Users Guide

Manuals Brands Dell Manuals TVs & monitors W-620

Table Of Contents

Dell PowerConnect

W-Series ArubaOS 6.1

User Guide

Summary of content (842 pages)

PAGE 1

Dell PowerConnect W-Series ArubaOS 6.
PAGE 2

Copyright © 2011 Aruba Networks, Inc. Aruba Networks trademarks include , Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc. All rights reserved. Specifications in this manual are subject to change without notice. Originated in the USA. All other trademarks are the property of their respective owners.
PAGE 3

Contents About this Guide ..................................................................................................................................................... 45 Audience............................................................................................................................................ 45 Fundamentals.................................................................................................................................... 45 WebUI...........................
PAGE 4

Create a VLAN Pool Using CLI ....................................................................................... 61 Viewing Existing VLAN IDs Using CLI ........................................................................... 61 Adding Existing VLAN IDs Using CLI............................................................................. 61 Add a Bandwidth Contract to the VLAN ...............................................................................
PAGE 5

Using the WebUI .............................................................................................................. 74 Using CLI ............................................................................................................................ 75 Directing Traffic into the Tunnel ............................................................................................ 75 Static Routes ....................................................................................................
PAGE 6

Adding the background image and naming the second floor......................................... 104 Defining Areas ........................................................................................................................ 104 Creating a Don’t Care Area .................................................................................................. 104 Creating a Don’t Deploy Area...............................................................................................
PAGE 7

In the WebUI ................................................................................................................... 130 In the CLI .......................................................................................................................... 130 AP Maintenance Mode ......................................................................................................... 131 In the WebUI ..................................................................................................
PAGE 8

In the CLI .......................................................................................................................... 154 Enable 802.11k Support.......................................................................................................... 155 In the WebUI ................................................................................................................... 155 In the CLI .................................................................................................
PAGE 9

Using the WebUI ............................................................................................................ 181 Using CLI .......................................................................................................................... 182 CHAP Authentication Support over PPPoE........................................................................ 182 Configure the Remote AP User Role ...................................................................................
PAGE 10

Using the WebUI ............................................................................................................ 206 Using CLI .......................................................................................................................... 207 Remote AP Authorization Profiles ....................................................................................... 207 Add or Edit a Remote AP Authorization Profile .........................................................
PAGE 11

Creating a New Profile .................................................................................................. 227 Assigning a Profile to a Mesh AP or AP Group......................................................... 230 Editing a Profile............................................................................................................... 230 Deleting a Profile ............................................................................................................
PAGE 12

In the WebUI ................................................................................................................... 253 In the CLI .......................................................................................................................... 253 AP Boot Sequence ......................................................................................................................... 254 Mesh Portal ......................................................................................
PAGE 13

Repairing the Internal Database.................................................................................. 272 Server Groups ................................................................................................................................. 273 Configuring Server Groups ................................................................................................... 273 In the WebUI .......................................................................................................
PAGE 14

Creating Roles and Policies for Sysadmin and Computer....................................... 300 Creating an Alias for the Internal Network Using CLI.............................................. 301 Configuring the RADIUS Authentication Server................................................................ 301 Using the WebUI ............................................................................................................ 301 Using the CLI ........................................................
PAGE 15

Chapter 12 Roles and Policies ........................................................................................................... 321 Policies............................................................................................................................................. 321 Access Control Lists (ACLs).................................................................................................. 322 Creating a Firewall Policy ..........................................................
PAGE 16

Chapter 14 Stateful and WISPr Authentication .............................................................................. 345 Stateful Authentication Overview................................................................................................ 345 WISPr Authentication Overview.................................................................................................. 345 Important Points to Remember .........................................................................................
PAGE 17

Changing the Protocol to HTTP............................................................................................ 369 Proxy Server Redirect............................................................................................................ 370 Redirecting Clients on Different VLANs.............................................................................. 371 Web Client Configuration with Proxy Script ......................................................................
PAGE 18

Set the IPsec Dynamic Map......................................................................................... 399 Finalize your WebUI changes ...................................................................................... 400 Configuring a VPN for Smart Card Clients.................................................................................. 401 Smart Card clients using IKEv2 ............................................................................................
PAGE 19

Using CLI to Configure VIA.................................................................................................... 428 Create VIA Roles ............................................................................................................ 428 Create VIA Authentication Profiles ............................................................................. 428 Create VIA Connection Profiles ...................................................................................
PAGE 20

Verifying Certificates ............................................................................................................. 450 Disabling Control Plane Security ......................................................................................... 451 Verify Whitelist Synchronization.......................................................................................... 451 Supported APs ...........................................................................................................
PAGE 21

In the WebUI ................................................................................................................... 469 In the CLI .......................................................................................................................... 469 RN Troubleshooting ............................................................................................................... 470 Chapter 23 IP Mobility..................................................................................
PAGE 22

Chapter 25 RSTP .................................................................................................................................. 495 Migration and Interoperability ..................................................................................................... 495 Rapid Convergence........................................................................................................................ 495 Edge Port and Point-to-Point.....................................................
PAGE 23

Branch Office Routing Table ................................................................................................ 527 Configuring OSPF............................................................................................................................ 528 Deployment Best Practices .......................................................................................................... 530 Sample Topology and Configuration ...................................................................
PAGE 24

Detect Valid SSID Misuse............................................................................................. 550 Detect Wellenreiter ....................................................................................................... 550 Client Intrusion Detection ..................................................................................................... 550 Detect Block ACK DoS ..................................................................................................
PAGE 25

Tarpit Shielding Administration.................................................................................................... 565 Configuring Tarpit Shielding ................................................................................................. 566 Licensing.................................................................................................................................. 566 Chapter 31 Link Aggregation Control Protocol ......................................................
PAGE 26

Configuring SNMP.......................................................................................................................... 585 SNMP Parameters for the Controller.................................................................................. 585 In the WebUI ................................................................................................................... 586 In the CLI ........................................................................................................
PAGE 27

In the CLI .......................................................................................................................... 612 Converting an Individual AP to a Spectrum Monitor........................................................ 612 In the WebUI ................................................................................................................... 612 In the CLI ........................................................................................................................
PAGE 28

License Usage................................................................................................................................. 653 Interaction ....................................................................................................................................... 654 Best Practices................................................................................................................................. 655 Installing a License ............................................
PAGE 29

IPv6 User Addresses...................................................................................................................... 673 Viewing or Deleting User Entries......................................................................................... 673 User Roles................................................................................................................................ 673 Viewing Datapath Statistics for IPv6 Sessions .......................................................
PAGE 30

Using CLI .......................................................................................................................... 701 Voice and Video Traffic Awareness for Encrypted Signaling Protocols ...................... 701 Using the WebUI ............................................................................................................ 702 Using the CLI ...................................................................................................................
PAGE 31

Managing Syslog Parser Domains in the CLI .................................................................... 727 Adding a new syslog parser domain........................................................................... 727 Showing ESI syslog parser domain information ....................................................... 727 Deleting an existing syslog parser domain................................................................ 727 Editing an existing syslog parser domain.............................
PAGE 32

Character-Matching Operators ........................................................................................... 742 Regular Expression Repetition Operators .......................................................................... 742 Regular Expression Anchors ................................................................................................ 743 References ..............................................................................................................................
PAGE 33

Appendix C Behavior and Defaults .................................................................................................... 773 Mode Support ................................................................................................................................. 773 Basic System Defaults................................................................................................................... 774 Network Services.....................................................................
PAGE 34

Provision the RAP using a Static IP Address..................................................................... 819 Provision the RAP on a PPPoE Connection........................................................................ 820 Using 3G/EVDO USB Modem................................................................................................ 821 Appendix I Acronyms and Terms...................................................................................................... 825 Acronyms.........
PAGE 35

Figures Figure 1 Figure 2 Figure 3 Figure 4 Figure 5 Figure 6 Figure 7 Figure 8 Figure 9 Figure 10 Figure 11 Figure 12 Figure 13 Figure 14 Figure 15 Figure 16 Figure 17 Figure 18 Figure 19 Figure 20 Figure 21 Figure 22 Figure 23 Figure 24 Figure 25 Figure 26 Figure 27 Figure 28 Figure 29 Figure 30 Figure 31 Figure 32 Figure 33 Figure 34 Figure 35 Figure 36 Figure 37 Figure 38 Figure 39 Figure 40 Figure 41 Figure 42 Figure 43 Figure 44 Enable BCMC Optimization ..............................................
PAGE 36

Figure 45 Figure 46 Figure 47 Figure 48 Figure 49 Figure 50 Figure 51 Figure 52 Figure 53 Figure 54 Figure 55 Figure 56 Figure 57 Figure 58 Figure 59 Figure 60 Figure 61 Figure 62 Figure 63 Figure 64 Figure 65 Figure 66 Figure 67 Figure 68 Figure 69 Figure 70 Figure 71 Figure 72 Figure 73 Figure 74 Figure 75 Figure 76 Figure 77 Figure 78 Figure 79 Figure 80 Figure 81 Figure 82 Figure 83 Figure 84 Figure 85 Figure 86 Figure 87 Figure 88 Figure 89 Figure 90 Figure 91 Figure 92 Figure 93 Figure 94 36 | IP-Ad
PAGE 37

Figure 95 Figure 96 Figure 97 Figure 98 Figure 99 Figure 100 Figure 101 Figure 102 Figure 103 Figure 104 Figure 105 Figure 106 Figure 107 Figure 108 Figure 109 Figure 110 Figure 111 Figure 112 Figure 113 Figure 114 Figure 115 Figure 116 Figure 117 Figure 118 Figure 119 Figure 120 Figure 121 Figure 122 Figure 123 Figure 124 Figure 125 Figure 126 Figure 127 Figure 128 Figure 129 Figure 130 Figure 131 Figure 132 Figure 133 Figure 134 Figure 135 Figure 136 Figure 137 Figure 138 Figure 139 Figure 140 Figure 141
PAGE 38

Figure 145 Figure 146 Figure 147 Figure 148 Figure 149 Figure 150 Figure 151 Figure 152 Figure 153 Figure 154 Figure 155 Figure 156 Figure 157 Figure 158 Figure 159 Figure 160 Figure 161 Figure 162 Figure 163 Figure 164 Figure 165 Figure 166 Figure 167 Figure 168 Figure 169 Figure 170 Figure 171 Figure 172 Figure 173 Figure 174 Figure 175 Figure 176 Figure 177 Figure 178 Figure 179 Figure 180 Figure 181 Figure 182 Figure 183 Figure 184 Figure 185 Figure 186 Figure 187 Figure 188 Figure 189 Figure 190 Figure
PAGE 39

Figure 195 Figure 196 Figure 197 Figure 198 Figure 199 Figure 200 Figure 201 Figure 202 Figure 203 Figure 204 Figure 205 Figure 206 Figure 207 Figure 208 Figure 209 Figure 210 Figure 211 Figure 212 Figure 213 Figure 214 Figure 215 Figure 216 Figure 217 Figure 218 Figure 219 Figure 220 Figure 221 Scope Options Dialog Box. ........................................................................................................... 766 DHCP Scope Values...........................................................
PAGE 40

| Dell PowerConnect W-Series ArubaOS 6.
PAGE 41

Tables Table 1 Table 2 Table 3 Table 4 Table 5 Table 6 Table 7 Table 8 Table 9 Table 10 Table 11 Table 12 Table 13 Table 14 Table 15 Table 16 Table 17 Table 18 Table 19 Table 20 Table 21 Table 22 Table 23 Table 24 Table 25 Table 26 Table 27 Table 28 Table 29 Table 30 Table 31 Table 32 Table 33 Table 34 Table 35 Table 36 Table 37 Table 38 Table 39 Table 40 Table 41 Table 42 Table 43 Table 44 Typographical Conventions ..........................................................................................
PAGE 42

Table 45 Table 46 Table 47 Table 48 Table 49 Table 50 Table 51 Table 52 Table 53 Table 54 Table 55 Table 56 Table 57 Table 58 Table 59 Table 60 Table 61 Table 62 Table 63 Table 64 Table 65 Table 66 Table 67 Table 68 Table 69 Table 70 Table 71 Table 72 Table 73 Table 74 Table 75 Table 76 Table 77 Table 78 Table 79 Table 80 Table 81 Table 82 Table 83 Table 84 Table 85 Table 86 Table 87 Table 88 Table 89 Table 90 Table 91 Table 92 Table 93 Table 94 42 | Mesh Cluster Profile Configuration Parameters .........
PAGE 43

Table 95 Table 96 Table 97 Table 98 Table 99 Table 100 Table 101 Table 102 Table 103 Table 104 Table 105 Table 106 Table 107 Table 108 Table 109 Table 110 Table 111 Table 112 Table 113 Table 114 Table 115 Table 116 Table 117 Table 118 Table 119 Table 120 Table 121 Table 122 Table 123 Table 124 Table 125 Table 126 Table 127 Table 128 Table 129 Table 130 Table 131 Table 132 Table 133 Table 134 Table 135 Table 136 Table 137 Table 138 Table 139 Table 140 Table 141 Table 142 Table 143 Table 144 Command Syntax..
PAGE 44

Table 145 Table 146 Table 147 Table 148 Table 149 Table 150 Table 151 Table 152 Table 153 Table 154 Table 155 Table 156 Table 157 Table 158 Table 159 Table 160 Table 161 Table 162 Table 163 Table 164 Table 165 Table 166 Table 167 Table 168 Table 169 Table 170 Table 171 Table 172 Table 173 Table 174 Table 175 Table 176 Table 177 Table 178 Table 179 44 | MIPS Controller AP Capacity .......................................................................................................
PAGE 45

About this Guide This User Guide describes the features supported by ArubaOS and provides instructions and examples for configuring controllers and Access Points (APs).
PAGE 46

When entering commands remember that:  commands are not case sensitive  the space bar will complete your partial keyword  the backspace key will erase your entry one letter at a time  the question mark ( ? ) will list available commands and options Related Documents The following items are part of the complete documentation for the Dell user-centric network:  Dell PowerConnect W-Series Controller Installation Guides  Dell PowerConnect W-Series Access Point Installation Guides  Dell Power
PAGE 47

WARNING: Indicates a risk of personal injury or death. Contacting Support Table 2 Contacting Dell Support Web Site Main Website dell.com Support Website support.dell.com Documentation Website support.dell.com/manuals Dell PowerConnect W-Series ArubaOS 6.
PAGE 48

| About this Guide Dell PowerConnect W-Series ArubaOS 6.
PAGE 49

Chapter 1 The Basic User-Centric Networks This chapter describes how to connect an Dell controller and Dell APs to your wired network. After completing the tasks described in this chapter, see “Access Points” on page 107 for information on configuring APs.
PAGE 50

Deployment Scenario #1 Router is Default Gateway for controller and clients In this deployment scenario, the APs and controller are on the same subnetwork and will use IP addresses assigned to the subnetwork. There are no routers between the APs and the controller. APs can be physically connected directly to the controller. The uplink port on the controller is connected to a layer-2 switch or router. For this scenario, you must perform the following tasks: 1. Run the initial setup wizard.
PAGE 51

For this scenario, you must perform the following tasks: 1. Run the initial setup wizard.  Set the IP address for VLAN 1.  Set the default gateway to the IP address of the interface of the upstream router to which you will connect the controller. 2. Connect the uplink port on the controller to the switch or router interface. 3. Deploy APs. The APs will use DNS or DHCP to locate the controller. 4. Configure VLANs for the wireless subnetworks on the controller. 5.
PAGE 52

For this scenario, you must perform the following tasks: 1. Run the initial setup.  Use the default IP address for VLAN 1. Since VLAN 1 is not used to connect to the layer-2 switch or router through the trunk port, you must configure the appropriate VLAN in a later step.  Do not specify a default gateway (use the default “none”). In a later step, you configure the default gateway. 2. Create a VLAN that has the same VLAN ID as the VLAN on the switch or router to which you will connect the controller.
PAGE 53

The initial setup might require that you specify the country code for the country in which the controller will operate; this sets the regulatory domain for the radio frequencies that the APs use. NOTE: You cannot change the country code for controllers designated for certain countries, such as the U.S. Improper country code assignment can disrupt wireless transmissions. Many countries impose penalties and sanctions for operators of wireless networks with devices set to improper country codes.
PAGE 54

redundancy where one controller has to back up many other controllers. With the VLAN pool feature you can control your configuration globally. CAUTION: VLAN pooling should not be used with static IP addresses.  Assign to the VLAN the ports) that you will use to connect the controller to the network. (For example, the uplink ports connected to a router are usually Gigabit ports.
PAGE 55

(host) #configure terminal Enter Configuration commands, one per line.
PAGE 56

controller is unable to obtain a gateway IP address, it will then attempt to obtain a gateway IP address using the option with the next-lowest path cost. 4. Click Apply. In the CLI ip default-gateway |{import cell|dhcp|pppoe}|{ipsec } Configuring the Loopback for the Controller You must configure a loopback address if you are not using a VLAN ID address to connect the controller to the network (see “Deployment Scenario #3” on page 51).
PAGE 57

System will now restart! ... Restarting system. To verify that the controller is accessible on the network, ping the loopback address from a workstation on the network. Configuring the System Clock You can manually set the clock on the controller, or configure the controller to use a Network Time Protocol (NTP) server to synchronize its system clock with a central time source. For more information about setting the controller’s clock, see “Setting the System Clock” on page 604.
PAGE 58

| The Basic User-Centric Networks Dell PowerConnect W-Series ArubaOS 6.
PAGE 59

Chapter 2 Network Parameters This chapter describes some basic network configuration on the controller.
PAGE 60

6. If you selected Port in step 4, select the ports you want to associate with the VLAN from the Port Selection window. -orIf you selected Port-Channel in step 4, click the Port-Channel ID drop-down list, select the specific channel number you want to associate with the VLAN, then select the ports from the Port Selection window. 7. Click Apply.
PAGE 61

The VLAN pool along with its assigned IDs appears on the VLAN Pool window. If the pool is valid (it has two or more IDs assigned to it), its status is enabled. If you create a VLAN pool and add only one or no VLAN IDs, its status appears as disabled. 8. Click Apply. 9. At the top of the window, click Save Configuration. Updating a VLAN Pool 1. On the VLAN Pool window, click Modify next to the VLAN name you want to edit. 2. Modify the list of VLAN IDs. Note that you can not modify the VLAN name. 3.
PAGE 62

To confirm the VLAN pool status and mappings assignments, use the show vlan mapping command: (host) (config) #show vlan mapping VLAN Name Pool Status ------------------mygroup Enabled group123 Disabled VLAN IDs -------2,4,12 Add a Bandwidth Contract to the VLAN Bandwidth contracts on a VLAN can limit broadcast and multicast traffic. ArubaOS includes an internal exception list to allow broadcast and multicast traffic using the VRRP, LACP, OSPF, PVST and STP protocols.
PAGE 63

Hardware is CPU Interface, Interface address is 00:0B:86:61:5B:98 (bia 00:0B:86:61:5B:98) Description: 802.1Q VLAN Internet address is 10.17.22.1 255.255.255.0 Routing interface is enable, Forwarding mode is enable Directed broadcast is disabled, BCMC Optimization enable Encapsulation 802, loopback not set MTU 1500 bytes Last clearing of "show interface" counters 12 day 1 hr 4 min 12 sec link status last changed 12 day 1 hr 2 min 21 sec Proxy Arp is disabled for the Interface In the WebUI 1.
PAGE 64

must pass through a predefined ACL. For example, this setup is useful if your company provides wired user guest access and you want guest user traffic to pass through an ACL to connect to a captive portal. You can set a range of VLANs as trusted or untrusted in trunk mode. The following table lists the port, VLAN and the trust/untrusted combination to determine if traffic is trusted or untrusted. both the port and the VLAN have to be configured as trusted for traffic to be considered as trusted.
PAGE 65

Configure Trusted/Untrusted Ports and VLANs in Trunk Mode The following procedures configure a range of Ethernet ports as untrusted native trunks ports, assign VLANs and make them untrusted and designate a policy through which VLAN traffic on the ports must pass. Using the WebUI 1. Navigate to the Configuration > Network > Ports window. 2. In the Port Selection section, click the port you want to configure. 3. For Port Mode select Trunk. 4.
PAGE 66

3. After client authentication, the VLAN can be the VLAN configured for a default role for an authentication method, such as 802.1x or VPN. 4. After client authentication, the VLAN can be derived from attributes returned by the authentication server (server-derived rule). A rule that derives a specific VLAN takes precedence over a rule that derives a user role that may have a VLAN configured for it. 5.
PAGE 67

Configuring Multiple Wired Uplink Interfaces (Active-Standby) You can assign up to four VLAN interfaces to operate in active-standby topology. An active-standby topology provides redundancy so that when an active interface fails, the user traffic can failover to the standby interface. To allow the controller to obtain a dynamic IP address for a VLAN, enable the DHCP or PPPoE client on the controller for the VLAN.
PAGE 68

interface vlan 62 ip address dhcp-client client-id myclient Enabling the PPPoE Client To authenticate to the BRAS and request a dynamic IP address, the controller must have the following configured:  PPPoE user name and password to connect to the DSL network  PPPoE service name — either an ISP name or a class of service configured on the PPPoE server When you shut down the VLAN, the PPPoE session terminates. Using the WebUI 1. Navigate to the Configuration > Network > IP > IP Interfaces page. 2.
PAGE 69

For example, the following configures the DHCP server on the controller to assign addresses to authenticated employees; the IP address of the DNS server obtained by the controller via DHCP/PPPoE is provided to clients along with their IP address. Using the WebUI 1. Navigate to the Configuration > Network > IP > DHCP Server page. 2. Select Enable DCHP Server. 3. Under Pool Configuration, select Add. 4. For Pool Name, enter employee-pool. 5. For Default Router, enter 10.1.1.254. 6.
PAGE 70

Using CLI ip access-list session guest any network 10.1.0.0 255.255.0.0 any deny any any any src-nat pool dynamic-srcnat Configuring Source NAT for VLAN Interfaces The example configuration in the previous section illustrates how to configure source NAT using a policy that is applied to a user role. You can also enable source NAT for a VLAN interface to cause NAT to be performed on the source address for all traffic that exits the VLAN.
PAGE 71

Using CLI interface vlan 1 ip address 66.1.131.5 255.255.255.0 interface vlan 6 ip address 192.168.2.1 255.255.255.0 ip nat inside ip default-gateway 66.1.131.1 Inter-VLAN Routing On the controller, you can map a VLAN to a layer-3 subnetwork by assigning a static IP address and netmask or by configuring a DHCP or PPPoE server to provide a dynamic IP address and netmask to the VLAN interface.
PAGE 72

Using CLI interface vlan ip address { |dhcp-client|pppoe} no ip routing Configuring Static Routes To configure a static route (such as a default route) on the controller, do the following: Using the WebUI 1. Navigate to the Configuration > Network > IP > IP Routes page. 2. Click Add to add a static route to a destination network or host. Enter the destination IP address and network mask (255.255.255.255 for a host route) and the next hop IP address. 3. Click Done to add the entry.
PAGE 73

6. When prompted that the changes were written successfully to flash, click OK. 7. The controller boots up with the changed loopback IP address. Using CLI interface loopback ip address
write memory Using the CLI to reboot the controller Enter the following command in Enable mode: reload Configuring the Controller IP Address The Controller IP address is used by the controller to communicate with external devices such as APs.
PAGE 74

7. When prompted that the changes were written successfully to flash, click OK. 8. The controller boots up with the changed controller IP address. of the selected VLAN ID. Using CLI (host) (config) #controller-ip [loopback|vlan ] Configuring GRE Tunnels A controller supports generic routing encapsulation (GRE) tunnels between the controller and APs. An AP opens a GRE tunnel to the controller for each radio interface.
PAGE 75

Using CLI interface tunnel tunnel mode gre ip address no shutdown tunnel source {| loopback | vlan } tunnel destination Directing Traffic into the Tunnel You can direct traffic into the tunnel by configuring one of the following:  Static route, which redirects traffic to the IP address of the tunnel  Firewall policy (session-based ACL), which redirects traffic to the specified tunnel ID Static Routes You can configure a static route that speci
PAGE 76

Using the WebUI 1. Navigate to the Configuration > Network > IP > GRE Tunnels page. 2. Click Edit for the tunnel for which you are enabling tunnel keepalives. 3. Select (check) Enable Heartbeats to enable tunnel keepalives and display the Heartbeat Interval and Heartbeat Retries fields. 4. Enter values for Heartbeat Interval and Heartbeat Retries. 5. Click Apply. Using CLI interface tunnel id tunnel keepalive [ ] 76 | Network Parameters Dell PowerConnect W-Series ArubaOS 6.
PAGE 77

Chapter 3 RF Plan RF Plan is a wireless deployment modeling tool that helps you design an efficient Wireless Local Area Network (WLAN) that optimizes coverage and performance, without complicated WLAN network setup. RF Plan provides the following critical functionality:  Defines WLAN coverage.  Defines WLAN environment security coverage.  Assesses equipment requirements.  Optimizes radio resources.
PAGE 78

RF Plan will deploy APs outside of the hotspot area based on the 802.11a and/or 802.11b/g rates defined by the system. For the system to define 802.11a and/or 802.11b/g rates, the system looks at the defined 802.11n rate and the distance covered by the defined rate; it then selects corresponding 802.11a and/or 802.11b/g rates based on the distance covered. Before You Begin Review the following steps to create a building model and plan the WLAN for your model. Task Overview 1.
PAGE 79

Table 4 Planning Worksheet - Building Dimensions (Continued) Building Dimensions Radio Types: AP Type: Overlap Factor: 802.11a Desired Rate: 802.11n (HT) Support: Use 40 MHz Channel Spacing: 802.11n Desired Rate: Table 5 Planning Worksheet - AP Desired Rates (2.4 GHz Radio Properties) AP Desired Rates (2.4 GHz Radio Properties) 802.11b/g Desired Rate: 802.11n (HT) Support: Use 40 MHz Channel Spacing: 802.11n Desired Rate: Table 6 Planning Worksheet - AM Desired Rates AM Desired Rates 802.11b|g: 802.
PAGE 80

Campus List Page The Campus List is the first page you see when you start RF Plan. This list contains a default campus and any campus you have defined using the RF Plan software. Figure 6 Plan>Campus List Window You may add, edit, and delete campuses using this page. You may also import and export campus information. Table 7 details the buttons on the Campus page. Table 7 Definition of Campus List Buttons 80 | RF Plan Buttons Description New Campus Use this button to create a new campus.
PAGE 81

Building List Pane Edit a campus from the building list pane. Figure 7 Plan>Building List Pane You can add, edit, and delete buildings using this page. You may also import and export building information. The buttons on this page are defined in Table 8. Table 8 Building List Buttons Buttons Description New Building Use this button to create a new building. When you add or edit a building, you can access other RF Plan pages.
PAGE 82

Building Specifications Overview The Building Specification Overview window displays the default values for a building that you are adding or the current values for a building that you are modifying. Figure 8 Plan>New Building>Overview Window The Overview page includes the following:  Building Dimensions: Your building’s name and dimensions  Access Point Modeling Parameters  Air Monitor Modeling Parameters  Building Dimension button (in the upper right-hand portion of the page).
PAGE 83

Figure 9 Plan>New Building>Specification Window Table 9 contains the information for you to enter in the Specification window. Table 9 New Building Specifications Parameters Parameter Description Campus Name Select a campus for this building from the drop-down menu. Building Name The Building Name is an alphanumeric string up to 64 characters in length. Width and Length Enter the rectangular exterior dimensions of the building.
PAGE 84

Figure 10 Plan>New Building>AP Modeling Parameters Window This window allows you to select or control the parameters as defined in Table 10. Table 10 AP Modeling Parameters 84 | RF Plan Parameter Description Radio Type Use this drop-down menu to specify the radio type. See “Radio Type” on page 85 AP Type Dell AP device. Use the drop-down menu to select the device type. The supported APs listed in the drop-down menu are dependent on the selected radio type.
PAGE 85

Radio Type Use the drop-down radio type menu to specify radio type of your AP. The available types are defined in Table 11. Table 11 Radio Type Definitions Parameter Description 801.11a/b/g Simultaneous use of 802.11b/g and 802.11a. 802.11b/g 2.4 GHz, Direct Spread Spectrum (DSSS) multiplexing with data rates up to 11 Mbps, combined with Orthogonal Frequency Division Multiplexing/Complementary Code Keying (OFDM/CCK) with data rates up to 54 Mbps. 802.
PAGE 86

You can select a pre-determined value from the drop-down overlap menu or specify a value in the text box to the left of the drop-down. The following table describes the available options. Table 13 Overlap Factor Values Overlap Factor Description 100% Low Use this option for buildings that contain open spaces such as warehouses. 150% Medium Use this option for most typical office environments with cubicles and sheetrock walls that have higher WLAN user density than warehouses.
PAGE 87

Table 14 Radio Properties (Continued) Radio Property Description 5 GHz Use 40 MHz Channel Spacing Use 40 MHz Channel Spacing—40 MHz operation, which supports higher data rates by utilizing two 20 MHz channels as a bonded pair, requires that high-throughput be enabled (checked). 40 MHz mode is most often utilized on the 5 GHz frequency band due to a greater number of available channels. This option is only available when 802.11n (HT) support is enabled (checked). 802.11b/g Desired Rate The desired 802.
PAGE 88

Figure 11 AM Modeling Page Controls on this page allow you to select the following functions, which are described in more detail in this section: Table 15 AM Modeling Radio Buttons Radio Button Description Design Model Use these radio buttons to specify a design model to use in the placement of AMs. See “Design Models” on page 88. Monitor Rates Use this drop-down menu to specify the desired monitor rate for the AMs. See “Monitor Rates” on page 88.
PAGE 89

Figure 12 Planning Floors You can select or adjust the features as described in Table 17: Table 17 Floor Planning Features Feature Description Zoom Use this drop-down menu or type a zoom factor in the text field to increase or decrease the size of the displayed floor area. See “Zoom” on page 89. Approximate Coverage Map (select radio type) Use this drop-down to select a particular radio type for which to show estimated coverage. See “Approximate Coverage Map” on page 90.
PAGE 90

Approximate Coverage Map Select a radio type from the Coverage drop-down menu to view the approximate coverage area for each of the APs that RF Plan has deployed in AP Plan or AM Plan. Adjusting the coverage values help you to understand how the AP coverage works in your building. NOTE: You will not see coverage areas displayed here until you have executed either an AP Plan or an AM Plan.
PAGE 91

Use the guidelines in this section when importing background images. By becoming familiar with these guidelines, you can ensure that your graphic file is edited properly for pre- and post-deployment planning.  Edit the image—Use an appropriate graphics editor to edit the file as needed.  Scale the image—If the image is not scaled, proportional triangulation and heat map displays can be incorrect when the plan is deployed.
PAGE 92

Location and Dimensions Specify absolute coordinates for the lower left corner and upper right corner of the box that represents the area being defined.  Begin the measurement with the lower left corner of the rectangular display area that represents your building’s footprint.  The coordinates of the upper right-hand corner of the display area are the absolute values of the dimensions you provided for the building. Location settings are zero-based. Values range from 0 to (height -1 and width -1).
PAGE 93

Figure 16 Access Point Editor Naming RF Plan automatically names APs using the default convention ap number, where number starts at 1 and increments by one for each new AP. When you manually create an AP, the new AP is assigned the next number and is added to the bottom of the suggested AP list. You may name an AP anything you wish. The name must consist of alphanumeric characters and be 64 characters or less in length. Fixed Fixed APs do not move when RF Plan executes the positioning algorithm.
PAGE 94

X and Y Coordinates The physical location of the AP is specified by X-Y coordinates that begin at the lower left corner of the display area. The numbers you specify in the X and Y text boxes are whole units. The Y-coordinate increases as a point moves up the display and the X-coordinate increases as they move from left to right across the display. 802.11 Types The 802.11 b/g and 802.11a Type drop-down menus allow you to choose the mode of operation for the AP.
PAGE 95

AP Plan Page The AP Plan page uses the information entered in the modeling pages to locate APs in the building(s) you described. All of the options on the Floors page can also be viewed and configured on the AP Plan page. The AP Plan page also includes some additional options, such as initializing, optimizing, and fixing AP/AM locations. Figure 17 AP Planning Initialize Initialize the Algorithm by clicking the Initialize button.
PAGE 96

Fix All Suggested AP/AMs Fix existing AP/AM locations at the building level. If AP/AM locations are fixed, AP/AMs will not move from their fixed locations during initialization or optimization. Clicking on this button will fix the locations of existing APs and AMs. You only need to click this button on either the AP or AM Plan page. AM Plan Page The AM Plan page uses the information entered in the modeling pages to locate AMs in the building(s) you described and calculate the optimum placement for the AMs.
PAGE 97

Exporting and Importing Files Both the Campus List page and the Building List page have Export and Import buttons, which allow you to export and import files that define the parameters of your campus and buildings. You can export a file so that it may be imported into and used to automatically configure a controller. On a controller, you can import a file that has been exported from another controller or from the standalone version of RF Plan that runs as a Windows application.
PAGE 98

When exporting a building file, Dell recommends that you click OK to export the background images. If you click Cancel, the exported file does not include the background images. The File Download window appears. From the File Download window, click Save to save the file. The Save As dialog box appears. From here, navigate to the location where want to save the file and enter the name for the exported file. When naming your exported file, be sure to give the file the.
PAGE 99

To use this feature, select one or more campuses from the Campus List page, or one or more buildings from the Building List page, and click AP FQLN Mapper. The AP FQLN Mapper page appears. From here, you can search for deployed APs by entering one or more parameters in the Search fields, view the results in the Search Results table, configure the FQLN, and modify the location of an AP. To search for deployed APs, enter information in the Search fields and click Search.
PAGE 100

 Building—Displays the building where the AP is deployed. To deploy the AP in a different building, select a building from the drop-down list. NOTE: This drop-down list only displays the available buildings in the selected campus. To add a new building, see “Building List Pane” on page 81.  Floor—Displays the floor where the AP is deployed. To deploy the AP on a different floor, select a floor from the drop-down list.
PAGE 101

The following example assumes you are not renaming an AP For more information about AP names, see Chapter 4, “Access Points” on page 107. provision-ap read-bootinfo ap-name copy-provisioning-params ap-name fqln reprovision ap-name RF Plan Example This section guides you through the process of creating a building and populating it with APs and AMs using RF Plan. Ensure you have sample.JPEG floor images handy for walking through this planning example.
PAGE 102

Table 19 Sample Building (Continued) Building Dimensions Don’t Care/Don’t Deploy Areas Shipping & Receiving = Don’t CareLobby = Don’t Deploy 802.11n Hotspot (Zone) Areas N/A Create a Building In this section you create a building using the information supplied in the planning table. 1. In the Campus List, select New Campus. Enter: My Campus and click OK. 2. In the Campus List, select the checkbox next to My Campus, and click Browse Campus. 3. Click New Building. The Overview page appears. 4. Click Save.
PAGE 103

Model the Access Points You now determine how many APs are required to cover your building with a specified data transfer rate and overlap. In this example, you use the Coverage Model. The following are assumed about the performance of the WLAN:  Radio Types: 802.11a/b/g/n  AP Type: AP-93  Overlap factor: Medium (150%)  802.11a desired rate: 48 Mbps  802.11b desired rate: 48 Mbps 1. From the navigation tree, Click on Modeling:AP under Building Specification.
PAGE 104

Adding the background image and naming the second floor 1. Click the Edit Floor link at the right of the Floor 2 indicator. 2. Enter: Second Level in the Name box of the Floor Editor Dialog. 3. Use the Browse button to locate the background image for the 2nd floor. 4. Click Apply. 5. Click Save on the Planning page, then OK. Defining Areas Before you advance to the AP and AM Planning pages, define special areas, such as Don’t Care, Don’t Deploy, or 802.11n Zone.
PAGE 105

Creating a Don’t Deploy Area 1. Click the New link in the Areas section under Floor 1 (named Entrance Level) to open the Area Editor. 2. Enter: Lobby in the Name text box in the Area Editor. 3. Select Don’t Deploy from the Type drop-down menu box. 4. Click Apply. Notice that an yellow box appears near the center of the floor plan. 5. Use your mouse (or other pointing device) to place the cursor over the box. Notice that the information you typed in the editor appears in the box.
PAGE 106

Running the AM Plan Running the AM Plan algorithm is similar to running the AP Plan. 1. From the navigation tree, click AM Plan under the Planning section. The AM Planning page appears. 2. Click Initialize then Optimize. The algorithm stops when the movement is less than a threshold value calculated based on the number of AMs. The threshold value may be seen in the status bar at the bottom of the browser window. 3. Click Save, then OK. 106 | RF Plan Dell PowerConnect W-Series ArubaOS 6.
PAGE 107

