the other controllers on the network. If all other controllers on the network have successfully received and acknowledged all whitelist changes made on that controller, every entry in the sequence-number column in the local controller or master controller whitelists has the same value as the sequence number displayed in the AP Whitelist Sync Status field.
Table 17: Master and Local Controller Whitelist Information
The remote sequence number on a local controller should be the same as the sequence number on the master controller.
Null Update Count: The number of times the controller checked its campus AP whitelist and found nothing to synchronize with the other controller. The controller compares its control plane security whitelist against whitelists on other controllers every two minutes by default.
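The sequence-number convergence rule above can be checked mechanically. The following Python model is an added example, not ArubaOS code; it assumes a simplified scheme in which every whitelist add, state change or revoke on the master increments one sequence number (the AP Whitelist Sync Status value), each peer controller reports the sequence number it last acknowledged, and a periodic check that finds all peers current counts as a null update.

```python
"""Added example (not ArubaOS code): a minimal model of the control plane
security whitelist synchronization check described in the guide.

Assumptions of this model (the guide names the fields, not the algorithm):
- every add, state change or revoke on the master bumps one sequence number,
  the value shown in the AP Whitelist Sync Status field;
- each peer controller reports the sequence number it last acknowledged, the
  value shown in the sequence-number column of the controller whitelists;
- a periodic check (every two minutes by default) that finds every peer at the
  current sequence number counts as a null update (Null Update Count).
"""
from dataclasses import dataclass, field


@dataclass
class WhitelistEntry:
    mac: str
    ap_group: str
    state: str = "unapproved-no-cert"   # state names as listed in Table 15
    revoked: bool = False


@dataclass
class MasterWhitelist:
    entries: dict = field(default_factory=dict)   # mac -> WhitelistEntry
    sequence: int = 0                             # AP Whitelist Sync Status
    null_update_count: int = 0                    # Null Update Count
    acked: dict = field(default_factory=dict)     # peer name -> acked sequence

    def _bump(self) -> int:
        self.sequence += 1
        return self.sequence

    def add(self, mac: str, ap_group: str) -> int:
        self.entries[mac] = WhitelistEntry(mac, ap_group)
        return self._bump()

    def set_state(self, mac: str, state: str) -> int:
        self.entries[mac].state = state
        return self._bump()

    def revoke(self, mac: str) -> int:
        self.entries[mac].revoked = True
        return self._bump()

    def acknowledge(self, peer: str, seq: int) -> None:
        # A peer can never have acknowledged more than the master has issued.
        if seq > self.sequence:
            raise ValueError(f"{peer} reports seq {seq} > master {self.sequence}")
        self.acked[peer] = seq

    def out_of_sync(self) -> list:
        # Peers whose sequence-number column differs from the master's value.
        return sorted(p for p, s in self.acked.items() if s != self.sequence)

    def periodic_check(self) -> list:
        # Nothing to synchronize means the check counts as a null update.
        pending = self.out_of_sync()
        if not pending:
            self.null_update_count += 1
        return pending


def demo() -> dict:
    """Walk through one change, a partial acknowledgement and full convergence."""
    master = MasterWhitelist()
    master.acknowledge("local-1", 0)
    master.acknowledge("local-2", 0)
    mac = "00:0b:86:00:00:01"                                   # constructed MAC
    master.add(mac, "default")                                  # seq 1
    master.set_state(mac, "approved-ready-for-cert")            # seq 2
    first = master.periodic_check()       # both peers still at 0
    master.acknowledge("local-1", 2)
    second = master.periodic_check()      # local-2 still behind
    master.acknowledge("local-2", 2)
    third = master.periodic_check()       # converged: null update counted
    return {
        "sequence": master.sequence,
        "first_check": first,
        "second_check": second,
        "third_check": third,
        "null_update_count": master.null_update_count,
    }


if __name__ == "__main__":
    print(demo())
```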
disconnected from the network. To clear a local controller whitelist entry on a master controller that is still connected to the network, select that individual whitelist entry and delete it using the delete option.
In the WebUI
To purge a controller whitelist:
1. Navigate to Configuration > Controller.
2. Select the Control Plane Security tab.
3. To clear the Local Controller whitelist: In the Local Switch List For AP Whitelist Sync section, click Purge. Or,
4.
To create a controller cluster, you must first define the root master controller and set an IPsec key or select a certificate for communications between the cluster root and cluster members. You must use the command-line interface to configure certificate authentication for cluster members. The WebUI supports cluster authentication using IPsec keys only. If your master and local controllers use a pre-shared key for authentication, they create the IPsec tunnel using IKEv1.
and secure communications between that member and the cluster root using an IPsec key, factory-installed certificate, or custom certificate.
In the WebUI
To create a cluster member:
1. Access the WebUI of the cluster member controller, and navigate to Configuration > Controller.
2. Click the Cluster Setting tab.
3. For the cluster role, select Member.
4. In the Controller IP Address field, enter the IP address of the root controller in the cluster.
5.
Table 18: CLI Commands to Display Cluster Settings Command show cluster-switches Description When you issue this command from the cluster root, the output of this command displays the IP address of the VLAN the cluster member uses to connect to the cluster root. If you issue this command from a cluster member, the output of this command displays the IP address of the VLAN the cluster root uses to connect to the cluster member.
Replacing a Local Controller Use the following procedure to replace a local controller in a single-master network: 1. Disconnect the local controller from the network. 2. If you plan on moving the local controller to another location on the network, purge the campus AP whitelist on the controller. Access the command-line interface on the old local controller and issue the whitelist-db cpsec purge command.
5. APs are now no longer able to securely communicate with the controller using their current key, and must obtain a new certificate. Access the campus AP whitelist on any local controller, and change all APs in a “certified” state to an “approved” state. The new master controller sends the approved APs new certificates. The APs reboot and create new IPsec tunnels to their controller using the new certificate key.
5. Remove the cluster master from the cluster root’s master controller list by accessing the command-line interface on the cluster root and issuing the whitelist-db cpsec-master-switch-list del mac-address command. This step is very important. Unused local controller entries in the local controller whitelist can significantly increase network traffic and reduce controller memory resources. 6. Remove the old cluster member from the network.
If a cluster root controller does not have any cluster master or local controllers, you must recreate the campus AP whitelist on the cluster root by turning on automatic certificate provisioning or manually reentering the campus AP whitelist entries.
Replacing a Redundant Cluster Root Controller
Best practice is to use a backup controller with your cluster root controller.
Table 19: Control Plane Security Upgrade Strategies
Automatically send Certificates to Campus APs:
1. Access the control plane security window and enable both the control plane security feature and the auto certificate provisioning option. Next, specify whether you want all associated campus APs to automatically receive a certificate, or if you want to certify only those APs within a defined range of IP addresses.
Manually Certify Campus APs:
1.
AP to verify that it is not compromised. If an AP is in this state due to connectivity problems, then the AP recovers and is taken out of this hold state as soon as connectivity is restored. Disabling Control Plane Security If you disable control plane security on a standalone or local controller, all APs connected to that controller reboot then reconnect to the controller over a clear channel.
Chapter 3 Software Licenses
ArubaOS supports a variety of optional add-on licenses that enhance the base OS and provide advanced features, including wireless intrusion protection, advanced cryptography, policy-based traffic management and controls, web content classification, and stateful user firewalls. ArubaOS supports a centralized licensing architecture, which allows a group of connected controllers to share a pool of licenses.
Table 20: Usage per License
License / Usage Basis / What Consumes One License
AP / AP / An AP license is required for each operational LAN-connected, mesh, or remote AP, or one that is advertising at least one BSSID (virtual AP).
ACR / Client Session / This license enables ArubaOS Advanced Cryptography (ACR) features. A license is required for each active client termination using Suite-B algorithms or protocols.
Table 21: Sharable Licenses vs Controller-Specific Licenses
The table's two columns, Sharable via a Licensing Pool and Controller-Specific License, cover the following licenses: AP, CSS, ACR, PEFV, PEFNG, PoE, RF Protect, xSec, WebCC.
Evaluation vs Permanent Licenses
Each license can be either an evaluation or permanent license. A permanent license permanently enables the desired software module on a specific Dell controller. You obtain permanent licenses through the sales order process only. Permanent software license keys are sent to you via email.
Table 22: Controller AP Capacity

Controller | Total AP Count
-----------|---------------
W-7210     | 512
W-7220     | 1024
W-7240     | 2048
W-7240XM   | 2048
W-7205     | 256
W-7030     | 64
W-7024     | 32
W-7010     | 32
W-7008     | 16
W-7005     | 16

Licensing Best Practices and Limitations

• When calculating AP licenses, determine the normal AP load of your controller and add a backup load in case of failure.
• A reasonable estimate when calculating user licenses is 20 users per AP.
• When you apply evaluation license keys on a controller, abnormal tampering of the device's system clock (such as setting back the system clock) results in the disabling of software licensed modules and their supported features. This can affect network services.
• Primary and Backup Licensing Servers
• Communication between the License Server and License Clients
• Replacing a Controller
• Failover Behaviors
• Configuring Centralized Licensing

Primary and Backup Licensing Servers

Centralized licensing allows the primary and backup licensing server controllers to share a single set of licenses. If you do not enable this feature, the master and backup master controller each require separate, identical license sets.
information in this table is then shared with all client controllers as a pool of available licenses. When a client controller uses a license in the available pool, it communicates this change to the licensing server master controller, which updates the table before synchronizing it with the other clients. Client controllers do not share information about built-in licenses with the licensing server.
Figure 11 License Pool Reflecting Used Licenses

Supported Topologies

The following table describes the controller topologies supported by this feature.
82| Software Licenses Dell Networking W-Series ArubaOS 6.5.
Table 23: Centralized Licensing Topologies

Topology | Example
• All controllers are master controllers. The master and standby licensing servers must be defined.
• A single master controller is connected to one or more local controllers. Only the master controller can be a license server. A local controller can only be a license client, not a license server.
• A master and standby master are connected to one or more local controllers.
version licensing feature is not supported in a topology where a single licensing server or a pair of primary and backup licensing servers are connected to one or more local controllers.

Replacing a Controller

If you need to replace the controller acting as a license server, the keys installed on the previous license server must be regenerated and added to the new license server.
Configuring Centralized Licensing

The steps to configure centralized licensing on your network vary, depending upon whether you are enabling this feature in a network with a master-local controller topology, or in a network where all controllers are configured as masters. Before you enable this feature, you must ensure that the controllers are able to properly communicate with the licensing master. Once you have identified your deployment type, follow the steps in the appropriate section below.
4. Click Apply.

If you are deploying centralized licensing on a cluster of master controllers, you must define the IP address that the licensing clients in the cluster use to access the licensing server.

5. Access the WebUI of a licensing client, navigate to Configuration > Controller and select the Centralized Licenses tab.
6. Select Enable Centralized Licensing.
7. In the License Server IP field, enter the IP address the client will use to connect to the licensing server.
4. Enter the software license key using one of the following procedures:
   • Navigate to the Configuration > Network > Controller > System Settings page of the ArubaOS WebUI and select the License tab. Enter the software license key and click Apply (see Applying the Software License Key in the WebUI on page 88).
   • Launch the License Wizard from the Configuration tab of the WebUI and click New.
If you are a first-time user of the licensing site, you can use the software license certificate ID number to log in and request a new user account. If you already have a user account, log in to the site with your login credentials.

1. Select Activate a Certificate.
2. Enter the certificate ID number and the system serial number of your controller.
3. Review the license agreement and select Yes to accept the agreement.
4. Click Activate it.
Table 24: License Server Table Data

Column             | Description
-------------------|------------
Service Type       | Type of license on the licensing server.
Aggregate Licenses | Number of licenses in the licensing table on the licensing server.
Used Licenses      | Total number of licenses of each license type reported as used by the licensing clients or licensing server.
Remaining Licenses | Total number of remaining licenses available in the licensing table.
Table 26: License Client(s) Usage Table Data

Column     | Description
-----------|------------
Hostname   | Name of the licensing client controller.
IP Address | IP address of the licensing client controller.
AP         | Total number of AP licenses used by a licensing client associated with this controller.
PEF        | Total number of Policy Enforcement Firewall (PEF) licenses used by a licensing client associated with this controller.
RF Protect | Total number of RFProtect licenses used by a licensing client associated with this controller.
License Heartbeat Table

This table displays the license heartbeat statistics between the license server and the license client.

Table 28: License Heartbeat Table Data

Column       | Description
-------------|------------
IP address   | IP address of the licensing client.
HB Req       | Heartbeat requests sent from the licensing client.
HB Resp      | Heartbeat responses received from the license server.
Total Missed | Total number of heartbeats that were not received by the licensing client.
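The bookkeeping behind the license server and client tables above (aggregate, used and remaining counts per license type, updated as clients report what they consume), together with the AP-license sizing rule from Licensing Best Practices, written out as an added Python model. This is example code, not ArubaOS code; the hostnames, pool sizes and license types are constructed, and the platform capacities are the figures from Table 22.

```python
"""Model of a centralized licensing pool: the licensing server keeps the
aggregate license table, licensing clients report what they consume, and the
server refuses usage the pool cannot cover. Added example; hostnames and
counts below are constructed, not taken from a real deployment."""
from dataclasses import dataclass, field

# Table 22 of the guide, repeated here as data: maximum AP count per platform.
AP_CAPACITY = {
    "W-7210": 512, "W-7220": 1024, "W-7240": 2048, "W-7240XM": 2048,
    "W-7205": 256, "W-7030": 64, "W-7024": 32, "W-7010": 32,
    "W-7008": 16, "W-7005": 16,
}


class LicenseExhausted(Exception):
    """Raised when a client reports more usage than the pool has left."""


@dataclass
class LicenseServer:
    aggregate: dict                              # license type -> licenses in the pool
    usage: dict = field(default_factory=dict)    # hostname -> {license type -> used}

    def used(self, ltype: str) -> int:
        return sum(u.get(ltype, 0) for u in self.usage.values())

    def remaining(self, ltype: str) -> int:
        return self.aggregate.get(ltype, 0) - self.used(ltype)

    def report_usage(self, hostname: str, ltype: str, count: int) -> None:
        """A client reports its current consumption of one license type.
        Only the delta against its previous report is charged to the pool."""
        prior = self.usage.get(hostname, {}).get(ltype, 0)
        if count - prior > self.remaining(ltype):
            raise LicenseExhausted(
                f"{ltype}: {hostname} reports {count}, "
                f"pool has {self.remaining(ltype) + prior} available for it")
        self.usage.setdefault(hostname, {})[ltype] = count

    def table(self) -> dict:
        """Rows in the shape of Table 24: type -> (aggregate, used, remaining)."""
        return {t: (self.aggregate[t], self.used(t), self.remaining(t))
                for t in self.aggregate}


def ap_licenses_needed(normal_load: int, backup_load: int, platform: str):
    """Best-practice estimate: normal AP load plus a backup load for failover,
    checked against the platform's AP capacity from Table 22."""
    needed = normal_load + backup_load
    return needed, needed <= AP_CAPACITY[platform]


def demo():
    """Two clients consume 500 of 512 AP licenses; a third asking for 20 is refused."""
    srv = LicenseServer({"AP": 512, "PEF": 512, "RFP": 512})
    srv.report_usage("ctrl-a", "AP", 300)
    srv.report_usage("ctrl-b", "AP", 200)
    try:
        srv.report_usage("ctrl-c", "AP", 20)   # only 12 remain
        rejected = False
    except LicenseExhausted:
        rejected = True
    return srv.table()["AP"], rejected


if __name__ == "__main__":
    print(demo())
    print(ap_licenses_needed(400, 100, "W-7210"))
```

Usage reports are idempotent per client (a client re-reporting the same count is not charged twice), which is what lets the server re-synchronize a client table after a heartbeat gap without double counting.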
Chapter 4 Network Configuration Parameters

The following topics in this chapter describe some basic network configuration steps that must be performed on the controller:
• Campus WLAN Workflow on page 92
• Configuring VLANs on page 101
• Configuring Ports on page 105
• Configuring Static Routes on page 108
• Configuring the Loopback IP Address on page 108
• Configuring the Controller IP Address on page 109
• Configuring GRE Tunnels on page 110
• Jumbo Frame
!
(host)(config) #aaa server-group "THR-DOT1X-SERVER-GROUP-WPA2"
  auth-server Internal
!
(host)(config) #aaa profile "THR-AAA-PROFILE-WPA2"
  dot1x-default-role "THR-ROLE-NAME-WPA2"
  dot1x-server-group "THR-DOT1X-SERVER-GROUP-WPA2"
!
(host)(config) #wlan ssid-profile "THR-SSID-PROFILE-WPA2"
  essid "THR-WPA2"
  opmode wpa2-aes
!
(host)(config) #wlan virtual-ap "THR-VIRTUAL-AP-PROFILE-WPA2"
  ssid-profile "THR-SSID-PROFILE-WPA2"
  aaa-profile "THR-AAA-PROFILE-WPA2"
  vlan 60
!
(host)(config) #ap-group "THRHQ1-STANDARD"
  vi
6. VLAN from DHCP option 77 UDR (wired clients)
7. VLAN from MAC-based Authentication default role
8. VLAN from Server Derivation Rule (SDR) role during MAC-based Authentication
9. VLAN from SDR during MAC-based Authentication
10. VLAN from Vendor Specific Attributes (VSA) role during MAC-based Authentication
11. VLAN from VSA during MAC-based Authentication
12. VLAN from Microsoft Tunnel attributes during MAC-based Authentication
13. VLAN from 802.1X default role
14. VLAN from SDR role during 802.1X
15.
Configuring a VLAN to Receive a Dynamic Address

In a branch office, you can connect a controller to an uplink switch or server that dynamically assigns IP addresses to connected devices. For example, you can connect the controller to a DSL or cable modem, or a broadband remote access server (BRAS). The following figure shows a branch office where a controller connects to a cable modem. VLAN 1 has a static IP address, while VLAN 2 has a dynamic IP address assigned via DHCP or PPPoE from the uplink device.
Figure 13 Assigning VLAN Uplink Priority—Active-Standby Configuration

5. Click Apply.
In the CLI

In this example, a PPPoE service name, username, and password are assigned, and the interface VLAN 14 has an uplink priority of 3:
(host)(config) #interface vlan 14 ip address pppoe
(host)(config) #interface vlan 14 ip pppoe-service-name <service-name>
(host)(config) #interface vlan 14 ip pppoe-username <username>
(host)(config) #interface vlan 14 ip pppoe-password *****
(host)(config) #uplink wired vlan 14 priority 3

Default Gateway from DHCP/PPPoE

You can specify that the router IP address ob
  dns-server import
  netbios-name-server import
  network 10.1.1.0 255.255.255.0

Configuring Source NAT to Dynamic VLAN Address

When a VLAN interface obtains an IP address through DHCP or PPPoE, a NAT pool (dynamic-srcnat) and a session ACL (dynamic-session-acl) are automatically created which reference the dynamically-assigned IP addresses. This allows you to configure policies that map private local addresses to the public address(es) provided to the DHCP or PPPoE client.
Do not enable the NAT translation for inbound traffic option for VLAN 1, as this will prevent IPsec connectivity between the controller and its IPsec peers.

Sample Configuration

In the following example, the controller operates within an enterprise network. VLAN 1 is the outside VLAN, and traffic from VLAN 6 is source NATed using the IP address of the controller. The IP address assigned to VLAN 1 is used as the controller's IP address; thus traffic from VLAN 6 would be source NATed to 66.1.131.
  ip nat outside

Inter-VLAN Routing

On the controller, you can map a VLAN to a layer-3 subnetwork by assigning a static IP address and a netmask, or by configuring a DHCP or PPPoE server to provide a dynamic IP address and netmask to the VLAN interface. The controller, acting as a layer-3 switch, routes traffic between VLANs that are mapped to IP subnetworks; this forwarding is enabled by default. In Figure 15, VLAN 200 and VLAN 300 are assigned the IP addresses 2.1.1.1/24 and 3.1.1.1/24, respectively.
Configuring VLANs

The controller operates as a layer-2 switch that uses a VLAN as a broadcast domain. As a layer-2 switch, the controller requires an external router to route traffic between VLANs. The controller can also operate as a layer-3 switch that can route traffic between VLANs defined on the controller. You can configure one or more physical ports on the controller to be members of a VLAN.
2. In the VLAN Range pop-up window, enter a range of VLANs you want to create at once. For example, to add VLAN IDs numbered 200-300 and 302-350, enter 200-300, 302-350.
3. Click OK.
4. To add physical ports to a VLAN, click Edit next to the VLAN you want to configure and click the port in the Port Selection section.
5. Click Apply.

In the CLI

Use the following commands:
(host)(config) #vlan <id>
(host)(config) #vlan range 200-300,302-350

Creating a Named VLAN

You can create, update, and delete a named VLAN.
The Hash assignment type means that the VLAN assignment is based on the station MAC address. The Even assignment type is based on an even distribution of named VLAN assignments. The Even named VLAN assignment type maintains a dynamic latest usage level of each VLAN ID in the named VLAN. Therefore, as users age out, the number of available addresses increases. This leads to a more even distribution of addresses. The Even type is only supported in tunnel and decrypt-tunnel modes.
You cannot modify a VLAN name, so choose the name carefully. Named VLANs (single VLAN IDs or multiple VLAN IDs) can only be assigned to tunnel mode VAPs and wired profiles. They can also be assigned to user roles, user rule derivation, server derivation, and VSA for tunnel and bridge mode. For tunnel mode, named VLANs that have the assignment type "hash" and "even" are supported. For bridge mode only, named VLANs with the assignment type "hash" are supported.
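The two named-VLAN assignment types just described, Hash (VLAN chosen from the station MAC address) and Even (VLAN with the lowest current usage, re-balanced as users age out), as an added Python example. This is not ArubaOS code: the MAC addresses are constructed, the hash is an ordinary FNV-1a fold of the MAC bytes chosen for illustration (the controller's internal hash is not documented here), and the mode table encodes only the tunnel/bridge support rules stated in the two paragraphs above.

```python
"""Named-VLAN pool assignment: 'hash' maps a station MAC to a VLAN ID,
'even' picks the least-used VLAN ID and frees the slot when the station
ages out. Added example; the hash function is an assumption (FNV-1a over
the MAC bytes), not the controller's implementation."""

# Assignment types supported per forwarding mode, as stated in the guide.
SUPPORTED_ASSIGNMENT = {"tunnel": {"hash", "even"}, "bridge": {"hash"}}


def assignment_supported(mode: str, assignment: str) -> bool:
    return assignment in SUPPORTED_ASSIGNMENT.get(mode, set())


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


class NamedVlan:
    def __init__(self, name: str, vlan_ids, assignment: str = "hash"):
        if assignment not in ("hash", "even"):
            raise ValueError("assignment type must be 'hash' or 'even'")
        self.name = name
        self.vlan_ids = sorted(set(vlan_ids))
        self.assignment = assignment
        self.usage = {v: 0 for v in self.vlan_ids}   # stations currently on each VLAN ID
        self.stations = {}                            # mac -> assigned VLAN ID

    def _hash_pick(self, mac: str) -> int:
        # FNV-1a over the six MAC bytes, reduced modulo the pool size (assumed hash).
        h = 0x811C9DC5
        for b in _mac_bytes(mac):
            h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
        return self.vlan_ids[h % len(self.vlan_ids)]

    def _even_pick(self) -> int:
        # Lowest current usage wins; ties go to the lowest VLAN ID.
        return min(self.vlan_ids, key=lambda v: (self.usage[v], v))

    def assign(self, mac: str) -> int:
        """Return the VLAN ID for a station; a known station keeps its VLAN."""
        if mac in self.stations:
            return self.stations[mac]
        vid = self._hash_pick(mac) if self.assignment == "hash" else self._even_pick()
        self.stations[mac] = vid
        self.usage[vid] += 1
        return vid

    def age_out(self, mac: str) -> None:
        """Station timed out: release its slot so 'even' sees the VLAN as less used."""
        vid = self.stations.pop(mac)
        self.usage[vid] -= 1


if __name__ == "__main__":
    pool = NamedVlan("guest-pool", [10, 20, 30], "even")
    for i in range(6):
        print(pool.assign(f"00:11:22:33:44:{i:02x}"))
```

The hash type gives a stable mapping with no state (useful where the same client must land on the same VLAN across controllers), while the even type needs the per-VLAN usage table and therefore only works where the controller sees every station's lifetime, which is why the guide limits it to tunnel modes.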
To show entries in the VLAN bandwidth contracts MAC exception list, execute the following command:
(host)(config) #show vlan-bwcontract-explist internal

Optimizing VLAN Broadcast and Multicast Traffic

Broadcast and Multicast (BCMC) traffic from APs, remote APs, or distributions terminating on the same VLAN floods all VLAN member ports. This causes critical bandwidth wastage, especially when the APs are connected to an L3 cloud where the available bandwidth is limited or expensive.
For a trunk port, specify whether the port will carry traffic for all VLANs configured on the controller or for specific VLANs only. You can also specify the native VLAN for the port. A trunk port uses 802.1q tags to mark frames for specific VLANs; however, frames on a native VLAN are not tagged.

Classifying Traffic as Trusted or Untrusted

You can classify wired traffic based not only on the incoming physical port and channel configuration, but also on the VLAN associated with the port and channel.
5. From the VLAN ID drop-down list, select the VLAN ID whose traffic will be carried by this port.
6. In the Enter VLAN(s) section, clear the Trusted check box to make the VLAN untrusted. The default is trusted (checked).
7. In the VLAN Firewall Policy drop-down list, select the policy through which VLAN traffic must pass. You can select a policy for both trusted and untrusted VLANs.
8.
9. To designate the policy through which VLAN traffic must pass, click New under the Session Firewall Policy field.
10. Enter the VLAN ID or select it from the associated drop-down list. Then select the policy, through which the VLAN traffic must pass, from the Policy drop-down list and click Add. Both the selected VLAN and the policy appear in the Session Firewall Policy field.
11. When you are finished listing VLANs and policies, click Cancel.
12. Click Apply.
In the WebUI

1. Navigate to the Configuration > Network > Controller > System Settings page and locate the Loopback Interface section.
2. Modify the IP Address as required.
3. Click Apply.

If you use the loopback IP address to access the WebUI, changing the loopback IP address will result in loss of connectivity. It is recommended that you use one of the VLAN interface IP addresses to access the WebUI.

4.
2. Locate the Controller IP Details section.
3. Select the address you want to set the Controller IP to from the VLAN ID drop-down list. This list contains only VLAN IDs that have statically assigned IP addresses. If you have previously configured a loopback interface IP address, then it will also appear in this list. Dynamically assigned IP addresses such as DHCP/PPPoE do not display.
4. Click Apply. Any change in the controller's IP address requires a reboot.
5.
Figure 17 Layer-2 GRE Tunnel

The traffic flow illustrated by Figure 17 is as follows:
1. The frame enters the source controller (Controller-1) on VLAN 101. The frame is bridged through Controller-1 into the Layer-2 GRE tunnel.
2. The frame is encapsulated in a GRE packet.
3. The GRE packet enters the network on VLAN 10, is routed across the network to the destination controller (Controller-2), and then exits the network on VLAN 20.
Layer-3 Tunnel Traffic Flow

The traffic flow illustrated by Figure 18 and Figure 19 is as follows:
1. The frame enters the source controller (Controller-1) on VLAN 101. The IP packet within the frame is routed through Controller-1 into the Layer-3 GRE tunnel.
2. The IP packet is encapsulated in a GRE packet.
3. The GRE packet enters the network on VLAN 10, is routed across the network to the destination controller (Controller-2), and then exits the network on VLAN 20.
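The two encapsulation steps described above (a whole Ethernet frame inside GRE for the Layer-2 tunnel, only the IP packet inside GRE for the Layer-3 tunnel), shown at byte level as an added Python example. This is illustration code, not ArubaOS code: it uses the standard 4-byte GRE header with the IANA protocol types 0x6558 (Transparent Ethernet Bridging) and 0x0800 (IPv4), the tunnel endpoint 10.10.10.250 and the inner frame and packet are constructed, and 10.10.10.249 is the tunnel destination that appears in the Controller-2 configuration below.

```python
"""Builds and parses the outer IPv4 + GRE encapsulation for a Layer-2 GRE
tunnel (Ethernet frame inside) and a Layer-3 GRE tunnel (IP packet inside).
Added example; endpoint 10.10.10.250 and the sample payloads are constructed."""
import struct

GRE_PROTO_TEB = 0x6558    # Transparent Ethernet Bridging: Layer-2 frame inside GRE
GRE_PROTO_IPV4 = 0x0800   # IPv4 packet inside GRE: Layer-3 tunnel
IP_PROTO_GRE = 47


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a header that verifies."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip2b(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def ipv4_header(src: str, dst: str, payload_len: int, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      64, proto, 0, _ip2b(src), _ip2b(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, layer: int) -> bytes:
    """layer=2: `inner` is an Ethernet frame; layer=3: `inner` is an IP packet.
    The basic GRE header (RFC 2784) is flags/version (0) plus the protocol type."""
    proto = GRE_PROTO_TEB if layer == 2 else GRE_PROTO_IPV4
    gre = struct.pack("!HH", 0x0000, proto)
    outer = ipv4_header(tunnel_src, tunnel_dst, len(gre) + len(inner), IP_PROTO_GRE)
    return outer + gre + inner


def gre_decapsulate(packet: bytes):
    """Return (tunnel layer, inner payload) after checking the outer headers."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xF000:   # C/K/S option bits: not produced here, so not parsed
        raise ValueError("GRE optional fields not supported by this example")
    layer = {GRE_PROTO_TEB: 2, GRE_PROTO_IPV4: 3}.get(proto)
    if layer is None:
        raise ValueError(f"unknown GRE protocol type {proto:#06x}")
    return layer, packet[ihl + 4:]


# Constructed samples: an Ethernet frame (dst MAC, src MAC, EtherType IPv4, payload)
# as seen on VLAN 101, and a bare IPv4 packet as the Layer-3 tunnel would carry it.
SAMPLE_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"hello"
SAMPLE_IP_PKT = ipv4_header("192.168.101.5", "192.168.20.9", 5, 17) + b"hello"


def round_trip(layer: int):
    inner = SAMPLE_FRAME if layer == 2 else SAMPLE_IP_PKT
    pkt = gre_encapsulate(inner, "10.10.10.250", "10.10.10.249", layer)
    return gre_decapsulate(pkt)


if __name__ == "__main__":
    print(round_trip(2))
    print(round_trip(3))
```

The 24 bytes of overhead (20 outer IPv4 + 4 GRE) are why the inner frame size matters on paths with a 1500-byte MTU; the jumbo-frame section later in this chapter addresses the same concern from the other side.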
Figure 21 Layer-2 GRE Tunnel UI Configuration for Controller-1

4. Enter the corresponding GRE tunnel values for this controller to configure Controller-1 based on the network shown in Figure 17.
5. (Optional) Select Enable Heartbeats to enable tunnel keepalive heartbeats. For more information on this feature, see Configuring Tunnel Keepalives on page 119.
6. Click Apply.
7. Next, log into Controller-2 and navigate to Configuration > Network > IP > GRE Tunnels.
8.
Controller-2 Configuration

(Controller-2) (config) # interface tunnel 202
  description "IPv4 Layer-2 GRE 202"
  tunnel mode gre 1
  tunnel source vlan 20
  tunnel destination 10.10.10.249
  tunnel keepalive
  trusted
  tunnel vlan 101

Configuring a Layer-3 GRE Tunnel for IPv4 or IPv6

In the WebUI

The following steps describe the procedure to configure an IPv4 Layer-3 GRE tunnel for Controller-1 and Controller-2 via the WebUI.
1. Log into Controller-1.
2. Navigate to Configuration > Network > IP > GRE Tunnels.
Figure 23 Layer-3 IPv4 GRE Tunnel UI Configuration for Controller-1

4. Click the IP Version drop-down list and select IPv4 or IPv6.
5. Enter the corresponding GRE tunnel values for the controller.
   • To configure an IPv4 GRE tunnel, use the values for Controller-1 based on the network shown in Figure 18.
   • To configure an IPv6 GRE tunnel, use the values for Controller-1 based on the network shown in Figure 19.
   • To configure an IPv6 GRE tunnel, use the values for Controller-2 as shown in Figure 19.
12. (Optional for an IPv4 GRE Tunnel) Click the Route ACL name drop-down list and select the name of a routing access control list (ACL) to attach a route ACL to inbound traffic on the L3 GRE tunnel interface.
13. (Optional for IPv4 or IPv6 GRE Tunnels) Select Enable Heartbeats to enable tunnel keepalive heartbeats.
14. Click Apply.
About Configuring Static Routes

You can configure a static route that specifies the IP address of a tunnel as the next-hop for traffic for a specific destination. See Configuring Static Routes on page 108 for detailed information on how to configure a static route. While redirecting traffic into a Layer-3 GRE tunnel via a static route, be sure to use the controller's tunnel IP address as the next-hop, instead of providing the destination controller's tunnel IP address.
Figure 25 Adding a New Firewall Policy

3. Enter the Policy Name.
4. For Policy Type, specify Session (the default).
5. To create a new policy rule, scroll to the Rules section and click Add.

Figure 26 Specifying Firewall Rules

   a. Specify the IP Version.
   b. Configure the Source, Destination, and Service/Application for the rule.
   c. For Action, select redirect to tunnel.
   d. Enter the Tunnel ID.
   e. Configure any additional options.
6. When satisfied with the settings, click Add, then click Apply.
Configuring Tunnel Keepalives

The controller determines the status of a GRE tunnel by sending periodic keepalive frames on the Layer-2 or Layer-3 GRE tunnel. When you enable tunnel keepalives, the tunnel is considered "down" when the keepalives fail repeatedly. If you configure a firewall policy rule to redirect traffic to the tunnel, traffic is not forwarded to the tunnel until it is "up". When the tunnel comes up or goes down, an SNMP trap and a logging message are generated.
About GRE Tunnel Groups

The controller supports redundancy of Generic Routing Encapsulation (GRE) tunnels for both Layer-2 and Layer-3 GRE tunnels. This feature enables automatic redirection of the user traffic to a standby tunnel when the primary tunnel goes down. A tunnel group is identified by a name or number. You can add multiple tunnels to a tunnel group.

Tunnel Group Order

The order of the tunnels defined in the tunnel-group configuration specifies their standby precedence.
• A Layer-2 tunnel can only be part of one tunnel group.
• A Dell Layer-2 tunnel-group is not interoperable with other vendors.
• You must set up Layer-2 tunnel groups between Dell devices only.
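The keepalive behaviour and the tunnel-group failover described in the last two sections, as one added Python example: a tunnel is declared down after repeated keepalive failures and up again once replies return, each transition is reported (the event an SNMP trap or log line would carry), and the group forwards to the first tunnel in configured order that is up. This is illustration code, not ArubaOS code; the failure threshold of three consecutive misses, the tunnel names and the keepalive results are constructed, not product defaults.

```python
"""Keepalive state tracking per tunnel and first-up selection in a tunnel
group. Added example: the thresholds and names are constructed assumptions."""


class TunnelKeepalive:
    """A tunnel is 'down' after `fail_threshold` consecutive missed keepalives
    and 'up' after `up_threshold` consecutive replies. A new tunnel starts
    down, so no traffic is redirected into it until keepalives succeed."""

    def __init__(self, name: str, fail_threshold: int = 3, up_threshold: int = 1):
        self.name = name
        self.fail_threshold = fail_threshold
        self.up_threshold = up_threshold
        self.up = False
        self._misses = 0
        self._hits = 0

    def observe(self, reply_received: bool):
        """Feed one keepalive result; return 'up', 'down' or None (no transition)."""
        if reply_received:
            self._hits += 1
            self._misses = 0
            if not self.up and self._hits >= self.up_threshold:
                self.up = True
                return "up"
        else:
            self._misses += 1
            self._hits = 0
            if self.up and self._misses >= self.fail_threshold:
                self.up = False
                return "down"
        return None


class TunnelGroup:
    """Ordered tunnels: the first one that is up carries redirected traffic;
    the order in the configuration is the standby precedence."""

    def __init__(self, name: str, tunnels):
        self.name = name
        self.tunnels = list(tunnels)

    def active(self):
        for t in self.tunnels:
            if t.up:
                return t.name
        return None   # nothing up: traffic is not forwarded into the group


def simulate(events, fail_threshold: int = 3):
    """events: (tunnel name, reply received) pairs in time order.
    Returns the transitions as (tunnel, event, active tunnel after it)
    and the active tunnel at the end."""
    primary = TunnelKeepalive("tunnel-201", fail_threshold)
    standby = TunnelKeepalive("tunnel-202", fail_threshold)
    group = TunnelGroup("tg-1", [primary, standby])
    by_name = {t.name: t for t in group.tunnels}
    transitions = []
    for name, ok in events:
        ev = by_name[name].observe(ok)
        if ev:
            transitions.append((name, ev, group.active()))
    return transitions, group.active()


# Constructed keepalive history: both tunnels answer, then the primary misses three.
SAMPLE_EVENTS = [("tunnel-201", True), ("tunnel-202", True),
                 ("tunnel-201", False), ("tunnel-201", False), ("tunnel-201", False)]

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS))
```

A single missed keepalive does not flap the tunnel; only the run of misses does, which keeps a short loss episode from moving traffic to the standby and back.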
+----+------+-----------------------------------------------------+
|SUM/|      |                                                     |
|CPU | Addr | Description                                   Value |
+----+------+-----------------------------------------------------+
|    |      |                                                     |
| G  | [00] | Current Entries                                  10 |
| G  | [02] | High Water Mark                                  10 |
| G  | [03] | Maximum Entries                               32768 |
| G  | [04] | Total Entries                                    31 |
| G  | [06] | Max link length                                   1 |
+----+------+-----------------------------------------------------+
Datapath Tunnel Table Entries
-----------------------------
Flags: E - Ether encap, I
jumbo frames are used to get the highest network performance. If this functionality is not supported, the data frames get fragmented, which reduces the overall throughput of the network and makes the network slow. ArubaOS supports jumbo frames between 11ac APs and W-7000 Series and W-7200 Series controllers only.
(host)(config)#no firewall enable-jumbo-frames

In this case, the MTU value is considered as 9,216 (default).
Chapter 5 IPv6 Support

This chapter describes ArubaOS support for IPv6 features:
• Understanding IPv6 Notation on page 125
• Understanding IPv6 Topology on page 125
• Enabling IPv6 on page 126
• Enabling IPv6 Support for Controller and APs on page 126
• Filtering an IPv6 Extension Header (EH) on page 134
• Configuring a Captive Portal over IPv6 on page 135
• Working with IPv6 Router Advertisements (RAs) on page 135
• RADIUS Over IPv6 on page 138
• TACACS Over IPv6 on page 140
• DHCPv6 Se
default gateway in most deployments. However, the controller can be the default gateway by using static routes. The master-local communication always occurs in IPv4. The following image illustrates how IPv6 clients, APs, and controllers communicate with each other in an IPv6 network:

Figure 28 IPv6 Topology

• The IPv6 controller (MC2) terminates both V4 AP (IPv4 AP) and V6 AP (IPv6 AP).
• Client 1 (IPv4 client) terminates to V6 AP and Client 2 (IPv6 client) terminates to V4 AP.
terminate on the IPv6 controller. You can provision an IPv6 AP in the network only if the controller interface is configured with an IPv6 address. An IPv6 AP can serve both IPv4 and IPv6 clients. You must manually configure an IPv6 address on the controller interface to enable IPv6 support.
Features                                   | Supported on IPv6 APs?
-------------------------------------------|-----------------------
AP Type - CAP                              | Yes
AP Type - RAP                              | No
AP Type - Mesh Node                        | No
IPSEC                                      | No
CPSec                                      | No
Wired-AP/Secure-Jack                       | No
Fragmentation/Reassembly                   | Yes
MTU Discovery                              | Yes
Provisioning through Static IPv6 Addresses | Yes
Provisioning through IPv6 FQDN Master Name | Yes
Provisioning from WebUI                    | Yes
AP boot by Flash                           | Yes
AP boot by TFTP                            | No
WMM QoS                                    | No
AP Debug and Syslog                        | Yes
ARM & AM                                   | Yes
WIDS                                       | Yes (Limited)
CLI support for users & datapath           | Yes

Configuring IPv6 Addresses

Yo
You can configure IPv6 interface address using the WebUI or CLI. As per Internet Assigned Numbers Authority (IANA), Dell controllers support the following ranges of IPv6 addresses:
• Global unicast—2000::/3
• Unique local unicast—fc00::/7
• Link local unicast—fe80::/10

In the WebUI

To Configure Link Local Address
1. Navigate to the Configuration > Network > IP page and select the IP Interfaces tab.
2. Edit a VLAN # and select IP version as IPv6.
3.
Configuring IPv6 Static Neighbors

You can configure a static neighbor on a VLAN interface either using the WebUI or the CLI.

In the WebUI

1. Navigate to the Configuration > Network > IP page and select the IPv6 Neighbors tab.
2. Click Add and enter the following details of the IPv6 neighbor:
   • IPV6 Address
   • Link-layer Addr
   • VLAN Interface
3. Click Done to apply the configuration.
In the WebUI

1. Navigate to the Configuration > Network > Controller page and select the System Settings tab.
2. Under the Controller IP Details section, select the VLAN Id or the loopback interface Id in the IPv6 Address drop down.
3. Click Apply.
   • Query Interval (second): default value is 125 seconds
   • Query Response Interval (in 1/10 second): default value is 100 (1/10 seconds).
3. Click Apply.

To configure the SSM Range:
1. Navigate to the Configuration > Network > IP page and select the Multicast tab.
2. In the MLD section, use the SSM Range Start-IP and SSM Range End-IP fields to configure the SSM Range.
3. Click Apply to save your changes.
   b. Use the Dynamic Multicast Optimization (DMO) Threshold field to set the maximum number of high-throughput stations in a multicast group.
6. Click Apply to save your changes.

In the CLI

To verify the DMO configuration, execute the following command:
(host) #show wlan virtual-ap

Limitations

The following are the MLDv2 limitations:
• The controller cannot route multicast packets.
• For mobility clients, MLD proxy should be used.
Starting with ArubaOS 6.3, a wired client can connect to the Ethernet interface of an IPv6 enabled AP. You can provision an IPv6 AP using the WebUI or CLI.

In the WebUI

1. Navigate to the Configuration > AP Installation > Provision page and select the Provisioning tab.
2. Select an AP and click Provision.
3. Under the Master Discovery section, enter the host controller IP address and the IPv6 address of the master controller.
4.
Configuring a Captive Portal over IPv6

IPv6 is now enabled on the captive portal for user authentication on the Dell controller. For user authentication, use the internal captive portal that is initiated from the controller. A new parameter captive has been added to the IPv6 captive portal session ACL:
(host) (config) #ipv6 user alias controller 6 svc-https captive

This release does not support external captive portal for IPv6.
Configuring an IPv6 RA on a VLAN

You must configure the IPv6 RA functionality on a VLAN for it to send solicited/unsolicited router advertisements on the IPv6 network. You must configure the following for the IPv6 RA to be operational on a VLAN:
• IPv6 global unicast address
• enable IPv6 RA
• IPv6 RA prefix

The advertised IPv6 prefix length must be 64 bits for the stateless address autoconfiguration to be operational. You can configure up to three IPv6 prefixes per VLAN interface.
On Linux systems, clients must run the open rdnssd daemon to support the DNS server option. Windows 7 does not support the DNS server option.

• RA hop-limit – the IPv6 RA hop-limit value. It is the default value to be placed in the Hop Count field of the IP header for outgoing (unicast) IP packets.
• RA interval – the maximum and minimum time interval between sending unsolicited multicast router advertisements from the interface, in seconds.
   h. Select the DHCP for address check box to enable the hosts to use the DHCP server for address autoconfiguration apart from any addresses auto configured using the RA.
   i. Enter a value in the RA MTU Option option. The allowed range is 1,280-maximum MTU allowed for the link.
   j. Select the DHCP for Other Address check box to enable the hosts to use the DHCP server for autoconfiguration of other (non-address) information.
   k. Select the router preference as High, Medium, or Low.
6. Click Apply.
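A pre-apply check for the RA requirements listed in Configuring an IPv6 RA on a VLAN (a global unicast address on the interface, RA enabled, one to three advertised prefixes, each /64 so SLAAC works, and addresses inside the three IANA ranges given under Configuring IPv6 Addresses), as an added Python example. This is not ArubaOS code; the VLAN records below are constructed, and the check encodes only the rules those two sections state.

```python
"""Validate a VLAN's IPv6 RA configuration against the requirements stated in
this chapter. Added example; the VLAN records are constructed."""
import ipaddress

# IANA ranges the guide lists as supported on the controller.
ADDRESS_SCOPES = {
    "global unicast": ipaddress.IPv6Network("2000::/3"),
    "unique local unicast": ipaddress.IPv6Network("fc00::/7"),
    "link local unicast": ipaddress.IPv6Network("fe80::/10"),
}

MAX_RA_PREFIXES = 3     # per VLAN interface
SLAAC_PREFIX_LEN = 64   # required for stateless address autoconfiguration


def address_scope(addr: str) -> str:
    """Classify an IPv6 address into one of the supported ranges or 'unsupported'."""
    a = ipaddress.IPv6Address(addr)
    for scope, net in ADDRESS_SCOPES.items():
        if a in net:
            return scope
    return "unsupported"


def validate_vlan_ra(vlan: dict) -> list:
    """Return the list of problems; an empty list means the RA config is operational.
    vlan = {"id": int, "addresses": ["addr/len", ...], "ra_enabled": bool,
            "ra_prefixes": ["prefix/len", ...]}"""
    problems = []
    scopes = [address_scope(a.split("/")[0]) for a in vlan.get("addresses", [])]
    if "global unicast" not in scopes:
        problems.append("no global unicast address on the interface")
    if "unsupported" in scopes:
        problems.append("an interface address is outside the supported IANA ranges")
    if not vlan.get("ra_enabled"):
        problems.append("IPv6 RA is not enabled")
    prefixes = vlan.get("ra_prefixes", [])
    if not prefixes:
        problems.append("no IPv6 RA prefix configured")
    if len(prefixes) > MAX_RA_PREFIXES:
        problems.append(f"{len(prefixes)} prefixes configured; at most "
                        f"{MAX_RA_PREFIXES} per VLAN interface")
    for p in prefixes:
        net = ipaddress.IPv6Network(p, strict=False)
        if net.prefixlen != SLAAC_PREFIX_LEN:
            problems.append(f"prefix {p} is /{net.prefixlen}; SLAAC needs /{SLAAC_PREFIX_LEN}")
    return problems


# Constructed VLAN records: one that meets every requirement, one that misses three.
GOOD_VLAN = {"id": 10, "addresses": ["2001:db8:10::1/64", "fe80::1/64"],
             "ra_enabled": True, "ra_prefixes": ["2001:db8:10::/64"]}
BAD_VLAN = {"id": 11, "addresses": ["fe80::1/64"],
            "ra_enabled": False, "ra_prefixes": ["2001:db8:11::/48"]}

if __name__ == "__main__":
    for v in (GOOD_VLAN, BAD_VLAN):
        print(v["id"], validate_vlan_ra(v) or "ok")
```

Running the check before Apply catches the common case of a VLAN that carries only a link-local address: RA can be enabled on it, but the clients then have no global prefix to autoconfigure from.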
You can configure the IPv6 host for the RADIUS server using the WebUI or CLI.

In the CLI

You must enable the enable-ipv6 parameter to configure the RADIUS server in IPv6 mode.
(host)(config) #aaa authentication-server radius IPv6
(host)(RADIUS Server "IPv6") #enable-ipv6

Configure an IPv6 address as the host for the RADIUS server using the following command:
(host)(RADIUS Server "IPv6") #host <ipv6-address>
The parameter can also be a fully qualified domain name that can resolve to an IPv6 address.
4. Click Apply.

Radius Accounting for IPv6 Clients

Starting from ArubaOS 6.5, customers can monitor bandwidth usage by clients/hosts with IPv6 addresses over the RADIUS accounting protocol. The Framed-IPv6-Address attribute is used in accounting start, stop, and interim packets. A host can have multiple IPv6 addresses, and all of them are tracked to check the usage for billing purposes.

TACACS Over IPv6

ArubaOS provides support for TACACS authentication server over IPv6.
DHCP Lease Limit

The following table provides the maximum number of DHCP leases (both v4 and v6) supported per controller platform. There is a new enforcement to the existing DHCP limit during configuration.

Table 31: DHCP Lease Limits

Platform | DHCP Lease Limit
---------|-----------------
W-7005   | 512
W-7010   | 1024
W-7024   | 1024
W-7030   | 2048
W-7205   | 4096
W-7210   | 5120
W-7220   | 10240
W-7240   | 15360

Configuring DHCPv6 Server

You must enable the global DHCPv6 knob for the DHCPv6 functionality to be operational.
5. Select IP Version as IPv6 to create a DHCPv6 pool.
6. Enter a name in Pool Name to configure an IPv6 pool name.
7. Enter an IPv6 address in DNS Servers to configure an IPv6 DNS server. To configure multiple DNS servers, enter the IPv6 addresses separated by space.
8. Enter a value in Domain Name to configure the domain name.
9. Enter the number of days, hours, minutes, and seconds in Lease to configure the lease time. The default value is 12 hours.
10.
To view the DHCPv6 database, use the following command:
(host)#show ipv6 dhcp database

You can also view the DHCPv6 database for a specific pool, using the following command:
(host) (config) #show ipv6 dhcp database [pool <pool-name>]
(host) (config) #show ipv6 dhcp database pool DHCPv6

To view the DHCPv6 binding information, use the following command:
(host)# show ipv6 dhcp binding

To clear all the DHCPv6 bindings, use the following command:
(host)# clear ipv6 dhcp binding

To view the DHCPv6 server stati
The controller authenticates the user, applies firewall policies and bridges the 802.3 frame to the IPv6 router. The controller creates entries in the user and session tables. A client can have an IPv4 address and an IPv6 address, but the controller does not relate the states of the IPv4 and the IPv6 addresses on the same client. For example, if an IPv6 user session is active on a client, the controller will delete an IPv4 user session on the same client if the idle timeout for the IPv4 session is reached.
Table 33: IPv6 Firewall Parameters

Parameter | Description
Monitor Ping Attack (per 30 seconds) | Number of ICMP pings per 30 seconds which, if exceeded, can indicate a denial of service attack. Valid range is 1-16384 pings per 30 seconds. Recommended value is 120. Default: No default
Monitor TCP SYN Attack rate (per 30 seconds) | Number of TCP SYN messages per 30 seconds which, if exceeded, can indicate a denial of service attack. Valid range is 1-16384 per 30 seconds. Recommended value is 960.
Session Mirror Destination | Destination (IPv4 address or controller port) to which mirrored session packets are sent. You can configure IPv6 flows to be mirrored with the session ACL "mirror" option. This option is used only for troubleshooting or debugging. Default: N/A
Session Idle Timeout | Set the time, in seconds, that a non-TCP session can be idle before it is removed from the session table. Specify a value in the range 16–259 seconds.
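The detection logic behind the two rate monitors in Table 33, as an added Python example: ICMP echo requests and TCP SYNs are counted per source over a sliding 30-second window and a source is flagged the moment its count exceeds the recommended thresholds (120 pings, 960 SYNs), with the 1-16384 range enforced on the thresholds. This is not controller code; the packet records are constructed, and classifying a packet by ICMPv6 type 128 or by a bare SYN flag is this example's simplification of what the datapath sees.

```python
"""Sliding-window rate monitor for the Ping Attack and TCP SYN Attack
parameters. Added example; the traffic below is constructed."""
from collections import defaultdict, deque

WINDOW = 30                               # seconds, as in "per 30 seconds"
THRESHOLDS = {"ping": 120, "syn": 960}    # recommended values from Table 33
VALID_RANGE = (1, 16384)                  # allowed threshold range from Table 33


class RateMonitor:
    """Counts events per (source, kind) over the last WINDOW seconds and
    records an alert at the first packet that pushes the count past the threshold."""

    def __init__(self, thresholds=None, window: int = WINDOW):
        self.thresholds = dict(thresholds or THRESHOLDS)
        for kind, limit in self.thresholds.items():
            if not VALID_RANGE[0] <= limit <= VALID_RANGE[1]:
                raise ValueError(f"{kind}: threshold must be within {VALID_RANGE}")
        self.window = window
        self._events = defaultdict(deque)   # (src, kind) -> timestamps in window
        self.alerts = []                    # (src, kind, count, ts)

    def observe(self, ts: float, src: str, kind: str):
        if kind not in self.thresholds:
            return None
        q = self._events[(src, kind)]
        q.append(ts)
        while q and ts - q[0] >= self.window:   # expire events older than the window
            q.popleft()
        if len(q) == self.thresholds[kind] + 1:  # first crossing only, no repeat alerts
            alert = (src, kind, len(q), ts)
            self.alerts.append(alert)
            return alert
        return None


def classify(pkt: dict):
    """Map a packet record to a monitored event kind, or None."""
    if pkt["proto"] == "icmpv6" and pkt.get("type") == 128:   # Echo Request
        return "ping"
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S":     # bare SYN
        return "syn"
    return None


def constructed_traffic():
    """Constructed sample: one host sends 130 echo requests in 6.5 s (above 120),
    another sends 100 spread over a minute (never more than ~51 in any 30 s),
    plus a handful of SYNs far below 960."""
    pkts = []
    for i in range(130):
        pkts.append({"ts": i / 20, "src": "2001:db8::bad", "proto": "icmpv6", "type": 128})
    for i in range(100):
        pkts.append({"ts": i * 0.6, "src": "2001:db8::ok", "proto": "icmpv6", "type": 128})
    for i in range(10):
        pkts.append({"ts": float(i), "src": "2001:db8::ok", "proto": "tcp", "flags": "S"})
    return sorted(pkts, key=lambda p: p["ts"])


def run(pkts=None):
    """Feed packets through the monitor and return the alerts raised."""
    mon = RateMonitor()
    for p in (pkts if pkts is not None else constructed_traffic()):
        kind = classify(p)
        if kind:
            mon.observe(p["ts"], p["src"], kind)
    return mon.alerts


if __name__ == "__main__":
    for a in run():
        print("alert:", a)
```

Alerting on the first crossing rather than on every packet above the limit keeps the log readable during a sustained flood, which is also how a trap-based notification should behave.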
Table 34: IPv6 Firewall Policy Rule Parameters

Field | Description
Source (required) | Source of the traffic:
   • any: Acts as a wildcard and applies to any source address.
   • user: This refers to traffic from the wireless client.
   • host: This refers to traffic from a specific host. When this option is chosen, you must configure the IPv6 address of the host. For example, 2002:d81f:f9f0:1000:c7e:5d61:585c:3ab.
   • network: This refers to traffic that has a source IP from a subnet of IP addresses.
Mirror (optional) | Mirrors session packets to a datapath or remote destination specified in the IPv6 firewall function (see "Session Mirror Destination" in Table 33). If the destination is an IP address, it must be an IPv4 address.
Queue (optional) | The queue in which a packet matching this rule should be placed. Select High for higher priority data, such as voice, and Low for lower priority traffic.
   c. For Host IP, enter 2002:d81f:f9f0:1000::.
   d. For Mask, enter 64 as the prefix-length.
   e. Under Service, select service from the drop-down list.
   f. Select svc-https from the scrolling list.
   g. Click Add.

Rules can be reordered using the up and down arrow buttons provided for each rule.

7. Click Apply. The policy is not created until the configuration is applied.
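First-match evaluation of IPv6 session-ACL rules of the kind Table 34 and the steps above describe (source any/user/host/network, a service, an action), written as an added Python example to show why rule order matters. This is not ArubaOS code: the rule list and packets are constructed, svc-https is modelled as TCP port 443 and svc-http as TCP port 80, the "user" source is modelled as a flag on the packet, the actions are limited to permit and deny, and the implicit deny for an unmatched packet is an assumption of this example. The network prefix and host address are the ones used as examples in this section.

```python
"""First-match evaluation of IPv6 firewall policy rules. Added example; the
service table, the 'user' flag and the implicit deny are modelling assumptions."""
import ipaddress
from dataclasses import dataclass

SERVICES = {"any": (None, None), "svc-http": ("tcp", 80), "svc-https": ("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    source: str    # "any", "user", "host <addr>" or "network <prefix>/<len>"
    service: str   # key of SERVICES
    action: str    # "permit" or "deny"

    def _source_matches(self, pkt: dict) -> bool:
        kind, _, arg = self.source.partition(" ")
        if kind == "any":
            return True
        if kind == "user":                       # traffic from the wireless client
            return bool(pkt.get("from_user"))
        src = ipaddress.IPv6Address(pkt["src"])
        if kind == "host":
            return src == ipaddress.IPv6Address(arg)
        if kind == "network":
            return src in ipaddress.IPv6Network(arg, strict=False)
        raise ValueError(f"unknown source type {kind!r}")

    def _service_matches(self, pkt: dict) -> bool:
        proto, port = SERVICES[self.service]
        return proto is None or (pkt["proto"] == proto and pkt.get("dport") == port)

    def matches(self, pkt: dict) -> bool:
        return self._source_matches(pkt) and self._service_matches(pkt)


def evaluate(rules, pkt: dict):
    """Return (action, index of the rule that decided) for the first match;
    a packet matching no rule is denied (assumed implicit deny)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


# Constructed policy: the subnet from the WebUI steps gets HTTPS, one host in it
# is denied everything else, and wireless users may reach plain HTTP.
POLICY = [
    Rule("network 2002:d81f:f9f0:1000::/64", "svc-https", "permit"),
    Rule("host 2002:d81f:f9f0:1000:c7e:5d61:585c:3ab", "any", "deny"),
    Rule("user", "svc-http", "permit"),
]

# Constructed packets.
PKT_HOST_HTTPS = {"src": "2002:d81f:f9f0:1000:c7e:5d61:585c:3ab",
                  "proto": "tcp", "dport": 443, "from_user": True}
PKT_OTHER_HTTP = {"src": "2002:d81f:f9f0:2000::5", "proto": "tcp", "dport": 80, "from_user": True}
PKT_DNS = {"src": "2001:db8::1", "proto": "udp", "dport": 53, "from_user": False}


def reordered(rules, first: int):
    """Move one rule to the top, as the up/down arrows in the WebUI would."""
    rules = list(rules)
    return [rules.pop(first)] + rules


if __name__ == "__main__":
    print(evaluate(POLICY, PKT_HOST_HTTPS))              # permitted by the network rule
    print(evaluate(reordered(POLICY, 1), PKT_HOST_HTTPS)) # denied once the host rule is first
```

The same packet is permitted or denied depending only on which of the first two rules is evaluated first, which is the point of the reorder arrows the step above mentions: a specific deny must precede the broader permit to have any effect.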
To view user entries for IPv6 clients using the command line interface, use the show user-table command in enable mode. To delete a user entry for an IPv6 client, access the CLI in config mode and use the aaa ipv6 user delete command. For example:
(host)(config) #aaa ipv6 user delete 2002:d81f:f9f0:1000:e409:9331:1d27:ef44

Understanding User Roles

An IPv6 user or a client can inherit the corresponding IPv4 roles.
Dot1x authentication the administrator/user can configure the source interface appropriately so that it is selected for the authentication process. For more information on IPv6 source address selection, see RFC 3848.

ArubaOS does not support the following functions for IPv6 clients:
• The controller offers limited routing services to IPv6 clients, so it is recommended to use an external IPv6 router for a complete routing experience (dynamic routing).
• VoIP ALG is not supported for IPv6 clients.
Chapter 6 Link Aggregation Control Protocol

The ArubaOS implementation of Link Aggregation Control Protocol (LACP) is based on the standards specified in 802.3ad. LACP provides standardized means for exchanging information with partner systems, to form a Link Aggregation Group (LAG). LACP avoids port channel misconfiguration. Two devices (actor and partner) exchange LACP Data Units (DUs) when forming a LAG.
Configuring LACP
Two LACP configured devices exchange LACPDUs to form a link aggregation group (LAG). A device is configurable as an active or passive participant. In active mode, the device initiates DUs irrespective of the partner state; passive mode devices respond only to the incoming DUs sent by the partner device. Hence, to form a LAG between two devices, one device must be an active participant. For detailed information on the LACP commands, see the ArubaOS 6.4.
F - Device is requesting fast LACPDUs
A - Device is in active mode
P - Device is in passive mode

Port    Flags  Pri  AdminKey  OperKey  State  Num  Status
----    -----  ---  --------  -------  -----  ---  ------
FE 1/1  SA     1    0x1       0x1      0x45   0x2  DOWN
FE 1/2  SA     1    0x1       0x1      0x45   0x3  UP

In the WebUI
Access LACP from the Configuration > Network > Port tabs. Use the drop-down list to enter the LACP values.
- LACP Group: the link aggregation group (LAG) number; the range is 0 to 7.
interface fastethernet 1/0
  description "FE1/0"
  trusted vlan 1-4094
  lacp group 0 mode active
!
interface fastethernet 1/1
  description "FE1/1"
  trusted vlan 1-4094
  lacp timeout short
  lacp group 0 mode active
!
interface fastethernet 1/2
  description "FE1/2"
  trusted vlan 1-4094
  lacp group 0 mode passive
!
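The active/passive requirement above is easy to get wrong when a LAG is configured on both ends as passive: neither side ever sends an LACPDU and the group never forms. The following added example (not from the guide or from ArubaOS) parses an interface configuration in the style of the listing above and flags LAG groups whose members are all passive, group numbers outside the documented 0-7 range, and members with differing lacp timeouts. The sample configuration is constructed: it repeats the three ports above and adds a hypothetical fastethernet 1/3 in group 1; the assumed partner mode defaults to passive so the worst case is reported.

```python
import re
from collections import defaultdict

# Constructed sample (assumption): the chapter's three-port example plus one
# extra port in a second LAG whose only member is passive.
SAMPLE_CONFIG = """\
interface fastethernet 1/0
  description "FE1/0"
  trusted vlan 1-4094
  lacp group 0 mode active
!
interface fastethernet 1/1
  description "FE1/1"
  trusted vlan 1-4094
  lacp timeout short
  lacp group 0 mode active
!
interface fastethernet 1/2
  description "FE1/2"
  trusted vlan 1-4094
  lacp group 0 mode passive
!
interface fastethernet 1/3
  description "FE1/3"
  lacp group 1 mode passive
!
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+\s+\S+)\s*$")
GROUP_RE = re.compile(r"^\s*lacp group (\d+) mode (active|passive)\s*$")
TIMEOUT_RE = re.compile(r"^\s*lacp timeout (short|long)\s*$")


def parse_lacp_members(config):
    """Map LAG number -> list of member dicts (port, group, mode, timeout).

    'lacp timeout' may appear before or after 'lacp group' in a stanza, so each
    interface stanza is buffered and emitted when it closes ('!' or next interface).
    """
    groups = defaultdict(list)
    current = None

    def flush():
        if current and current["group"] is not None:
            groups[current["group"]].append(dict(current))

    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            flush()
            # "long" is the 802.3ad default when no lacp timeout line is present
            current = {"port": m.group(1), "group": None, "mode": None, "timeout": "long"}
            continue
        if line.strip() == "!":
            flush()
            current = None
            continue
        if current is None:
            continue
        m = GROUP_RE.match(line)
        if m:
            current["group"], current["mode"] = int(m.group(1)), m.group(2)
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            current["timeout"] = m.group(1)
    flush()
    return dict(groups)


def lag_will_form(local_mode, partner_mode):
    """A LAG forms only if at least one side actively sends LACPDUs."""
    return "active" in (local_mode, partner_mode)


def lint_lacp(config, partner_mode="passive"):
    """Return a list of findings; partner_mode is an assumption about the far end."""
    findings = []
    for group, members in sorted(parse_lacp_members(config).items()):
        ports = ", ".join(m["port"] for m in members)
        if not 0 <= group <= 7:
            findings.append(f"group {group} ({ports}): number outside the supported range 0-7")
        if not any(lag_will_form(m["mode"], partner_mode) for m in members):
            findings.append(f"group {group} ({ports}): every member is passive; "
                            "the LAG cannot form against a passive partner")
        timeouts = {m["timeout"] for m in members}
        if len(timeouts) > 1:
            findings.append(f"group {group} ({ports}): members use different "
                            f"lacp timeouts {sorted(timeouts)}; confirm this is intended")
    return findings


if __name__ == "__main__":
    for finding in lint_lacp(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the linter reports group 1 as unable to form and notes that group 0 mixes short and long timeouts; passing partner_mode="active" clears the first finding, which is exactly the case the text describes.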
Chapter 7 OSPFv2

OSPFv2 (Open Shortest Path First) is a dynamic Interior Gateway routing Protocol (IGP) based on IETF RFC 2328. OSPF uses the shortest or fastest routing path. Dell’s implementation of OSPFv2 allows Dell controllers to deploy effectively in a Layer 3 topology. Dell controllers can act as default gateway for all clients and forward user packets to the upstream router.
- In the WLAN scenario, configure the Dell controller and all upstream routers in a totally stub area; in the Branch scenario, configure as a stub area so that the Branch controller can receive corporate subnets.
- In the WLAN scenario upstream router, only configure the interface connected to the controller in the same area as the controller. This will minimize the number of local subnet addresses advertised by the upstream router to the controller.
Below is the routing table for Router 2:

(router2) #show ip route
O    10.1.1.0/24 [2/0] via 5.1.1.1
O    12.1.1.0/24 [2/0] via 5.1.1.1
C    5.1.1.0 is directly connected, VLAN5

Understanding OSPFv2 by Example using a Branch Scenario
The branch office scenario has a number of remote branch offices with controllers talking to a central office via a concentrator/controller using site-to-site VPN tunnels or master-local IPsec tunnels.
M - mgmt, U - route usable, * - candidate default

The routing table for the central office controller is below:

(host)#show ip route
Gateway of last resort is 4.1.1.2 to network 0.0.0.0
O*   0.0.0.0/0 [1/0] via 4.1.1.2*
O    14.1.1.0/24 [1/0] via 30.1.1.1*
O    15.1.1.0/24 [1/0] via 30.1.1.1*
C    4.1.1.0 is directly connected, VLAN4
C    5.1.1.0 is directly connected, VLAN5
C    20.1.1.0 is directly connected, Tunnel 1

The routing table for Router 1 is below:

(router1) #show ip route
O    14.1.1.0/24 [1/0] via 4.1.1.
Figure 31 Add an OSPF Area

3. Configure the OSPF interface settings in the Configuration screen (Figure 32). If OSPF is enabled, the parameters contain the correct default values. You can edit the OSPF values only when you enable OSPF on the interface.

Figure 32 Edit OSPF VLAN Settings

OSPF monitoring is available from an IP Routing sub-section (Controller > IP Routing > Routing). Both Static and OSPF routes are available in table format.
In the WebUI
1. Navigate to the Configuration > Advanced Services > All Profiles > VPN Authentication > default page.
2. (Optional) Regardless of how an authentication server is contacted, the Export VPN IP address as a route option causes any VPN client address to be exported to OSPF using IPC. Note that the Framed-IPAddress attribute is assigned the IP address as long as any server returns the attribute. The Framed-IPAddress value always has a higher priority than the local address pool.
3. Click Apply.
vlan 31
vlan 32
interface gigabitethernet 1/0
  description "GE1/0"
  trusted
  switchport access vlan 16
!
interface gigabitethernet 1/1
  description "GE1/1"
  trusted
  switchport access vlan 30
!
interface gigabitethernet 1/2
  description "GE1/2"
  trusted
  switchport access vlan 31
!
interface gigabitethernet 1/3
  description "GE1/3"
  trusted
  switchport access vlan 32
!
interface vlan 16
  ip address 192.168.16.251 255.255.255.0
!
interface vlan 30
  ip address 192.168.30.1 255.255.255.0
!
interface vlan 31
  ip address 192.
!
interface gigabitethernet 1/0
  description "GE1/0"
  trusted
  switchport access vlan 20
!
interface gigabitethernet 1/1
  description "GE1/1"
  trusted
  switchport access vlan 50
!
interface gigabitethernet 1/2
  description "GE1/2"
  trusted
  switchport access vlan 51
!
interface gigabitethernet 1/3
  description "GE1/3"
  trusted
  switchport access vlan 52
!
interface vlan 20
  ip address 192.168.20.1 255.255.255.0
!
interface vlan 50
  ip address 192.168.50.1 255.255.255.0
!
interface vlan 51
  ip address 192.168.51.1 255.255.
  trusted
  switchport access vlan 225
!
interface gigabitethernet 1/1
  description "GE1/1"
  trusted
  switchport access vlan 100
!
interface gigabitethernet 1/2
  description "GE1/2"
  trusted
  switchport access vlan 68
!
interface vlan 68
  ip address 192.168.68.220 255.255.255.0
!
interface vlan 100
  ip address 192.168.100.1 255.255.255.0
!
interface vlan 225
  ip address 192.168.225.2 255.255.255.0
!
interface tunnel 2003
  description "Tunnel Interface"
  ip address 2.1.0.3 255.0.0.0
  tunnel source 192.168.225.
!
ip default-gateway 192.168.68.1
ip route 192.168.0.0 255.255.0.0 null 0
!
router ospf
router ospf router-id 192.168.225.1
router ospf area 10.10.10.10 stub
router ospf redistribute vlan 100,225

Central Office Controller—Backup
localip 0.0.0.
  ip address 192.168.68.217
  vlan 68
  tracking vlan 68 sub 40
  tracking vlan 100 sub 40
  tracking vlan 225 sub 40
  no shutdown
!
vrrp 2
  priority 99
  ip address 192.168.225.9
  vlan 225
  tracking vlan 68 sub 40
  tracking vlan 100 sub 40
  tracking vlan 225 sub 40
  no shutdown
!
ip default-gateway 192.168.68.1
ip route 192.168.0.0 255.255.0.0 null 0
!
router ospf
router ospf router-id 192.168.225.1
router ospf area 10.10.10.
- RAPNG AP-1 is configured to have a 201.201.203.0/24 L3-distributed network.
- RAPNG AP-2 is configured to have a 202.202.202.0/24 L3-distributed network.

Observation
- UP Controller will send a Type-5 LSA (External LSA) of VPN route 201.201.203.0/24 to its upstream router, Cisco-3750.
- DOWN Controller will send a Type-7 LSA (NSSA) of VPN route 202.202.202.0/24 to its upstream router, Cisco-2950.
- UP Controller will send a Type-4 asbr-summary LSA.
V    201.201.203.0/26 [10/0] ipsec map
O    202.202.202.0/29 [0/0] via 21.21.21.1*
C    192.100.2.0/24 is directly connected, VLAN2
C    10.15.231.184/29 is directly connected, VLAN1
C    172.16.0.0/24 is directly connected, VLAN3
C    21.21.21.0/24 is directly connected, VLAN21
C    5.5.0.2/32 is an ipsec map 10.15.149.30-5.5.0.2

(host) #show ip ospf database
OSPF Database Table
-------------------
Area ID   LSA Type  Link ID
-------   --------  -------
0.0.0.11  ROUTER    21.21.21.1
0.0.0.11  ROUTER    192.100.2.3
0.0.0.11  NETWORK   21.21.21.1
0.
C    22.22.22.0/24 is directly connected, VLAN22
C    4.4.0.2/32 is an ipsec map 10.15.149.35-4.4.0.2
C    4.4.0.1/32 is an ipsec map 10.17.87.126-4.4.0.1

(host) #show ip ospf neighbor
OSPF Neighbor Table
-------------------
Neighbor ID  Pri  State     Address
-----------  ---  --------  ----------
25.25.25.1   1    FULL/BDR  22.22.22.1

(host) #show ip ospf database
OSPF Database Table
-------------------
Area ID   LSA Type  Link ID
-------   --------  -------
0.0.0.10  ROUTER    25.25.25.1
0.0.0.10  ROUTER    192.100.2.2
0.0.0.10  NETWORK   22.22.22.2
0.0.0.
IP               Mask             Gateway          Cost  VLAN  Flags
---------------  ---------------  ---------------  ----  ----  -----
0.0.0.0          0.0.0.0          10.15.149.25     0     0
0.0.0.0          128.0.0.0        192.100.2.3      0     0     T
128.0.0.0        128.0.0.0        192.100.2.3      0     0     T
192.168.10.0     255.255.254.0    192.168.10.1     0     3333  D
201.201.203.0    255.255.255.192  0.0.0.0          0     103   LP
10.15.149.24     255.255.255.248  10.15.149.30     0     1     L
10.15.231.186    255.255.255.255  10.15.149.
(host)# show datapath route
Route Table Entries
-------------------
Flags: L - Local, P - Permanent, T - Tunnel, I - IPsec, M - Mobile, A - ARP, D - Drop

IP               Mask             Gateway          Cost  VLAN  Flags
---------------  ---------------  ---------------  ----  ----  -----
0.0.0.0          0.0.0.0          10.15.149.33     0     0
0.0.0.0          128.0.0.0        192.100.2.2      0     0     T
128.0.0.0        128.0.0.0        192.100.2.2      0     0     T
192.168.10.0     255.255.254.0    192.168.10.1     0     3333  D
10.15.149.32     255.255.255.248  10.15.149.35     0     1     L
202.202.202.0    255.255.255.248  0.0.0.0          0     203   LP
10.15.231.
Chapter 8 Tunneled Nodes

This chapter describes how to configure a Dell tunneled node, also known as a wired tunneled node. Dell tunneled nodes provide access and security using an overlay architecture.
Figure 34 Tunneled Node Configuration Operation

Configuring a Wired Tunneled Node Client
ArubaOS does not allow a tunneled-node client and tunneled-node server to co-exist on the same controller at the same time. The controller must be configured as either a tunneled-node client or a tunneled-node server. By default, the controller behaves as a tunneled-node server. However, once tunneled-node-server xxx.xxx.xxx.xxx is configured on the controller, the controller becomes a tunneled-node client.
d. Enter the IP address of the controller in the Wired Access Concentrator Server IP field.
e. To enable tunnel loop prevention, click the Enable Wired Access Concentrator Loop Prevention checkbox.
f. Click Apply.
3. Access each interface that you want to use, and assign it as a tunneled node port.

(host)(config) #interface fastethernet n/m
(host)(config-if) #tunneled-node port

4. Verify the configuration.
Chapter 9 Authentication Servers

The ArubaOS software allows you to use an external authentication server or the controller internal user database to authenticate clients who need to access the wireless network.
Figure 35 represents a server group named “Radii” that consists of two RADIUS servers, Radius-1 and Radius-2. The server group is assigned for 802.1X authentication.

Figure 35 Server Group

Server names are unique. You can configure the same server in multiple server groups. You must configure the server before you can add it to a server group. If you use the controller’s internal database for user authentication, use the predefined “Internal” server group.
Using the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Radius Server to display the Radius Server List.
3. To configure a RADIUS server, enter the name for the server and click Add.
4. Select the name to configure server parameters. Enter the parameters as described in Table 36. Select the Mode check box to activate the authentication server.
5. Click Apply. The configuration does not take effect until you perform this step.
Table 36: RADIUS Server Configuration Parameters (continued)

Default: 5 seconds
NAS ID: Network Access Server (NAS) identifier to use in RADIUS packets.
NAS IP: The NAS IP address to be sent in RADIUS packets from that server.
NOTE: If you define a local NAS IP using the Configuration > Security > Authentication > Servers page and also define a global NAS IP using the Configuration > Security > Authentication > Advanced page, the global NAS IP address takes precedence.
Table 36: RADIUS Server Configuration Parameters (continued)

Service-type of FRAMED-USER: Send the service-type as FRAMED-USER instead of LOGIN-USER. For more information, see RADIUS Service-Type Attribute on page 179. Default: Disabled
Radsec: Enable or disable RADIUS over TLS for this server. Default: Disabled
Radsec Trusted CA Name: Enter the trusted CA name to be used to verify this server.
Radsec Server Cert Name: Enter the name of the trusted Radsec server certificate.
Enabling Radsec on RADIUS Servers
Conventional RADIUS protocol offers limited security. This level of limited security is not sufficient for authentication that takes place across unsecured networks such as the Internet. To address this, the RADIUS over TLS or Radsec enhancement is introduced to ensure RADIUS authentication and accounting data is transmitted safely and reliably across insecure networks. The default destination port for RADIUS over TLS is TCP/2083.
attribute format (such as string or integer) for each VSA. For more information on VSA-derived user roles, see Configuring a VSA-Derived Role on page 388. The following table describes Dell-specific RADIUS VSAs. For the current and complete list of all RADIUS VSAs available in the version of ArubaOS currently running on your controller, access the command-line interface and issue the command show aaa radius attributes.
Table 38: RADIUS VSAs

Aruba-Mdps-Device-Udid (Type: String, Value: 15): UDID is a unique device identifier which is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the ClearPass Policy Manager (CPPM). The UDID is checked against role mappings or enforcement policies to determine if the device is authorized to be onboarded.
Table 38: RADIUS VSAs (continued)

Aruba-AirGroup-User-Name (Type: String, Value: 24): A device owner or username associated with the device.
Aruba-AirGroup-Shared-User (Type: String, Value: 25): This VSA contains a comma-separated list of user names with whom the device is shared.
Aruba-AirGroup-Shared-Role (Type: String, Value: 26): This VSA contains a comma-separated list of user roles with whom the device is shared.
Table 39: RADIUS Authentication Response Codes

0: Authentication OK.
1: Authentication failed: user/password combination not correct.
2: Authentication request timed out: no response from server.
3: Internal authentication error.
4: Bad response from RADIUS server: verify shared secret is correct.
5: No RADIUS authentication server is configured.
6: Challenge from server. (This does not necessarily indicate an error condition.
3. Enter the cppm_username and cppm_password in the CPPM credentials option.
4. Click Apply.

In the CLI:
(host)(config) #aaa authentication-server radius
(host)(config) #show aaa authentication-server radius

Configuring an RFC-3576 RADIUS Server
You can configure a RADIUS server to send user disconnect, change-of-authorization (CoA), and session timeout messages as described in RFC 3576, “Dynamic Authorization Extensions to Remote Dial In User Service (RADIUS).
Configuring an RFC-3576 RADIUS Server with Radsec

Using the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select RFC 3576 Server to display the Radius Server List.
3. To define a new RFC 3576 RADIUS server, enter the IP address for the server and click Add.
4. Select the server name to configure server parameters.
5. Select the Radsec check box.
6. Click Apply.

Using the CLI
(host)(config) #aaa rfc-3576-server enable-radsec no ...
Table 40: LDAP Server Configuration Parameters (continued)

Default: sAMAccountName
Timeout: Timeout period of an LDAP request, in seconds. Default: 20 seconds
Mode: Enables or disables the server. Default: enabled
Preferred Connection Type: Preferred type of connection between the controller and the LDAP server. The default order of connection type is:
1. ldap-s
2. start-tls
3.
Table 41: TACACS+ Server Configuration Parameters

Host: IP address of the server. Default: N/A
Key: Shared secret to authenticate communication between the TACACS+ client and server. Default: N/A
TCP Port: TCP port used by server. Default: 49
Retransmits: Maximum number of times a request is retried. Default: 3
Timeout: Timeout period for TACACS+ requests, in seconds. Default: 20 seconds
Mode: Enables or disables the server.
Configuring a Windows Server
Table 42 defines parameters for a Windows server used for stateful NTLM authentication.

Table 42: Windows Server Configuration Parameters

Host: IP address of the server. Default: N/A
Mode: Enables or disables the server. Default: enabled
Windows Domain: Name of the Windows Domain assigned to the server.

Using the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Windows Server to display the Windows Server List.
Table 43: Internal Database Configuration Parameters

User Name (Required): Enter a user name or select Generate to automatically generate a user name. An entered user name can be up to 64 characters in length.
Password (Required): Enter a password or select Generate to automatically generate a password string. An entered password must be a minimum of 6 characters and can be up to 128 characters in length.
Role: Role for the client.
Managing Internal Database Files
ArubaOS allows you to import and export user information tables to and from the internal database. These files should not be edited once they are exported. ArubaOS only supports the importing of database files that were created during the export process. Note that importing a file into the internal database overwrites and removes all existing entries.

Exporting Files in the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2.
4. Click OK.

Configuring Server Groups
You can create groups of servers for specific types of authentication. For example, you can specify one or more RADIUS servers to be used for 802.1X authentication. You can configure servers of different types in one group. For example, you can include the internal database as a backup to a RADIUS server.

Configuring Server Groups
Server names are unique. You can configure the same server in more than one server group.
- Certain servers, such as the RSA RADIUS server, lock out the controller if there are multiple authentication failures. Therefore, you should not enable fail-through authentication with these servers.

In the following example, you create a server group "corp-serv" with two LDAP servers (ldap-1 and ldap-2), each containing a subset of the usernames and passwords used in the network.
- The server is selected if the client/user information exactly matches a specified string.

You can configure multiple match rules for the same server. The controller compares the client/user information with the match rules configured for each server, starting with the first server in the server group. If a match is found, the controller sends the authentication request to the server with the matching rule.
c. For Match String, enter abc.corpnet.com.
d. Click Add Rule >>.
e. Scroll to the right and click Add Server.
The last server you added to the server group (radius-2) automatically appears as the first server in the list. In this example, the order of servers is not important. If you need to reorder the server list, scroll to the right and click the up or down arrow for the appropriate server.
7. Click Apply.
- @: the @ portion is truncated

This option does not support client information sent in the format host/.

Using the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Server Group to display the Server Group list.
3. Enter the name of the new server group and click Add.
4. Select the name to configure the server group.
5. Under Servers, click Edit for a configured server or click New to add a server to the group.
Condition (continued):
- contains: The rule is applied if and only if the attribute value contains the string in parameter Operand.
- starts-with: The rule is applied if and only if the attribute value returned starts with the string in parameter Operand.
- ends-with: The rule is applied if and only if the attribute value returned ends with the string in parameter Operand.
- equals: The rule is applied if and only if the attribute value returned equals the string in parameter Operand.
Using the CLI
(host)(config) #aaa server-group
(host)(Server Group name) #set {role|vlan} condition contains|endswith|equals|not-equals|starts-with set-value position

Configuring a Role Derivation Rule for the Internal Database
When you add a user entry in the controller’s internal database, you can optionally specify a user role (see Managing the Internal Database on page 189).
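The sections above describe two ordered string-matching passes that a server group performs: match rules choose which server in the group receives a request (evaluated server by server, first match wins, with an optional truncation of the @ portion of the user name before forwarding), and server derivation rules map attributes returned by that server to a role or VLAN using the contains/starts-with/ends-with/equals/not-equals conditions. The following added example (written for this page, not ArubaOS code) models both passes so their ordering semantics can be exercised offline. The group "corp-serv", its servers, the sample identities, and the derivation rules are constructed; the assumptions that a server with no match rule accepts any request and that the first matching derivation rule per type wins are this example's, not statements from the guide.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The same condition keywords serve both match rules and derivation rules.
OPERATORS = {
    "contains": lambda value, operand: operand in value,
    "starts-with": lambda value, operand: value.startswith(operand),
    "ends-with": lambda value, operand: value.endswith(operand),
    "equals": lambda value, operand: value == operand,
    "not-equals": lambda value, operand: value != operand,
}


@dataclass
class MatchRule:
    operator: str  # key of OPERATORS
    value: str     # string compared against the client/user information


@dataclass
class GroupServer:
    name: str
    match_rules: List[MatchRule] = field(default_factory=list)
    trim_fqdn: bool = False  # truncate the @ portion before forwarding


@dataclass
class DerivationRule:
    attribute: str  # returned attribute to inspect
    operator: str
    operand: str
    set_type: str   # "role" or "vlan"
    set_value: str
    position: int   # evaluation order, lowest first


def trim_fqdn(username: str) -> str:
    """Drop the @ portion; the guide says host/ names are not supported, so
    they are returned unchanged (assumption: unchanged rather than rejected)."""
    if username.startswith("host/"):
        return username
    return username.split("@", 1)[0]


def select_server(servers: List[GroupServer], user_info: str) -> Optional[Tuple[str, str]]:
    """Walk the group in order; return (server name, identity to forward) for the
    first server whose match rules accept user_info, or None if nothing matches.
    A server with no match rules accepts everything (assumption)."""
    for server in servers:
        accepted = not server.match_rules or any(
            OPERATORS[rule.operator](user_info, rule.value) for rule in server.match_rules
        )
        if accepted:
            identity = trim_fqdn(user_info) if server.trim_fqdn else user_info
            return server.name, identity
    return None


def apply_derivation_rules(rules: List[DerivationRule],
                           returned_attributes: Dict[str, str]) -> Dict[str, str]:
    """Evaluate rules by position; the first match for each of role and vlan wins
    (assumption). Attributes the server did not return never match."""
    result: Dict[str, str] = {}
    for rule in sorted(rules, key=lambda r: r.position):
        if rule.set_type in result:
            continue
        value = returned_attributes.get(rule.attribute)
        if value is not None and OPERATORS[rule.operator](value, rule.operand):
            result[rule.set_type] = rule.set_value
    return result


# Constructed sample group and rules (hypothetical names and values).
CORP_SERV = [
    GroupServer("radius-1", [MatchRule("ends-with", "abc.corpnet.com")]),
    GroupServer("radius-2", [MatchRule("ends-with", "xyz.corpnet.com")], trim_fqdn=True),
    GroupServer("ldap-fallback"),
]
RULES = [
    DerivationRule("Class", "equals", "staff", "role", "employee", 1),
    DerivationRule("Class", "contains", "guest", "role", "guest", 2),
    DerivationRule("Filter-Id", "starts-with", "vlan3", "vlan", "300", 3),
]

if __name__ == "__main__":
    print(select_server(CORP_SERV, "bob@xyz.corpnet.com"))
    print(apply_derivation_rules(RULES, {"Class": "staff", "Filter-Id": "vlan300"}))
```

Reordering CORP_SERV changes which server answers for a name that several servers would accept, which is the point the WebUI procedure makes about the up and down arrows; the fallback server with no match rule only ever sees requests that the earlier servers declined.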
Management Authentication
Users who need to access the controller to monitor, manage, or configure the Dell user-centric network can be authenticated with RADIUS, TACACS+, or LDAP servers or the internal database. Only user record attributes are returned upon successful authentication. Therefore, to derive a management role other than the default mgmt auth role, set the server derivation rule based on the user attributes.

Using the WebUI
1. Navigate to the Configuration > Management > Administration page.
4: Idle Timeout
5: Session Timeout. Maximum session length timer expired.
7: Admin Reboot: Administrator is ending service, for example prior to rebooting the controller.
- NAS-Identifier: This is set in the RADIUS server configuration.
- NAS-IP-Address: IP address of the master controller. You can configure a “global” NAS IP address:
  - In the WebUI, navigate to the Configuration > Security > Authentication > Advanced page.
  - In the CLI, use the ip radius nas-ip command.
The following attributes are sent only in Accounting Stop packets (they are not sent in Accounting Start packets):
- Acct-Input-Octets
- Acct-Output-Octets
- Acct-Input-Packets
- Acct-Output-Packets

Remote APs in split-tunnel mode now support RADIUS accounting.
TACACS+ Accounting TACACS+ accounting allows commands issued on the controller to be reported to TACACS+ servers. You can specify which types of commands are reported (action, configuration, or show commands), or report all commands.
Setting an Authentication Timer
To set an authentication timer, complete one of the following procedures:

Using the WebUI
1. Navigate to the Configuration > Security > Authentication > Advanced page.
2. Configure the timers as described above.
3. Click Apply before moving on to another page or closing the browser window. If you do not perform this step, you will lose your configuration changes.

Using the CLI
The commands below configure timers you can apply to clients.
Chapter 10 MAC-based Authentication

This chapter describes how to configure MAC-based authentication on the Dell controller using the WebUI. Use MAC-based authentication to authenticate devices based on their physical media access control (MAC) address. Although this is not the most secure and scalable method, MAC-based authentication implicitly provides an additional layer of security to authenticate devices.
Table 47: MAC Authentication Profile Configuration Parameters

Delimiter: Delimiter used in the MAC string:
- colon specifies the format XX:XX:XX:XX:XX:XX
- dash specifies the format XX-XX-XX-XX-XX-XX
- none specifies the format XXXXXXXXXXXX
- oui-nic specifies the format XXXXXX:XXXXXX
Default: none
NOTE: This parameter is available for the aaa authentication-server radius command.
Case: The case (upper or lower) used in the MAC string.
2. Select Internal DB.
3. Click Add User in the Users section. The user configuration page displays.
4. For User Name and Password, enter the MAC address for the client. Use the format specified by the Delimiter parameter in the MAC Authentication profile. For example, if the MAC Authentication profile specifies the default delimiter (none), enter MAC addresses in the format xxxxxxxxxxxx.
5. Click Enabled to activate this entry on creation.
6. Click Apply.
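Step 4 is where MAC authentication quietly fails in practice: the controller sends the MAC address to the authentication server in the form selected by the profile's Delimiter and Case parameters (Table 47), so an internal-database entry written with a different delimiter or case never matches and the device is simply rejected. The following added example (written for this page, not ArubaOS code) renders a MAC address in each of the four documented delimiter formats and checks a list of internal-database user names against the profile's format. The default case of "lower" and the sample user names are assumptions; the guide gives the default delimiter (none) but not the default case.

```python
import re

DELIMITERS = ("colon", "dash", "none", "oui-nic")  # the four formats in Table 47


def format_mac(mac: str, delimiter: str = "none", case: str = "lower") -> str:
    """Render a MAC address the way the MAC Authentication profile would send it.

    Any separators in the input are ignored; the output uses the profile's
    delimiter and case. Raises ValueError for anything that is not 48 bits of hex
    or for an unknown delimiter/case.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if case == "upper":
        digits = digits.upper()
    elif case == "lower":
        digits = digits.lower()
    else:
        raise ValueError(f"unknown case {case!r}")
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    if delimiter == "colon":
        return ":".join(octets)
    if delimiter == "dash":
        return "-".join(octets)
    if delimiter == "none":
        return digits
    if delimiter == "oui-nic":
        return digits[:6] + ":" + digits[6:]
    raise ValueError(f"unknown delimiter {delimiter!r}")


def internal_db_entry(mac: str, delimiter: str = "none", case: str = "lower") -> dict:
    """Step 4 above: user name and password are both the formatted MAC address."""
    name = format_mac(mac, delimiter, case)
    return {"username": name, "password": name}


def lint_internal_db(usernames, delimiter: str = "none", case: str = "lower"):
    """Return the entries that can never match the profile: wrong delimiter or
    case, or not a MAC address at all. Assumes the list holds only MAC-auth users."""
    bad = []
    for name in usernames:
        try:
            if format_mac(name, delimiter, case) != name:
                bad.append(name)
        except ValueError:
            bad.append(name)
    return bad


# Constructed sample entries (assumption): one correct for the default profile,
# one entered with colons, one in upper case, one truncated.
SAMPLE_USERS = ["001a2b3c4d5e", "00:1a:2b:3c:4d:5e", "001A2B3C4D5E", "001a2b"]

if __name__ == "__main__":
    for d in DELIMITERS:
        print(d, format_mac("00-1A-2B-3C-4D-5E", d, "upper"))
    print("will never match:", lint_internal_db(SAMPLE_USERS))
```

Running the lint against an exported internal-database file before a delimiter change shows which entries must be re-entered, which is cheaper than discovering it per device after the profile is applied.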
Chapter 11 Branch Controller Config for Controllers

Many distributed enterprises with branch and remote offices and locations use cost-effective hybrid WAN connectivity solutions that include low-cost DSL, 4G and LTE technologies, rather than relying solely on traditional E1/T1 or T3/E3 dedicated circuits.
This chapter describes the features and functions of a branch controller, and includes the following topics:
- Branch Deployment Features on page 208
- Zero-Touch Provisioning on page 222
- Using Smart Config to create a Branch Config Group on page 225
- PortFast and BPDU Guard on page 249
- Preventing WAN Link Failure on Virtual APs on page 251
- Branch WAN Dashboard on page 252

Branch Deployment Features
This section describes the following branch controller features.
Scalable Site-to-Site VPN Tunnels ArubaOS 6.4.4.0 and later supports site-to-site IPSEC tunnels based on a Fully Qualified Domain Name (FQDN). When you identify the remote peer for a branch config group using an FQDN, that config group can be applied across multiple branch controllers, as the configured FQDN can resolve to different IP addresses for each local branch, based on local DNS settings. In ArubaOS 6.4.4.
reloads and associates to the secondary controller as the new master. The branch controller then synchronizes its branch and global configuration settings from the new master, and reloads again to apply those settings. WAN Failure (Authentication) Survivability This section contains the following information about the authentication survivability feature. This feature is supported on W-7000 Series controllers.
Clients and their authentication methods:
- MAC-based Authentication clients: PAP
- VPN clients: PAP with an external authentication server; CN lookup with an external authentication server
- VIA and other VPN clients: PAP method and CN lookup
- Wireless Internet Service Provider roaming (WISPr) clients: PAP

In this initial release, the external authentication server can be either a RADIUS server or an LDAP server.
Administrative Functions
This section describes the scenarios that illustrate the functionality that the authentication survivability feature provides. For more information, see:
- WAN Failure (Authentication) Survivability on page 210

Enabling Authentication Survivability on a Local Branch Controller
You can configure each local branch controller to enable or disable Authentication Survivability; by default, this feature is disabled.
2. The non-zero MAC-address client is authenticated using one of the following options:
a. Authenticated with an External RADIUS server using PAP or EAP-TLS
b. Authenticated with an External LDAP server using PAP
c. Successful query on Common Name (CN) with an External RADIUS or LDAP server

Picking Up the Survival Server for Authentication
The Survival Server performs an authentication or query request when authentication survivability is enabled, and one of the following is true:
1.
External Captive Portal Client Authentication Using the XML-API Table 50 describes the authentication procedures for External Captive Portal clients using the XML-API, both when the branch's authentication servers are available and when they are not available. When the authentication servers are not available, the Survival Server takes over the handling of authentication requests.
server. The external authentication server can be either a RADIUS server or an LDAP server.

Table 52: 802.1X Client Authentication Using EAP_TLS with CN Lookup

When Authentication Servers Are Available
- If the query succeeds, the associated access credential with a returned indicator of EXIST, plus the Key Reply attributes, are stored in the Survival Server database.
Table 54: WISPr Authentication Using PAP

When Authentication Servers Are Available
For a WISPr client authenticated by an external server using PAP:
- If authentication succeeds, the associated access credential, along with an encrypted SHA-1 hash of the password and Key Reply attributes, are stored in the Survival Server database.
Figure 38 Branch Deployment Model with Master Controller in HQ

Modes of Operation
There are three modes of operation for the deflation and inflation compression processes:
- Static Compression: For static compression, a predefined Huffman code is used that may not be ideal for the block in question, but it usually achieves acceptable compression. The advantage of static compression is its speed of execution.
- Dynamic Compression: The advantage of dynamic compression is a higher compression ratio.
- Protecting higher-priority traffic: If you want to guarantee bandwidth for a company-critical application or application group, you can add that application to an exception list, then apply a bandwidth contract to all remaining traffic.

You can apply bandwidth contracts using one or both of these models. Each interface supports up to 64 bandwidth contracts.
Enable Palo Alto firewall integration on a master controller to securely redirect internet inbound traffic from branch controllers using the branch config group into the PAN firewall. Although this configuration setting can be used on standalone or local controllers, this feature can only be used on controllers in these types of deployments when used in conjunction with the controller uplink VLAN manager feature. The uplink VLAN manager is enabled by default on branch controller uplinks.
Figure 40 Palo Alto Networks Active Satellites List

5. The branch controller uses the Palo Alto Networks gateway list and credentials from the portal to contact all PAN gateways. Each PAN gateway sends the branch controller information that allows the branch controller to automatically create a secure IPsec tunnel and exchange branch subnet routes with each PAN gateway.
6.
Branch Controller Routing Features
The following sections describe some of the features that can be configured using the Smart Config WebUI. For details on configuring these features using the Smart Config WebUI, see Routing Configuration on page 235.

Uplink Routing Using Nexthop Lists
A next-hop IP is the IP address of an adjacent router or device with Layer-2 connectivity to the controller.
Inbound Interface Access Lists In a branch controller environment, where an IPsec map defines the connections between the local branch controllers and a master controller, the global routing ACL master-boc-traffic is applied to all IPsec maps between the master and the branch controllers.
Provisioning a controller includes completing the following:
- setting the role
- setting the country code
- configuring the local configuration

The local configuration is the configuration that is specific to a controller. That is, not the global configuration shared by a network of controllers. This includes, but is not limited to, IP addresses and VLANs.
- mini-setup: In this mode, the branch controller:
  - has its role set to branch when mini-setup is initiated
  - obtains its IP address from DHCP
  - is configured through the console with its country code and the IP address of the primary master controller and (optionally) the secondary master controller IP.
- Option-43 Vendor Specific Information (VSI) with the primary master IP address, the country code, and optionally, a secondary master IP (for deployments requiring Layer-3 redundancy). This VSI must be in one of the following formats, where the IP address of a master controller is in dotted-decimal notation (a.b.c.d) format or a fully qualified domain name format (master.example.
address pools are pushed out to each branch controller when it comes up on the network. If a branch controller is removed from the master, the IP addresses allocated to that branch controller can be reused and reassigned to a new branch controller. A master controller must have a separate VLAN pool defined for each VLAN used by its branch controllers. A VLAN pool allocates a static, contiguous block of multiple IP addresses to each branch controller.
Table 55: Branch Config Group Template Setting

MAC Address: MAC address of the controller.
Description: A brief description of the controller.
Time Zone: A text string indicating the controller's time zone. NOTE: This string must contain three or more characters of a supported time zone in any of the formats described in Table 56, for example, HongKong or UTC+08 or CCT.
DST: Specify ON or OFF to indicate if the controller's time zone is currently using daylight savings time.
Table 56: Supported Branch Config Group Time Zone Formats
(Each entry lists the zone name, its UTC offset, and the accepted abbreviations; UTC- and UTC+ zones are listed together here.)
- "International-Date-Line-West", "UTC-12"
- "Casablanca", "UTC+00", "UTC"
- "American-Samoa", "UTC-11", "SST"
- "Coordinated-Universal-Time", "UTC+00", "UTC"
- "Hawaii", "UTC-10", "HST"
- "Dublin", "UTC+00", "UTC", "IST"
- "Alaska", "UTC-09", "AKST"
- "Edinburgh", "UTC+00", "UTC", "BST"
- "Baja-California", "UTC-08", "PST"
- "Lisbon", "UTC+00", "UTC", "WEST"
- "Pacific-Time", "UTC-08", "PST"
(Table 56, continued)
- "Mid-Atlantic", "UTC-02", "FNT"
- "Helsinki", "UTC+02", "EET", "EEST"
- "Azores", "UTC-01", "AZOST"
- "Istanbul", "UTC+02", "EET", "EEST"
- "Cape-Verde-Is", "UTC-01", "CVT"
- "Kyiv", "UTC+02", "EET", "EEST"
- "Casablanca", "UTC+00", "UTC"
- "Riga", "UTC+02", "EET", "EEST"
- "Coordinated-Universal-Time", "UTC+00", "UTC"
- "Sofia", "UTC+02", "EET", "EEST"
- "Dublin", "UTC+00", "UTC", "IST"
(Table 56, continued)
- "East-Europe", "UTC+02", "EET", "EEST"
- "Hanoi", "UTC+07", "THA"
- "Harare", "UTC+02", "EET"
- "Jakarta", "UTC+07", "THA"
- "International-Date-Line-West", "UTC-12"
- "Novosibirsk", "UTC+07", "THA"
- "American-Samoa", "UTC-11", "SST"
- "Beijing", "UTC+08", "CCT"
- "Hawaii", "UTC-10", "HST"
- "Chongqing", "UTC+08", "CCT"
- "Alaska", "UTC-09", "AKST"
- "HongKong", "UTC+08", "CCT"
- "Baja-Cal
(Table 56, continued)
- "Montevideo", "UTC-03", "BST", "UYST"
- "Salvador", "UTC-03", "BST", "BRST"
- "Mid-Atlantic", "UTC-02", "FNT"
- "Azores", "UTC-01", "AZOST"
- "Cape-Verde-Is", "UTC-01", "CVT"

System Configuration
Configure general system settings for the branch controllers in a branch config group by navigating to Configuration > Branch > Smart Config and selecting the System tab.
RADIUS interface source VLAN: This field identifies the interface used for outgoing RADIUS packets. The IP address of the specified interface is used as the source address in the IP header of RADIUS packets, so it must match the client address configured on the RADIUS server.
CA Cert: (Optional) The branch controller can act as an OCSP client and issue OCSP queries to remote OCSP responders located on the intranet or the Internet. If you have uploaded an OCSP responder certificate to the master controller, click Edit to select the responder certificate that signs the OCSP responses for the revocation checkpoint; the branch controller validates responses against it. For more information on configuring a controller as an OCSP client, see Configuring the Controller as an OCSP Client on page 295.
The settings on the Networking tab are described in the table below.
Figure 42 Branch Controller Networking Settings
User VLANs
VLAN ID: Identifier for the VLAN.
Description: Text string describing the VLAN.
NAT Inside: Select this checkbox to enable source NAT for this VLAN. When applied, NAT is applied to both outbound and non-public inter-VLAN traffic, with the IP address of the VLAN interface as the source address.
NAT Outside: Starting in ArubaOS 6.4.4.
Ports: Port settings are:
- Port Enable
- Enable
- Description
- Trusted
- Speed/Duplex
- Mode
- Native VLAN
- Trunk/Access
- VLAN
- PortFast
- BPDU Guard
Click Edit to edit the settings for an individual interface port, or to apply an access control list (ACL) to inbound traffic, outbound traffic, or session traffic on a selected VLAN. Traffic arriving on a port marked Trusted bypasses user-role firewall processing, so mark only ports facing infrastructure you control as trusted. NOTE: For complete details on the PortFast and BPDU Guard features, see PortFast and BPDU Guard on page 249.
Controller IP
A valid branch config group requires a VLAN to be assigned to the controller IP address. To assign a VLAN to the controller IP:
1. Navigate to Configuration > Branch > Smart Config > Routing and select the Routing sub-tab.
2. Click the Controller-IP drop-down list and select a VLAN ID from the list of uplink VLANs configured on the Branch > Smart Config > Networking tab.
3. Click Apply.
NAS IP
ArubaOS 6.5.x allows you to configure a branch controller NAS IP with a VLAN.
Table 58: Branch Controller DHCP Pool Settings
VLAN: VLAN ID. Click the VLAN drop-down list and select a VLAN ID from the list of uplink VLANs configured on the Branch > Smart Config > Networking tab.
Pool Name: Name that identifies this VLAN pool.
Domain Name: Domain name of the DNS server.
DNS Server: IP address of the DNS server.
IP Address Range: IP addresses at the start and end of the branch controller's address range, in dotted-decimal format, and the netmask per branch.
Table 59: Branch Controller Next-Hop Settings
Nexthop-list name: Name for the new nexthop list.
Nexthop IP / DHCP: IP address of the nexthop device, or the VLAN ID of the VLAN used by the nexthop device. If the VLAN obtains its IP address using DHCP and the default gateway is determined by the VLAN interface, the gateway IP is used as the nexthop IP address.
Table 60: Policy Based Routing ACL Rule Parameters
IP version: Specifies whether the policy applies to IPv4 or IPv6 traffic.
Source (required) and Destination (required): Source of the traffic, which can be one of the following:
- any: Acts as a wildcard and applies to any source address.
- user: This refers to traffic from the wireless client.
- host: This refers to traffic from a specific host. When this option is chosen, you must configure the IP address of the host.
Service (required): Type of traffic, which can be one of the following:
- any: This option specifies that this rule applies to any type of traffic.
- application: For session and route policies on a W-7000 Series controller, you can create a rule that applies to a specific application type. Click the Application drop-down list and select an application type.
(Table 60 also lists the Action (required) and Position fields.)
- If you selected the User Role type, click the Target drop-down list and select a user role. The rule will be applied to traffic from clients with the selected user role.
5. Click Done.
6. Click Apply.
VPN Configuration
Configure IPsec crypto maps and Dead Peer Detection (DPD) settings for the branch controllers in a branch config group by navigating to Configuration > Branch > Smart Config and selecting the VPN tab. The settings on the VPN tab are described in the table below.
- Peer Gateway FQDN: This option allows you to use the same FQDN across different branches. The FQDN resolves to a different IP address for each branch, based on its local DNS setting.
Define the peer gateway. If you selected IP Address for the Peer Gateway Type option, enter the appropriate IP address:
- If you are configuring an IPsec map for a dynamically addressed remote peer, give the peer gateway a default value of 0.0.0.0.
PFS: If you enable Perfect Forward Secrecy (PFS) mode, the session keys of each IPsec SA are derived from a fresh Diffie-Hellman exchange rather than from previously used keying material, so the compromise of one session key (or of the IKE keys that protected it) does not expose the keys of earlier or later sessions. PFS mode is disabled by default. To enable this feature, click the PFS drop-down list and select one of the following Perfect Forward Secrecy modes:
- group1: 768-bit Diffie-Hellman prime modulus group. (A 768-bit MODP group is too weak for current use; prefer a larger group from the list.)
Certificate: For certificate authentication, select Certificate, then click the Server Certificate and CA Certificate drop-down lists to select certificates previously imported into the controller. See Management Access on page 824 for more information on managing certificates.
DPD Parameters
The DPD Parameters checkbox on the VPN tab enables or disables Dead Peer Detection.
Default IKE protection suites (Policy Name: Policy Number; IKE Version; Encryption Algorithm; Hash Algorithm; Authentication Method; PRF Method; Diffie-Hellman Group):
- Default IKEv2 PSK protection suite: 10007; IKEv2; AES-128; SHA-96; Pre-shared key; hmac-sha1; 2 (1024 bit)
- Default SuiteB 128bit ECDSA protection suite: 10008; IKEv2; AES-128; SHA-256-128; ECDSA-256 Signature; hmac-sha2-256; Random ECP Group (256 bit)
- Default SuiteB 256 bit ECDSA protection suite: 10009; IKEv2; AES-256; SHA-384-192; ECDSA-384 Signature; hmac-sha2-384; Rand
Table 63: Branch Config Group WAN Settings
WAN Failure Survivability
Enable Auth-Survivability: This parameter controls whether to use the Survival Server when no other authentication server in the server group is in service. It also controls whether to store a user's access credential in the Survival Server when the user is authenticated by an external RADIUS or LDAP server in the server group. Authentication Survivability is enabled or disabled at each controller.
Probe Interval (sec): The Probe Interval field specifies the probe interval, in seconds. The WAN health-check feature sends the number of probes defined by the Packet Burst per Probe parameter during each probe interval. To change the default interval of 10 seconds, enter a new value into this field.
Packet Burst Per Probe: The Packet Burst per Probe field specifies the number of probes to be sent during the probe interval.
- Category: The contract applies to all applications within a category type.
- Exclude: If a bandwidth contract is applied to an entire interface or category of applications, you can create a bandwidth contract that excludes a single application or application category from that contract.
assigned to the branch controller in the whitelist entry. To assign a different configuration to an unprovisioned branch controller, you must delete the whitelist entry and create a new branch controller whitelist entry with the correct branch config group.
In most deployments, edge ports are access ports. However, the PortFast feature is not restricted to access ports in this scenario. The mode of the port changes from PortFast to non-PortFast when the port receives an STP BPDU. To re-enable this feature on a port, run the shut command followed by the no shut command at the interface (port) level. Configuring PortFast on a non-edge port can cause instability in the STP topology.
5. Click Update.
To disable PortFast and BPDU Guard, uncheck the PortFast and BPDU Guard checkboxes. It is recommended to enable PortFast only on access port types. However, PortFast can be enabled on trunk ports by selecting the Trunk checkbox in the WebUI.
5. Once you select the virtual AP, click the Advanced tab.
6. Set the WAN Operation Mode drop-down menu value to Primary, Always, or Backup. For WAN link failure, this mode should be set to Backup.
In the CLI
(host)(config) #wlan virtual-ap default
(host)(Virtual AP profile "default") #wan-operation backup
The option appears in the profile's help output:
(host)(Virtual AP profile "default") #?
wan-operation            Virtual-AP WAN operation
wmm-traffic-managemen..
- Throughput: Displays the In and Out traffic for VLANs. The Throughput table has four tabs, one per uplink. The first tab shows the throughput of the highest-priority VLANs, followed by other VLAN data in priority order. Clicking a tab loads the In and Out throughput data for that VLAN.
- Latency: Displays latency data for the available VLANs. Each line represents one VLAN.
- Alerts: Lists the last five alerts with time stamp and description.
Chapter 12 802.1X Authentication
802.1X is an Institute of Electrical and Electronics Engineers (IEEE) standard that provides an authentication framework for WLANs. 802.1X uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1X framework and are suitable for wireless networks include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS).
- PEAP: Protected EAP (PEAP) is an 802.1X authentication method in which the authentication server presents a public key certificate so that the client can authenticate the server and establish an encrypted TLS tunnel to it. The client's credentials are then exchanged inside that tunnel, which keeps them protected from anyone observing the wireless link. Clients must be configured to validate the server certificate; a client that skips validation will hand its credentials to any rogue server that presents a certificate.
For the controller to communicate with the authentication server, you must configure the IP address, authentication port, and accounting port of the server on the controller. The authentication server must be configured with the IP address of the RADIUS client, which in this case is the controller. Both the controller and the authentication server must be configured with the same shared secret: the secret keys the authenticators each side uses to verify the other's packets, so a mismatch causes every authentication to fail.
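What the shared secret actually protects, as an added example (Python, standard library only; not the controller's or any RADIUS server's code): the controller's Access-Request carries a Message-Authenticator (HMAC-MD5 keyed with the secret, RFC 3579) and the server's reply carries a Response Authenticator (MD5 over the reply plus the secret, RFC 2865), so a secret mismatch on either side is detected. The packet built here carries only a User-Name; the secret, identifier and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80   # attribute types (RFC 2865, RFC 3579)


def attr(atype, value):
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(secret, ident, username, request_auth):
    """Controller side: Access-Request with a Message-Authenticator, which is
    HMAC-MD5 over the whole packet (attribute value zeroed) keyed with the
    shared secret, so a server holding a different secret rejects it."""
    attrs = attr(USER_NAME, username)
    length = 20 + len(attrs) + 18               # 18 = Message-Authenticator TLV
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + request_auth
    zeroed = header + attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(secret, packet):
    """Server side check of the request's Message-Authenticator."""
    header, body = packet[:20], packet[20:]
    rebuilt, found, pos = b"", None, 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return False                         # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR:
            found = body[pos + 2:pos + alen]
            rebuilt += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
        else:
            rebuilt += body[pos:pos + alen]
        pos += alen
    if found is None or len(found) != 16:
        return False
    expected = hmac.new(secret, header + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(expected, found)


def build_response(secret, code, ident, request_auth, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length +
    RequestAuthenticator + Attributes + Secret) (RFC 2865 section 3)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(secret, response, request_auth):
    """Controller side: an Access-Accept is only trusted if its Response
    Authenticator checks out under our copy of the shared secret and the
    Request Authenticator we sent."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = b"s3cret-shared-with-IAS1"          # constructed shared secret
    request_auth = bytes(range(16))              # constructed; must be random in practice
    req = build_access_request(secret, 7, b"alice", request_auth)
    print("server accepts request:", verify_message_authenticator(secret, req))
    resp = build_response(secret, ACCESS_ACCEPT, 7, request_auth)
    print("controller trusts reply:", verify_response(secret, resp, request_auth))
    print("reply under wrong secret:", verify_response(b"other", resp, request_auth))
```

The Request Authenticator must be unpredictable per request in real use; a fixed value is used here only so the example is deterministic. Because the Response Authenticator binds the reply to the Request Authenticator, a captured Access-Accept cannot be replayed against a later request.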
Configuring 802.1X Authentication
On the controller, use the following steps to configure a wireless network that uses 802.1X authentication:
1. Configure the VLANs to which the authenticated users will be assigned. See Network Configuration Parameters on page 92.
2. Configure policies and roles. You can specify a default role for users who are successfully authenticated using 802.1X.
Table 65: 802.1X Authentication Profile Basic WebUI Parameters
Basic 802.1X Authentication Settings
Max authentication failures: Number of times a user can try to log in with wrong credentials, after which the user is blacklisted as a security threat. Set to 0 to disable blacklisting; otherwise enter a non-zero integer to blacklist the user after the specified number of failures. Range: 0-5 failures. Default: 0 (blacklisting disabled, so repeated credential guessing is not blocked by this setting). NOTE: This option may require a license.
by Microsoft clients.
Enforce Suite-B 128 bit or more security level Authentication: Configure Suite-B 128 bit or more security level authentication enforcement.
Enforce Suite-B 192 bit security level Authentication: Configure Suite-B 192 bit security level authentication enforcement.
Advanced 802.1X Authentication Settings
Machine Authentication Cache Timeout: The timeout, in hours, for machine authentication.
Default: 30 seconds.
Authentication Server Retry Count: Maximum number of authentication requests that are sent to the server group. Range: 0-3 requests. Default: 2 requests.
Framed MTU: Sets the framed Maximum Transmission Unit (MTU) attribute sent to the authentication server. Range: 500-1500 bytes. Default: 1100 bytes.
Number of times ID-Requests are retried: Maximum number of times ID requests are sent to the client.
Delay between WPA/WPA2 Unicast Key and Group Key Exchange: Interval, in milliseconds, between the unicast and multicast key exchanges. Range: 0-2000. Default: 0 (no delay).
Time interval after which the PMKSA will be deleted: The time interval, in hours, after which the PMKSA (Pairwise Master Key Security Association) cache entry is deleted. Range: 1-2000. Default: 8.
Token Caching: If you select EAP-GTC as the inner EAP method, you can select the Token Caching checkbox to enable the controller to cache the username and password of each authenticated user. The controller continues to reauthenticate users with the remote authentication server; however, if the authentication server is unavailable, the controller uses its cached credentials to reauthenticate users. Note that this keeps a copy of user credentials on the controller.
Configuring and Using Certificates with AAA FastConnect
The controller supports 802.1X authentication using digital certificates for AAA FastConnect.
- Server Certificate: A server certificate installed in the controller verifies the authenticity of the controller for 802.1X authentication. Dell controllers ship with a demonstration digital certificate; replace it with a certificate issued by a CA your clients trust before production use, since clients cannot safely trust a certificate shared by every shipped unit.
Working with Role Assignment with Machine Authentication Enabled
When you enable machine authentication, there are two additional roles you can define in the 802.1X authentication profile:
- Machine authentication default machine role
- Machine authentication default user role
While you can select the same role for both options, you should define the roles according to the policies that need to be enforced. Also, these roles can be different from the 802.
- If only user authentication succeeds, the role is guest.
- On failure of both machine and user authentication, the user does not have access to the network.
With machine authentication enabled, the VLAN to which a client is assigned (and from which the client obtains its IP address) depends upon the success or failure of the machine and user authentications.
Prerequisites
- An AP has to be configured with the credentials for 802.1X authentication. These credentials are stored securely in the AP flash.
- The AP must complete the 802.1X authentication before it sends or receives IP traffic such as DHCP. If the AP cannot complete 802.1X authentication (explicit failure or reply timeout) within 1 minute, the AP proceeds to initiate IP traffic and attempts to contact the controller anyway. The wired infrastructure can be configured to allow this fallback; if it is, an AP port that failed authentication still carries traffic, so decide deliberately whether that is acceptable for the port's VLAN.
Configuring Authentication with an 802.1X RADIUS Server
- An EAP-compliant RADIUS server provides the 802.1X authentication. The RADIUS server administrator must configure the server to support this authentication. The administrator must also configure the server to allow communications with the Dell controller.
- The authentication type is WPA. From the 802.1X authentication exchange, the client and the controller derive dynamic keys to encrypt data transmitted on the wireless network.
- 802.
e. Under Service, select service. In the Service scrolling list, select svc-telnet.
f. Under Action, select drop.
g. Click Add.
5. Under Rules, click Add.
a. Under Source, select user.
b. Under Destination, select alias and then select Internal Network.
c. Under Service, select service. In the Service scrolling list, select svc-pop3.
d. Under Action, select drop.
e. Click Add.
6. Repeat steps 4a through 4e to create rules for the following services: svc-ftp, svc-smtp, svc-snmp, and svc-ssh.
7. Click Apply.
8.
6. Select the User Roles tab. Click Add to create the faculty role. 7. For Role Name, enter faculty. 8. Under Firewall Policies, click Add. In Choose from Configured Policies, select the faculty policy you previously created. Click Done.
d. Under Action, select drop.
e. Click Add.
To create rules to permit HTTP and HTTPS access during working hours:
a. Under Source, select user.
b. Under Destination, select any.
c. Under Service, select service. In the Services scrolling list, select svc-http.
d. Under Action, select permit.
e. Under Time Range, select working-hours.
f. Click Add.
g. Repeat steps a through f for the svc-https service.
To create a rule that denies the user access to all destinations and all services:
a. Under Source, select user.
b.
In the CLI
(host)(config) #user-role sysadmin
  session-acl allowall
Creating a computer role
In the WebUI
1. Navigate to the Configuration > Security > Access Control > User Roles page. Click Add to create the computer role.
2. For Role Name, enter computer.
3. Under Firewall Policies, click Add. In Choose from Configured Policies, select the predefined allowall policy. Click Done.
4. Click Apply.
d. Click Add.
5. Click Apply.
In the CLI
(host)(config) #aaa authentication-server radius IAS1
  host 10.1.1.21
  key |*a^t%183923!
(host)(config) #aaa server-group IAS
  auth-server IAS1
  set role condition Class value-of
Configuring 802.1X Authentication
An AAA profile specifies the 802.1X authentication profile and 802.1X server group to be used for authenticating clients for a WLAN. The AAA profile also specifies the default user roles for 802.1X and MAC authentication. In the 802.
(host)(config) #aaa profile aaa_dot1x
  dot1x-default-role faculty
  mac-default-role computer
  authentication-dot1x dot1x
  dot1x-server-group IAS
Configuring VLANs
In this example, wireless clients are assigned to either VLAN 60 or 61 while guest users are assigned to VLAN 63. VLANs 60 and 61 split users into smaller IP subnetworks, improving performance by decreasing broadcast traffic. The VLANs are internal to the Dell controller only and do not extend into other parts of the wired network.
(host)(config) #interface vlan 61
  ip address 10.1.61.1 255.255.255.0
  ip helper-address 10.1.1.25
(host)(config) #vlan 63
(host)(config) #interface vlan 63
  ip address 10.1.63.1 255.255.255.0
  ip helper-address 10.1.1.25
(host)(config) #ip default-gateway 10.1.1.254
Configuring the WLANs
In this example, default AP parameters for the entire network are: the default ESSID is WLAN-01 and the encryption mode is TKIP. (TKIP is retained here only to follow the example; it is deprecated, and AES-CCMP should be used wherever clients support it.)
8. In the Profiles list, select Wireless LAN and then Virtual AP. 9. Select guest from the Add a profile drop-down list. Click Add. 10.Click Apply.
9. To configure the WLAN-01_second-floor virtual AP:
a. Select NEW from the Add a profile drop-down list. Enter WLAN-second-floor, and click Add.
b. In the Profile Details entry for the virtual AP profile, select aaa_dot1x from the AAA profile drop-down list. A pop-up window displays the configured AAA profile parameters. Click Apply.
c. From the SSID profile drop-down list, select WLAN-01. A pop-up window displays the configured SSID profile parameters. Click Apply.
d.
6. Select the expiration time for the user account in the internal database.
7. Click Apply.
In the CLI
Use privileged (enable) mode in the CLI to add users to the controller's internal database:
(host) #local-userdb add username <username> password <password>
Configuring a Server Rule
In the WebUI
1. Navigate to the Configuration > Security > Authentication > Servers page.
2. Select Server Group to display the Server Group list.
3. Select the internal server group.
4.
d. For 802.1X Authentication Default Role, select faculty. e. Click Apply. 3. In the Profiles list (under the aaa_dot1x profile you just created), select 802.1X Authentication Profile. a. Select the dot1x profile from the 802.1X Authentication Profile drop-down list. b. Click Apply. 4. In the Profiles list (under the aaa_dot1x profile you just created), select 802.1X Authentication Server Group. a. Select the internal server group. b. Click Apply.
b. For Net Mask, enter 255.255.255.0.
c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add.
d. Click Apply.
5. Select the IP Routes tab.
a. For Default Gateway, enter 10.1.1.254.
b. Click Apply.
In the CLI
(host)(config) #vlan 60
(host)(config) #interface vlan 60
  ip address 10.1.60.1 255.255.255.0
  ip helper-address 10.1.1.25
(host)(config) #vlan 61
(host)(config) #interface vlan 61
  ip address 10.1.61.1 255.255.255.0
  ip helper-address 10.1.1.
d. Enter guest for the Network Name.
e. For Network Authentication, select None.
f. For Encryption, select WEP. (WEP is kept here only to follow the example; it provides no meaningful confidentiality and should not be relied on in production.)
g. Enter the WEP key.
h. Click Apply.
i. Under Profile Details, click Apply.
5. Click on the guest virtual AP name in the Profiles list or in Profile Details to display configuration parameters.
a. Ensure that you select Virtual AP enable.
b. For VLAN, select 63.
c. Click Apply.
6. Navigate to the Configuration > Wireless > AP Configuration page.
7. In the AP Group list, select second-floor.
8.
d. Enter WLAN-01 for the name of the SSID profile. e. Enter WLAN-01 for the Network Name. f. Select WPA for Network Authentication. g. Click Apply. h. At the bottom of the Profile Details page, click Apply. 5. Click on the WLAN-01_first-floor virtual AP profile name in the Profiles list or in Profile Details to display configuration parameters. a. Ensure that you select Virtual AP enable. b. For VLAN, select 60. c. Click Apply. 6. Navigate to the Configuration > Wireless > AP Configuration page. 7.
Configuring Mixed Authentication Modes
Use the l2-auth-fail-through command to perform mixed authentication, which includes both MAC and 802.1X authentication. When l2-auth-fail-through is enabled, a client that fails MAC authentication is still allowed to proceed to 802.1X authentication instead of being denied outright. By default, l2-auth-fail-through is disabled.
Table 68: Mixed Authentication Modes
Case: 1, 2, 3, 4, 5, 6
MAC authentication: Success, Success, Success, Fail, Fail, Fail
802.
l Unicast Key Rotation Time Interval: 1021 Seconds In the WebUI 1. Navigate to the Configuration > Security > Authentication > L2 Authentication page. 2. Select 802.1X Authentication Profile, then select the name of the profile you want to configure. 3. Select the Advanced tab.
Enabling Application SSO Enabling application SSO using L2 authentication information requires configuration on the controller and CPPM.
3. Select the User Role that the SSO profile will be linked to and click Edit.
4. Under Misc. Configuration, select an IDP profile from the idp profile name drop-down menu.
5. Click Apply.
In the CLI
(host)(config) #user-role <role-name>
  sso <idp-profile-name>
Selecting an IDP Certificate
A certificate is needed for the TLS negotiation with the browser.
Chapter 13 Stateful and WISPr Authentication ArubaOS supports stateful 802.1X authentication, stateful NTLM authentication, and authentication for Wireless Internet Service Provider roaming (WISPr). Stateful authentication differs from 802.
Working With WISPr Authentication
WISPr authentication allows a "smart client" to authenticate to the network when roaming between Wireless Internet Service Providers, even if the wireless hotspot is operated by an ISP with which the client does not have an account.
1. Navigate to the Configuration > Security > Authentication > L2 Authentication page. 2. In the Profiles list, select Stateful 802.1X Authentication Profile. 3. Click the Default Role drop-down list, and select the role assigned to stateful 802.1X authenticated users. 4. Specify the timeout period for authentication requests, between 1 and 20 seconds. The default value is 10 seconds. 5. Select the Mode checkbox to enable stateful 802.1X authentication.
To create and define settings for a Stateful NTLM Authentication profile, select an existing profile, then click Save As in the right window pane. Enter a name for the new profile in the entry field at the top of the right window pane. 4. Click the Default Role drop-down list, and select the role to be assigned to all users after they complete stateful NTLM authentication. 5. Specify the timeout period for authentication requests, between 1 and 20 seconds. The default value is 10 seconds. 6.
To create and define settings for a new Stateful Kerberos Authentication profile, select an existing profile, then click Save As in the right window pane. Enter a name for the new profile in the entry field at the top of the right window pane. 4. Click the Default Role drop-down list, and select the role to be assigned to all users after they complete stateful Kerberos authentication. 5. Specify the timeout period for authentication requests, from 1-20 seconds. The default value is 10 seconds. 6.
Table 69: WISPr Authentication Profile Parameters
Default Role: Default role assigned to users that complete WISPr authentication.
Logon wait minimum wait: If the controller's CPU utilization has surpassed the Login wait CPU utilization threshold value, the Logon wait minimum wait parameter defines the minimum number of seconds a user has to wait before retrying a login attempt. Range: 1-10 seconds. Default: 5 seconds.
(host)(config)# aaa authentication-server radius host 172.4.77.
Chapter 14 Certificate Revocation The Certificate Revocation feature enables the controller to perform real-time certificate revocation checks using the Online Certificate Status Protocol (OCSP), or traditional certificate validation using the Certificate Revocation List (CRL) client.
Configuring the Controller as an OCSP Responder
The controller can be configured to act as an OCSP responder (server) and answer OCSP queries from clients that want to obtain the revocation status of certificates. The OCSP responder on the controller listens on HTTP port 8084; this port cannot be changed. Although the OCSP responder accepts signed OCSP requests, it does not verify the request signature before processing the request, so unsigned OCSP requests are served as well. A request signature only identifies the requester; the integrity of the answer comes from the responder's signature on the OCSP response, which clients must validate against the configured OCSP signer certificate.
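The request a client sends to the responder on port 8084, as an added example (Python, standard library only; not ArubaOS code): it builds an unsigned OCSPRequest for one certificate by hand in DER, forms the RFC 6960 GET URL for it, and parses it back the way a responder would, which is exactly the unsigned request form the text says the controller's responder serves. The responder URL, issuer Name bytes, issuer key bytes and serial number are constructed stand-ins; in practice the issuer key hash is computed over the issuer certificate's real subjectPublicKey BIT STRING contents.

```python
import base64
import hashlib
import urllib.parse

SHA1_OID = bytes.fromhex("2b0e03021a")   # 1.3.14.3.2.26, the CertID hash most responders expect


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value):
    # one extra bit of headroom keeps the sign bit clear for positive values
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_ocsp_request(issuer_name_der, issuer_public_key, serial):
    """OCSPRequest with one CertID and no optionalSignature (RFC 6960 4.1.1).
    issuer_name_der: DER of the issuer's Name.  issuer_public_key: the issuer's
    subjectPublicKey BIT STRING value (tag, length and unused-bits byte removed)."""
    cert_id = tlv(0x30,
                  tlv(0x30, tlv(0x06, SHA1_OID) + tlv(0x05, b""))         # hashAlgorithm
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())     # issuerNameHash
                  + tlv(0x04, hashlib.sha1(issuer_public_key).digest())   # issuerKeyHash
                  + der_integer(serial))                                  # serialNumber
    request_list = tlv(0x30, tlv(0x30, cert_id))   # SEQUENCE OF Request { reqCert }
    return tlv(0x30, tlv(0x30, request_list))       # OCSPRequest { TBSRequest { requestList } }


def ocsp_get_url(responder_url, der):
    """GET form (RFC 6960 A.1): base64 of the DER, URL-encoded, appended as one path segment."""
    encoded = urllib.parse.quote(base64.b64encode(der).decode(), safe="")
    return responder_url.rstrip("/") + "/" + encoded


def der_read(buf, pos):
    """Return (tag, content, position after the element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def parse_ocsp_request(der):
    """Responder side: unwrap the nesting and return the CertID fields."""
    _, tbs, _ = der_read(der, 0)
    _, request_list, _ = der_read(tbs, 0)
    _, request, _ = der_read(request_list, 0)
    _, cert_id, _ = der_read(request, 0)
    _, fields, _ = der_read(cert_id, 0)
    _, _alg, p = der_read(fields, 0)
    _, name_hash, p = der_read(fields, p)
    _, key_hash, p = der_read(fields, p)
    _, serial, _ = der_read(fields, p)
    return name_hash, key_hash, int.from_bytes(serial, "big")


# Constructed inputs standing in for the issuer Name DER (CN=Branch CA) and issuer key bytes.
ISSUER_NAME_DER = b"\x30\x14\x31\x12\x30\x10\x06\x03\x55\x04\x03\x0c\x09Branch CA"
ISSUER_PUBLIC_KEY = bytes(range(64))

if __name__ == "__main__":
    der = build_ocsp_request(ISSUER_NAME_DER, ISSUER_PUBLIC_KEY, 0x0A1B2C)
    # 8084 is the controller's fixed responder port; the host is a constructed name.
    print(ocsp_get_url("http://ocsp.example.net:8084", der))
    print(parse_ocsp_request(der))
```

Because nothing in this request is authenticated, anyone who can reach port 8084 can ask about any serial; that is normal for OCSP, and why the response, not the request, carries the signature the client must check.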
Figure 45 Upload a certificate
6. Click Upload. The certificate appears in the Certificate Lists pane.
7. For detailed information about an uploaded certificate, click View next to the certificate.
Figure 46 View certificate details
8. Select the Revocation Checkpoint tab.
9. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to configure. The Revocation Checkpoint pane displays.
10. In the Revocation Check field, select ocsp from the Method 1 drop-down list as the primary check method.
11. In the OCSP URL field, enter the URL of the OCSP responder.
12. In the OCSP Responder Cert field, select the OCSP certificate you want to configure from the drop-down menu.
13. Click Apply.
10. In the Revocation Check field, select crl from the Method 1 drop-down list.
11. In the CRL Location field, select the CRL you want to use for this revocation checkpoint. The CRLs listed are files that have already been imported onto the controller.
12. Click Apply.
In the CLI
This example configures the revocation checkpoint ROOTCassh-webui to use CRL as its revocation check method, with the CRL location crl1.
12. In the Revocation Check field, optionally select a check method from the Method 1 drop-down list. Optionally, select a backup check method from the Method 2 drop-down list.
13. Select Enable next to Enable OCSP Responder.
14. Select the OCSP signer certificate from the OCSP Signer Cert drop-down menu.
15. In the CRL Location field, select the CRL you want used for this revocation checkpoint. The CRLs listed are files that have already been imported onto the controller.
16. Click Apply.
In this example, a user is configured without the RCP: (host)(config) #mgmt-user ssh-pubkey client-cert client2-rg test2 root Displaying Revocation Checkpoint for the SSH Pubkey User The RCP checks the revocation status of the SSH user’s client certificate before permitting access. If the revocation check fails, the user is denied access using the ssh-pubkey authentication method. However, the user can still authenticate through a username and password if configured to do so.
2. In the Profiles section (left pane) of the All Profile Management page, click Other Profiles > VIA Connection > Default. 3. In the Profiles Details section (right pane), select the OCSP Cert verification enabled check box. In the CLI To enable the OCSP certificate verification, the ocsp-responder enable subcommand is introduced in the aaa authentication via connection-profile command. It is disabled by default.
Chapter 15 Captive Portal Authentication Captive portal is one of the methods of authentication supported by ArubaOS. A captive portal presents a web page which requires user action before network access is granted. The required action can be simply viewing and agreeing to an acceptable use policy, or entering a user ID and password which must be validated against a database of authorized users.
There are differences in how captive portal functions work and how you configure captive portal, depending on whether the license is installed. Other parts of this chapter describe how to configure captive portal in the base operating system (without the PEFNG license) and with the license installed.
Controller Server Certificate
The Dell controller is designed to provide secure services through the use of digital certificates.
The WLAN Wizard within the ArubaOS WebUI allows for basic captive portal configuration for WLANs associated with the “default” ap-group: Configuration > Wizards > WLAN Wizard. Follow the steps in the workflow pane within the wizard and refer to the help tab for assistance. What follows are the tasks for configuring captive portal in the base ArubaOS. The example server group and profile names appear inside quotation marks. l Create the Server Group name. In this example, the server group name is “cp-srv”.
c. For Initial Role, select the captive portal authentication profile (for example, c-portal) you created previously. The Initial Role must be exactly the same as the name of the captive portal authentication profile you created. d. Click Apply. 4. Navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name. 5. Under Profiles, select Wireless LAN, then select Virtual AP. 6.
The captive portal authentication profile specifies the captive portal login page and other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance. MAC-based authentication, if enabled on the controller, takes precedence over captive portal authentication. The following are the basic tasks for configuring captive portal using role-based access provided by the Policy Enforcement Firewall software module.
b. Select the captive portal authentication profile you just created.
c. Select the default role (for example, employee) for captive portal users.
d. Enable guest login and/or user login, as well as other parameters (refer to Table 70).
e. Click Apply.
3. To specify the authentication servers, select Server Group under the captive portal authentication profile you just configured.
a. Select the server group (for example, cp-srv) from the drop-down menu.
b. Click Apply.
4. Select the AAA Profiles tab.
a.
server-group cp-srv
(host)(config) #user-role logon
captive-portal c-portal
(host)(config) #aaa profile aaa_c-portal
initial-role logon
(host)(config) #wlan ssid-profile ssid_c-portal
essid c-portal-ap
vlan 20
(host)(config) #wlan virtual-ap vp_c-portal
aaa-profile aaa_c-portal
ssid-profile ssid_c-portal

Sample Authentication with Captive Portal

In the following example:
- Guest clients associate to the guestnet SSID which is an open wireless LAN.
- cplogout is a predefined policy that allows captive portal logout.
- guest-logon-access is a policy that you create with the following rules:
  - Allows DHCP exchanges between the user and the DHCP server during business hours while blocking other users from responding to DHCP requests.
  - Allows DNS exchanges between the user and the public DNS server during business hours. Traffic is source-NATed using the IP interface of the controller for the VLAN.
b. Under Destination, select any.
c. Under Service, select service. Select svc-dhcp.
d. Under Action, select permit.
e. Under Time Range, select working-hours.
f. Click Add.

Creating Aliases

The following step defines an alias representing the public DNS server addresses. Once defined, you can use the alias for other rules and policies.
1. Navigate to the Configuration > Security > Access Control > Policies page.
2. Select Add to add the guest-logon-access policy.
3.
6. Under Rules, click Add.
a. Under Source, select any.
b. Under Destination, select any.
c. Under Service, select service. Select svc-dhcp.
d. Under Action, select permit.
e. Under Time Range, select working-hours.
f. Click Add.
7. Under Rules, click Add.
a. Under Source, select user.
b. Under Destination, select alias. Select Public DNS from the drop-down menu.
c. Under Service, select service. Select svc-dns.
d. Under Action, select src-nat.
e. Under Time Range, select working-hours.
f. Click Add.
8.
c. Under the alias selection, click New. For Destination Name, enter “Internal Network”. Click Add to add a rule. For Rule Type, select network. For IP Address, enter 10.0.0.0. For Network Mask/Range, enter 255.0.0.0. Click Add to add the network range. Repeat these steps to add the network ranges 172.16.0.0 255.240.0.0 and 192.168.0.0 255.255.0.0. Click Apply. The alias “Internal Network” appears in the Destination menu.
d. Under Destination, select Internal Network.
e. Under Service, select any.
f.
1. Navigate to the Configuration > Security > Access Control > User Roles page.
2. Click Add.
3. For Role Name, enter auth-guest.
4. Under Firewall Policies, click Add.
5. For Choose from Configured Policies, select cplogout from the drop-down menu.
6. Click Done.
7. Under Firewall Policies, click Add.
8. For Choose from Configured Policies, select guest-logon-access from the drop-down menu.
9. Click Done.
10. Under Firewall Policies, click Add.
11.
Creating an Auth-Guest-Access Policy

To create an auth-guest-access policy via the command-line interface, access the CLI in config mode and issue the following commands:

(host)(config) #ip access-list session auth-guest-access
user any udp 68 deny
any any svc-dhcp permit time-range working-hours
user alias "Public DNS" svc-dns src-nat time-range working-hours
user any svc-http src-nat time-range working-hours
user any svc-https src-nat time-range working-hours

Creating a Block-Internal-Access Policy

To cr
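The guest-logon-access rules, the Internal Network alias and the auth-guest-access ACL above all depend on first-match evaluation, so rule order decides whether a guest can answer DHCP requests or reach the internal network. The following added example is my own Python, not ArubaOS code or anything from this guide: it models session-ACL evaluation with the page's rule syntax so those interactions can be checked offline. Its assumptions: svc-dhcp is modelled as UDP 67-68, working-hours as 08:00-17:00 (weekdays not modelled), the body of block-internal-access (cut off in this copy) is taken to be "user alias Internal Network any deny", the auth-guest role carries guest-logon-access, block-internal-access and auth-guest-access in that order, and every address is a constructed sample value.

```python
"""Added example, not ArubaOS code: a first-match session-ACL evaluator for the
auth-guest role described above. Session state and the reverse direction of a
flow are not modelled."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

GUEST_IP = "192.168.200.50"   # constructed guest address from the VLAN 900 pool
# Aliases as configured in the guide; the Public DNS member is a constructed
# sample (the DHCP pool example hands out 64.151.103.120 as DNS server).
ALIASES = {
    "Public DNS": [ip_network("64.151.103.120/32")],
    "Internal Network": [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                         ip_network("192.168.0.0/16")],
}
# Service aliases -> (protocol, low port, high port); svc-dhcp assumed 67-68.
SERVICES = {"svc-dhcp": ("udp", 67, 68), "svc-dns": ("udp", 53, 53),
            "svc-http": ("tcp", 80, 80), "svc-https": ("tcp", 443, 443)}
WORKING_HOURS = (time(8, 0), time(17, 0))   # assumed; weekdays not modelled

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    when: datetime

@dataclass
class Rule:
    src: str               # "user" (the role holder) or "any"
    dst: str               # "any" or "alias:<name>"
    service: str           # "svc-*", "any" or "<proto> <port>"
    action: str            # permit, deny or src-nat
    time_range: str = ""   # "" means the rule applies at all times

def _dst_matches(dst: str, ip: str) -> bool:
    if dst == "any":
        return True
    return any(ip_address(ip) in net for net in ALIASES[dst.split(":", 1)[1]])

def _service_matches(service: str, proto: str, dport: int) -> bool:
    if service == "any":
        return True
    if service in SERVICES:
        p, lo, hi = SERVICES[service]
    else:                             # literal form such as "udp 68"
        p, port = service.split()
        lo = hi = int(port)
    return p == proto and lo <= dport <= hi

def _in_time_range(name: str, when: datetime) -> bool:
    if not name:
        return True
    if name == "working-hours":
        return WORKING_HOURS[0] <= when.time() < WORKING_HOURS[1]
    raise KeyError(f"unknown time range {name}")

# Policies in the order they are attached to the auth-guest role. cplogout is
# left out (it only covers the controller's logout URL); block-internal-access
# is assumed, since its body is cut off in the text above.
GUEST_LOGON_ACCESS = [
    Rule("user", "any", "udp 68", "deny"),   # the guest may not answer DHCP
    Rule("any", "any", "svc-dhcp", "permit", "working-hours"),
    Rule("user", "alias:Public DNS", "svc-dns", "src-nat", "working-hours"),
]
BLOCK_INTERNAL_ACCESS = [Rule("user", "alias:Internal Network", "any", "deny")]
AUTH_GUEST_ACCESS = [
    Rule("user", "any", "udp 68", "deny"),
    Rule("any", "any", "svc-dhcp", "permit", "working-hours"),
    Rule("user", "alias:Public DNS", "svc-dns", "src-nat", "working-hours"),
    Rule("user", "any", "svc-http", "src-nat", "working-hours"),
    Rule("user", "any", "svc-https", "src-nat", "working-hours"),
]
AUTH_GUEST_ROLE = [("guest-logon-access", GUEST_LOGON_ACCESS),
                   ("block-internal-access", BLOCK_INTERNAL_ACCESS),
                   ("auth-guest-access", AUTH_GUEST_ACCESS)]

def evaluate(role, pkt: Packet, user_ip: str):
    """Return (action, policy name, rule index) of the first matching rule;
    traffic that matches nothing hits the role's implicit deny."""
    for name, rules in role:
        for i, r in enumerate(rules):
            src_ok = r.src == "any" or pkt.src == user_ip
            if (src_ok and _dst_matches(r.dst, pkt.dst)
                    and _service_matches(r.service, pkt.proto, pkt.dport)
                    and _in_time_range(r.time_range, pkt.when)):
                return r.action, name, i
    return "deny", "implicit", -1

def decide(dst: str, proto: str, dport: int, hour: int, src: str = GUEST_IP):
    """Evaluate one constructed packet sent at the given hour of the day."""
    pkt = Packet(src, dst, proto, dport, datetime(2016, 6, 14, hour, 0))
    return evaluate(AUTH_GUEST_ROLE, pkt, GUEST_IP)

if __name__ == "__main__":
    for case in [("255.255.255.255", "udp", 67, 10),  # DHCP discover, office hours
                 ("255.255.255.255", "udp", 68, 10),  # DHCP offer sent by the guest
                 ("10.1.2.3", "tcp", 443, 10),        # web traffic to the internal LAN
                 ("93.184.216.34", "tcp", 443, 22)]:  # public web, after hours
        print(case, "->", decide(*case))
```

Three things the walk-through makes visible: the "user any udp 68 deny" rule only works because it sits ahead of the svc-dhcp permit (otherwise a guest could answer other clients' DHCP requests), block-internal-access must precede auth-guest-access or the src-nat rules would carry web traffic onto the RFC 1918 ranges, and anything outside the working-hours range or not covered by a rule falls through to the role's implicit deny.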
a. Click the IP Interfaces tab.
a. Click Edit for VLAN 900.
b. For IP Address, enter 192.168.200.20.
c. For Net Mask, enter 255.255.255.0.
d. Click Apply.
3. Click the DHCP Server tab.
a. Select Enable DHCP Server.
b. Click Add under Pool Configuration.
c. In the Pool Name field, enter guestpool.
d. In the Default Router field, enter 192.168.200.20.
e. In the DNS Server field, enter 64.151.103.120.
f. In the Lease field, enter 4 hours.
g. In the Network field, enter 192.168.200.0.
(host)(config) #aaa authentication captive-portal guestnet
default-role auth-guest
user-logon
no guest-logon
server-group internal

Modifying the Initial User Role

The captive portal authentication profile specifies the captive portal login page and other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance.
5. To create a new virtual AP profile, select NEW from the Add a profile drop-down menu. Enter the name for the virtual AP profile (for example, guestnet), and click Add.
a. In the Profile Details entry for the new virtual AP profile, select the AAA profile you previously configured. A pop-up window displays the configured AAA profile parameters. Click Apply in the pop-up window.
b. From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the SSID profile.
c.
Table 70: Captive Portal Authentication Profile Parameters

Parameter: Default Role
Description: Role assigned to the Captive Portal user upon login. When both user and guest logon are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role.
Default: guest

Parameter: Default Guest Role
Description: Role assigned to guest.
Parameter: Max Authentication failures
Description: Maximum number of authentication failures before the user is blacklisted.
Default: 0

Parameter: Show FQDN
Description: Allows the user to see and select the fully-qualified domain name (FQDN) on the login page. The FQDNs shown are specified when configuring individual servers for the server group used with captive portal authentication.
Default: Disabled

Parameter: Authentication Protocol
Description: Select the PAP, CHAP or MS-CHAPv2 authentication protocol.

Parameter: Logon Page
This parameter requires the Public Access license.

Parameter: Black List
Description: To add a netdestination to the captive portal blacklist, enter the destination host or subnet, then click Add. The netdestination will be added to the blacklist. To remove a netdestination from the blacklist, select it in the blacklist field, then click Delete. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the blacklist.
for each WLAN that will use captive portal. For example, if you want to have different captive portal login pages for the engineering, business and faculty departments, you need to create and configure them according to Table 71.

Table 71: Captive Portal Login Pages

Entity        Captive portal login page
Engineering   /auth/eng-login.html
Business      /auth/bus-login.html
Faculty       /auth/fac-login.
- destination is the mswitch alias
- service is svc-http
- action is dst-nat
c. Click Apply.
4. Click Add to add the rule. Use the up arrows to move this rule just below the rule that allows HTTP(S) traffic. 5. Click Apply. To redirect proxy server traffic via the command-line interface, access the CLI in config mode and issue the following commands.
  - Service is svc-https or svc-http
  - Action is permit
3. Click Add to add the rule. Use the up arrows to move this rule above the rules that perform destination NAT.
4. Click Apply.
2. To customize the page background:
a. Select the YOUR CUSTOM BACKGROUND page.
b. Under Additional options, enter the location of the JPEG image in the Upload your own custom background field.
c. Set the background color in the Custom page background color field. The color code must be a hexadecimal value in the format #hhhhhh.
d. To view the page background changes, click Submit at the bottom of the page and then click the View CaptivePortal link.
Creating and Installing an Internal Captive Portal If you do not wish to customize the default captive portal page, you can use the following procedures to create and install a new internal captive portal page.
The form can use either the "get" or the "post" methods, but the "post" method is recommended. The form's action must absolutely or relatively reference https:///auth/index.html/u. You can construct an authentication form using the following HTML: A recommended option for the