Chapter 4 Access Points In ArubaOS, related configuration parameters are grouped into profiles that you can apply as needed to an AP group or to individual APs. When an AP is first installed on the network and powered on, the AP locates its host controller and the AP’s designated configuration is “pushed” from the controller to the AP. This chapter gives an overview of the basic function of each AP profile, and describes the process to install and configure the APs on your network.
PAGE 108

Table 21 AP Configuration Function Overview (Continued) Features and Function RF management Description Configure settings for balancing wireless traffic across APs, detect holes in radio coverage, or other metrics that can indicate interference and potential problems on the wireless network. Adaptive Radio Management (ARM) is an RF spectrum management technology that allows each AP to determine the best 802.11 channel and transmit power settings. ARM provides several configurable settings.
PAGE 109

Figure 18 AP Groups “DEFAULT” AP GROUP “VICTORIA” AP GROUP “TORONTO” AP GROUP NOTE: An AP can belong to only one AP group at a time. While you can use an AP group to apply a feature to a set of APs, you can also configure a feature or option for a specific AP by referencing the AP’s name. Any options or values that you configure for a specific AP will override the same options or values configured for the AP group to which the AP belongs.
PAGE 110

2. Select the AP you want to reassign, and click Provision. From the Provisioning page, select the AP group from the drop-down menu. 3. Click Apply and Reboot. In the CLI Use the following command to assign a single AP to an existing AP group. Use the WebUI to assign multiple APs to an AP group at the same time. ap-regroup {ap-name |serial-num |wired-mac } AP Configuration Profiles ArubaOS has a predefined version of each profile named “default.
PAGE 111

For more details, see “Enable 802.11k Support” on page 155.  SSID profile—Configures network authentication and encryption types. This profile also includes references to the EDCA (enhanced distributed channel access) Parameters Station Profile, the EDCA Parameters AP Profile and a High-throughput SSID profile. Use this profile to configure basic settings such as 802.11 authentication and encryption settings, or advanced settings such as DTIM (delivery traffic indication message) intervals, 802.11a/802.
PAGE 112

 RADIUS server profile—Identifies the IP address of a RADIUS server and sets RADIUS server parameters such as authentication and accounting ports and the maximum allowed number of authentication retries. For a list of the parameters in the RADIUS profile, see “Configuring a RADIUS Server” on page 264  LDAP server profile—Defines an external LDAP authentication server that processes requests from the controller.
PAGE 113

 Ethernet Interface Port/Wired Port Profile—Specifies a AAA profile for users connected to the wired port on an AP. For details on configuring this profile, see “Securing Clients on an AP Wired Port” on page 382.  AP Provisioning profile—Defines a group of provisioning parameters for an AP or AP group.  AP Authorization Profile—Allows you to assign an to a provisioned but unauthorized AP to a AP group with a restricted configuration profile.
PAGE 114

 RF event thresholds profile—Defines error event conditions, based on a customizable percentage of lowspeed frames, non-unicast frames, or fragmented, retry or error frames.  Spectrum Profile—Defines the spectrum band monitored by a spectrum monitor, or the individual channel monitored by a hybrid AP. For details on the spectrum analysis feature, see “Configuring the Spectrum Profile” on page 613. Mesh Profiles You can provision Dell APs to operate as mesh points, mesh portals or remote mesh portals.
PAGE 115

practices is to configure the lowest-level settings first. For example, if you are defining a virtual AP profile, you should first define a session policy, then define your server group, then create an AAA profile that references the session policy and your server group. Figure 20 represents the AP and AP Group profile hierarchy in the WebUI (navigate to Configuration>AP configuration).
PAGE 116

Figure 21 Other Profile Hierarchies Deploying APs Dell APs and AMs are designed to require only minimal setup to make them operational in an user-centric network. Once APs have established communication with the controller, you can apply advanced configuration to individual APs or groups of APs in the network using the WebUI on the controller. 116 | Access Points Dell PowerConnect W-Series ArubaOS 6.
PAGE 117

Deploy APs on your network using the following steps: 1. Run the Java-based RF Plan tool to help position APs and import floorplans for your installation. 2. Prior to installation, configure firewall settings and enable controller discovery so the APs can locate and identify the controller. 3. Ensure that APs will be able to obtain an IP address once they are connected to the network.
PAGE 118

1. If the master provisioning parameter is set to a DNS name, that name is resolved and all resulting addresses are put on the list. If master is set to an IP address, that address is put on the list. 2. If the master provisioning parameter is not set and a controller address was received in DHCP Option 43, that address is put on the list. 3.
PAGE 119

 If the APs are not in the same broadcast domain as the master controller, you must enable multicast on the network (ADP multicast queries are sent to the IP multicast group address 239.0.82.11) for the controller to respond to the APs’ queries. You also must make sure that all routers are configured to listen for Internet Group Management Protocol (IGMP) join requests from the controller and can route these multicast packets.
PAGE 120

Provisioning APs for Mesh The information in this section applies only if you are configuring and deploying APs in a mesh networking environment. If you are not, proceed to “Installing APs on the Network” on page 120. Before you install APs in a mesh networking environment, you must do the following:  Define and configure the mesh cluster profile and mesh radio profile before configuring an AP to operate as a mesh node. An AP configured for mesh is also known as a mesh node.
PAGE 121

and the end user’s client software. If you must provision your APs using a pre-shared key, you need to know which controller models you have that do not support certificate-based provisioning. Remote AP (RAP) vs Campus AP (CAP) Before you provision an AP, you should decide whether you want it to function as a Remote AP (RAP) or a Campus AP (CAP).
PAGE 122

3. Click the checkbox by the AP you want to provision, then click Provision. The Provisioning window opens. 4. In the AP Parameters section, click the AP Group drop-down list and select the AP group to which this AP should be assigned. 5. (Optional) Some AP models support an external antenna in addition to their internal antenna. If the AP you are provisioning supports an external antenna, the Provisioning window displays an additional Antenna Parameters section.
PAGE 123

Certificate based authentication allows a controller to authenticate a AP using its certificates instead of a PSK. You can manually provision an individual AP with a full set of provisioning parameters, or simultaneously provision an entire group of APs by defining a provisioning profile which contains a smaller set of provisioning parameters that can be applied the entire AP group.
PAGE 124

13. The AP list section displays current information for the AP you are provisioning or reprovisioning, and allows you to define additional parameters for your remote AP, such as AP Name, SNMP System Location and (if you are provisioning a Mesh Point or Portal) the AP’s Mesh role. 14. Click Apply and Reboot. (Reprovisioning the AP causes it to automatically reboot).
PAGE 125

4. Click the Provisioning Profile drop-down list and select the name of the provisioning profile you want to assign to this AP group. 5. Click Apply. If you are provisioning remote APs, you must also add the remote APs to the RAP whitelist. For details, see “Remote Access Points” on page 179. Troubleshooting After the AP has been provisioned, navigate to Monitoring>All Access Points window and verify that the AP has an up status.
PAGE 126

1. Navigate to the Configuration > Wireless> AP Installation page. The list of discovered APs are displayed on this page. 2. Select the AP you want to change. 3. Click Provision to reveal the Provisioning page. Locate the AP Installation Mode section. By default, the Default mode is selected. This means that the AP installation type is based on the AP model. 4. Select the Indoor option to change the installation to Indoor mode. Select the Outdoor option to change the to Outdoor mode. 5.
PAGE 127

ap-rename {ap-name |serial-num |wired-mac } If an AP is recognized by the controller but is powered off or not connected to the network or controller when you execute the command, the request is queued until the AP is powered back on or reconnected.
PAGE 128

3. Under Profiles, select AP, then AP system profile. The configuration settings displayed in the Profile Details window are described in Table 22. Table 22 AP System Profile Configuration Parameter Description LMS IP In multi-controller networks, this parameter specifies the IP address of the local management switch (LMS)—the Dell controller—which is responsible for terminating user traffic from the APs, and processing and forwarding the traffic to the wired network.
PAGE 129

Table 22 AP System Profile Configuration (Continued) Parameter Description Telnet Select this checkbox to enable telnet to the AP. SNMP sysContact SNMP system contact information. AeroScout RTLS Server Enables the AP to send RFID tag information to an AeroScout real-time asset location (RTLS) server. Specify the IP address and port number of the AeroScout server to which location reports should be sent. RF Band for AM mode scanning Scanning band for multiple RF radios.
PAGE 130

Prioritizing AP heartbeats To prioritize AP heartbeats using the WebUI: 1. Navigate to the Configuration > Wireless > AP Configuration page. 2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name. 3. Under Profiles, select AP, then AP system profile. The configuration settings are displayed in Profile Details. 4. Under Profile Details: a. In the Heartbeat DSCP field, enter a value greater than zero. b. Click Apply.
PAGE 131

lms-preemption ap-group ap-system-profile ap-name ap-system-profile AP Maintenance Mode You can configure APs to suppress traps and syslog messages related to those APs. Known as AP maintenance mode, this setting in the AP system profile is particularly useful when deploying, maintaining, or upgrading the network.
PAGE 132

Disabling LEDs in the WebUI An AP system profile’s LED operating mode affects LEDS on all APs using that profile. NOTE: This option is available on the W-AP120 Series, AP-90 Series, AP-105, and the RAP-5. 1. Navigate to the Configuration > Advanced Services> All Profiles page. 2. Select the AP tab and then select the AP system profiles tab. 3. Select the AP system profile you want to modify. 4. Locate the LED operating mode (W-AP120 series only) parameter. 5. From the drop-down list, select off. 6.
PAGE 133

4. Configure your RF Optimization radio settings. Table 23 describes the parameters. Click Apply to save your settings. Table 23 RF Optimization Profile Parameters Parameter Description Station Handoff Assist Allows the controller to force a client off an AP when the RSSI drops below a defined minimum threshold. Default: Disabled Detect Association Failure Enables or disables detection of station association failures.
PAGE 134

The following procedure details the steps to configure RF Event parameters. In the WebUI 1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group or AP Specific tab.  If you selected the AP Group tab, click the Edit button by the AP group name for which you want to configure the RF Event profile.  If you selected the AP Specific tab, click the Edit button by the AP for which you want to create the RF Event profile. 2.
PAGE 135

Table 24 RF Event Profile Parameters (Continued) Parameter Description Frame Receive Error Rate Low Watermark After a frame receive error rate exceeded condition exists, the condition persists until the frame receive error rate drops below this value. The recommended value is 8%. Frame Retry Rate High Watermark If the frame retry rate (as a percentage of total frames in an AP) exceeds this value, a frame retry rate exceeded condition exists. The recommended value is 16%.
PAGE 136

Table 25 20 MHz and 40 MHz Static Channel Configuration Options WebUI CLI Definition Channel Text Field None Radio Button channel Entering a channel number in the CLI, or entering a channel number in the WebUI and selecting the None radio button, disables 40 MHz mode and activates 20 MHz mode for the entered channel.
PAGE 137

12. Enter 1 in the Channel text field and select the None radio button. In this instance, channel 1 is the assigned 20 MHz channel and 40 MHz mode is disabled and click Apply.
PAGE 138

for troubleshooting purposes, you can do so using the controller WebUI and CLI, or alternatively, through a console connection to the AP itself. To create a console connection to the AP: 1. Connect a local console to the serial port on the AP. You can connect the AP’s serial port to a terminal or terminal server using an Ethernet cable, or connect the serial console port to a DB-9 adapter, then connect the adapter to a laptop using an RS-232 cable.
PAGE 139

Chapter 5 Virtual APs APs advertise WLANs to wireless clients by sending out beacons and probe responses that contain the WLAN’s SSID and supported authentication and data rates. When a wireless client associates to an AP, it sends traffic to the AP’s Basic Service Set Identifier (BSSID) which is usually the AP’s MAC address. In the Dell network, an AP uses a unique BSSID for each WLAN. Thus a physical AP can support multiple WLANs. The WLAN configuration applied to a BSSID on an AP is called a virtual AP.
PAGE 140

When you assign a profile to an individual AP, the values in the profile override the profile assigned to the AP group to which the AP belongs. The exception is the virtual AP profile. You can apply multiple virtual AP profiles to individual APs, as well as to AP groups. You can exclude one or more virtual AP profiles from an individual AP. This prevents a virtual AP, defined at the AP group level, from being applied to a specific AP.
PAGE 141

 An 802.11a/b/g SSID called “Guest” that uses open system and is only available on the AP “building3-lobby” (this AP will support both the “Corpnet” and “Guest” SSIDs) Each WLAN requires a different SSID profile that maps into a separate virtual AP profile. For the SSID “Corpnet”, which will use WPA2, you need to configure an AAA profile that includes 802.1x authentication and an 802.1x authentication server group.
PAGE 142

The following sections describe how to do this using the WebUI and the CLI. Configuring the User Role In this example, the employee user role allows unrestricted access to network resources and is granted only to users who have been successfully authenticated with an external RADIUS server. You can configure a more restrictive user role by specifying allowed or disallowed source and destination, protocol, and service for the traffic.
PAGE 143

key enable aaa server-group corpnet auth-server Radius1 Configuring Authentication In this example, you create the 802.1x authentication profile corpnet. The AAA profile configures the authentication for a WLAN. The AAA profile defines the type of authentication (802.1x in this example), the authentication server group, and the default user role for authenticated users. In the WebUI 1. Navigate to the Configuration > Security > Authentication > L2 Authentication page. Select 802.
PAGE 144

Table 29 AAA Profile Parameters (Continued) Parameter Description SIP authentication role Click the SIP authentication role drop-down list and specify the role assigned to a session initiation protocol (SIP) client upon registration. NOTE: This feature requires the PEFNG license. Device Type Classification When you select this option, the controller will parse user-agent strings and attempt to identify the type of device connecting to the AP.
PAGE 145

5. Click the new Virtual AP name in the Profiles list or the Profile Details to display the configuration parameters defined in Table 30. 6. Verify that Virtual AP enable is selected; select 1 for the VLAN. 7. Click Apply. Table 30 Virtual AP Profile Parameters Parameter Description Virtual AP enable Select the Virtual AP enable checkbox to enable or disable the virtual AP. Allowed band The band(s) on which to use the virtual AP:  a—802.11a band only (5 GHz).  g—802.11b/g band only (2.4 GHz).
PAGE 146

Table 30 Virtual AP Profile Parameters (Continued) 146 | Virtual APs Parameter Description Mobile IP Enables or disables IP mobility for this virtual AP. Default: Enabled HA Discovery on-association If enabled, all clients of a virtual AP will receive mobility service on association. Default: Disabled DoS Prevention If enabled, APs ignore deauthentication frames from clients. This prevents a successful deauthorization attack from being carried out against the AP.
PAGE 147

Table 30 Virtual AP Profile Parameters (Continued) Parameter Description Drop Broadcast and Multicast Select the Drop Broadcast and Multicast checkbox to filter out broadcast and multicast traffic in the air. Do not enable this option for virtual APs configured in bridge forwarding mode. This configuration parameter is only intended for use for virtual APs in tunnel mode. In tunnel mode, all packets travel to the controller, so the controller is able to drop all broadcast traffic.
PAGE 148

Table 30 Virtual AP Profile Parameters (Continued) Parameter Description Steering Mode Band steering supports the following three different band steering modes.  Force-5GHz: When the AP is configured in force-5GHz band steering mode, the AP will try to force 5Ghz-capable APs to use that radio band.  Prefer-5GHz (Default): If you configure the AP to use prefer-5GHz band steering mode, the AP will try to steer the client to 5G band (if the client is 5G capable) but will let the client connect on the 2.
PAGE 149

Table 31 Basic SSID Profile Parameters (Continued) Parameter Description Network Authentication The layer-2 authentication to be used on this ESSID to protect access and ensure the privacy of the data transmitted to and from the network.  None  802.1x/WEP  WPA  WPA-PSK  WPA2  WPA2-PSK  xSec  Mixed If you select the Mixed authentication option, a drop-down list will appear in the Network Authentication section.
PAGE 150

Table 32 Advanced SSID Profile Parameters (Continued) Parameter 150 | Virtual APs Description wpa2-aes-gcm-128 WPA2 with AES GCM-128 (Suite-b) encryption and dynamic keys using 802.1X. NOTE: This parameter requires the ACR license. For further information on Suite-B encryption, see “Configuring an SSID for Suite-B cryptography” on page 152. wpa2-aes-gcm-256 WPA2 with AES GCM-256 (Suite-b) encryption and dynamic keys using 802.1X. NOTE: This parameter requires the ACR license.
PAGE 151

Table 32 Advanced SSID Profile Parameters (Continued) Parameter Description DSCP mapping for WMM voice AC DSCP used to map WMM voice traffic. The supported range is 0-255, and the default is 56. DSCP mapping for WMM video AC Select the DSCP used to map WMM video traffic. The supported range is 0-255, and the default is 40. DSCP mapping for WMM best-effort AC Select the DSCP value used to map WMM best-effort traffic. The supported range is 0-255, and the default is 24.
PAGE 152

Table 32 Advanced SSID Profile Parameters (Continued) Parameter Description Advertise QBSS Load IE Click this checkbox to enable the AP to advertise the QBSS load element. The element includes the following parameters that provide information on the traffic situation:  Station count: The total number of stations associated to the QBSS.  Channel utilization: The percentage of time (normalized to 255) the channel is sensed to be busy.
PAGE 153

 Create a new virtual AP profile guest.  Select the predefined AAA profile default-open.  Create a new SSID profile guest to configure “Guest” for the SSID name and open system for the authentication. The following sections describe how to do this using the WebUI and the CLI. Configuring the VLAN In this example, users on the “Corpnet” WLAN are placed into VLAN 1, which is the default VLAN configured on the controller.
PAGE 154

any any svc-https permit time-range workhours user-role guest session-acl restricted Configuring the Guest Virtual AP In this example, you apply the guest virtual AP profile to a specific AP. NOTE: Best practices are to assign a unique name to each virtual AP, SSID, and AAA profile that you modify. In this example, you use the name guest to identify the virtual AP and SSID profiles. In the WebUI 1. Navigate to Configuration > Wireless > AP Configuration > AP Specific page. 2. Click New.
PAGE 155

Enable 802.11k Support The 802.11k protocol provides mechanisms for APs and clients to dynamically measure the available radio resources. In an 802.11k enabled network, APs and clients can send neighbor reports, beacon reports, and link measurement reports to each other. This allows the APs and clients to take appropriate connection actions. The following procedure outlines the steps to configure 802.11k parameters. In the WebUI 1. Navigate to the Configuration > Wireless > AP Configuration window.
PAGE 156

Table 33 802.11k Profile Parameters (Continued) Parameter Description Measurement Mode for Beacon Reports Click the Measurement Mode for Beacon Reports drop-down list and specify one of the following measurement modes:  active—Enables active beacon measurement mode.
PAGE 157

! wlan virtual-ap "THR-VIRTUAL-AP-PROFILE-WPA2" ssid-profile "THR-SSID-PROFILE-WPA2" aaa-profile "THR-AAA-PROFILE-WPA2" vlan 60 ! ap system-profile "THR-AP-SYSTEM-PROFILE" lms-ip 1.1.1.1 bkup-lms-ip 2.2.2.2 ! ap-group "THRHQ1-STANDARD" virtual-ap "THR-VIRTUAL-AP-PROFILE-WPA2" ap-system-profile "THR-AP-SYSTEM-PROFILE" Configuring a High-Throughput Virtual AP With the implementation of the IEEE 802.11n standard, high-throughput can be configured to operate on the 5 GHz and/or 2.4 GHz frequency band.
PAGE 158

4. Select the 802.11a radio profile. NOTE: This radio profile represents activity on the 5 GHz frequency band. Since the high-throughput IEEE 802.11n standard operates on the 5 GHz and/or 2.4 GHz frequency band, high-throughput can be enabled on 802.11a or 802.11g radio profiles. a. Select New from the 802.11a radio profile drop-down menu. b. Enter ht-corpnet-a for the 802.11a radio profile name. c. Select (check) the High Throughput enable (radio) checkbox to enable high-throughput.
PAGE 159

c. Click Add. d. Select New from the SSID Profile drop-down menu associated with the “ht-vap-corpnet” virtual AP profile. The SSID Profile dialog box appears. e. Enter ht-corpnet for the SSID profile name. f. Click Apply to create the SSID profile and return to the virtual AP profile page. g. Click Apply on the virtual AP profile page. 10. Select the ht-vap-corpnet virtual AP profile. a. Select all from the Allowed band drop-down menu. b. Click Apply. 11. Select the SSID profile ht-corpnet.
PAGE 160

Table 35 High-Throughput SSID Profile Parameters (Continued) Short guard interval in 20 MHz mode Enable or disable use of short (400ns) guard interval in 20 MHz mode. This parameter is enabled by default. A guard interval is a period of time between transmissions that allows reflections from the previous data transmission to settle before an AP transmits data again. An AP identifies any signal content received inside this interval as unwanted inter-symbol interference, and rejects that data. The 802.
PAGE 161

Managing High-throughput Profiles Use the following commands to create a high-throughput radio profile or edit an existing profile. For details, see Table 34. rf ht-radio-profile 40MHz-intolerance clone honor-40MHz-intolerance no single-chain-legacy Use the following commands to create a high-throughput SSID profile or edit an existing profile. For details, see Table 35.
PAGE 162

| Virtual APs Dell PowerConnect W-Series ArubaOS 6.
PAGE 163

Chapter 6 Adaptive Radio Management (ARM) This document describes how to configure the ARM function to automatically select the best channel and transmission power settings for each AP on your WLAN. After completing the tasks described in the following pages, you can continue configuring your APs as described in the Dell User Guide.
PAGE 164

A high-throughput (802.11n) AP can use a 40 MHz channel pair comprised of two adjacent 20 MHz channels available in the regulatory domain profile for your country. When ARM is configured for a dual-band AP, it will dynamically select the primary and secondary channels for these devices. It can, however, continue to scan all changes in the a+b/g bands to calculate interference and detect rogue APs. Monitoring Your Network with ARM When ARM is enabled, an Dell AP will dynamically scan all 802.
PAGE 165

your AP groups. The following table describes different WLAN environments, and the type of ARM profiles appropriate for each. Table 36 ARM Profile Types ARM Profiles Example WLAN Description default profile only   multiple profiles   A warehouse where the physical environment is nearly the same for all APs, and each AP manages the same number of clients and traffic load.
PAGE 166

To create a copy of an existing ARM profile via the command-line interface, access the CLI in config mode and issue the following command. rf arm-profile clone where is a unique name for the new ARM profile, and is the name of the existing profile whose setting you want to copy. The name must be 1–63 characters, and can be composed of alphanumeric characters, special characters and spaces.
PAGE 167

Table 37 ARM Profile Configuration Parameters (Continued) Setting Description Allowed bands for 40MHz channels The specified setting allows ARM to determine if 40 MHz mode of operation is allowed on the 5 GHz or 2.4 GHz frequency band only, on both frequency bands, or on neither frequency band. Client Aware If the Client Aware option is enabled, the AP does not change channels if there is an active client associated to that AP.
PAGE 168

Table 37 ARM Profile Configuration Parameters (Continued) Setting Description Scanning The Scanning checkbox enables or disables AP scanning across multiple channels. Disabling this option also disables the following scanning features:  Multi Band Scan  Rogue AP Aware  Voip Aware Scan  Power Save Scan Do not disable Scanning unless you want to disable ARM and manually configure AP channel and transmission power.
PAGE 169

Table 37 ARM Profile Configuration Parameters (Continued) Setting Description Noise Threshold Maximum level of noise in channel that triggers a channel change. The range of possible 0–2,147,483,647 dBm. Default 75 dBm Noise Wait Time Minimum time in seconds the noise level has to exceed the Noise Threshold before it triggers a channel change. The range of possible values is 15–3600 seconds.
PAGE 170

mode-aware multi-band-scan no noise-threshold noise-wait-time ps-aware-scan rogue-ap-aware scan-interval scan mode all-reg-domain|reg-domain scan-time scanning voip-aware-scan Assigning an ARM Profile to an AP Group Once you have created a new ARM profile, you must assign it to a group of APs before those ARM settings go into effect. Each AP group has a separate set of configuration settings for its 802.11a radio profile and its 802.11g radio profile.
PAGE 171

rf dot11g-radio-profile arm-profile Where is the name of the AP group, and is the name of the ARM profile you want to assign to that radio band. Multi-Band ARM and 802.11a/802.11g Traffic Dell recommends using the multi-band ARM assignment and Mode Aware ARM feature for single-radio APs in networks with traffic in the 802.11a and 802.11g bands.
PAGE 172

   The client has sent less than 8 probes requests/auth in the last 10 seconds. If the client has sent more than 8 probes in the last 10 seconds, the client will be able to connect using whatever band it prefers Force-5GHz: When the AP is configured in force-5GHz band steering mode, the AP will not respond to 2.4 Ghz probe requests from a client if all the following conditions are met.
PAGE 173

Traffic Shaping In a mixed-client network, it is possible for slower clients to bring down the performance of the whole network. To solve this problem and ensure fair access to all clients independent of their WLAN or IP stack capabilities, an AP can implement the traffic shaping feature. This feature has the following three options:  default-access: Traffic shaping is disabled, and client performance is dependent on MAC contention resolution. This is the default traffic shaping setting.
PAGE 174

To disable traffic shaping, use the default-access parameter: wlan traffic-management-profile shaping-policy default-access Use the following commands to apply an 802.11a or 802.11g traffic management profile to an AP group or an individual AP.
PAGE 175

 Dynamic mode: In this mode, the Clear Channel Assessment (CCA) thresholds are based on channel loads, and take into account the location of the associated clients. When you set the Channel Reuse feature to dynamic mode, this feature is automatically enabled when the wireless medium around the AP is busy greater than half the time, and the CCA threshold adjusts to accommodate transmissions between the AP its most distant associated client.
PAGE 176

 Interference Index: The AP uses this metric to measure co-channel and adjacent channel interference. The Interference Index is calculated as a/b//c/d, where:  Metric value “a” is the channel interference the AP sees on its selected channel.  Metric value “b” is the interference the AP sees on the adjacent channel.  Metric value “c” is the channel interference the AP’s neighbors see on the selected channel.
PAGE 177

Transmission Power Levels Change Too Often Frequent changes in transmission power levels can indicate an unstable RF environment, but can also reflect incorrect ARM or AP settings. To slow down the frequency at which the APs change their transmit power, set the ARM Backoff Time to a higher value.
PAGE 178

| Adaptive Radio Management (ARM) Dell PowerConnect W-Series ArubaOS 6.
PAGE 179

Chapter 7 Remote Access Points The Secure Remote Access Point Service allows AP users, at remote locations, to connect to an Dell controller over the Internet. Since the Internet is involved, data traffic between the controller and the remote AP is VPN encapsulated. That is, the traffic between the controller and AP is encrypted. Remote AP operations are supported on all of Dell’s APs.
PAGE 180

Figure 26 Remote AP with Controller on Public Network Internet Corporate Network Controller’s IP Address  Deployment Scenario 3: The remote AP is on the public network or behind a NAT device and the controller is also behind a NAT device. (Dell recommends this deployment for remote access.) The remote AP must be configured with the tunnel termination point which must be a publicly-routable IP address. In this scenario, the remote AP uses the public IP address of the corporate firewall.
PAGE 181

this section assumes the default mode of operation. For information on remote AP modes of operation, refer to “Advanced Configuration Options” on page 194. Configure a Public IP Address for the Controller The remote AP requires an IP address to which it can connect in order to establish a VPN tunnel to the controller. This can be either a routable IP address that you configure on the controller, or the address of an external router or firewall that forwards traffic to the controller.
PAGE 182

5. To configure an Internet Security Association and Key Management Protocol (ISAKMP) encrypted subnet and preshared key, click Add in the IKE Shared Secrets section and configure the preshared key. Click Done to return to the IPSec page. 6. Click Apply.
PAGE 183

Configure the Remote AP User Role Once the remote AP is authenticated for the VPN and established a IPSec connection, it is assigned a role. This role is a temporary role assigned to the AP until it completes the bootstrap process after which it inherits the aprole. The appropriate ACLs need to be enabled to permit traffic from the controller to the AP and back to facilitate the bootstrap process. NOTE: User roles and policies require the PEFNG license.
PAGE 184

c. For Destination, select alias, then select mswitch. d. For Service, select service, then select svc-tftp. e. Click Add. 9. To create the next rule: a. Under Rules, click Add. b. For Source, select any. c. For Destination, select alias, then select mswitch. d. For Service, select service, then select svc-ftp. e. Click Add. 10. Click Apply. 11. Click the User Roles tab. a. Click Add. b. Enter the Role Name (for example, RemoteAP). c. Click Add under Firewall Policies. d.
PAGE 185

3. For Default Role, enter the user role you created previously (for example, RemoteAP). NOTE: User roles and policies require the PEFNG and PEFV license. You must install the PEFNG and PEFV license, as described in Chapter 34, “Software Licenses” . 4. Click Apply. 5. In the Profile list, under VPN Authentication Profile, select Server Group. 6. Select the server group from the drop-down menu. 7. Click Apply.
PAGE 186

f. Under Rules, click Add. g. For Source, select any. h. For Destination, select any. i. For Service, select service, then select svc-papi. j. Click Add. 6. To create the next rule: a. Under Rules, click Add. b. For Source, select any. c. For Destination, select any. d. For Service, select service, then select svc-l2tp. e. Click Add. 7. To create the next rule: a. Under Rules, click Add. b. For Source, select any. c. For Destination, select any. d. For Service, select service, then select svc-gre. e.
PAGE 187

e. Click Done. 13. Click Apply. Configure VPN authentication using the internal database 1. Navigate to the Configuration > Security > Authentication > L3 Authentication page. 2. In the Profiles list, select VPN Authentication Profile. 3. For Default Role, enter the user role you created previously (for example, rap_role). 4. Click Apply. 5. In the Profile list, under VPN Authentication Profile, select Server Group. 6. Select the internal server group from the drop-down menu. 7. Click Apply.
PAGE 188

on, the AP must also be able to obtain an IP address from a DHCP server on the local network or from the controller. If your configuration has an internal LMS IP address, remote APs may attempt to switch over to the LMS IP address, which is not reachable from the Internet. For remote APs, ensure that the LMS IP address in the AP system profile for the AP group has an externally routable IP address. Reprovisioning the AP causes it to automatically reboot.
PAGE 189

Revoking an AP In some cases, if an AP in the whitelist is retired from active usage, you can set the AP as revoked. This option restricts the AP from connecting to your controller. To revoke a remote AP: 1. Select an AP from the whitelist by selecting the checkbox. 2. Click the Modify button. 3. Select the checkbox under the Revoked column. 4. Click the Update button. Deploying a Branch Office/Home Office Solution In a branch office, the AP is deployed in a separate IP network from the corporate network.
PAGE 190

 Set forward mode for enet1 port NOTE: Remote APs support 802.1q VLAN tagging. Data from the remote AP will be tagged on the wired side.
PAGE 191

Table 38 RAP Console Summary Tab Information (Continued) Summary Table Name Basic View Information Wireless SSIDs    SSID: Name of the SSID. Status: SSID Status (up, down, or disabled). Band: Radio band available on the SSID. Advanced View Information            Wired Users   Wireless User   MAC Address: MAC address of the wired user. IP address: IP address of the wired user.  MAC Address: MAC address of the wireless user. IP address: IP address of the wireless user.
PAGE 192

Table 38 RAP Console Summary Tab Information (Continued) Summary Table Name Uplink Info Basic View Information Advanced View Information The Uplink Info table can display some or all of the following information for your remote AP, depending upon whether a link is active and the number of links supported by the AP.
PAGE 193

Table 39 RAP Console Connectivity Tab Information (Continued) Data Description LMS Connectivity Shows if the AP was able to connect to a local controller. This item also shows the IP address to which the AP attempted to connect, and, if the AP did connect successfully, the link that was used to connect to that controller. The top of the Connectivity tab has a Refresh link that allows users to refresh the data on their screen.
PAGE 194

Enabling Double Encryption The double encryption feature applies only for traffic to and from a wireless client that is connected to a tunneled SSID. When this feature is enabled, all traffic (which is already encrypted using Layer-2 encryption) is reencrypted in the IPSec tunnel. When this feature is disabled, the wireless frame is only encapsulated inside the IPSec tunnel.
PAGE 195

The column on the left of the table lists the remote AP operation settings. The row across the top of the table lists the forward mode settings. To understand how these settings work in concert, scan the desired remote AP operation with the forward mode setting and read the information in the appropriate table cell. The “all” column and row lists features that all remote AP operation and forward mode settings have in common regardless of other settings.
PAGE 196

Table 40 Remote AP Modes of Operation and Behavior (Continued) Remote AP Operation Setting Forward Mode Setting persistent ESSID is up when the AP contacts the controller and stays up if connectivity is disrupted with the controller. SSID configuration obtained from the controller. Designed for 802.1x SSIDs. Same behavior as standard, described below, except the ESSID is up if connectivity to the controller is lost.
PAGE 197

 All access ports on the remote AP, irrespective of their original forwarding mode will be moved to bridge forwarding mode.  Clients will receive IP address from the remote AP's DHCP server.  Client will have complete access to Remote AP's uplink network. You cannot enforce or modify any access control policies on the clients connected in this mode.
PAGE 198

Using the WebUI to configure virtual AP profile To configure virtual AP profile:  Set the remote AP operation to “always,” “backup,” or “persistent.”  Create and apply the applicable SSID profile. The SSID profile for the backup configuration in always, backup, or persistent mode must be a bridge SSID. When configuring the virtual AP profile, specify forward mode as “bridge.” The SSID profile for the backup configuration in standard mode can be a bridge, tunnel, or split tunnel SSID.
PAGE 199

wpa-passphrase (if necessary) wlan virtual-ap ssid-profile vlan forward-mode bridge aaa-profile rap-operation {always|backup|persistent} ap-group virtual-ap or ap-name virtual-ap Configuring the DHCP Server on the Remote AP You can configure the internal DHCP server on the remote AP to provide an IP address for the “backup” SSID if the controller is unreachable.
PAGE 200

d. At the Remote-AP DHCP Server ID field, enter the IP address for the DHCP server. e. At the Remote-AP DHCP Default Router field, enter the IP address for the default DHCP router. f. At the Remote-AP DHCP DNS Server list, enter an IP address in the field to right and click Add. You can add multiple IP addresses the same way. To delete an IP address, select an IP address from the list and click Delete. g. Specify the DHCP IP address pool.
PAGE 201

 Configure the AAA profile. Make sure the initial role contains the session ACL previously configured. The AAA profile defines the authentication method and the default user role. NOTE: 802.1x and PSK authentication is supported when configuring bridge or split tunnel mode.  Configure the virtual AP profile for the backup configuration.  Set the remote AP operation to “always” or “backup.”  Create and apply the applicable SSID profile.  Configure a bridge SSID for the backup configuration.
PAGE 202

c. Under Destination, select any. d. Under Service, select any. e. Under Action, select route, and select the src-nat checkbox. f. Click Add. 7. Click Apply . NOTE: If you use a local DHCP server to obtain IP addresses, you must define one additional ACL to permit traffic between clients without source NATing the traffic. Add user alias internal-network any permit before any any any route src-nat. 8. Click the User Roles tab. a. Click Add. b. Enter the Role Name. c. Click Add under Firewall Policies. d.
PAGE 203

b. To set the AAA profile and close the pop-up window, Click Apply. c. In the Profile Details entry for the new virtual AP profile, select NEW from the SSID Profile drop-down menu. The SSID Profile pop-up window displays to allow you to configure the SSID profile. d. Enter the name for the SSID profile. e. Under Network, enter a name in the Network Name (SSID) field. f. Under Security, select the network authentication and encryption methods. g.
PAGE 204

forward-mode bridge aaa-profile rap-operation {always|backup} ap system-profile lms-ip master-ip rap-dhcp-default-router rap-dhcp-dns-server rap-dhcp-lease rap-dhcp-pool-end rap-dhacp-pool-netmask rap-dhcp-pool-start rap-dhcp-server-id rap-dhcp-server-vlan ap-group virtual-ap ap-system-profile or ap-name virtual-ap ap-system-profile DNS Controller Setting In additi
PAGE 205

Backup Controller List Using DNS, the remote AP receives multiple IP addresses in response to a host name lookup. Known as the backup controller list, remote APs go through this list to associate with a controller. If the primary controller is unavailable or does not respond, the remote AP continues through the list until it finds an available controller. This provides redundancy and failover protection.
PAGE 206

ap-group ap-system-profile ap-name ap-system-profile Remote AP Failback In conjunction with the backup controller list, you can configure remote APs to revert back (failback) to the primary controller if it becomes available. If you do not explicitly configure this behavior, the remote AP will keep its connection with the backup controller until the remote AP, controller, or both have rebooted or some type of network failure occurs.
PAGE 207

Figure 32 Enable Remote AP Local Network Access 5. Click Apply. Using CLI  To enable, enter: ap system-profile rap-local-network-access  To disable, enter: ap system-profile no rap-local-network-access See the for detailed information on the command options.
PAGE 208

Access Control Lists and Firewall Policies Remote APs support the following access control lists (ACLs); unless otherwise noted, you apply these ACLS to user roles:  Standard ACLs—Permit or deny traffic based on the source IP address of the packet.  Ethertype ACLs—Filter traffic based on the Ethertype field in the frame header.  MAC ACLs—Filter traffic on a specific source MAC address or range of MAC addresses.
PAGE 209

 Create rules to permit DHCP and corporate traffic to the corporate controller. When specifying the action that you want the controller to perform on a packet that matches the specified criteria, “permit” implies tunneling, which is used for corporate traffic, and “route” implies local bridging, which is used for local traffic. You must install the PEFNG license in the controller. For information about user roles and policies, see Chapter 12, “Roles and Policies” .
PAGE 210

f. Click Add. 7. To create the next rule: a. Under Rules, click Add. b. Under Source, select any. c. Under Destination, select alias. The following steps define an alias representing the corporate network. Once defined, you can use the alias for other rules and policies. You can also create multiple destinations the same way. 8. Under the alias section, click New. Enter a name in the Destination Name field. a. Click Add. b. For Rule Type, select Network. c. Enter the public IP address of the controller. d.
PAGE 211

session-acl When defining the alias, there are a number of other session ACLs that you can create to define the handling of local traffic, such as: ip access-list session user alias any redirect 0 user alias any route user alias any route src-nat Configuring ACL for restricted LD homepage access A user in split or bridge role using a remote AP (RAP) can log on to the local debug (LD) homepage and perform a reboot or reset operations.
PAGE 212

Figure 34 Enable Restricted Access to LD Homepage Configuring the AAA Profile and the Virtual AP Profile After you configure the session ACL, you define the AAA profile and virtual AP used for split tunneling. When defining the AAA parameters, specify the previously configured user role that contains the session ACL used for split tunneling. Using the WebUI 1. Navigate to the Security > Authentication > AAA Profiles page. From the AAA Profiles Summary list, click Add. 2.
PAGE 213

c. In the Profile Details entry for the new virtual AP profile, select NEW from the SSID Profile drop-down menu. A pop-up window displays to allow you to configure the SSID profile. d. Enter the name for the SSID profile. e. Under Network, enter a name in the Network Name (SSID) field. f. Under Security, select the network authentication and encryption methods. g. To set the SSID profile and close the window, click Apply. 4. Click Apply at the bottom of the Profile Details window. 5.
PAGE 214

Wi-Fi Multimedia Wi-Fi Multimedia (WMM) is a Wi-Fi Alliance specification based on the IEEE 802.11e wireless Quality of Service (QoS) standard. WMM works with 802.11a, b, g, and n physical layer standards. The IEEE 802.11e standard also defines the mapping between WMM access categories (ACs) and Differentiated Services Codepoint (DSCP) tags. Remote APs support WMM. WMM supports four ACs: voice, video, best effort, and background. You apply and configure WMM in the SSID profile.
PAGE 215

Figure 35 Uplink Bandwidth Reservation Using CLI (host) (config)#ap system-profile remotebw (host) (AP system profile "remotebw") #rap-bw-total 1024 (host) (AP system profile "remotebw") #rap-bw-resv-1 acl voice 128 priority 1 To view bandwidth reservations: (host) #show datapath rap-bw-resv ap-name remote-ap-1 RAP Uplink BW reservation statistics -----------------------------------Pos: Acl Resv Prio XmitPkts XmitByte Marked Enqueued Onqueue Drops TokenFin -------------------------------------------------
PAGE 216

| Remote Access Points Dell PowerConnect W-Series ArubaOS 6.
PAGE 217

Chapter 8 Secure Enterprise Mesh The Dell secure enterprise mesh solution is an effective way to expand network coverage for outdoor and indoor enterprise environments without any wires. Using mesh, you can bridge multiple Ethernet LANs or you can extend your wireless coverage. As traffic traverses across mesh APs, the mesh network automatically reconfigures around broken or blocked paths.
PAGE 218

For mesh as well as traditional thin AP deployments, the Dell controller provides centralized provisioning, configuration, policy definition, ongoing network management and wireless and security services. However, unlike the traditional thin AP case, mesh nodes also perform network traffic encryption and decryption, and packet forwarding over wired and wireless links. You configure the AP for mesh on the controller using either the WebUI or the CLI.
PAGE 219

Mesh Clusters Mesh clusters are similar to an Extended-Service Set (ESS) in a WLAN infrastructure. A mesh cluster is a logical set of mesh nodes that share the common connection and security parameters required to create mesh links. Mesh clusters are grouped and defined by a mesh cluster profile, as described in “Mesh Cluster Profile”. Mesh clusters may enforce predictability in mesh networking by limiting the amount of concurrent mesh points, hop counts, and bandwidth used in the mesh network.
PAGE 220

If the existing uplink quality degrades below the configured threshold, and a lower cost or more preferable uplink is available on the same channel and cluster, the mesh point reselects that link without re-scanning. In some cases, this invalidates all of the entries that have this mesh point as a next hop to the destination and triggers new learning of the bridge tables.
PAGE 221

Mesh Profiles Mesh profiles help define and bring-up the mesh network. The following sections describe the mesh cluster, mesh radio, and mesh recovery profiles in more detail. The complete mesh profile consists of a mesh radio profile, RF management (802.11a and 802.11g) radio profiles, a high-throughput SSID profile (if your deployment includes 802.11n-capable APs), a mesh cluster profile, and a read-only recovery profile.
PAGE 222

default. For information about configuring RF Management Radio profiles, see “RF Management (802.11a and 802.11g) Profiles”. NOTE: If you do not want the mesh radios carrying mesh-backhaul traffic to support client traffic, consider using a dedicated 802.11a/80211/g radio profile with the mesh radio disabled: in this scenario, the radio will carry mesh backhaul traffic but will not support client Virtual APs. Mesh nodes operating in different cluster profiles can share the same radio profile.
PAGE 223

Wired AP Profile The wired AP profile controls the configuration of the Ethernet port(s) on your AP. You can use the wired AP profile to configure Ethernet ports for bridging or secure jack operation using the wired AP profile. For details, see “Ethernet Ports for Mesh” on page 249 Mesh Recovery Profile In addition to the “default” and user-defined mesh cluster profiles, mesh nodes also have a recovery profile.
PAGE 224

Thin AP Services with Wireless Backhaul Deployment To expand your wireless coverage without bridging Ethernet LAN segments, you can use thin AP services with a wireless backhaul. In this scenario, the mesh point provides network access for wireless clients and establishes a mesh path to the mesh portal, which uses its wired interface to connect to the controller. Use the 802.11g radio for WLAN and controller services and the 802.11a radio for mesh services.
PAGE 225

Figure 39 Sample Point-to-Multipoint Deployment remote sites with connectivity via the mesh points mesh point mesh portal host site with access to the data center and the controller mesh point arun_019 High-Availability Deployment In this high-availability scenario, multiple Ethernet LAN segments are bridged via multiple wireless backhauls that carry traffic between the mesh portal and the mesh points. You configure one mesh portal for each remote LAN that you are bridging with the host LAN.
PAGE 226

Before You Begin Dell recommends the following when planning and deploying a mesh solution: Pre-Deployment Considerations  Stage the APs before deployment. Identify the location of the APs, configure them for mesh, provision them and verify connectivity before physically deploying the mesh APs in a live network.  Ensure the controller has Layer-2/3 network connectivity to the network segment where the mesh portal will be installed.
PAGE 227

 Have a trained professional install the AP. After installation, check to ensure the AP receives power and boots up, enabling RSSI outputs. NOTE: Although the AP is up and operational, it is not connected to the network.  Align the AP antenna for optimal RSSI.  Do not delete or modify mesh cluster profiles once you use them to provision mesh nodes. You can recover the mesh point if the original cluster profile is still available. Dell recommends creating a new mesh cluster profile if needed.
PAGE 228

3. In the Profile Details window pane, click the Mesh radio profile drop-down list and select New. Enter a new mesh radio profile name in the field to the right of the drop-down list. You cannot use spaces in radio profile names. 4. Configure your desired mesh radio settings.
PAGE 229

Table 42 Mesh Radio Profile Configuration Parameters (Continued) Parameter Description metric algorithm Use this setting to optimize operation of the link metric algorithm. Specifies the algorithm used by a mesh node to select its parent. Available options are: best-link-rssi—Selects the parent with the strongest RSSI, regardless of the number of children a potential parent has.  distributed-tree-rssi—Selects the parent based on link-RSSI and node cost based on the number of children.
PAGE 230

Table 42 Mesh Radio Profile Configuration Parameters (Continued) Parameter Description BC/MC Rate Optimization Broadcast/Multicast Rate Optimization dynamically selects the rate for sending broadcast/multicast frames on any BSS. This feature determines the optimal rate for sending broadcast and multicast frames based on the lowest of the unicast rates across all associated clients.
PAGE 231

Deleting a Profile Use the following procedure to delete an existing mesh radio profile using the WebUI. You can delete a mesh radio profile only if no other APs or AP groups are using that profile. 1. Navigate to the Configuration > Advanced Services> All Profiles window. 2. Expand the Mesh menu, then select Mesh radio profile. A list of mesh radio profiles appears in the Profile Details window pane. 3. Click the Delete button by the name of the profile you want to delete.
PAGE 232

ap-group mesh-radio-profile priority To associate a mesh radio profile with an individual AP: ap-name mesh-radio-profile priority The following examples assign the mesh cluster profiles cluster1 and cluster2 to two different AP groups. In the AP group group1, cluster1 has a priority of 5, and cluster2 has a priority of 10, so cluster1 has the higher priority.
PAGE 233

3. If you selected 802.11a radio profile, click the 802.11a radio profile drop-down list in the Profile Details window pane and select NEW. -orIf you selected 802.11g radio profile, click the 802.11g radio profile drop-down list in the Profile Details window pane and select NEW. 4. Enter a name for your new 802.11a or 802.11g radio profile. 5. Configure the radio settings described in Table 43, then click Apply to save your settings.
PAGE 234

Table 43 802.11a/802.11g RF Management Configuration Parameters (Continued) Parameter Description Spectrum load balancing mode The spectrum load balancing mode allows you to allows control over how to balance clients. Select one of the following options:  channel: Channel-based load-balancing balances clients across channels. This is the default load-balancing mode  radio: Radio-based load-balancing balances clients across APs.
PAGE 235

Table 43 802.11a/802.11g RF Management Configuration Parameters (Continued) Parameter Non 802.11 Interference Immunity Description Set a value for 802.11 Interference Immunity. The default setting for this parameter is level 2. When performance drops due to interference from non-802.11 interferers (such as DECT or Bluetooth devices), the level can be increased up to level 5 for improved performance.
PAGE 236

Table 43 802.11a/802.11g RF Management Configuration Parameters (Continued) Parameter Description ARM profile Dell's proprietary Adaptive Radio Management (ARM) technology maximizes WLAN performance by dynamically and intelligently choosing the best 802.11 channel and transmit power for each Dell AP in its current RF environment. Every RF management profile references an ARM profile.
PAGE 237

4. Click Apply. The profile name appears in the Profile list with your configured settings. If you configure this for the AP group, this profile also becomes the selected 802.11a or 802.11g RF management profile used by the mesh portal for your mesh network. Assigning a High-throughput Profile Each 802.11a or 802.11g RF management radio profile references a high-throughput profile that manages the AP group’s 40Mhz tolerance settings. By default, an 802.
PAGE 238

 If you selected AP Specific, click the Edit button by the AP to which you want to assign a new ARM profile 2. Under the Profiles list, expand the RF Management menu. 3. To reference an ARM profile for a 802.11a radio profile, expand the 802.11a radio profile menu. -orTo reference an ARM profile for a 802.11g radio profile, expand the 802.11g radio profile menu. 4. The Profile Details pane appears and displays information for the currently referenced ARM profile.
PAGE 239

2. Expand the RF menu, then select 802.11a radio profile or 802.11g radio profile. A list of profiles of the specified type appears in the Profile Details window pane. 3. Click the Delete button by the name of the profile you want to delete. Managing 802.11a/802.11g Profiles In the CLI You must be in config mode to create, modify or delete a 802.11a or 802.11g RF management radio profile using the CLI.
PAGE 240

Viewing RF Management Settings To view a complete list of 802.11a or 802.11g RF management profiles and their status: show rf dot11a-radio-profile|dot11g-radio-profile To view the settings of a specific RF management profile: show rf dot11a-radio-profile|dot11g-radio-profile Assigning a 802.11a/802.11g Profile To assign an 802.11a or 802.
PAGE 241

4. Enter a name for the new profile. 5. Configure the high-throughput SSID described in Table 44, then click Apply to save your settings. The profile name appears in the Mesh High-throughput SSID Profile list with your configured settings.
PAGE 242

Table 44 Mesh High-Throughput SSID Profile Configuration Parameters (Continued) Parameter Description Short guard interval in 40 MHz mode Enable or disable use of short (400ns) guard interval in 40 MHz mode. This parameter is enabled by default. A guard interval is a period of time between transmissions that allows reflections from the previous data transmission to settle before an AP transmits data again.
PAGE 243

Deleting a Profile You can delete a mesh high-throughput SSID profile only if no APs or AP groups are associated with that profile. 1. Navigate to the Configuration > Advanced Services> All Profiles window. 2. Expand the Mesh menu, then select Mesh High-throughput SSID profile. A list of high-throughput SSID profiles appears in the Profile Details window pane. 3. Click the Delete button by the name of the profile you want to delete.
PAGE 244

Deleting a Profile If no AP or AP group is using a mesh high-throughput SSID profile, you can delete that profile using the no parameter: no ap mesh-ht-ssid-profile Mesh Cluster Profiles The mesh cluster configuration gets pushed from the controller to the mesh portal and the other mesh points, which allows them to inherit the characteristics of the mesh cluster of which they are a member.
PAGE 245

If a mesh link breaks or the primary cluster profile is unavailable, mesh nodes use the highest priority backup cluster profile to re-establish the uplink or check for parents in the backup profiles. If these profiles are unavailable, the mesh node can revert to the recovery profile to bring up the mesh network until a cluster profile is available. For a sample configuration, see “show ap mesh topology”.
PAGE 246

Table 45 Mesh Cluster Profile Configuration Parameters (Continued) Parameter Description Priority Indicates the priority of the cluster profile. The mesh cluster priority determines the order by which the mesh cluster profiles are used. This allows you, rather than the link metric algorithm, to control the network topology by defining the cluster profiles to use if one becomes unavailable Specify the cluster priority when creating a new profile or adding an existing profile to a mesh cluster.
PAGE 247

Editing a Profile If you modify any mesh cluster profile setting, you must reprovision your AP. For example, if you change the priority of a cluster profile from 5 to 2, you must reprovision the AP before you can assign priority 5 to another cluster profile. Reprovisioning the AP causes it to automatically reboot. For more information, see “Provisioning Mesh Nodes”. 1. Navigate to the Configuration > Wireless > AP Configuration window. Select either the AP Group or AP Specific tab.
PAGE 248

cluster corporate opmode wpa2-psk-aes wpa-passphrase mesh_123 rf-band a ap mesh-cluster-profile cluster2 cluster corporate opmode wpa2-psk-aes wpa-passphrase mesh_123 rf-band a You can also create a new mesh radio profile by copying the settings of an existing profile using the clone parameter. Using the clone command to create a new profile makes it easier to keep constant attributes in common within multiple profiles.
PAGE 249

Deleting a Mesh Cluster Profile If no AP or is using a mesh cluster profile, you can delete that profile using the no parameter: no ap mesh-cluster-profile Ethernet Ports for Mesh If you are using mesh to join multiple Ethernet LANs, configure and enable bridging on the mesh point Ethernet port This section describes how to configure Ethernet ports for bridging or secure jack operation using the wired AP profile.
PAGE 250

forward-mode bridge wired-ap-enable Optionally, you can configure the following wired AP profile settings: ap wired-ap-profile switchport mode {access | trunk} switchport access vlan switchport trunk native vlan switchport trunk allowed vlan trusted Configuring Ethernet Ports for Secure Jack Operation You can configure the Ethernet port(s) on mesh nodes to operate in tunnel mode.
PAGE 251

Optionally, you can configure the following wired AP profile settings: ap wired-ap-profile trusted Extending the Life of a Mesh Network To prevent your mesh network from going down if you experience a controller failure, modify the following settings in the AP system profile(s) used by mesh nodes to maintain the mesh network until the controller is available: NOTE: Dell recommends the default maximum request retries and bootstrap threshold settings for most mesh networks; however, if you must kee
PAGE 252

On each radio interface, you provision a mode of operation: mesh node or thin AP (access) mode. If you do not specify mesh, the AP operates in thin AP (access) mode. If you configure mesh, the AP is provisioned with a minimum of two mesh cluster profiles: the “default” mesh cluster profile and an emergency read-only recovery profile, as described in the section “Mesh Clusters”. If you create and select multiple mesh cluster profiles, the AP is provisioned with those as well.
PAGE 253

 In multi-controller networks, save your mesh cluster configuration before provisioning the mesh nodes. To save your configuration in the WebUI, at the top of any window click Save Configuration. To save your configuration in the CLI, use the command: write memory.  If the same port on the controller is used to provision APs and provide PoE for mesh nodes, you must stop traffic from passing through that port after you provision the AP.
PAGE 254

provision-ap read-bootinfo ap-name mesh-role {mesh-point|mesh-portal|remote-mesh-portal} a-ant-bearing a-ant-tilt-angle g-ant-bearing g-ant-tilt-angle altitude latitude longitude reprovision ap-name AP Boot Sequence The information in this section describes the boot sequence for mesh APs. Depending on their configured role, the AP performs a slightly different boot sequence.
PAGE 255

Verifying the Network To view a list of your Mesh APs via the WebUI, navigate to the one of the following windows:  Monitoring > Network > All Mesh Nodes  Monitoring > Controller> Mesh Nodes To view mesh APs and the mesh topology tree using the command line interface, access the command-line interface in enable mode and issue the following commands:  show ap mesh active  show ap mesh topology Verification Checklist After provisioning the mesh APs, follow the steps below to ensure that the mesh n
PAGE 256

Use the show ap mesh topology command to verify the cluster topology, RSSI in presence of network traffic, and Tx and Rx rates.
PAGE 257

The RMP configuration requires an AP license. For more information about Dell software licenses, see Chapter 34, “Software Licenses” .” How RMP Works When a client at the branch office associates to a split VAP, the client’s DHCP requests are forwarded over a GRE tunnel (split tunnel) to the corporate network. This communication is done over a secure VPN tunnel. The IPs are assigned from the corporate pool based on the VLAN tag information, which helps to determine the corresponding VLAN.
PAGE 258

3. In the Authentication section, select the Remote AP radio button. 4. In the Remote AP Authentication Method section of this window, select either Pre-shared Key or Certificate. If you selected Pre-Shared Key, enter and confirm the Internet Key Exchange Pre-Shared Key (IKE PSK). 5. In the Master Discovery section, set the Master IP address as the controller IP address. 6. In the IP settings section, select Obtain IP Address Using DHCP. 7.
PAGE 259

5. Click Apply to save your changes. Next, assign the remote mesh points with the same mesh cluster profile, 802.11a and 802.11g RF management profiles, and mesh radio profile as the remote mesh portal. If you have defined an AP group for all your remote mesh points, you can just assign the required profiles to the remote mesh point AP group. Otherwise, you must assign the required profiles to each individual remote AP.
PAGE 260

2. Under the Profiles list, expand the Mesh menu, then select Mesh Cluster profile. 3. In the Profile Details window pane, click the Mesh Cluster profile drop-down list select New.  To add an existing mesh-cluster profile to the selected AP group, click the Add a profile drop-down list and select a new profile name from the list. 4. Click the using priority drop-down list to select a priority for the mesh cluster profile. The lower the number, the higher the priority.
PAGE 261

d. Click Apply. Provisioning a Remote Mesh Portal In the CLI Reprovisioning the AP causes it to automatically reboot. When you use the CLI to reprovision a mesh node, you may also provision other AP settings. provision-ap read-bootinfo ap-name mesh-role remote-mesh-portal reprovision ap-name Additional Information By default, the data frames the mesh portal receives on its mesh link are forwarded according to the bridge table entries on the portal.
PAGE 262

| Secure Enterprise Mesh Dell PowerConnect W-Series ArubaOS 6.
PAGE 263

Chapter 9 Authentication Servers The ArubaOS software allows you to use an external authentication server or the controller internal user database to authenticate clients who need to access the wireless network. Important Points to Remember  In order for an external authentication server to process requests from the Dell controller, you must configure the server to recognize the controller. Refer to the vendor documentation for information on configuring the authentication server.
PAGE 264

Figure 43 Server Group 802.1x Server Group Server Group Radii RADIUS-1 RADIUS-2 Server names are unique. You can configure the same server in multiple server groups. You must configure the server before you can add it to a server group. NOTE: If you are using the controller’s internal database for user authentication, use the predefined “Internal” server group. You can also include conditions for server-derived user roles or VLANs in the server group configuration.
PAGE 265

Table 46 RADIUS Server Configuration Parameters (Continued) Parameter Description NAS IP NAS IP address to send in RADIUS packets. You can configure a “global” NAS IP address that the controller uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IP, the global NAS IP is used. To set the global NAS IP in the WebUI, navigate to the Configuration > Security > Authentication > Advanced page.
PAGE 266

Table 47 RADIUS Authentication Response Codes (Continued) Code Description 4 Bad Response from RADIUS server. Verify shared secret is correct. 5 No RADIUS authentication server is configured. 6 Challenge from server. (This does not necessarily indicate an error condition.
PAGE 267

Table 48 LDAP Server Configuration Parameters (Continued) Parameter Description Base-DN Distinguished Name of the node that contains the entire user database. Default: N/A Filter A string that is used to search for users in the LDAP database (default filter string is: ì(objectclass=*)î ). Default: N/A Key Attribute A string that is used to search for a LDAP server. For Active Directory, the value is sAMAccountName. Default: sAMAccountName Timeout Timeout period of a LDAP request, in seconds.
PAGE 268

Configuring a TACACS+ Server Table 49 defines the TACACS+ server parameters. Table 49 TACACS+ Server Configuration Parameters Parameter Description Host IP address of the server. Default: N/A Key Shared secret to authenticate communication between the TACACS+ client and server. Default: N/A TCP Port TCP port used by server. Default: 49 Retransmits Maximum number of times a request is retried. Default: 3 Timeout Timeout period for TACACS+ requests, in seconds.
PAGE 269

Configuring a Windows Server Table 50 defines parameters for a Windows server used for stateful NTLM authentication. Table 50 Windows Server Configuration Parameters Parameter Description Host IP address of the server. Default: N/A Mode Enables or disables the server. Default: enabled Windows Domain Name of the Windows Domain assigned to the server. In the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2. Select Windows Server to display the Windows Server List.
PAGE 270

Table 51 Internal Database Configuration Parameters (Continued) Parameters Description Password (Required) Enter a password or select Generate to automatically generate a password string. An entered password must be a minimum of 6 characters and can be up to 128 characters in length. Role Role for the client. In order for this role to be assigned to a client, you need to configure a server derivation rule, as described in “Configuring Server-Derivation Rules” on page 277.
PAGE 271

Figure 44 IP-Address parameter in the local database To view IP-address parameter in the RAP Whitelist, navigate to the Wireless > AP Installation > RAP Whitelist page. Figure 45 IP-Address parameter in the RAP Whitelist NOTE: You cannot configure the IP-Address parameter using the WebUI.
PAGE 272

were created during the export process. Note that importing a file into the internal database overwrite and removes all existing entries. Exporting files in the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers > page. 2. Select Internal DB. 3. Click Export in the Internal DB Maintenance section. A popup window opens. 4. Enter the name of the file you want to export 5. Click OK. Importing files in the WebUI 1.
PAGE 273

Server Groups You can create groups of servers for specific types of authentication — for example, you can specify one or more RADIUS servers to be used for 802.1x authentication. You can configure servers of different types in one group — for example, you can include the internal database as a backup to a RADIUS server. Configuring Server Groups Server names are unique. You can configure the same server in more than one server group.
PAGE 274

In the following example, you create a server group ‘corp-serv’ with two LDAP servers (ldap-1 and ldap-2), each of which contains a subset of the usernames and passwords used in the network. When fail-through authentication is enabled, users that fail authentication on the first server in the server list should be authenticated with the second server. In the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2. Select LDAP Server to display the LDAP Server List. 3.
PAGE 275

You can configure multiple match rules for the same server. The controller compares the client/user information with the match rules configured for each server, starting with the first server in the server group. If a match is found, the controller sends the authentication request to the server with the matching rule. If no match is found before the end of the server list is reached, an error is returned and no authentication request for the client/user is sent.
PAGE 276

e. Scroll to the right and click Add Server. NOTE: The last server you added to the server group (radius-2) automatically appears as the first server in the list. In this example, the order of servers is not important. If you need to reorder the server list, scroll to the right and click the up or down arrow for the appropriate server. 7. Click Apply. In the CLI aaa server-group corp-serv auth-server radius-1 match-authstring starts-with host/ position 1 auth-server radius-2 match-authstring contains abc.
PAGE 277

 @ — the @ portion is truncated NOTE: This option does not support client information sent in the format host/. In the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2. Select Server Group to display the Server Group list. 3. Enter the name of the new server group and click Add. 4. Select the name to configure the server group. 5. Under Servers, click Edit for a configured server or click New to add a server to the group.
PAGE 278

Table 52 Server Rule Configuration Parameters (Continued) Parameter Description Operation This is the match method by which the string in Operand is matched with the attribute value returned by the authentication server.  contains – The rule is applied if and only if the attribute value contains the string in parameter Operand.  starts-with – The rule is applied if and only if the attribute value returned starts with the string in parameter Operand.
PAGE 279

Configuring a Role Derivation Rule for the Internal Database When you add a user entry in the controller’s internal database, you can optionally specify a user role (see “Internal Database” on page 269). In order for the role specified in the internal database entry to be assigned to the authenticated client, you must configure a server derivation rule as shown in the following sections: In the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2.
PAGE 280

Management Authentication Users who need to access the controller to monitor, manage, or configure the Dell user-centric network can be authenticated with RADIUS, TACACS+, or LDAP servers or the internal database. NOTE: Only user record attributes are returned upon a successful authentication. Therefore, to derive a different management role other than the default mgmt auth role, set the server derivation rule based on the user attributes. In the WebUI 1.
PAGE 281

7: Admin Reboot: Administrator is ending service, for example prior to rebooting the controller.  NAS-Identifier: This is set in the RADIUS server configuration.  NAS-IP-Address: IP address of the master controller. You can configure a “global” NAS IP address: in the WebUI, navigate to the Configuration > Security > Authentication > Advanced page; in the CLI, use the ip radius nas-ip command.
PAGE 282

 Acct-Output-Octets  Acct-Input-Packets  Acct-Output-Packets You can use either the WebUI or CLI to assign a server group for RADIUS accounting. In the WebUI 1. Navigate to the Configuration > Security > Authentication > AAA Profiles page. 2. Select AAA Profile, then select the AAA profile instance. 3. (Optional) In the Profile Details pane, select RADIUS Interim Accounting to allow the controller to send Interim-Update messages with current user statistics to the server at regular intervals.
PAGE 283

Table 54 Authentication Timers (Continued) Timer Description Authentication Server Dead Time Maximum period, in minutes, that the controller considers an unresponsive authentication server to be “out of service”. This timer is only applicable if there are two or more authentication servers configured on the controller. If there is only one authentication server configured, the server is never considered out of service and all requests are sent to the server.
PAGE 284

| Authentication Servers Dell PowerConnect W-Series ArubaOS 6.
PAGE 285

Chapter 10 802.1x Authentication 802.1x is an Institute of Electrical and Electronics Engineers (IEEE) standard that provides an authentication framework for WLANs. 802.1x uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1x framework that are suitable for wireless networks include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS).
PAGE 286

Supported EAP Types The following is the list of supported EAP types.  PEAP—Protected EAP (PEAP) is an 802.1x authentication method that uses server-side public key certificates to authenticate clients with server. The PEAP authentication creates an encrypted SSL / TLS tunnel between the client and the authentication server. The exchange of information is encrypted and stored in the tunnel ensuring the user credentials are kept secure.
PAGE 287

Figure 47 802.1x Authentication with RADIUS Server Client (Supplicant) WLAN Switch (Authenticator) Authentication Server • EAP Type • EAP Type • Client IP • Shared Secret • Server IP • Shared Secret • Auth Port • Acct Port • ESSID • Network Authentication • Data Encryption • ESSID • Network Authentication • Data Encryption The supplicant and authentication server must be configured to use the same EAP type.
PAGE 288

In this scenario, the supplicant is configured for EAP-Transport Layer Security (TLS) or EAP-Protected EAP (PEAP).  EAP-TLS is used with smart card user authentication. A smart card holds a digital certificate which, with the user-entered personal identification number (PIN), allows the user to be authenticated on the network. EAPTLS relies on digital certificates to verify the identities of both the client and server.
PAGE 289

6. Configure the virtual AP profile for an AP group or for a specific AP:  Select the AAA profile you previously configured.  In the SSID profile, configure the WLAN for 802.1x authentication. For details on how to complete the above steps, see “Example Configurations” on page 296 Using the WebUI This section describes how to create and configure a new instance of an 802.1x authentication profile in the WebUI or the CLI. 1.
PAGE 290

Table 55 802.1x Authentication Profile Basic WebUI Parameters (Continued) Parameter Description Termination Inner EAP-Type Select one of the following: EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecureID and the use of LDAP or RADIUS as the user authentication server.
PAGE 291

Table 55 802.1x Authentication Profile Basic WebUI Parameters (Continued) Parameter Description Authentication Server Retry Count Maximum number of authentication requests that are sent to server group. The allowed range of values for this parameter is 0-3 requests, and the default value is 2 requests. Framed MTU Sets the framed Maximum Transmission Unit (MTU) attribute sent to the authentication server.
PAGE 292

Table 55 802.1x Authentication Profile Basic WebUI Parameters (Continued) Parameter Description Opportunistic Key Caching By default, the 802.1x authentication profile enables a cached pairwise master key (PMK) derived via a client and an associated AP and used when the client roams to a new AP. This allows clients faster roaming without a full 802.1x authentication. Uncheck this option to disable this feature. Note: Make sure that the wireless client (the 802.1x supplicant) supports this feature.
PAGE 293

Table 55 802.1x Authentication Profile Basic WebUI Parameters (Continued) Parameter Description TLS Guest Access Select TLS Guest Access to enable guest access for EAP-TLS users with valid certificates. This option is disabled by default. TLS Guest Role Click the TLS Guest Role drop-down list and select the default user role for EAP-TLS guest users. Note: This option may require a license This option may require a license (see license descriptions at “License Types” on page 652).
PAGE 294

delay }|{wpa-key-period } tls-guest-access tls-guest-role unicast-keyrotation use-session-key use-static-key validate-pmkid voice-aware wep-key-retries wep-key-size {40|128} wpa-fast-handover wpa-key-retries xSec-mtu Configuring and Using Certificates with AAA FastConnect The controller supports 802.1x authentication using digital certificates for AAA FastConnect.
PAGE 295

Configuring User and Machine Authentication When a Windows device boots, it logs onto the network domain using a machine account. Within the domain, the device is authenticated before computer group policies and software settings can be executed; this process is known as machine authentication. Machine authentication ensures that only authorized devices are allowed on the network. You can configure 802.
PAGE 296

 If only machine authentication succeeds, the role is dot1x_mc.  If only user authentication succeeds, the role is guest.  On failure of both machine and user authentication, the user does not have access to the network. With machine authentication enabled, the VLAN to which a client is assigned (and from which the client obtains its IP address) depends upon the success or failure of the machine and user authentications.
PAGE 297

The examples show how to configure using the WebUI and CLI commands. Authentication with an 802.1x RADIUS Server  An EAP-compliant RADIUS server provides the 802.1x authentication. The RADIUS server administrator must configure the server to support this authentication. The administrator must also configure the server to all communications with the Dell controller.  The authentication type is WPA. From the 802.
PAGE 298

an alias representing all internal network addresses. Once defined, you can use the alias for other rules and policies. d. Under Destination, select Internal Network. e. Under Service, select service. In the Service scrolling list, select svc-telnet. f. Under Action, select drop. g. Click Add. 5. Under Rules, click Add. a. Under Source, select user. b. Under Destination, select alias. Then select Internal Network. c. Under Service, select service. In the Service scrolling list, select svc-pop3. d.
PAGE 299

d. Under Action, select drop. e. Click Add. f. Repeat steps A-E to create rules for the following services: svc-ftp, svc-snmp, and svc-ssh. 5. Click Apply. 6. Select the User Roles tab. Click Add to create the faculty role. 7. For Role Name, enter faculty. 8. Under Firewall Policies, click Add. In Choose from Configured Policies, select the faculty policy you previously created. Click Done.
PAGE 300

g. Repeat steps A-F to create a rule for svc-dns. To create a rule to deny access to the internal network: a. Under Source, select user. b. Under Destination, select alias. Select Internal Network. c. Under Service, select any. d. Under Action, select drop. e. Click Add. To create rules to permit HTTP and HTTPS access during working hours: a. Under Source, select user. b. Under Destination, select any. c. Under Service, select service. In the Services scrolling list, select svc-http. d.
PAGE 301

Using the WebUI to create the Sysadmin Role 1. Navigate to Configuration > Security > Access Control > User Roles page. Click Add to create the sysadmin role. 2. For Role Name, enter sysadmin. 3. Under Firewall Policies, click Add. In Choose from Configured Policies, select the predefined allowall policy. Click Done. 4. Click Apply. Using the CLI to Create the Sysadmin Role user-role sysadmin session-acl allowall Using the WebUI to Create the Computer Role 1.
PAGE 302

4. Under Server Rules, click New. a. For Condition, enter Class. b. For Attribute, select value-of from the drop-down menu. c. For Operand, select set role. d. Click Add. 5. Click Apply. Using the CLI aaa authentication-server radius IAS1 host 10.1.1.21 key |*a^t%183923! aaa server-group IAS auth-server IAS1 set role condition Class value-of Configure 802.1x Authentication An AAA profile specifies the 802.1x authentication profile and 802.1x server group to be used for authenticating clients for a WLAN.
PAGE 303

Using the CLI aaa authentication dot1x dot1x machine-authentication enable machine-authentication machine-default-role computer machine-authentication user-default-role guest aaa profile aaa_dot1x dot1x-default-role faculty mac-default-role computer authentication-dot1x dot1x dot1x-server-group IAS Configure VLANs In this example, wireless clients are assigned to either VLAN 60 or 61 while guest users are assigned to VLAN 63.
PAGE 304

Using the CLI vlan 60 interface vlan 60 ip address 10.1.60.1 255.255.255.0 ip helper-address 10.1.1.25 vlan 61 interface vlan 61 ip address 10.1.61.1 255.255.255.0 ip helper-address 10.1.1.25 vlan 63 interface vlan 63 ip address 10.1.63.1 255.255.255.0 ip helper-address 10.1.1.25 ip default-gateway 10.1.1.254 Configuring the WLANs In this example, default AP parameters for the entire network are as follows: the default ESSID is WLAN-01 and the encryption mode is TKIP.
PAGE 305

a. Make sure Virtual AP enable is selected. b. For VLAN, select 63. c. Click Apply. 6. Navigate to the Configuration > Wireless > AP Configuration page. 7. In the AP Group list, click Edit for the second-floor. 8. In the Profiles list, select Wireless LAN, then select Virtual AP. 9. Select guest from the Add a profile drop-down menu. Click Add. 10. Click Apply.
PAGE 306

a. Make sure Virtual AP enable is selected. b. For VLAN, select 60. c. Click Apply. 6. Navigate to the Configuration > Wireless > AP Configuration page. 7. In the AP Group list, click Edit for the second-floor. 8. In the Profiles list, select Wireless LAN, then select Virtual AP. 9. To configure the WLAN-01_second-floor virtual AP: a. Select NEW from the Add a profile drop-down menu. Enter WLAN-second-floor, and click Add. b.
PAGE 307

Using the WebUI 1. Navigate to the Configuration > Security > Authentication > Servers page. 2. In the Servers list, select Internal DB. 3. Under Users, click Add User to add users. 4. For each user, enter a username and password. 5. Select the Role for each user (if a role is not specified, the default role is guest). 6. Select the expiration time for the user account in the internal database. 7. Click Apply.
PAGE 308

d. Click Apply. 2. Select the AAA Profiles tab. a. In the AAA Profiles Summary, click Add to add a new profile. b. Enter aaa_dot1x, then click Add. c. Select the aaa_dot1x profile you just created. d. For 802.1x Authentication Default Role, select faculty. e. Click Apply. 3. In the Profiles list (under the aaa_dot1x profile you just created), select 802.1x Authentication Profile. a. Select the dot1x profile from the 802.1x Authentication Profile drop-down menu. b. Click Apply. 4.
PAGE 309

c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add. d. Click Apply. 4. In the IP Interfaces page, click Edit for VLAN 63. a. For IP Address, enter 10.1.63.1. b. For Net Mask, enter 255.255.255.0. c. Under DHCP Helper Address, click Add. Enter 10.1.1.25 and click Add. d. Click Apply. 5. Select the IP Routes tab. a. For Default Gateway, enter 10.1.1.254. b. Click Apply. Using the CLI vlan 60 interface vlan 60 ip address 10.1.60.1 255.255.255.0 ip helper-address 10.1.1.
PAGE 310

a. Select NEW from the Add a profile drop-down menu. Enter guest for the name of the virtual AP profile, and click Add. b. In the Profile Details entry for the guest virtual AP profile, select NEW from the SSID profile drop-down menu. A pop-up window allows you to configure the SSID profile. c. Enter guest for the name of the SSID profile. d. Enter guest for the Network Name. e. For Network Authentication, select None. f. For Encryption, select WEP. g. Enter the WEP key. h. Click Apply. i.
PAGE 311

a. Select NEW from the Add a profile drop-down menu. Enter WLAN-01_first-floor, and click Add. b. In the Profile Details entry for the WLAN-01_first-floor virtual AP profile, select aaa_dot1x from the AAA Profile drop-down menu. A pop-up window displays the configured AAA parameters. Click Apply in the pop-up window. c. From the SSID profile drop-down menu, select NEW. A pop-up window allows you to configure the SSID profile. d. Enter WLAN-01 for the name of the SSID profile. e.
PAGE 312

ap-group first-floor virtual-ap WLAN-01_first-floor ap-group second-floor virtual-ap WLAN-01_second-floor Mixed Authentication Modes Use l2-auth-fail-through command to perform mixed authentication which includes both MAC and 802.1x authentication. When MAC authentication fails, enable the l2-auth-fail-through command to perform 802.1x authentication. NOTE: By default the l2-auth-fail-through command is disabled.
PAGE 313

 Unicast Key Rotation: Enabled  Unicast Key Rotation Time Interval: 1021 Seconds Using the WebUI 1. Navigate to the Configuration > Security > Authentication > L2 Authentication page. 2. Select 802.1x Authentication Profile, then select the name of the profile you want to configure. 3. Select the Advanced tab.
PAGE 314

| 802.1x Authentication Dell PowerConnect W-Series ArubaOS 6.
PAGE 315

Chapter 11 Certificate Revocation The Certificate Revocation feature enables the ArubaOS controller to perform real-time certificate revocation checks using the Online Certificate Status Protocol (OCSP) or traditional certificate validation using the Certificate Revocation List (CRL) client. About OCSP and CRL OCSP (RFC 2560) is a standard protocol that consists of an OCSP client and an OCSP responder.
PAGE 316

Configuring the Controller as an OCSP Client When OCSP is used as the revocation method, you need to configure the OCSP responder certificate and the OCSP URL. In the WebUI 1. Navigate to the Configuration > Management > Certificates > Upload page. 2. Enter a name in the Certificate Name field. This name identifies the certificate you are uploading. 3. Enter the certificate file name in the Certificate Filename field. Use the Browse button to enter the full pathname. 4.
PAGE 317

Figure 50 View certificate details 8. Select the Revocation Checkpoint tab. 9. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to configure. The Revocation Checkpoint pane displays. 10. In the Revocation Check field, select ocsp from the Method 1 drop-down list as the primary check method. 11. In the OCSP URL field, enter the URL of the OCSP responder. 12.
PAGE 318

Configuring the Controller as a CRL Client CRL is the traditional method of checking certificate validity. When you want to check certificate validity using a CRL, you need to import the CRL. CRLs can only be imported using the WebUI. In the WebUI 1. Navigate to the Configuration > Management > Certificates > Upload page. 2. Enter a name in the Certificate Name field. This name identifies the CRL certificate you are uploading. 3. Enter the certificate file name in the Certificate Filename field.
PAGE 319

5. Select OCSP signer cert from the Certificate Type drop-down menu. Once this certificate is uploaded it is maintained in the certificate store for OCSP signer certificates. These certificates are used for signature verification. The OCSP signer cert is used to sign OCSP responses for this revocation check point. The OCSP signer cert can be the same trusted CA as the check point, a designated OCSP signer certificate issued by the same CA as the check point or some other local trusted authority.
PAGE 320

| Certificate Revocation Dell PowerConnect W-Series ArubaOS 6.
PAGE 321

Chapter 12 Roles and Policies Every client in an Dell user-centric network is associated with a user role, which determines the client’s network privileges, how often it must re-authenticate, and which bandwidth contracts are applicable. A policy is a set of rules that applies to traffic that passes through the Dell controller. You specify one or more policies for a user role. Finally, you can assign a user role to clients before or after they authenticate to the system.
PAGE 322

 Firewall policies are dynamic, meaning that address information in the policy rules can change as the policies are applied to users. For example, the alias user in a policy automatically applies to the IP address assigned to a particular user. ACLs typically require static IP addresses in the rule. NOTE: You can apply IPv4 and IPv6 firewall policies to the same user role. See Chapter 35, “IPv6 Support” on page 659 for information about configuring IPv6 firewall policies.
PAGE 323

Table 59 Firewall Policy Rule Parameters (Continued) Field Description Service (required) Type of traffic, which can be one of the following:  any: This option specifies that this rule applies to any type of traffic.  tcp: Using this option, you configure a range of TCP port(s) to match for the rule to be applied.  udp: Using this option, you configure a range of UDP port(s) to match for the rule to be applied.
PAGE 324

In the WebUI 1. Navigate to the Configuration > Security > Access Control > Policies page on the WebUI. 2. To configure a firewall policy, select the policy type from the Policies title bar. You can select All, IPv4 Session, IPv6 Session, Ethernet, MAC, Standard or Extended. 3. Click Add to create a new policy. 4. If you selected All in Step 2, then select the type of policy you are adding from the Policy Type drop-down menu. 5. Click Add to add a rule that allows HTTP traffic. a.
PAGE 325

 dns: Service is DNS  ftp: Service is FTP  h323: Service is H323  noe: Service is Alcatel NOE  rtsp: Service is RTSP  sccp: Service is SCCP  sip: Service is SIP  sips: Service is Secure SIP  svp: Service is SVP  tftp: Service is TFTP  vocera: Service is VOCERA 7. Click Apply to save your changes.
PAGE 326

7. (Optional) Click the White list Bandwidth Contract drop-down list and specify the name of a bandwidth contract to apply to the session traffic. For further information on creating Bandwidth Contracts, see “Configuring a Bandwidth Contract in the WebUI” on page 328 8. Click Done. The ACL displays on the white list section. 9. To delete an entry, click Delete next to the entry you want to delete. 10. Click Apply to save changes.
PAGE 327

Table 60 User Role Parameters (Continued) Field Description VPN Dialer (optional) This assigns a VPN dialer to a user role. For details about VPN dialer, see Chapter 17, “Virtual Private Networks” . Select a dialer from the drop-down list and assign it to the user role. This dialer will be available for download when a client logs in using captive portal and is assigned this role. L2TP Pool (optional) This assigns an L2TP pool to the user role.
PAGE 328

access-list session web-only position 1 After assigning the user role (see “User Role Assignments” on page 329), you can use the show reference userrole command to see the profiles that reference this user role. Bandwidth Contracts You can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts, to user roles.
PAGE 329

c. Click the Bandwidth drop-down list and select kbps. d. Click Done to add the new contract and assign it to the role. The New Bandwidth Contract section closes. 4. In the Bandwidth Contract section, select the Per User checkbox. 5. Scroll to the bottom of the page, and click Apply.
PAGE 330

3. The user role can be the default user role configured for an authentication method, such as 802.1x or VPN. For each authentication method, you can configure a default role for clients who are successfully authenticated using that method. 4. The user role can be derived from attributes returned by the authentication server and certain client attributes (this is known as a server-derived role).
PAGE 331

Table 61 Conditions for a User-Derived Role or VLAN Rule Type Condition Value BSSID: Assign client to a role or VLAN based upon the BSSID of AP to which client is associating. One of the following: contains  ends with  equals  does not equal  starts with MAC address (xx:xx:xx:xx:xx:xx)  DHCP-Option: Assign client to a role or VLAN based upon the DHCP signature ID. One of the following:  equals  starts with DHCP signature ID. NOTE: This string is not case sensitive.
PAGE 332

The following table describes some of the DHCP options that are useful for assigning a user role or VLAN. DHCP Option values DHCP Option Description Hexadecimal Equivalent 12 Host name 0C 55 Parameter Request List 37 60 Vendor Class Identifier 3C 81 Client FQDN 51 The device identification features in ArubaOS can also automatically identify different client device types and operating systems by parsing the User-Agent strings in the client’s HTTP packets.
PAGE 333

User-Derived Role Example The example rule shown in Figure 51 below sets a user role for clients whose host name (DHCP option 12) has a value of 6C6170746F70, which is the hexadecimal equivalent of the ASCII string “laptop”. The first two digits in the Value field are the hexadecimal value of 12 (which is 0C), followed by the specific signature to be matched. NOTE: There are many online tools available for converting ASCII text to a hexadecimal string.
PAGE 334

In the WebUI 1. Navigate to the Configuration > Security > Authentication page. 2. To configure the default user role for MAC or 802.1x authentication, select the AAA Profiles tab. Select the AAA profile. Enter the user role for MAC Authentication Default Role or 802.1x Authentication Default Role. 3. To configure the default user role for other authentication methods, select the L2 Authentication or L3 Authentication tab. Select the authentication type (Stateful 802.
PAGE 335

Global Firewall Parameters Table 62 describes optional firewall parameters you can set on the controller for IPv4 traffic. To set these options in the WebUI, navigate to the Configuration > Advanced Services > Stateful Firewall > Global Setting page and select or enter values in the IPv4 column. To set these options in the CLI, use the firewall configuration commands. See Chapter 35, “IPv6 Support” for information about configuring firewall parameters for IPv6 traffic.
PAGE 336

Table 62 IPv4 Firewall Parameters (Continued) Parameter Description Log ICMP Errors Enables logging of received ICMP errors. You should not enable this option unless instructed to do so by an Dell representative. Default: Disabled Stateful SIP Processing Disables monitoring of exchanges between a voice over IP or voice over WLAN device and a SIP server. This option should be enabled only when there is no VoIP or VoWLAN traffic on the network.
PAGE 337

Table 62 IPv4 Firewall Parameters (Continued) Parameter Description Stateful H.323 Processing Disables stateful H.323 processing. Default: Enabled Stateful SCCP Processing Disables stateful SCCP processing. Default: Disabled Only allow local subnets in user table Adds only IP addresses, which belong to a local subnet, to the user-table. Default: Disabled Session mirror IPSEC Configures session mirroring of all frames that are processed by IPsec.
PAGE 338

| Roles and Policies Dell PowerConnect W-Series ArubaOS 6.
PAGE 339

Chapter 13 Dashboard Monitoring The ArubaOS dashboard monitoring functionality provides enhanced visibility into your wireless network performance and usage within a controller. This allows you to easily locate and diagnose WLAN issues in the controller. The dashboard monitoring is available via the WebUI. To monitor and troubleshoot RF issues in the WLAN, click the Dashboard tab.
PAGE 340

Additionally, you can view the distribution of the APs in different noise floor ranges, channel utilization ranges, and non-Wi-Fi interference ranges using the histograms. To understand histogram information, see “Using Dashboard Histograms” on page 340. Using Dashboard Histograms Dashboard histograms are a visual representation of the distribution of the wireless clients, access points, and radios across different performance parameters in the controller.
PAGE 341

Security This page allows you to monitor the detection and protection of wireless intrusions in your network. The two top tables—Discovered APs & Clients and Events—contain data as links. When these links are selected they arrange, filter, and display the appropriate information in the lower table. NOTE: The term events in this document refers to security threats, vulnerabilities, attacks (intrusion or Denial of Service) and other related events.
PAGE 342

 View WLAN trends: View the trends of the clients connected in the WLAN and the WLAN usage in the last 15 minutes.  View client summary: Click on the hyperlinked client name on the client details table to view the Client Summary page. In this page, you can view the client details summary (air quality metrics and from and to clients statistics), bandwidth of the client usage, trend of the client frame loss in the last 15 minutes, and the frame rate distribution of the client.
PAGE 343

 View client summary: Click on the hyperlinked client name on the client details table to view the Client Summary page. In this page, you can view the client details summary (air quality metrics and from or to clients statistics), bandwidth of the client usage, trend of the client frame loss in the last 15 minutes, and the frame rate distribution of the client.  View AP details: Click on the hyperlinked AP name to view the Access Points page.
PAGE 344

| Dashboard Monitoring Dell PowerConnect W-Series ArubaOS 6.
PAGE 345

Chapter 14 Stateful and WISPr Authentication ArubaOS supports stateful 802.1x authentication, stateful NTLM authentication and authentication for Wireless Internet Service Provider roaming (WISPr). Stateful authentication differs from 802.
PAGE 346

server for authentication. Once the client has been authenticated on the partner ISP, it will be authenticated on your hotspot’s own ISP, as per their service agreements. Once your ISP sends an authentication message to the controller, the controller assigns the default WISPr user role to that client.
PAGE 347

In the CLI Use the following commands to configure stateful 802.1x authentication via the command-line interface. The first set of commands defines the RADIUS server used for 802.1x authentication, and the second set assigns that server to a server group. The third set of commands associates that server group with the stateful 802.1x authentication profile, then sets the authentication role and timeout period.
PAGE 348

7. Click Apply. 8. In the Profiles list, select the Server Group entry below the Stateful NTLM Authentication profile. 9. Click the Server Group drop-down list and select the group of Windows servers you want to use for stateful NTLM authentication. 10. Click Apply. In the CLI Use the following commands to configure stateful NTLM authentication via the command-line interface.
PAGE 349

4. Define values for the following parameters Table 63 WISPr Authentication Profile Parameters Parameter Description Default Role Default role assigned to users that complete WISPr authentication. Logon wait minimum wait If the controller’s CPU utilization has surpassed the Login wait CPU utilization threshold value, the Logon wait minimum wait parameter defines the minimum number of seconds a user will have to wait to retry a login attempt. Range: 1–10 seconds. Default: 5 seconds.
PAGE 350

default-role logon-wait {cpu-threshold|maximum-delay|minimum-delay} server-group wispr-location-id-ac wispr-location-id-cc wispr-location-id-isocc wispr-location-id-network wispr-location-name-location wispr-location-name-operator-name 350 | Stateful and WISPr Authentication Dell PowerConnect W-Series ArubaOS 6.
PAGE 351

Chapter 15 Captive Portal Captive portal is one of the methods of authentication supported by ArubaOS. A captive portal presents a web page which requires user action before network access is granted. The required action can be simply viewing and agreeing to an acceptable use policy, or entering a user ID and password which must be validated against a database of authorized users.
PAGE 352

There are differences in how captive portal functions work and how you configure captive portal, depending on whether the license is installed. Later sections in this chapter describe how to configure captive portal in the base operating system (without the PEFNG license) and with the license installed. Controller Server Certificate The Dell controller is designed to provide secure services through the use of digital certificates.
PAGE 353

What follows are the tasks for configuring captive portal in the base ArubaOS. The example server group and profile names appear inside quotation marks.  Create the Server Group name. In this example, the server group name is “cp-srv”. If you are configuring captive portal for registered users, configure the server(s) and create the server group. For more information about configuring authentication servers and server groups, see Chapter 9, “Authentication Servers” .
PAGE 354

c. For Initial Role, select the captive portal authentication profile (for example, c-portal) you created previously. NOTE: The Initial Role must be exactly the same as the name of the captive portal authentication profile you created. d. Click Apply. 4. Navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name. 5. Under Profiles, select Wireless LAN, then select Virtual AP. 6.
PAGE 355

The captive portal authentication profile specifies the captive portal login page and other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance. NOTE: MAC-based authentication, if enabled on the controller, takes precedence over captive portal authentication. The following are the basic tasks for configuring captive portal using role-based access provided by the Policy Enforcement Firewall software module.
PAGE 356

a. In the Captive Portal Authentication Profile Instance list, enter the name of the profile (for example, cportal), then click Add. b. Select the captive portal authentication profile you just created. c. Select the default role (for example, employee) for captive portal users. d. Enable guest login and/or user login, as well as other parameters (refer to Table 64). e. Click Apply. 3.
PAGE 357

aaa authentication captive-portal c-portal default-role employee server-group cp-srv user-role logon captive-portal c-portal aaa profile aaa_c-portal initial-role logon wlan ssid-profile ssid_c-portal essid c-portal-ap vlan 20 wlan virtual-ap vp_c-portal aaa-profile aaa_c-portal ssid-profile ssid_c-portal Example Authentication with Captive Portal In the following example:  Guest clients associate to the guestnet SSID which is an open wireless LAN.
PAGE 358

Creating an Auth-guest User Role The auth-guest user role consists of the following ordered policies:  cplogout is a predefined policy that allows captive portal logout.  guest-logon-access is a policy that you create with the following rules:  Allows DHCP exchanges between the user and the DHCP server during business hours while blocking other users from responding to DHCP requests.  Allows DNS exchanges between the user and the public DNS server during business hours.
PAGE 359

e. Click Add. 6. Under Rules, click Add. a. Under Source, select any. b. Under Destination, select any. c. Under Service, select service. Select svc-dhcp. d. Under Action, select permit. e. Under Time Range, select working-hours. f. Click Add. Aliases The following step defines an alias representing the public DNS server addresses. Once defined, you can use the alias for other rules and policies. 1. Navigate to the Configuration > Security > Access Control > Policies page. 2.
PAGE 360

a. Under Source, select any. b. Under Destination, select any. c. Under Service, select service. Select svc-dhcp. d. Under Action, select permit. e. Under Time Range, select working-hours. f. Click Add. 7. Under Rules, click Add. a. Under Source, select user. b. Under Destination, select alias. Select Public DNS from the drop-down menu. c. Under Service, select service. Select svc-dns. d. Under Action, select src-nat. e. Under Time Range, select working-hours. f. Click Add. 8. Under Rules, click Add. a.
PAGE 361

c. Under the alias selection, click New. For Destination Name, enter “Internal Network”. Click Add to add a rule. For Rule Type, select network. For IP Address, enter 10.0.0.0. For Network Mask/Range, enter 255.0.0.0. Click Add to add the network range. Repeat these steps to add the network ranges 172.16.0.0 255.255.0.0 and 192.168.0.0 255.255.0.0. Click Apply. The alias “Internal Network” appears in the Destination menu d. Under Destination, select Internal Network. e. Under Service, select any. f.
PAGE 362

Guest-Logon Role To create the guest-logon role via the WebUI: 1. Navigate to the Configuration > Security > Access Control > User Roles page. 2. Click Add. 3. For Role Name, enter auth-guest. 4. Under Firewall Policies, click Add. 5. For Choose from Configured Policies, select cplogout from the drop-down menu. 6. Click Done. 7. Under Firewall Policies, click Add. 8. For Choose from Configured Policies, select guest-logon-access from the drop-down menu. 9. Click Done. 10. Under Firewall Policies, click Add.
PAGE 363

user alias “Public DNS” svc-dns src-nat time-range working-hours Auth-Guest-Access Policy To create an auth-guest-access policy via the command-line interface, access the CLI in config mode and issue the following commands: ip access-list session auth-guest-access user any udp 68 deny any any svc-dhcp permit time-range working-hours user alias “Public DNS” svc-dns src-nat time-range working-hours user any svc-http src-nat time-range working-hours user any svc-https src-nat time-range working-hours Block-I
PAGE 364

2. Navigate to the Configuration > Network > IP > IP Interfaces page. a. Click Edit for VLAN 900. b. For IP Address, enter 192.168.200.20. c. For Net Mask, enter 255.255.255.0. d. Click Apply. 3. Click the DHCP Server tab. a. Select Enable DHCP Server. b. Click Add under Pool Configuration. c. For Pool Name, enter guestpool. d. For Default Router, enter 192.168.200.20. e. For DNS Server, enter 64.151.103.120. f. For Lease, enter 4 hours. g. For Network, enter 192.168.200.0. For Netmask, enter 255.255.255.0.
PAGE 365

To configure captive portal authentication via the command-line interface, access the CLI in config mode and issue the following commands: aaa authentication captive-portal guestnet default-role auth-guest user-logon no guest-logon server-group internal Modifying the Initial User Role The captive portal authentication profile specifies the captive portal login page and other configurable parameters.
PAGE 366

3. To configure the virtual AP profile, navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name. 4. Under Profiles, select Wireless LAN, then select Virtual AP. 5. To create a new virtual AP profile, select NEW from the Add a profile drop-down menu. Enter the name for the virtual AP profile (for example, guestnet), and click Add. a.
PAGE 367

Table 64 Captive Portal Authentication Profile Parameters Parameter Description Black List Name of an existing black list on an IPv4 or IPv6 network destination. The black list contains websites (unauthenticated) that a guest cannot access. Default Guest Role Role assigned to guest. Default: guest Default Role Role assigned to the Captive Portal user upon login.
PAGE 368

Table 64 Captive Portal Authentication Profile Parameters (Continued) Parameter Description Add switch IP address in redirection URL Sends the controller’s IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the controller from which a request originated by parsing the ‘switchip’ variable in the URL. Default: Disabled Use CHAP (nonstandard) Use CHAP protocol.
PAGE 369

Table 65 Captive Portal login Pages (Continued) Entity Engineering Business Faculty Captive portal authentication profile eng-cp (Specify /auth/eng-login.html and eng-user) bus-cp (Specify /auth/bus-login.html and bus-user) fac-cp (Specify /auth/bus-login.
PAGE 370

Proxy Server Redirect You can configure captive portal to work with proxy Web servers. When proxy Web servers are used, browser proxy server settings for end users are configured for the proxy server’s IP address and TCP port. When the user opens a Web browser, the HTTP/S connection request must be redirected from the proxy server to the captive portal on the controller.
PAGE 371

user any svc-https dst-nat 8081 Redirecting Clients on Different VLANs You can redirect wireless clients that are on different VLANs (from the controller’s IP address) to the captive portal on the controller. To do this: 1. Specify the redirect address for the captive portal. 2. For captive portal with the PEFNG license only, you need to modify the captiveportal policy that is assigned to the user. To do this: a. Create a network destination alias to the controller interface. b.
PAGE 372

Personalizing the Captive Portal Page The following can be personalized on the default captive portal page:  Captive portal background  Page text  Acceptance Use Policy The background image and text should be visible to users with a browser window on a 1024 by 768 pixel screen. The background should not clash if viewed on a much larger monitor. A good option is to have the background image at 800 by 600 pixels, and set the background color to be compatible.
PAGE 373

d. To view the page background changes, click Submit at the bottom on the page and then click the View CaptivePortal link. The User Agreement Policy page appears and displays the Captive Portal page as it will be seen by users. 3. To customize the captive portal background text: a. Enter the text that needs to be displayed in the Page Text (in HTML format) message box. b. To view the background text changes, click Submit at the bottom on the page and then click the View CaptivePortal link.
PAGE 374

c.Click Accept. This displays the Captive Portal page as it will be seen by users. Creating Walled Garden Access On the Internet, a walled garden typically controls a user’s access to web content and services. The walled garden directs the user’s navigation within particular areas to allow access to a selection of websites or prevent access to other websites. NOTE: The Walled Garden feature can be used with the PEFNG or PEFV licenses.
PAGE 375

5. Select name from the Rule Type drop-down menu and add a hostname or wildcard with domain name to which an unauthenticated user is redirected. 6. Click Apply. 7. Navigate to Configuration > Security > Authentication > L3 Authentication. 8. Select Captive Portal Authentication Profile . 9. To allow users to access a domain, enter the destination name that contains the allowed domain names in the White List field. This stops unauthenticated users from viewing specific domains such as a hotel website.
PAGE 376

| Captive Portal Dell PowerConnect W-Series ArubaOS 6.
PAGE 377

Chapter 16 Advanced Security Extreme Security (xSec) is a cryptographically secure, Layer-2 tunneling network protocol implemented over the 802.1x protocol. The xSec protocol can be used to secure Layer-2 traffic between the Dell controller and wired and wireless clients, or between Dell controllers. NOTE: xSec is an optional ArubaOS software module. You must purchase and install the license for the xSec software module on the controller.
PAGE 378

Securing Client Traffic You can secure wireless or wired client traffic with xSec. On the client, install the Odyssey Client software. The xSec client must complete 802.1x authentication. to connect to the network. The client indicates the use of the xSec protocol during 802.1x exchanges with the controller. (Dell controllers support 802.1x for both wired and wireless clients.) Upon successful client authentication, an xSec tunnel is established between the controller and the client.
PAGE 379

In the WebUI 1. Navigate to the Configuration > Security > Authentication > AAA Profiles page. a. To create a new AAA profile, click Add in the AAA Profiles Summary. b. Enter a name for the profile (for example, xsec-wireless), and click Add. c. To configure the AAA profile, click on the newly-created profile name. d. For 802.1x Authentication Default Role, select a configured user role (for example, employee). e. Click Apply. f. In the AAA Profile list, select 802.
PAGE 380

This VLAN must have an IP interface, and is a different VLAN from the port’s “native” VLAN that provides connectivity to the network. 2. Configure the user role for the authenticated xSec clients. See Chapter 12, “Roles and Policies” for information. 3. Configure the server group that will be used to authenticate clients using 802.1x. See Chapter 9, “Authentication Servers” for more information. 4. Configure the controller port to which the wired clients) are connected.
PAGE 381

f. In the AAA Profile list, select 802.1x Authentication Profile under the AAA profile you configured. Select the applicable 802.1x authentication profile (for example, xsec-wired-dot1x). Click Apply. g. In the AAA Profile list, select 802.1x Authentication Server Group under the AAA profile you configured. Select the applicable server group (for example, xsec-svrs). Click Apply. 3. Navigate to the Configuration > Advanced Services > Wired Access page. a.
PAGE 382

c. For Enter VLAN(s), select the native VLAN (for example, VLAN 1) on the port to ensure Layer-2 connectivity to the network. d. For xSec VLAN, select the VLAN to which authenticated users are assigned from the drop-down menu (for example, VLAN 20) e. Click Apply. 2. Navigate to the Configuration > Security > Authentication > AAA Profiles page to configure the AAA profile. a. To create a new AAA profile, click Add. b. Enter a name for the profile (for example, xsec-3party), and click Add. c.
PAGE 383

b. Select either the AP Group or AP Specific tab. Click the Edit button by name of the AP group or individual AP you want to configure. c. In the Profiles list, expand the AP profile menu and select the Ethernet Interface Port Configuration profile for the Ethernet port number you want to configure. d. In the Profile Details window, click the Ethernet interface port configuration drop-down list and select New. 2.
PAGE 384

enet0-port-profile enet1-port-profile enet2-port-profile enet3-port-profile enet4-port-profile Securing Controller-to-Controller Communication xSec can be used to secure data and control traffic passed between two controllers. The only requirement is that both controllers be members of the same VLAN.
PAGE 385

In the CLI For Controller 1: interface gigabitethernet|fastethernet slot/port vlan 1 xsec point-to-point 10:11:12:13:14:15 1234567898765432 allowed vlan 101,200,250 For Controller 2: interface gigabitethernet|fastethernet slot/port vlan 1 xsec point-to-point 01:02:03:04:05:06 1234567898765432 allowed vlan 101,200,250 Configuring the Odyssey Client on Client Machines You can obtain the Odyssey Client from Juniper Networks.
PAGE 386

Figure 56 Modifying a regedit Policy 3. Open the Funk Odyssey Client. Click the Profile tab in the client window. This allows the user to create the user profile for 802.1x authentication. Figure 57 The Funk Odyssey Client Profile a. In the login name dialog box, enter the login name used for 802.1x authentication. For the password, the client could use the WINDOWS password or use the configured password based on the selection made. b.
PAGE 387

Figure 58 Certificate Information c. Click the Authentication tab. In the resultant window, click the Add tab and select EAP/PEAP. Move this option to the top of the list if PEAP is the method chosen. If certification validation not required, uncheck the Validate server certificates setting. d. Click the PEAP Settings tab and select the EAP protocol supported. e. Click OK. f. To modify an existing profile, select the profile and then click the Properties tab. 4.
PAGE 388

g. Apply the configuration changes made by clicking on the OK tab. h. To modify an existing profile, select the profile and then click the Properties tab. 5. Click the Adapters tab if the adapter used is not seen under the list of adapters pull down menu under connections. a. When using a wireless client, click the Wireless tab. b. Select the Wireless adapters only radio button. From the resulting list, select the adapter required from the list and click OK. c. For wired 802.
PAGE 389

Chapter 17 Virtual Private Networks Wireless networks can use virtual private network (VPN) connections to further secure wireless data from attackers. The Dell controller can be used as a VPN concentrator that terminates all VPN connections from both wired and wireless clients.
PAGE 390

You then specify the default user role and authentication server group in the VPN authentication default profile, as described in the following sections. Selecting an IKE protocol Controllers running ArubaOS version 6.1 and later support both IKEv1 and the newer IKEv2 protocol to establish IPsec tunnels. IKEv2 is simpler, faster, and a more reliable protocol than IKEv1, though both IKEv1 and IKEv2 support the same suite-B cryptographic algorithms.
PAGE 391

IKEv2 Clients Not all clients support the both the IKEv1 and IKEv2 protocols. Only the clients in Table 69 support IKEv2 with the following authentication types: Table 69 VPN Clients Supporting IKEv2 Windows 7 Client StrongSwan 4.3 Client Machine authentication with Certificates  User-name password authentication using EAPMSCHAPv2 or PEAP-MSCHAPv2  User smart-card authentication with EAP-TLS / IKEv2 NOTE: Windows 7 clients using IKEv2 do not support pre-shared key authentication.
PAGE 392

VPN Authentication Profiles VPN Authentication profiles identify a user role for authenticated VPN clients, an authentication server, and the server group to which the authentication server belongs. There are three predefined VPN authentication profiles: default, default-rap and default-cap. These different profiles allow you to use different authentication servers, user roles and IP pools for VPN, remote AP and campus AP clients.
PAGE 393

Configuring a Basic VPN for L2TP/IPsec The combination of Layer-2 Tunneling Protocol and Internet Protocol Security (L2TP/IPsec) is a highly-secure technology that enables VPN connections across public networks such as the Internet. L2TP/IPsec provides both a logical transport mechanism on which to transmit PPP frames as well as tunneling or encapsulation so that the PPP frames can be sent across an IP network.
PAGE 394

3. Click Done to apply the configuration. Enable Source NAT In the Source NAT section of the IPSEC tab, select Enable Source NAT if the IP addresses of clients need to be translated to access the network. If you enabled source NAT, click the NAT pool drop-down list and select an existing NAT pool. If you have not yet created the NAT pool you want to use: 1. Navigate to Configuration > IP > NAT Pools. 2. Click Add. 3.
PAGE 395

Configure IKE Policies ArubaOS contains several predefined default IKE policies, as described in Table 72 on page 411. If you do not want to use any of these predefined policies, you can use the procedures below to edit an existing policy or create your own custom IKE policy instead. NOTE: The IKE policy selections, along with any preshared key, need to be reflected in the VPN client configuration. When using a third-party VPN client, set the VPN configuration on clients to match the choices made above.
PAGE 396

Set the IPsec Dynamic Map Dynamic maps enable IPsec SA negotiations from dynamically addressed IPsec peers. ArubaOS has a predefined IPsec dynamic map for IKEv1. If you do not want to use this predefined map, you can use the procedures below to edit an existing map or create your own custom IPsec dynamic map instead. 1. Scroll down to the IPsec Dynamic Map section of the IPSEC tab, then click Edit by a map name to edit an existing map or click Add to create a new map. 2.
PAGE 397

5. If you are configuring a VPN to support machine authentication using certificates, define server certificates for VPN clients using IKEv1. For IKEv1: crypto-local isakmp server-certificate 6. If you are configuring a VPN to support IKEv1 Clients using pre-shared keys, you can configure a global IKE key by entering 0.0.0.0 for both the address and netmask parameters in the command below, or configure an IKE key for an individual subnet by specifying the IP address and netmask for that subnet.
PAGE 398

1. In the Address Pools section of the IPSEC tab, click Add to open the Add Address Pool page. 2. Specify the pool name, the start address, and the end address. 3. Click Done to apply the configuration. Enable Source NAT In the Source NAT section of the IPSEC tab, select Enable Source NAT if the IP addresses of clients need to be translated to access the network. If you enabled source NAT, click the NAT pool drop-down list and select an existing NAT pool.
PAGE 399

2. Enter a number into the Priority field to set the priority for this policy. Enter a priority to 1 for the configuration to take priority over the Default setting. 3. Select the IKE version. Click the Version drop-down list and select V2 for IKEv2. 4. Set the Encryption type. Click the Encryption drop-down list and select one of the following encryption types.  DES  3DES  AES128  AES192  AES256 5. Set the HASH function.
PAGE 400

1. Scroll down to the IPsec Dynamic Map section of the IPSEC tab, then click Edit by a map name to edit an existing map or click Add to create a new map. 2. In the Name field, enter a name for the dynamic map 3. In the Priority field, enter a priority number for the map. Negotiation requests for security associations will try to match the highest-priority map first. If that map does not match, the negotiation request will continue down the list to the next-highest priority map until a match is made. 4.
PAGE 401

6. Define IKEv2 Policies: crypto isakmp policy encryption {3des|aes128|aes192|aes256|des} version v2 authentication {pre-share|rsa-sig|ecdsa-256ecdsa-384} group {1|2|19|20} hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192} prf PRF-HMAC-MD5|PRF-HMAC-SHA1|PRF-HMAC-SHA256|PRF-HMAC-SHA384 lifetime 7.
PAGE 402

On the controller, you need to configure the L2TP/IPsec VPN with EAP as the PPP authentication and IKE policy for preshared key authentication of the SA. NOTE: On the RADIUS server, you must configure a remote access policy to allow EAP authentication for smart card users and select a server certificate. The user entry in Microsoft Active Directory must be configured for smart cards. To configure a L2TP/IPsec VPN for clients using smart cards and IKEv1, ensure that the following settings are configured: 8.
PAGE 403

2. Navigate to the Configuration > Security > Authentication > L3 Authentication window. a. Under default VPN Authentication Profile, select Server Group. b. Select the internal server group from the drop-down menu. c. Click Apply. 3. Navigate to the Configuration > Advanced Services > VPN Services > IPsec window. a. Select Enable L2TP (this is enabled by default). b. Select PAP for Authentication Protocols. 4.
PAGE 404

1. Add entries for Cisco VPN XAuth clients to the controller’s internal database, or to an external RADIUS or NOTE: For each client, you need to create an entry in the internal database with the entire Principal name (SubjectAltname in X.509 certificates) or Common Name as it appears on the certificate. LDAP server. For details on configuring an authentication server, see “Authentication Servers” on page 263 2.
PAGE 405

On the controller, you need to configure the following: 1. Add entries for Cisco VPN XAuth clients to the controller’s internal database, For details on configuring an authentication server, see “Authentication Servers” on page 263 NOTE: For each client, you need to create an entry in the internal database with the entire Principal name (SubjectAltname in X.509 certificates) or Common Name as it appears on the certificate. 2.
PAGE 406

2. To enable PPTP, select Enable PPTP. 3. Select either MSCHAP or MSCHAPv2 as the authentication protocol. 4. Configure IP addresses of the primary and secondary DNS servers. 5. Configure primary and secondary WINS Server IP addresses that will be pushed to the VPN Dialer. 6. Configure the VPN Address Pool. a. Click Add. The Add Address Pool window displays. b. Specify the pool name, start address, and end address. c. Click Done on completion to apply the configuration. 7.
PAGE 407

To support site-site VPN with dynamically addressed devices, you must enable IKE Aggressive-Mode with Authentication based on a Pre-Shared-Key. The Dell controller with a dynamic IP address must be configured to be the initiator of IKE Aggressive-mode for Site-Site VPN, while the controller with a static IP address must be configured as the responder of IKE Aggressive-mode. VPN Topologies You must configure VPN settings on the controllers at both the local and remote sites.
PAGE 408

8. If you are using IKEv2 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer device by entering its certificate subject name in the Peer Certificate Subject Name field. NOTE: To identify the subject name of a peer certificate, access the command-line interface and issue the command show crypto-local pki servercert subject 9. The Security Association Lifetime parameter defines the lifetime of the security association, in seconds.
PAGE 409

19. Click Done to apply the site-to-site VPN configuration. 20. Click Apply. 21. Click the IPSEC tab to configure an IKE policy. a. Under IKE Policies, click Add to open the IPSEC Add Policy configuration page. b. Set the Priority to 1 for this configuration to take priority over the Default setting. c. Set the Version type to match the IKE version you selected in Step 10 above. d. Set the Encryption type from the drop-down menu. e. Set the HASH Algorithm from the drop-down menu. f.
PAGE 410

group {1|2|19|20} hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192} lifetime To configure site-to-site VPN with a static and a dynamically addressed controller that initiates IKE Aggressivemode for Site-Site VPN: crypto-local ipsec-map src-net dst-net peer-ip local-fqdn vlan pre-connect enable|disable trusted enable For the Pre-shared-key: crypto-local isakmp key address netmask 255.255.255.
PAGE 411

Default IKE policies ArubaOS includes the following default IKE policies. These policies are predefined and cannot be edited.
PAGE 412

4. Select the authentication protocol. This should match the L2TP or PPTP authentication type configured for the VPN in the Configuration > Advanced Services > VPN Services > IPSEC window. 5. (Optional) Select Send Direct Network Traffic In Clear to enable “split tunneling” functionality so that traffic destined for the internal network is tunneled while traffic for the Internet is not. This option is not recommended for security reasons. 6.
PAGE 413

dialer Dell PowerConnect W-Series ArubaOS 6.
PAGE 414

| Virtual Private Networks Dell PowerConnect W-Series ArubaOS 6.
PAGE 415

Chapter 18 Virtual Intranet Access Virtual Intranet Access (VIA) is part of the Dell remote networks solution targeted for teleworkers and mobile users. VIA detects the users network environment (trusted and un-trusted) and automatically connects the user to their enterprise network. Trusted networks typically refers to a protected office network that allows users to directly access corporate intranet. Un-trusted networks are public Wi-Fi hotspots like airports, cafes, or home network.
PAGE 416

Table 73 VIA Connectivity Behavior (Continued) User action / environment VIA’s behavior The client moves from an un-trusted to a trusted environment. Auto-launch and stay idle. VIA does not establish remote connection. You can, however, manually connect to a network by selecting an appropriate connection profile from the Settings tab. While in an un-trusted environment, user disconnects the remote connection. Disconnects gracefully. User moves to a trusted environment.
PAGE 417

Upgrade Workflow VIA checks for upgrade requirements during the login phase. There are two types of upgrade process: Minimal Upgrade and Complete Upgrade. Minimal Upgrade This type of upgrade is initiated for bug fixes and some minor enhancements which requires only some components of the client to be upgraded. When a VPN session is active the upgrade binary is downloaded by VIA from the controller. After the active VIA connection is terminated, the upgrade process is started and the client is upgraded.
PAGE 418

Authentication mechanisms supported in VIA 1.x Authentication is performed using IKEv1 only. Phase 0 authentication, which authenticates the VPN client, can be performed using either a pre-shared key or an X.509 certificate (the X.509 certificate must appear in the operating system’s “user” certificate store.). If certificates are used for IKE phase 0 authentication, it must be followed by username/password authentication.
PAGE 419

1. Enable VPN Server Module—ArubaOS allows you to connect to the VIA controller using the default user roles. However, to configure and assign specific user roles you must install the Policy Enforcement Firewall Virtual Private Network (PEFV) license. 2. Create VIA User Roles—VIA user roles contain access control policies for users connecting to your network using VIA. You can configure different VIA roles or use the default VIA role—default-via-role 3.
PAGE 420

Create VIA Authentication Profile This following steps illustrate the procedure to create an authentication profile to authenticate users against a server group. 1. Navigate to Configuration > Security > Authentication > L3 Authentication. 2. Under the Profiles section, expand the VIA Authentication Profile option.
PAGE 421

Figure 63 VIA - Enter a name for the server group Create VIA Connection Profile To create VIA connection profile: 1. Navigate to Configuration > Security > Authentication > L3 Authentication tab. Click the VIA Connection Profile option and enter a name for the connection profile. Figure 64 VIA - Create VIA Connection Profile 2. Click on the new VIA connection profile to configure the connection settings. You can configure the following options for a VIA connection profile.
PAGE 422

Table 76 VIA - Connection Profile Options (Continued) Configuration Option Description VIA tunneled networks A list of network destination (IP address and netmask) that the VIA client will tunnel through the controller. All other network destinations will be reachable directly by the VIA client.  Enter an IP address & network mask and click the Add button to add to the tunneled networks list.  To delete a network entry, select the IP address and click the Delete button.
PAGE 423

Table 76 VIA - Connection Profile Options (Continued) Configuration Option Description Enable split-tunneling Enable or disable split tunneling.  If enabled, all traffic to the VIA tunneled networks (Step 3 in this table) will go through the controller and the rest is just bridged directly on the client.  If disabled, all traffic will flow through the controller. Default: off Allow client-side logging Enable or disable client side logging.
PAGE 424

Figure 65 VIA - Select VIA Authentication Profile Associate VIA Connection Profile to User Role To associate a VIA connection profile to a user role: 1. Navigate to Configuration > Security > Access Control > User Roles tab. 2. Select the VIA user role (See “Create VIA User Roles” on page 419) and click the Edit button. 3. In the Edit Role page, navigate to VIA Connection Profile and select the connection profile from the dropdown list box and click the Change button. 4.
PAGE 425

Figure 67 VIA - Create VIA Client WLAN Profile 4. Expand the new WLAN profile and click SSID Profile. In the profile details page, select New from the SSDI Profile drop-down box and enter a name for the SSID profile. 5. In the Basic tab, enter the network name (SSID) and select 802.11 security settings. Click the Apply button to continue. Figure 68 VIA - Configure the SSID Profile 6. You can now configure the SSID profile by select the SSID profile under VIA Client WLAN Profile option.
PAGE 426

The VIA client WLAN profile are similar to the authentication settings used to set up a wireless network in Microsoft Windows. The following table shows the Microsoft Windows equivalent settings: Table 77 Configure VIA client WLAN profile Option Description EAP-PEAP options Select the following options, if the EAP type is PEAP (Protected EAP):  validate-server-certificate: Select this option to validate server certificates.  enable-fast-reconnect: Select this option to allow fast reconnect.
PAGE 427

Figure 70 VIA - Customize VIA logo, Landing Page, and download VIA Installer Your company logo here Download VIA Installer and Version File To download the VIA installer and version file: 1. Navigate to Configuration > Advanced Services > VPN Services > VIA tab. 2. Under VIA installers for various platforms section, click ansetup.msi to download the installation file.Using CLI to Configure VIA Customize VIA Logo To use a custom logo on the VIA download page and the VIA client: 1.
PAGE 428

Using CLI to Configure VIA The following steps illustrate configuring VIA using CLI. Install your Policy Enforcement Firewall Virtual Private Network (PEFV) license key. For detailed information on the VIA command line options, see the Dell PowerConnect W-Series ArubaOS 6.1 Command Reference Guide.
PAGE 429

(host) (VIA Client WLAN Profile "via_corporate_wpa2") #ssid-profile "via_corporate_ssid" For detailed configuration parameter information, see “wlan client-wlan-profile” command in the Dell PowerConnect W-Series ArubaOS 6.1 Command Reference Guide. Customize VIA logo, landing page and downloading installer This step can only be performed using the WebUI. See “Re-branding VIA and Downloading the Installer” on page 426.. Dell PowerConnect W-Series ArubaOS 6.
PAGE 430

| Virtual Intranet Access Dell PowerConnect W-Series ArubaOS 6.
PAGE 431

Chapter 19 MAC-based Authentication This chapter describes how to configure MAC-based authentication on the Dell controller using the WebUI. Use MAC-based authentication to authenticate devices based on their physical media access control (MAC) address. While not the most secure and scalable method, MAC-based authentication implicitly provides an addition layer of security authentication devices.
PAGE 432

Using the WebUI to configure a MAC authentication profile 1. Navigate to the Configuration > Security > Authentication > L2 Authentication page. 2. Select MAC Authentication Profile. 3. Enter a profile name and click Add. 4. Select the profile name to display configurable parameters. 5. Configure the parameters, as described in Table 78. 6. Click Apply.
PAGE 433

Chapter 20 Control Plane Security ArubaOS supports secure IPsec communications between a controller and campus APs using public-key selfsigned certificates created by each master controller. The controller certifies its APs by issuing them certificates. If the master controller has any associated local controllers, the master controller sends a certificate to each local controller, which in turn sends certificates to their own associated campus APs.
PAGE 434

The default automatic certificate provisioning setting requires that you manually enter each AP’s information into the campus AP whitelist. If you change the default automatic certificate provisioning values to let the controller send certificates to all APs on the network, that new setting ensures that all valid APs will receive a certificate, but also increases the chance that a rogue or unwanted AP will also be certified.
PAGE 435

Table 79 Control Plane Security Parameters (Continued) Parameter Addresses Allowed for Auto Cert Description If your controller has a publicly accessible interface, you should identify the campus APs by IP address range. This will prevent the controller from sending certificates to external or rogue campus APs that may attempt to access your controller through that interface.
PAGE 436

certified on the network will also be included in the campus AP whitelist, but these APs will appear in an unapproved state. Use the campus AP whitelist to grant valid APs secure access to the network, or to revoke access from suspected rogue APs. When you revoke or remove an AP from the campus AP whitelist on a controller that uses control plane security, that AP will not be able to communicate with the controller again, except to obtain a new certificate.
PAGE 437

Table 81 View Campus AP Whitelist Parameters (Continued) Parameter Description State The Campus AP Whitelist reports one of the following states for each campus AP:  unapproved-no-cert: AP has no certificate and is not approved.  unapproved-factory-cert: AP has a preinstalled certificate that was not approved.  approved-ready-for-cert: The AP has been approved as a valid campus AP and is ready to receive a certificate.  certified-factory-cert: The AP is already has a factory certificate.
PAGE 438

2. Click the Campus AP Whitelist tab. 3. Select the checkbox by the entry for the AP you want to edit, then click Modify. If your campus AP whitelist is large and you cannot immediately locate the AP entry you want to edit, select the Search link by the upper right corner of the whitelist. The Campus AP Whitelist tab will display several fields that allow you to search for an AP with a specified MAC address, certificate type or state.
PAGE 439

whitelist-db cpsec revoke mac-address revoke-text <"revoke text"> Deleting an AP Entry from the Campus AP Whitelist Before you delete an AP entry from the campus whitelist, verify that auto certificate provisioning is either no longer enabled, or only enabled for IP addresses that do not include the AP being removed.
PAGE 440

Table 83 Control Plane Security Whitelists (Continued) Master Switch Whitelist Local Switch Whitelist The campus AP whitelist contains an entry for every secure campus AP on the network, regardless of the controller to which it is connected. The master switch whitelist is empty, and does not appear in the WebUI. The local switch whitelist contains an entry for each associated local controller.
PAGE 441

show whitelist-db cpsec-seq Viewing and Managing the Master or Local Switch Whitelists The following sections describe the commands to view and delete entries in a master or local switch whitelist. Viewing the Master or Local Switch Whitelist To view the master or local switch whitelists via the WebUI, use the procedure below: 1. Access the controller’s WebUI, and navigate to Configuration>Controller. 2. Select the Control Plane Security tab.
PAGE 442

1. Access the controller’s WebUI, and navigate to Configuration>Controller. 2. Select the Control Plane Security tab. 3. To delete an entry from the Local Switch Whitelist: In the Local Switch List For AP Whitelist Sync section, click the Delete button by each controller entry you want to remove. -orTo delete an entry from the Master Controller Whitelist: In the Master Switch List For AP Whitelist Sync section, click the Delete button by each controller entry you want to remove. 4.
PAGE 443

 Automatic Synchronization: Schedule automatic database backups using the database synchronize period CLI command in config mode. CAUTION: If you add a new backup controller to an existing controller, the backup controller must be added as the lower priority controller. If the backup controller is not added as a lower priority controller, your control plane security keys and certificates may be lost.
PAGE 444

2. Click the Cluster Setting tab. 3. For the cluster role, select Root. 4. In the Cluster Member IPsec Keys section, enter the switch IP address of a member controller in the cluster. If you want to use a single key for all member controllers, use the IP address 0.0.0.0. 5. In the IPsec Key and Retype IPsec Key fields, enter the IPsec key for communication between the specified member controller and the cluster root. 6. Click Add. 7.
PAGE 445

ipsec-custom-cert master-mac1 [master-mac2 ] ca-cert server-cert [suite-b ] In this command the parameter is the IP address of the root master controller in the cluster. If you are using an IPsec key, the parameter in this command must be have the same value as the key defined for the cluster member via the cluster-member-ip command. Viewing Controller Cluster Settings To view your current cluster configuration via the WebUI: 1.
PAGE 446

Access the command-line interface on the old local controller and issue the command whitelist-db cpsec purge -orAccess the local controller WebUI, navigate to Configuration>AP Installation>Campus AP Whitelist and click Purge. 3. Once the campus AP whitelist has been purged, you must inform the master controller that the local controller will no longer be available. .
PAGE 447

Replacing a Redundant Master Controller The control plane security feature requires you to synchronize databases from the primary master controller to the backup master controller at least once after the network is up at running. This will ensure that all certificates, keys and whitelist entries are synchronized to the backup controller. Since the AP whitelist may change periodically, the network administrator should regularly synchronize these settings to the backup controller.
PAGE 448

6. Remove the old cluster member from the network. Remember, that controller will still have campus AP whitelist entries from the entire cluster. You may want to delete or revoke unwanted entries from the campus AP whitelist. Now, you must install the new cluster member controller according to the procedure described in “Creating a Cluster Member” on page 444. The new cluster member obtains a certificate from the cluster root when it first becomes active. 7.
PAGE 449

Replacing a Redundant Cluster Root Controller Dell recommends using a backup controller with your cluster root controller. If your cluster root has a backup controller, you can replace the backup cluster root without having to reboot all cluster master and local controllers, minimizing network disruptions. The control plane security feature requires you to synchronize databases from the primary controller to the backup controller at least once after the network is up at running.
PAGE 450

Table 86 Control Plane Security Upgrade Strategies Automatically send Certificates to Campus APs Manually Certify Campus APs 1. Access the control plane security window and enable both 1. Identify the campus APs that should receive certificates by entering the campus APs’ MAC addresses in the campus AP the control plane security feature and the auto certificate whitelist. provisioning option.
PAGE 451

by accessing the controller’s command-line interface and issuing the command show tpm cert-info. If the controller has a valid certificate, the output of the command should appear similar to the output in the example below.
PAGE 452

Figure 74 Sequence numbers on Master and Local Controllers Supported APs The control plane security feature is supported on AP modelsW-AP105 andW-AP120 Series, W-AP130 Series, and W-AP175. APs that do not support control plane security will not be able to connect to a controller enabled with this feature. Rogue APs If you enable auto certificate provisioning enabled with the Auto Cert Allow All option, any AP that appears on the network will receive a certificate.
PAGE 453

Chapter 21 Adding Local Controllers This chapter explains how to expand your network by adding a local controller to a master controller configuration. Typically, this is the first expansion of a network with just one controller (which is a master controller). This chapter is a basic discussion of creating master-local controller configurations. More complicated multi-controller configurations are discussed in other chapters.
PAGE 454

encryption. For details and requirements for Suite-B encryption, see “Configuring an SSID for Suite-B cryptography” on page 152. Configuring a Preshared Key Leaving the PSK set to the default value exposes the IPSec channel to serious risk, therefore you should always configure a unique PSK for each controller pair. Sharing the same PSK between more than two controllers increases the likelihood of compromise. If one controller is compromised, all controllers are compromised.
PAGE 455

Using the CLI to configure a PSK Master Controller On the master controller you can configure a specific IPSec PSK for a local controller and use the localip 0.0.0.0 ipsec command: NOTE: You need to change the secret key to a non-default PSK key value even if you use a per-local controller PSK key configuration. localip 0.0.0.0 ipsec localip ipsec Local Controller On the local controller the secret key (PSK) must match the master controller’s PSK.
PAGE 456

4. For those APs that need to boot off the local controller, configure the LMS IP address to point to the new local controller. 5. Reboot the APs that are already on the network, so that they now connect to the local controller. These steps are explained below. Configuring the Local Controller You configure the role of a controller by running the initial setup on an unconfigured controller, or by using the WebUI, Controller Wizard, or CLI on a previously-configured controller.
PAGE 457

Ensure that the master controller recognizes the new controller as its local controller. The local controller should be listed with type local in the Monitoring > Network > All WLAN Controllers page on the master. It takes about 4 – 5 minutes for the master and local controllers to synchronize configurations. Configuring Trusted Ports On the local controller, navigate to the Configuration > Network > Ports page and make sure that the port on the local controller connecting to the master is trusted.
PAGE 458

3. Select the AP system profile you want to modify. 4. Enter the controller IP address in the LMS IP field. 5. Click Apply. Using the CLI to configure the LMS IP ap system-profile lms-ip ap-group ap-system-profile ap-name ap-system-profile 458 | Adding Local Controllers Dell PowerConnect W-Series ArubaOS 6.
PAGE 459

Chapter 22 Remote Nodes A remote node (RN) is an easy-to-provision controller that can get its local and global configuration and license limits from a central controller called a remote node controller (RNC). You define configuration settings for each RN via an remote-node profile on the RNC, which can be either a local controller or a master controller. Each RN configuration profile defines values for VLANs, VLAN interfaces, GRE tunnels, and management users for one or more RNs.
PAGE 460

a master controller with two local controllers configured as RNCs. Each RNC in this example manages two individual RNs. Figure 75 Remote Nodes in a Network Once you have decided which controller you want to configure as a RN, follow the steps below to create a new remote-node profile and activate that profile by validating that it has been correctly configured. Note that you can only create a remote note profile via the command-line interface; there is no WebUI support for this feature.
PAGE 461

Table 87 Configuration Commands Available in Remote-Node Profile Mode (Continued) Command Description controller-ip loopback vlan Configure the controller IP. For details on using this command, see “controller-ip” on page 175. dialer group Dialer group profile associated with this RN profile. instance Configure the RN MAC address. interface Configure the RN interface  cellular—Configure the cellular Interface.  fastethernet—Configure the FastEthernet (IEEE 802.3) interface.
PAGE 462

defined on the RNC. Remote Node address pools are pushed out to each RN when it comes up on the network. If a RN is removed from the RNC, the IP addresses allocated to that RN can be reused and reassigned to a new RN. An RNC must have a separate VLAN pool defined for each VLAN used by its RNs. A VLAN pool allocates a static, continuous block of multiple IP addresses to each RN. The RN will act as a DNS proxy server and dynamically assign IP addresses from its allocated pool to each AP or client on the VLAN.
PAGE 463

Create a remote node profile remote-node-profile remote-node-pilot-620 model 620 controller-ip vlan 10 Define VLANs for a remote node profile and assign a wired aaa profile to each VLAN vlan 10 vlan 20 vlan 10 wired aaa-profile "corp-captive-portal" vlan 20 wired aaa-profile "guest-captive-portal" interface fastethernet "1/4" switchport access vlan 20 trusted ip access-group "wired-source-nat" session ! Identify the RN interfaces to be used as access ports for each VLAN The following commands make those p
PAGE 464

operstate up ! interface vlan 10 ip address internal ! Manage and configure the uplink network connection uplink wired vlan 2 interface tunnel 1 tunnel source controller-ip tunnel destination remote-node-master-ip ip address internal ip ospf area 1.1.1.1 trusted ! Configure the uplink network connection and define a static IPsec route map no ip ip ip spanning-tree route 10.100.0.0 255.255.0.0 ipsec "default-boc-bm-ipsecmap" route 10.1.0.0 255.255.0.0 ipsec "default-boc-bm-ipsecmap" route 10.0.0.0 255.0.
PAGE 465

Define DHCP pools for a RN tunnel remote-node-dhcp-pool tunnel1 pool-type tunnel 1 domain-name arubanetworks.com range startip 1.1.1.0 endip 1.1.2.0 hosts 1 ! Define RN DHCP pools for each VLAN remote-node-dhcp-pool vlan10 pool-type vlan 10 domain-name arubanetworks.com range startip 10.71.10.0 endip 10.71.11.0 hosts 16 ! remote-node-dhcp-pool vlan20 pool-type vlan 20 domain-name arubanetworks.com range startip 10.71.20.0 endip 10.71.21.
PAGE 466

interface vlan 20 ip address 10.71.20.241 255.255.255.240 interface vlan 20 operstate up interface vlan 10 interface vlan 10 ip address 10.71.10.241 255.255.255.240 uplink wired vlan 2 interface tunnel 1 interface tunnel 1 tunnel source controller-ip interface tunnel 1 tunnel destination remote-node-master-ip interface tunnel 1 ip address 1.1.1.61 255.255.255.252 interface tunnel 1 ip ospf area 1.1.1.1 interface tunnel 1 trusted no spanning-tree ip route 10.100.0.0 255.255.0.
PAGE 467

Adding an RN to the whitelist To add an RN to the RN whitelist, access the command-line interface of the RNC, enter enable mode, then issue the command local-userdb-remote-node add mac-address remote-node-profile where is the MAC address of the RN in colon-separated six-octet format, and is the name of the RN configuration profile you want to assign to that RN.
PAGE 468

Table 89 RN Provisioning Checklist Parameter Description Your Setting Name Name of the RN Date/Time and Country Code Current date and time at the RN’s location and the country code. If you want the RN to take its date and time settings from a NTP server, specify the IP address of that server. IP address of the RNC IP address of the RNC, in dotteddecimal format. Shared key Shared key to communicate with the RNC controller.
PAGE 469

Monitoring a Remote Node You can monitor an RN from its RNC WebUI. Although a management user can access the RN monitoring page via the RN WebUI, the WebUI is disabled on the RN itself. To access the RN directly, you must use the RN command-line interface.
PAGE 470

RN Troubleshooting The All WLAN controllers table in the RNC WebUI and the output of the show switches command in the RNC CLI include the Config ID for each RN. Each time the RNC sends a configuration update to any associated RN or local controller, the RNC increases its Config ID by one. When an RN or local controller acknowledges that the configuration change has been sent, the RNC increases the Config ID for that RN or local controller by one also.
PAGE 471

Chapter 23 IP Mobility A mobility domain is a group of Dell controllers among which a wireless user can roam without losing their IP address. Mobility domains are not tied with the master controller, thus it is possible for a user to roam between controllers managed by different master controllers as long as all of the controllers belong to the same mobility domain. You enable and configure mobility domains only on Dell controllers.
PAGE 472

3. The foreign agent delivers traffic to the mobile client. 4. Traffic sent by Mobile Client B is also tunneled back to the home agent. Figure 77 Routing of Traffic to Mobile Client within Mobility Domain Mobile Client B Client’s Home Network 3 2 4 Home Agent Foreign Agent 1 Foreign Network Host A Configuring Mobility Domains Before configuring a mobility domain, you should determine the user VLAN(s) for which mobility is required.
PAGE 473

Configuring a Mobility Domain You configure mobility domains on master controllers. All local controllers managed by the master controller share the list of mobility domains configured on the master. Mobility is disabled by default and must be explicitly enabled on all controllers that will support client mobility. Disabling mobility does not delete any mobilityrelated configuration. The home agent table (HAT) maps a user VLAN IP subnet to potential home agent addresses.
PAGE 474

Make sure that the ESSID to which the mobile client will connect supports IP mobility. You can disable IP mobility for an ESSID in the virtual AP profile (IP mobility is enabled by default). If you disable IP mobility for a virtual AP, any client that associates to the virtual AP will not have mobility service. Joining a Mobility Domain Assigning a controller to a specific mobility domain is the key to defining the roaming area for mobile clients.
PAGE 475

Figure 78 Example Configuration: Campus-Wide Controller B 10.2.1.245 Controller A 10.1.1.245 (Master) Controller C 10.1.3.245 This example uses the “default” mobility domain for the campus-wide roaming area. Since all controllers are initially included in the default mobility domain, you do not need to explicitly configure “default” as the active domain on each controller. Configuring Mobility using the WebUI On controller A (the master controller): 1.
PAGE 476

On controllers B and C: 1. Navigate to the Configuration > Advanced Services > IP Mobility page. 2. Select the Enable IP Mobility checkbox. 3. Click Apply. Configuring Mobility using the CLI On controller A (the master controller): ip mobile domain default hat 10.1.1.0 255.255.255.0 hat 10.1.1.0 255.255.255.0 hat 10.1.2.0 255.255.255.0 hat 10.1.3.0 255.255.255.0 hat 10.2.1.0 255.255.255.0 hat 10.2.2.0 255.255.255.0 hat 10.2.3.0 255.255.255.0 hat 10.3.1.0 255.255.255.0 hat 10.3.2.0 255.255.255.0 hat 10.3.3.
PAGE 477

Roaming status can be one of the following: Table 92 Client Roaming Status Roaming Status Type Description Home Switch/Home VLAN This controller is the home agent for a station and the client is on the VLAN on which it has an IP address. Mobile IP Visitor This controller is not the home agent for a client. Mobile IP Binding (away) This controller is the home agent for a client that is currently away.
PAGE 478

Viewing specific client information using the CLI show ip mobile trace | Mobile Client Roaming Locations You can view information about where a mobile user has been in the mobility domain. This information can only be viewed on the client’s home agent. In the WebUI 1. Navigate to the Monitoring > controller > Clients page. 2. Click Status. The mobility state section contains information about the user locations.
PAGE 479

Table 94 IP Mobility Configuration Parameters (Continued) Parameter Description Foreign Agent lifetime Requested lifetime, in seconds, as per RFC 3344, “IP Mobility Support for IPv4”. The range of allowed values is 10-65534 seconds. The default setting is 180 seconds. Max. Visitors Allowed Set a maximum allowed number of active visitors. The range of allowed values for this option is 05000 visitors. The default setting is 5000 visitors.
PAGE 480

Table 94 IP Mobility Configuration Parameters (Continued) Parameter Description Max. Station Mobility Events per Second Maximum number of mobility events (events that can trigger mobility) handled per second. Mobility events above this threshold are ignored. This helps to control frequent mobility state changes when the client bounces back and forth on APs before settling down. The allowed range of values is 1-65535 events, and the default value is 25 events.
PAGE 481

}| event-threshold | log-trail | no-service-timeout | onassociation |re-home | stale-timeout | stand-alone-AP | trail-length |trail-timeout To configure revocation functionality, use the following command: ip mobile revocation {interval |retransmits To enable packet trace for a given MAC address, use the following command: ip mobile packet-trace Proxy Mobile IP The proxy mobile IP module in a mobility-enabled contr
PAGE 482

The bridge mode mobility feature facilitates client mobility on up to 32 layer-2 connected APs by allowing the APs to communicate and share user state as the user roams from AP to AP. This mechanism is always enabled when an AP is set to bridge mode, and it requires that all of the APs where roaming will occur be on the same Layer 2 segment. Figure 79 Bridge Mode Mobility The roaming process occurs as follows: 1. A client begins to roam from AP1 and starts an association with AP2. 2.
PAGE 483

Mobility Multicast Internet Protocol (IP) multicast is a network addressing method used to simultaneously deliver a single stream of information from one sender to multiple clients on a network. Unlike broadcast traffic, which is meant for all hosts in a single domain, multicast traffic is sent only to those specific hosts who are configured to receive such traffic. Clients who want to receive multicast traffic can join a multicast group via IGMP messages.
PAGE 484

Figure 80 Inter-controller Mobility 1. The local controller uses its VLAN 10 IP address to join multicast group1 on behalf of a mobile client. 2. The mobile client leaves its local controller and roams to VLAN 50 remote controller A. Remote controller A locates the mobile client's local controller and learns about the client's multicast groups. Remote controller A then joins group1 on behalf the mobile client, using its VLAN 50 source IP.
PAGE 485

6. Click Apply to apply your changes. 7. (Optional) Repeat steps 1-6 above to configure mobility multicast for another VLAN interface. Configuring Mobility Multicast Using the CLI The following command enables IGMP and/or IGMP snooping on this interface, or configures a VLAN interface for uninterrupted streaming of multicast traffic.
PAGE 486

| IP Mobility Dell PowerConnect W-Series ArubaOS 6.
PAGE 487

Chapter 24 VRRP The underlying mechanism for the Dell redundancy solution is the Virtual Router Redundancy Protocol (VRRP).
PAGE 488

Table 96 VRRP Parameters (Continued) Parameter Description Delay Specifying a value enables the delay timer. The timer is triggered when the VRRP state moves out of backup or init state to become a master. This is applicable only if router pre-emption is enabled. When the timer is triggered, it forces VRRP to wait for a specified period of time, so that all the applications are ready before coming up. This prevents the APs from connecting to the controller before it can receive them.
PAGE 489

In the WebUI 1. Navigate to the Configuration > Advanced Services > Redundancy page on the WebUI for each of the local controllers. 2. Under Virtual Router Table, click Add to create a VRRP instance. 3. Enter the IP Address for the virtual router. Select the VLAN on which VRRP will run. Set the Admin State to Up. 4. Click Done to apply the configuration and add the VRRP instance.
PAGE 490

The master controller is also responsible for providing the configuration for any AP to complete its boot process. If the master controller becomes unavailable, the network continues to run without any interruption. However, any change in the network topology or configuration will require the availability of the master controller. To maintain a highly redundant network, the administrator can use a controller to act as a hot standby for the master controller.
PAGE 491

NOTE: All the APs and local controllers in the network should be configured with the virtual IP address as the master IP address. The master IP address can be configured for local controllers during the Initial Setup. The controller will require a reboot after changing the master IP on the controller.
PAGE 492

Incremental Configuration Synchronization Typically when the master and the local is synchronized, the complete configuration is sent to the local. You can, now send only the incremental updates to the local by using the following CLI commands In the CLI Use the following commands for incremental configuration synchronization: Table 99 Incremental Configuration Synchronization Commands Command Description cfgm set sync-type The master sends full configuration file to the local.
PAGE 493

Figure 81 Redundant Topology: Master-Local Redundancy The network in Figure 81, the master controller is connected to the local controllers on VLANs 1 through n through a Layer-2 network. To configure redundancy as described in the conceptual overview for master-local redundancy, configure VRRP instances on each of the VLANs between the master and the respective local controller.
PAGE 494

preempt authentication password description local-backed-by-master no shutdown To configure APs, configure the appropriate virtual IP address (depending on which controller is expected to control the APs) for the LMS IP address parameter in the AP system profile for an AP group or specified AP. As an example, the administrator can configure APs in the AP group “floor1” to be controlled by local controller 1, APs in the AP group “floor2” to be controlled by local controller 2 and so on.
PAGE 495

Chapter 25 RSTP Dell’s implementation of Rapid Spanning Tree Protocol (RSTP) is as specified in 802.1w with backward compatibility to legacy Spanning Tree (STP) 802.1D. RSTP takes advantage of point-to-point links and provides rapid convergence of the spanning tree. RSTP is enabled by default on all Dell controllers. Migration and Interoperability Dell’s RSTP implementation interoperates with PVST (Per VLAN Spanning Tree 802.1D) and Rapid-PVST (802.1w) implementation on industry-standard router/switches.
PAGE 496

In addition to port state changes, RSTP introduces port roles for all the interfaces (see Table 101). Table 101 Port Role Descriptions RSTP (802.1w) Port Role Description Root The port that receives the best BPDU on a bridge. Designated The port can send the best BPDU on the segment to which it is connected. Alternate The port offers an alternate path, in the direction of root bridge, to that provided by bridge’s root port.
PAGE 497

Figure 82 Configuring RSTP Since RSTP is enabled by default, the default values appear in the WebUI. Table 102 list the RSTP defaults and ranges (when applicable) in the configuration interface mode (config-if). Table 102 RSTP Default Values Feature Default Value/Range Port Cost The RSTP interface path cost.
PAGE 498

point-to-point port-priority portfast Set interface as point-to-point link Change an interface's spanning tree priority Allow a change from blocking to forwarding Monitoring RSTP Statistical information for point-to-point, role, BPDU etc. can be viewed from the WebUI (see Figure 83). Figure 83 Monitoring RSTP Troubleshooting The following points give some troubleshooting tips.  The show spantree command displays the root and the bridge information; verify that they are correct.
PAGE 499

case, Tx counter will keep incrementing while Rx counter will remain the same. It is quite opposite for a port with role as “root/alternate/backup”.
PAGE 500

| RSTP Dell PowerConnect W-Series ArubaOS 6.
PAGE 501

Chapter 26 PVST+ PVST+ (Per-VLAN Spanning Tree Plus) provides for load balancing of VLANs across multiple ports resulting in optimal usage of network resources. PVST+ also ensures interoperability with industry accepted PVST+ protocols. NOTE: By default, PVST+ is disable.
PAGE 502

6. Configure PVST+ on a range of VLANs using the VLAN IDs (coma separated or hyphen separated) spanning-tree vlan range 2-6,11 Configure using the WebUI From the WebUI, add a VLAN instance and enable PVST+ 502 | PVST+ Dell PowerConnect W-Series ArubaOS 6.
PAGE 503

Chapter 27 W-600 Series Controller The W-600 Controller Series is designed for compact, cost-effective "all-in-one" networking solutions. The W600 Series includes a firewall, wireless LAN controller, 9-port (8-port for the W-650 and W-651) Ethernet switch with PoE+, IP router, site-to-site VPN edge device, file server, and print server. Additionally, the W-651 controller includes an integrated single radio dual-band (802.11 a/n or 802.11 b/g/n) wireless internal Access Point (AP).
PAGE 504

 Sharing disks that contain errors may cause unpredictable behavior. Scan the disk for errors before mounting the disks to a W-600 Series.  Un-mount all partitions before disconnecting the disk from the controller.  Detection of devices connected to an external USB hub may be unpredictable.  A USB hard disk connected to the controller via an USB ExpressCard adapter is not supported. Internal Access Point (AP) The W-651 controller includes an internal AP.
PAGE 505

Figure 84 Cellular Profile Commands (host) (config) # cellular profile profile_name (host) (config-cellular dialer driver import modeswitch no priority serial tty user vendor profile_name)# ? Dialer group settings Cellular modem driver Import USB device parameters USB device modeswitch settings Delete Command Override default priority USB device serial Modem TTY port User name authentication USB Vendor ID (host) (config-cellular profile_name)# Figure 85 list the Uplink commands.
PAGE 506

Figure 87 WebUI Uplink Manager You can enable/disable the uplink to overwrite cellular and wired uplink priority. The corresponding commands are: (host) (config)# uplink [enable | disable] (host) (config)# uplink [cellular | wired] priority [x] Cellular Profile The Cellular Profile tab allows you to add/modify/delete one or more cellular profiles. The WebUI screen for Cellular Profile is divided into the Cellular Profile Table (the top portion) and the Modify Cellular Profile (the bottom portion).
PAGE 507

Figure 88 Cellular Profile from the WebUI Dialer Group Use the Dialer Group command to configure EVDO devices that require specific input for the initial string (initstring) and dial string. When adding or modifying an existing dialer group (see Figure 89), the WebUI executes the following commands: (host) (config-cellular profile_name)# dialer group init-string (host) (config-cellular profile_name)# dialer group dial-string Dell PowerConnect W-Series ArubaOS 6.
PAGE 508

Figure 89 Configuring Dialer Group Configuring a Supported USB Modem If your USB Modem is a validated modem, then no configuration is needed. Just follow the “plug and play” steps below. 1. Insert the USB Modem into an open USB port. 2.
PAGE 509

Figure 92 show uplink (host) #show uplink Id Uplink Type Properties -- ----------- ---------1 Wired vlan 1 2 Cellular Novatel_U727 (host) # Priority State ------- ----200 Connected 100 Standby Status -----* Active * Ready Cellular uplinks have a lower priority than wired links by default. You can change the default by changing the profile-specific priority or by changing the default cell priority. Figure 93 uplink cellular priority (host) (config) #uplink cellular priority 201 (host) (config) # 4.
PAGE 510

If your modem is not recognized (such as “type is unknown”, “no matching profile”, or “device not ready”), use the show usb verbose (Figure 95) command to verify your modem is listed. Figure 95 show usb verbose for profile and driver (host) #show usb verbose ... T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1410 ProdID=4100 Rev= 0.00 S: Manufacturer=Novatel Wireless Inc.
PAGE 511

If you get entries similar to the example below: Figure 98 Driver=(none) (host) #show usb verbose ... I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) ... This means the driver does not work with these ports. Try the other drivers and see if they pick up the device. Airprime is the reliable catch-all driver, Sierra is for certain Sierra cards, and cdc-acm is a legacy abstract control modem driver.
PAGE 512

Figure 102 Port I/O error (host) (support)#show usb test 16 ttyUSB4 Error: Port I/O error. TTY port usb/16/ttyUSB4 inaccessible (host) (support)# Once you find one (or more) modem TTY port, configure it in the cellular profile and test the port. Testing the TTY Port After your TTY port is correctly configured, the port is in the 'Device Ready' state.
PAGE 513

Figure 105 show dialer group example (host)# show dialer group Dialer Group Table -----------------Name Init String -------------evdo_us ATQ0V1E0 gsm_us AT+CGDCONT=1,"IP","ISP.CINGULAR" (host)# Dial String ----------ATDT#777 ATD*99# The ATD, in the Dial String column in Figure 105, specifies the number to dial, and is typically the same among respective CDMA/GSM carriers.
PAGE 514

USB Device Table ---------------Address Product Vendor ProdID Serial Type Profile State ------- ------- ------ ------ ------ ---- ------- ----- 5 OneTouch 0d49 7350 2HAS49ZZ Storage 0424 2502 03f0 7317 3 4 HP LaserJet P3005 Hub CNH1D00105 Printer Configuring in the CLI 1. Login as admin and switch to config mode. 2. Enter the command below to enable NAS service: (host)(config)# service network-storage 3.
PAGE 515

Users can now access the connected storage device from the filesystem path. For example: \\\\\ Managing NAS Devices The following commands are available for managing a NAS devices after they are mounted and configured in the controller. For more details on these command, see the Command Line Reference Guide.
PAGE 516

Table 104 Multi-function Media Eject Button Initial State LED State Action Status LED Function LED Action Completed NAS Media Operational Green-solid Press and hold media eject button for 1 to 5 seconds only Amber-flashing Un-mount all NAS media Amber-solid NAS Media Unmounted Amber-solid Press and hold media eject button for 1 to 5 seconds only Amber-flashing Mount all attached NAS devices, and return to fully functional operation Green-solid Operational Green-solid Press and hold media
PAGE 517

6. Defining printer job storage—To view the maximum number of jobs that can be saved in the memory, type: (host) (config)# network-printer max-jobs <1-50> The W-600 Series controller will support a storage of 50 jobs. You can now access the printer from their clients. For example: \\\ Additional Commands for Managing Printers The following commands are available for managing a printer after they are configured in the controller.
PAGE 518

Sample Topology and Configuration Figure 106 uses both the W-650 and W-651 controller to illustrate this example topology. Where the W-650 is used, a W-620 could be used just as effectively. Figure 106 W-600 Series Topology Remote Branch 1 User/AP Vlans/SW-IP: SW-IP: 192.168.30.1 Vlan-30: 192.168.30.x Vlan-31: 192.168.31.x Vlan-32: 192.168.32.x W-651 Enterprise/HQ SW-IP: 192.168.225.1 Vlan-225: 192.168.225.x Vlan-100: 192.168.100.x Vlan-68: 192.168.68.x UplinkVlan: 192.168.16.
PAGE 519

! interface gigabitethernet 1/3 description "GE1/3" trusted switchport access vlan 32 ! interface vlan 16 ip address 192.168.16.251 255.255.255.0 ! interface vlan 30 ip address 192.168.30.1 255.255.255.0 ! interface vlan 31 ip address 192.168.31.1 255.255.255.0 ! interface vlan 32 ip address 192.168.32.1 255.255.255.0 ! uplink wired priority 202 uplink cellular priority 201 uplink wired vlan 16 interface tunnel 2003 description "Tunnel Interface" ip address 2.0.0.3 255.0.0.0 tunnel source 192.168.30.
PAGE 520

switchport access vlan 51 ! interface gigabitethernet 1/3 description "GE1/3" trusted switchport access vlan 52 ! interface vlan 20 ip address 192.168.20.1 255.255.255.0 ! interface vlan 50 ip address 192.168.50.1 255.255.255.0 ! interface vlan 51 ip address 192.168.51.1 255.255.255.0 ! interface vlan 52 ip address 192.168.52.1 255.255.255.0 ! uplink wired priority 206 uplink cellular priority 205 uplink wired vlan 20 interface tunnel 2005 description "Tunnel Interface" ip address 2.0.0.5 255.0.0.
PAGE 521

switchport access vlan 68 ! interface vlan 68 ip address 192.168.68.220 255.255.255.0 ! interface vlan 100 ip address 192.168.100.1 255.255.255.0 ! interface vlan 225 ip address 192.168.225.2 255.255.255.0 ! interface tunnel 2003 description "Tunnel Interface" ip address 2.1.0.3 255.0.0.0 tunnel source 192.168.225.2 tunnel destination 192.168.30.1 trusted ip ospf area 10.10.10.10 ! interface tunnel 2005 description "Tunnel Interface" ip address 2.1.0.5 255.0.0.0 tunnel source 192.168.225.
PAGE 522

! W-3200 Central Office Controller—Backup localip 0.0.0.0 ipsec db947e8d1b383813a4070ab0799fa6246b80fc5cfcc3268f controller-ip vlan 225 ! interface gigabitethernet 1/0 description "GE1/0" trusted switchport access vlan 225 ! interface gigabitethernet 1/1 description "GE1/1" trusted switchport access vlan 100 ! interface gigabitethernet 1/2 description "GE1/2" trusted switchport access vlan 68 ! interface vlan 68 ip address 192.168.68.221 255.255.255.224 ! interface vlan 100 ip address 192.168.100.5 255.
PAGE 523

no shutdown ! vrrp 2 priority 99 ip address 192.168.225.9 vlan 225 tracking vlan 68 sub 40 tracking vlan 100 sub 40 tracking vlan 225 sub 40 no shutdown ! ip default-gateway 192.168.68.1 ip route 192.168.0.0 255.255.0.0 null 0 ! router ospf router ospf router-id 192.168.225.1 router ospf area 10.10.10.10 stub router ospf redistribute vlan 100,225 ! Upgrading and Migrating The W-600 Series Controllers require ArubaOS 3.4 or later. ArubaOS releases prior to ArubaOS version 3.4.
PAGE 524

| W-600 Series Controller Dell PowerConnect W-Series ArubaOS 6.
PAGE 525

Chapter 28 OSPFv2 OSPFv2 (Open Shortest Path First) is a dynamic Interior Gateway routing Protocol (IGP) based on IETF RFC 2328. The premise of OSPF is that the shortest or fastest routing path is used. Dell’s implementation of OSPFv2 allows Dell controllers to deploy effectively in a Layer 3 topology. Dell controllers can act as default gateway for all clients and forward user packets to the upstream router.
PAGE 526

WLAN Topology The controller (Figure 107) is configured with VLAN 10 and VLAN 12 as user VLANs. These VLANs have clients on the subnets and the controller is the default router for those clients. VLAN 4 and VLAN 5 both have OSPF enabled. These interfaces are connected to a upstream routers (Router 1 and Router 2). The OSPF interface cost on VLAN 4 is configured lower than VLAN 5. The IDs are:  Dell controller—40.1.1.1  Router 1—50.1.1.1  Router 2—60.1.1.
PAGE 527

In this scenario the default route is normally pointed to the uplink router; in many cases the ISP. Configure the area as stub so that inter-area routes are also advertised enabling the branch office controller to reach the corporate subnets. Branch Office Topology All the OSPF control packets exchanged between the Branch office and the Central office controllers undergo GRE encapsulation before entering the IPsec tunnels.
PAGE 528

The routing table of the Central office controller is below: (host) #show ip route Codes: C - connected, O - OSPF, R - RIP, S - static M - mgmt, U - route usable, * - candidate default Gateway of last resort is 4.1.1.2 to network 0.0.0.0 O* O O C C C 0.0.0.0/0 [1/0] via 4.1.1.2* 14.1.1.0/24 [1/0] via 30.1.1.1* 15.1.1.0/24 [1/0] via 30.1.1.1* 4.1.1.0 is directly connected, VLAN4 5.1.1.0 is directly connected, VLAN5 20.1.1.
PAGE 529

Figure 108 General OSPF Configuration Select the Add button to add an area (see Figure 109). Figure 109 Add an OSPF Area Configure the OSPF interface settings in the Configuration screen (Figure 110). If OSPF is enable, the parameters contain the correct default values. The OSPF values are editable only when OSPF is enabled on the interface. Dell PowerConnect ArubaOS 6.
PAGE 530

Figure 110 Edit OSPF VLAN Settings OSPF monitoring is available from an IP Routing sub-section (Controller > IP Routing > Routing). Both Static and OSPF routes are available in table format. OSPF Interfaces and Neighboring information is available from the OSPF tab. The Interface information includes transmit (TX) and receive (RX) statistics. Deployment Best Practices Below are some guidelines regarding deployment and topology for this release of OSPFv2.
PAGE 531

Sample Topology and Configuration Figure 111 displays a sample OSPF topology followed by sample configurations of the Remote Branch 1, Remote Branch 2, and the W-3200 Central Office Controller (Active and Backup). Figure 111 Sample OSPF Topology Remote Branch 1 User/AP Vlans/SW-IP: SW-IP: 192.168.30.1 Vlan-30: 192.168.30.x Vlan-31: 192.168.31.x Vlan-32: 192.168.32.x Enterprise/HQ SW-IP: 192.168.225.1 Vlan-225: 192.168.225.x Vlan-100: 192.168.100.x Vlan-68: 192.168.68.
PAGE 532

interface gigabitethernet 1/3 description "GE1/3" trusted switchport access vlan 32 ! interface vlan 16 ip address 192.168.16.251 255.255.255.0 ! interface vlan 30 ip address 192.168.30.1 255.255.255.0 ! interface vlan 31 ip address 192.168.31.1 255.255.255.0 ! interface vlan 32 ip address 192.168.32.1 255.255.255.0 ! uplink wired priority 202 uplink cellular priority 201 uplink wired vlan 16 interface tunnel 2003 description "Tunnel Interface" ip address 2.0.0.3 255.0.0.0 tunnel source 192.168.30.
PAGE 533

! interface gigabitethernet 1/3 description "GE1/3" trusted switchport access vlan 52 ! interface vlan 20 ip address 192.168.20.1 255.255.255.0 ! interface vlan 50 ip address 192.168.50.1 255.255.255.0 ! interface vlan 51 ip address 192.168.51.1 255.255.255.0 ! interface vlan 52 ip address 192.168.52.1 255.255.255.0 ! uplink wired priority 206 uplink cellular priority 205 uplink wired vlan 20 interface tunnel 2005 description "Tunnel Interface" ip address 2.0.0.5 255.0.0.0 tunnel source 192.168.50.
PAGE 534

interface vlan 68 ip address 192.168.68.220 255.255.255.0 ! interface vlan 100 ip address 192.168.100.1 255.255.255.0 ! interface vlan 225 ip address 192.168.225.2 255.255.255.0 ! interface tunnel 2003 description "Tunnel Interface" ip address 2.1.0.3 255.0.0.0 tunnel source 192.168.225.2 tunnel destination 192.168.30.1 trusted ip ospf area 10.10.10.10 ! interface tunnel 2005 description "Tunnel Interface" ip address 2.1.0.5 255.0.0.0 tunnel source 192.168.225.2 tunnel destination 192.168.50.
PAGE 535

W-3200 Central Office Controller—Backup localip 0.0.0.0 ipsec db947e8d1b383813a4070ab0799fa6246b80fc5cfcc3268f controller-ip vlan 225 ! interface gigabitethernet 1/0 description "GE1/0" trusted switchport access vlan 225 ! interface gigabitethernet 1/1 description "GE1/1" trusted switchport access vlan 100 ! interface gigabitethernet 1/2 description "GE1/2" trusted switchport access vlan 68 ! interface vlan 68 ip address 192.168.68.221 255.255.255.224 ! interface vlan 100 ip address 192.168.100.5 255.255.
PAGE 536

priority 99 ip address 192.168.225.9 vlan 225 tracking vlan 68 sub 40 tracking vlan 100 sub 40 tracking vlan 225 sub 40 no shutdown ! ip default-gateway 192.168.68.1 ip route 192.168.0.0 255.255.0.0 null 0 ! router ospf router ospf router-id 192.168.225.1 router ospf area 10.10.10.10 stub router ospf redistribute vlan 100,225 ! 536 | OSPFv2 Dell PowerConnect ArubaOS 6.
PAGE 537

Chapter 29 Wireless Intrusion Prevention The ArubaOS Wireless Intrusion Prevention (WIP) features and configurations are discussed in this chapter. WIP offers a wide selection of intrusion detection and protection features to protect the network against wireless threats. Like most other security-related features of the Dell network, the WIP configuration is done on the master controller in the network.
PAGE 538

Figure 112 WIP Wizard Wizard Intrusion Detection Apply the intrusion detection mechanisms for detecting attacks against your infrastructure and clients (see Figure 113). You can either set the detection level to automatically enable the appropriate detection mechanisms or customize the settings for infrastructure and client attacks.
PAGE 539

Figure 113 WIP Wizard’s Intrusion Detection Wizard Intrusion Protection Apply the intrusion protection mechanisms for your infrastructure and clients (see Figure 114). You can set the protection level to automatically enable the appropriate protection mechanisms or customize the settings for your infrastructure and clients.
PAGE 540

To enable custom settings, click the Allow custom settings link to manually enable or disable the protection mechanisms for your clients. To revert to the standard settings from custom settings mode, click the Revert to standard settings link. Figure 114 WIP Wizard Intrusion Protection Monitoring Dashboard The Security Summary dashboard, in the Monitoring section of the WebUI, allows you to monitor the detection and protection of wireless intrusions in your network.
PAGE 541

Figure 115 WIP Monitoring Dashboard Rogue AP Detection The most important WIP functionality is the ability to classify an AP as a potential security threat. An AP is considered to be a rogue AP if it is both unauthorized and plugged into the wired side of the network. An AP is considered to be an interfering AP if it is seen in the RF environment but is not connected to the wired network.
PAGE 542

Table 106 Client Classification Definitions Classification Description Valid Client Any client that successfully authenticates with a valid AP and passes encrypted traffic is classified as a valid client. Manually-contained Client Any clients for which DoS is enabled manually. Interfering Client A client associated to any AP and is not valid.
PAGE 543

 Propagated-Wired-MAC—The MAC addresses of wired devices learned by a different AP than the one that uses it for classifying a rogue.  Base-BSSID-Override—The classification was derived from another BSSID which belongs to the same AP that supports multiple BSSIDs on the radio interface.  AP-Rule—A user defined AP classification rule has matched.  System-Wired-MAC—The MAC addresses of wired devices learned at the controller.
PAGE 544

Example Rules If SSID equals xyz AND SNR > 40 then classify AP as suspected-rogue with conf-level-increment of 20 If SNR > 60 and DISCOVERING_APS > 2, then classify AP as suspected-rogue with conf-level increment of 35 If SSID equals ‘XYZ’, then classify AP as known-neighbor Rule Matching A rule must be enabled before it is matched. A maximum of 32 rules can be created with a maximum of 16 rules active simultaneously.
PAGE 545

Table 107 Infrastructure Detection Summary (Continued) Feature Command Trap Syslog ID Detect Ad hoc Networks ids unauthorized-device-profile detect-adhoc-network wlsxNAdhocNetwork 126033, 127033 Detect Ad hoc Network Using Valid SSID ids unauthorized-device-profile detect-adhoc-using-valid-ssid adhoc-using-valid-ssid-quiettime wlsxAdhocUsingValidSSID 126068, 127068 Detect AP Flood Attack ids dos-profile detect-ap-flood ap-flood-threshold ap-flood-inc-time ap-flood-quiet-time wlsxApFloodAttack
PAGE 546

Table 107 Infrastructure Detection Summary (Continued) Feature Command Trap Syslog ID Detect Overflow IE ids dos-profile detect-overflow-ie overflow-ie-quiet-time wlsxOverflowIEDetected 126084, 127084 Detect Malformed FrameAssoc Request ids dos-profile detect-malformed-assoc-req malformed-assoc-req-quiet-time wlsxMalformedAssocReqDetected 126080, 127080 Detect Malformed FrameAuth ids dos-profile detect-malformed-frame-auth malformed-auth-frame-quiet-time wlsxMalformedAuthFrameDetected 126083,
PAGE 547

Table 107 Infrastructure Detection Summary (Continued) Feature Command Trap Syslog ID Detect Netstumbler ids signature-matching-profile signature ‘Netstumbler Generic’ signature ‘Netstumbler Version 3.3.0.
PAGE 548

Detect AP Impersonation In AP impersonation attacks, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. AP impersonation attacks can be done for man-in-the-middle attacks, a rogue AP attempting to bypass detection, or a honeypot attack. Detect AP Spoofing An AP Spoofing attack involves an intruder sending forged frames that are made to look like they are from a legitimate AP.
PAGE 549

Detect Overflow EAPOL Key Some wireless drivers used in access points do not correctly validate the EAPOL key fields. A malicious EAPOLKey packet with an invalid advertised length can trigger a DoS or possible code execution. This can only be achieved after a successful 802.11 association exchange. Detect Overflow IE Some wireless drivers used in access points do not correctly parse the vendor-specific IE tags.
PAGE 550

Detect Broadcast Disassociation By sending disassociation frames to the broadcast address (FF:FF:FF:FF:FF:FF), an attacker can disconnect all stations on a network for a widespread DoS. Detect Netstumbler NetStumbler is a popular wardriving application used to locate 802.11 networks. When used with certain NICs, NetStumbler generates a characteristic frame that can be detected. Version 3.3.0 of NetStumbler changed the characteristic frame slightly.
PAGE 551

Table 108 Client Detection Summary (Continued) Feature Command Trap Syslog ID Detect Disconnect Station Attack ids dos-profile detect-disconnect-sta disconnect-sta-quiet-time disconnect-sta-assoc-respthreshold disconnect-deauth-disassocthreshold wlsxNDisconnectStationAttack 126035, 127035 Detect EAP Rate Anomaly ids-dos-profile detect-eap-rate-anomaly eap-rate-threshold eap-rate-time-interval eap-rate-quiet-time wlsxEAPRateAnomaly 126032, 127032 Detect FATA-Jack Attack Structure ids dos-
PAGE 552

Table 108 Client Detection Summary (Continued) Feature Command Trap Syslog ID Detect AirJack ids signature-matching-profile signature AirJack wlsxNSignatureMatchAirjack 126046, 127046 wlsxNSignatureMatchAsleap 126044, 127044 wlsxNSignatureMatchNullProbeResp 126045, 127045 ids general-profile signature-quiet-time Detect ASLEAP ids signature-matching-profile signature ASLEAP ids general-profile signature-quiet-time Detect Null Probe Response ids signature-matching-profile signature Null Probe R
PAGE 553

Detect FATA-Jack Attack Structure FATA-Jack is an 802.11 client DoS tool that tries to disconnect targeted stations using spoofed authentication frames that contain an invalid authentication algorithm number. Detect Hotspotter Attack The Hotspotter attack is an evil-twin attack which attempts to lure a client to a malicious AP. Many enterprise employees use their laptop in Wi-Fi area hotspots at airports, cafes, malls etc. They have SSIDs of their hotspot service providers configured on their laptops.
PAGE 554

 Authorized Client associated to Honeypot AP—A honeypot is an AP that is not valid but is using an SSID that has been designated as valid/protected  Authorized Client in ad hoc connection mode—A valid client that has joined an ad hoc network Detect AirJack AirJack is a suite of device drivers for 802.11(a/b/g) raw frame injection and reception. It was intended to be used as a development tool for all 802.
PAGE 555

Table 109 Infrastructure Protection Summary (Continued) Feature Command Trap Syslog ID Protect From AP Impersonation ids impersonation-profile protect-ap-impersonation wlsxAPDeauthContainment wlsxClientDeauthContainment wlsxTarpitContainment 106005, 106006, 126102, 126103, 126108, 127102, 127103, 127108 Protect Misconfigured AP ids unauthorized-device-profile protect-misconfigured-ap wlsxAPDeauthContainment wlsxClientDeauthContainment wlsxTarpitContainment 106005, 106006, 126102, 126103, 126108,
PAGE 556

Client Intrusion Protection Table 110 list the client intrusion protection features with their related commands, traps, and syslog identifications. Details of each feature follow the table.
PAGE 557

Table 111 WMS Configuration Parameters (Continued) Parameter Description Station Ageout Interval The amount of time, in minutes, that a client is unseen by any probes before it is deleted from the database. Enter 0 to disable ageout. Default: 30 minutes Enable Statistics Update in DB Enables or disables statistics update in the database. Default: enabled Collect Stat Enables collection of statistics (up to 25,000 entries) on the master controller for monitored APs and clients.
PAGE 558

(host) #wms import-db database The wms reint-db command reinitializes the WMS database. Note that this command does not make an automatic backup of the current database. (host) #wms renit-db Client Blacklisting When a client is blacklisted in the Dell system, the client is not allowed to associate with any AP in the network for a specified amount of time. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force the client to disconnect.
PAGE 559

To clear the entire client blacklist using the command-line interface, access the CLI in config mode and issue the following command: stm purge-blacklist-client Authentication Failure Blacklisting You can configure a maximum authentication failure threshold for each of the following authentication methods:  802.
PAGE 560

3. In the Profiles list, expand the IDS menu, then select IDS profile. 4. Select the IDS DOS profile. 5. Select (check) Spoofed Deauth Blacklist. 6. Click Apply. To enabled spoofed deauth detection and blacklisting via the command-line interface, access the CLI in config mode, and issue the following commands: ids dos-profile spoofed-deauth-blacklist Blacklist Duration You can configure the duration that clients are blacklisted on a per-SSID basis via the virtual AP profile.
PAGE 561

Chapter 30 WIP Advanced Features Device Classification is the first step in securing the corporate environment from unauthorized wireless access. Adequate measures to quickly shut down intrusions are critical to protect sensitive information and network resources. APs and stations must be accurately classified to determine whether they are valid, rogue or neighboring APs, and an automated response can be implemented to prevent possible intrusion attempts.
PAGE 562

All-reg-domain Channels—A valid non-overlapping channel that is in the regulatory domain of at least one country. The channels in this category belong to the frequency range of:  2412MHz to 2472MHz in the g-band  5100Mhz to 5895MHz in the a-band. Rare Channel—Channels that fall into a frequency range outside of the regulatory domain; 2484 MHz and 4900MHz-4995MHz (J-channels), and 5000-5100Mhz. The channels in this group do not belong to any other group.
PAGE 563

dwell-time-other-reg-domain-channel—For channels that belong to the all regulatory domain group (all-regdomain) with no wireless activity The default setting is 250 ms. dwell-time-rare-channel—For channels in the rare group where no wireless activity is detected. The default value is 100 ms. Use the rf am-scan-profile command to set the dwell time and scan mode. Channel Visiting The Active and DOS channels are visited more frequently than the other channels.
PAGE 564

Configuring Per AP Setting If the AP is a dual-band single radio AP, an option is available to specify which band should be used for scanning in AM-mode. This setting is available in the “ap system-profile”, via the am-scan-rf-band command. ap system-profile am-scan-rf-band [a | g | all] The default value is “all”, which is consistent with the prior behavior. This setting is ignored in the case of a dual radio AP. There are four parameters that will control the age out of devices in the AM module.
PAGE 565

42702 25620500 402424 56245 0 0 DVACLU Channel Flags: D: Default, V: Valid, A: AP Present, C: Reg Domain Channel, O: DOS Channel, Z: Rare Channel T: Valid 20MHZ Channel, F: Valid 40MHz Channel, L: Scan 40MHz Channel (lower), U: Scan 40MHz channel (upper) R: Radar detected in last 30 min, X: DFS required Licensing The ability to perform rare scanning is available only with the RFprotect license. However, the AP can scan ‘regdomain’ or ‘all-reg-domain’ channels without the RFprotect license.
PAGE 566

Configuring Tarpit Shielding Use the ids-general-profile command to configure Tarpit Shielding (for detailed information on commands refer to the Command Line Reference Guide).
PAGE 567

Chapter 31 Link Aggregation Control Protocol Dell PowerConnect implementation of Link Aggregation Control Protocol (LACP) is based on the standards specified in 802.3ad. LACP provides a standardized means for exchanging information, with partner systems, to form a link aggregation group (LAG). LACP avoids port channel misconfiguration. Two devices (actor and partner) exchange LACP data units (DUs) in the process of forming a LAG.
PAGE 568

1. Enable LACP and configure the per-port specific LACP. The group number range is 0 to 7. lacp group mode {active | passive}  Active mode—the interface is in active negotiating state. LACP runs on any link that is configured to be in the active state. The port in an active mode also automatically initiates negotiations with other ports by initiating LACP packets.  Passive mode—the interface is not in an active negotiating state.
PAGE 569

In the WebUI Access LACP from the Configuration->Network->Port tabs. Use the drop down menus to enter the LACP values.  LACP Group—The link aggregation group (LAG) number; range is 0 to 7  Mode—Active negotiation state or not in an active negotiation state indicated by the passive option.
PAGE 570

 The output of the command show interface port-channel now indicates if the LAG is created by LACP (dynamic) or static configuration. If the LAG is created via LACP, you can not add/delete any ports under that port channel. All other commands are allowed.
PAGE 571

Chapter 32 Management Access This chapter describes management access and tasks for a user-centric network and includes the following topics:  “Certificate Authentication for WebUI Access” on page 571  “Management Password Policy” on page 578  “Managing Certificates” on page 580  “Configuring SNMP” on page 585  “Configuring Logging” on page 586  “Guest Provisioning” on page 588  “Managing Files on the Controller” on page 601  “Setting the System Clock” on page 604 Certificate Authen
PAGE 572

5. To configure the management user, navigate to the Configuration > Management > Administration page. a. Under Management Users, click Add. b. Select Certificate Management. c. Select WebUI Certificate. d. Enter the username. e. Select the user role assigned to the user upon validation of the client certificate f. Enter the serial number for the client certificate. g. Select the name of the CA that issued the client certificate. h. Click Apply.
PAGE 573

d. Enter the username. e. Select the management role assigned to the user upon validation of the client certificate. f. Select the client certificate. g. Click Apply. In the CLI ssh mgmt-auth public-key [username/password] mgmt-user ssh-pubkey client-cert Radius Server Authentication Radius Server Username/Password Authentication In this example, an external RADIUS server is used to authenticate management users.
PAGE 574

server-group corp_rad RADIUS Server Authentication with VSA In this scenario, an external RADIUS server authenticates management users and returns to the controller the Dell vendor-specific attribute (VSA) called Dell-Admin-Role that contains the name of the management role for the user. The authenticated user is placed into the management role specified by the VSA. The controller configuration is identical to the “Radius Server Username/Password Authentication” on page 573.
PAGE 575

4. Navigate to the Configuration > Management > Administration page. a. Under Management Authentication Servers, select a management role (for example, read-only) for the Default Role. b. Select (check) Mode. c. For Server Group, select the server group that you just configured. d. Click Apply.
PAGE 576

In the CLI aaa authentication-server radius rad1 host enable aaa server-group corp_rad auth-server rad1 set role condition Class equals it set-value root aaa authentication mgmt default-role read-only enable server-group corp_rad For more information about configuring server-derivation rules, see “Configuring Server-Derivation Rules” on page 277.
PAGE 577

This procedure also resets the enable mode password to enable. If you have defined a management user password policy, make sure that the new password conforms to this policy. For details, see “Management Password Policy” on page 578. Figure 116 is an example of how to reset the password. The commands in bold type are what you enter.
PAGE 578

loginsession timeout In the above command, can be any number of minutes from 5 to 60 or seconds from 1 to 3600, inclusive. You can also specify a timeout value of 0 to disable CLI session timeouts. Setting a WebUI Session Timeout To define a timeout interval for a WebUI session, use the command: web-server sessiontimeout In the above command, can be any number of seconds from 30 to 3600, inclusive.
PAGE 579

Table 113 Management Password Policy Settings (Continued) Parameter Description Maximum Number of failed attempts in 3 minute window to lockout user The number of failed attempts within a 3 minute window that causes the user to be locked out for the period of time specified by the Time duration to lockout the user upon crossing the "lock-out" threshold parameter. Range: 0-10 attempts. By default, the password lockout feature is disabled, and the default value of this parameter is 0 attempts.
PAGE 580

password-lock-out password-lock-out-time password-max-character-repeat. password-min-digit password-min-length password-min-lowercase-characters password-min-special-character password-min-uppercase-characters password-not-username Management Authentication Profile Parameters Table 115 describes configuration parameters on the Management Authentication profile page. NOTE: In the CLI, you configure these options with the aaa authentication mgmt and aaa-server-group commands.
PAGE 581

During certificate-based authentication, the controller provides its server certificate to the client for authentication. After validating the controller’s server certificate, the client presents its own certificate to the controller for authentication. To validate the client certificate, the controller checks the certificate revocation list (CRL) maintained by the CA that issued the client certificate.
PAGE 582

In the WebUI 1. Navigate to the Configuration > Management > Certificates > CSR page. 2. Enter the following information: Table 116 CSR Parameters Parameter Description Range CSR Type Type of the CSR. You can generate a certificate signing request either with an Elliptic curve (EC) key, or with a Rivest-Shamir-Aldeman ec/rsa (RSA) key. Curve name Length of the private/public key for ECDSA. This is applicable only if CSR Type is ec.
PAGE 583

Importing Certificates Use the WebUI or the CLI to import certificates into the controller. NOTE: You cannot export certificates from the controller. You can import the following types of certificates into the controller:  Server certificate signed by a trusted CA. This includes a public and private key pair.  CA certificate used to validate other server or client certificates. This includes only the public key for the certificate.  Client certificate and client’s public key.
PAGE 584

To view the contents of a certificate with the CLI, use the following commands: Table 117 Certificate Show Commands Command Description show crypto-local pki trustedCAs []<[attribute>] Displays the contents of a trusted CA certificate. If a name is not specified, all CA certificates imported into the controller are displayed. If name and attribute are specified, then only the attribute in the certificate are displayed. Attributes can be CN, validity, serial-number, issuer, subject, public-key.
PAGE 585

Configuring SNMP Dell controllers support versions 1, 2c, and 3 of Simple Network Management Protocol (SNMP) for reporting purposes only. In other words, SNMP cannot be used for setting values in an Dell system in the current ArubaOS version. NOTE: Dell-specific management information bases (MIBs) describe the objects that can be managed using SNMP. See the Dell PowerConnect W-Series ArubaOS MIB Reference Guide for information about the Dell MIBs and SNMP traps.
PAGE 586

Follow the steps below to configure a controller’s basic SNMP parameters. In the WebUI 1. Navigate to the Configuration > Management > SNMP page. 2. If the controller will be sending SNMP traps, click Add in the Trap Receivers section to add a trap receiver. 3. If you are using SNMPv3 to obtain values from the Dell controller, click Add in the SNMPv3 Users section to add a new SNMPv3 user. 4. Click Apply.
PAGE 587

Table 120 Software Modules (Continued) Category/Subcategory Description firewall Firewall messages packet-trace Packet trace messages mobility Mobility messages vpn VPN messages dot1x 802.1x messages ike IKE messages webserver Web server messages Wireless Wireless messages all All wireless messages User User messages all All user messages captive-portal Captive portal user messages vpn VPN messages dot1x 802.
PAGE 588

In the WebUI 1. Navigate to the Configuration > Management > Logging > Servers page. 2. To add a logging server, click New in the Logging Servers section. 3. Click Add to add the logging server to the list of logging servers. Ensure that the syslog server is enabled and configured on this host. Click Apply. 4. To select the types of messages you want to log, select the Levels tab. 5. Select the category or subcategory to be logged. 6.
PAGE 589

This section describes how to design a Guest Provisioning page using all three tabs. Configuring the Guest Fields 1. Navigate to the Configuration > Management > Guest Provisioning page. The Guest Provisioning configuration page displays with the Guest Fields tab on top. This tab contains the following columns:  Internal Name—The unique identifier that is mapped to the label in the UI.
PAGE 590

Table 122 Guest Provisioning—Guest Field Descriptions (Continued) Guest Field Description (Continued) guest_username Username for the guest. guest_password Password for the guest. (Must contain at least 1-6 characters and at least one digit.) guest_fullname Full name of the guest. guest_company Name of the guest's company. guest_email Guest's Email address. guest_phone Guest's phone number comments Optional comments about the guest's account status, meeting schedule and so on.
PAGE 591

Configuring the Page Design The Page Design tab lets you specify the company banner, heading, and text and background colors that appear on the Guest Provisioning page. 1. Navigate to the Configuration > Management > Guest Provisioning page and select the Page Design tab. Figure 119 Guest Provisioning Configuration Page—Page Design Tab 2. Enter the filename which contains the company banner in the Banner field.
PAGE 592

3. Enter the number of the port through which the guest provisioning email passes in the Port field. 4. Click Apply and then Save Configuration. Configuring an SMTP server and port in the CLI The following command creates a guest-access email and sends guest user email through SMTP server IP address 1.1.1.1 on port 25. (host) (host) (host) (host) (config) #guest-access-email (Guest-access Email ) # (Guest-access Email ) #smtp-port 25 (Guest-access Email ) #smtp-server 1.1.1.
PAGE 593

Figure 121 Sample Guest Account Email – Sent to Sponsor 4. To save changes, click Apply. Configuring a Guest Provisioning User The guest provisioning user has access to the Guest Provisioning Page (GPP) to create guest accounts within your company. The guest provisioning user is usually a person at the front desk who greets guests and creates guest accounts.
PAGE 594

1. Navigate to the Configuration > Management > Administration page. 2. In the Management Users section, click Add. 3. In the Add User page, select Certificate Management. 4. Make sure that the Use external authentication server to authenticate check box is unchecked. 5. In the Username field, enter the name of the user who you want to configure as a guest provisioning user. 6. In the Role field, select guest-provisioning from the drop-down list. 7.
PAGE 595

Customizing the Guest Access Pass In the WebUI, you can customize the pop-up window that displays the guest account information. You may want to do this before the Guest Provisioning user creates guest accounts. 1. Navigate to the Configuration > Security > Access Control > Guest Access page. 2. Click Browse to insert a logo or other banner information on the window. NOTE: Dell recommends using a logo or banner image that is 600 x 100 pixels (width x height).
PAGE 596

Guest Provisioning User Tasks The Guest Provisioning user creates guest accounts by filling in information on the Guest Provisioning page. Tasks include creating, editing, manually sending email, enabling, printing, disabling and deleting guest accounts. The Guest Provisioning user can also manually send emails to either the guest or sponsor. To create a new guest account, the Guest Provisioning user clicks New to display the New Guest window. (See Figure 124.
PAGE 597

Figure 125 Creating a Guest Account—Show Details Pop-up Window Importing Multiple Guest Entries The Guest Provisioning user can manually create individual guest entries, as previously described, or import multiple guest entries into the database from a CSV file. This is useful and more efficient if you want to enter multiple guest entries at once. To import multiple guest entries, you need to: 1. Create a CSV file that contains the guest entries 2.
PAGE 598

 There is no format checking on field. Only the local-userdb-guest CLI command will validate proper format.  Any extra columns, beyond the 9th column, are discarded.  The WebUI only supports characters that the CLI supports.  If a guest’s user ID is not provided, then it is automatically generated based on the numeric suffix in the Import Guest List window. See Figure 127.  We recommend a maximum of 250 entries per CSV file.
PAGE 599

Figure 128 Displaying the Guest Entries Log File 5. Click Import. A window displays that lets you open CSV file in text format. (See Figure 128.) 6. Open the text file. (See Figure 129.) Note that because no user ID is entered in the CSV file, a guest ID (username) is automatically generated based on the default value in the Suffix for auto-generated field. Make changes or corrections to the guest entry information in text file. A user can also change the start time and end time from this window.
PAGE 600

Figure 130 Viewing Multiple Imported Guest Entries—Guest Provisioning Page Printing Guest Account Information To print guest account information: 1. Highlight the guest account you want to print and click Print. The Print info for guest window displays. 2. Click Print password if you want to print the guest password on the badge. Then enter or generate a new password for the guest. This modifies the existing guest password. (See Figure 131.) 3.
PAGE 601

Restricting one Captive Portal Session for each Guest You can restrict one captive portal session for each guest. When a new captive portal request is received and passes authentication, all users are checked and compared with user names. If a user with the same name already exists and this option is enabled, the second login is denied. NOTE: If a guest logs in from one system (and does not log out) and tries to log in again from another system, that guest has to wait for the initial session to expire. 1.
PAGE 602

You can use the following protocols to copy files to or from a controller:  File Transfer Protocol (FTP): Standard TCP/IP protocol for exchanging files between computers.  Trivial File Transfer Protocol (TFTP): Software protocol that does not require user authentication and is simpler to implement and use than FTP.  Secure Copy (SCP): Protocol for secure transfer of files between computers that relies on the underlying Secure Shell (SSH) protocol to provide authentication and security.
PAGE 603

In the CLI copy tftp: system: partition [0|1]} copy ftp: system: partition {0|1} copy scp: system: partition [0|1] Backing Up and Restoring the Flash File System You can store the entire content of the flash file system on a controller to a compressed archive file. You can then copy the archive file to an external server for backup purposes.
PAGE 604

copy flash: logs.tar tftp: copy flash: logs.tar scp: Copying Other Files The flash file system contains the following configuration files:  startup-config: Contains the configuration options that are used the next time the controller is rebooted. It contains all options saved by clicking the Save Configuration button in the WebUI or by entering the write memory CLI command.
PAGE 605

clock summer-time [recurring] <1-4> first last <1-4> first last [<-23 - 23>] Clock Synchronization You can use NTP to synchronize the controller to a central time source. Configure the controller to set its system clock using NTP by configuring one or more NTP servers.
PAGE 606

7. Under NTP Trusted Keys, enter a string in the Trusted Key field. This is a subset of key which are trusted. The trusted key value must be numeric characters between 1 to 65535. 8. Click Apply. In the CLI This example enables NTP authentication, add authentication secret keys into the database, and specifies a subset of keys which are trusted. It also enables the iburst option.
PAGE 607

Chapter 33 Spectrum Analysis Wireless networks operate in environments with electrical and radio frequency devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference.
PAGE 608

The radios on groups of APs can be converted to dedicated spectrum monitors or hybrid APs via the AP group’s dot11a and dot11g radio profiles. Individual APs can also be converted to spectrum monitors through the AP’s spectrum override profile. The radios on groups of APs can be converted to dedicated spectrum monitors or hybrid APs via the AP group’s dot11a and dot11g radio profiles. Individual APs can also be converted to spectrum monitors through the AP’s spectrum override profile.
PAGE 609

Table 125 Spectrum Analysis Graphs (Continued) Graph Title Description Channel Utilization Trend A line chart that shows the channel utilization for one or more radio channels, as measured over a defined time interval. Spectrum monitors can show data for multiple channels, while a hybrid AP will show utilization levels for its one monitored channel only.
PAGE 610

requested. Each client may select up to eight different spectrum analysis charts and graphs to appear in the spectrum dashboard. A controller can support up to 22 active WebUI connections. If spectrum analysis clients are simultaneously viewing WebUI data for than 22 spectrum analysis devices, any additional WebUI requests will be refused until some clients close their WebUI browser sessions. When you finish reviewing data from an SM or hybrid AP, you should disconnect the device from your spectrum client.
PAGE 611

Creating Spectrum Monitors and Hybrid APs Each controller can support up to 22 active WebUI connections to spectrum monitor or hybrid AP radios. If you plan on using spectrum monitors or hybrid APs as a permanent overlay to constantly monitor your network, you should create a separate AP group for these devices. If you plan on temporarily converting campus APs to spectrum monitors, best practices are to use the spectrum local override profile to convert an AP to a spectrum monitor.
PAGE 612

In the CLI To convert a group of APs via the command-line interface, access the CLI in config mode and issue the following commands, where is the name of the 802.11a or 802.11g radio profile used by the group of APs you want to convert to hybrid APs. rf dot11a-radio-profile spectrum-monitoring rf dot11g-radio-profile spectrum-monitoring Converting an Individual AP to a Spectrum Monitor There are two ways to change a radio on an individual AP or AM into a spectrum monitor.
PAGE 613

ap spectrum local-override override ap-name spectrum-band 2ghz|5ghzlower|5ghz-middle|5ghz-upper Converting a Group of APs to Spectrum Monitors When you convert a group of APs to spectrum monitors using their 802.11a/802.11g radio profiles, all APs in the group will stop serving clients and will act as spectrum monitors only.
PAGE 614

ageout times or to monitor a different part of the radio band, you can create a new spectrum profile, and assign that new profile to the AP group’s 802.11a or 802.11g radio profile. NOTE: If you want an individual spectrum monitor to analyze a non-default frequency band, best practices are to define the frequency band using the spectrum monitor’s spectrum local override profile.
PAGE 615

Table 126 Spectrum Profile Parameters (Continued) Parameter Description Age Out: Xbox Define the ageout time for Xbox consoles. The default time is 25 seconds. Age Out: Cordless Network Frequency Hopper Define the ageout time for cordless network frequency hopping devices. The default time is 25 seconds. Age Out: Cordless Base Frequency Hopper Define the ageout time for cordless base frequency hopping devices. The default time is 25 seconds.
PAGE 616

3. Click the Add button. A table appears, displaying a list of spectrum analysis devices, sorted by name. Singleradio spectrum devices will have a single entry in this table, and dual-radio spectrum devices will have two entries; one for each radio. This table displays the following data for each radio. Table 127 Spectrum Device Selection Information Table Column Description AP Name of the AP whose radio you want to convert to a spectrum monitor. AP names are case sensitive.
PAGE 617

Figure 132 Viewing a list of Connected Spectrum Monitors To view a list of connected spectrum devices via the command-line interface, issue the command show ap spectrum monitors.
PAGE 618

Configuring the Spectrum Analysis Dashboards Once you have connected spectrum monitors to your spectrum analysis client, you can begin to monitor spectrum data in the spectrum analysis dashboards. There are two predefined sets of dashboard views, View1, and View 2. By default, View1 displays the Real-Time FFT, FFT Duty-Cycle and Swept Spectrogram graphs, and View 2 displays the Swept Spectrogram and Quality Spectrogram charts, and the Channel Summary and Active Devices tables.
PAGE 619

Changing Graphs within a Spectrum View To replace an existing graph with any other type of graph or chart: 1. From the Monitoring>Spectrum Analysis>Spectrum Dashboards window, click one of the dashboard names at the top of the window to select the dashboard layout with the graph you want to change. 2. Click the down arrow at the far right end of the graph title bar to display a drop-down menu of chart options. 3. Click Replace With to display a list of available graphs. 4.
PAGE 620

Figure 135 Renaming a Spectrum Dashboard View 3. The Dashboard Name popup window appears. Enter a new name for the dashboard view, then click OK. Saving a Dashboard View You can select different graphs to display in a dashboard view, but these changes will not be saved unless you save that view. Dashboard views, (like the spectrum analysis profile and spectrum local-override profile) are all local configurations that must be configured on each controller.
PAGE 621

(Configuration options are described in “Spectrum Analysis Graph Configuration Options” on page 621). To close the options pane if you have not made any changes to the graph, click Close at the bottom of the Options pane or click the resize button again to return the graph to its original size. To save any changes to the graph, click OK to save your settings and close the Options pane.
PAGE 622

Active Devices This graph appears as a pie chart showing the percentages and total numbers of each device type for all active devices seen by the spectrum monitor or hybrid AP radio. This chart is useful for determining which types of devices are sending signals on the specified radio band or channel. The Active Devices graphs for spectrum monitors can be configured to show data for several different device types on a single radio channel or range of channels.
PAGE 623

Table 128 Active Devices Graph Options (Continued) Parameter Description Show Click the checkbox by any of these device categories to include that device type in the graph. WiFi (AP)  Microwave (This option is only available for 2.4 GHz radios)  Bluetooth (This option is only available for 2.
PAGE 624

. Table 129 Active Devices Table Options Parameter Description Device Type This column shows the type of active device detected by the spectrum monitor or hybrid AP. This column may display any of the following values:  WiFi (AP)  Microwave (This option is only available for 2.4 GHz radios)  Bluetooth (This option is only available for 2.
PAGE 625

Table 129 Active Devices Table Options (Continued) Parameter Description Activity Duration Amount of time that the device has been active. To filter the output of this table to show devices that have been active within a specific time range, click the icon in the column heading. Select Any to display all entries, regardless of how long the device has been active. To display entries for devices active for a specific time range: 1. Select the button by the > symbol. 2.
PAGE 626

Figure 141 Active Devices Trend Graph An Active Devices Trend chart created by a hybrid AP displays data for the single channel monitored by that device. For spectrum monitors, the Active Devices Trend chart can display values for up to five different channels and device types. These graphs show the following data by default:  For SMs on the 2.4 GHz radio band, Wi-Fi APs on channel 1, and fixed-frequency devices on channel 6.
PAGE 627

Table 130 Active Devices Trend Options (Continued) Parameter Description Show lines for these channels The Active Devices Trend chart can display values for up to five different device types on different channels for a spectrum monitor, or a single device type for a hybrid AP. To choose which type of data each line should represent, click the channel number drop-down list and select a channel within the radio band, then click the device type drop-down list and select one of the following device types.
PAGE 628

Figure 142 Channel Metrics Graph Table 131 describes the parameters that can be displayed in the Channel Metrics graph. Click the down arrow in the upper right corner of this chart then click the Options menu to access these configuration settings. Once you have configured the desired parameters, click OK at the bottom of the Options menu to save your settings and return to the spectrum dashboards.
PAGE 629

those channels. Spectrum monitors can display data for up to five different channels in their selected band. Hybrid APs display data for their one monitored channel only. NOTE: For more information on how the spectrum analysis feature determines the quality of a channel, see “Channel Metrics” on page 627. When you hover your mouse over any line in the chart, a tooltip displays channel quality or availability data for that individual channel at the selected time.
PAGE 630

Table 132 Channel Metrics Trend Options (Continued) Parameter Description Show Lines for These Channels The Channel Quality Trend chart for a spectrum monitor can display channel quality, channel availability or channel utilization values for up to five different channels on the selected radio band. Charts for hybrid APs can display data for the one channel monitored by that hybrid AP radio.
PAGE 631

Table 133 Channel Summary Table Parameters (Continued) Parameter Description SNIR (dB) The Signal-to-Noise-and-Interference Ratio (SNIR) is the ratio of signal strength to the combined levels of interference and noise on that channel. This value is calculated by determining the maximum noise-floor and interference-signal levels, and then calculating how strong the desired signal is above this maximum.
PAGE 632

Figure 145 Device Duty Cycle Table 134 describes the parameters you can use to customize the Device Duty Cycle chart. Click the down arrow in the upper right corner of this chart then click the Options menu to access these configuration settings. Once you have configured the desired parameters, click OK at the bottom of the Options menu to save your settings and return to the spectrum dashboards.
PAGE 633

Table 134 Device Duty Cycle Options (Continued) Parameter Description Show This graph can display values for up to five different device types on different channels for a spectrum monitor, or a single device type for a hybrid AP monitoring a single channel.
PAGE 634

Table 135 describes the parameters you can use to customize the Channel Utilization Trend chart. Click the down arrow in the upper right corner of this chart then click the Options menu to access these configuration settings. Once you have configured the desired parameters, click OK at the bottom of the Options menu to save your settings and return to the spectrum dashboards.
PAGE 635

Table 136 describes the parameters you can use to customize the Devices vs Channel chart. Click the down arrow in the upper right corner of this chart then click the Options menu to access these configuration settings. Once you have configured the desired parameters, click OK at the bottom of the Options menu to save your settings and return to the spectrum dashboards.
PAGE 636

Figure 148 FFT Duty Cycle By default, this chart shows the current duty cycle for devices on all channels being monitored by the spectrum monitor radio. Table 137 describes the other optional parameters you can use to customize the FFT Duty Cycle table. Click the down arrow in the upper right corner of this chart then click the Options menu to access these configuration settings.
PAGE 637

Table 137 FFT Duty Cycle Options (Continued) Parameter Description Show Select a checkbox to display that information on the FFT Duty Cycle chart.  Duty Cycle: The percentage of duty cycle the channel or frequency was actively utilized.  Max Hold: The maximum recorded percentage of active duty cycles for the channel frequency since the chart was last reset. To clear this setting, click the down arrow at the end of the title bar for this graph and select Reset MaxHold.
PAGE 638

settings. Once you have configured the desired parameters, click OK at the bottom of the Options menu to save your settings and return to the spectrum dashboards. Table 138 Interference Power Options Band This field shows the radio band used by the spectrum monitor or hybrid AP radio (2.4 GHz or 5GHz). It is not selectable and cannot be changed via the Options window.
PAGE 639

Figure 150 Quality Spectrogram When you hover your mouse over any part of the spectrogram, a tooltip will show the devices the spectrum monitor detected on that frequency, the BSSID of the device (if applicable), the power level of the device in dBm, the time the device was last seen by the spectrum monitor, and the channels affected by the device. describes the other optional parameters you can use to customize the Quality Spectrogram.
PAGE 640

there may be a large number of FFT signatures received by the radio every second, an algorithm selects one FFT sample to display in the Real-time FFT chart every second. NOTE: This chart is only available for AP models W-AP105, W-AP92, W-AP93, W-AP175and the W-AP130 Series. This chart can show an average for all samples taken over the last second, the maximum FFT power measured for all samples taken over ten channel sweeps, and the greatest FFT power recorded since the chart was last reset.
PAGE 641

Table 140 Real-Time FFT Options (Continued) Parameter Description Center Frequency If you selected Frequency in the X-Axis parameter, enter the frequency, in MHz, that you want to appear in the center of the x-axis of this chart. Span If you selected Frequency in the X-Axis parameter, specify the size of the range of frequencies around the selected center frequency.
PAGE 642

The example in Figure 152 shows how an FFT Power chart could appear if a single data measurement was plotted as a simple line graph. Figure 152 Simple Line Graph of FFT Power Data Now, suppose that each channel’s FFT power level was also represented by a color that corresponded to that specific FFT power level. In the example below, channel 12 has a FFT power level of -50 dBm, so it is represented by the color red. Channel 1 has a FFT power level of -85 dBm, so it is represented by dark blue.
PAGE 643

pushed up higher on the chart until it reaches the top of the spectrogram and ages out. The example below shows the Swept Spectrogram chart after it has recorded over 300 seconds of FFT data. Figure 155 Swept Spectrogram Table 141 describes the parameters you can use to customize the Swept Spectrogram chart. Click the down arrow in the upper right corner of this chart then click the Options menu to access these configuration settings.
PAGE 644

Table 141 Swept Spectrogram Options (Continued) Parameter Description Color-Map Range If this chart is configured to show average or maximum FFT values, the default color range on this chart represents values from -50dBm (red) to -90dBm (blue). If you would like the color range on this chart to represent a different range of FFT power levels, enter this range in the from and to entry blanks.
PAGE 645

Figure 156 Recording Spectrum Analysis Data While the recording is in progress, a round, red recording icon and recording status information appears at the top of the spectrum dashboard. You will be allowed to view data for other spectrum monitors and charts while the recording is in progress. If you want to stop the recording before recording period has finished, click the Stop button by the recording status information.
PAGE 646

4. An Open dialog box appears and prompts you to browse to and select the file you want to open. 5. Click Open. 6. Click the triangular play icon at the top of the window to start playing back the recording. Recorded data for the selected spectrum monitor and dashboard view appears in the spectrum analysis dashboard. A playback progress bar at the top of the window shows what part of the recording currently appears on the dashboard.
PAGE 647

Table 142 Non-Wi-Fi Interferer Types Non-Wi-Fi Interferer Description Bluetooth Any device that uses the Bluetooth protocol to communicate in the 2.4 GHz band is classified as a Bluetooth device. Bluetooth uses a frequency hopping protocol. Fixed Frequency (Audio) Some audio devices such as wireless speakers and microphones also use fixed frequency to continuously transmit audio. These devices are classified as Fixed Frequency (Audio).
PAGE 648

the bottom of the Spectrum Monitors and Spectrum Dashboard window. When you close the browser and end your spectrum analysis session, the session log will be cleared. The example in Figure 159 shows that a 2.4 GHz radio on hybrid AP was connected to the spectrum analysis client, its channel changed twice, then was disconnected from the spectrum client.
PAGE 649

Table 143 Spectrum Analysis CLI Commands (Continued) Command Description show ap spectrum interference-power This command shows the interference power detected by a 802.11a or 80211g radio on a spectrum monitor. show ap spectrum monitors This command shows a list of APs currently configured as spectrum monitors. show ap spectrum technical-support Save spectrum data for later analysis by your Dell technical support representative.
PAGE 650

 AM: Spectrum: new wifi device found = [addr:%s] SSID = [ssid:%s] BSSID [bssid_str:%s] DEVICE ID [did:%d]  AM: Spectrum: deleting wifi device = [addr:%s] SSID = [ssid:%s] BSSID [bssid_str:%s] DEVICE ID [did:%d]  AM: Spectrum: new non-wifi device found = DEVICE ID [did:%u] Type [dytpe:%s] Signal [sig:%u] Freq [freq:%u]KHz Bandwidth [bw:%u]KHz  AM: Spectrum: deleting non-wifi device = DEVICE ID [did:%d] Type [dtype:%s] 650 | Spectrum Analysis Dell PowerConnect W-Series ArubaOS 6.
PAGE 651

Chapter 34 Software Licenses ArubaOS base features include sophisticated authentication and encryption, protection against rogue wireless APs, seamless mobility with fast roaming, the origination and termination of IPsec/L2TP/PPTP tunnels between controllers, clients, and other VPN gateways, adaptive RF management and analysis tools, centralized configuration, and location tracking. Optional add-on licenses provide advanced feature such as Wireless Intrusion Protection and Policy Enforcement Firewall.
PAGE 652

Licenses Each license refers to specific functionality (or module) that supports unique features. The licenses are:  Base OS—base operating functions including VPN and VIA clients.  AP Capacity —capacity license for RAP indoor and outdoor Mesh APs. Campus, Remote, or Mesh APs can terminate on the controller without the need for a separate license.  Advanced Cryptography (ACR)—this is required for the Suite B Cryptography in IPsec and 802.11 modes.
PAGE 653

Figure 160 Alert Flag At the end of the 90-day period, you must apply for a permanent license to re-enable the features permanently on the controller. Evaluation software license keys are only available in electronic form and are emailed to you. When an evaluation period expires:   The controller automatically backs up the startup configuration and reboots itself at midnight (according to the system clock).  All permanent licenses are unaffected.
PAGE 654

Table 144 Usage per License (Continued) License Basis What Consumes One License RFprotect AP One operational AP AP AP One operational LAN-connected or mesh AP that is advertising at least one BSSID (virtual-AP) or RAP ACR Session One active client termination The MIPS controller licenses are variable-capacity (see Table 145). NOTE: In Table 145, the Remote AP count is equal to the total AP count for all the controllers.
PAGE 655

 An evaluation ACR license is available (EVL-ACR-1024). You can install the ACR evaluation license with a higher capacity than the platform maximum.  On a platform that supports 2048 IPsec tunnels, with a LIC-ACR-512 installed, only 512 IPsec tunnels can be terminated using Suite B encryption. An additional 1536 IPsec tunnels, using non-Suite B modes (e.g. AES-CBC), can still be supported.  On a platform with LIC-ACR-512 installed, a mixture of IPsec and 802.11i Suite B connections can be supported.
PAGE 656

4. Enter the software license key via the controller’s WebUI; navigate to Configuration > Network > Controller > System Settings page and select the License tab. Enter the software license key and click Apply (see “Applying the Software License Key in the WebUI” on page 657). Or Launch the License Wizard from the Configuration tab and click the New button. Enter the software license key in the space provided (see “Applying the Software License Key in the License Wizard” on page 657). 5.
PAGE 657

Creating a software license key 1. Select Activate a Certificate. 2. Enter the certificate ID number and the system serial number of your controller. 3. Review the license agreement and select Yes to accept the agreement. 4. Click Activate it. A copy of the transaction and the software license key is emailed to you at the email address you entered for your user account . NOTE: The software license key is only valid for the system serial number for which you activated the certificate.
PAGE 658

Resetting the Controller Rebooting or resetting a controller has no effect on either permanent or evaluation licenses. Issuing the write erase command on a controller running software licenses does not affect the license key management database on the controller. Issuing the write erase all command resets the controller to factory defaults, and deletes all databases on the controller including the license key management database. You must reinstall all previously-installed license keys.
PAGE 659

Chapter 35 IPv6 Support This chapter describes ArubaOS support for IPv6 clients.
PAGE 660

The following image illustrates how IPv6 clients, APs, and controller communicate with each other in an IPv6 network. Figure 161 IPv6 Topology  The IPv6 controller (MC2) terminates both V4 AP (IPv4 AP) and V6 AP (IPv6 AP).  Client 1 (IPv4 client) terminates to V6 AP and Client 2 (IPv6 client) terminates to V4 AP.  Router is an external IPv6 router in the subnet to generate RAs and acts as the default gateway in this illustration.  MC1 (master) and MC2 (local) communicates in IPv4.
PAGE 661

 “Configure Multicast Listener Discovery (MLD)” on page 664  “Debug IPv6 Controller” on page 665  “Provision IPv6 AP” on page 666 You can also view the IPv6 statistics on the controller using the following commands:  show datapath ip-reassembly ipv6: View the IPv6 contents of the IP Reassembly statistics table.  show datapath route ipv6: View datapath IPv6 routing table.  show datapath route-cache ipv6: View datapath IPv6 route cache.
PAGE 662

Table 146 IPv6 APs Support Matrix (Continued) Features Supported on IPv6 APs? AP boot by TFTP No WMM QoS No AP Debug and Syslog Yes ARM & AM Yes WIDS Yes (Limited) CLI support for users & datapath Yes Configure IPv6 Interface Address You can configure IPv6 addresses for the management interface, VLAN interface, and the loopback interface of the controller. The controller can have up to three IPv6 addresses for each VLAN interface.
PAGE 663

Using CLI To configure link local address (host)(config)#interface vlan (host)(config-subif)#ipv6 address link-local To configure global unicast address (host)(config)#interface vlan (host)(config-subif)#ipv6 address / To configure global unicast address (EUI 64 format) (host)(config)#interface vlan (host)(config-subif)#ipv6 address eui-64 To configure management interface address (host)(config)#interface mgmt
PAGE 664

2. Enter the destination IP address and the forwarding settings in the respective fields. 3. Click the Done button to add the static route to the IPv6 routes table. 4. Click the Apply button to apply the configuration.
PAGE 665

 Query Response Interval: default value is 100 (1/10 seconds). 3. Click the Apply button to apply the configuration.
PAGE 666

(host) #tracepath ipv6 Provision IPv6 AP You can provision an IPv6 AP on an IPv6 controller. You can either configure a static IP address or obtain a dynamic IPv6 address via stateless-autoconfig. The controller can act as the default gateway for the IPv6 clients, if static IPv6 routes are set on the controller. NOTE: In this release of ArubaOS, the IPv6 controller cannot generate router advertisements (RA).
PAGE 667

(host) (config-exthdr) #eh permit | deny To view the EH types denied: (host) (config-exthdr) #show netexthdr default Extended Header type(s) Denied -----------------------------51, 234, Captive Portal over IPv6 IPv6 is now enabled on the captive portal for user authentication on the Dell controller. For user authentication use the internal captive portal that is initiated from the controller. A new parameter captive has been added to the IPv6 captive portal session ACL.
PAGE 668

IPv6 clients must be mapped to a VLAN that is bridged to an external router which provides IPv6 services to those clients. On the controller, you can configure IPv4 and IPv6 clients on the same VLAN. NOTE: IPv6 clients and the IPv6 router must be on the same VLAN.
PAGE 669

ArubaOS Features that Support IPv6 This section describes ArubaOS features that support IPv6 clients. Authentication This release of ArubaOS only supports 802.1x authentication for IPv6 clients. You cannot configure layer-3 authentications to authenticate IPv6 clients. Table 147 IPv6 Client Authentication Authentication Method Supported for IPv6 Clients? 802.1x Yes Stateful 802.
PAGE 670

Table 148 IPv6 Firewall Parameters (Continued) Authentication Method Description Deny Inter User Bridging Prevents the forwarding of Layer-2 traffic between wired or wireless users. You can configure user role policies that prevent Layer-3 traffic between users or networks but this does not block Layer-2 traffic. This option can be used to prevent traffic, such as Appletalk or IPX, from being forwarded. Default: Disabled Deny All IP Fragments Drops all IP fragments.
PAGE 671

ipv6 firewall session-idle-timeout 60 Firewall Policies A user role, which determines a client’s network privileges, is defined by one or more firewall policies. A firewall policy consists of one or more rules that define the source, destination, and service type for specific traffic and whether you want the controller to permit or deny traffic that matches the rule. You can configure firewall policies for IPv4 traffic or for IPv6 traffic and apply IPv4 and IPv6 firewall policies to the same user role.
PAGE 672

Table 149 IPv6 Firewall Policy Rule Parameters (Continued) Field Description Time Range (optional) Time range for which this rule is applicable. You configure time ranges in the Configuration > Security > Access Control > Time Ranges page. Black List (optional) Automatically blacklists a client that is the source or destination of traffic matching this rule.
PAGE 673

7. Click Apply to apply the configuration. The policy is not created until the configuration is applied. To create an IPv6 firewall policy using the command-line interface, issue the following commands in config mode: ip access-list session ipv6-web-only ipv6 network 2002:d81f:f9f0:1000::/64 any svc-http permit ipv6 network 2002:d81f:f9f0:1000::/64 any svc-https permit Assigning an IPv6 Policy to a User Role To assign an IPv6 policy using the WebUI: 1.
PAGE 674

Viewing Datapath Statistics for IPv6 Sessions To view datapath session statistics for individual IPv6 sessions, access the command-line interface in enable mode and issue the command show datapath session ipv6. To display the user entries in the datapath, access the command-line interface in enable mode, and issue the command show datapath user ipv6. For details on each of these commands and the output they display, see the ArubaOS CLI Reference Guide.
PAGE 675

Chapter 36 Voice and Video This chapter outlines the steps required to configure voice and video services on the Dell controller for Voice over IP (VoIP) devices, including Session Initiation Protocol (SIP), Spectralink Voice Priority (SVP), H323, SCCP, Vocera, and Alcatel NOE phones, clients running Microsoft Office Communicator Server (OCS), and Apple devices running the Facetime application.
PAGE 676

Using Default Net Services The following table lists the default net services and their ports: Table 150 Default Voice Net Services and Ports Net Service Name Protocol Port ALG svc-sccp TCP 2000 SCCP svc-sip-tcp TCP 5060 SIP svc-sip-udp UDP 5060 SIP svc-sips TCP 5061 SIP svc-noe UDP 32512 NOE svc-h323-udp UDP 1718, 1719 H.323 svc-h323-tcp TCP 1720 H.
PAGE 677

Using the Default User Role The controller is configured with the default voice role.
PAGE 678

Table 151 Services for ALGs (Continued) ALG Service Name VOCERA svc-vocera SCCP svc-sccp H.323   svc-h323-tcp svc-h323-udp DHCP svc-dhcp TFTP svc-tftp ICMP svc-icmp DNS svc-dns Table 152 Other Mandatory Services for the ALGs ACL Service Name DHCP svc-dhcp TFTP svc-tftp ICMP svc-icmp DNS svc-dns d. For Action, select permit. e. For Queue, select High. f. Click Add. Repeat steps 1 to 5e to add more ALG services. 6. Click Apply. 7. Select the User Roles tab.
PAGE 679

session-acl Replace the following strings:  policy-name with a string that you want to identify the roles policy  role-name with the name you want to identify the voice user role.  service-name with any of the service names from Table 150 on page 676. Using the User-Derivation Roles The user role can be derived from attributes from the client’s association with an AP.
PAGE 680

Using the CLI to derive the role based on MAC OUI aaa derivation-rules user name set role condition macaddr contains xx:xx:xx set-value role Configuring Firewall Settings for Voice and Video ALGs After configuring the user roles, you must configure the firewall settings for the voice and video Application-Level Gateways (ALGs) to pass the traffic securely through the Dell devices. You can use the WebUI or CLI to configure the firewall settings for the ALGs. Using WebUI 1.
PAGE 681

 Configure the dynamic multicast optimization threshold—The maximum number of high throughput stations in a multicast group. The optimization will stop if the number exceeds the threshold value.  Enable multicast rate optimization to support higher data rate for multicast traffic in the absence of dynamic multicast optimization. Dynamic multicast optimization takes precedence over multicast rate optimization up to the configured threshold value.
PAGE 682

3. Create an ACL on the controller with the values equivalent to the DSCP mappings to prioritize the video traffic. Example: The following ACL prioritizes the multicast traffic from the specified multicast group on the controller. You can also add this ACL to any user role or port. (host) (config-sess-mcast_video_acl)#any network 224.0.0.0 255.0.0.0 any permit tos 40 queue high 802.1p 5 a.
PAGE 683

6. Configure multicast rate optimization for video traffic. (host) (config) #wlan ssid-profile default (host) (SSID Profile "default") #mcast-rate-opt (host) (SSID Profile "default") #show wlan ssid-profile default SSID Profile "default" ---------------------Parameter Value ------------SSID enable Enabled ESSID building1-ap Encryption opensystem DTIM Interval 1 beacon periods 802.11a Basic Rates 6 12 24 ... ... ...
PAGE 684

8. Configure and apply a bandwidth management profile. (host) (config)# wlan wmm-traffic-management-profile default NOTE: Ensure that you configure the WMM traffic management profile to the virtual AP profile if you have configured the virtual AP traffic management profile. a. Enable a bandwidth shaping policy so that the allocated bandwidth share is appropriately used. (host) (WMM Traffic management profile "default") # enable-shaping b.
PAGE 685

c. Click the Apply button to apply the settings and save the configurations. Figure 163 Enable IGMP Proxy To enable IGMP snooping: a. Navigate to the Configuration > Network > IP page. Under the IGMP settings, select the Enable IGMP checkbox. b. Select the Snooping checkbox. c. Click the Apply button to apply the settings and save the configurations. Figure 164 Enable IGMP Snooping 2. Enable wireless multimedia and set a DSCP value for video traffic. a.
PAGE 686

You can also add this ACL to any user role or port. To apply the ACL to a user role: a. Navigate to the Configuration > Security> Access Control page and click the User Roles tab. b. Edit the user role and click the Add button under Firewall Policies. c. Select the ACL from the Choose From Configured Policies drop down and click the Done button. d. Click the Apply button to save the configurations. Figure 167 Apply ACL to User Role To apply the ACL to a port: a.
PAGE 687

d. Click the Apply button to save the configurations. Figure 170 Enable Multicast Rate Optimization 6. Configure ARM scanning for video traffic. Under the Profiles column, expand RF Management > Adaptive Radio Management (ARM) Profile and select the profile name. This example uses the default profile. Select the Video Aware Scan option and click the Apply button. Figure 171 Enabling Video Aware Scan 7.
PAGE 688

QoS for Voice and Video QoS settings for voice and video applications is configured when you configure firewall roles and policies. VoIP Call Admission Control Profile VoIP call admission control prevents any single AP from becoming congested with voice calls. You configure call admission control options in the VoIP Call Admission Control profile which you apply to an AP group or a specific AP. You can use the WebUI or CLI to configure a VoIP Call Admission Control profile. Using the WebUI 1.
PAGE 689

Table 153 VoIP Call Admission Control Configuration Parameters (Continued) Parameter Description VoIP Disconnect Extra Call In the VoIP Call Admission Control (CAC) profile, you can limit the number of active voice calls allowed on a radio. This feature is disabled by default. When the disconnect extra call feature is enabled, the system monitors the number of active voice calls, and if the defined threshold is reached, any new calls are disconnected.
PAGE 690

WMM supports four access categories (ACs): voice, video, best effort, and background. Table 154 on page 690 shows the mapping of the WMM access categories to 802.1p priority values. The 802.1p priority value is contained in a two-byte QoS control field in the WMM data frame. Table 154 WMM Access Category to 802.1p Priority Mapping Priority 802.
PAGE 691

DSCP tags to prioritize various traffic types. You apply and configure WMM AC mappings to a WMM-enabled SSID profile. NOTE: The user-configured mapping only takes effect when WMM is enabled for the SSID profile. DSCP classifies packets based on network policies and rules, not priority. The configured DSCP value defines per hop behaviors (PHBs). The PHB is a 6-bit value added to the 8-bit Differentiated Services (DS) field of the IP packet header.
PAGE 692

5. Scroll down to the Wireless Multimedia (WMM) option. Select (check) this option. 6. Modify the DSCP mapping settings, as needed:  DSCP mapping for WMM voice AC—DSCP used to map voice traffic  DSCP mapping for WMM video AC—DSCP used to map video traffic  DSCP mapping for WMM best-effort AC—DSCP used to map best-effort traffic  DSCP mapping for WMM background AC—DSCP used to map background traffic 7. Click Apply.
PAGE 693

WMM is an extension to the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol’s Distributed Coordination Function (DCF). The collision resolution algorithm responsible for traffic prioritization depends on the following configurable parameters for each AC:  arbitrary inter-frame space number (AIFSN)  minimum and maximum contention window (CW) size For each AC, the backoff time is the sum of the AIFSN and a random value between 0 and the CW value.
PAGE 694

Table 157 EDCA Parameters Station and EDCA Parameters AP Profile Settings (Continued) Parameter Background Description Set the following parameters to define the background queue. aifsn: Arbitrary inter-frame space number. Possible values are 1-15.  ecw-max: The exponential (n) value of the maximum contention window size, as expressed by 2n-1. A value of 4 computes to 24-1 = 15. Possible values are 1-15.  ecw-min: The exponential (n) value of the minimum contention window size, as expressed by 2n-1.
PAGE 695

You can use the WebUI or CLI to enable WMM queue content enforcement. Using the WebUI 1. Navigate to the Configuration > Advanced Services > Stateful Firewall page. 2. Select Enforce WMM Voice Priority Matches Flow Content. 3. Click Apply. Using CLI firewall wmm-voip-content-enforcement Extended Voice and Video Functionalities This section describes the other voice and video-related functionalities that are available on the controller.
PAGE 696

The example below shows how to configure an ACL to identify and monitor Apple Facetime traffic. (host) (config) #ip access-list session facetime (host) (config-sess-facetime)#any any tcp 80 permit position 1 queue low (host) (config-sess-facetime)#any any tcp 443 permit position 2 queue low (host) (config-sess-facetime)#any network 17.0.0.0 255.0.0.
PAGE 697

Using the WebUI 1. Navigate to the Configuration > AP Configuration page. Select either the AP Group or AP Specific tab.  If you selected the AP Group tab, click the Edit button by the name of the AP group with the ARM profile you want to configure.  If you selected the AP Specific tab, click the Edit button by the name of the AP with the ARM profile you want to configure. 2. In the Profiles list, Expand the RF Management section. 3. Select Adaptive Radio Management (ARM) Profile. 4.
PAGE 698

Using the WebUI to configure the SIP client user role 1. Navigate to the Configuration > AP Configuration page. Select either AP Group or AP Specific.  If you select AP Group, click Edit for the AP group name for which you want to configure the SIP client user role.  If you select AP Specific, select the name of the AP for which you want to configure the SIP client user role. 2. Under Profiles, select Wireless LAN, then select Virtual AP.
PAGE 699

3. Enable Real Time call quality analysis for the voice calls by selecting the Real-Time Analysis of voice calls check box. Figure 174 Enable Real Time Analysis 4. Click the Apply button to apply the settings and save the configurations. Viewing Real Time Call Quality Reports 1. To view the average Real Time analysis reports, navigate to the Monitoring > Voice > Real-Time Quality Analysis page. 2.
PAGE 700

Real-Time Analysis detail report -------------------------------Time Jitter(U)(msec) Pkt-loss(U)(%) Delay(U)(usec) rvalue(U) Jitter(D)(msec) Pkt-loss(D)(%) Delay(D)(usec) rvalue(D) ---------------- --------------- -------------- -------------- --------- -------------- -------------- -------------- --------Aug 17 11:55:18 71.000 0.000 0.000 93.360 0.000 0.000 0.000 NA Aug 17 11:55:13 76.000 0.000 0.000 93.360 0.000 0.000 0.000 NA Aug 17 11:55:08 69.000 0.000 0.000 93.360 0.000 0.000 0.
PAGE 701

4. Specify a timeout value in seconds in the Session Expiry field. The range is 240 - 1200 seconds. The default value is 300 seconds. Figure 175 Enabling SIP Session Timer 5. Click the Apply button to apply the settings and save the configurations.
PAGE 702

Using the WebUI 1. Navigate to the Configuration > Security > Access control page. 2. Click the Policies tab. Figure 176 Firewall Policies Tab 3. Click the Add button to create a new policy. 4. Enter a name for the policy in the Policy Name field and choose Session in the Policy Type drop down menu. 5. Select IPv4 in the IP Version drop down menu and click the Add button. 6. In the Service column, choose service and Select svc-sips (tcp-5061) from the Service drop-down menu. 7.
PAGE 703

strength (dbm value) reported by the voice clients (received from all APs) to determine if the voice clients are within or leaving their active Wi-Fi connection. If the signal strength is weak, the controller will trigger the handover process to switch the voice client to an alternate carrier or connection. This process ensures QoS for voice calls. NOTE: The handover process is available for voice clients supporting the 802.11K standard and with the ability to transmit and receive beacon reports.
PAGE 704

Dial Plan for SIP Calls A PSTN call from a SIP device usually requires the user to prefix 9 or 0 before the destination number. You can configure dial plans (prefix codes) on the controller that are required by the local EPABX system to provide outgoing PSTN call facility from a SIP device. After the dial plan is configured, a user can make SIP calls by dialing the destination number without any prefixes. NOTE: Dial plan can be configured only for SIP over UDP.
PAGE 705

Using the WebUI 1. In the WebUI, navigate to Configuration > Advanced Services > All Profiles > Controller > Dialplan Profile. Enter a name for the dial plan profile and click the Add button. Figure 179 Dialplan Profile 2. Under Profiles, expand Controller and select the newly created dial plan profile. Enter the following dial plan details and click the Add button.  Sequence number: The dial plan position in the list of dial plans.  Pattern: The number that the user will dial.
PAGE 706

4. Under Profile, navigate to Controller > SIP settings and select Dialplan Profile. In the Profile Details section, select the Dialplan Profile from the drop down list and click the Apply button.
PAGE 707

(host) (config) #show voice dialplan-profile local Dialplan Profile "local" --------------------------Parameter Value --------- ----dialplan 100 XXXXXXX 9%e Enhanced 911 Support ArubaOS provides seamless support for emergency calls in the Dell network by interoperating with RedSky emergency call server. The controller uses SNMP to interoperate with RedSky call handling system. NOTE: This release of ArubaOS supports only RedSky emergency call server.
PAGE 708

 AP Location  AP Mode  Controller IP Address The controller also supports location queries for the clients that are not identified as voice clients on the controller. Voice over Remote Access Point Voice traffic support is enhanced on split tunnel mode over a remote access point. The voice traffic management for remote and local users are done on the controller. However, the sessions are created differently for both users.
PAGE 709

3. In the Profile Details section, select the SSID profile you want to configure. 4. Click the Advanced tab. 5. Scroll down the Advanced options and select the Battery Boost check box. 6. Scroll up to change the DTIM Interval to a longer interval time. 7. Click Apply.
PAGE 710

Using CLI To view the details of a voice client based on its IP address: (host) #show voice client-status ip 10.15.20.63 Voice Client(s) Status ---------------------Client(IP) Client(MAC) Client Name ALG Server(IP) Registration State Call Status BSSID ESSID AP Name Flags ------------------------------ ----------------------------- ---------- ------------------10.15.20.63 00:00:f0:05:c9:e3 7812 h323 10.3.113.
PAGE 711

AP Events --------Timestamp --------Aug 13 09:22:54 Aug 13 09:22:58 Aug 13 09:26:22 Aug 13 11:29:33 Aug 13 11:29:39 Aug 13 11:30:29 Aug 13 11:30:36 BSS Id -----00:1a:1e:a8:2d:80 00:1a:1e:a8:2d:80 00:1a:1e:a8:2d:80 00:1a:1e:a8:2d:80 00:1a:1e:a8:2d:80 00:1a:1e:a8:2d:80 00:1a:1e:a8:2d:80 Category -------Call Call Call Call Call Call Call Event ----Call Start Call End Call Start Call End Call Start Call End Call Start AP Station Reports -----------------Timestamp BSS Id RSSI Tx Data-Bytes Tx-Data-Time Rx Rx
PAGE 712

Using CLI To view the details of a completed call based on the CDR Id: (host) #show voice call-cdrs cid 4 Voice Client(s) CDRs (Detail) ----------------------------CDR Id Client IP Client Name ALG Dir Called/Calling Party Status Dur(sec) Orig time R-value Reason Codec Band Setup Time(sec) Re-Assoc Initial-BSSID Initial-ESSID Initial-AP Name ------ ------------------- ----- -------------------- ------ -------- -------------- ------ ----- ------------------ -------- ------------------------- --------------4 1
PAGE 713

Enabling Logging for a Specific Client 1. Navigate to the Configuration > Advanced Services > All Profiles page. 2. Expand Other Profiles under the Profiles section and click VoIP Logging. 3. Enter the MAC address of the voice client in the Client's MAC address for logging field. Figure 184 Enable Logging for a Voice Client 4. Click the Apply button to apply the settings and save the configurations. NOTE: To enable logging on a specific voice client, you must enable voice logs.
PAGE 714

Using CLI To view the voice signaling message traces: (host)#show voice trace sip count 5 SIP Voice Client(s) Message Trace --------------------------------ALG Client Name Client(MAC) Client(IP) Event BSSID --- ----------- ------------------------SIP 6202 00:03:2a:02:75:cc 10.15.20.123 200_OK 00:0b:86:b7:83:91 SIP 6202 00:03:2a:02:75:cc 10.15.20.123 REGISTER 00:0b:86:b7:83:91 SIP 6202 00:03:2a:02:75:cc 10.15.20.123 200_OK 00:0b:86:b7:83:91 SIP 6202 00:03:2a:02:75:cc 10.15.20.
PAGE 715

Profile Name -----------default local VoIP CAC Profile ---------------default default Virtual AP Group Profiles ------------------------Profile Name 802.11K Profile HA Discovery on-assoc. Drop Broadcast/Multicast Broadcast ARP to Unicast -------------------------- ---------------------- ----------------------- ---------------------abcd default Disabled Disabled Disabled VoIP Call Admission Control Profiles -----------------------------------Profile Name VoIP CAC ------------ --------default Disabled 802.
PAGE 716

| Voice and Video Dell PowerConnect W-Series ArubaOS 6.
PAGE 717

Chapter 37 External Services Interface The Dell External Services Interface (ESI) provides an open interface that is used to integrate security solutions that solve interior network problems such as viruses, worms, spyware, and corporate compliance. ESI allows selective redirection of traffic to external service appliances such as anti-virus gateways, content filters, and intrusion detection systems.
PAGE 718

Figure 185 ESI-Fortinet Topology Wireless Users Untrusted Interface Corporate Network Controller DMZ/ Internet Wired Users AntiVirus Firewall Server Trusted Interface arun_007 In the ESI–Fortnet topology , the clients connect to access points (both wireless and wired). The wired access points tunnel all traffic back to the controller over the existing network.
PAGE 719

Figure 186 Load Balancing Groups Core Router (default gateway) = 10.168.172.1/24 Trusted interface IP address = 10.168.172.1/24 Trusted interface IP address = 10.168.172.3/24 Fortinet Gateway Controller Untrusted interface IP address = 10.168.171.1/24 Untrusted interface IP address = 10.168.171.3/24 Wireless User Subnet = 10.168.173.
PAGE 720

Figure 187 ESI Parser Domains Domain Fortinet Domain Acme Fortinet 1 10.1.1.1 Acme 1 10.2.2.1 Controller Fortinet 2 10.1.1.2 Fortinet 3 10.1.1.3 Acme 2 10.2.2.2 Access Point Acme 3 10.2.2.3 arun_006 The ESI syslog parser begins with a list of configured IP interfaces which listen for ESI messages. When a syslog message is received, it is checked against the list of defined ESI servers. If a server match is found, the message is then tested against the list of predefined rules.
PAGE 721

Figure 188 Peer Controllers Peer Controllers ESI Server Group Fortinet Server 30.0.0.1 Fortinet Server 30.0.0.3 Fortinet Server 30.0.0.2 Peer Controllers Local Controller 20.0.0.1 Master Controller 10.0.0.1 AP Wireless Client Jack AP Wireless Client Joe arun_002 In this scenario, several controllers (master and local) are defined in the same syslog parser domain to act as peers.
PAGE 722

The parser expression that matches this condition is “log_id=0100030101”. This is a narrow match on the specific log ID number shown in the message, or “log_id=[0–9]{10}[ ]” ,which is a regular expression that matches any Fortigate log entry with a ten-digit log ID followed by a space. User Pattern Matching To extract the user identifier in the example Fortigate virus message shown above (“src=1.2.3.4”), use the following expression, “src=(.
PAGE 723

In the WebUI To configure a health check profile: 1. Navigate to the Configuration > Advanced Services > External Services page on the WebUI. 2. Click Add in the Health Check Configuration section. (To change an existing profile, click Edit.) 3. Provide the following details: a. Enter a Profile Name. b. Frequency (secs)—Indicates how often the controller checks to see if the server is up and running. Default: 5 seconds. c.
PAGE 724

For NAT mode, enter the Trusted IP Address (the trusted interface on the external server) and the NAT Destination Port number (the port a packet is redirected to rather than the original destination port in the packet). You can also choose to enable a health check on the trusted IP address interface. 4. Click Done when you are finished. 5. Click Apply to apply the configuration changes..
PAGE 725

In the WebUI To configure user roles to redirect the required traffic to the server(s), navigate to the Configuration > Access Control > User Roles view. 1. To add a new role, click Add. To change an existing role, click Edit for the firewall policy to be changed. The WebUI displays the User Roles tab on top. 2. Role Name. Enter the name for the role. 3. To add a policy for the new role, click Add in the Firewall Policies section. The WebUI expands the Firewall Policies section.
PAGE 726

any any svc-http redirect esi-group fortinet direction both blacklist any any any permit user-role guest access-list session fortinet ESI Syslog Parser Domains and Rules To configure the ESI syslog parser, navigate to the Configuration > Advanced Services > External Services view on the WebUI (see ). The following sections describe how to manage syslog parser domains using the WebUI and CLI.
PAGE 727

When you make a change in the domain, you can click the View Commands link in the lower right corner of the window to see the CLI command that corresponds to the edit action you performed. Managing Syslog Parser Domains in the CLI Use these CLI commands to manage syslog parser domains.
PAGE 728

Adding a new parser rule To add a new syslog parser rule: 1. Click Add in the Syslog Parser Rules view. The system displays the new rule view. 1. In the Rule Name text box, type the name of the rule you want to add. 2. Click the Enable checkbox to enable the rule. 3. In the Condition Pattern text box, type the regular expression to be used as the condition pattern. For example, “log_id=[0–9]{10}[ ]” to search for and match a 10-digit string preceded by “log_id=” and followed by one space. 4.
PAGE 729

g. In the drop-down Parser Group list, select one of the configured parser domain names. NOTE: At this point, you can test the rule you just edited by using the Test section of the edit rule view. You can also test rules outside the add or edit processes by using the rule test in the Syslog Parser Test view (accessed from the External Services page by clicking the Syslog Parser Test tab, described in “Testing a Parser Rule” on page 496. 4. Click Apply to apply the configuration changes.
PAGE 730

Editing an existing syslog parser rule esi parser rule rule-name condition expression domain name enable match {ipaddr expression | mac expression | user expression} no position position set {blacklist | role role} Testing a parser rule esi parser rule rule-name test {file filename | msg message} Monitoring Syslog Parser Statistics The following sections describe how to monitor syslog parser statistics using the WebUI and CLI.
PAGE 731

Figure 189 Example Route-Mode Topology Core Router (default gateway) = 10.168.172.1/24 Trusted interface IP address = 10.168.172.1/24 Trusted interface IP address = 10.168.172.3/24 Fortinet Gateway Controller Untrusted interface IP address = 10.168.171.1/24 Untrusted interface IP address = 10.168.171.3/24 Wireless User Subnet = 10.168.173.
PAGE 732

 In the second phase of the configuration task, the user roles are configured with the redirection policies (session ACL definition) instructing the controller to redirect the different types of traffic to different server groups.  In the final phase, the ESI parser domains and rules are configured. NOTE: The procedures shown in the following sections are based on the requirements in the example routed ESI topology.
PAGE 733

2. Click Add in the External Servers section. 3. Provide the following details: a. Server Name. (This example uses the name forti_1.) b. Server Group. Use the drop-down list to assign this server to a group from the existing configured groups. (This example uses fortinet.) c. Server Mode. Use the drop-down list to choose the mode (bridge, nat, or route) your topology requires. See the description above to understand the differences between the modes. (This example uses route mode.) d. Trusted IP Address.
PAGE 734

For example: esi group fortinet ping default server forti_1 Redirection Policies and User Role The following sections describe how to configure the redirection policies and user role using the WebUI and CLI. In the WebUI To configure user roles to redirect the required traffic to the server(s), navigate to the Configuration > Access Control > User Roles view (see 1.). 1. To add a new role, click Add.The WebUI displays the Add Role view. Role Name. Enter “guest” as the name for the role. 2.
PAGE 735

In the CLI Use these commands to define the redirection filter for sending traffic to the ESI server and apply the firewall policy to a user role in the route-mode ESI topology example. ip access-list session policy any any any redirect esi-group group direction both blacklist //For any incoming traffic, going to any destination, //redirect the traffic to servers in the specified ESI group. any any any permit //For everything else, allow the traffic to flow normally.
PAGE 736

Adding a New Parser Rule in the WebUI To add a new syslog parser rule for the route-mode example: 1. Click Add in the Syslog Parser Rules tab (Advanced Services > External Services > Syslog Parser Rule). The system displays the new rule view. 2. In the Rule Name text box, type the name of the rule to be added (in this example, “forti_virus”). 3. Click the Enable checkbox to enable the rule. 4. In the Condition Pattern text box, type the regular expression to be used as the condition pattern.
PAGE 737

Figure 190 Example NAT-Mode Topology In this example, all HTTP traffic received by the controller is redirected to the external captive portal server group and load-balanced across the captive portal servers. All wireless client traffic with destination port 80 is redirected to the captive portal server group, with the new destination port 8080. NOTE: The external servers do not necessarily have to be on the subnet as the controller.
PAGE 738

 Health-check ping:  Name = externalcp_ping  Frequency = 30 seconds  Retry-count = 2 attempts  Timeout = 2 seconds (2 seconds is the default)  ESI group = external_cps  Session access control list (ACL)  Name = cp_redirect_acl  Session policy = user any svc-http redirect esi-group external_cps direction both Configuring the Example NAT-mode ESI Topology This section describes how to implement the example NAT-mode ESI topology shown in using both the WebUI, then the CLI.
PAGE 739

Configuring the ESI Group in the WebUI 1. Click Add in the Server Groups section External Services view on the WebUI. 2. Provide the following details: a. Group Name. This example uses external_cps. b. Health-Check Profile. Select the health-check ping from the drop-down list. This example uses externalcp_ping. 3. Click Done when you are finished. NOTE: To apply the configuration (changes), you must click Apply in the External Services view on the WebUI.
PAGE 740

Configuring the Example NAT-mode Topology in the CLI The CLI configuration process consists of these general tasks:  Configuring captive portal (see Chapter 15, “Captive Portal” on page 351).  Configuring the health-check ping method.  Configuring the ESI servers.  Configuring the ESI group.  Defining the redirect filter for sending traffic to the ESI server.
PAGE 741

frequency 30 retry-count 3 esi server external_cp1 dport 8080 mode nat trusted-ip-addr 10.1.1.1 esi server external_cp2 dport 8080 mode nat trusted-ip-addr 10.1.1.2 esi server external_cp3 dport 8080 mode nat trusted-ip-addr 10.1.1.
PAGE 742

 “Regular Expression Repetition Operators” on page 513  “Regular Expression Anchors” on page 513  “References” on page 514 Character-Matching Operators Character-matching operators define what the search will match. Table 160 Character-matching operators in regular expressions Operator Description Sample Result . Match any one character. grep .ord sample.txt Matches ford, lord, 2ord, etc. in the file sample.txt. [] Match any one character listed between the brackets grep [cng]ord sample.
PAGE 743

Regular Expression Anchors Anchors describe where to match the pattern, and are a handy tool for searching for common string combinations. Some of the anchor examples use the vi line editor command :s, which stands for substitute. That command uses the syntax: s/pattern_to_match/pattern_to_substitute.
PAGE 744

| External Services Interface Dell PowerConnect W-Series ArubaOS 6.
PAGE 745

Chapter 38 External User Management This chapter introduces the ArubaOS XML API interface and briefly discusses how you can use the simple API calls to perform external user management tasks. A sample code listing at the end of the chapter to help you get started with using the XML API.
PAGE 746

5. Create an XML request with the appropriate API call 6. Process XML response appropriately NOTE: The default logon role of a client or user must have captive-portal enabled. Configuring the XML API Server Configure an external XML API server in your AAA infrastructure. In this example, 10.11.12.13 is your server. The XML API interface on the controller will receive requests from this server.
PAGE 747

(host) (config) #wlan virtual-ap wireless-vap (host) (Virtual AP profile "wireless-vap") #aaa-profile wirelessusers (host) (config) #show wlan virtual-ap wireless-vap Virtual AP profile "wireless-vap" --------------------------------Parameter --------Virtual AP enable Allowed band AAA Profile 802.
PAGE 748

AAA Profile "default-xml-api" (Predefined (changed)) ---------------------------------------------------Parameter Value ------------Initial role logon MAC Authentication Profile N/A MAC Authentication Default Role guest MAC Authentication Server Group default 802.1X Authentication Profile N/A 802.1X Authentication Default Role guest 802.1X Authentication Server Group N/A RADIUS Accounting Server Group N/A XML API server 10.11.12.
PAGE 749

... Value You can specify any of the following commands in the XML request: Table 163 XML API Authentication Command Authentication Command Description user_add This command adds the user to the controllers user table. user_delete This command deletes the user from the controller user_authenticate This command will authentication the user based on the authentication rules defined in the controllers configuration.
PAGE 750

The command also displays the number of times an authentication event occurred and the number of new authentication events that occurred since the last status check. (host) # show aaa xml-api statistics ECP Statistics -------------Statistics ---------user_authenticate user_add user_delete user_blacklist unknown user unknown role unknown external agent authentication failed invalid command invalid message authentication method invalid message digest 10.10.10.
PAGE 751

User_Name Shared_Key MD5|SHA-1|cleartext 1.0 #select any one The following options are mandatory when you execute the user_add command:  IP Address  Version Authenticating a User This XML requests uses the user_authenticate command to authenticate and derive a new for the user.
PAGE 752

Shared_Key MD5|SHA-1|cleartext 1.0 #select any one The following options are mandatory when you execute the user_blacklist command:  IP Address  Version XML Response For every successful XML request the controller will return the processed information as an XML response. There are two types of responses: Default response and Query response.
PAGE 753

Table 165 XML Response Codes (Continued) Code Reason message Description 7 invalid message digest Returned by commands that contain the shared_key in the XML request. 8 missing message authentication The authentication method is not specified in the XML request. Returned by all commands that require the authentication method in the XML request. 9 missing or invalid version number The XML request does not contain the version number or the version number is incorrect. Returned by all commands.
PAGE 754

In which, the result, code and reason values are similar to the default response. The following responses, however, are returned only in the result code returns the OK string. Table 166 Query Response Code Response Code Description Role Displays the current role of the authenticated user Type Displays is the user or client is wired or wireless. Auth_status Displays the authentication status of the user or client. Available values are: authenticated or unauthenticated.
PAGE 755

#define debug(x...)fprintf(stderr, x) #else #define debug(x...) #endif extern int cgi_escape_url(char *t, int tl, char *s, int sl, int b_newline); static void encode_message_digest (unsigned char *md, int mdlen, char *output); static void usage (void) { fprintf(stderr, "Usage: ecp [options] []\n"); fprintf(stderr, fprintf(stderr, fprintf(stderr, fprintf(stderr, fprintf(stderr, " " " " " \n"); \n"); Switch IP address.\n"); One of add, del, or authenti
PAGE 756

p += strlen(p); } if (macaddr) { sprintf(p, "%s", macaddr); p += strlen(p); } if (name) { sprintf(p, "%s", name); p += strlen(p); } if (password) { sprintf(p, "%s", password); p += strlen(p); } if (role) { sprintf(p, "%s", role); p += strlen(p); } if (tout) { sprintf(p, "%s", tout); p += strlen(p); } if (secret) { if (auth == NULL) { key = secret; auth = "cleartext"; #ifndef OPENSSL_NO_SHA1 } else if (!strca
PAGE 757

for (i=0; i
PAGE 758

XMl API Response The response message from the controller is sent in an XML format. The default format of the response is: [Message header] Displays the request parameters and other standard header details. .. ... .. Status Message Code in case of an error Adding a Client This command will add a client on your network. Figure 192 Adding a client—request and response john@linux:/home/john/tools/xml-api# ./auth -i 10.10.10.
PAGE 759

View the updated details of the client on the controller (host) #show user-table Users ----IP ---------10.10.10.249 MAC -----------00:19:d2:01:0b:aa Name ------ Role ---logon Age(d:h:m) ---------00:00:00 Auth ---- ...... ... [truncated] ...... User Entries: 1/1 Deleting a Client This command will delete a client from your network.Deleting a client—request and response john@linux:/home/john/tools/xml-api# ./auth -i 10.10.10.248 10.11.12.
PAGE 760

(host) #show user Users ----IP ---------10.10.10.248 MAC -----------00:19:d2:01:0b:84 Name ------ Role ---logon Age(d:h:m) ---------00:00:00 Auth ---- ..... ... [truncated] ..... User Entries: 1/1 The following command shows the captive portal status of the logon role of the client.
PAGE 761

(host) (config) #show user Users ----IP MAC --------------------10.10.10.248 00:19:d2:01:0b:84 Name -----John Role ---guest Age(d:h:m) ---------00:00:04 Auth ---Web ..... ... [truncated] .. ..... User Entries: 1/1 Querying Client Information This command will fetch a all details about a client connected in your network. Querying Client Information— request and response john@linux:/home/john/tools/xml-api# ./auth -i 10.10.10.249 10.11.12.
PAGE 762

The output of the show user command displays the client information. Users ----IP ---------10.10.10.249 MAC -----------00:19:d2:01:0b:aa Name -----John Role ---logon Age(d:h:m) ---------00:00:01 Auth ---- ..... ... [truncated] . ..... User Entries: 1/1 Blacklisting a Client This command will blacklist a client and restrict it from connecting to your network. The show user-table lists the client connected on your network before processing the request to blacklist the client. Users ----IP ---------10.
PAGE 763

The show user-table command does not list the blacklisted client. You can use the show ap blacklist-clients command on your controller to view the list of blacklisted clients (host) (config) #show ap blacklist-clients Blacklisted Clients ------------------STA reason -------00:19:d2:01:0b:84 user-defined Dell PowerConnect W-Series ArubaOS 6.
PAGE 764

| External User Management Dell PowerConnect W-Series ArubaOS 6.
PAGE 765

Appendix A DHCP with Vendor-Specific Options This appendix describes how to configure several DHCP vendor-specific options.
PAGE 766

Table 168 Configure option 60 on the Windows DHCP server (Continued) Field Information Description Dell AP vendor class identifier 5. Click OK to save this information. 6. In the Predefined Options and Values dialog box, make sure 060 Dell Access Point is selected from the Option Name drop-down list. 7. In the Value field, enter the following information: String : ArubaAP 8. Click OK to save this information. 9. Under the server, select the scope you want to configure and expand it.
PAGE 767

Option 43 is configured for this DHCP scope. Note that even though you entered the IP address in ASCII text, it displays in binary form. Figure 196 DHCP Scope Values DHCP Relay Agent Information Option (Option 82) The DHCP Relay Agent Information option (Option 82) allows the DHCP Relay Agent to insert circuit specific information into a request that is being forwarded to a DHCP server.
PAGE 768

Linux DHCP Servers The following is an example configuration for the Linux dhcpd.conf file. After you enter the configuration, you must restart the DHCP service. option serverip code 43 = ip-address; class "vendor-class" { match option vendor-class-identifier; } . . . subnet 10.200.10.0 netmask 255.255.255.0 { default-lease-time 200; max-lease-time 200; option subnet-mask 255.255.255.0; option routers 10.200.10.1; option domain-name-servers 10.4.0.12; option domain-name "vlan10.aa.mycorpnetworks.
PAGE 769

Appendix B External Firewall Configuration In many deployment scenarios, an external firewall is situated between Dell devices. This appendix describes the network ports that need to be configured on the external firewall to allow proper operation of the Dell network. You can also use this information to configure session ACLs to apply to physical ports on the controller for enhanced security.
PAGE 770

Between a Remote AP (IPSec) and a controller:  NAT-T (UDP port 4500).  TFTP (UDP port 69) . NOTE: TFTP is not needed for normal operation. If the remote AP loses its local image for any reason, it will use TFTP to download the latest image. Network Management Access This section describes the network ports that need to be configured on the firewall to manage the Dell network.
PAGE 771

 For External Services Interface (ESI): ICMP (protocol 1) and syslog (UDP port 514) between a controller and any ESI servers.  For XML API: HTTP (TCP port 80) or HTTPS (TCP port 443) between a controller and an XML-API client. Dell PowerConnect W-Series ArubaOS 6.
PAGE 772

| External Firewall Configuration Dell PowerConnect W-Series ArubaOS 6.
PAGE 773

Appendix C Behavior and Defaults This appendix contains the following topics:  “Mode Support” on page 773  “Basic System Defaults” on page 774  “Default Management User Roles” on page 780  “Default Open Ports” on page 783 Mode Support Most ArubaOS features are supported in all forwarding modes. However, there are a some features that are not supported in one or more forwarding modes.
PAGE 774

Table 169 Features not Supported in Each Forwarding Mode (Continued) Forwarding Mode Feature Not Supported Bridge Mode on Campus APs or Remote APs (continued) SIP ALG SIP: SIP authentication tracking SIP: CAC enforcement enhancements SIP: Phone number awareness SIP: R-Value computation SIP: Delay measurement Management: Voice-specific views Management: Voice client statistics Management: Voice client troubleshooting Voice protocol monitoring/reporting SVP ALG H.
PAGE 775

Table 170 Predefined Network Services (Continued) Name Protocol Port(s) svc-sip-tcp tcp 5060 svc-kerberos udp 88 svc-pop3 tcp 110 svc-adp udp 8200 svc-noe udp 32512 svc-noe-oxo udp 5000 svc-dns udp 53 svc-msrpc-tcp tcp 135 139 svc-rtsp tcp 554 svc-http tcp 80 svc-vocera udp 5002 svc-nterm tcp 1026 1028 svc-sip-udp udp 5060 svc-papi udp 8211 svc-ftp tcp 21 svc-natt udp 4500 svc-svp 119 0 svc-gre gre 0 svc-smtp tcp 25 svc-smb-udp udp 445 svc-esp
PAGE 776

Table 170 Predefined Network Services (Continued) Name Protocol Port(s) svc-v6-icmp icmp 0 any any 0 Policies The following are predefined policies. Table 171 Predefined Policies Predefined Policy Description ip access-list session allowall any any any permit An "allow all" firewall rule that permits all traffic.
PAGE 777

Table 171 Predefined Policies (Continued) Predefined Policy Description ip access-list session ap-acl any any udp 5000 any any udp 5555 any any svc-gre permit any any svc-syslog permit any user svc-snmp permit user any svc-snmp-trap permit user any svc-ntp permit This is a policy for internal use and should not be modified. It permits APs to boot up and communicate with the controller.
PAGE 778

Table 171 Predefined Policies (Continued) Predefined Policy Description ip access-list session svp-acl any any svc-svp permit queue high user host 224.0.1.116 any permit Use for Spectralink VoIP devices to automatically permit and prioritize Spectralink Voice Protocol (SVP). ip access-list session noe-acl any any svc-noe permit queue high Use for Alcatel NOE VoIP devices to automatically permit and prioritize NOE traffic.
PAGE 779

Table 172 Predefined Roles Predefined Role Description user-role ap-role session-acl control session-acl ap-acl This is an internal role and should not be edited. user-role default-vpn-role session-acl allowall ipv6 session-acl v6-allowall This is the default role used for VPN-connected clients. It is referenced in the default "aaa authentication vpn" profile.
PAGE 780

Table 172 Predefined Roles (Continued) Predefined Role Description user-role -logon session-acl control session-acl captiveportal session-acl vpnlogon This role is only generated when creating a new WLAN using the WLAN Wizard. The WLAN Wizard creates this role when captive portal is enabled and a PEFNG license is installed. This is the initial role that a client will be placed in prior to captive portal authentication.
PAGE 781

Table 173 Predefined Management Roles (Continued) Predefined Role Permissions network-operations This role supports a subset of show, configuration, action, and database commands that are used to monitor the controller. You can log into the CLI; however, you can only use a subset of CLI commands to monitor the controller.
PAGE 782

Table 173 Predefined Management Roles (Continued) Predefined Role Permissions network-operations (continued) Monitoring > Network > All Access Points Monitoring > Network > All Wired Access Points You can view the reports created by the following CLI commands:  DB:opcode=monitor-summary  DB:opcode=cr-load  DB:opcode=wlm-search&class=probes&start  DB:opcode=wlm-search&class=amii  DB:opcode=monitor-get-all-gps&status=any  show ap-group  show vlan status Monitoring > Controller > Controller Summary Y
PAGE 783

Table 173 Predefined Management Roles (Continued) Predefined Role Permissions network-operations (continued) Monitoring > Controller > Clients > Blacklist You can view the reports created by the following CLI commands:  stm add-blacklist-client  aaa user delete { | all | mac | name | role } Monitoring > Controller > Blacklist Clients You can view the reports created by the following CLI commands:  stm remove-blacklist-client Monitoring > Controlle
PAGE 784

Table 174 Default (Trusted) Open Ports (Continued) Port Number Protocol Where Used Description 21 TCP controller FTP server for AP6X software download. 22 TCP controller SSH 23 TCP AP and controller Telnet is disabled by default but the port is still open. 53 UDP controller Internal domain. 67 UDP AP (and controller if DHCP server is configured) DHCP server. 68 UDP AP (and controller if DHCP server is configured) DHCP client.
PAGE 785

Table 174 Default (Trusted) Open Ports (Continued) Port Number Protocol Where Used Description 8081 TCP controller Used internally for captive portal authentication (HTTPS). Not exposed to wireless users. A default self-signed certificate is installed in the controller. Users in a production environment are urged to install a certificate from a well known CA such as Verisign. Self-signed certs are open to man-in-the-middle attacks and should only be used for testing.
PAGE 786

| Behavior and Defaults Dell PowerConnect W-Series ArubaOS 6.
PAGE 787

Appendix D 802.1x Configuration IAS Windows This appendix provides examples of how to configure a Microsoft Internet Authentication Server, and a Windows XP wireless client for 802.1x authentication with the controller (see Chapter 10, “802.1x Authentication” on page 285 for information about configuring the controller).
PAGE 788

4. In the New RADIUS Client dialog window, enter the name and IP address for the controller. Click Next. 5. In the next window that appears, enter and confirm a shared secret. The shared secret is configured on both the RADIUS server and client, and ensures that an unauthorized client cannot perform authentication against the server. 6. Click Finish.
PAGE 789

Figure 198 IAS Remote Access Policies 2. To add a new policy, select Action > New Remote Access Policy. This launches a wizard that steps you through configuring the remote access policy. 3. Click Next on the initial wizard window to proceed. 4. Enter the name for the policy, for example, “Wireless Computers” and click Next. 5. In the Access Method window, select the Wireless option, then click Next. 6.
PAGE 790

Figure 200 Policy Configuration Wizard—PEAP Properties 10. For PEAP, select the “inner” authentication method. The authentication method shown is MS-CHAPv2. (Because password authentication is being used on this network, this is the only EAP authentication type that should be selected.) You can also enable fast reconnect in this screen.
PAGE 791

Another example of a Class attribute configuration is shown below for the “Wireless-Student” policy. This policy returns the RADIUS attribute Class with the value “student” upon successful completion. Figure 202 Example RADIUS Class Attribute for “student” Configure Management Authentication using IAS Before you can configure the controller for management authentication using Windows IAS, you must perform the following steps to configure a Windows IAS RADIUS server on your Windows client.
PAGE 792

5. In the User or Group Access window of the wizard, select either user or group, depending upon how your user permissions are defined. Click Next. 6. In the Authentication Method window, click the Type drop-down list and select Protected EAP (PEAP). Click Next. 7. Click Finish. Now you must define properties for the remote policy you just created. 1. 1. In the Internet Authentication Service window, click the Remote Access Policy icon.
PAGE 793

Figure 203 Configuring a RADIUS Server for IAS Management Authentication 6. In the Host field, enter the IP address of the RADIUS server you want to use for Management Authentication. 7. Enter and then retype the shared key for the server. 8. Click Apply 9. Select Server Group from the server list on the left window pane. 10. In the entry blank on the right window pane, enter the name of a new server group (for example, “Management_group”), then click Add. 11. Click Apply. 12.
PAGE 794

Verify Communication between the Controller and the RADIUS Server After you have configured your Windows Server and the Dell controller for Windows IAS Management Authentication, you can verify that the controller and server are communicating. 1. Navigate to Diagnostics>AAA Test Server. 2. Click the Server Name drop-down list and select the RADIUS server. 3. Select either MSCHAP-V2 or PAP as the authentication method. 4. Enter the user name and password in the Username and Password fields. 5.
PAGE 795

4. Click the Advanced button to display the Networks to access window. Figure 207 Networks to Access This window determines what types of wireless networks the client can access. By default, Windows connects to any type of wireless network. Make sure that the option Computer-to-computer (ad hoc) networks only is not selected. Click Close. 5. In the Wireless Networks tab, click Add to add a wireless network. 6. Click the Association tab to enter the network properties for the SSID.
PAGE 796

 Enter the preshared key NOTE: Do not select the option “This is a computer-to-computer (ad hoc) network; wireless access points are not used”. Figure 208 shows the configuration for the SSID WLAN-01 which uses WPA network authentication with TKIP data encryption. Figure 208 Wireless Network Association 7. Click the Authentication tab to enter the 802.1x authentication parameters for the SSID. This tab configures the EAP type used between the wireless client and the authentication server.
PAGE 797

Figure 209 Wireless Network Authentication 8. Under EAP type, select Properties to display the Protected EAP Properties window. Configure the client PEAP properties, as shown in Figure 210:  Select Validate server certificate. This instructs the client to check the validity of the server certificate from an expiration, identity, and trust perspective.  Select the trusted Certification Authority (CA) that can issue server certificates for the network.
PAGE 798

Figure 211 EAP MSCHAPv2 Properties 798 | 802.1x Configuration IAS Windows Dell PowerConnect W-Series ArubaOS 6.
PAGE 799

Appendix E Internal Captive Portal You can customize the default captive portal page through the WebUI, as detailed in Chapter 15, “Captive Portal” . This appendix discusses creating and installing a new internal captive portal page and other customization.
PAGE 800

Username: Minimal: Recommended Options: accesskey="u" Sets the keyboard shortcut to 'u' SIZE="25"Sets the size of the input box to 25 VALUE=""Ensures no default value Password: Minimal: Recommended Options: accesskey="p" Sets the keyboard shortcut to 'p' SIZE="25"Sets the size of the input box to 25 VALUE=""Ensures no default value FQDN: Minimal: Re
PAGE 801

Installing a New Captive Portal Page You can install the captive portal page by using the Maintenance function of the WebUI. Log into the WebUI and navigate to Configuration > Management >Captive Portal > Upload Custom Login Pages. This page lets you upload your own files to the controller. There are different page types that you can choose:  Captive Portal Login (top level): This type uploads the file into the controller and sets the captive portal page to reference the file that you are uploading.
PAGE 802

} } if (errmsg && errmsg.length > 0) { errmsg = "
\n" + errmsg + "\n
\n"; document.write(errmsg); } } Reverting to the Default Captive Portal You can reassign the default captive portal site using the "Revert to factory default settings" check box in the "Upload Custom Login Pages" section of the Maintenance tab in the WebUI.
PAGE 803

Replace the "Shift_JIS" part of the above line with the character set that is used by your system. In theory, any character encoding that has been registered with IANA can be used, but you must ensure that any text you enter uses this character set and that your target browsers support the required character set encoding. b. The final ...
PAGE 804

} } if (errmsg && errmsg.length > 0) { switch(errmsg) { case "Authentication Failed": localized_msg="Authentication Failed"; break; default: localised_msg=errmsg; break; } errmsg = "
\n" + localised_msg + "\n
\n"; document.write(errmsg); }; } e. Translate the web page text. Once you have made the changes as above, you only need to translate the rest of the text that appears on the page.
PAGE 805

Any required client side script (CSS) and media files can also be uploaded using the “Content” Page Type, however file space is limited (use the CLI command show storage to see available space). Remember to leave ample room for system files. NOTE: The "Registered User" and "Guest User" sections of the login page are implemented as graphics files, referenced by the default CSS styles.
PAGE 806

In order to actually use this file, you will need to configure the welcome page on the controller. To do this use the CLI command: "aaa captive-portal welcome-page /upload/welc.html" where "welc.html" is the name of the file that you uploaded, or you can change the Welcome page in the captive portal authentication profile in the WebUI. 806 | Internal Captive Portal Dell PowerConnect W-Series ArubaOS 6.
PAGE 807

An example that will create the same page as displayed in Figure 213 is shown below. The part in red will redirect the user to the web page you originally setup. For this to work, please follow the procedure described above in this document. :